Setting Up vsftpd as a Chroot’d Dropbox

The Backstory

During my time studying Computing Security at the Rochester Institute of Technology, I was involved in a number of security-related clubs. Their premier security research group was SPARSA, where students would present security topics and demo exploits.

ISTS — the Information Security Talent Search — was a 2-day hackathon where teams of four would attack other teams’ servers while simultaneously defending their own. A good portion of the points were awarded for keeping services like FTP and DNS up and running throughout the competition.

In preparation for the competition, my team looked at both vsftpd and ProFTP. These services worked out of the box, but configuring a secure chroot for users to drop files into was more difficult than I imagined.

500 OOPS: vsftpd: refusing to run with writable root inside chroot()

Messages like this one became infuriating. After countless hours, we were able to configure vsftpd to act as a chroot dropbox. This let a user read and write files in a controlled directory without having access to the entire filesystem.

Installing vsftpd

Note: Although vsftpd should act the same on most servers, I am using Ubuntu 16.04.2 LTS for this example.

To install vsftpd, I used the apt package manager.

$ sudo apt update
$ sudo apt install vsftpd

Once you have installed the package, ensure that the service is up and running.

$ sudo systemctl status vsftpd

Configuration

After installing the service, it’s time to configure it. The configuration file lives in /etc/vsftpd.conf by default. Open it with an editor and paste in the following configuration.

$ sudo vim /etc/vsftpd.conf

allow_writeable_chroot=YES
anonymous_enable=NO
chroot_local_user=YES
connect_from_port_20=YES
data_connection_timeout=120
dirmessage_enable=YES
ftpd_banner=Welcome.
idle_session_timeout=600
listen=YES
local_enable=YES
local_umask=022
pam_service_name=ftp
pasv_enable=NO
secure_chroot_dir=/home/
use_localtime=YES
write_enable=YES
xferlog_enable=YES

Creating an FTP User

Creating a dedicated account is simply good practice. Having one account — sometimes called a functional account — that can only access this service is strongly advised.

$ sudo adduser ftpuser

Once the account is created, we will set the correct permissions on the user’s home directory.

$ sudo chmod -R 755 /home/ftpuser
$ sudo usermod -s /sbin/nologin ftpuser

Restart and Test

Once the service is installed, the configuration file is in place and a user account has been created, you can restart the service and test!

$ sudo systemctl reload vsftpd
$ sudo systemctl restart vsftpd
$ ftp server.com
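As an added check (example code, not from the original post), the following Python script parses a vsftpd.conf in the option=value form used above and reports whether, given the ftpuser home permissions set earlier, vsftpd would refuse to start the session with the writable-root OOPS from the backstory. The writable-root test is a simplified model of vsftpd’s own check, the defaults come from vsftpd.conf(5), and the sample configuration is constructed.

```python
"""Audit a vsftpd.conf plus the FTP user's home for the chroot-dropbox setup."""
import stat
# Built-in defaults from vsftpd.conf(5) for the options the dropbox depends on.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "chroot_local_user": "NO",
            "write_enable": "NO", "allow_writeable_chroot": "NO",
            "secure_chroot_dir": "/usr/share/empty"}
# What a chroot'd dropbox for a local account needs those options to be.
REQUIRED = {"anonymous_enable": "NO", "local_enable": "YES",
            "chroot_local_user": "YES", "write_enable": "YES"}

def parse_vsftpd_conf(text):
    """Parse option=value lines (blank lines and '#' comments skipped). vsftpd
    rejects whitespace around '=' with '500 OOPS: bad config', so report it."""
    options, problems = dict(DEFAULTS), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not option=value")
        elif key != key.strip() or value != value.strip():
            problems.append(f"line {lineno}: whitespace around '=' breaks vsftpd")
        else:
            options[key] = value.upper() if value.upper() in ("YES", "NO") else value
    return options, problems

def audit_dropbox(options, home, home_mode, user_owns_home):
    """Findings for a dropbox chroot'd to `home`; home_mode is its permission
    bits (0o755 after the post's chmod), user_owns_home whether ftpuser owns it."""
    findings = [f"{k} is {options[k]}, dropbox needs {v}"
                for k, v in REQUIRED.items() if options[k] != v]
    # Simplified model of vsftpd's check: a chroot root the logged-in user can
    # write to (owner bit, or world-writable) is refused unless allow_writeable_chroot=YES.
    writable = (user_owns_home and home_mode & stat.S_IWUSR) or home_mode & stat.S_IWOTH
    if writable and options["allow_writeable_chroot"] != "YES":
        findings.append("500 OOPS: vsftpd: refusing to run with writable root inside chroot()")
    # vsftpd.conf(5): secure_chroot_dir should be an empty directory the FTP user
    # cannot write to, so a directory that contains the user's home is flagged.
    sdir = options["secure_chroot_dir"].rstrip("/") + "/"
    if sdir != "/" and home.startswith(sdir):
        findings.append(f"secure_chroot_dir={options['secure_chroot_dir']} contains {home}")
    return findings

# Constructed sample: the post's config with the 500 OOPS fix commented out.
SAMPLE_CONF = ("# allow_writeable_chroot=YES\nanonymous_enable=NO\nchroot_local_user=YES\n"
               "local_enable=YES\npasv_enable=NO\nsecure_chroot_dir=/home/\nwrite_enable=YES\n")

if __name__ == "__main__":
    opts, problems = parse_vsftpd_conf(SAMPLE_CONF)
    print("\n".join(problems + audit_dropbox(opts, "/home/ftpuser", 0o755, True)))
```

Point it at a real /etc/vsftpd.conf and the ftpuser home’s st_mode to re-check the setup after any edit to the config.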

Real-world Application

One of the most common applications of an FTP dropbox is for companies that wish to regularly push information to you. It is most commonly called “FTP Push.”

This is a common practice with government entities and services that offer daily data dumps. “FTP Push” can be a pain, especially since we live in a world of RESTful APIs and other file-sharing services. But hopefully this guide makes setting up a secure FTP dropbox painless.