Error message "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" - keep user jailed
So far I have been unable to keep an FTP user jailed to their website directory. Is there a solution that both fixes this bug and keeps the user jailed to their directory?
My vsFTPd settings that I changed:
listen_port=9000 Set: anonymous_enable=NO Uncomment: local_enable=YES Uncomment: write_enable=YES Uncomment: local_umask=022 Set: connect_from_port_20=NO Uncomment: idle_session_timeout=600 Uncomment: data_connection_timeout=120 Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104] Added: banner_file=/etc/issue.net Uncomment: chroot_local_user=YES Uncomment: chroot_local_user=YES Uncomment: chroot_list_enable=YES Uncomment : chroot_list_file=/etc/vsftpd.chroot_listAt the end of the file I added:
# Show hidden files and the "." and ".." folders. # Useful to not write over hidden files: force_dot_files=YES # Hide the info about the owner (user and group) of the files. hide_ids=YES # Connection limit for each IP address: max_per_ip=10 # Maximum number of clients: max_clients=5 # FTP Passive Settings pasv_enable=YES #If your listen_port is 9000 set this range to 7500 and 8500 pasv_min_port=[port range min] pasv_max_port=[port range max]The user in question,
mybloguser, is jailed to her/his website directory under/srv/www/myblogand this user is not part of thenano /etc/vsftpd.chroot_listfile. The user’s home directory is also/srv/www/myblogwhich used to work in the past.I tried the
allow_writeable_chroot=YESsolution which did not work, and actually broke vsFTPd completely.I have tried:
Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()
Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot() on vsftpd
How can we both fix this error and keep the user jailed to their home directory?
After further review of this post, in the comments a package was posted that fixed my issue. You can search for it by either my name or "Marks" Documentation: http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/. Here are my details of how I fixed this further.
USERS ARE STILL JAILED TO THEIR HOME DIRECTORIES!!!
# ------------------------------------------------------------------------------ # SETUP FTP USERS -------------------------------------------------------------- # ------------------------------------------------------------------------------ # create the ftp users and lock them to the website directories useradd -d /srv/www/[website/appname] -m [ftp user name] # set the ftp account passwords passwd [ftp user name] # add the ftp users to the www-data user/group adduser [ftp user name] www-data # BUG FIX: 500 OOPS: vsftpd: refusing to run with writable root inside chroot() sudo add-apt-repository ppa:thefrontiergroup/vsftpd sudo apt-get update sudo apt-get install vsftpd # Edit the vsftpd.conf and append this setting to the end of the file to keep users' jailed! nano /etc/vsftpd.conf # add all of the text between the starting [[ and ending ]] # [[ # Keep non-chroot listed users jailed allow_writeable_chroot=YES # ]] # restart the service for changes to take effect sudo service vsftpd restart #test ftp via secondary terminal window: ftp [ftp user name]@[server ipaddress] [ftp port]**Please Note:** Chris's solution will add a third-party package server to your repository list! Why install a secure, chrooted FTP server when you _blindly_ accept foreign software packages to be installed on your system. (Chris: I don't think that you will take advantage, but using this solution IMHO is bad sysadmining)
do you have a better approach to solving this dilemma @reto? It has been a small mess to solve. THank you for your help.
if there's an updated package from the distribution I would try to use that. Most distributions provide backports for older releases. If thats not possible I'd get the source from the original developer and build it myself. If there's a patch floating around I might apply it (usually they are small and can manually be checked).
This Thread has 12'000 views, lets assume that 5% use your solution and added your repo. You could easily add a new version of a core package with a backdoor integrated. Within a week you could have access to 600 systems out there. I don't think that you would do that, but adding third-party repo is just not very safe.
(i've just see that this probably is not your repository server, so please understand the 'you' as 'the owner of the repository')
You are correct, I did reference a posted solution in that blog article, I do not own the repo. I tried finding a back ported solution with no luck. Hopefully the formal package will be fixed soon.
As @reto said it is too awesome for using this solution. And he said to install the new version of vsftpd by building it. So, why the ubuntu developer team upgrade the package in 12.04 repositories to solve this problem? Isn't it better?
I didn't need to update from repo. For me adding the line "allow_writeable_chroot=YES" fixed the bug
@chrishough I am getting below error Connection attempt failed with "ECONNREFUSED - Connection refused by server". if i add allow_writeable_chroot=YES
For VSFTPD 3,
- Go to:
/etc/vsftpd.conf and add this:
allow_writeable_chroot=YESJust add it if it does not exist yet.
