Friday, January 11, 2008

Chrooting User in VSFTPD

For FTP Server, i personally like VSFTPD, since it's very small in size, easy to configure, and it's very secure. You also have two kinds of options for starting the vsftpd daemon, either via inetd or standalone (i would prefer the first one though).

Few days ago, one of my friend asked me a FTP configuration that could prevent users to go up to the root level. I said that VSFTPD should have prevent that, but when i tried to reproduce, it seems that the default configuration didn't enable this option: chroot_local_user=yes. The results? User who have a local account can access the whole system, including getting the /etc/passwd or /etc/shadow password (even though he had to crack it to get access for all system). This is not a good default configuration. So i asked my friend who is working as a sysadmin in my campus. He used proFTPD, but he managed to look the VSFTPD configuration for me, and he found the chroot_local_user option. Here's the description for that option from VSFTPD's Man Page:
chroot_local_user
If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They apply to all FTP daemons which offer to put local users in chroot() jails.

Default: NO
I'm quite confused with the security implication. I thought it would be a good idea to place users on their home directory and not other place. Can somebody give a good explanation on this?