Bug 661106 - net-ftp/vsftpd-3.0.3-r2 - ":/home/$USER - chroot_local_user does not work
Summary: net-ftp/vsftpd-3.0.3-r2 - ":/home/$USER - chroot_local_user does not work
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Mike Gilbert
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-13 21:57 UTC by Juergen Rose
Modified: 2021-07-23 17:48 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Juergen Rose 2018-07-13 21:57:39 UTC
I have a vanilla Gentoo system without selinux. Trying to get an ftp login failed with:

rose@lynx:/home/rose(32)$ ftp orca
Connected to orca.bioinf.cs.uni-potsdam.de.
220 (vsFTPd 3.0.3)
Name (orca:rose): 
530 Please login with USER and PASS.
530 Please login with USER and PASS.
SSL not available
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/$USER
Login failed.
421 Service not available, remote server has closed connection
ftp> 


root@orca:/root(61)# cat  /etc/vsftpd/vsftpd.conf
listen=YES
local_enable=YES
anonymous_enable=NO
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
#local_root=/data_orca/Projects/$USER
local_root=/home/$USER
#anon_root=/home/ftp
userlist_file=/etc/vsftpd/vsftpd.userlist


userlist_file=/etc/vsftpd/vsftpd.userlist
root@orca:/root(62)# cat /etc/vsftpd/vsftpd.userlist
rose
larkom
rose_test


root@orca:/root(63)# ll -d /home/rose
drwxr-xr-x 112 rose rose 4096 Jul 13 23:22 /home/rose/

I found some discussion about "500 OOPS: cannot change directory", e.g. 

https://askubuntu.com/questions/174235/500-oops-cannot-change-directory-home-user-public-html-vsftpd-error

or 

https://nurikabe.blog/2009/06/15/defeating-vsftp-error-500-oops-cannot-change-directorysomedirectory/

They all refer to "setsebool -P ftp_home_dir on". But I think that is only useful for selinux systems. I do not have setsebool.

Is it impossible to use chroot_local_user on a non-selinux system?

If I comment out the chroot_local_user line in /etc/vsftpd/vsftpd.conf, the ftp login works. But in this case the ftp user can see the whole filesystem on the ftp server, which I would like to avoid without changing all the permissions, which causes other trouble.


root@orca:/root(59)# emerge --info net-ftp/vsftpd
Portage 2.3.42 (python 3.5.5-final-0, default/linux/amd64/17.0/desktop/gnome/systemd, gcc-7.3.0, glibc-2.27-r5, 4.17.2-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.17.2-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_W3520_@_2.67GHz-with-gentoo-2.6
KiB Mem:    12327180 total,    373604 free
KiB Swap:  100679336 total, 100489384 free
Timestamp of repository gentoo: Fri, 13 Jul 2018 02:00:01 +0000
Head commit of repository gentoo: b67cc4819a89a73e0f846e011359e76b5de45cad
sh bash 4.4_p23
ld GNU ld (Gentoo 2.30 p3) 2.30.0
app-shells/bash:          4.4_p23::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.26.2::gentoo
dev-lang/python:          2.7.15::gentoo, 3.5.5-r1::gentoo, 3.6.6::gentoo
dev-util/cmake:           3.11.4::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.11.6-r3::gentoo, 1.16.1-r1::gentoo
sys-devel/binutils:       2.30-r3::gentoo
sys-devel/gcc:            7.3.0-r3::gentoo
sys-devel/gcc-config:     1.9.1::gentoo
sys-devel/libtool:        2.4.6-r5::gentoo
sys-devel/make:           4.2.1-r3::gentoo
sys-kernel/linux-headers: 4.17::gentoo (virtual/os-headers)
sys-libs/glibc:           2.27-r5::gentoo
Repositories:

gentoo
    location: /usr/portage_orca
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-max-age: 24
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-jobs: 1

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

imaging
    location: /var/lib/layman/imaging
    masters: gentoo
    priority: 50

sage-on-gentoo
    location: /var/lib/layman/sage-on-gentoo
    masters: gentoo science
    priority: 50

science
    location: /var/lib/layman/science
    masters: gentoo
    priority: 50

x11
    location: /var/lib/layman/x11
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.2/ext-active/ /etc/php/cgi-php7.2/ext-active/ /etc/php/cli-php7.2/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de en fr ru"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="64bit R X Xaw3d a52 aac acl acpi admin afs alsa amd64 amr ao apache2 apng applet archive armadillo arpack aspell assistant atlas audiofile automap automount barcode bash-completion berkdb blas blast bluetooth bluray boost branding btrfs bzip2 cairo cdda cddb cdf cdio cdparanoia cdr cgi chm cilk clang cli cmake collada colord contrib crypt css cups curl cxx daap db dbi dbm dbus declarative designer devhelp device-mapper dga dia djvu doc dot dri ds2409 ds9097 ds9097u dts dv dvb dvd dvdr dvi dynamicplugin eds egl elf emacs emboss emf encode epiphany evdev evo examples excel exif expat extensions extra extras faac faad fam ffmpeg fftw firefox fits flac fltk fontconfig foomaticdb fortran fortran95 fpm fpx ftp fuse gcj gd gdal gdbm gedit geoip geolocation geos gfortran gif gimp git glade glamor glib glpk gml gmp gnome gnome-keyring gnome-online-accounts gnuplot gnutls gold gphoto2 gpm grammar graphics graphtft graphviz grass gsl gsm gstreamer gtk gtk3 gudev guile hddtemp hdf hdf5 hdri html http httpd hvm hwdb iconv icq icu id3tag ide imagemagick imap inotify introspection ipod ipv6 ithreads jadetex java jbig jit john jpeg jpeg2k kate kdepim kdrive kerberos keymap kpathsea kvm ladspa lame lapack latex lcms ldap lensfun libffi libgda libkms libnotify libsamplerate libsecret libtirpc live lm_sensors lua lzma lzo mad mail maildir mapnik math matroska media-library mercurial mikmod mng mod modules mono motif mozilla mp3 mp4 mpeg mpi mpi-threads mplayer mtp multilib multimedia musepack musicbrainz mysql mysqli nautilus ncurses neXt netcdf netpbm network networking nfs nls nntp nptl nsplugin ntfs ntp numpy obex objc ocaml ocr octave odbc ofa ogdi ogg opencv openexr opengl openmp openvg pam pango pcre pda pdf pdl2 perl plasma plotutils plugins png podcast policykit portaudio posix postgres postscript ppds ppp preview-latex proj projectm pstricks pulseaudio python q16 q32 qemu qhull qml qt5 quicktime raw readline reiserfs reports rle romio rpc rrdcgi rrdtool sage samba sasl 
schroedinger science sdk sdl seccomp secure-delete server session shout sip slang slp smart smbclient smp sms snmp soap sockets sound soup sox speex spell sql sqlite ssl startup-notification stlport subtitles subversion sudo svg svm systemd szip t1lib tbb tcl tcpd tex tex4ht theora thesaurus threads thunderbird tidy tiff tk tools tracker truetype udev udisks unicode upower usb utempter v4l v4l2 vaapi vala valgrind vdpau video vim-syntax virt-network virtualbox visio vorbis vpx vtk wav wayland webdav webdav-serf webkit wmf wxwidgets x264 xa xattr xcb xen xetex xft xine xml xmlreader xmlrpc xpm xv xvid xvmc yaml youtube zlib zsh-completion zvbi" ABI_X86="64" ALSA_CARDS="intel8x0" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_core authn_dbm authn_default authn_file authz_core authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgid dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info lbmethod_byrequests log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif slotmem_shm so socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="karbon plan sheets stage words" CAMERAS="canon fuji ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" CURL_SSL="nss" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="emu efi-64 pc xen" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" L10N="de en fr ru" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console 
presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-0" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python3_5" PYTHON_TARGETS="python2_7 python3_5 python3_6" QEMU_SOFTMMU_TARGETS="arm i386 x86_64" QEMU_USER_TARGETS="arm i386 x86_64" RUBY_TARGETS="ruby23" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

net-ftp/vsftpd-3.0.3-r2::gentoo was built with the following:
USE="pam ssl tcpd -caps -libressl (-selinux) -xinetd" ABI_X86="(64)"
Comment 1 Mike Gilbert gentoo-dev 2021-07-23 17:48:54 UTC
You need to add "user_sub_token" to your config.

>       user_sub_token
>              This option is useful in conjunction with virtual users. It is
>              used to automatically generate a home directory for each virtual
>              user, based on a template. For example, if the home directory of
>              the real user specified via guest_username is /home/virtual/$USER,
>              and user_sub_token is set to $USER, then when virtual user fred
>              logs in, he will end up (usually chroot()'ed) in the directory
>              /home/virtual/fred. This option also takes effect if local_root
>              contains user_sub_token.
> 
>              Default: (none)
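As an added example (not part of this bug report and not vsftpd's own code), a small POSIX shell check that applies the diagnosis from Comment 1 to a vsftpd.conf: it flags chroot_local_user=YES combined with a local_root that contains a `$` token while user_sub_token is unset, which is exactly the state in which vsftpd tries to chdir into the literal path /home/$USER. The two sample configs it writes are constructed to mirror the reporter's file; the only difference between them is the user_sub_token=$USER line, and the function names and the lint logic are this example's own.

```shell
#!/bin/sh
# Added example: lint a vsftpd.conf for the chroot_local_user / local_root /
# user_sub_token mismatch discussed in this bug. Not part of vsftpd.

# conf_value FILE KEY -> prints the value of the last uncommented "KEY=value" line
# (lines starting with '#' never match the pattern, so commented-out keys are ignored)
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_local_root_template FILE
#   returns 0 when the config is consistent,
#   returns 1 when local_root uses a template token that vsftpd will not substitute
check_local_root_template() {
    chroot_on=$(conf_value "$1" chroot_local_user)
    local_root=$(conf_value "$1" local_root)
    token=$(conf_value "$1" user_sub_token)

    [ "$chroot_on" = "YES" ] || return 0     # no chroot: the template question does not arise
    [ -n "$local_root" ] || return 0         # no local_root: vsftpd uses the account's home

    case "$local_root" in
        *'$'*)                               # local_root looks like a per-user template
            if [ -z "$token" ]; then
                echo "local_root='$local_root' contains a token but user_sub_token is unset:" \
                     "vsftpd will chdir to the literal path" >&2
                return 1
            fi
            case "$local_root" in
                *"$token"*) return 0 ;;      # token present in local_root: substitution works
                *) echo "user_sub_token='$token' does not occur in local_root='$local_root'" >&2
                   return 1 ;;
            esac
            ;;
        *) return 0 ;;                       # plain path, nothing to substitute
    esac
}

# write_sample_conf PATH {broken|fixed}
# Constructed sample modelled on the config in the bug report (not the reporter's file).
write_sample_conf() {
    {
        echo 'listen=YES'
        echo 'local_enable=YES'
        echo 'anonymous_enable=NO'
        echo 'chroot_local_user=YES'
        echo '#local_root=/data_orca/Projects/$USER'
        echo 'local_root=/home/$USER'
        if [ "$2" = fixed ]; then echo 'user_sub_token=$USER'; fi
    } > "$1"
}

# Demo: run the check against both constructed configs.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/broken.conf" broken
write_sample_conf "$demo_dir/fixed.conf" fixed
for f in "$demo_dir/broken.conf" "$demo_dir/fixed.conf"; do
    if check_local_root_template "$f"; then
        echo "$f: OK"
    else
        echo "$f: MISCONFIGURED"
    fi
done
rm -rf "$demo_dir"
```

The check only reads the config; it does not look at filesystem permissions. A separate caveat from vsftpd's documented behaviour (not raised in this bug): vsftpd 3.x refuses to chroot a user whose chroot root directory is writable by that user, and the reporter's /home/rose is owned and writable by rose, so after adding user_sub_token the login can still fail with a "refusing to run with writable root inside chroot()" error unless the directory is made non-writable for the user or allow_writeable_chroot=YES is set deliberately.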