[plug] debian etch + vsftpd does not chroot jail users

Richard Meyer meyerri at westnet.com.au
Thu Apr 17 16:14:23 WST 2008


Just an idea.

From what I can see vsftpd is an ftp daemon. As far as I know sftp is
NOT an ftp implementation, it is a manifestation of ssh with an ftp-type
interface to do scp copies.

The ssh protocol doesn't care about the ftp daemon, and ignores what it
says. 

To prove whether this is correct, bring down the ftp daemon and connect
from windows again - if you can, my supposition is right, and you'll
have to use some other way to jail the client.



On Thu, 2008-04-17 at 16:00 +0800, Denis Brown wrote:
> Dear PLUG list members,
> 
> Despite best efforts I cannot get users to be confined to their chroot 
> jails.   Debian etch and vsftpd installed using aptitude.   Vsftpd version 
> is 2.0.5
> 
> Have scoured the web for info on this and I understand the manner in which 
> vsftpd's config file *should* jail users, but it does not :-(   Snippets 
> follow:
> 
> <quote from /etc/vsftpd.conf>
> chroot_local_user=NO
> chroot_list_enable=YES
> chroot_list_file=/etc/vsftpd.chroot_list
> <unquote>
> 
> User "badboy" appears in /etc/vsftpd.chroot_list
> 
> User "badboy" has entry in /etc/passwd like so...
> badboy:x:1002:1002:Bad Boy,,,:/home/badboy/./:/bin/bash
> 
> The use of a trailing /./ for the home directory specification was 
> mentioned in one of the web articles but it apparently makes no difference.
> 
> Using pscp.exe on a windows box I can sftp to the host, authenticate as 
> badboy and happily issue cd .. commands and traverse the directory tree 
> :-(   At each level I can do an ls and see contents.    It was my 
> understanding that this should not be possible.
> 
> There are no errata or bugs filed against vsftpd that I can see and the 
> only mentions that it has on the web generally have been from people who 
> messed up the configuration by misinterpreting the config file 
> directives.    Maybe I've joined that elite too?
> 
> Thoughts appreciated!
> Denis
-- 
Richard Meyer
Necessity is the plea for every infringement of human freedom.
It is the argument of tyrants; it is the creed of slaves. 
William Pitt, 1783

Linux Counter user #306629
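
Added example, not part of the original message: a small Python check that tells from a service's greeting banner whether a session is served by an FTP daemon or by sshd, and only then evaluates the vsftpd chroot settings quoted in the thread. The function names and the two sample banners are constructed for illustration, and only YES/NO values are handled.

```python
"""Added example: does a vsftpd chroot setting govern a given session?"""

def classify_banner(banner: bytes) -> str:
    """Identify the daemon from its first line: SSH identifies itself with
    'SSH-<protoversion>-...' (RFC 4253); FTP greets with a 220 reply (RFC 959)."""
    line = banner.split(b"\n", 1)[0].strip()
    if line.startswith(b"SSH-"):
        return "ssh"
    if line.startswith(b"220"):
        return "ftp"
    return "unknown"

def parse_conf(text: str) -> dict:
    """Parse vsftpd.conf 'key=value' lines, skipping comments and blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def vsftpd_chroots(conf: dict, chroot_list: set, user: str) -> bool:
    """vsftpd semantics: with chroot_local_user=NO the list names users to
    jail; with chroot_local_user=YES the list names users exempt from it."""
    jail_all = conf.get("chroot_local_user", "NO").upper() == "YES"
    use_list = conf.get("chroot_list_enable", "NO").upper() == "YES"
    listed = use_list and user in chroot_list
    return (not listed) if jail_all else listed

def jail_applies(banner: bytes, conf_text: str, chroot_list: set, user: str) -> bool:
    """The vsftpd jail only exists for sessions that vsftpd itself serves."""
    if classify_banner(banner) != "ftp":
        return False
    return vsftpd_chroots(parse_conf(conf_text), chroot_list, user)

# Settings quoted in the thread; the banners below are constructed samples.
CONF = """chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
"""
FTP_BANNER = b"220 (vsFTPd 2.0.5)\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_sample\r\n"

if __name__ == "__main__":
    for name, banner in (("ftp", FTP_BANNER), ("sftp", SSH_BANNER)):
        print(name, jail_applies(banner, CONF, {"badboy"}, "badboy"))
```

For the SSH banner the result is False whatever vsftpd.conf says, so confinement of sftp sessions has to be configured on the ssh side.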



