Jail FTP Users to Their Home Directories

Even if you trust your users not to purposefully hack your server, allowing them to peruse the entire file system of your dedicated server whenever they want is a bad idea.

On most Linux distributions, normal users do not have permission to change system directories such as /etc, /var, and /usr, but they can still see them. If one of their accounts were ever compromised, the intruder would have a much easier time picking out a particular directory or system file to attack when everything is perfectly visible.

Fortunately, there is a way to make sure a user cannot move past his or her own home directory, if only to set your mind at ease. Since your users will be accessing the server through FTP, the easiest way to jail them in their directories is to configure the jail in your FTP server. I will give examples for two popular FTP servers: VSFTP and ProFTPD.

In VSFTP, edit the /etc/vsftpd/vsftpd.conf file:

nano /etc/vsftpd/vsftpd.conf

and change, add, or uncomment the following line:

chroot_local_user=YES

Save the file and restart VSFTP:

/etc/init.d/vsftpd restart

In ProFTPD, edit the following file:

/etc/proftpd/proftpd.conf

and uncomment the following line (remove the # in front of it):

DefaultRoot ~

If you need to jail the users further, for example, in their document root directories (such as public_html), use the following line:

DefaultRoot ~/public_html

Save the file and restart ProFTPD:

/etc/init.d/proftpd restart
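
To confirm that the settings above are actually in effect, the following shell script (an added example, not part of the original post) reports the jail status from each config file. It goes slightly beyond the text by also flagging vsftpd's chroot_list_enable, which exempts listed users from the jail when chroot_local_user=YES, and a ProFTPD DefaultRoot line that carries a group expression. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the FTP jail settings are in effect.
# Function names and sample files are constructed for illustration.

# Effective value of a vsftpd option, upper-cased. vsftpd reads the file
# top to bottom, so the last uncommented assignment is the one that counts.
vsftpd_opt() {  # $1 = config file, $2 = option name
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

is_yes() { case "$1" in YES|TRUE|1) return 0 ;; *) return 1 ;; esac; }

# Both options default to NO. With chroot_local_user=YES, enabling
# chroot_list_enable makes chroot_list_file a list of users who are NOT jailed.
vsftpd_jail_status() {  # $1 = path to vsftpd.conf
    if is_yes "$(vsftpd_opt "$1" chroot_local_user)"; then
        if is_yes "$(vsftpd_opt "$1" chroot_list_enable)"; then
            echo "jailed-except-listed"
        else
            echo "jailed"
        fi
    elif is_yes "$(vsftpd_opt "$1" chroot_list_enable)"; then
        echo "only-listed-jailed"
    else
        echo "not-jailed"
    fi
}

# First uncommented DefaultRoot line. A third field is a group expression
# that limits who is jailed. Simplification: <VirtualHost>/<Global> contexts
# are not tracked.
proftpd_jail_status() {  # $1 = path to proftpd.conf
    awk 'tolower($1) == "defaultroot" {
             kind = (NF > 2) ? "conditional:" : "jailed:"
             print kind $2; found = 1; exit
         }
         END { if (!found) print "not-jailed" }' "$1"
}

# Demo on constructed configs; on a server, pass the real paths instead.
tmp=$(mktemp -d)
printf '%s\n' '#chroot_local_user=YES' 'chroot_local_user=YES' \
    'chroot_list_enable=YES' > "$tmp/vsftpd.conf"
printf '%s\n' '# DefaultRoot ~' 'DefaultRoot ~/public_html' > "$tmp/proftpd.conf"
echo "vsftpd:  $(vsftpd_jail_status "$tmp/vsftpd.conf")"
echo "proftpd: $(proftpd_jail_status "$tmp/proftpd.conf")"
rm -rf "$tmp"
```

Any result other than "jailed" for vsftpd, or a "conditional:" result for ProFTPD, means at least some accounts can still browse outside their home directories.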

Now your users will not be able to browse through the entire directory structure of your server, only through their own files. There is another method to accomplish the same thing in SSH, and we will discuss that in a separate post.










