Error message "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" - keep user jailed

  • So far I have been unable to keep an FTP user jailed to their website directory. Is there a solution that both fixes this bug and keeps the user jailed to their directory?

    My vsFTPd settings that I changed:

    listen_port=9000
    Set: anonymous_enable=NO
    Uncomment: local_enable=YES
    Uncomment: write_enable=YES
    Uncomment: local_umask=022
    Set: connect_from_port_20=NO
    Uncomment: idle_session_timeout=600
    Uncomment: data_connection_timeout=120
    Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104]
    Added: banner_file=/etc/issue.net
    Uncomment: chroot_local_user=YES
    Uncomment: chroot_local_user=YES
    Uncomment: chroot_list_enable=YES
    Uncomment : chroot_list_file=/etc/vsftpd.chroot_list
    

    At the end of the file I added:

    # Show hidden files and the "." and ".." folders.
    # Useful to not write over hidden files:
    force_dot_files=YES
    
    # Hide the info about the owner (user and group) of the files.
    hide_ids=YES
    
    # Connection limit for each IP address:
    max_per_ip=10
    
    # Maximum number of clients:
    max_clients=5
    
    # FTP Passive Settings
    pasv_enable=YES
    #If your listen_port is 9000 set this range to 7500 and 8500
    pasv_min_port=[port range min]
    pasv_max_port=[port range max]
    

    The user in question, mybloguser, is jailed to her/his website directory under /srv/www/myblog and this user is not part of the nano /etc/vsftpd.chroot_list file. The user’s home directory is also /srv/www/myblog which used to work in the past.

    I tried the allow_writeable_chroot=YES solution which did not work, and actually broke vsFTPd completely.

    I have tried:

    How can we both fix this error and keep the user jailed to their home directory?

    Somehow, for me, at least with "virtual" ftp users, just adding the setting `allow_writeable_chroot=YES` was enough and actually worked "as expected" FWIW...

  • Chris Hough

    Chris Hough Correct answer

    8 years ago

    After further review of this post, in the comments a package was posted that fixed my issue. You can search for it by either my name or "Marks" Documentation: http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/. Here are my details of how I fixed this further.

    USERS ARE STILL JAILED TO THEIR HOME DIRECTORIES!!!

    # ------------------------------------------------------------------------------
    # SETUP FTP USERS --------------------------------------------------------------
    # ------------------------------------------------------------------------------
    
    # create the ftp users and lock them to the website directories
    useradd -d /srv/www/[website/appname] -m [ftp user name]
    
    # set the ftp account passwords
    passwd [ftp user name]
    
    # add the ftp users to the www-data user/group
    adduser [ftp user name] www-data
    
    # BUG FIX: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
    sudo add-apt-repository ppa:thefrontiergroup/vsftpd
    sudo apt-get update
    sudo apt-get install vsftpd
    
    # Edit the vsftpd.conf and append this setting to the end of the file to keep users' jailed!
    nano /etc/vsftpd.conf
    
    # add all of the text between the starting [[ and ending ]]
    # [[
    
    # Keep non-chroot listed users jailed
    allow_writeable_chroot=YES
    
    # ]]
    
    # restart the service for changes to take effect
    sudo service vsftpd restart
    
    #test ftp via secondary terminal window:
    ftp [ftp user name]@[server ipaddress] [ftp port]
    

    **Please Note:** Chris's solution will add a third-party package server to your repository list! Why install a secure, chrooted FTP server when you _blindly_ accept foreign software packages to be installed on your system. (Chris: I don't think that you will take advantage, but using this solution IMHO is bad sysadmining)

    do you have a better approach to solving this dilemma @reto? It has been a small mess to solve. THank you for your help.

    if there's an updated package from the distribution I would try to use that. Most distributions provide backports for older releases. If thats not possible I'd get the source from the original developer and build it myself. If there's a patch floating around I might apply it (usually they are small and can manually be checked).

    This Thread has 12'000 views, lets assume that 5% use your solution and added your repo. You could easily add a new version of a core package with a backdoor integrated. Within a week you could have access to 600 systems out there. I don't think that you would do that, but adding third-party repo is just not very safe.

    (i've just see that this probably is not your repository server, so please understand the 'you' as 'the owner of the repository')

    You are correct, I did reference a posted solution in that blog article, I do not own the repo. I tried finding a back ported solution with no luck. Hopefully the formal package will be fixed soon.

    As @reto said it is too awesome for using this solution. And he said to install the new version of vsftpd by building it. So, why the ubuntu developer team upgrade the package in 12.04 repositories to solve this problem? Isn't it better?

