Wiki article - Chroot vsftpd with non-system users
Posted: 2011/11/17 13:36:21
Alan, since your name is at the bottom of the article http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users I suspect this is one for you...
I wanted to set up something similar to this article so that I could divorce ftp users from system users - i.e. give ftp users absolutely no ability to log on to anything else. I found a few shortcomings in it :-(
1) db_load does not [u]replace[/u] the contents of an existing accounts.db; it appends to it. This means that the instructions for deleting users do not work.
2) Passwords are held in accounts.db in plain text and are humanly readable by anyone with read access to accounts.db. Can be fixed by using crypt=crypt on the pam entry and piping the password through e.g. openssl passwd -crypt -stdin -salt ab
3) The iptables rules probably only need the first of the two mentioned rules but ip_conntrack_ftp should be added to /etc/sysconfig/iptables-options IPTABLES_MODULES line. This, together with the standard RELATED,ESTABLISHED iptables rule should be sufficient.
To get this set up to completely ignore system-based users I had to change guest_enable= from NO to YES, and I also found that the per-user settings were unnecessary. I ended up with this lot:
[code]
anon_world_readable_only=NO
anonymous_enable=NO
chroot_local_user=YES
guest_enable=YES
hide_ids=YES
listen=YES
local_enable=YES
max_clients=100
max_per_ip=2
nopriv_user=ftp
pam_service_name=ftp
session_support=NO
use_localtime=YES
user_config_dir=/etc/vsftpd/users
userlist_enable=YES
userlist_file=/etc/vsftpd/denied_users
xferlog_enable=YES
local_umask=022
connect_from_port_20=YES
dirlist_enable=YES
download_enable=YES
local_max_rate=110000
dual_log_enable=YES
user_sub_token=$USER
local_root=/var/ftp/virtual_users/$USER/
[/code]
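An added example, not code from the wiki article or from the post above, that addresses points 1 and 2: a small POSIX shell script that rebuilds accounts.db into a fresh temporary file (so that deleted users really disappear, since db_load only appends to an existing database) and stores crypt(3) hashes instead of plain-text passwords, to be paired with crypt=crypt in the PAM entry. The users.txt input format (one user:password per line), its path, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki article or the post): rebuild vsftpd's
# accounts.db from scratch and store crypt(3) hashes, not plain text.
# Assumed input format: one "user:password" per line; blank lines and
# lines starting with '#' are ignored.
set -eu

# Hash one password the way the post suggests (openssl passwd -crypt).
# The fixed salt "ab" only mirrors the post; use a random salt per user.
# OpenSSL 3.x dropped -crypt; "openssl passwd -6" gives a SHA-512 crypt(3)
# string, which pam_userdb's crypt=crypt comparison also understands.
hash_password() {
    printf '%s\n' "$1" | openssl passwd -crypt -stdin -salt ab
}

# Convert "user:password" lines into the alternating key/value text that
# `db_load -T -t hash` reads: user name on one line, its hash on the next.
build_db_input() {
    while IFS=: read -r user pass; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s\n%s\n' "$user" "$(hash_password "$pass")"
    done < "$1"
}

# db_load appends to an existing database, so always load into a new
# temporary file next to the target and then atomically replace the old one.
rebuild_accounts_db() {
    users_file=$1; db=$2
    tmp=$(mktemp "${db}.XXXXXX")
    build_db_input "$users_file" | db_load -T -t hash "$tmp"
    chmod 600 "$tmp"            # only root (via PAM) needs to read the hashes
    mv -f "$tmp" "$db"
}

# Usage: sh rebuild_accounts.sh /etc/vsftpd/users.txt /etc/vsftpd/accounts.db
if [ $# -eq 2 ]; then
    rebuild_accounts_db "$1" "$2"
fi
```

Run it again after every edit to users.txt; because the database is regenerated from the text file each time, removing a line there removes the login.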