What does FTP Jailing mean, and what features does a server OS require in order to enable it?

I have a fuzzy notion of what the term "ftp jailing" means, but when it comes to permissions and security, fuzzy is imprudent. What is it? How is it implemented? Is it mostly a capability of the ftp server, or does it emerge from how the underlying OS does permissions?


Solution 1:

"Jailing" in ftp means locking the ftp session to a particular subset of the filesystem. Usually it is set so that if a particular user logs in, they can only ftp to their own directory space.

The ftp server will often have an option to chroot the user when they connect, which means that, as far as that user is concerned, the root of the universe is some specific portion of the total available filesystem.

'vsftp' has a really clear explanation and how-to at vsftpd.

Some other examples include proftp and ftp on hp/ux.

Solution 2:

Here's how I do it in a Windows IIS environment. Figure it will help someone in the future.

  1. Set up the local user accounts on the computer for each "user/client".
  2. In Explorer, set up the NTFS structure so that you have a "root" folder and inside that folder you have folders for each client/etc.
  3. Set up the NTFS rights, so that each user (you can use a group called FTP users, and add them all to that group) has "List" rights to the root folder. Then give them specific rights to each of their "home" folders (read/write/whatever).
  4. In IIS for the FTP site, create virtual directories named EXACTLY the same as the user accounts you created, and point each one to the right home folder, i.e. a virtual directory of BOBJONES points to d:\ftpsite\BOBJONES
  5. Go back into Explorer and create a new folder in the same folder as the ROOT folder and call it DEADEND.
  6. Give the FTP users list/read permissions to the DEADEND folder.
  7. Back in IIS, set the "root folder" for the FTP site to the DEADEND folder.

That's it.

Now, when BOBJONES logs into the FTP site, he is in the BOBJONES directory. If he gets wily and tries to do a cd .. to go up to the parent/root, he'll get knocked into the DEADEND folder and won't see the list of everyone else's home folders, etc. (NOTE: he can still get back to his home folder by typing cd BOBJONES.)

ONE FINAL NOTE: anybody that has a user ID but no virtual directory named the same will get defaulted to the root directory which has been changed to DEADEND.

Solution 3:

FTP jailing means that the logged-in user sees his root directory as one that you define. He cannot go any higher up the tree, as the FTP client sees his dir as the root directory.

Say you have the following:

/home/ben_linus/
/home/ben_linus/data
/home/ben_linus/progs

You set the root to /home/ben_linus/

He will see

/
/data
/progs

Solution 4:

I don't see a reason why it should be OS dependent. Nothing keeps you from coding an FTP server that will return / for some random directory after using cd .. often enough without actually being in / on Unix or at the top level drive in Windows.

Regarding permissions, it depends a lot on how you configure your FTP server. Some FTP servers can map from/to any user; that means you could configure an FTP server that needs "normal" authentication, but when writing the file to the OS on the host, permissions will be mapped to a certain user you configured.

Some discussion about chroot (as well as a follow up link) can be found in the ProFTPd FAQ.
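
Solution 4's point that the server itself can present a virtual root, sketched as an added example (not part of any answer here and not taken from any real FTP server). The class and function names are hypothetical, and the constructed sample tree mirrors the /home/ben_linus layout from Solution 3; the resolver also rejects symlinks that lead outside the jail root, which clamping `..` alone does not catch.

```python
import os
import posixpath
import tempfile


class JailError(Exception):
    """A client path resolved to a location outside the jail root."""


class JailedSession:
    def __init__(self, jail_root):
        # Canonicalise once so later prefix checks compare real paths.
        self.root = os.path.realpath(jail_root)
        self.cwd = "/"  # virtual working directory shown to the client

    def virtual(self, client_path):
        """Normalise a client path; '..' at the virtual root stays at '/'."""
        joined = posixpath.join(self.cwd, client_path)
        return "/" + posixpath.normpath(joined).lstrip("/")

    def real(self, client_path):
        """Map a client path to a host path, refusing symlink escapes."""
        virt = self.virtual(client_path)
        host = os.path.realpath(os.path.join(self.root, virt.lstrip("/")))
        if os.path.commonpath([self.root, host]) != self.root:
            raise JailError(f"{client_path!r} resolves outside the jail")
        return host

    def change_dir(self, client_path):
        """Handle CWD/CDUP: validate on the host, then update the virtual cwd."""
        if not os.path.isdir(self.real(client_path)):
            raise NotADirectoryError(client_path)
        self.cwd = self.virtual(client_path)
        return self.cwd


def build_sample_tree():
    """Constructed sample: home/ben_linus/{data,progs} plus a symlink out."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "ben_linus")
    os.makedirs(os.path.join(home, "data"))
    os.makedirs(os.path.join(home, "progs"))
    os.symlink(base, os.path.join(home, "data", "escape"))
    return home


if __name__ == "__main__":
    session = JailedSession(build_sample_tree())
    print(session.change_dir("data"))
    print(session.change_dir("../../.."))
```

The path check and the later file open are two separate steps, so this alone does not stop a symlink swapped in between them; a chroot performed by the OS does not have that gap.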

Solution 5:

It's a feature of the ftp server (for most of them). For example, with vsftpd you can "jail" users to their homedir by using the configuration

chroot_local_user=YES

The ftp server will not let the user go below that directory.

User homedir: /home/ftp
User can access: /home/ftp, /home/ftp/pub
User can not access: /home, /etc, /, /root etc..