What is the secure way to isolate ftp server users on unix?

Solution 1:

The correct practice you will use depends on the software you use.

If you know all your users, then I'd say using chroot is not a big deal. If you are giving accounts to people you don't know if you can trust, then you may not want to.

You may want to also take a look at pureftpd and its "chroot" options:

Apart from the "-a" flag, Pure-FTPd has another way to fine-tune chroot() rules. Let's take an /etc/passwd entry:

mimi:x:501:100:Mimi:/home/mimi:/bin/zsh

Without any special rule, mimi will be able to log in and to retrieve any public-readable file in the filesystem. Now, let's change a bit of its home directory:

mimi:x:501:100:Mimi:/home/mimi/./:/bin/zsh

So what? Mimi's home directory is still the same and common applications shouldn't notice any difference. But Pure-FTPd understands "chroot() until /./". So when mimi next carries out a FTP log in, only the /home/mimi directory will be reachable, not the whole filesystem. If you don't like the "-a" and its trusted gid thing, this is a good way to only chroot() some users.

http://download.pureftpd.org/pub/pure-ftpd/doc/README

Of course, please do your research concerning security issues. Don't take anyone's word for it.

You don't need to use chroot to achieve isolation. That just makes it look nice for the user and the ignorant will think there are no other files on the server. You could also use file permissions to keep users from snooping around. You could also run your ftp daemon in a VM and reduce the risk further.
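
Added example (not part of the answer above and not Pure-FTPd code): a small audit that reads passwd-format entries and reports which accounts carry the "/./" home-directory marker quoted from the README, and what directory the chroot() would stop at. The function names and the sample entries other than mimi's are constructed for illustration; it only looks at the marker and assumes nothing about "-a" or other server options.

```python
# Audit passwd-format text for the Pure-FTPd "/./" chroot marker.
# Constructed sample input; only mimi's entry comes from the page.
SAMPLE_PASSWD = """\
mimi:x:501:100:Mimi:/home/mimi/./:/bin/zsh
bob:x:502:100:Bob:/home/bob:/bin/bash
carol:x:503:100:Carol:/srv/ftp/./carol:/sbin/nologin
# comment line
broken:line
"""

MARKER = "/./"


def chroot_root(home):
    """Directory before the first '/./' in the home field, or None if absent."""
    idx = home.find(MARKER)
    if idx == -1:
        return None
    # A home field that starts with the marker would make "/" the root.
    return home[:idx] or "/"


def audit(passwd_text):
    """Return one dict per entry: the chroot root and whether it confines the user."""
    results = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # Do not guess at malformed entries; surface them for review.
            results.append({"line": lineno, "error": "malformed entry"})
            continue
        user, home = fields[0], fields[5]
        root = chroot_root(home)
        # No marker, or a root of "/", leaves the whole filesystem reachable.
        confined = root not in (None, "/")
        results.append({"line": lineno, "user": user, "home": home,
                        "chroot": root, "confined": confined})
    return results


if __name__ == "__main__":
    for entry in audit(SAMPLE_PASSWD):
        print(entry)
```

Run it against a copy of the real passwd file and review every account reported with "confined": False before handing out FTP logins.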