Setting up chroot jails for your vsftpd users



Nitin Venkatesh
published Jan. 23, 2015, midnight


chroot jails keep your users locked in a directory and don't let them wander about the filesystem to places they have no business poking their noses into.

Alrighty, let's implement this on our vsftpd server so that your FTP users can't go peeking at the passwd and shadow files. We assume you've already created your FTP user and set their home directory to the uploads directory; this was covered in the previous article, Setting up vsftpd on Ubuntu.

Now here's the glitch: your uploads folder has to be writable, but chroot requires that the root (parent) folder the user is chrooted into is not writable. Okay, let's tackle this.

Editing vsftpd.conf

First of all, check the vsftpd version you're currently running and make sure it's above v3:

$ vsftpd -v
vsftpd: version 3.0.2

Now edit the /etc/vsftpd.conf file ($ sudo vi /etc/vsftpd.conf) and change or add the following lines:

chroot_local_user=YES
allow_writeable_chroot=YES

And restart the vsftpd server: $ sudo service vsftpd restart

Editing user settings

We want to make sure the user isn't a pesky one who bypasses all the restrictions we just put in place in our new vsftpd configuration by SSH-ing into the box.

There are a lot of ways to tackle this, but I'm going to use a dummy shell to do so.

First, we create an empty file in /bin called fakeshell:

$ sudo touch /bin/fakeshell

Next, I modify the user created in the previous post (uploader) to use this shell by default:

$ sudo usermod -s /bin/fakeshell uploader

# Just to confirm

$ tail -1 /etc/passwd
uploader:x:1001:1001::/var/www/html/wordpress/wp-content/uploads:/bin/fakeshell

Now, when you try to SSH in with your FTP user's credentials:

$ ssh uploader@192.168.56.101
uploader@192.168.56.101's password: 
Permission denied, please try again.
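As an added example (not part of the original post), the following POSIX sh script audits both halves of this setup from the files they live in: it reads the effective vsftpd.conf directives the way vsftpd does (the last assignment of a key wins) and checks that the FTP user's login shell cannot start a session. The uploader entry, the temp-directory paths and the sample conf in the demo are constructed; point the functions at /etc/vsftpd.conf and /etc/passwd to check a real box.

```shell
#!/bin/sh
# Added example, not from the original post: audit the lockdown this article
# configures. Paths are passed as arguments so the same functions run against
# the real /etc/vsftpd.conf and /etc/passwd or against constructed samples.

# Effective value of a vsftpd.conf directive: '#' comment lines never match the
# anchored pattern and, as in vsftpd's own parser, the last assignment wins.
conf_value() {           # $1 = vsftpd.conf path, $2 = directive name
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Succeeds only when both directives from the article are set to YES.
check_chroot_conf() {    # $1 = vsftpd.conf path
    [ "$(conf_value "$1" chroot_local_user)" = "YES" ] &&
    [ "$(conf_value "$1" allow_writeable_chroot)" = "YES" ]
}

# Login shell recorded for a user in a passwd-format file (empty if absent).
user_shell() {           # $1 = passwd file, $2 = username
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Succeeds when the shell cannot start an interactive session: a standard
# no-login shell, or a path that is missing or not executable (the article's
# empty /bin/fakeshell is the latter: exec fails and sshd reports the denial).
shell_is_locked() {      # $1 = shell path
    case "$1" in /usr/sbin/nologin|/sbin/nologin|/bin/false) return 0 ;; esac
    [ ! -x "$1" ]
}

# Run both checks for one FTP user; one line per finding, 0 only if all pass.
audit_ftp_user() {       # $1 = vsftpd.conf, $2 = passwd file, $3 = username
    rc=0
    if check_chroot_conf "$1"; then echo "ok: chroot_local_user and allow_writeable_chroot are YES"
    else echo "FAIL: chroot directives not both YES in $1"; rc=1; fi
    shell=$(user_shell "$2" "$3")
    [ -n "$shell" ] || { echo "FAIL: no passwd entry for $3"; return 1; }
    if shell_is_locked "$shell"; then echo "ok: $3 shell $shell blocks SSH logins"
    else echo "FAIL: $3 shell $shell is executable and allows logins"; rc=1; fi
    return $rc
}

# Demo on constructed sample files; the uploader entry mirrors the article's.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample' 'chroot_local_user=NO' 'chroot_local_user=YES' \
        'allow_writeable_chroot=YES' > "$d/vsftpd.conf"
    printf '%s\n' "uploader:x:1001:1001::/var/www/html/wordpress/wp-content/uploads:$d/fakeshell" > "$d/passwd"
    : > "$d/fakeshell"   # created empty, like 'sudo touch /bin/fakeshell': not executable
    audit_ftp_user "$d/vsftpd.conf" "$d/passwd" uploader; rc=$?
    rm -rf "$d"; return $rc
}
demo
```

Check that FTP login still works after the usermod: the Debian/Ubuntu vsftpd package ships /etc/pam.d/vsftpd with an `auth required pam_shells.so` line, which rejects users whose shell is not listed in /etc/shells. If uploads stop working, adding /bin/fakeshell to /etc/shells restores FTP while the file stays non-executable, so SSH remains blocked.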

And that's it: you have created a chroot jail that your FTP users can't get out of, and they can't SSH into your box either!