Unfortunately, Ubuntu 12.04 LTS has vsftpd (a very famous FTP server) in version 2.3.5 as the latest one, which is affected by the well-known problem of refusing user logins and throwing the
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
error when using the default vsftpd configuration (including a must-have
There are a few ways of working around this problem, and most of them are discussed in this post.
Why do we have this problem?
Some say that this is due to vsftpd developers having burning pants and adding more security than we actually need. I found some sources claiming that vsftpd-2.3.5 disallows login with a writable root directory because of possible
I don’t know which is true, but I would rather accept the first answer. You may find traces in the 2.3.5 log which suggest that the developers understood this change would affect many, might make their lives harder and piss them off a little bit. Plus: the allow_writable_root=YES flag was added to version 3.0.0, after the large amount of criticism received upon the 2.3.5 release.
Ubuntu adds a little bit to this problem, as version 12.04 LTS even today has vsftpd 2.3.5 as the newest one, though it is over one and a half years since that one was released. So, executing sudo apt-get upgrade vsftpd won’t bring you the newer 3.0.0 version, and you have to upgrade it manually.
Since 2.3.5 is quite old, you should upgrade it even if you’re not affected by the issue discussed in this article.
The easiest way to solve the “500 OOPS: vsftpd: refusing to run with writable root inside chroot()” issue is to upgrade vsftpd to version 3.0.0 or newer, which includes
Setting it to YES solves this problem.
Unfortunately, even as of writing this (mid June 2013), Ubuntu 12.04 LTS has version 2.3.5 set as the newest one, so you have to update it manually.
A solution on how to do this is given in the “VSFTPd stopped working after update” AskUbuntu question.
You should only note that the link provided there for the wget parameter is dead, probably because version 3.0.2-3 is now out. Anyone facing this problem should visit this site to get the correct link. The above-mentioned link is for the 64-bit platform. To find links for this package for other platforms, for example 32-bit, go to this page and scroll down to the Download vsftpd section.
There are other things you may consider if the above doesn’t suit you. Some of them are dangerous or even very dangerous and may easily harm your system, so think twice about what you’re doing.
- Downgrade to any version prior to 2.3.5, which doesn’t contain the extra security checks, when using
vsftpd away and use vsftpd-ext, which contains the allow_writable_root option in every version. But this package has not been maintained for a long time, so using it may be considered a security issue. More on vsftpd-ext can be found here.
- Take away write permission from the top (home) folder with chmod a-w /home/ftpuser, create subdirectories with write access and allow users to use only the subdirectories. More here. This, however, worked for me only for users’ home dirs and failed when I wanted to do the same with webserver paths (that is, remove write access from /var/www, create a subdir for each domain, and allow users to write only in these subdirs).
- Use one of the hacks presented in this comment to force version 2.3.5 to work the way you expect it to work. I found some sources saying that this isn’t the best solution, and I don’t use it either.
- Some of the solutions discussed in Ubuntu Help on chrooting only certain users.
- If you really, really trust all your users or you’ll be the only one using this FTP server, you may consider setting chroot_local_user=NO. This will give any user access to every file and folder on your server. You understand the consequences, right?
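The chmod a-w /home/ftpuser workaround from the list above, written as a repeatable script that also verifies the result. This is an added example, not code from the original post; the function names, the upload subdirectory and the mode-bit check are assumptions of the example, not vsftpd's own test.

```shell
#!/bin/sh
# Added example: lock a chroot root and keep one writable subdirectory.

# has_write_bit DIR: succeeds if DIR has a user, group or other write bit.
# The mode string from ls is parsed instead of using `test -w`, because
# `test -w` is always true when the script runs as root.
has_write_bit() {
    [ -d "$1" ] || return 2
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        d?w???????|d????w????|d???????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# lock_chroot_root ROOT SUBDIR [OWNER]
# Creates ROOT/SUBDIR as the only writable place, then strips every write
# bit from ROOT itself (the `chmod a-w` step from the post).
lock_chroot_root() {
    root=$1 sub=$2 owner=${3:-}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # SUBDIR must be a single path component so it cannot escape ROOT.
    case "$sub" in
        ''|.|..|*/*) echo "invalid subdirectory name: $sub" >&2; return 1 ;;
    esac
    # Create the subdirectory first: once ROOT is read-only, a non-root
    # caller can no longer create entries in it.
    mkdir -p -- "$root/$sub" || return 1
    chmod u+rwx -- "$root/$sub" || return 1
    if [ -n "$owner" ]; then
        chown -- "$owner" "$root/$sub" || return 1   # requires root
    fi
    chmod a-w -- "$root" || return 1
    # Verify the outcome instead of trusting the chmod calls.
    ! has_write_bit "$root" && has_write_bit "$root/$sub"
}

# audit_chroot_roots DIR...
# Prints every DIR that still has a write bit; returns 1 if any was found.
audit_chroot_roots() {
    rc=0
    for d in "$@"; do
        if has_write_bit "$d"; then echo "writable chroot root: $d"; rc=1; fi
    done
    return $rc
}
# Usage (hypothetical paths): lock_chroot_root /home/ftpuser upload ftpuser
```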
Of course — again — you’re highly advised to update to version 3.0 instead of using any of the above tricks, and use
If you’re installing an FTP server for the first time, you may also consider reading [this](Installing and configuring FTP server on Ubuntu 12.04 and adding users) post, a guide which presents a step-by-step approach to adding FTP users with access to only a folder in the WWW root directory, with no access to the home directory or other parts of the server and with no SSH access to the server.