Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()

After upgrading vsftpd to 2.3.5 you may get the following error when a local user tries to log in:

500 OOPS: vsftpd: refusing to run with writable root inside chroot ()

This is due to the following entry in the 2.3.5 changelog:

- Add stronger checks for the configuration error of running with a writeable
root directory inside a chroot(). This may bite people who carelessly turned
on chroot_local_user but such is life.

The problem is that the user's root directory (the directory vsftpd chroot()s into, normally the user's home directory when chroot_local_user=YES) is writable by that user, and 2.3.5 refuses the login in that case. The quickest fix is to remove write permission on that directory; replace the path below with the user's root:

chmod a-w /home/user

This is not a perfect solution. Anything that needs to write into the root directory itself will fail: the user can no longer upload into the top level of their home, and if the same user also has shell access, dot files such as .bash_history can no longer be updated. The cleaner layout is to keep the chroot root read-only and put the writable content in a subdirectory below it.

A commenter, Dmitriy, has suggested three other ways around this (see his comment below): set local_root to the parent directory so that vsftpd chroots there instead of into the writable home, set passwd_chroot_enable=YES and mark the chroot point with /./ in the home field of /etc/passwd, or build vsftpd-ext and set allow_writable_root=YES. Note that the last option (and allow_writeable_chroot=YES, which upstream vsftpd added in 3.0.0 for the same purpose) simply disables the check, so it trades the protection away rather than fixing the directory layout.
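The read-only-root layout described above, as an added example that is not code from the original post or from vsftpd. It creates a root-owned chroot root with mode 755, a user-owned upload directory inside it, and checks the root the way vsftpd 2.3.5 does (would this user be able to write into it?). The ROOT and ROOT/upload paths, the function names and the sample path /srv/ftp/alice are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from vsftpd. It lays out
# a chroot root that the 2.3.5 check accepts without removing write access
# from the user's real home directory: the chroot root is owned by root with
# mode 755, and uploads go into a user-owned subdirectory below it.
# The layout (ROOT and ROOT/upload) is an assumption for illustration.
set -u

# check_chroot_root DIR USER
# Returns 0 if DIR's mode bits give USER no write access (vsftpd accepts it
# as a chroot root) and 1 if they do (vsftpd refuses the login with
# "500 OOPS: vsftpd: refusing to run with writable root inside chroot ()").
# It looks at the mode bits instead of calling access(2), so it gives the
# same answer whether it is run as root or as an ordinary user.
check_chroot_root() {
  dir=$1; user=$2
  # "ls -ldn" prints e.g. "drwxr-xr-x 2 0 0 4096 Jan  1 00:00 /srv/ftp/alice":
  # field 1 is the mode string, field 3 the owner uid, field 4 the group gid.
  set -- $(ls -ldn "$dir")
  mode=$1; owner_uid=$3; group_gid=$4
  uid=$(id -u "$user")
  # owner write bit (3rd character) counts only if USER owns the directory
  case $mode in ??w*)
    if [ "$owner_uid" = "$uid" ]; then return 1; fi ;;
  esac
  # group write bit (6th character) counts if USER is in the directory's group
  case $mode in ?????w*)
    for g in $(id -G "$user"); do
      if [ "$g" = "$group_gid" ]; then return 1; fi
    done ;;
  esac
  # other write bit (9th character) counts for everyone
  case $mode in ????????w*) return 1 ;; esac
  return 0
}

# setup_chroot_root ROOT USER
# Creates ROOT (root-owned, 755) with a USER-owned upload directory inside,
# then verifies that ROOT passes the check. Needs root for the chown.
# Point vsftpd at ROOT afterwards (with local_root=, or by making ROOT the
# user's home directory in /etc/passwd).
setup_chroot_root() {
  root=$1; user=$2
  mkdir -p "$root/upload"
  chown root "$root"             # root, not the FTP user, owns the chroot root
  chmod 755 "$root"              # readable by all, writable only by root
  chown "$user" "$root/upload"   # the user writes here, one level below the root
  chmod 755 "$root/upload"
  check_chroot_root "$root" "$user"
}

# Usage (as root): sh chroot-root.sh /srv/ftp/alice alice
if [ $# -eq 2 ]; then
  if [ "$(id -u)" -ne 0 ]; then
    echo "run as root to chown the chroot root" >&2
    exit 1
  fi
  if setup_chroot_root "$1" "$2"; then
    echo "ok: $1 is an acceptable chroot root for $2; uploads go to $1/upload"
  else
    echo "refused: $1 is still writable by $2" >&2
    exit 1
  fi
fi
```

With this layout the user keeps a normal, writable home directory for shell use, while the directory vsftpd chroots into is not theirs to write to; they upload into the subdirectory, which is the arrangement comments 2 and 15 below describe. check_chroot_root can also be run on its own against an existing home directory to see in advance whether 2.3.5 will refuse the login.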

Posted in Linux. Tagged 500 oops, chroot, vsftpd.

19 Comments

  1. This solution will then prevent the user from uploading any files, since they won't have write access to the directory. How do you solve it if the purpose of the FTP access is to allow uploading of files?

  2. It will only prevent uploading files to the user's root directory, not to any sub-directories. I didn't have this issue as I don't write to the root directory but instead have various sub-directories for each website.

    I’m going to assume that this is the only way of working around this unless you compile from source and remove that part of the update yourself.

  3. Thanks. Seems strange to require that a person CD into a subdirectory in order to upload files. I tried setting local_root to something other than the user’s home directory — but that still creates the same error — because after the FTP connection is established it does a chroot() to that new directory. Seems like vsftpd works hard to require a person to explicitly CD into a subdirectory before uploading files. Is this some new FTP security best practice? Or just a vsftpd oddity? I haven’t tried it, but I’m guessing “virtual users” will have the same issue…

  4. The official reason was for security: “disallow login with writable root directory because of possible glibc vulnerabilities”.

    I was looking on the Arch Linux forums and I came across a workaround, I'm not sure if this exists on other distributions though:
    https://bbs.archlinux.org/viewtopic.php?pid=1038842#p1038842

  5. I tested this and sure, it works.
    But if your users are also allowed to SSH in or otherwise use tools that write files to the root of the user's home directory, that will fail.
    Like updating the history of bash/vi commands etc., in files like these:
    .bash_history
    .bash_logout
    .bash_profile
    .bashrc
    .viminfo

  6. The only way to get around it currently is to compile vsftpd yourself, unless somebody can come up with a better option because I can’t think of one at the moment.

  7. Hello, add this option to the config file /etc/vsftpd/vsftpd.conf:

    allow_writable_root=YES

  8. You can choose one of 3 ways:
    1. Define the option local_root= in the configuration file. It must be /home or another path to the directory containing the users' folders.
    This way vsftpd chroots to the /home directory.

    2. Define the option passwd_chroot_enable=yes in the configuration file and change the user's home directory in /etc/passwd from «/home/user» to «/home/./user» (without quotes).
    This way vsftpd chroots to the /home directory.

    3. Download the sources of vsftpd-ext, compile and overwrite the existing vsftpd binaries (or take it from the repositories), and add the option allow_writable_root=yes to the configuration file.

  9. Thanks Dmitriy, I’ve added a comment in the post about your solutions.

  10. Very sad behavior of the new vsftpd version, makes it basically unusable because /home/$user directories without write rights for the user are a joke. Defeats the entire purpose of allowing ftp access to the home directories :-(

  11. In FreeBSD from ports the 3rd method, vsftpd-ext with allow_writable_root=yes, is not working!

  12. yes, 2.3.5.1

    vsftpd started with inetd:
    ftp stream tcp nowait root /usr/local/libexec/vsftpd vsftpd

    config:
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    listen_port=21
    local_umask=022
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_file=/var/log/vsftpd.log
    xferlog_std_format=YES
    hide_file={/mail}.
    secure_chroot_dir=/usr/local/share/vsftpd/empty
    max_clients=200
    max_per_ip=100
    chroot_local_user=YES
    text_userdb_names=YES
    force_dot_files=YES
    listen_address=xxx.xxx.xxx.xxx (my IP address)
    allow_writable_root=YES

  13. Oh. I agree with Gerald, very sad behaviour, I can't configure my ftp server in a proper way, it's terrible.

  14. mikel: can't you add this directive to your conf instead of using "allow_writeable_root"?
    local_root=/home
    Or one of the other options posted by dmitriy?

  15. Massimo Lusetti

    The only thing you have to do is treat the user's home as the user's home and put everything inside a dedicated directory, like public_html used to do.

    BTW, FreeBSD works like a charm.

    Cheers
