[Klug-general] vsFTPd secure homes

David Halliday david.halliday at gmail.com
Mon Jul 16 22:15:42 BST 2007


This question is for those more familiar with FTP and chroot.
My set-up at the moment isn't overly security-conscious; only a
trusted friend and I can log in. What I want is for users to log into their
/home/<username> directory without being able to just browse to
anywhere on the system at a whim (the default on vsFTPd). This is
simply achieved by using the following option in the vsftp.conf file:
chroot_local_user=YES

Now I'm aware that the man page says:
chroot_local_user
If set to YES, local users will be (by default) placed in a chroot()
jail in their home directory after login. Warning:  This option has
security implications, especially if the users have upload permission,
or shell access. Only enable if you know what you are doing. Note that
these security implications are not vsftpd specific. They apply to all
FTP daemons which offer to put local users in chroot() jails.

Now the FAQ says this:
Q) Help! What are the security implications referred to in the
"chroot_local_user" option?

A) Firstly note that other ftp daemons have the same implications. It is a
generic problem.
The problem isn't too severe, but it is this: Some people have FTP user
accounts which are not trusted to have full shell access. If these
accounts can also upload files, there is a small risk. A bad user now has
control of the filesystem root, which is their home directory. The ftp
daemon might cause some config file to be read - e.g. /etc/some_file. With
chroot(), this file is now under the control of the user. vsftpd is
careful in this area. But, the system's libc might want to open locale
config files or other settings...


So my question is: can I allow my users to access their home
directories and little else with FTP without having some security
issue?

I can remember my university having something set up with this exact
behaviour. But surely a university computer science department (with
some good minds behind it) wouldn't have left itself open to attack?
So is this security consideration paranoia or is there a way to get
the result without being at risk?

This isn't a problem in my current set-up, but I would like to know if
there is a proper way of doing things for if ever I get into a
(hopefully high-paying) job where I may need to set up secure servers.
