Bug 167095 - net-ftp/vsftpd default options
Summary: net-ftp/vsftpd default options
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Roy Marples (RETIRED)
Reported: 2007-02-15 19:10 UTC by Charlie Page
Modified: 2007-02-15 22:48 UTC
Description Charlie Page 2007-02-15 19:10:09 UTC
The following option doesn't exist by default in the options file (and the default is NO):
chroot_local_user=YES
but it is mentioned (thank god).
I think that it should exist and be set to yes. This is after all supposed to be very secure ftp.
I became aware of this as someone using Internet Explorer to ftp into my server was like "I see directories, boot.." I thought that being very secure ftp and that because my IE sent me to the users home directory that chrooting the user was the case.

Reproducible: Always

Steps to Reproduce:
1. Install vsftp
2. Allow local user access.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-02-15 21:27:20 UTC
(In reply to comment #0)
> I became aware of this as someone using Internet Explorer to ftp into my server
> was like "I see directories, boot.."  

Well done; sorry but running a server assumes you know what you are doing; if not, then don't moan here.
Comment 2 Charlie Page 2007-02-15 22:12:41 UTC
I am saying that:
1) `chroot_local_user=` should be in the default config file /etc/vsftp/vsftp.conf.
2) The default should be YES.
3) This would be a much more secure default setting.
4) Security is good.
Comment 3 Roy Marples (RETIRED) gentoo-dev 2007-02-15 22:48:40 UTC
From the man page

 chroot_local_user
              If set to YES, local users will be (by default) placed in a
              chroot() jail in their home directory after login. Warning:
              This option has security implications, especially if the users
              have upload permission, or shell access. Only enable if you know
              what you are doing. Note that these security implications are
              not vsftpd specific. They apply to all FTP daemons which offer
              to put local users in chroot() jails.

              Default: NO


The man page clearly implies that you should know about chroot before activating this option. As such upstream will have to change their documentation before I even think about changing the default.
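
The default behaviour discussed in this thread, as an added example that is not part of the bug report or of vsftpd: a small Python check that computes the effective chroot_local_user value from vsftpd.conf text, treating an absent option as the built-in default NO, and flags the chroot-plus-upload combination the man page warns about. The function names, finding codes and sample configs are constructed for illustration, and only the literal value YES is treated as enabled.

```python
# Added example (not from the bug report): audit chroot-related vsftpd settings.
# vsftpd's built-in defaults, which apply when an option is absent or commented out.
DEFAULTS = {"local_enable": "NO", "write_enable": "NO", "chroot_local_user": "NO"}

def parse_conf(text):
    """Parse vsftpd.conf text: one option=value per line, '#' starts a comment line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    return settings

def audit(text):
    """Return (effective settings, list of finding codes) for the chroot question."""
    explicit = parse_conf(text)
    cfg = {**DEFAULTS, **{k: v for k, v in explicit.items() if k in DEFAULTS}}
    findings = []
    if cfg["local_enable"] != "YES":
        return cfg, findings            # no local logins, nothing to jail
    if cfg["chroot_local_user"] != "YES":
        # The situation in the report: users land in their home but can walk up to /.
        findings.append("NOT_CHROOTED" if "chroot_local_user" in explicit
                        else "NOT_CHROOTED_BY_DEFAULT")
    elif cfg["write_enable"] == "YES":
        # The combination the man page warns about: chroot plus upload permission.
        findings.append("CHROOT_WITH_UPLOAD")
    return cfg, findings

# Constructed sample configs (not taken from any real server).
REPORTED = """\
local_enable=YES
# chroot_local_user=YES
"""
JAILED_WRITABLE = "local_enable=YES\nwrite_enable=YES\nchroot_local_user=YES\n"
JAILED_READONLY = "local_enable=YES\nchroot_local_user=YES\n"

if __name__ == "__main__":
    for name, conf in [("reported", REPORTED), ("jailed+upload", JAILED_WRITABLE),
                       ("jailed read-only", JAILED_READONLY)]:
        cfg, findings = audit(conf)
        print(f"{name}: chroot_local_user={cfg['chroot_local_user']} findings={findings}")
```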