Error message "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" - keep user jailed
So far I have been unable to keep an FTP user jailed to their website directory. Is there a solution that both fixes this bug and keeps the user jailed to their directory?
My vsFTPd settings that I changed:
listen_port=9000 Set: anonymous_enable=NO Uncomment: local_enable=YES Uncomment: write_enable=YES Uncomment: local_umask=022 Set: connect_from_port_20=NO Uncomment: idle_session_timeout=600 Uncomment: data_connection_timeout=120 Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104] Added: banner_file=/etc/issue.net Uncomment: chroot_local_user=YES Uncomment: chroot_local_user=YES Uncomment: chroot_list_enable=YES Uncomment : chroot_list_file=/etc/vsftpd.chroot_list
At the end of the file I added:
# Show hidden files and the "." and ".." folders. # Useful to not write over hidden files: force_dot_files=YES # Hide the info about the owner (user and group) of the files. hide_ids=YES # Connection limit for each IP address: max_per_ip=10 # Maximum number of clients: max_clients=5 # FTP Passive Settings pasv_enable=YES #If your listen_port is 9000 set this range to 7500 and 8500 pasv_min_port=[port range min] pasv_max_port=[port range max]
The user in question,
mybloguser, is jailed to her/his website directory under
/srv/www/myblogand this user is not part of the
nano /etc/vsftpd.chroot_listfile. The user’s home directory is also
/srv/www/myblogwhich used to work in the past.
I tried the
allow_writeable_chroot=YESsolution which did not work, and actually broke vsFTPd completely.
I have tried:
How can we both fix this error and keep the user jailed to their home directory?
After further review of this post, in the comments a package was posted that fixed my issue. You can search for it by either my name or "Marks" Documentation: http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/. Here are my details of how I fixed this further.
USERS ARE STILL JAILED TO THEIR HOME DIRECTORIES!!!
# ------------------------------------------------------------------------------ # SETUP FTP USERS -------------------------------------------------------------- # ------------------------------------------------------------------------------ # create the ftp users and lock them to the website directories useradd -d /srv/www/[website/appname] -m [ftp user name] # set the ftp account passwords passwd [ftp user name] # add the ftp users to the www-data user/group adduser [ftp user name] www-data # BUG FIX: 500 OOPS: vsftpd: refusing to run with writable root inside chroot() sudo add-apt-repository ppa:thefrontiergroup/vsftpd sudo apt-get update sudo apt-get install vsftpd # Edit the vsftpd.conf and append this setting to the end of the file to keep users' jailed! nano /etc/vsftpd.conf # add all of the text between the starting [[ and ending ]] # [[ # Keep non-chroot listed users jailed allow_writeable_chroot=YES # ]] # restart the service for changes to take effect sudo service vsftpd restart #test ftp via secondary terminal window: ftp [ftp user name]@[server ipaddress] [ftp port]
**Please Note:** Chris's solution will add a third-party package server to your repository list! Why install a secure, chrooted FTP server when you _blindly_ accept foreign software packages to be installed on your system. (Chris: I don't think that you will take advantage, but using this solution IMHO is bad sysadmining)
do you have a better approach to solving this dilemma @reto? It has been a small mess to solve. THank you for your help.
if there's an updated package from the distribution I would try to use that. Most distributions provide backports for older releases. If thats not possible I'd get the source from the original developer and build it myself. If there's a patch floating around I might apply it (usually they are small and can manually be checked).
This Thread has 12'000 views, lets assume that 5% use your solution and added your repo. You could easily add a new version of a core package with a backdoor integrated. Within a week you could have access to 600 systems out there. I don't think that you would do that, but adding third-party repo is just not very safe.
(i've just see that this probably is not your repository server, so please understand the 'you' as 'the owner of the repository')
You are correct, I did reference a posted solution in that blog article, I do not own the repo. I tried finding a back ported solution with no luck. Hopefully the formal package will be fixed soon.
As @reto said it is too awesome for using this solution. And he said to install the new version of vsftpd by building it. So, why the ubuntu developer team upgrade the package in 12.04 repositories to solve this problem? Isn't it better?
I didn't need to update from repo. For me adding the line "allow_writeable_chroot=YES" fixed the bug
For VSFTPD 3,
- Go to:
and add this:
Just add it if it does not exist yet.
Restart the vsftpd service:
service vsftpd restart
And it should work.
The questioner actually states that he already tried this and it did not work, so this is not an answer to his question.
- Go to:
The real solution of this problem: the home folder of the user should not be writable only readable.
So, if user site is in the folder is
chmod 555and all will be OK.
According to the previous answer "The REAL solution of this problem: the home folder of the user should not be writable only read.". The general thinking is right, but with a wrong realization.
Below I'll try to give a simple example:
For a start, we need to build a topology of the user directory:
/home (ro) |-someuser (rw,700) |-ftp_upload (ro,555) - ch_rooting here, required read-only by vsftpd :( |-temp (rw,755) |-in_box (rw,755) |-out_box (rw,755)
# Enable chrooting chroot_local_user=YES # chroot all users except listened inside chroot_list chroot_list_enable=YES # Exception list. Ideally, it should be blank ;) chroot_list_file=/etc/vsftpd/chroot_list # Map ftp root directory to specific directory local_root=/home/someuser/ftp
This configuration works great with a single-user configuration. For multi-user, the "user_config_dir" directive should be used additionally.
Here is tricky workaround, not best idea to use, but.... If u need writable ftp root folder, just insert permission change commands in pre-start and post-start commands.
Pre-start - change permissions to read-only, which the server requires (:
Post-start - change permission to read-write, or which you need.
I tried many variations but could not make it work for a WP server. Is this working for you on a WP configuration?
After 3 hours of googling I got on Ubuntu 14.04.2 LTS VSFTPd 3 working. The home folder will be visible /home/vimal once accessed with a client. I have logged in with vimal with root privilege. I have ftpShare folder created, but has not much meaning.
sudo chown vimal:vimal /home/vimal/ftpShare/
some useful commands:
sudo nano /etc/vsftpd.conf sudo service vsftpd restart sudo apt-get purge vsftpd netstat -a | grep ftp tcp 0 0 *:ftp *:* LISTEN ftp://12.345.23.xxx/ for browser login
Above means ftp daemon is working
I have following configuration:
seccomp_sandbox=no listen=YES anonymous_enable=NO local_enable=YES write_enable=YES local_umask=022 dirmessage_enable=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES chroot_local_user=YES chroot_list_enable=NO secure_chroot_dir=/var/run/vsftpd/empty rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key allow_writeable_chroot=YES
Once FTP working you may further tune it to specific needs, some of above have default values, but i don't remember exactly.
Errors seen in FTP Client:
1. 500 OOPS: prctl PR_SET_SECCOMP failed
[add it on the very first line vsftpd.conf, after initial commented section ends]
2. 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
I added it at the last line.