Proftpd DefaultRoot

In proftpd.conf, there is a line

You can guess what DefaultRoot means: it sets the default directory an FTP client lands in after logging in. “DefaultRoot ~” means that when a user connects and logs in over FTP, he arrives in his home directory. But the main use of the DefaultRoot directive is not to set the home directory of FTP users; it is to jail FTP users in a specific directory. In the ProFTPD DefaultRoot example above, the FTP user is jailed in his home directory: he can only see the files and folders under it, and he cannot reach the directories above it by clicking the .. directory.

Even if you create a soft link pointing to a directory outside the DefaultRoot directory, the FTP user still cannot access it through the symlink. This is because ProFTPD uses the chroot system call to change the root directory, and the symbolic link's target directory may not exist under the new root. You can get a detailed explanation of this problem here.

If you find DefaultRoot not working for symlinks in the home directory, you can follow this post and comment out the “DefaultRoot ~ !adm” line in proftpd.conf. The user still arrives in his home directory on login, but he is no longer jailed there since no chroot is called, so he can browse any directory that file permissions allow. The symlinks in his home directory are not affected and can be accessed normally.
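To see which links in a home directory will stop resolving once DefaultRoot chroots the session, the sketch below re-roots each symlink target at the jail, the way path lookup behaves after chroot. It is an added example, not part of the original post or of ProFTPD; the function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

def jailed_target(jail, link):
    """Host path that `link` leads to once `jail` has become "/" via chroot.
    Simplification: symlinks in intermediate path components are not followed."""
    jail = os.path.realpath(jail)
    target = os.readlink(link)
    stack = []
    if not os.path.isabs(target):
        # A relative target starts from the directory that holds the link.
        rel_dir = os.path.relpath(os.path.realpath(os.path.dirname(link)), jail)
        stack = [] if rel_dir == "." else rel_dir.split(os.sep)
    # An absolute target starts from the new root (empty stack), not the host "/".
    for part in target.split(os.sep):
        if part in ("", "."):
            continue
        if part == "..":
            if stack:
                stack.pop()  # ".." at the jail root stays at the jail root
        else:
            stack.append(part)
    return os.path.join(jail, *stack)

def audit_jail(jail):
    """Map each symlink under `jail` to True if it still resolves after chroot."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(jail):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                rel = os.path.relpath(path, jail)
                report[rel] = os.path.exists(jailed_target(jail, path))
    return report

def build_demo(base):
    """Constructed sample layout: a home directory and a directory outside it."""
    home = os.path.join(base, "home", "user1")
    outside = os.path.join(base, "srv", "shared")
    os.makedirs(os.path.join(home, "docs"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(home, "shared"))  # absolute, leaves the jail
    os.symlink("../../srv/shared", os.path.join(home, "shared_rel"))  # relative
    os.symlink("docs", os.path.join(home, "mydocs"))  # stays inside the jail
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, ok in sorted(audit_jail(build_demo(base)).items()):
            print(f"{link}: {'ok' if ok else 'broken under DefaultRoot'}")
```

Links reported as broken still work for a local shell user; they only fail for the jailed FTP session.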

The second parameter of DefaultRoot is a Linux group name (not a user name). Here, we restrict the users who are not in the group adm to their respective home directories. Using the second parameter, we can set a DefaultRoot for specific users. ProFTPD supports multiple DefaultRoot directives: we can put user1 in group1 and user2 in group2, then set a different DefaultRoot for each group.

Now, user1 is jailed in /dir1 and user2 is jailed in /dir2.

 

 
