
Re: vsftpd chroot

 
Thom Cornwell
Frequent Advisor

vsftpd chroot

Has anyone else successfully made chroot work in vsftpd via the configuration file?
Thom Cornwell
Frequent Advisor

Re: vsftpd chroot

Here is the supporting software that I have installed:

openssh-4.2p1
openssl-0.9.8a
HP-UX Secure Shell: sftp.c,v A.04.20.004
what /usr/local/sbin/vsftpd
/usr/local/sbin/vsftpd:
$Revision: 92453-07 linker linker crt0.o B.11.47 051005 $
Thom Cornwell
Frequent Advisor

Re: vsftpd chroot

grep -v "^#" vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
ftpd_banner=VSFTPD Server 2.03
chroot_list_file=/etc/vsftpd.chroot_list
xferlog_std_format=NO
xferlog_enable=YES
log_ftp_protocol=YES
check_shell=NO
vsftpd_log_file=/var/log/vsftpd.log
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
Ivan Ferreira
Honored Contributor

Re: vsftpd chroot

I don't see these parameters in your configuration file:

chroot_local_user=YES
chroot_list_enable=YES
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Thom Cornwell
Frequent Advisor

Re: vsftpd chroot

chroot_list_file=/etc/vsftpd.chroot_list
The other two are disabled, as the documentation reads that with them enabled, the list works in reverse.
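How the three chroot options discussed above interact, following the vsftpd.conf man page, as an added example that is not part of the original thread. The user names and list contents are constructed, and only the YES/NO spellings are handled.

```python
# Added example: models how vsftpd decides whether a *local* user is jailed.
# Semantics follow the vsftpd.conf man page; anonymous logins are not covered.

def parse_conf(text):
    """Parse vsftpd.conf text (key=value lines, '#' comments) into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts

def is_yes(opts, key):
    # Both chroot booleans default to NO when the option is absent.
    return opts.get(key, "NO").upper() == "YES"

def is_chrooted(opts, user, listed_users):
    """Return True if `user` would be placed in a chroot() jail at login.

    listed_users stands in for the contents of chroot_list_file.
    """
    chroot_all = is_yes(opts, "chroot_local_user")
    use_list = is_yes(opts, "chroot_list_enable")
    if not use_list:
        # chroot_list_file is only consulted when chroot_list_enable=YES.
        return chroot_all
    in_list = user in listed_users
    # With chroot_local_user=YES the list becomes an exemption list.
    return (not in_list) if chroot_all else in_list

# Chroot-relevant lines from the configuration posted in the thread.
POSTED = "local_enable=YES\nchroot_list_file=/etc/vsftpd.chroot_list\n"
LISTED = {"alice"}  # constructed list contents

if __name__ == "__main__":
    variants = {
        "as posted": POSTED,
        "+ chroot_list_enable": POSTED + "chroot_list_enable=YES\n",
        "+ both options": POSTED + "chroot_list_enable=YES\nchroot_local_user=YES\n",
    }
    for name, text in variants.items():
        opts = parse_conf(text)
        result = {u: is_chrooted(opts, u, LISTED) for u in ("alice", "bob")}
        print(f"{name:22} {result}")
```

With only `chroot_list_file` set, the list file is never read and no local user is jailed.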
Thom Cornwell
Frequent Advisor

Re: vsftpd chroot

I have discovered that I am not getting to the vsftpd, but instead am getting to the ssh subsystem /opt/ssh/libexec/sftp-server when I sftp to the system. What I need to know at this point is how to tell sshd not to start /opt/ssh/libexec/sftp-server, but instead use the inetd.conf entry I have for the vsftpd for requests coming to port 20. During this process I have successfully compiled version 2.04 of vsftpd, thinking the problem was in version 2.03.
Mike Keighley
Frequent Advisor

Re: vsftpd chroot

A bit of a misunderstanding here, I think.

vsftpd is NOT a replacement sftp server (is it?)

Rather, it is a conventional ftp server (ports 21 and 20) which implements the "AUTH TLS" and "PROT P" extensions to the ftp protocol, thus encrypting command or data or both.

So yes, a remote sftp client will connect to openssh/sftpd, not vsftpd.

A decent client for talking to vsftpd might be e.g. CoreFTP lite.
nil illegitimi root-andum
Thom Cornwell
Frequent Advisor

Re: vsftpd chroot

Yes, it was me, the confused person, who was the source of the problem ;-) I, however, am now trimming down what is needed versus what is not needed when you use the ssh_chroot_setup.sh. There just has to be an easier way to set up a chroot jail house for sftp users. Thank you for the information about a viable client.
Mike Keighley
Frequent Advisor

Re: vsftpd chroot

You're welcome, of course.

... and I should have apologised for not actually answering the original question:
No, I haven't managed to get vsftpd to work chroot-ed.

... and yes, I agree that chroot-ing in general is harder than it should be.

I am leaning more in the direction of SELinux, where you define a policy which severely restricts what a given executable can do. Not being able to read or write a file outside the homedir seems as close to chroot as makes no difference.

P.S. I should have mentioned that CoreFTP Lite *can* also be an sftp client, tho' that ain't what I use it for.
nil illegitimi root-andum
Thom Cornwell
Frequent Advisor

Re: vsftpd chroot

User education helped clear up a misconception