Prevent FTP users from being able to navigate to directories above their home
9,450
You will need to find a feature specific to the ftp server you are using that could create a chroot-like environment. Some examples are:
- proftpd: DefaultRoot. This option will have to point what is the chroot dir of a server.
-
pureftpd:
-Aoption. Quoting the documentation
This feature is called "chroot". You can enable this by running pure-ftpd with the "-A" switch to do this with ALL your users (but root) .
-
vsftpd:
chroot_local_user=YESwill chroot to default user home. There is already a good answer here.
Related videos on Youtube
16 : 32
IIS FTP - User Isolation Setup with Admin Access
04 : 26
How To Create A Ftp User With Specific Dir Access Only On A Ubuntu
08 : 15
Tutorial FTP Ubuntu - Create a FTP user to access home directory only
18 : 41
4. IIS FTP - User Isolation Setup and other Features
01 : 51
Unix & Linux: Prevent FTP users from being able to navigate to directories above their home
09 : 10
vsFTP Server on Ubuntu - Part 2 - Allow Users Local Access FTP Server - Restrict Home Directory
Author by
Cain Nuke
Updated on September 18, 2022Comments
-
Cain Nuke almost 2 years
I created a user on Centos 7 via webmin and pointed
/var/www/html/page as their home directory so when they log in they start from there.However, I logged in myself and realized that they can navigate from there to the upper directories which I don't want. How can I prevent this from happening?
Thank you.
-
Cain Nuke about 7 yearsits weird but I didnt install any ftp server so I dont even know how come I am able to FTP access.
-
Admin about 7 yearsAs pointed out by @ivanivan, the default ftp server on webmin should beproftpd. It is just a matter of finding the configuration file and put a line likeDefaultRoot=/var/www/html/on it :) -
Cain Nuke about 7 yearsBut that one is stopped right now and Im still able to access. Is that normal?
-
Admin about 7 years
netstat -tapn | grep 21, and see what is the process that isLISTENINGon this port(21/tcp - ftp) -
Cain Nuke about 7 yearsI see nothing on port 21, the user is on port 22.
-
Admin about 7 years22 is
sshso,sftporscpare the protocols used to exchange files. Are you sure that is really an ftp server, and there is no custom port configured? -
Admin about 7 yearsSFTP is and extension of FTP throuhg SSH. That's why you can access, because it is not related do proftpd. If you have a
sshdaemon running on your server, you will mostly be able to use sftp... "chrooting" sftp is a hell of a quest, and should not be as trivial as it is with a ftp server... -
Cain Nuke about 7 yearsSo I need to enable chroot in SSH instead?
-
Admin about 7 yearsYup. If you are using SFTP you started asking the wrong question, since they use totally different servers... and it is not a trivial question(you should follow a how-to) - wiki.archlinux.org/index.php/SFTP_chroot
-
Cain Nuke about 7 yearsThank you for your help. Although it was actually easier than that.