So far I have been unable to keep an FTP user jailed to their website directory. Is there a solution that both fixes this bug and keeps the user jailed to their directory?

My vsFTPd settings that I changed:

listen_port=9000
Set: anonymous_enable=NO
Uncomment: local_enable=YES
Uncomment: write_enable=YES
Uncomment: local_umask=022
Set: connect_from_port_20=NO
Uncomment: idle_session_timeout=600
Uncomment: data_connection_timeout=120
Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104]
Added: banner_file=/etc/issue.net
Uncomment: chroot_local_user=YES
Uncomment: chroot_list_enable=YES
Uncomment: chroot_list_file=/etc/vsftpd.chroot_list

At the end of the file I added:

# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES

# Hide the info about the owner (user and group) of the files.
hide_ids=YES

# Connection limit for each IP address:
max_per_ip=10

# Maximum number of clients:
max_clients=5

# FTP Passive Settings
pasv_enable=YES
#If your listen_port is 9000 set this range to 7500 and 8500
pasv_min_port=[port range min]
pasv_max_port=[port range max]

The user in question, mybloguser, is jailed to his/her website directory under /srv/www/myblog, and this user is not listed in the /etc/vsftpd.chroot_list file. The user's home directory is also /srv/www/myblog, which used to work in the past.

I tried the allow_writeable_chroot=YES solution which did not work, and actually broke vsFTPd completely.

I have tried:

How can we both fix this error and keep the user jailed to their home directory?

11 Answers


For vsFTPd 3:

  1. Open /etc/vsftpd.conf
  2. and add this line:

    allow_writeable_chroot=YES
    

    Just add it if it does not exist yet.

  3. Restart the vsftpd service:

    service vsftpd restart
    

And it should work.

Black


The real solution to this problem: the home folder of the user should not be writable, only readable.

So, if the user's site is in the folder cat/example.com/http/, folder cat must have chmod 555 and all will be OK.

palacsint
nikita


After further review of this post, a package was posted in the comments that fixed my issue. You can search for it by either my name or "Marks". Documentation: http://www.benscobie.com/fixing-500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/. Here are the details of how I fixed this further.

USERS ARE STILL JAILED TO THEIR HOME DIRECTORIES!!!

# ------------------------------------------------------------------------------
# SETUP FTP USERS --------------------------------------------------------------
# ------------------------------------------------------------------------------

# create the ftp users and lock them to the website directories
useradd -d /srv/www/[website/appname] -m [ftp user name]

# set the ftp account passwords
passwd [ftp user name]

# add the ftp users to the www-data user/group
adduser [ftp user name] www-data

# BUG FIX: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
sudo add-apt-repository ppa:thefrontiergroup/vsftpd
sudo apt-get update
sudo apt-get install vsftpd

# Edit the vsftpd.conf and append this setting to the end of the file to keep users' jailed!
nano /etc/vsftpd.conf

# add all of the text between the starting [[ and ending ]]
# [[

# Keep non-chroot listed users jailed
allow_writeable_chroot=YES

# ]]

# restart the service for changes to take effect
sudo service vsftpd restart

# test ftp via a secondary terminal window:
ftp [ftp user name]@[server ipaddress] [ftp port]


According to the previous answer, "The REAL solution of this problem: the home folder of the user should not be writable, only readable." The general idea is right, but the realization is wrong.

Below I'll try to give a simple example:

For a start, we need to build a topology of the user directory:

 /home (ro)
   |-someuser (rw,700)
         |-ftp_upload (ro,555)  - chroot here; vsftpd requires it to be read-only :(
           |-temp (rw,755)
           |-in_box (rw,755)
           |-out_box (rw,755)

vsftpd.conf cut:

# Enable chrooting
chroot_local_user=YES

# chroot all users except those listed inside chroot_list
chroot_list_enable=YES

# Exception list. Ideally, it should be blank ;)
chroot_list_file=/etc/vsftpd/chroot_list

# Map ftp root directory to specific directory
local_root=/home/someuser/ftp

This configuration works great with a single-user configuration. For multiple users, the "user_config_dir" directive should be used as well.

UPDATE 20/09

Here is a tricky workaround, not the best idea to use, but... If you need a writable ftp root folder, just insert permission-change commands in the pre-start and post-start commands.

  1. Pre-start - change permissions to read-only, which the server requires (:

  2. Start server

  3. Post-start - change permissions to read-write, or whatever you need.

Reishin


It's pretty much what toastboy70 mentioned. Make the ftp root dir owned by ftp:ftp and non-writable, and point vsftpd at it (/etc/vsftpd.conf): anon_root=/srv/ftp

Then make a writable child dir: /srv/ftp/upload


The simple fix is to do as the error message suggests: make the root non-writable and then if you need to enable uploads, make a subdirectory which does have write permission. No config changes necessary.

toastboy70

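The following is a combined example added here by the editor; it is not code from any of the answers above. It builds the layout the read-only-root answers (nikita, Reishin, toastboy70) describe, a root-owned mode-555 chroot root with a user-owned writable subdirectory, and then predicts, from a vsftpd.conf and a directory, which outcome a login will hit: the 500 OOPS from the question, the relaxed allow_writeable_chroot=YES mode from the first answer, a proper jail, or no jail at all. It assumes Linux with GNU coreutils (stat -c) and a vsftpd that performs the writable-root check as the logged-in user after chroot, which is why the error shows up at login rather than at daemon start. The function names, the mode-bit write test (an approximation of access(2) that ignores POSIX ACLs) and the sample config lines are the editor's own.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes Linux + GNU coreutils.
set -eu

# make_jail JAIL USER [GROUP]
# Layout that satisfies vsftpd's check without allow_writeable_chroot:
#   JAIL/        root-owned, 555 : the chroot root, writable by nobody
#   JAIL/upload  USER-owned, 755 : where uploads actually land
make_jail() {
    jail=$1; user=$2; group=${3:-$2}
    mkdir -p "$jail/upload"
    # chown needs root; unprivileged, the mode bits alone still show the point
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$jail"
        chown "$user:$group" "$jail/upload"
    fi
    chmod 555 "$jail"
    chmod 755 "$jail/upload"
}

# user_can_write DIR USER -> 0 if USER could write in DIR by its mode bits.
# Approximates the access(dir, W_OK) test vsftpd runs after dropping to USER
# (ACLs and root's privilege bypass are ignored).
user_can_write() {
    dir=$1; user=$2
    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%U' "$dir")
    grp=$(stat -c '%G' "$dir")
    ow=$(( (mode / 100) % 10 )); gw=$(( (mode / 10) % 10 )); xw=$(( mode % 10 ))
    if [ "$owner" = "$user" ] && [ $((ow & 2)) -ne 0 ]; then return 0; fi
    if id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp" \
        && [ $((gw & 2)) -ne 0 ]; then return 0; fi
    [ $((xw & 2)) -ne 0 ]
}

# conf_get CONF KEY -> value of "KEY=value" in a vsftpd.conf (comments ignored,
# last occurrence wins, empty if absent)
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# login_outcome CONF JAIL USER -> prints one of:
#   not-jailed  chroot_local_user is not YES (or USER is on the exception list)
#   ok          jailed and the root is not writable: the layout the answers recommend
#   relaxed     jailed, root writable, allow_writeable_chroot=YES switched the check off
#   oops        jailed, root writable, check on:
#               "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"
login_outcome() {
    conf=$1; jail=$2; user=$3
    if [ "$(conf_get "$conf" chroot_local_user)" != "YES" ]; then echo not-jailed; return; fi
    if [ "$(conf_get "$conf" chroot_list_enable)" = "YES" ]; then
        # with chroot_local_user=YES the list names the users that are NOT jailed
        list=$(conf_get "$conf" chroot_list_file)
        if [ -n "$list" ] && [ -f "$list" ] && grep -qx "$user" "$list"; then
            echo not-jailed; return
        fi
    fi
    if ! user_can_write "$jail" "$user"; then echo ok; return; fi
    if [ "$(conf_get "$conf" allow_writeable_chroot)" = "YES" ]; then echo relaxed; else echo oops; fi
}

# usage: sh jail-check.sh /etc/vsftpd.conf /srv/www/myblog mybloguser
if [ $# -eq 3 ]; then login_outcome "$1" "$2" "$3"; fi
```

Run it against the question's setup as `sh jail-check.sh /etc/vsftpd.conf /srv/www/myblog mybloguser`: a user-owned, mode-755 home as chroot root gives `oops`, which is the error in the question. Adding allow_writeable_chroot=YES turns that into `relaxed`, meaning logins work but the user can create files directly in the chroot root, the condition vsftpd's check exists to prevent. Running `make_jail /srv/www/myblog mybloguser www-data` as root and uploading into /srv/www/myblog/upload gives `ok` with no config relaxation.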

I needed to add the following to the /etc/vsftpd.conf file as well:

seccomp_sandbox=NO

AND there is no need for the custom repo!!

And uncomment the line:

write_enable=YES
Seth


chroot_local_user=YES

allow_writeable_chroot=YES

Making these changes works perfectly for me. Thanks everyone for the support.


I lost 4 hours solving the same problem. Nowhere was it written that, besides the home folder (/home/$USER), you should also close write access to the jail folder:

sudo chmod a-w /var/run/vsftpd/empty

Well, this folder may be mentioned in

/etc/vsftpd.conf


After 3 hours of googling I got vsFTPd 3 working on Ubuntu 14.04.2 LTS. The home folder /home/vimal will be visible once accessed with a client. I logged in as vimal with root privilege. I have an ftpShare folder created, but it has not much meaning.

sudo chown vimal:vimal /home/vimal/ftpShare/

some useful commands:

sudo nano /etc/vsftpd.conf
sudo service vsftpd restart
sudo apt-get purge vsftpd
netstat -a | grep ftp
tcp        0        0        *:ftp         *:*        LISTEN
ftp://12.345.23.xxx/  for browser login

Above means ftp daemon is working

I have following configuration:

seccomp_sandbox=no
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
allow_writeable_chroot=YES

Once FTP is working you may further tune it to your specific needs; some of the above have default values, but I don't remember exactly which.

Errors seen in FTP Client:

1. 500 OOPS: prctl PR_SET_SECCOMP failed

Solution.

seccomp_sandbox=no    

[add it as the very first line of vsftpd.conf, right after the initial commented section ends]

2. 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

allow_writeable_chroot=YES

I added it at the last line.


I solved the problem of vsFTPd refusing to run with a writable root inside chroot() on my Ubuntu server as follows:

I just added the below line in the vsftpd.conf file:

allow_writeable_chroot=YES
abu_bua