topic Re: vsftpd chroot in Operating System - HP-UX

vsftpd chroot

Thom Cornwell — Wed, 01 Feb 2006 11:39:04 GMT

Has anyone else successfully made chroot work in vsftpd via the configuration file?

Re: vsftpd chroot

Thom Cornwell — Wed, 01 Feb 2006 11:44:13 GMT

Here is the supporting software that I have installed:

openssh-4.2p1
openssl-0.9.8a
HP-UX Secure Shell: sftp.c,v A.04.20.004
what /usr/local/sbin/vsftpd
/usr/local/sbin/vsftpd:
$Revision: 92453-07 linker linker crt0.o B.11.47 051005 $

Re: vsftpd chroot

Thom Cornwell — Wed, 01 Feb 2006 13:37:19 GMT

grep -v "^#" vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
ftpd_banner=VSFTPD Server 2.03
chroot_list_file=/etc/vsftpd.chroot_list
xferlog_std_format=NO
xferlog_enable=YES
log_ftp_protocol=YES
check_shell=NO
vsftpd_log_file=/var/log/vsftpd.log
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

Re: vsftpd chroot

Ivan Ferreira — Wed, 01 Feb 2006 13:56:25 GMT

I don't see these parameters in you configuration file:

chroot_local_user=YES
chroot_list_enable=YES

Re: vsftpd chroot

Thom Cornwell — Wed, 01 Feb 2006 14:07:47 GMT

chroot_list_file=/etc/vsftpd.chroot_list
The other two are disabled, as the documentation reads that having them enabled, then the list works in reverse.

Re: vsftpd chroot

Thom Cornwell — Thu, 02 Feb 2006 10:34:14 GMT

I have discovered that I am not getting to the vsftpd, but instead am getting to the ssh subsystem /opt/ssh/libexec/sftp-server when I sftp to the system. What I need to know at this point is how to tell sshd not to start /opt/ssh/libexex/sftp-server, but instead use the inetd.conf entry I have for the vsftpd for requests coming to port 20. During this process I have successfully compiled the version 2.04 of vsftpd, thinking the problem was in version 2.03.

Re: vsftpd chroot

Mike Keighley — Tue, 21 Feb 2006 14:37:07 GMT

A bit of a misunderstanding here, I think.

vsftpd is NOT a replacement sftp server (is it ?)

rather it is a conventional ftp server (ports 21 and 20) which implements the "AUTH TLS" and "PROT P" extensions to the ftp protocol, thus encrypting command or data or both.

so yes, a remote sftp client will connect to openssh/sftpd, not vsftpd.

a decent client for talking to vsftpd might be e.g. CoreFTP lite.

Re: vsftpd chroot

Thom Cornwell — Tue, 21 Feb 2006 14:45:12 GMT

Yes it was me the confused person who was the source of the problem ;-) I however am now trimming down what is needed versus what is not needed when you use the ssh_chroot_setup.sh. There just has to be an easier way to set up a chroot jail house for sftp users. Thank you for the information about a viable client.

Re: vsftpd chroot

Mike Keighley — Tue, 21 Feb 2006 15:50:50 GMT

you're welcome, of course.

... and I should have apologised for not actually answering the original question:
No, I haven't managed to get vsftpd to work chroot-ed

... and yes I agree that chroot-ing in general is harder than it should be.

I am leaning more in the direction of SELINUX, where you define a policy which severely restricts what a given executable can do. Not being able to read or write a file outside the homedir, seems as close to chroot as makes no difference.

p.s. should have mentioned that CoreFTP Lite *can* also be an sftp client, tho' that ain't what I use it for.

Re: vsftpd chroot

Thom Cornwell — Wed, 22 Feb 2006 09:19:36 GMT

User education helped clear up a misconception