Automatically change to subfolder in chroot jail on login Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Come Celebrate our 10 Year Anniversary!How to create virtual users in vsftpd?vsftp “Access is denied” when writing as an authenticated userVSFTPD won't allow upload to mounted (Shared) Directory. RHEL6Vsftpd access over wanChroot user VSFTPD, can't enter FolderChroot Jailing groups via sshd_config for FTP results in connection aborted for all members in that groupFTP over SSH chroot permissionsvsftpd on rhel 7.4 disallowing write & modifyVsftpd user authenticationFTP: Jail user to Home folder
Multi tool use
How often does castling occur in grandmaster games?
What does Turing mean by this statement?
AppleTVs create a chatty alternate WiFi network
How to change the tick of the color bar legend to black
Central Vacuuming: Is it worth it, and how does it compare to normal vacuuming?
Tips to organize LaTeX presentations for a semester
How to write capital alpha?
Why is the change of basis formula counter-intuitive? [See details]
What adaptations would allow standard fantasy dwarves to survive in the desert?
i2c bus hangs in master RPi access to MSP430G uC ~1 in 1000 accesses
Found this skink in my tomato plant bucket. Is he trapped? Or could he leave if he wanted?
Delete free apps from library
A proverb that is used to imply that you have unexpectedly faced a big problem
As a dual citizen, my US passport will expire one day after traveling to the US. Will this work?
Sally's older brother
Why is it faster to reheat something than it is to cook it?
Should a wizard buy fine inks every time he want to copy spells into his spellbook?
My mentor says to set image to Fine instead of RAW — how is this different from JPG?
Is openssl rand command cryptographically secure?
Mounting TV on a weird wall that has some material between the drywall and stud
Is there any word for a place full of confusion?
The Nth Gryphon Number
What does the writing on Poe's helmet say?
Special flights
Automatically change to subfolder in chroot jail on login
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)
Come Celebrate our 10 Year Anniversary!How to create virtual users in vsftpd?vsftp “Access is denied” when writing as an authenticated userVSFTPD won't allow upload to mounted (Shared) Directory. RHEL6Vsftpd access over wanChroot user VSFTPD, can't enter FolderChroot Jailing groups via sshd_config for FTP results in connection aborted for all members in that groupFTP over SSH chroot permissionsvsftpd on rhel 7.4 disallowing write & modifyVsftpd user authenticationFTP: Jail user to Home folder
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I'm setting up an FTP server to replace an old windows server install. I'm using vsftpd on Ubuntu 16.04.
There are multiple users (automated test systems) external to the company, and we want to make the change transparent - no changes required to client machines
I have followed this guide and setup the virtual users and chroot jail. This works correcty, and when I log in using Filezilla, I can see that I am successfully chrooted into the virtual user's home directory (home/vftp/$USER).
However. This directory must not be writeable, to prevent breakout from the jail, so I have created a sub-directory home/vftp/$USER/uploads with write permissions. Because I don't want to have to make changes on the client machines, I need for them to be changed to this uploads directory upon login so that they just login + upload without having to change directory.
I'm aware that I can allow a writeable root (and hence not require a subfolder) with allow_writeable_chroot=YES, but as this is an externally-facing machine that's not really a great idea.
Is there a way that I can put the user in a chroot jail, but switch their working directory to a sub-directory?
vsftpd
asked Apr 11 '18 at 13:22
SiHaSiHa
1213
add a comment |
I'm setting up an FTP server to replace an old windows server install. I'm using vsftpd on Ubuntu 16.04.
There are multiple users (automated test systems) external to the company, and we want to make the change transparent - no changes required to client machines
I have followed this guide and setup the virtual users and chroot jail. This works correcty, and when I log in using Filezilla, I can see that I am successfully chrooted into the virtual user's home directory (home/vftp/$USER).
However. This directory must not be writeable, to prevent breakout from the jail, so I have created a sub-directory home/vftp/$USER/uploads with write permissions. Because I don't want to have to make changes on the client machines, I need for them to be changed to this uploads directory upon login so that they just login + upload without having to change directory.
I'm aware that I can allow a writeable root (and hence not require a subfolder) with allow_writeable_chroot=YES, but as this is an externally-facing machine that's not really a great idea.
