How to install and configure FTP server with chroot in Ubuntu 12.04 LTS
In this tutorial we will learn how to configure an FTP server with chroot enabled in Ubuntu 12.04 LTS.
Advantage: the FTP user is confined to its home directory at login (because chroot is enabled). The user cannot change to any directory outside its own home directory.
We can also define which users are allowed to change into other system directories in addition to their home directory.
Note: We will install the vsftpd 3.0 package by downloading it onto the system. We are not going to use the "apt-get install" method, because the repository package has a bug related to chroot. For reference: https://sharadchhetri.com/2013/05/20/500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/
Follow the steps given below.
Step 1: Download the vsftpd package and install it
tux@ubuntu:~$ sudo su -
[sudo] password for tux:
root@ubuntu:~#
root@ubuntu:~# cd /root/
root@ubuntu:~# wget http://security.ubuntu.com/ubuntu/pool/main/v/vsftpd/vsftpd_3.0.2-1ubuntu2_i386.deb
Resolving security.ubuntu.com (security.ubuntu.com)... 91.189.92.190, 91.189.92.201, 91.189.92.202, ...
Connecting to security.ubuntu.com (security.ubuntu.com)|91.189.92.190|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 114714 (112K) [application/x-debian-package]
Saving to: `vsftpd_3.0.2-1ubuntu2_i386.deb'
100%[=========================================================================================>] 114,714 219K/s in 0.5s
2013-05-20 09:36:21 (219 KB/s) - `vsftpd_3.0.2-1ubuntu2_i386.deb' saved [114714/114714]
root@ubuntu:~#
root@ubuntu:~# dpkg -i vsftpd_3.0.2-1ubuntu2_i386.deb
#### Install the dependency of VSFTPD ####
root@ubuntu:~# apt-get install libcap2
Step 3: Take a backup of the original vsftpd.conf file
# cp -p vsftpd.conf.dpkg-new vsftpd.conf
# cp -p /etc/vsftpd.conf /etc/vsftpd.conf.orig
Step 4: Set the parameters given below in the /etc/vsftpd.conf file.
root@ubuntu:/# vi /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
allow_writeable_chroot=YES
root@ubuntu:/#
Step 5: Now restart the vsftpd service
service vsftpd restart
Step 6: Now you can log in to the FTP server and upload and download files. Use the command line, a web browser or any FTP client (FileZilla, Cyberduck, FireFTP, etc.).
Allow some users to change into other system directories in addition to their home directory
Step A: Create the file /etc/vsftpd.chroot_list and put in it the system usernames that you want to exempt from the chroot, i.e. the users who may change into directories outside their home directory.
# touch /etc/vsftpd.chroot_list
# vi /etc/vsftpd.chroot_list
username1
joe
Step B: In the same /etc/vsftpd.conf file, enable the chroot list by setting chroot_list_enable=YES together with chroot_list_file=/etc/vsftpd.chroot_list. The list file is only consulted when chroot_list_enable is YES; both parameters appear in the reference configuration further below.
vi /etc/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Step C: Restart the vsftpd service
service vsftpd restart
Step D: Now check your FTP login through the command line or an FTP client.
REFERENCE: the actual /etc/vsftpd.conf configuration which I am using on the server
root@ubuntu:/etc# egrep -v '^#' vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
allow_writeable_chroot=YES
root@ubuntu:/etc#
Below is an example in which only user joe can change to other system directories. Because username tux is not listed in /etc/vsftpd.chroot_list, user tux is not able to change to any directory except those within its own home directory.
linux@tuxworld:~$ ftp 10.10.0.13
Connected to 10.10.0.13.
220 (vsFTPd 3.0.2)
Name (10.10.0.13:linux): joe
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /home/tux
250 Directory successfully changed.
ftp> cd /opt
250 Directory successfully changed.
ftp> bye
221 Goodbye.
linux@tuxworld:~$
linux@tuxworld:~$ ftp 10.10.0.13
Connected to 10.10.0.13.
220 (vsFTPd 3.0.2)
Name (10.10.0.13:linux): tux
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /home/joe
550 Failed to change directory.
ftp> cd /opt
550 Failed to change directory.
ftp>
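The two sessions above are the observable result of the chroot_local_user / chroot_list_enable combination set in Step 4 and Step B. The script below is an added example, not part of the tutorial or of vsftpd itself: it parses a vsftpd.conf and a chroot list file, predicts from the rules in vsftpd.conf(5) which local users end up confined, and flags settings a reviewer would question (the writable chroot root that the tutorial enables, a list file that is set without chroot_list_enable=YES, and TLS left off). The sample configuration and list are constructed from the values the tutorial shows; the function and variable names are the example's own.

```python
# Added example (not from the tutorial or vsftpd): audit vsftpd chroot settings
# and predict which local users are confined. Chroot semantics follow
# vsftpd.conf(5); SAMPLE_CONF and SAMPLE_LIST are constructed from the values
# shown in the tutorial's reference configuration.

SAMPLE_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
allow_writeable_chroot=YES
"""

SAMPLE_LIST = "username1\njoe\n"


def parse_vsftpd_conf(text):
    """Parse vsftpd.conf: blank lines and '#' comments are skipped; every other
    line must be option=value (vsftpd itself rejects whitespace around '=')."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed vsftpd.conf line: %r" % raw)
        key, value = line.split("=", 1)
        settings[key.lower()] = value
    return settings


def parse_chroot_list(text):
    """One username per line; blank lines are ignored."""
    return set(line.strip() for line in text.splitlines() if line.strip())


def is_yes(settings, key, default="NO"):
    return settings.get(key, default).upper() == "YES"


def is_chrooted(settings, chroot_list, username):
    """vsftpd.conf(5): with chroot_list_enable=YES the list names the users
    EXEMPTED from the chroot when chroot_local_user=YES, and the users CONFINED
    when chroot_local_user=NO. Without the list, chroot_local_user decides alone."""
    listed = username in chroot_list
    list_on = is_yes(settings, "chroot_list_enable")
    if is_yes(settings, "chroot_local_user"):
        return not (list_on and listed)
    return list_on and listed


def audit(settings):
    """Findings a reviewer would raise about the chroot-related settings."""
    findings = []
    # vsftpd's built-in default for anonymous_enable is YES, so absence counts as on.
    if is_yes(settings, "anonymous_enable", default="YES"):
        findings.append("anonymous_enable=YES: anonymous logins are accepted")
    if not is_yes(settings, "chroot_local_user"):
        findings.append("chroot_local_user=NO: local users can browse the whole filesystem")
    if "chroot_list_file" in settings and not is_yes(settings, "chroot_list_enable"):
        findings.append("chroot_list_file is set but chroot_list_enable is not YES: the list is ignored")
    if is_yes(settings, "allow_writeable_chroot"):
        findings.append("allow_writeable_chroot=YES: vsftpd's refusal of a writable chroot root is disabled")
    if not is_yes(settings, "ssl_enable"):
        findings.append("ssl_enable is not YES: passwords and file data cross the network in clear text")
    return findings


def report(conf_text, list_text, usernames):
    """Map each username to True (confined to home) or False (may leave it)."""
    settings = parse_vsftpd_conf(conf_text)
    chroot_list = parse_chroot_list(list_text)
    return dict((u, is_chrooted(settings, chroot_list, u)) for u in usernames)


if __name__ == "__main__":
    for user, confined in sorted(report(SAMPLE_CONF, SAMPLE_LIST, ["joe", "tux"]).items()):
        print("%s: %s" % (user, "confined to home" if confined else "may cd outside home"))
    for finding in audit(parse_vsftpd_conf(SAMPLE_CONF)):
        print("finding: " + finding)
```

Run against the tutorial's values the script reports joe as free to leave its home and tux as confined, which matches the two FTP sessions. Removing the chroot_list_enable=YES line (Step B as it was first written, with only chroot_list_file) makes joe confined as well and produces the "list is ignored" finding, which is the quickest way to see why both parameters are needed.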