VSFTPD configuration: Chroot_local_user and chroot_list_enable detailed

Source: Internet
Author: User

In many cases we want to confine FTP users to their home directory (it becomes their root directory) so that they cannot leave it to browse other directories on the server. vsftpd does this with three options: chroot_local_user, chroot_list_enable and chroot_list_file. They are explained below:

    • chroot_local_user # whether to confine all users to their home directory; yes enables it, no disables it. (The default is no, so after a fresh vsftpd installation FTP users can change to directories above their home.)
    • chroot_list_enable # whether to consult the list of users in chroot_list_file; yes enables it, no disables it (a commented-out line counts as disabled).
    • chroot_list_file=/etc/vsftpd/chroot_list # the list of users whose confinement differs from the global setting. Whether it is a "confine these users" list or an "exempt these users" list depends on the value of chroot_local_user. The way to remember it: chroot_local_user is always the global setting. With yes, all users are locked in their home directory; with no, none are. We then usually need to "tweak" the global setting, that is, we need an "exception mechanism", and chroot_list_enable=yes says "we need exceptions". What an exception means depends on the context: when all users are locked in (chroot_local_user=yes), an exception is a user who is not locked in; when no user is locked in (chroot_local_user=no), an exception is a user who is locked in. Seen this way the relationship is easy to remember.

For the combination effect of chroot_local_user and chroot_list_enable, refer to the following table:

                       | chroot_local_user=yes                              | chroot_local_user=no
-----------------------|----------------------------------------------------|---------------------------------------------------
chroot_list_enable=no  | 1. All users are confined to their home directory  | 1. No user is confined to the home directory
                       | 2. The list in chroot_list_file is not used;       | 2. The list in chroot_list_file is not used;
                       |    there are no "exception" users                  |    there are no "exception" users
chroot_list_enable=yes | 1. All users are confined to their home directory  | 1. No user is confined to the home directory
                       | 2. Users named in chroot_list_file are the         | 2. Users named in chroot_list_file are the
                       |    exceptions: they are not confined (Way One)     |    exceptions: they are confined (Way Two)

An example:

Suppose there are two FTP users, ftp1 and ftp2. We want ftp1 locked in its home directory, unable to change to other directories, while ftp2 may change directories freely. This can be done in either of the following two ways:

Way One:

Set:
chroot_local_user=yes
chroot_list_enable=yes
and put the following in the list file /etc/vsftpd/chroot_list:
ftp2

Explanation: chroot_local_user=yes confines all users to their home directory, and chroot_list_enable=yes enables chroot_list_file. Because chroot_local_user=yes, that is, all users are "confined to the home directory", chroot_list_file serves as the exception list of users who will not be confined to the home directory.

Way Two:

Set:
chroot_local_user=no
chroot_list_enable=yes
and put the following in the list file /etc/vsftpd/chroot_list:
ftp1

Explanation: chroot_local_user=no means no user is confined to the home directory, and chroot_list_enable=yes enables chroot_list_file. Because chroot_local_user=no, that is, all users are "not confined to the home directory", chroot_list_file serves as the exception list of users who will be confined to the home directory.
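As an added example that is not from the original article, the decision logic of the table above and of Way One and Way Two as a small POSIX shell script: it reads the three options from a vsftpd.conf-style file and reports whether a given user ends up confined. The configuration files, list file and user names ftp1/ftp2 it writes are constructed for the demonstration, and vsftpd_opt, chroot_effect and write_sample are hypothetical helper names, not vsftpd tools.

```shell
#!/bin/sh
# Added example, not from the original article: work out which users vsftpd
# confines (chroot) to their home directory under the rules explained above.
# All file paths and user names here are constructed for the demonstration.

# Print option $2 from vsftpd.conf $1, or default $3 when unset. Comment
# lines are skipped and the last assignment wins. Values are upper-cased so
# the lowercase yes/no used in the article compares equal to vsftpd's YES/NO.
vsftpd_opt() {
    _v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    [ -n "$_v" ] || _v=$3
    printf '%s\n' "$_v" | tr '[:lower:]' '[:upper:]'
}

# Print "chrooted" or "free" for local user $2 according to config file $1.
chroot_effect() {
    local_user=$(vsftpd_opt "$1" chroot_local_user NO)
    list_enable=$(vsftpd_opt "$1" chroot_list_enable NO)
    list_file=$(sed -n 's/^[[:space:]]*chroot_list_file=//p' "$1" | tail -n 1)
    decision=$local_user              # the global rule applies first
    # The list is consulted only when chroot_list_enable=YES, and it always
    # inverts the global rule for the users it names (the "exception" list).
    if [ "$list_enable" = YES ] && [ -f "$list_file" ] \
       && grep -qxF "$2" "$list_file"; then
        if [ "$local_user" = YES ]; then decision=NO; else decision=YES; fi
    fi
    [ "$decision" = YES ] && echo chrooted || echo free
}

# Write the article's "Way One" ($2=1) or "Way Two" ($2=2) configuration
# into directory $1 and print the path of the generated vsftpd.conf.
write_sample() {
    conf=$1/vsftpd.conf
    if [ "$2" = 1 ]; then
        printf 'chroot_local_user=yes\nchroot_list_enable=yes\n' > "$conf"
        echo ftp2 > "$1/chroot_list"   # exception: ftp2 stays free
    else
        printf 'chroot_local_user=no\nchroot_list_enable=yes\n' > "$conf"
        echo ftp1 > "$1/chroot_list"   # exception: ftp1 gets confined
    fi
    echo "chroot_list_file=$1/chroot_list" >> "$conf"
    echo "$conf"
}

# Stand-alone run: with either way, ftp1 is confined and ftp2 is free.
d=$(mktemp -d); c=$(write_sample "$d" 1)
echo "Way One: ftp1=$(chroot_effect "$c" ftp1) ftp2=$(chroot_effect "$c" ftp2)"
rm -rf "$d"
```

vsftpd 2.3.5 and later refuse to chroot a user whose home directory is writable, failing the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" unless allow_writeable_chroot=YES is set; keeping the chrooted home read-only and giving uploads a writable subdirectory is the safer fix. Users exempted by the list in Way One can browse the whole server filesystem, so keep that exception list short and review it.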


Other information:


There are two more combinations of chroot_local_user and chroot_list_enable:

chroot_local_user=yes
chroot_list_enable=no
and
chroot_local_user=no
chroot_list_enable=no

When chroot_list_enable=no, chroot_list_file is no longer consulted; the setting simply confines all users to their home directory or none of them.

Additional notes:

    • For chroot_local_user we usually prefer to forbid leaving the home directory globally and use chroot_list to add exceptions, that is, the settings of Way One.
    • The default root directory for anonymous users is /var/ftp
