Wiki article - Chroot vsftpd with non-system users

Postby TrevorH » 2011/11/17 13:36:21

Alan, since your name is at the bottom of the article http://wiki.centos.org/HowTos/Chroot_Vs ... stem_users I suspect this is one for you...

I wanted to set up something similar to this article so that I could divorce ftp users from system users - i.e. give ftp users absolutely no ability to logon to anything else. I found a few shortcomings in it :-(

1) db_load does not replace the contents of an existing accounts.db, it appends to it. This means that the instructions for deleting users do not work.
2) Passwords are held in accounts.db in plain text and are humanly readable by anyone with read access to accounts.db. Can be fixed by using crypt=crypt on the pam entry and piping the password through e.g. openssl passwd -crypt -stdin -salt ab.
3) The iptables rules probably only need the first of the two mentioned rules but ip_conntrack_ftp should be added to /etc/sysconfig/iptables-options IPTABLES_MODULES line. This, together with the standard RELATED,ESTABLISHED iptables rule should be sufficient.

To get this set up to completely ignore system-based users I had to change guest_enable= from NO to YES, and also I found that the per-user settings were unnecessary. I ended up with this lot:

Code:
anon_world_readable_only=NO
anonymous_enable=NO
chroot_local_user=YES
guest_enable=YES
hide_ids=YES
listen=YES
local_enable=YES
max_clients=100
max_per_ip=2
nopriv_user=ftp
pam_service_name=ftp
session_support=NO
use_localtime=YES
user_config_dir=/etc/vsftpd/users
userlist_enable=YES
userlist_file=/etc/vsftpd/denied_users
xferlog_enable=YES
local_umask=022
connect_from_port_20=YES
dirlist_enable=YES
download_enable=YES
local_max_rate=110000
dual_log_enable=YES
user_sub_token=$USER
local_root=/var/ftp/virtual_users/$USER/
TrevorH
Forum Moderator
Posts: 9168
Joined: 2009/09/24 10:40:56
Location: Brighton, UK
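An added example (not part of Trevor's post or the wiki article) that scripts points 1 and 2 above: the accounts database is always rebuilt from a fresh temporary file, so db_load's append behaviour cannot leave deleted users behind, and only password hashes ever reach the file. It assumes that pam_userdb with crypt=crypt accepts any glibc crypt(3) hash, so SHA-512 ($6$) from openssl passwd -6 stands in for the DES -crypt option that newer OpenSSL releases no longer provide; the users-file format (user:password, one per line), the function names and the paths are all assumptions of this example.

```shell
#!/bin/sh
# Added example: rebuild /etc/vsftpd/accounts.db for pam_userdb from a
# "user:password" list, storing crypt(3)-style hashes instead of clear text.
#
# Matching PAM entry (assumed; pam_userdb takes the db path without ".db"):
#   auth required pam_userdb.so db=/etc/vsftpd/accounts crypt=crypt

# Hash one clear-text password. SHA-512 crypt ($6$...) is assumed to be
# accepted by pam_userdb's crypt=crypt because glibc crypt(3) understands it.
hash_password() {
    openssl passwd -6 "$1"
}

# Read "user:password" lines on stdin and emit db_load -T input:
# one key line (the user name) followed by one value line (the hash).
# Blank lines and lines starting with '#' are skipped.
make_db_input() {
    while IFS=: read -r user pass; do
        [ -z "$user" ] && continue
        case "$user" in \#*) continue ;; esac
        printf '%s\n%s\n' "$user" "$(hash_password "$pass")"
    done
}

# Build the database in a fresh temp file and swap it into place.
# db_load appends to an existing file, so loading into a new file is what
# makes removed users actually disappear; mv keeps the swap atomic.
#   $1 = users file, $2 = destination db (default /etc/vsftpd/accounts.db)
rebuild_accounts_db() {
    src="$1"
    dest="${2:-/etc/vsftpd/accounts.db}"
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1
    if make_db_input < "$src" | db_load -T -t hash "$tmp"; then
        chmod 600 "$tmp"          # hashes still deserve root-only access
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage: ./vsftpd_users.sh --rebuild /etc/vsftpd/virtual_users.txt
if [ "${1:-}" = "--rebuild" ]; then
    rebuild_accounts_db "$2" "${3:-}"
fi
```

Keep the clear-text users file readable by root only (or delete it after each rebuild), since it is the one place the passwords still exist unhashed.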

Re: Wiki article - Chroot vsftpd with non-system users

Postby AlanBartlett » 2011/11/17 16:47:18

@Trevor,

Although I was the last person to make a change to that page (probably a typo or English grammar), I did not write it nor do I fully understand it. :-?

There are two ways to get your modifications in place:

(1) Create your own wiki account, as per Contribute to the Wiki and ask Ralph to give you access to that page (preferred).

(2) Spell out exactly what you would like to see changed and then pass it to me to action on your behalf (less preferred).

I hope you will make the right choice. :-D
AlanBartlett
Forum Moderator
Posts: 8975
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Wiki article - Chroot vsftpd with non-system users

Postby toracat » 2011/11/17 16:52:46

I strongly recommend choice (1). :-)

Also, one can see the history of any wiki page by adding a ?action=info to the URL like so:

http://wiki.centos.org/HowTos/Chroot_Vs ... ction=info

You can see Alan did a typo correction the last two times.
toracat
Forum Moderator
Posts: 6696
Joined: 2006/09/03 16:37:24
Location: California, US
