In many cases, we want to restrict FTP users to their home directory (making it their root directory) and prevent them from browsing other directories on the server. This is done with the `chroot_local_user`, `chroot_list_enable`, and `chroot_list_file` options. The following is an explanation of these three configuration items:
- `chroot_local_user`: whether to lock all users into their home directory. YES enables it, NO disables it. The default is NO, so a freshly installed vsftpd with no further configuration lets FTP users change into directories above and outside their home directory.
- `chroot_list_enable`: whether to use the chroot user list. YES enables it; NO, or leaving the option commented out, disables it.
- `chroot_list_file=/etc/vsftpd/chroot_list`: the file listing the users that are treated as exceptions. Whether this is a "lock these users" list or an "exempt these users" list depends on the value of `chroot_local_user`. Think of it this way: `chroot_local_user` is a single global setting. When set to YES, all users are locked into their home directory; when set to NO, no user is. In practice we almost always need to fine-tune this global setting, that is, we need an "exception mechanism". Setting `chroot_list_enable=YES` therefore means "we need exceptions", and the meaning of an exception always depends on the context: when all users are locked into their home directory (`chroot_local_user=YES`), the exceptions are the users who are not locked; when no user is locked (`chroot_local_user=NO`), the exceptions are the users who must be locked. Seen this way, the relationship between the two options is clear.
For the combined effects of chroot_local_user and chroot_list_enable, please refer to the table below:
| | chroot_local_user=YES | chroot_local_user=NO |
|---|---|---|
| chroot_list_enable=YES | 1. All users are restricted to their home directories. 2. Users listed in chroot_list_file are treated as "exceptions" and are not restricted. | 1. No user is restricted to their home directory. 2. Users listed in chroot_list_file are treated as "exceptions" and are restricted. |
| chroot_list_enable=NO | 1. All users are restricted to their home directories. 2. The list in chroot_list_file is not used, so there are no "exceptional" users. | 1. No user is restricted to their home directory. 2. The list in chroot_list_file is not used, so there are no "exceptional" users. |
Let's take an example:
Suppose there are two FTP users, ftp1 and ftp2. The plan is to lock ftp1 to its home directory, preventing it from switching to other directories, while allowing ftp2 to freely switch directories. This can be achieved in the following two ways:
Method 1:
Set:
chroot_local_user=YES
chroot_list_enable=YES
The list of names in /etc/vsftpd/chroot_list is as follows:
ftp2
Explanation: `chroot_local_user=YES` restricts all users to their home directory. `chroot_list_enable=YES` enables `chroot_list_file`. Since `chroot_local_user=YES` means all users are "restricted to their home directory", `chroot_list_file`, which is always an "exception list", lists users who are "not restricted to their home directory".
Method 2:
Set:
chroot_local_user=NO
chroot_list_enable=YES
The list of names in /etc/vsftpd/chroot_list is as follows:
ftp1
Explanation: `chroot_local_user=NO` means all users are not restricted to their home directory. `chroot_list_enable=YES` means `chroot_list_file` should be enabled. Since `chroot_local_user=NO` means all users are "not restricted to their home directory", `chroot_list_file`, which is always an "exception list", lists those users who are "restricted to their home directory".
Other situations:
For the combination of chroot_local_user and chroot_list_enable, there are two more cases:
chroot_local_user=YES
chroot_list_enable=NO
and
chroot_local_user=NO
chroot_list_enable=NO
When `chroot_list_enable=NO`, `chroot_list_file` is not used at all. The result is then simply that all users are restricted to their home directory (`chroot_local_user=YES`) or none are (`chroot_local_user=NO`).
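As an added example (not code from the original article), the following POSIX shell script applies the decision table above to a constructed vsftpd.conf fragment and chroot_list, reporting whether a given local user would be locked into its home directory. The file paths and user names are sample values, and option values are compared as written (YES/NO), as in the article.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether vsftpd would
# chroot a given local user, applying the chroot_local_user /
# chroot_list_enable / chroot_list_file decision table from the text.
# The files used below are constructed samples, not the live /etc/vsftpd/ files.

# Read "key=value" from a vsftpd.conf-style file; comments and blanks never match.
conf_get() {  # conf_get <file> <key> <default>
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Print "chrooted" or "free" for a user under the given config.
chroot_status() {  # chroot_status <user> <vsftpd.conf> <chroot_list file>
    local_user=$(conf_get "$2" chroot_local_user NO)    # vsftpd default: NO
    list_enable=$(conf_get "$2" chroot_list_enable NO)  # vsftpd default: NO
    listed=no
    # The list is only consulted when chroot_list_enable=YES.
    if [ "$list_enable" = YES ] && [ -f "$3" ] && grep -qx "$1" "$3"; then
        listed=yes    # the list is always an *exception* list
    fi
    # Locked when: everyone locked and not an exception, or nobody locked and an exception.
    case "$local_user:$listed" in
        YES:no|NO:yes) echo chrooted ;;
        *)             echo free ;;
    esac
}

# Constructed demo: Method 1 from the text (lock everyone, exempt ftp2).
demo_dir=$(mktemp -d)
cat > "$demo_dir/vsftpd.conf" <<'EOF'
# sample vsftpd.conf fragment (constructed)
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
EOF
printf 'ftp2\n' > "$demo_dir/chroot_list"

chroot_status ftp1 "$demo_dir/vsftpd.conf" "$demo_dir/chroot_list"   # chrooted
chroot_status ftp2 "$demo_dir/vsftpd.conf" "$demo_dir/chroot_list"   # free
```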
Additional notes:
- For `chroot_local_user`, we generally prefer to lock all users into their home directory globally and add exceptions through chroot_list, that is, the settings of Method 1 above.
- The default root directory for anonymous users is /var/ftp.
All original articles on this site are licensed under the Attribution-NonCommercial-ShareAlike 4.0 license (CC BY-NC-SA 4.0). Please retain the following attribution when sharing or adapting:
Original author: Jake Tao, source: "vsftpd Configuration: Detailed Explanation of chroot_local_user and chroot_list_enable"