[plug] debian etch + vsftpd does not chroot jail users
Denis Brown
dsbrown at cyllene.uwa.edu.au
Thu Apr 17 16:00:19 WST 2008
Dear PLUG list members,

Despite best efforts I cannot get users to be confined to their chroot
jails. Debian etch and vsftpd installed using aptitude. Vsftpd version
is 2.0.5.

Have scoured the web for info on this and I understand the manner in which
vsftpd's config file *should* jail users, but it does not :-( Snippets
follow:

<quote from /etc/vsftpd.conf>
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
<unquote>

User "badboy" appears in /etc/vsftpd.chroot_list
User "badboy" has entry in /etc/passwd like so...
badboy:x:1002:1002:Bad Boy,,,:/home/badboy/./:/bin/bash

The use of a trailing /./ for the home directory specification was
mentioned in one of the web articles but it apparently makes no difference.

Using pscp.exe on a Windows box I can sftp to the host, authenticate as
badboy and happily issue cd .. commands and traverse the directory tree
:-( At each level I can do an ls and see contents. It was my
understanding that this should not be possible.

There are no errata or bugs filed against vsftpd that I can see and the
only mentions that it has on the web generally have been from people who
messed up the configuration by misinterpreting the config file
directives. Maybe I've joined that elite too?

Thoughts appreciated!
Denis
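
Added example, not part of the original post: a Python check that applies the rules vsftpd.conf(5) documents for `chroot_local_user`, `chroot_list_enable` and the chroot list, run over constructed input mirroring the snippets quoted above. The second user name `alice` is hypothetical, and YES/NO parsing is simplified to the literal values used in the post.

```python
# Decides whether vsftpd will chroot a local user, following the
# chroot_local_user / chroot_list_enable rules in vsftpd.conf(5).
# Scope: FTP logins served by vsftpd only. sftp/scp sessions are served
# by sshd, which does not read vsftpd.conf.


def parse_conf(text):
    """Parse vsftpd.conf text into a dict (vsftpd allows no spaces around '=')."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    return opts


def is_yes(opts, key):
    """Boolean options default to NO here, as these chroot options do."""
    return opts.get(key, "NO").upper() == "YES"


def parse_user_list(text):
    """One user name per line, as in the chroot_list_file."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}


def is_chrooted(opts, listed_users, user):
    """True if vsftpd would jail `user` in their home directory."""
    local = is_yes(opts, "chroot_local_user")
    if not is_yes(opts, "chroot_list_enable"):
        return local  # list file ignored: everyone or no one is jailed
    in_list = user in listed_users
    # chroot_local_user=NO  -> the list names the users TO jail
    # chroot_local_user=YES -> the list names the users EXEMPT from the jail
    return (not in_list) if local else in_list


# Constructed sample input mirroring the snippets in the post.
SAMPLE_CONF = """\
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
"""
SAMPLE_LIST = "badboy\n"

if __name__ == "__main__":
    opts, users = parse_conf(SAMPLE_CONF), parse_user_list(SAMPLE_LIST)
    for name in ("badboy", "alice"):  # "alice" is a hypothetical unlisted user
        print(name, "jailed" if is_chrooted(opts, users, name) else "not jailed")
```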