vsFTPd is probably the most secure FTP daemon available for *nix operating systems, and a number of Linux distributions ship it as their default FTP server. Because it is built with security as its main goal, it comes with some limitations.
One of these limitations concerns symbolic links. vsFTPd doesn't allow browsing a symbolic link whose target is outside the user's chroot. Let's try the following scenario (based on my router's configuration):
we have this folder: /tmp/harddisk/music
we have the following folder for user: /tmp/harddisk/ftp_pvt/user
we create a symbolic link inside user’s folder to point to the music folder:
ln -s /tmp/harddisk/music /tmp/harddisk/ftp_pvt/user/music
It seems like everything is okay. As long as the permissions on the music folder grant access to the right users, everybody following that symbolic link on the system should be able to do whatever he/she is allowed to do. But when trying to access that folder (following the symbolic link) via vsFTPd, the user will get:
Status: Retrieving directory listing...
Command: CWD /disc0_3/ftp_pvt/user/music
Response: 550 Failed to change directory.
Error: Failed to retrieve directory listing
So, what's the solution, besides the stupid one of copying the directory that you want to be accessed to a place where the user has access? Simple. Mount! How? Well, like this:
create a directory inside user’s chroot:
mount the folder you want user to access using the bind option:
mount --bind /tmp/harddisk/music /tmp/harddisk/ftp_pvt/user/music
Now you can properly give access to folders and files located outside of a user’s chroot without compromising security using vsFTPd. Any complaints?
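
To apply the same fix to a chroot that already contains such links, the following added example (not part of the original post) lists every symbolic link under a chroot directory whose target resolves outside it and prints the commands that would replace it with a bind mount. The function name plan_bind_mounts is hypothetical, and removing the symbolic link and creating a real directory in its place is an assumption of this example; it only prints commands and runs none of them.

```shell
#!/bin/sh
# Added example: plan bind mounts for symlinks that vsFTPd will refuse to follow.
# Prints commands for review; it never mounts or deletes anything itself.

# plan_bind_mounts CHROOT_DIR
# For each symlink under CHROOT_DIR that points to a directory outside
# CHROOT_DIR, print: rm <link>, mkdir <link>, mount --bind <target> <link>.
# Paths are printed unquoted, so review the output before running it.
plan_bind_mounts() {
    # Physical path of the chroot, so the prefix comparison below is reliable.
    chroot_dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1

    find "$chroot_dir" -type l | sort | while IFS= read -r link; do
        # Resolve the link to a physical directory; skip dangling links
        # and links to regular files.
        target=$(cd "$link" 2>/dev/null && pwd -P) || continue

        case "$target/" in
            # Target is inside the chroot: nothing to replace.
            "$chroot_dir"/*) continue ;;
        esac

        printf 'rm %s\n' "$link"
        printf 'mkdir %s\n' "$link"
        printf 'mount --bind %s %s\n' "$target" "$link"
    done
}

# Stand-alone use: sh plan.sh /tmp/harddisk/ftp_pvt/user
if [ "$#" -gt 0 ]; then
    plan_bind_mounts "$1"
fi
```

A bind mount exposes the source directory with its existing permissions, so anything the FTP user may write there stays writable. On Linux the mount can be made read-only afterwards with mount -o remount,ro,bind followed by the mount point.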