Restart the vsftpd service:
service vsftpd restart
And it should work.
The questioner actually states that he already tried this and it did not work, so this is not an answer to his question.
Where can I read about the security implications of this choice?
worked for me (this was also mentioned in the comment of the accepted answer)
- Go to:
The real solution of this problem: the home folder of the user should not be writable only readable.
So, if user site is in the folder is
cat/example.com/http/, foldercatmust havechmod 555and all will be OK.That makes no sense. The user's directory should not be writeable???
How exactly is the user supposed to **UPLOAD** files if they can't write?!
It works well for an anonymous ftp without upload rights, thanks!
right! now it's ok
This works perfectly! Just create an home for the user with chmod 555 and then, inside that, create a home for the website (or websites), with chmod 755 or the one you need: everything will work and the user will have write permissions.
According to the previous answer "The REAL solution of this problem: the home folder of the user should not be writable only read.". The general thinking is right, but with a wrong realization.
Below I'll try to give a simple example:
For a start, we need to build a topology of the user directory:
/home (ro) |-someuser (rw,700) |-ftp_upload (ro,555) - ch_rooting here, required read-only by vsftpd :( |-temp (rw,755) |-in_box (rw,755) |-out_box (rw,755)vsftpd.conf cut:
# Enable chrooting chroot_local_user=YES # chroot all users except listened inside chroot_list chroot_list_enable=YES # Exception list. Ideally, it should be blank ;) chroot_list_file=/etc/vsftpd/chroot_list # Map ftp root directory to specific directory local_root=/home/someuser/ftp
This configuration works great with a single-user configuration. For multi-user, the "user_config_dir" directive should be used additionally.
**UPDATE 20/09
------**
Here is tricky workaround, not best idea to use, but.... If u need writable ftp root folder, just insert permission change commands in pre-start and post-start commands.
Pre-start - change permissions to read-only, which the server requires (:
Start server
Post-start - change permission to read-write, or which you need.
I tried many variations but could not make it work for a WP server. Is this working for you on a WP configuration?
look to update section, mauby this variant can help u, it's not completely safe to do so, but if no other possibilities...
I needed to add the following to the /etc/vsftpd.conf file as well:
seccomp_sandbox=NOAND no need for the custom repo!!
And uncomment the line:
write_enable=YESIt's pretty much what toastboy70 mentioned. Make ftp-root dir chown'd to ftp.ftp and non-writable (/etc/vsftpd.conf): anon_root=/srv/ftp
Then make a writable child dir: /srv/ftp/upload
The simple fix is to do as the error message suggests: make the root non-writable and then if you need to enable uploads, make a subdirectory which does have write permission. No config changes necessary.
After 3 hours of googling I got on Ubuntu 14.04.2 LTS VSFTPd 3 working. The home folder will be visible /home/vimal once accessed with a client. I have logged in with vimal with root privilege. I have ftpShare folder created, but has not much meaning.
sudo chown vimal:vimal /home/vimal/ftpShare/some useful commands:
sudo nano /etc/vsftpd.conf sudo service vsftpd restart sudo apt-get purge vsftpd netstat -a | grep ftp tcp 0 0 *:ftp *:* LISTEN ftp://12.345.23.xxx/ for browser loginAbove means ftp daemon is working
I have following configuration:
seccomp_sandbox=no listen=YES anonymous_enable=NO local_enable=YES write_enable=YES local_umask=022 dirmessage_enable=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES chroot_local_user=YES chroot_list_enable=NO secure_chroot_dir=/var/run/vsftpd/empty rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key allow_writeable_chroot=YESOnce FTP working you may further tune it to specific needs, some of above have default values, but i don't remember exactly.
Errors seen in FTP Client:
1. 500 OOPS: prctl PR_SET_SECCOMP failed
Solution.
seccomp_sandbox=no[add it on the very first line vsftpd.conf, after initial commented section ends]
2. 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
allow_writeable_chroot=YESI added it at the last line.
I solved the problem of vsFTPd refusing to run with a writable root inside chroot() on my Ubuntu server as follows:
I just added the below line in the
vsftpd.conffile:allow_writeable_chroot=YES
License under CC-BY-SA with attribution
Content dated before 6/26/2020 9:53 AM
rogerdpack 5 years ago
Somehow, for me, at least with "virtual" ftp users, just adding the setting `allow_writeable_chroot=YES` was enough and actually worked "as expected" FWIW...