adding support for per user chroot jails to Unraid's stock FTP powered by vsftpd
What and Why
I made some changes to enable per user chroot jails for vsftpd. This is the same functionality offered by ProFTPD, but since vsftpd comes with Unraid and can also do it, I figured it made sense.
- You can select the root folder for each user
- Users are restricted to this folder
- You can enable/disable logging to syslog
I couldn't figure out how to test the changes to the help text because I don't know how to update the helptext.dot file.
One More File
Along with the three files listed in this commit, the /etc/vsftpd.conf file needs to be edited. I couldn't find it in this repo so I am putting those details here. These three settings need to be added:
# new code start - IMTheNachoMan
chroot_local_user=YES
allow_writeable_chroot=YES
user_config_dir=/boot/config/vsftpd.user_config_dir
# end new code - IMTheNachoMan
How It Works
- chroot_local_user forces users to stay within their "home directory".
- user_config_dir tells vsftpd where to look for per user settings
I don't have a way to spin up an Unraid VM or second box so I can't do a full thorough test but testing it on my main/only/production Unraid box worked fine.
Known FTP Enabled Bug
I opened a bug report about this: https://forums.unraid.net/bug-reports/stable-releases/ftp-server-in-692-still-auto-starts-on-reboot-r1588/.
I think it happens because /etc/inetd.conf is replaced on reboot and in the stock one the ftp line is not commented out.
To fix it, my thought was to save some FTP enable/disable status in /boot/config/vsftpd.cfg and then something in /boot/config/go that would read it but I am not convinced that is the right approach within the Unraid ecosystem.
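An added example, not part of the pull request: a small audit of the `user_config_dir` described under "How It Works", reporting which jail root each user would get. It assumes each per-user file is named after the FTP user and sets vsftpd's `local_root` option; the function names, sample users and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the pull request.
# Assumption: every file in user_config_dir is named after an FTP user and
# holds vsftpd options such as local_root=<dir> (no spaces around "=").

# audit_user_configs DIR: print "<user> <status> <local_root>" for each file.
audit_user_configs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        user=${f##*/}
        # Assumes at most one uncommented local_root line per file.
        root=$(sed -n 's/^local_root=//p' "$f" | head -n 1)
        case $root in
            '')          echo "$user NO_LOCAL_ROOT -" ;;  # jail is the home directory
            */../*|*/..) echo "$user DOTDOT $root" ;;     # root climbs out of the share
            /*)          if [ -d "$root" ]; then echo "$user OK $root"
                         else echo "$user MISSING_DIR $root"; fi ;;
            *)           echo "$user NOT_ABSOLUTE $root" ;;
        esac
    done
}

# Constructed sample data so the audit runs offline; prints the temp directory.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/conf" "$d/shares/camera"
    echo "local_root=$d/shares/camera"    > "$d/conf/camera"
    echo "local_root=$d/shares/printer"   > "$d/conf/printer"  # directory never created
    echo "local_root=$d/shares/camera/.." > "$d/conf/guest"
    echo "# no root chosen yet"           > "$d/conf/newuser"
    echo "$d"
}

sample=$(make_sample)
audit_user_configs "$sample/conf"
rm -rf "$sample"
```

On a real system the argument would be the directory named by `user_config_dir` in /etc/vsftpd.conf; any line other than `OK` is worth reviewing before the account is used.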
I'd avoid needing to change the go file.
How else would I go about it? I assume /etc/inetd.conf is part of the stock OS file that doesn't get saved on reboot. So there would need to be some way to save and check user preference and update that file accordingly...
Doh. I found a bug/issue. I will fix.
I am adding support for pasv_min_port and pasv_max_port but hit a dilemma. Changes to /etc/vsftpd.conf do not persist on reboot. Users shouldn't have to muck with the go file to make their settings from the webGui stick.
Is there a way from the webGui/PHP to write changes to whatever file is being used to create the /etc/vsftpd.conf file on boot?

Hello. I was wondering if there is anything else I need to do for this pull request? I've been using it for weeks with no issue. I think it will make unRAID better. It addresses the risk and makes the experience better.
As of right now, everything works as expected except the PASV min/max port values reset after reboot. Changes to /etc/vsftpd.conf do not persist on reboot. Users shouldn't have to muck with the go file to make their settings from the webGui stick.
Is there a way from the webGui/PHP to write changes to whatever file is being used to create the /etc/vsftpd.conf file on boot?
I was wondering if anyone had looked at this?
If there is no intention of incorporating my code -- there are no hard feelings or issues on my part. I'd just like to know so I can "close the case" on my end.
And if it won't be incorporated, then I'd prefer to just nix the code I have on my Unraid box and use ProFTPD or something. I have to use FTP cause that is all my camera and printer support.
Apologies for letting this sit for so long. ftp is an insecure protocol that isn't seeing a lot of traction right now. I'd suggest switching to a different protocol, or an ftp server in a Docker container (which I imagine by now you have done). Again, apologies for letting this sit.
Many things still only talk/understand FTP -- like some wifi security cameras.
I know folks could run a Docker container but that seems like avoidable overhead when unRAID has it built in and the unRAID code just needs some tweaks to make it more secure.