# vsFTPd: chroot and symlinks



## APseudoUtopia (Nov 30, 2008)

Hey. I've recently found out that when vsFTPd is set to chroot users, symlinks that point to outside the user's home dir don't work. For example, a symlink in /home/user/backups, which points to /code/backups, does not work. As in, vsFTPd will give a "permission denied" when trying to follow the symlink.

I've googled this, and found out that, in Linux, a way to get around this issue is to run something like:
"mount --bind /code/backups /home/user/backups"

Is there anything similar to this --bind switch in mount for FreeBSD? I really want to restrict the FTP users to their home dir, but I also really want them to be able to access the backups. And, unfortunately, I'm unable to switch to a different FTP daemon due to politics ;-)

Thanks for any suggestions.

EDIT: Now that I think about it, I could always run vsFTPd from within a jail somehow, which will allow me to remove the chroot restriction. I have no experience with jails though.


----------



## brd@ (Nov 30, 2008)

You could use a nullfs mount I think, see the mount_nullfs man page for more info.


----------



## APseudoUtopia (Nov 30, 2008)

I read the manpage and it seemed like it would work; however, I'm getting the following error:



```
# mkdir /usr/home/user/backups
# mount_nullfs -o ro /usr/local/backups /usr/home/user/backups
mount_nullfs: Operation not supported by device
# mount_nullfs /usr/local/backups /usr/home/user/backups
mount_nullfs: Operation not supported by device
```



I'm not using any odd filesystem setups, but I am running a custom kernel. Maybe the lack of a kernel option is causing the error? Anyway, here's the output of 'mount', in case it helps:



```
/dev/ad0s1a on / (ufs, local, noatime)
devfs on /dev (devfs, local)
/dev/ad0s1e on /tmp (ufs, local, noatime, noexec, nosuid, soft-updates)
/dev/ad0s1f on /usr (ufs, local, noatime, soft-updates)
/dev/ad0s1d on /var (ufs, local, noatime, nosuid, soft-updates)
```



Thanks a lot


----------



## cajunman4life (Nov 30, 2008)

I can tell you the reason why it doesn't work, but I can't help you on a work-around.

It doesn't work because it's not supposed to. The user is chrooted, and following a symlink outside that chroot would defeat the purpose of being chrooted.


----------



## oversize (Dec 3, 2008)

You could use hardlinks too.
But as hardlinks won't link to a directory, you probably don't want that.


----------



## danger@ (Dec 3, 2008)

Do you have a custom kernel?
You need either


```
options NULLFS
```

in your kernel configuration file, or load the kernel module.

Check the man page for more information. Unfortunately it's not yet in -STABLE branches... That reminds me that I should MFC it


----------
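The read-only nullfs approach discussed in this thread, as an added example that is not part of any poster's message: it refuses a mount point outside the chrooted home, loads the nullfs module if the kernel lacks it, mounts read-only, and prints the matching /etc/fstab line. The paths are the ones used in the thread; the function names and the `apply` argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): expose one directory read-only inside
# a chrooted FTP home with nullfs on FreeBSD. Function names are hypothetical.

# Succeeds only if $2 is strictly below directory $1 and has no ".." component,
# so the mount point cannot be steered outside the chroot.
is_under() {
    case "$2" in
        */../*|*/..) return 1 ;;
        "${1%/}"/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the /etc/fstab line for a read-only nullfs mount of $1 on $2.
nullfs_fstab_line() {
    printf '%s\t%s\tnullfs\tro\t0\t0\n' "$1" "$2"
}

# Load nullfs if needed, then mount $2 read-only on $3 (must be below home $1).
expose_readonly() {
    home=$1 src=$2 dst=$3
    is_under "$home" "$dst" || { echo "refusing: $dst is not below $home" >&2; return 1; }
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    # "Operation not supported by device" means the running kernel has no
    # nullfs: load the module unless it is compiled in (options NULLFS).
    kldstat -q -m nullfs || kldload nullfs || return 1
    mkdir -p "$dst" && mount_nullfs -o ro "$src" "$dst" || return 1
    echo "add to /etc/fstab to persist across reboots:"
    nullfs_fstab_line "$src" "$dst"
}

# Acts only when asked to: sh expose.sh apply   (as root, on FreeBSD)
if [ "${1:-}" = "apply" ]; then
    expose_readonly /usr/home/user /usr/local/backups /usr/home/user/backups
fi
```

Mounting with `ro` keeps the FTP account from modifying the backups even though they now appear inside its chroot; adding `nullfs_load="YES"` to /boot/loader.conf loads the module at boot.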

