500 OOPS: vsftpd: refusing to run with writable root inside chroot()


Ozzy

Nov 21, 2012, 7:27:53 PM
to al...@googlegroups.com
Flashed box with 0.1RC2 and most things went well. So thank you for the efforts.

One thing I can't get running is ftp, getting this error on ftp. sftp works ok.

Tried a lot of things from the web, like on these pages:

https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon
https://www.digitalocean.com/community/articles/how-to-set-up-vsftpd-on-ubuntu-12-04

Any ideas would be nice.

Here is the config file:

syslog_enable=yes
connect_from_port_20=yes

dirmessage_enable=yes
ls_recurse_enable=yes
write_enable=yes

local_enable=yes
secure_chroot_dir=/var/run/vsftpd
nopriv_user=ftp

pasv_min_port=30000
pasv_max_port=30100

ssl_tlsv1=yes
ssl_sslv2=no
ssl_sslv3=no
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

no_anon_password=yes
allow_anon_ssl=yes
anon_mkdir_write_enable=yes
anon_other_write_enable=yes
anon_umask=0
anon_root=/mnt/md0/Public


chroot_local_user=no
anonymous_enable=no
anon_upload_enable=no
ssl_enable=no
force_local_logins_ssl=no
force_local_data_ssl=no
userlist_enable=no

Joao Cardoso

Nov 22, 2012, 9:52:09 AM

On Nov 22, 2012 12:27 AM, "Ozzy" <ozers...@gmail.com> wrote:
>
> Flashed box with 0.1RC2 and most things went well. So thank you for the efforts.
>
> One thing I can't get running is ftp, getting this error on ftp. sftp works ok.
>
> Tried a lot of things from the web, like on these pages:
>
> https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon
> https://www.digitalocean.com/community/articles/how-to-set-up-vsftpd-on-ubuntu-12-04
>
> Any ideas would be nice.

I only get this error if I enable chroot in the webgui (the Restrict Folders checkbox).

The error message is associated with the secure_chroot_dir directive, about which the vsftpd manual says:

This option should be the name of a directory which is empty. Also, the directory should not be writable by the ftp user. This directory is used as a secure chroot() jail at times vsftpd does not require filesystem access.
Default: /usr/share/empty

It seems to be incorrectly set up in Alt-F...

[Added: No, it is not Alt-F fault, it is this way by design, and has plagued many users and distributions.

As it is, if you chroot (checking the Restrict Folders checkbox in the webgui), then all users will get the error; if you don't chroot, then only the anonymous user (ftp) will get the message.

From the vsftpd official FAQ:

Q) Help! I'm getting the error message "refusing to run with writable root".
A) vsftpd is protecting against dangerous configurations. The cause of this
message is usually dodgy ownership of the ftp home directory. The home
directory should NOT be owned by the ftp user itself. Neither should it
be writable by the ftp user. A way to fix this is:
chown root ~ftp; chmod -w ~ftp
Another cause might be an attempt to use chroot_local_user without setting up
the directory ownership properly.

]


Ozzy

Nov 22, 2012, 2:31:04 PM
to al...@googlegroups.com
Restrict directories checked or unchecked, still the same issue. The error is before any user/pass commands; not even anon helps.
What is the ftp root directory here that it is looking for permissions on? /home does not exist as far as I know.

Ozzy

Joao Cardoso

Nov 23, 2012, 9:51:53 AM

On Nov 22, 2012 7:31 PM, "Ozzy" <ozers...@gmail.com> wrote:
>
> Restrict directories checked or unchecked, still the same issue. The error is before any user/pass commands; not even anon helps

You must be using a client (MS Windows?) that is using anonymous automatically (the 'ftp' user).
The 'ftp' user always exists, other users have to be created.

> What is the ftp root directory here that it is looking for permissions?

/var/run/vsftpd is created automatically.

> /home does not exisit as far as i know

It does as soon as you create a user with the webgui.

Anyway, there is a problem with the ftp user even when Restrict is not checked. Other users work fine. I have to check it.

If you have no users, you can use the 'root' user, same pass as the webgui.
To debug, use a command line client. E.g:

with "chroot_local_user=yes":

      jcard@silver:~/tmp> ftp nas
      Connected to nas.homenet.
      220 (vsFTPd 2.3.5)
      Name (nas:jcard): 
      331 Please specify the password.
      Password:
      500 OOPS: vsftpd: refusing to run with writable root inside chroot()
      ftp: Login failed.
      ftp> 
      ftp> bye

with "chroot_local_user=no":

      jcard@silver:~/tmp> ftp nas
      Connected to nas.homenet.
      220 (vsFTPd 2.3.5)
      Name (nas:jcard): 
      331 Please specify the password.
      Password:
      230 Login successful.
      Remote system type is UNIX.
      Using binary mode to transfer files.
      ftp> pwd
      257 "/mnt/md0/Users/Joao Cardoso"
      ftp> bye
      221 Goodbye.


Joao Cardoso

Nov 23, 2012, 1:43:11 PM
to al...@googlegroups.com

After a couple of hours(!) researching this, I found that the vsftpd author's deliberate decision to "refuse to run with writable root inside chroot" was contested even by Debian, which has a patch that adds the possibility of overcoming that.
With that patch, the option 'allow_writeable_chroot=yes' can be added to the vsftpd configuration file allowing regular users to have their home directory writable (by themselves only) and still allowing vsftpd to chroot(*) to it.

However, that patch still denies the ftp (anonymous/passwordless) user that capability.
Although I was able to create my own patch and also allow the anonymous user that capability, I don't feel comfortable using it in Alt-F, as I'm not a security expert. So, in the future, I will not use my patch, only the Debian one.
This means that the "Anonymous Directory" in the webgui must not be writable for the anonymous/passwordless/ftp user to be able to log in.

For those who want to enable vsftpd chroot and still have their home folders writable, you can use the vsftpd file from here, copy it to the /usr/sbin/ folder, make it executable, and add 'allow_writeable_chroot=yes' to /etc/vsftpd.conf.
Remember that the anonymous ftp user might not be able to login, depending on the "Anonymous Directory" permissions.
You must have an Alt-F package installed in order for this to survive a reboot, and, of course, "Save Settings" after changing the configuration file.

Confused? Then this is not for you ;-)

Joao

(*) chroot means that you are restricted to using only your own home/login folder, and you are not allowed to see/use other users' home folders. You are "jailed" in your home.
In the webgui you activate this feature by checking the "Restrict directories" checkbox.

Ozzy

Nov 29, 2012, 10:25:52 PM
to al...@googlegroups.com
/var/run/vsftpd

The owner of this directory is root:root, and if I change it to ftp:ftp and remove the group permission it works. But it won't keep after restart. Settings saved.

Joao Cardoso

Nov 30, 2012, 10:47:08 AM
to al...@googlegroups.com

On Friday, November 30, 2012 3:25:52 AM UTC, Ozzy wrote:
> /var/run/vsftpd
>
> The owner of this directory is root:root, and if I change it to ftp:ftp and remove the group permission it works. But it won't keep after restart. Settings saved.

That directory is created by the ftp init script, which is invoked by the inetd init script, and is not on disk, so it will not survive a reboot (or an inetd service restart).
According to the vsftpd manual,

      secure_chroot_dir
              This  option  should  be the name of a directory which is empty. Also, the directory
              should not be writable by the ftp user. This directory is used as a secure  chroot()
              jail at times vsftpd does not require filesystem access.

              Default: /usr/share/empty

It happens that the default value is also the 'ftp' home directory, as it is not supposed to write anything there, only in the anon_root (from the manual):

      anon_root
              This option represents a directory which vsftpd will try to  change  into  after  an
              anonymous login. Failure is silently ignored.

              Default: (none)

If you get this sorted out, please report back.

I was going to release a vsftpd update with the Debian "allow-writeable-root" patch, but I will wait a little bit more for your results.

Joao
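As an added example that is not code from the thread, from Alt-F or from vsftpd itself, the following POSIX shell script reproduces the test behind the "refusing to run with writable root inside chroot()" message, for both the login directory (the FAQ remedy quoted in the Nov 22 reply: chown root ~ftp; chmod -w ~ftp) and secure_chroot_dir (the manual excerpt above, which adds the requirement that the directory be empty). In vsftpd the check is an access("/", W_OK) call made after chroot() and after privileges have been dropped to the login user, so a directory owned by the user with the owner write bit set fails, a root-owned 777 directory fails, and a user-owned directory with u-w passes. The script emulates that decision from stat(1) output, so it can be run as any user without chrooting. It assumes GNU coreutils stat (Linux); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread, from vsftpd or from Alt-F.
# Emulates, without chroot()ing, the test vsftpd applies after it has
# chroot()ed into the login directory and dropped privileges to the login
# user: access("/", W_OK). If that succeeds vsftpd dies with
#   500 OOPS: vsftpd: refusing to run with writable root inside chroot()
# Assumes GNU coreutils stat(1). The helper names are hypothetical.
#
# Usage: vsftpd_chroot_check DIR UID "GID [GID ...]"
#        secure_chroot_dir_check DIR UID "GID [GID ...]"
# Both return 0 if vsftpd would accept DIR, 1 if it would refuse.

has_w() {                 # $1: one octal permission digit; is the w bit set?
    case $1 in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# Emulate access(DIR, W_OK) as seen by a process running as UID / GIDS.
vsftpd_chroot_check() {
    dir=$1 uid=$2 gids=$3
    set -- $(stat -c '%u %g %a' "$dir")         # owner uid, group gid, octal mode
    owner=$1 group=$2 mode=$3
    perm=${mode#"${mode%???}"}                  # last three digits: u g o (drop setuid/setgid/sticky)
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}

    writable=no
    if [ "$uid" -eq 0 ]; then
        writable=yes                            # uid 0 bypasses DAC: always writable
    elif [ "$uid" -eq "$owner" ]; then
        has_w "$u" && writable=yes              # the FAQ's "owned by the ftp user" case
    else
        ingroup=no
        for gid in $gids; do
            [ "$gid" -eq "$group" ] && ingroup=yes
        done
        if [ "$ingroup" = yes ]; then
            has_w "$g" && writable=yes
        else
            has_w "$o" && writable=yes
        fi
    fi

    if [ "$writable" = yes ]; then
        echo "refuse: $dir (owner $owner:$group, mode $perm) is writable by uid $uid"
        echo "fix:    chown root '$dir' && chmod a-w '$dir'  (or allow_writeable_chroot=YES on a patched vsftpd)"
        return 1
    fi
    echo "ok:     $dir (owner $owner:$group, mode $perm) is not writable by uid $uid"
    return 0
}

# secure_chroot_dir must additionally be empty: vsftpd parks the unprivileged
# process there whenever it needs no filesystem access at all.
secure_chroot_dir_check() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "refuse: $dir is not a directory"; return 1
    fi
    if [ -n "$(ls -A "$dir")" ]; then
        echo "refuse: secure_chroot_dir $dir is not empty"; return 1
    fi
    vsftpd_chroot_check "$dir" "$2" "$3"
}

# Example run against the paths from the thread (adjust to your box):
#   vsftpd_chroot_check /mnt/md0/Public "$(id -u ftp)" "$(id -G ftp)"
#   secure_chroot_dir_check /var/run/vsftpd "$(id -u ftp)" "$(id -G ftp)"
```

Run it with the uid and group list of the account that actually logs in (id -u ftp and id -G ftp for the anonymous user, or the local user's values when chroot_local_user=yes). The "fix" line it prints is the FAQ remedy; whether to instead keep the directory writable and use allow_writeable_chroot=YES is the trade-off discussed in the thread, since a writable chroot root lets the jailed user plant files such as a crafted /etc/passwd inside its own jail.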