ProFTPD and jailing users

I moved all my sites to a couple months back on Joe’s recommendation and I’m hosting sites for a couple buddies on it right now. One of the problems with opening your server up to your buddies is that, trustworthy as they may be, you don’t want them mucking around with the system by CD’ing up to places they shouldn’t be hanging out. The guys at VPS Center have provided a nice web-based app for the creation of FTP users, but you can’t lock down the users to a specific directory via the web. I did some research today and found out that you can edit the ProFTPD configuration file so that users are “jailed” (a ProFTPD term, not mine) into their websites and can’t muck around outside their own sandbox.

The configuration file lives on my system at /etc/proftpd.conf. Open that puppy up and add:

DefaultRoot /usr/hosts/ groupname

where /usr/hosts/ is the directory containing the site that you want to lock down and groupname is the name of the group (usually the same as the username) that you want to restrict. Restart the server (/etc/rc.d/init.d/proftpd restart) and the next time the user in question logs in, they’ll be automatically redirected to the ‘jailed’ directory and they won’t be able to browse directories above the one you’ve established as the base.

On a related note, if it seems like your FTP connections take forever to establish, add:

UseReverseDNS off
IdentLookups off

to the ProFTPD configuration file as well (restart required). You’ll see a dramatic decrease in the amount of time it takes to make an FTP connection.
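An added example (not from the original post): a small Python audit that reads a proftpd.conf and reports which accounts no DefaultRoot line covers, since an account whose group is not listed stays unjailed. The sample config, the user list and the function names are constructed for illustration, and it assumes the group expression is a comma-separated list in which every term must match, with `!` negating a term.

```python
# Added example: audit which FTP accounts a proftpd.conf actually jails.
# SAMPLE_CONF and SAMPLE_USERS are constructed, not taken from a real server.
SAMPLE_CONF = """\
# constructed sample configuration
ServerName "example"
DefaultRoot /usr/hosts/alice alice
DefaultRoot /usr/hosts/shared webdev,!staff
UseReverseDNS off
IdentLookups off
"""

# user -> set of groups (on a real host, build this from /etc/passwd and /etc/group)
SAMPLE_USERS = {
    "alice": {"alice"},
    "bob": {"bob", "webdev"},
    "carol": {"carol", "webdev", "staff"},
    "dave": {"dave"},
}


def parse_default_roots(conf_text):
    """Return [(directory, [group terms])] for every DefaultRoot line."""
    roots = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(parts) >= 2 and parts[0].lower() == "defaultroot":
            terms = parts[2].split(",") if len(parts) > 2 else []
            roots.append((parts[1], terms))
    return roots


def term_matches(term, groups):
    """A term is a group name, or !name meaning 'not a member of name'."""
    if term.startswith("!"):
        return term[1:] not in groups
    return term in groups


def audit(conf_text, users):
    """Map each user to the DefaultRoot directories that apply (empty list = not jailed)."""
    roots = parse_default_roots(conf_text)
    return {user: [d for d, terms in roots
                   if all(term_matches(t, groups) for t in terms)]
            for user, groups in users.items()}


def unjailed(conf_text, users):
    """Users that no DefaultRoot line covers and who can therefore browse the whole filesystem."""
    return sorted(u for u, dirs in audit(conf_text, users).items() if not dirs)
```

A DefaultRoot line with no group expression (for example `DefaultRoot ~`) has no terms to fail, so the audit treats it as covering every account.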

One thought on “ProFTPD and jailing users”

  1. It seems that you can just use `DefaultRoot ~` and it jails all users to their own root.

    This seems easier, and will also work when the users and groups are not one-to-one
