Prevent FTP users from being able to navigate to directories above their home
You will need to find a feature specific to the ftp server you are using that could create a chroot-like environment. Some examples are:
- proftpd: `DefaultRoot`. This option will have to point to what is the chroot dir of a server.
- pureftpd: `-A` option. Quoting the documentation:
  > This feature is called "chroot". You can enable this by running pure-ftpd with the "-A" switch to do this with ALL your users (but root).
- vsftpd: `chroot_local_user=YES` will chroot to default user home. There is already a good answer here.
Author: Cain Nuke
Updated on September 18, 2022
Comments
- Cain Nuke almost 2 years
  I created a user on CentOS 7 via webmin and pointed `/var/www/html/` page as their home directory so when they log in they start from there. However, I logged in myself and realized that they can navigate from there to the upper directories which I don't want. How can I prevent this from happening?
  Thank you.
- Cain Nuke about 7 years
  It's weird but I didn't install any FTP server so I don't even know how come I am able to FTP access.
- Admin about 7 years
  As pointed out by @ivanivan, the default ftp server on webmin should be `proftpd`. It is just a matter of finding the configuration file and putting a line like `DefaultRoot /var/www/html/` on it :)
- Cain Nuke about 7 years
  But that one is stopped right now and I'm still able to access. Is that normal?
- Admin about 7 years
  `netstat -tapn | grep 21`, and see what is the process that is `LISTENING` on this port (21/tcp - ftp)
- Cain Nuke about 7 years
  I see nothing on port 21, the user is on port 22.
- Admin about 7 years
  22 is `ssh` so, `sftp` or `scp` are the protocols used to exchange files. Are you sure that is really an ftp server, and there is no custom port configured?
- Admin about 7 years
  SFTP is an extension of FTP through SSH. That's why you can access, because it is not related to proftpd. If you have a `ssh` daemon running on your server, you will mostly be able to use sftp... "chrooting" sftp is a hell of a quest, and should not be as trivial as it is with a ftp server...
- Cain Nuke about 7 years
  So I need to enable chroot in SSH instead?
- Admin about 7 years
  Yup. If you are using SFTP you started asking the wrong question, since they use totally different servers... and it is not a trivial question (you should follow a how-to) - wiki.archlinux.org/index.php/SFTP_chroot
- Cain Nuke about 7 years
  Thank you for your help. Although it was actually easier than that.
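
The diagnosis worked through in the comments (find out which daemon is really listening, then check that daemon's jail setting), as an added example that is not part of the original thread. The netstat sample, the sshd_config fragment and the account name `ftpuser` are constructed; `ChrootDirectory` and `ForceCommand internal-sftp` are sshd_config keywords that the page itself does not mention, and pure-ftpd's `-A` is a command-line switch, so it is not covered.

```shell
#!/bin/sh
# Added example; the sample data below is constructed, not from the thread.

# listener_for_port PORT: read `netstat -tapn` output on stdin and print the
# program(s) in LISTEN state on exactly PORT. A plain `grep 21` also matches
# port 2121 or PID 1021, so the port is compared as a whole field instead.
listener_for_port() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, addr, ":")      # handles 0.0.0.0:22 and :::22
            if (addr[n] != port) next
            prog = $7
            sub(/^[0-9]+\//, "", prog)    # drop the "PID/" prefix
            sub(/:$/, "", prog)           # some systems print "sshd:"
            print prog
        }' | sort -u
}

# chroot_setting DAEMON: read that daemon's config on stdin, print the active
# (uncommented) jail directive, return non-zero if there is none.
# vsftpd is matched in the exact form given in the answer. Match blocks in
# sshd_config are not evaluated; the directive line is only reported.
chroot_setting() {
    case $1 in
        proftpd) grep -Ei '^[[:space:]]*DefaultRoot[[:space:]]+[^[:space:]]' ;;
        vsftpd)  grep -E  '^chroot_local_user=YES[[:space:]]*$' ;;
        sshd)    grep -Ei '^[[:space:]]*ChrootDirectory[[:space:]]+[^[:space:]]' |
                 grep -Eiv '[[:space:]]none[[:space:]]*$' ;;
        *)       echo "unknown daemon: $1" >&2; return 2 ;;
    esac
}

# Constructed netstat output resembling the situation in the comments:
# nothing on 21/tcp, sshd on 22/tcp.
SAMPLE_NETSTAT='tcp   0  0 0.0.0.0:22      0.0.0.0:*  LISTEN  1021/sshd
tcp   0  0 127.0.0.1:2121  0.0.0.0:*  LISTEN  2210/python
tcp6  0  0 :::22           :::*       LISTEN  1021/sshd'

# Constructed sshd_config fragment; "ftpuser" is a placeholder account name.
SAMPLE_SSHD='#ChrootDirectory none
Match User ftpuser
    ChrootDirectory /var/www/html
    ForceCommand internal-sftp'

printf '%s\n' "$SAMPLE_NETSTAT" | listener_for_port 22      # sshd
printf '%s\n' "$SAMPLE_SSHD"    | chroot_setting sshd
```

On a live host the same functions take real input, for example `netstat -tapn | listener_for_port 21` and `chroot_setting sshd < /etc/ssh/sshd_config`.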