Ubuntu: 500 OOPS: vsftpd: refusing to run with writable root inside chroot() Keep user jailed



Question:

Before you close this out to repetition, I have been researching all of the proposed solutions to this bug and so far I have been unable to keep an FTP user jailed to their website directory. While I am not an Ubuntu server expert, I wanted to reach out to the community to see if anyone has found a solution that both fixes this bug and keeps the user jailed to their directory.

My vsftpd settings that I changed:

    listen_port=9000
    Set: anonymous_enable=NO
    Uncomment: local_enable=YES
    Uncomment: write_enable=YES
    Uncomment: local_umask=022
    Set: connect_from_port_20=NO
    Uncomment: idle_session_timeout=600
    Uncomment: data_connection_timeout=120
    Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104]
    Added: banner_file=/etc/issue.net
    Uncomment: chroot_local_user=YES
    Uncomment: chroot_local_user=YES
    Uncomment: chroot_list_enable=YES
    Uncomment: chroot_list_file=/etc/vsftpd.chroot_list

At the end of the file I added:

    # Show hidden files and the "." and ".." folders.
    # Useful to not write over hidden files:
    force_dot_files=YES

    # Hide the info about the owner (user and group) of the files.
    hide_ids=YES

    # Connection limit for each IP:
    max_per_ip=10

    # Maximum number of clients:
    max_clients=5

    # FTP Passive Settings
    pasv_enable=YES
    #If your listen_port is 9000 set this range to 7500 and 8500
    pasv_min_port=[port range min]
    pasv_max_port=[port range max]

The user in question mybloguser is jailed to her website directory under /srv/www/myblog and this user is not part of the nano /etc/vsftpd.chroot_list file. The user’s home directory is also /srv/www/myblog which used to work in the past.

I tried the allow_writeable_chroot=YES solution which did not work, and actually broke vsftpd completely.

I have tried:

http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot

VSFTPd stopped working after update

http://programster.blogspot.com/2012/12/ubuntu-1204-setting-up-ftp-server-with.html

http://imbuzu.wordpress.com/2012/05/07/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot-on-vsftpd/

How can we both fix this error and keep the user jailed to their home directory?


Solution:1

The real solution of this problem: the home folder of the user should not be writable, only readable.

So, if the user's site is in the folder cat/example.com/http/, the folder cat must have chmod 555 and all will be OK.


Solution:2

After further review of this post, in the comments a package was posted that fixed my issue. You can search for it by either my name or "Marks" Documentation: http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/. Here are my details of how I fixed this further.

USERS ARE STILL JAILED TO THEIR HOME DIRECTORIES!!!

    # ------------------------------------------------------------------------------
    # SETUP FTP USERS --------------------------------------------------------------
    # ------------------------------------------------------------------------------

    # create the ftp users and lock them to the website directories
    useradd -d /srv/www/[website/appname] -m [ftp user name]

    # set the ftp account passwords
    passwd [ftp user name]

    # add the ftp users to the www-data user/group
    adduser [ftp user name] www-data

    # BUG FIX: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
    sudo add-apt-repository ppa:thefrontiergroup/vsftpd
    sudo apt-get update
    sudo apt-get install vsftpd

    # Edit the vsftpd.conf and append this setting to the end of the file to keep users' jailed!
    nano /etc/vsftpd.conf

    # add all of the text between the starting [[ and ending ]]
    # [[

    # Keep non-chroot listed users jailed
    allow_writeable_chroot=YES

    # ]]

    # restart the service for changes to take effect
    sudo service vsftpd restart

    #test ftp via secondary terminal window:
    ftp [ftp user name]@[server ipaddress] [ftp port]


Solution:3

For VSFTPD 3,

  1. Go to: /etc/vsftpd.conf
  2. and add this:

    allow_writeable_chroot=YES  

And it should work.


Solution:4

According to a previous answer, "The REAL solution of this problem: the home folder of the user should not be writable only read.". The general idea is right, but the implementation is wrong.

Below I'll try to give a simple example:

To start, we need to build the topology of the user directory:

    /home (ro)
      |-someuser (rw,700)
        |-ftp_upload (ro,555)  - ch_rooting here, required ro by vsftpd :(
          |-temp (rw,755)
          |-in_box (rw,755)
          |-out_box (rw,755)

vsftpd.conf cut:

    #enable chrooting
    chroot_local_user=YES

    #chroot all users except those listed inside chroot_list
    chroot_list_enable=YES

    #exception list, ideally should be blank ;)
    chroot_list_file=/etc/vsftpd/chroot_list

    #map ftp root dir to specific dir
    local_root=/home/someuser/ftp

This configuration works great with a single-user configuration; for multi-user, the "user_config_dir" directive should additionally be used.

UPDATE 20/09

Here is a tricky workaround, not the best idea to use, but.... If you need a writable ftp root folder, just insert permission change commands in the pre-start and post-start commands.

1) pre-start - change permissions to read-only, which the server requires (:

2) start server

3) post-start - change permissions to read-write, or whatever you need.


Solution:5

I needed to add the following to the /etc/vsftpd.conf file as well:

seccomp_sandbox=NO  

AND no need for the custom repo!!

And uncomment the line:

write_enable=YES  


Solution:6

The simple fix is to do as the error message suggests: make the root non-writable and then if you need to enable uploads, make a subdirectory which does have write permission. No config changes necessary.
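
The layout this answer describes (also suggested in Solutions 1 and 8), as an added example that is not part of any original answer: shell functions that build a read-only chroot root with one writable subdirectory and audit the result. The function names and the `upload` directory name are assumptions; the audit flags any write bit on the root, matching the chmod 555 advice above.

```sh
#!/bin/sh
# Added example (not from the original answers). Function names and the
# "upload" directory name are assumptions chosen for illustration.

# has_write_bit DIR: exit 0 if owner, group or other has the write bit set.
has_write_bit() {
    [ -d "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        d?w*|d????w*|d???????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_jail ROOT NAME: chroot root becomes 555, ROOT/NAME stays writable (755).
# Ownership (chown to the FTP user) needs root and is left to the admin.
make_jail() {
    mkdir -p "$1" && chmod 755 "$1" || return 1
    mkdir -p "$1/$2" && chmod 755 "$1/$2" || return 1
    chmod 555 "$1"
}

# audit_jail ROOT: 0 = non-writable root with a writable child,
# 1 = root has a write bit set, 3 = read-only root with nowhere to upload.
audit_jail() {
    [ -d "$1" ] || { echo "MISSING $1"; return 2; }
    if has_write_bit "$1"; then
        echo "FAIL $1 has a write bit set"; return 1
    fi
    for child in "$1"/*/; do
        if [ -d "$child" ] && has_write_bit "$child"; then
            echo "OK $1 is read-only, uploads go to $child"; return 0
        fi
    done
    echo "WARN $1 is read-only but has no writable subdirectory"; return 3
}

# Demo on a constructed temporary directory; no root privileges needed.
demo=$(mktemp -d)
mkdir "$demo/myblog" && chmod 755 "$demo/myblog"
audit_jail "$demo/myblog" || true    # writable root
make_jail "$demo/myblog" upload
audit_jail "$demo/myblog" || true    # read-only root, writable upload/
chmod -R u+w "$demo" && rm -rf "$demo"
```

With this layout the user stays jailed and `allow_writeable_chroot` is not needed; uploads go into the subdirectory.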


Solution:7

After 3 hours of googling I got on Ubuntu 14.04.2 LTS VSFTPd 3 working. The home folder will be visible /home/vimal once accessed with a client. I have logged in with vimal with root privilege. I have ftpShare folder created, but has not much meaning.

sudo chown vimal:vimal /home/vimal/ftpShare/  

some useful commands:

    sudo nano /etc/vsftpd.conf
    sudo service vsftpd restart
    sudo apt-get purge vsftpd
    netstat -a | grep ftp
    tcp        0        0        *:ftp         *:*        LISTEN
    ftp://12.345.23.xxx/  for browser login

Above means ftp daemon is working

I have following configuration:

    seccomp_sandbox=no
    listen=YES
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    use_localtime=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    chroot_local_user=YES
    chroot_list_enable=NO
    secure_chroot_dir=/var/run/vsftpd/empty
    rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    allow_writeable_chroot=YES

Once FTP is working you may further tune it to specific needs; some of the above have default values, but I don't remember exactly.

Errors seen in FTP Client:

1. 500 OOPS: prctl PR_SET_SECCOMP failed

Solution.

seccomp_sandbox=no      

[add it on the very first line vsftpd.conf, after initial commented section ends]

2. 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

allow_writeable_chroot=YES  

I added it at the last line.


Solution:8

It's pretty much what toastboy70 mentioned. Make ftp-root dir chown'd to ftp.ftp and non-writable (/etc/vsftpd.conf): anon_root=/srv/ftp

Then make a writable child dir: /srv/ftp/upload


Solution:9

I solved the problem of vsftpd refusing to run with writable root inside chroot() on Ubuntu on my server as follows:

I just added the line below to the vsftpd.conf file.

allow_writeable_chroot=YES  
