Error message "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" - keep user jailed


Solution 1

After further review of this post, a package that fixed my issue was posted in the comments. You can search for it by either my name or "Marks". Documentation: http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/. Here are my details of how I fixed this further.

USERS ARE STILL JAILED TO THEIR HOME DIRECTORIES!!!

# ------------------------------------------------------------------------------
# SETUP FTP USERS --------------------------------------------------------------
# ------------------------------------------------------------------------------

# create the ftp users and lock them to the website directories
useradd -d /srv/www/[website/appname] -m [ftp user name]

# set the ftp account passwords
passwd [ftp user name]

# add the ftp users to the www-data user/group
adduser [ftp user name] www-data

# BUG FIX: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
sudo add-apt-repository ppa:thefrontiergroup/vsftpd
sudo apt-get update
sudo apt-get install vsftpd

# Edit vsftpd.conf and append this setting to the end of the file to keep users jailed!
nano /etc/vsftpd.conf

# add all of the text between the starting [[ and ending ]]
# [[

# Keep users chrooted, but let the chroot root be writable
# (this is the setting that silences the 500 OOPS; needs the vsftpd 3 package above)
allow_writeable_chroot=YES

# ]]

# restart the service for changes to take effect
sudo service vsftpd restart

#test ftp via secondary terminal window:
ftp [ftp user name]@[server ipaddress] [ftp port]
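As an added check that is not part of the answer above or of vsftpd itself: the following shell functions read a vsftpd.conf and classify its chroot posture, that is, whether local users are jailed at all and whether allow_writeable_chroot=YES has been appended, which keeps them jailed but switches off the writable-root refusal that the 500 OOPS reports. The sample configs are constructed to mirror the settings listed in the question; the file names are assumptions. Only chroot_local_user and allow_writeable_chroot are evaluated, the chroot_list_enable exception list is not.

```shell
#!/bin/sh
# Added example: audit the chroot posture of a vsftpd.conf.
# Not code from the original answers or from vsftpd; the file names and the
# sample configs below are constructed for the demo.

# conf_get FILE KEY
# Print the effective value of KEY. The last uncommented "KEY=value" line wins,
# which is why a directive appended to the end of the file overrides an earlier
# one. Prints nothing when KEY is not set.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# is_yes VALUE: vsftpd booleans are written YES/NO in vsftpd.conf
is_yes() {
    [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = "YES" ]
}

# jail_status FILE
# Prints one of:
#   not-chrooted            chroot_local_user is NO (the default): local users
#                           see the whole filesystem
#   chrooted                users are jailed and the writable-root refusal is
#                           active (a writable root triggers the 500 OOPS)
#   chrooted-writable-root  users are jailed but allow_writeable_chroot=YES
#                           disables the refusal (vsftpd 3.x only; an older build
#                           rejects the unknown directive and does not start)
# Note: with chroot_list_enable=YES the users in chroot_list_file are the
# exceptions and are NOT jailed; that list is not evaluated here.
jail_status() {
    if ! is_yes "$(conf_get "$1" chroot_local_user)"; then
        echo not-chrooted
    elif is_yes "$(conf_get "$1" allow_writeable_chroot)"; then
        echo chrooted-writable-root
    else
        echo chrooted
    fi
}

# Demo on constructed configs (assumption: these mirror the question's settings)
demo_dir=$(mktemp -d)
cat > "$demo_dir/question.conf" <<'EOF'
listen_port=9000
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
EOF
cp "$demo_dir/question.conf" "$demo_dir/solution1.conf"
echo 'allow_writeable_chroot=YES' >> "$demo_dir/solution1.conf"

printf '%s: %s\n' question.conf  "$(jail_status "$demo_dir/question.conf")"   # chrooted
printf '%s: %s\n' solution1.conf "$(jail_status "$demo_dir/solution1.conf")"  # chrooted-writable-root
rm -r "$demo_dir"
```

Run it against the real file with jail_status /etc/vsftpd.conf after the restart; "chrooted-writable-root" tells you the users are still jailed but the server no longer refuses a root directory the user can write to.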

Solution 2

For VSFTPD 3,

  1. Go to: /etc/vsftpd.conf
  2. and add this:

    allow_writeable_chroot=YES
    

    Just add it if it does not exist yet.

  3. Restart the vsftpd service:

    service vsftpd restart
    

And it should work.

Solution 3

The real solution to this problem: the home folder of the user should not be writable, only readable.

So, if the user's site is in the folder cat/example.com/http/, the folder cat must have chmod 555 and all will be OK.

Solution 4

According to the previous answer, "The REAL solution of this problem: the home folder of the user should not be writable only read." The general thinking is right, but the realization is wrong.

Below I'll try to give a simple example:

For a start, we need to build a topology of the user directory:

 /home (ro)
   |-someuser (rw,700)
       |-ftp_upload (ro,555)  - chroot here; vsftpd requires it to be read-only :(
           |-temp (rw,755)
           |-in_box (rw,755)
           |-out_box (rw,755)

vsftpd.conf cut:

# Enable chrooting
chroot_local_user=YES

# chroot all users except those listed inside chroot_list
chroot_list_enable=YES

# Exception list. Ideally, it should be blank ;)
chroot_list_file=/etc/vsftpd/chroot_list

# Map the ftp root directory to a specific directory (the read-only ftp_upload from the tree above)
local_root=/home/someuser/ftp_upload

This configuration works great with a single-user configuration. For multi-user, the "user_config_dir" directive should be used additionally.

UPDATE 20/09

Here is a tricky workaround, not the best idea to use, but... If you need a writable ftp root folder, just insert permission change commands in the pre-start and post-start commands.

  1. Pre-start: change permissions to read-only, which the server requires (:

  2. Start the server.

  3. Post-start: change permissions to read-write, or whatever you need.
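The layout that Solution 3 and Solution 4 describe, as an added shell example that is not code from either answer or from vsftpd: the chroot root is created with mode 555 and the writable work happens in 755 subdirectories beneath it. The script also carries a conservative version of the test behind the refusal (no write bit at all on the root, the 555 that Solution 3 prescribes), so a directory can be checked before local_root or a user's home is pointed at it. The paths, the user name mybloguser and the subdirectory names are assumptions taken from the question; chown only runs if that account exists. One caveat for the pre-start/post-start idea: the refusal is a 500 reply sent to the client at login, so the mode has to be right at the moment a user logs in, not only while the daemon is starting.

```shell
#!/bin/sh
# Added example: build the read-only chroot root with writable subdirectories
# that Solution 3 and Solution 4 describe, and check a directory the way the
# 500 OOPS would. Not code from the answers or from vsftpd. Paths, the user
# name and the subdirectory names are assumptions for the demo.

# root_is_readonly DIR
# Return 0 when DIR carries no write bit for owner, group or others (555 etc.),
# 1 otherwise. This is stricter than vsftpd's own test, which asks whether the
# logged-in user can write to the chroot root; this asks whether anyone can.
# stat(1) is used instead of "test -w" because test -w is always true for root.
root_is_readonly() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 0222 )) -eq 0 ]
}

# build_jail ROOT USER SUBDIR...
# Create ROOT and the SUBDIRs, make the SUBDIRs 755 and owned by USER (when that
# account exists), then lock ROOT to 555 as the last step so the function also
# works when run without root privileges.
build_jail() {
    root=$1; user=$2; shift 2
    mkdir -p "$root"
    for sub in "$@"; do
        mkdir -p "$root/$sub"
        chmod 755 "$root/$sub"
        if id "$user" >/dev/null 2>&1; then chown "$user" "$root/$sub"; fi
    done
    chmod 555 "$root"   # the user may list and enter it, but not create files here
}

# check_jail ROOT: print "ok" if ROOT passes root_is_readonly, else "writable-root"
check_jail() {
    if root_is_readonly "$1"; then echo ok; else echo writable-root; fi
}

# Demo under a temp dir (assumption: /srv/www/myblog is the real path from the question)
demo=$(mktemp -d)
build_jail "$demo/myblog" mybloguser http temp in_box out_box
printf 'myblog:        %s (mode %s)\n' "$(check_jail "$demo/myblog")" "$(stat -c '%a' "$demo/myblog")"
printf 'myblog/http:   mode %s, writable for the owner\n' "$(stat -c '%a' "$demo/myblog/http")"

# The questioner's situation: the home directory itself is the chroot root and
# is writable by its owner, which is what vsftpd refuses.
mkdir "$demo/home-as-root"; chmod 755 "$demo/home-as-root"
printf 'home-as-root:  %s (mode %s)\n' "$(check_jail "$demo/home-as-root")" "$(stat -c '%a' "$demo/home-as-root")"
chmod -R u+w "$demo"; rm -rf "$demo"
```

For the real server, run build_jail as root on the path you will use as local_root or the user's home, then point the web server's document root at one of the 755 subdirectories (http in the demo) rather than at the chroot root itself.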

Solution 5

It's pretty much what toastboy70 mentioned. Make the ftp root dir chown'd to ftp.ftp and non-writable; in /etc/vsftpd.conf: anon_root=/srv/ftp

Then make a writable child dir: /srv/ftp/upload

Author: Chris Hough

Updated on September 18, 2022

Comments

  • Chris Hough
    Chris Hough almost 2 years

    So far I have been unable to keep an FTP user jailed to their website directory. Is there a solution that both fixes this bug and keeps the user jailed to their directory?

    My vsFTPd settings that I changed:

    listen_port=9000
    Set: anonymous_enable=NO
    Uncomment: local_enable=YES
    Uncomment: write_enable=YES
    Uncomment: local_umask=022
    Set: connect_from_port_20=NO
    Uncomment: idle_session_timeout=600
    Uncomment: data_connection_timeout=120
    Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104]
    Added: banner_file=/etc/issue.net
    Uncomment: chroot_local_user=YES
    Uncomment: chroot_list_enable=YES
    Uncomment : chroot_list_file=/etc/vsftpd.chroot_list
    

    At the end of the file I added:

    # Show hidden files and the "." and ".." folders.
    # Useful to not write over hidden files:
    force_dot_files=YES
    
    # Hide the info about the owner (user and group) of the files.
    hide_ids=YES
    
    # Connection limit for each IP address:
    max_per_ip=10
    
    # Maximum number of clients:
    max_clients=5
    
    # FTP Passive Settings
    pasv_enable=YES
    #If your listen_port is 9000 set this range to 7500 and 8500
    pasv_min_port=[port range min]
    pasv_max_port=[port range max]
    

    The user in question, mybloguser, is jailed to her/his website directory under /srv/www/myblog and this user is not part of the nano /etc/vsftpd.chroot_list file. The user’s home directory is also /srv/www/myblog which used to work in the past.

    I tried the allow_writeable_chroot=YES solution which did not work, and actually broke vsFTPd completely.

    I have tried:

    How can we both fix this error and keep the user jailed to their home directory?

  • Paolopast
    Paolopast about 11 years
Please note: Chris's solution will add a third-party package server to your repository list! Why install a secure, chrooted FTP server when you blindly accept foreign software packages to be installed on your system? (Chris: I don't think that you will take advantage, but using this solution IMHO is bad sysadmining.)
  • Paolopast
    Paolopast about 11 years
This thread has 12,000 views; let's assume that 5% use your solution and added your repo. You could easily add a new version of a core package with a backdoor integrated. Within a week you could have access to 600 systems out there. I don't think that you would do that, but adding a third-party repo is just not very safe.
  • Paolopast
    Paolopast about 11 years
(I've just seen that this probably is not your repository server, so please understand the 'you' as 'the owner of the repository'.)
  • Chris Hough
    Chris Hough about 11 years
    You are correct, I did reference a posted solution in that blog article, I do not own the repo. I tried finding a back ported solution with no luck. Hopefully the formal package will be fixed soon.
  • Kevin Bowen
    Kevin Bowen almost 11 years
    That makes no sense. The user's directory should not be writeable???
  • Cerin
    Cerin almost 11 years
    How exactly is the user supposed to UPLOAD files if they can't write?!
  • Chris Hough
    Chris Hough almost 11 years
    I tried many variations but could not make it work for a WP server. Is this working for you on a WP configuration?
  • Reishin
    Reishin almost 11 years
Look at the update section; maybe this variant can help you. It's not completely safe to do so, but if there are no other possibilities...
  • sighrobot
    sighrobot over 10 years
As @reto said, it is too awesome to use this solution. And he said to install the new version of vsftpd by building it. So, why doesn't the Ubuntu developer team upgrade the package in the 12.04 repositories to solve this problem? Isn't that better?
  • abumalick
    abumalick over 10 years
    I didn't need to update from repo. For me adding the line "allow_writeable_chroot=YES" fixed the bug
  • palacsint
    palacsint over 10 years
    It works well for an anonymous ftp without upload rights, thanks!
  • vimal1083
    vimal1083 almost 10 years
@chrishough I am getting the error below if I add allow_writeable_chroot=YES: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
  • lucaferrario
    lucaferrario over 9 years
This works perfectly! Just create a home for the user with chmod 555 and then, inside that, create a home for the website (or websites) with chmod 755 or whatever you need: everything will work and the user will have write permissions.
  • Requist
    Requist over 9 years
    The questioner actually states that he already tried this and it did not work, so this is not an answer to his question.
  • flickerfly
    flickerfly about 9 years
    Where can I read about the security implications of this choice?
  • Sverre
    Sverre over 8 years
    worked for me (this was also mentioned in the comment of the accepted answer)
  • Manoj Sethi
    Manoj Sethi almost 3 years
    worked right away. Thanks.
  • Admin
    Admin about 2 years
    Worked like a champ!