[thelist] unix acl help

Dean Mah dean.mah at gmail.com
Thu Dec 20 13:38:02 CST 2007


On Dec 20, 2007 11:49 AM, Robert O'Rourke <rob at sanchothefat.com> wrote:
> David Menzel wrote:
> > What you describe wanting is exactly what chroot is supposed to do. You
> > stated that you believe this is setup already, but please check your
> > settings on this again. To quote from a previous respondent :
> >
> > - Adding regular users to vsftpd.chroot_list should prevent them from
> > leaving their home directory, e.g., /home/username.
> >
> >
> >
>
> This is essentially what I have, with everything else under /etc/vsftpd
> untouched:
>
> /etc/passwd:
> username:x:1009:1013::/home/ftp/./username:/sbin/nologin
>
> /etc/group:
> ftp-users:x:1013:apache,username
>
> /etc/vsftpd/vsftpd.conf:
> anonymous_enable=NO
> local_enable=YES
> write_enable=YES
> local_umask=022
> connect_from_port_20=YES
> nopriv_user=ftp
> chroot_local_user=YES
> chroot_list_enable=YES
> chroot_list_file=/etc/vsftpd/chroot_list
> pam_service_name=vsftpd
> userlist_enable=YES
> listen=YES
> tcp_wrappers=NO
>
> /etc/vsftpd/chroot_list:
> username
>
> One (possibly groan-inducing) thing that may be messing with it is that
> in their home directory I've symlinked to another file in another
> directory (/home/websites) with the right permissions where each
> website's static files are stored, e.g., images/pdfs/exes. Would reversing
> the symlink so that the files are in /home/ftp/username stop them from
> being able to list directories outside of their home directory?

The users should not have access to /home/websites from FTP as you've
chroot'ed them into their home directory.  For the symlink to still be valid,
the directory would need to be /home/ftp/username/home/websites, which
is not your intent.

Did you restart vsftpd or get it to reload its configuration?  You might want
to remove the . from the user's home directory, i.e., /home/ftp/username.

Maybe check your logs to see if there was a configuration error that you
missed when restarting vsftpd.

Dean
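As an added illustration (not part of this thread, and not vsftpd's own code), the script below applies the rule documented in vsftpd.conf(5) for the two options in the posted configuration: with chroot_list_enable=YES the list file normally names the users who are jailed, but when chroot_local_user=YES is also set, the list becomes the set of users who are NOT jailed. Feeding it the configuration and chroot_list from the thread shows that "username" ends up exempt from the chroot, while a user absent from the list would be jailed. The file contents are embedded as constructed strings so it runs offline; the user names "username" and "alice" are assumptions for the demonstration.

```python
"""Work out which local users vsftpd will chroot, from vsftpd.conf and
the chroot list file.  Added example, not vsftpd's code: it encodes the
semantics in vsftpd.conf(5) for chroot_local_user / chroot_list_enable.
"""

from typing import Dict, Iterable, Set


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def parse_user_list(text: str) -> Set[str]:
    """One user name per line, as in /etc/vsftpd/chroot_list."""
    return {
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    }


def is_yes(opts: Dict[str, str], key: str, default: str = "NO") -> bool:
    """vsftpd booleans are YES/NO; both options default to NO."""
    return opts.get(key, default).upper() == "YES"


def chrooted_users(opts: Dict[str, str], listed: Set[str],
                   users: Iterable[str]) -> Set[str]:
    """Return the users vsftpd will jail in their home directory."""
    jail_all = is_yes(opts, "chroot_local_user")
    use_list = is_yes(opts, "chroot_list_enable")
    jailed: Set[str] = set()
    for user in users:
        if use_list:
            # chroot_local_user=YES turns the list into an exception list.
            in_jail = (user not in listed) if jail_all else (user in listed)
        else:
            in_jail = jail_all
        if in_jail:
            jailed.add(user)
    return jailed


# Constructed copies of the files quoted in the thread.
VSFTPD_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
connect_from_port_20=YES
nopriv_user=ftp
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=NO
"""
CHROOT_LIST = "username\n"


def report(conf_text: str, list_text: str, users: Iterable[str]) -> Dict[str, bool]:
    """Map each user to True if jailed, False if free to leave the home dir."""
    opts = parse_vsftpd_conf(conf_text)
    listed = parse_user_list(list_text)
    jailed = chrooted_users(opts, listed, users)
    return {u: (u in jailed) for u in users}


if __name__ == "__main__":
    for user, jailed in report(VSFTPD_CONF, CHROOT_LIST, ["username", "alice"]).items():
        print(f"{user}: {'chrooted' if jailed else 'NOT chrooted'}")
```

Run as-is it prints that "username" is NOT chrooted and "alice" (hypothetical, not in the list) is, which matches the reported symptom of being able to list directories outside the home directory. Dropping chroot_local_user=YES, or removing the user from chroot_list, flips the result; as the reply above says, reload vsftpd and check its log after any such change.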


