How to configure ProFTPD to chroot users to /home directory or any other selected directory

Wednesday, 30th June 2010

If you're running ProFTPD on a Linux server, you have most certainly wondered how to configure the FTP server to chroot (or jail) its users to a particular directory of your choice.

By default ProFTPD does not use any chrooting, I believe because chrooting is not yet a widely accepted standard, so you will have to make a minor modification to the proftpd.conf file.
Actually, configuring ProFTPD to chroot / jail its users is much easier than it sounds.

To configure ProFTPD to chroot its users to their own home directories under /home, all you have to do is edit your proftpd.conf.
On Debian Linux and many other Linux distributions, proftpd.conf is located at /etc/proftpd/proftpd.conf

root@linux-server:~# vim /etc/proftpd/proftpd.conf

Therein uncomment the line # DefaultRoot ~

to read

DefaultRoot ~

If you further need to jail ProFTPD users to, let's say, their public_html directory for security reasons, just change the above-mentioned DefaultRoot directive to:

DefaultRoot ~/public_html

Hopefully, taking these steps will make your Linux server a bit more secure.
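
An added example (not part of the original post): a small Python audit that reads a proftpd.conf and reports whether the DefaultRoot change described above is actually active. The sample configs are constructed, the function names are hypothetical, and it assumes a flat config file, ignoring <VirtualHost>/<Global> scoping and Include files.

```python
# Constructed sample configs (not taken from a real server).
NO_JAIL = """\
ServerName "Debian"
# DefaultRoot ~
Umask 022 022
"""
JAILED = """\
ServerName "Debian"
DefaultRoot ~
"""
PARTIAL = """\
DefaultRoot / admins
DefaultRoot /mnt/md1 ftpusers
"""

def default_roots(conf_text):
    """Return [(directory, group_expression or None)] for active DefaultRoot lines."""
    rules = []
    for line in conf_text.splitlines():
        parts = line.split()
        # Lines starting with '#' are comments, e.g. the shipped "# DefaultRoot ~".
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "defaultroot" and len(parts) >= 2:
            # Optional second argument restricts the rule to a group expression.
            group = parts[2] if len(parts) > 2 and not parts[2].startswith("#") else None
            rules.append((parts[1], group))
    return rules

def audit(conf_text):
    """Return a list of findings; an empty list means no problem was detected."""
    rules = default_roots(conf_text)
    if not rules:
        return ["no active DefaultRoot: FTP sessions are not chrooted"]
    findings = []
    for directory, group in rules:
        if directory == "/":
            findings.append(f"DefaultRoot / ({group or 'all users'}): no jail")
    # A rule without a group expression applies to everyone; without one,
    # users outside the listed groups are left without a chroot.
    if not any(group is None and d != "/" for d, group in rules):
        findings.append("no catch-all DefaultRoot without a group expression")
    return findings

if __name__ == "__main__":
    for name, conf in [("no_jail", NO_JAIL), ("jailed", JAILED), ("partial", PARTIAL)]:
        print(name, audit(conf) or "OK")
```

To check a real server, pass the contents of /etc/proftpd/proftpd.conf to audit() instead of the constructed strings.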


3 Responses to “How to configure ProFTPD to chroot users to /home directory or any other selected directory”

  1. gecko says:

    proftp: DocumentRoot : Cruel!!!

    I want to grant specific groups specific home-dirs somewhere
    in the filesystem, not necessarily under /home

    I found:

    DefaultRoot / admins #yes,totally unsecure,but secure intranet 🙂
    DefaultRoot /mnt/md1 ftpusers
    DefaultRoot /mnt/md1/public public
    DefaultRoot ~

    but nothing!!
    horrible software!

    I run:
    Linux IB-NAS4220-B 2.6.15 #140 Fri Sep 7 10:29:15 CST 2007 armv4l GNU/Linux

    • admin says:

      Hi,

      try to play with umask var;

      # Umask 022 is a good standard umask to prevent new files and dirs
      # (second parm) from being group and world writable.
      Umask 022 022

      Also maybe try to set permissions manually with chmod / chown to directories? I think I don’t fully understand what you need to do.

      Regards,
      Georgi

  2. Alexander Ewering says:

    I have just stumbled over this, uhm, BUG and I must say, I am totally baffled as to why DefaultRoot ~ is not the DEFAULT.

    This is highly dangerous and certainly sheds a bad light on a product that on the whole doesn't have the best security record anyway.
