I am trying to use a chroot jail to restrict a user to a specific directory named gclegal. I have uncommented the line chroot_local_user=YES in the /etc/vsftpd.conf file and created a new user named kg:

$ sudo groupadd xenomai
$ sudo useradd -d /var/www/html/gclegal -g xenomai kg
$ sudo passwd kg

With this configuration I can log in through vsftpd as the kg user, but I can also browse back up into the parent directories and modify them, all the way up to /var/www/html.

How do I disable all operations outside the user's home (/var/www/html/gclegal)?
Answer 1

Since vsftpd version 2.2.2 there are two options for locking users in a chroot jail:

chroot_list_enable
Simply add the users you want to put in the chroot jail to the chroot list in /etc/vsftpd/chroot_list.

chroot_local_user
This locks all local users in the chroot jail; however, if this option is set, then chroot_list becomes the list of users NOT to put in a chroot jail.

So if you have configured chroot_local_user=YES, check that your chroot list does not contain the user kg.

Obviously, restart the vsftpd daemon after making the configuration change.

From man vsftpd.conf:
chroot_list_enable
If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if
chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list
is /etc/vsftpd/chroot_list, but you may override this with the chroot_list_file setting.
Default: NO
chroot_local_user
If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: This option has security implications, especially
if the users have upload permission, or shell access. Only enable if you know what you are doing. Note that these security implications are not vsftpd specific. They
apply to all FTP daemons which offer to put local users in chroot() jails.
Default: NO
I have configured vsftpd chroot for users, and these are the settings I use in /etc/vsftpd.conf (Ubuntu 14.04):
listen=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
allow_writeable_chroot=YES
Note:
Make sure /etc/vsftpd.chroot_list or /etc/vsftpd/chroot_list is empty.

Once you have it working, if you want to track ftp logins, you can set session_support=YES, and then they should show up with the last command:
username vsftpd:12025 IP address Tue Oct 14 14:05 - 14:10 (00:05)
username vsftpd:12011 IP address Tue Oct 14 14:04 - 14:05 (00:00)
Note - utmp and wtmp support is only available in PAM-enabled builds.
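The interplay between chroot_local_user and chroot_list_enable described in the answer and in the man page excerpt above is easy to get backwards, so here is an added example (not part of the original post or of vsftpd) that reads a vsftpd.conf and a chroot list and reports whether a given user will actually land in a jail; the config and list contents are constructed samples mirroring the question's setup.

```python
# Added example: decide from vsftpd.conf and the chroot list whether a
# local user ends up in a chroot() jail, following the man page rules.
from typing import Dict, Set

# Constructed sample mirroring the question (not a real server's config).
CONF_SAMPLE = """# constructed sample
listen=YES
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
allow_writeable_chroot=YES
"""
# Constructed: kg accidentally listed, which makes kg an EXCEPTION here.
LIST_SAMPLE = "kg\n"


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' comments and blank lines are ignored."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def parse_chroot_list(text: str) -> Set[str]:
    """One username per line, as in /etc/vsftpd/chroot_list."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def is_yes(opts: Dict[str, str], key: str) -> bool:
    # vsftpd boolean options default to NO unless the man page says otherwise
    return opts.get(key, "NO").upper() == "YES"


def will_be_chrooted(opts: Dict[str, str], listed: Set[str], user: str) -> bool:
    """chroot_local_user=YES: list is an exception list; otherwise inclusion."""
    if is_yes(opts, "chroot_local_user"):
        return not (is_yes(opts, "chroot_list_enable") and user in listed)
    return is_yes(opts, "chroot_list_enable") and user in listed


def report(conf_text: str, list_text: str, user: str) -> Dict[str, bool]:
    opts = parse_vsftpd_conf(conf_text)
    listed = parse_chroot_list(list_text)
    return {
        "jailed": will_be_chrooted(opts, listed, user),
        # the man page warns about jails with upload permission; flag the
        # writable-root setting the quoted configuration relies on
        "writable_chroot": is_yes(opts, "allow_writeable_chroot"),
    }


if __name__ == "__main__":
    print(report(CONF_SAMPLE, LIST_SAMPLE, "kg"))  # jailed: False (kg is an exception)
    print(report(CONF_SAMPLE, "", "kg"))           # jailed: True (empty list)
```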
Answer 2

I set selinux to permissive and restarted vsftpd.service, which solved the problem.