    I didn't need to update from repo. For me adding the line "allow_writeable_chroot=YES" fixed the bug

    @chrishough I am getting below error Connection attempt failed with "ECONNREFUSED - Connection refused by server". if i add allow_writeable_chroot=YES

  • For VSFTPD 3,

    1. Go to: /etc/vsftpd.conf
    2. and add this:

      allow_writeable_chroot=YES
      

      Just add it if it does not exist yet.

    3. Restart the vsftpd service:

      service vsftpd restart
      

    And it should work.

    The questioner actually states that he already tried this and it did not work, so this is not an answer to his question.

    Where can I read about the security implications of this choice?

    worked for me (this was also mentioned in the comment of the accepted answer)

  • The real solution of this problem: the home folder of the user should not be writable only readable.

    So, if user site is in the folder is cat/example.com/http/, folder cat must have chmod 555 and all will be OK.

    That makes no sense. The user's directory should not be writeable???

    How exactly is the user supposed to **UPLOAD** files if they can't write?!

    It works well for an anonymous ftp without upload rights, thanks!

    right! now it's ok

    This works perfectly! Just create an home for the user with chmod 555 and then, inside that, create a home for the website (or websites), with chmod 755 or the one you need: everything will work and the user will have write permissions.

  • According to the previous answer "The REAL solution of this problem: the home folder of the user should not be writable only read.". The general thinking is right, but with a wrong realization.

    Below I'll try to give a simple example:

    For a start, we need to build a topology of the user directory:

     /home (ro)
       |-someuser (rw,700)
             |-ftp_upload (ro,555)  - ch_rooting here, required read-only by vsftpd :(
               |-temp (rw,755)
               |-in_box (rw,755)
               |-out_box (rw,755)
    
    

    vsftpd.conf cut:

    # Enable chrooting
    chroot_local_user=YES
    
    # chroot all users except listened inside chroot_list
    chroot_list_enable=YES
    
    # Exception list. Ideally, it should be blank ;)
    chroot_list_file=/etc/vsftpd/chroot_list
    
    # Map ftp root directory to specific directory
    local_root=/home/someuser/ftp
    

    This configuration works great with a single-user configuration. For multi-user, the "user_config_dir" directive should be used additionally.

    **UPDATE 20/09

    ------**

    Here is tricky workaround, not best idea to use, but.... If u need writable ftp root folder, just insert permission change commands in pre-start and post-start commands.

    1. Pre-start - change permissions to read-only, which the server requires (:

    2. Start server

    3. Post-start - change permission to read-write, or which you need.

    I tried many variations but could not make it work for a WP server. Is this working for you on a WP configuration?

    look to update section, mauby this variant can help u, it's not completely safe to do so, but if no other possibilities...

  • I needed to add the following to the /etc/vsftpd.conf file as well:

    seccomp_sandbox=NO
    

    AND no need for the custom repo!!

    And uncomment the line:

    write_enable=YES
    
  • It's pretty much what toastboy70 mentioned. Make ftp-root dir chown'd to ftp.ftp and non-writable (/etc/vsftpd.conf): anon_root=/srv/ftp

    Then make a writable child dir: /srv/ftp/upload

  • The simple fix is to do as the error message suggests: make the root non-writable and then if you need to enable uploads, make a subdirectory which does have write permission. No config changes necessary.

  • After 3 hours of googling I got on Ubuntu 14.04.2 LTS VSFTPd 3 working. The home folder will be visible /home/vimal once accessed with a client. I have logged in with vimal with root privilege. I have ftpShare folder created, but has not much meaning.

    sudo chown vimal:vimal /home/vimal/ftpShare/
    

    some useful commands:

    sudo nano /etc/vsftpd.conf
    sudo service vsftpd restart
    sudo apt-get purge vsftpd
    netstat -a | grep ftp
    tcp        0        0        *:ftp         *:*        LISTEN
    ftp://12.345.23.xxx/  for browser login
    

    Above means ftp daemon is working

    I have following configuration:

    seccomp_sandbox=no
    listen=YES
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    use_localtime=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    chroot_local_user=YES
    chroot_list_enable=NO
    secure_chroot_dir=/var/run/vsftpd/empty
    rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    allow_writeable_chroot=YES
    

    Once FTP working you may further tune it to specific needs, some of above have default values, but i don't remember exactly.

    Errors seen in FTP Client:

    1. 500 OOPS: prctl PR_SET_SECCOMP failed

    Solution.

    seccomp_sandbox=no    
    

    [add it on the very first line vsftpd.conf, after initial commented section ends]

    2. 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

    allow_writeable_chroot=YES
    

    I added it at the last line.

  • I solved the problem of vsFTPd refusing to run with a writable root inside chroot() on my Ubuntu server as follows:

    I just added the below line in the vsftpd.conf file:

    allow_writeable_chroot=YES
    

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM

Tags used