The default vsftpd.conf is incorrect: # You may specify an explicit list of local users to chroot() to their home # directory. If chroot_local_user is YES, then this list becomes a list of # users to NOT chroot(). #chroot_list_enable=YES # (default follows) #chroot_list_file=/etc/vsftpd/chroot_list If you set chroot_list_enable to YES, vsftpd will still NOT chroot people on default. The list is STILL used to who will be chrooted. This isn't good since then people will enable it thinking that everyone is chrooted when in reality nobody is being chrooted. Just for reference, here's the vsftpd.conf man page: chroot_list_enable If activated, you may provide a list of local users who are placed in a chroot() jail in their home directory upon login. The meaning is slightly different if chroot_local_user is set to YES. In this case, the list becomes a list of users which are NOT to be placed in a chroot() jail. By default, the file containing this list is /etc/vsftpd/chroot_list, but you may override this with the chroot_list_file setting. Default: NO Reproducible: Always Steps to Reproduce: 1. 2. 3.
We install the same config file that ships with vsftpd (with a few minor changes in relation to starting up) ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.3/vsftpd.conf Both the config file and the man page entries make perfect sense to me as they clearly state that chroot_local_user needs to be YES to make chroot default. Marking as UPSTEAM - if you can convince the author to change his config file, ours will change too.