vsftpd: refusing to run with writable root inside chroot
Solution 1
either do the both other answers (downgrading, or reducing security by disabling the check)
Another option would be to actually fix the issue by having correct permissions for the root chroot folder.
Qouting a nice blogpost, which Marek already linked
– Add stronger checks for the configuration error of running with a writeable root directory inside a chroot(). This may bite people who carelessly turned on chroot_local_user but such is life.
the chrooted root directory is writeable by the user, this is not allowed anymore by the update Marek mentioned.
So fixing it would require you to:
Change the write permissions of the chrooted home root
f.e.
chmod a-w /home/user
forcing your users to upload to a subdirectory though.
Solution 2
Your write enable
is set to YESr
instead of YES
also try adding
allow_writeable_chroot=YES
Usually this helps
sudo add-apt-repository ppa:thefrontiergroup/vsftpd
sudo apt-get update
sudo apt-get install vsftpd
Solution 3
Change vsftpd to lower version. This is a security patch introduced in vsftpd 2.3.5
http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/
Related videos on Youtube
wolvpak
Updated on September 18, 2022Comments
-
wolvpak almost 2 years
I want to setup a anonymous only ftp server (able to upload files). Here is my config file:
listen=YES anonymous_enable=YES anon_root=/var/www/ftp local_enable=YES write_enable=YESr. anon_upload_enable=YES anon_mkdir_write_enable=YES xferlog_enable=YES connect_from_port_20=YES chroot_local_user=YES dirmessage_enable=YES use_localtime=YES secure_chroot_dir=/var/run/vsftpd/empty rsa_cert_file=/etc/ssl/private/vsftpd.pem pam_service_name=vsftpd
But when i try to connect it:
kan@kan:~$ ftp yxxxng.bej Connected to yxxx. 220 (vsFTPd 2.3.5) Name (yxxxg.bej:kan): anonymous 331 Please specify the password. Password: 500 OOPS: vsftpd: refusing to run with writable root inside chroot() Login failed Can anyone help ?
-
Net Runner about 7 years> if that doesn't work, downgrade. This is a good point.