Learn how to configure Chroot FTP in RHEL 8 to restrict users to their home directories, enhancing security and access control. Follow this step-by-step guide to set up and manage a secure FTP environment. #centlinux #linux #chroot
Table of Contents
Problem Definition
In some situations, we have to give FTP access to users, but we do not want to access the whole server using FTP protocol.
For such scenarios, we do chroot FTP configuration for users to restrict them to their home directories. But sometimes, we are required to restrict them to another directory, while keeping their home directories intact for ssh access.
In this article, we will show you how to install vsftpd (Very Secure FTP) service and configure chroot jail for the FTP users to limit their FTP sessions to their respective /var/www/html/[username] directories.
Read Also: How to configure Chroot SFTP Server in Linux

Environment Specification
We are using a minimal Red Hat Enterprise Linux 8 virtual machine with following specifications.
- CPU – 3.4 Ghz (2 cores)
- Memory – 2 GB
- Storage – 40 GB
- Operating System – RHEL 8.3
- Hostname – apache-01.centlinux.com
- IP Address – 192.168.116.238 /24
Recommended Training: Complete Linux Training Course to Get Your Dream IT Job 2025 from Imran Afzal

Create Users in Linux OS
Establish a secure connection with your Apache server, apache-01.centlinux.com, by logging in as the root user using an SSH client. This step ensures you have administrative privileges to configure and manage your FTP server.
Before setting up FTP access, you need to create user accounts that will be allowed to connect to the server. These users will have restricted access based on your FTP configuration settings.
To accomplish this, execute the necessary commands in the Linux Bash prompt to create user accounts and assign them secure passwords. This ensures that each user has a unique login credential, enhancing security and access control.
# useradd user1
# echo "linuxpassword" | passwd --stdin user1
Changing password for user user1.
passwd: all authentication tokens updated successfully.
# useradd user2
# echo "linuxpassword" | passwd --stdin user2
Changing password for user user2.
passwd: all authentication tokens updated successfully.
Hint: If you want to disable the SSH access for these users then you can set their login shell to /sbin/nologin.
Install VSFTPD on RHEL 8
VSFTPD is the default and preferred FTP server software in famous Linux distros including RHEL 8.
You can install the software package from standard yum repositories, if you have configured a valid Red Hat subscription.
# dnf install -y vsftpd
...Installed:
vsftpd-3.0.3-32.el8.x86_64
Complete!
Generate SSL Certificate for FTP Service
To enhance the security of your FTP server, it is essential to configure SSL/TLS encryption. This ensures that all data transmissions, including login credentials and file transfers, are securely encrypted, preventing unauthorized access.
A self-signed SSL certificate is required to enable FTPS (FTP Secure), allowing encrypted connections between FTP clients and the server. Without an SSL certificate, modern FTP clients will likely refuse to establish a secure connection, making it impossible for users to log in securely.
To generate a self-signed SSL certificate along with a private key, you can use the OpenSSL command-line utility. Execute the following OpenSSL command to create an SSL certificate and a corresponding private key, which will be used to encrypt FTP connections on your server.
# openssl req -x509 -nodes -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem -days 365 -newkey rsa:2048
Generating a RSA private key
.........+++++
......+++++
writing new private key to '/etc/vsftpd/vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:Centlinux
Organizational Unit Name (eg, section) []:IT Lab
Common Name (eg, your name or your server's hostname) []:apache-01.centlinux.com
Email Address []:ahmer@apache-01.centlinux.com
Hint: If you have configured a Certificate Authority for your Network, then you can generate a CSR (Certificate Signing Request) and acquire a digital signature from your Certificate Authority.
HUANUO Laptop Desk Mount, Laptop Mount for 17-inch Notebooks or 15”-32” Monitors, Laptop Arm with Ventilated Tray, Fully Adjustable Arm with Tilt, Swivel & Rotation, Holds up to 22 lbs
$27.99 (as of February 6, 2025 14:55 GMT +00:00 – More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)Chroot FTP Configuration
To restrict FTP access to specific users, you need to add them to the vsftpd user list file. This file determines which users are allowed or denied access based on the vsftpd configuration settings.
The default user list file for vsftpd is typically located at /etc/vsftpd/user_list
. By adding your designated FTP users to this file, you ensure that only authorized accounts can connect to the FTP server, enhancing security and preventing unauthorized logins.
To modify the user_list
file, you can use the Vim text editor or any other text editor of your choice. Open the file, add the usernames of the allowed users, and save the changes. This step is crucial in configuring a secure and controlled FTP environment on your Linux server.
# vi /etc/vsftpd/user_list
Add the users in this file.
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
user1
user2
Take a backup of vsftpd.conf file and then edit it in vim text editor.
# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.org
# vi /etc/vsftpd/vsftpd.conf
Locate and set following directives in this file. These settings are related to chroot FTP configuration and SSL configurations.
userlist_enable=YES
userlist_deny=NO
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1_2=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=30000
pasv_max_port=31000
debug_ssl=YES
chroot_local_user=YES
local_root=/var/www/html/$USER
user_sub_token=$USER
allow_writeable_chroot=YES
Start FTP Service
To make your FTP server operational, you need to enable and start the vsftpd (Very Secure FTP Daemon) service on your Linux system.
Enabling the service ensures that vsftpd automatically starts at boot time, allowing FTP access without requiring manual intervention after a system restart. Starting the service activates the FTP server, allowing users to connect and transfer files based on your configured settings.
# systemctl enable --now vsftpd.service
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service â /usr/lib/systemd/system/vsftpd.service.
Once the vsftpd service is started, you should verify its status to ensure it is running correctly. Additionally, you may need to allow FTP traffic through the firewall to enable remote connections. Properly enabling and starting the FTP service is essential for seamless file transfers and secure remote access.
# systemctl status vsftpd
â vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor pres>
Active: active (running) since Sun 2021-03-21 09:37:18 EDT; 41s ago
Process: 1643 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited>
Main PID: 1644 (vsftpd)
Tasks: 1 (limit: 5815)
Memory: 868.0K
CGroup: /system.slice/vsftpd.service
ââ1644 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
Mar 21 09:37:18 apache-01.centlinux.com systemd[1]: Starting Vsftpd ftp daemon.>
Mar 21 09:37:18 apache-01.centlinux.com systemd[1]: Started Vsftpd ftp daemon.
Switch Controller Compatible with Switch/Switch Lite/Switch OLED/Windows/iOS/Android, RGB Lightning Programmable 1000mAh Wireless Switch Pro Controller with One Key Pairing Wake Up Turbo Vibration
$19.99 (as of February 6, 2025 14:54 GMT +00:00 – More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)Configure Linux Firewall
Allow the FTP service ports in Linux firewall.
# firewall-cmd --permanent --add-service=ftp
success
# firewall-cmd --reload
success
Configure SELinux Boolean
Set the following SELinux boolean to disable SELinux MAC (Mandatory Linux Control) for FTP users.
It is necessary because the SELinux file context for /var/www/html directory is httpd_sys_content_t. Therefore, the FTP users may face permission issues.
# setsebool -P ftpd_full_access 1
Create Chroot FTP Directories
Create chroot FTP directories for your users.
# mkdir /var/www/html/user{1..2}
Set the ownership of chroot jail directories.
# chown -R user1:apache /var/www/html/user1
# chown -R user2:apache /var/www/html/user2
Create an empty file in each directory. So you can distinguish the chroot jail directory after login by using a FTP client.
# touch /var/www/html/user1/user1_files
# touch /var/www/html/user2/user2_files
Accessing FTP Server
You need a FTP client to access your FTP server. The default FTP client in RHEL 8 is lftp. You can install it from standard yum repositories.
# dnf install -y lftp
You can now use lftp command to access your FTP server.
# lftp user1@localhost
Password:
lftp user1@localhost:~> ls
ls: Fatal error: Certificate verification: Not trusted (31:98:F7:05:AB:E2:0B:46:BB:39:BE:93:1F:5B:A8:BD:34:E2:71:63)
The certification warning is due to the self signed certificate. You can suppress this warning in lftp by executing following command at Linux bash prompt.
# echo "set ssl:verify-certificate no" >> /etc/lftp.conf
Now, execute lftp command again.
# lftp user1@localhost
Password:
lftp user1@localhost:~> ls
-rw-r--r-- 1 0 0 0 Mar 21 13:59 user1_files
You can see that the user1 is login to his own chroot FTP jail i.e. /var/www/html/user1.
Similarly, login as user2 FTP user.
# lftp user2@localhost
Password:
lftp user2@localhost:~> ls
-rw-r--r-- 1 0 0 0 Mar 21 13:59 user2_files
Just like user1, user2 is login to his own chroot FTP jail i.e. /var/www/html/user2.
Our Chroot FTP Configurations are working fine.
Linux Bible
$63.00 (as of February 6, 2025 14:52 GMT +00:00 – More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)Final Thoughts
Configuring Chroot FTP in RHEL 8 is an essential step in securing file transfers by restricting users to their designated directories. By properly setting up vsftpd and applying the necessary permissions, you can ensure a secure and controlled FTP environment. Regular monitoring and periodic updates will further enhance the security of your FTP server. With this setup, you can confidently manage file transfers while maintaining system integrity.
Struggling with Linux server management? I offer professional support to ensure your servers are secure, optimized, and always available. Visit my Fiverr profile to learn more!
Leave a Reply
You must be logged in to post a comment.