Is there a way that I can put the user in a chroot jail, but switch their working directory to a sub-directory?
vsftpd
asked Apr 11 '18 at 13:22
SiHaSiHa
1213
I don't know a working solution, but I would probably look into pam_exec, matching on group, on successful login, exec a script which has the commands to put them in the subdir. I am not sure that all clients will play well with this however.
– Aaron
Apr 11 '18 at 21:39
@Aaron Thanks. That's exactly what I'd concluded yesterday, too, after some more searching of the interwebs. Some experimenting required now methinks.
– SiHa
Apr 12 '18 at 7:04
add a comment |
I'm setting up an FTP server to replace an old windows server install. I'm using vsftpd on Ubuntu 16.04.
There are multiple users (automated test systems) external to the company, and we want to make the change transparent - no changes required to client machines
I have followed this guide and setup the virtual users and chroot jail. This works correcty, and when I log in using Filezilla, I can see that I am successfully chrooted into the virtual user's home directory (home/vftp/$USER).
However. This directory must not be writeable, to prevent breakout from the jail, so I have created a sub-directory home/vftp/$USER/uploads with write permissions. Because I don't want to have to make changes on the client machines, I need for them to be changed to this uploads directory upon login so that they just login + upload without having to change directory.
I'm aware that I can allow a writeable root (and hence not require a subfolder) with allow_writeable_chroot=YES, but as this is an externally-facing machine that's not really a great idea.
Is there a way that I can put the user in a chroot jail, but switch their working directory to a sub-directory?
vsftpd
asked Apr 11 '18 at 13:22
SiHaSiHa
1213
I'm setting up an FTP server to replace an old windows server install. I'm using vsftpd on Ubuntu 16.04.
There are multiple users (automated test systems) external to the company, and we want to make the change transparent - no changes required to client machines
I have followed this guide and setup the virtual users and chroot jail. This works correcty, and when I log in using Filezilla, I can see that I am successfully chrooted into the virtual user's home directory (home/vftp/$USER).
However. This directory must not be writeable, to prevent breakout from the jail, so I have created a sub-directory home/vftp/$USER/uploads with write permissions. Because I don't want to have to make changes on the client machines, I need for them to be changed to this uploads directory upon login so that they just login + upload without having to change directory.
I'm aware that I can allow a writeable root (and hence not require a subfolder) with allow_writeable_chroot=YES, but as this is an externally-facing machine that's not really a great idea.
Is there a way that I can put the user in a chroot jail, but switch their working directory to a sub-directory?
vsftpd
vsftpd
asked Apr 11 '18 at 13:22
SiHaSiHa
1213
asked Apr 11 '18 at 13:22
SiHaSiHa
1213
edited Apr 11 '18 at 13:46
SiHa
asked Apr 11 '18 at 13:22
SiHaSiHa
1213
asked Apr 11 '18 at 13:22
SiHaSiHa
1213
asked Apr 11 '18 at 13:22
SiHaSiHa
1213
1213
I don't know a working solution, but I would probably look into pam_exec, matching on group, on successful login, exec a script which has the commands to put them in the subdir. I am not sure that all clients will play well with this however.
– Aaron
Apr 11 '18 at 21:39
@Aaron Thanks. That's exactly what I'd concluded yesterday, too, after some more searching of the interwebs. Some experimenting required now methinks.
– SiHa
Apr 12 '18 at 7:04
add a comment |
I don't know a working solution, but I would probably look into pam_exec, matching on group, on successful login, exec a script which has the commands to put them in the subdir. I am not sure that all clients will play well with this however.
– Aaron
Apr 11 '18 at 21:39
@Aaron Thanks. That's exactly what I'd concluded yesterday, too, after some more searching of the interwebs. Some experimenting required now methinks.
– SiHa
Apr 12 '18 at 7:04
I don't know a working solution, but I would probably look into pam_exec, matching on group, on successful login, exec a script which has the commands to put them in the subdir. I am not sure that all clients will play well with this however.
– Aaron
Apr 11 '18 at 21:39
I don't know a working solution, but I would probably look into pam_exec, matching on group, on successful login, exec a script which has the commands to put them in the subdir. I am not sure that all clients will play well with this however.
– Aaron
Apr 11 '18 at 21:39
@Aaron Thanks. That's exactly what I'd concluded yesterday, too, after some more searching of the interwebs. Some experimenting required now methinks.
