Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

Unfortunately, the latest vsftpd (a very popular FTP server) available for Ubuntu 12.04 LTS is version 2.3.5, which is affected by a well-known problem: when using the default vsftpd configuration (including the must-have chroot_local_user=YES setting), users cannot log in and get this error:

500 OOPS: vsftpd: refusing to run with writable root inside chroot()

There are a few ways of working around this problem, and most of them are discussed in this post.

Why do we have this problem?

Some say this is because the vsftpd developers got overzealous and added more security than we actually need. I found some sources claiming that vsftpd 2.3.5 disallows login with a writable root directory because of possible glibc vulnerabilities: a user who can write to the root of the chroot can create files there that library code running inside the jail might then trust.

I don't know which is true, but I would rather accept the first answer. You can find traces in the 2.3.5 changelog suggesting that the developers understood this change would affect many people, make their lives harder and piss them off a little bit. Plus, the allow_writeable_chroot=YES flag was added in version 3.0.0, after the large amount of criticism received following the 2.3.5 release.

Ubuntu adds a little to this problem, as 12.04 LTS even today has vsftpd 2.3.5 as the newest version, though it has been over a year and a half since that one was released. So executing sudo apt-get upgrade vsftpd won't bring you the newer 3.0.0 version, and you have to upgrade manually.

Since 2.3.5 is quite old, you should upgrade even if you're not affected by the issue discussed in this article.

Solution

The easiest way to solve the “500 OOPS: vsftpd: refusing to run with writable root inside chroot()” issue is to upgrade vsftpd to version 3.0.0 or newer, which includes the allow_writeable_chroot flag.

Setting it to YES solves this problem.

Unfortunately, even as of writing this (mid June 2013), Ubuntu 12.04 LTS has version 2.3.5 as the newest one, so you have to update it manually.

How to do this is explained in the AskUbuntu question “VSFTPd stopped working after update”.

Note only that the link given there as the wget parameter is dead, probably because version 3.0.2-3 is now out. Anyone facing this problem should visit this site to get the correct link. The above-mentioned link is for the 64-bit platform. To find links to this package for other platforms, for example 32-bit, go to this page and scroll down to the Download vsftpd section.

Other options

There are other things you may consider if the above doesn't suit you. Some of them are dangerous or even very dangerous and may easily harm your system, so think twice about what you're doing.

You may:

  1. Downgrade to any version prior to 2.3.5, which doesn't contain the extra security checks applied when using chroot_local_user=YES.
  2. Throw vsftpd away and use vsftpd-ext, which contains the allow_writable_chroot option in every version. But this package has not been maintained for a long time, so using it may be considered a security issue. More on vsftpd-ext can be found here.
  3. Take away write permission from the top (home) folder with chmod a-w /home/ftpuser, create subdirectories with write access and allow users to use only the subdirectories. More here. This, however, worked for me only for users' home dirs and failed when I wanted to do the same with webserver paths (that is, remove write access from /var/www, create a subdir for each domain, and allow users to write only in these subdirs).
  4. Use one of the hacks presented in this comment to force version 2.3.5 to work the way you expect it to. I found some sources saying that this isn't the best solution, and I don't use it either.
  5. Use some of the solutions discussed in Ubuntu Help on chrooting only certain users.
  6. If you really, really trust all your users, or you'll be the only one using this FTP server, you may consider setting chroot_local_user=NO. This will give any user access to every file and folder on your server. You understand the consequences, right?

Of course, again, you're highly advised to update to version 3.0 and use the allow_writeable_chroot=YES flag instead of any of the above tricks.
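The layout from option 3, plus a check that finds chroot roots which would still be refused, as an added example that is not part of the original post. The function names are hypothetical, and the mode-bit test only approximates vsftpd's own writable-root check.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Exit 0 if any write bit is set on directory $1. Mode bits are read from
# `ls -ld` because `[ -w ]` is always true when run as root.
root_is_writable() {
    case "$(ls -ld "$1" | cut -c2-10)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Option 3: $1 = chroot root (the user's home), $2 = writable subdirectory.
# The subdirectory must be created before write access is removed from $1.
prepare_jail() {
    mkdir -p "$1/$2" || return 1
    chmod a-w "$1" || return 1
    chmod u+rwx "$1/$2" || return 1
    # On a real server also run: chown ftpuser "$1/$2" (needs root).
}

# Print every directory that would still be refused at login.
# $1 = vsftpd.conf path, remaining arguments = chroot roots to check.
audit_jails() {
    conf=$1
    shift
    # Only configurations with chroot_local_user=YES are audited.
    grep -q '^chroot_local_user=YES' "$conf" || return 0
    # vsftpd 3.0.0+ skips the refusal when this option is set.
    if grep -q '^allow_writeable_chroot=YES' "$conf"; then
        return 0
    fi
    for d in "$@"; do
        if root_is_writable "$d"; then
            echo "$d"
        fi
    done
}

# Usage: sh jail.sh /etc/vsftpd.conf /home/ftpuser ...
if [ "$#" -ge 2 ]; then
    audit_jails "$@"
fi
```

Empty output from audit_jails means every listed root is either non-writable or covered by allow_writeable_chroot=YES.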

Foreword

If you’re installing an FTP server for the first time, you may also consider reading the post “Installing and configuring FTP server on Ubuntu 12.04 and adding users”, a guide which presents a step-by-step approach to adding FTP users with access to only a folder in the WWW root directory, no access to the home directory or other parts of the server, and no SSH access to the server.