– SiHa
Apr 12 '18 at 7:04
@Aaron Thanks. That's exactly what I'd concluded yesterday, too, after some more searching of the interwebs. Some experimenting required now methinks.
– SiHa
Apr 12 '18 at 7:04
add a comment |
1 Answer
1
active
oldest
votes
If you can set the user home directory, you can specify passwd_chroot_enable=YES in vsftpd.conf along with a home directory such as /home/vftp/USER/./uploads in /etc/passwd.
It will create the chroot jail in /home/vftp/USER and use the uploads subdirectory as the user HOME directory.
answered Apr 15 at 7:33
Christophe Drevet-DroguetChristophe Drevet-Droguet
1,43211222
Thanks - I can't mark as accepted, because we went a different way eventually, so I can't test it out.
– SiHa
Apr 15 at 8:00
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f907161%2fautomatically-change-to-subfolder-in-chroot-jail-on-login%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you can set the user home directory, you can specify passwd_chroot_enable=YES in vsftpd.conf along with a home directory such as /home/vftp/USER/./uploads in /etc/passwd.
It will create the chroot jail in /home/vftp/USER and use the uploads subdirectory as the user HOME directory.
answered Apr 15 at 7:33
Christophe Drevet-DroguetChristophe Drevet-Droguet
1,43211222
Thanks - I can't mark as accepted, because we went a different way eventually, so I can't test it out.
– SiHa
Apr 15 at 8:00
add a comment |
If you can set the user home directory, you can specify passwd_chroot_enable=YES in vsftpd.conf along with a home directory such as /home/vftp/USER/./uploads in /etc/passwd.
It will create the chroot jail in /home/vftp/USER and use the uploads subdirectory as the user HOME directory.
answered Apr 15 at 7:33
Christophe Drevet-DroguetChristophe Drevet-Droguet
1,43211222
Thanks - I can't mark as accepted, because we went a different way eventually, so I can't test it out.
– SiHa
Apr 15 at 8:00
add a comment |
If you can set the user home directory, you can specify passwd_chroot_enable=YES in vsftpd.conf along with a home directory such as /home/vftp/USER/./uploads in /etc/passwd.
It will create the chroot jail in /home/vftp/USER and use the uploads subdirectory as the user HOME directory.
answered Apr 15 at 7:33
Christophe Drevet-DroguetChristophe Drevet-Droguet
1,43211222
If you can set the user home directory, you can specify passwd_chroot_enable=YES in vsftpd.conf along with a home directory such as /home/vftp/USER/./uploads in /etc/passwd.
It will create the chroot jail in /home/vftp/USER and use the uploads subdirectory as the user HOME directory.
answered Apr 15 at 7:33
Christophe Drevet-DroguetChristophe Drevet-Droguet
1,43211222
answered Apr 15 at 7:33
Christophe Drevet-DroguetChristophe Drevet-Droguet
1,43211222
answered Apr 15 at 7:33
Christophe Drevet-DroguetChristophe Drevet-Droguet
1,43211222
answered Apr 15 at 7:33
Christophe Drevet-DroguetChristophe Drevet-Droguet
1,43211222
1,43211222
Thanks - I can't mark as accepted, because we went a different way eventually, so I can't test it out.
– SiHa
Apr 15 at 8:00
add a comment |
Thanks - I can't mark as accepted, because we went a different way eventually, so I can't test it out.
– SiHa
Apr 15 at 8:00
Thanks - I can't mark as accepted, because we went a different way eventually, so I can't test it out.
– SiHa
Apr 15 at 8:00
Thanks - I can't mark as accepted, because we went a different way eventually, so I can't test it out.
– SiHa
Apr 15 at 8:00
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f907161%2fautomatically-change-to-subfolder-in-chroot-jail-on-login%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
35krTkXKMZi026czIEdi9ySsNYiMKCnXN2,9fZELj,1vqdA4XkIxC8,DX,OEQ,KJhEn35su z0pBT3hE,GeOF,8crCVTa JHDsuouz,KsSBv6
I don't know a working solution, but I would probably look into pam_exec, matching on group, on successful login, exec a script which has the commands to put them in the subdir. I am not sure that all clients will play well with this however.
– Aaron
Apr 11 '18 at 21:39
@Aaron Thanks. That's exactly what I'd concluded yesterday, too, after some more searching of the interwebs. Some experimenting required now methinks.
– SiHa
Apr 12 '18 at 7:04