So far I have been unable to keep an FTP user jailed to their website directory. Is there a solution that both fixes this bug and keeps the user jailed to their directory?
My vsFTPd settings that I changed:
listen_port=9000
Set: anonymous_enable=NO
Uncomment: local_enable=YES
Uncomment: write_enable=YES
Uncomment: local_umask=022
Set: connect_from_port_20=NO
Uncomment: idle_session_timeout=600
Uncomment: data_connection_timeout=120
Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104]
Added: banner_file=/etc/issue.net
Uncomment: chroot_local_user=YES
Uncomment: chroot_local_user=YES
Uncomment: chroot_list_enable=YES
Uncomment : chroot_list_file=/etc/vsftpd.chroot_listAt the end of the file I added:
# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
# Connection limit for each IP address:
max_per_ip=10
# Maximum number of clients:
max_clients=5
# FTP Passive Settings
pasv_enable=YES
#If your listen_port is 9000 set this range to 7500 and 8500
pasv_min_port=[port range min]
pasv_max_port=[port range max]The user in question, mybloguser, is jailed to her/his website directory under /srv/www/myblog and this user is not part of the nano /etc/vsftpd.chroot_list file. The user’s home directory is also /srv/www/myblog which used to work in the past.
I tried the allow_writeable_chroot=YES solution which did not work, and actually broke vsFTPd completely.
I have tried:
Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()
Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot() on vsftpd
How can we both fix this error and keep the user jailed to their home directory?
09 Answers
For VSFTPD 3,
- Go to:
/etc/vsftpd.conf and add this:
allow_writeable_chroot=YESJust add it if it does not exist yet.
Restart the vsftpd service:
service vsftpd restart
And it should work.
5The real solution of this problem: the home folder of the user should not be writable only readable.
So, if user site is in the folder is cat/, folder cat must have chmod 555 and all will be OK.
After further review of this post, in the comments a package was posted that fixed my issue. You can search for it by either my name or "Marks" Documentation: . Here are my details of how I fixed this further.
USERS ARE STILL JAILED TO THEIR HOME DIRECTORIES!!!
# ------------------------------------------------------------------------------
# SETUP FTP USERS --------------------------------------------------------------
# ------------------------------------------------------------------------------
# create the ftp users and lock them to the website directories
useradd -d /srv/www/[website/appname] -m [ftp user name]
# set the ftp account passwords
passwd [ftp user name]
# add the ftp users to the www-data user/group
adduser [ftp user name] www-data
# BUG FIX: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
sudo add-apt-repository ppa:thefrontiergroup/vsftpd
sudo apt-get update
sudo apt-get install vsftpd
# Edit the vsftpd.conf and append this setting to the end of the file to keep users' jailed!
nano /etc/vsftpd.conf
# add all of the text between the starting [[ and ending ]]
# [[
# Keep non-chroot listed users jailed
allow_writeable_chroot=YES
# ]]
# restart the service for changes to take effect
sudo service vsftpd restart
#test ftp via secondary terminal window:
ftp [ftp user name]@[server ipaddress] [ftp port] 9 According to the previous answer "The REAL solution of this problem: the home folder of the user should not be writable only read.". The general thinking is right, but with a wrong realization.
Below I'll try to give a simple example:
For a start, we need to build a topology of the user directory:
/home (ro) |-someuser (rw,700) |-ftp_upload (ro,555) - ch_rooting here, required read-only by vsftpd :( |-temp (rw,755) |-in_box (rw,755) |-out_box (rw,755)
vsftpd.conf cut:
# Enable chrooting chroot_local_user=YES # chroot all users except listened inside chroot_list chroot_list_enable=YES # Exception list. Ideally, it should be blank ;) chroot_list_file=/etc/vsftpd/chroot_list # Map ftp root directory to specific directory local_root=/home/someuser/ftp
This configuration works great with a single-user configuration. For multi-user, the "user_config_dir" directive should be used additionally.
**UPDATE 20/09
------**
Here is tricky workaround, not best idea to use, but.... If u need writable ftp root folder, just insert permission change commands in pre-start and post-start commands.
Pre-start - change permissions to read-only, which the server requires (:
Start server
Post-start - change permission to read-write, or which you need.
It's pretty much what toastboy70 mentioned. Make ftp-root dir chown'd to ftp.ftp and non-writable (/etc/vsftpd.conf): anon_root=/srv/ftp
Then make a writable child dir: /srv/ftp/upload
The simple fix is to do as the error message suggests: make the root non-writable and then if you need to enable uploads, make a subdirectory which does have write permission. No config changes necessary.
I needed to add the following to the /etc/vsftpd.conf file as well:
seccomp_sandbox=NOAND no need for the custom repo!!
And uncomment the line:
write_enable=YES After 3 hours of googling I got on Ubuntu 14.04.2 LTS VSFTPd 3 working. The home folder will be visible /home/vimal once accessed with a client. I have logged in with vimal with root privilege. I have ftpShare folder created, but has not much meaning.
sudo chown vimal:vimal /home/vimal/ftpShare/some useful commands:
sudo nano /etc/vsftpd.conf
sudo service vsftpd restart
sudo apt-get purge vsftpd
netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN
ftp:// for browser loginAbove means ftp daemon is working
I have following configuration:
seccomp_sandbox=no
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
allow_writeable_chroot=YESOnce FTP working you may further tune it to specific needs, some of above have default values, but i don't remember exactly.
Errors seen in FTP Client:
1. 500 OOPS: prctl PR_SET_SECCOMP failed
Solution.
seccomp_sandbox=no [add it on the very first line vsftpd.conf, after initial commented section ends]
2. 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
allow_writeable_chroot=YESI added it at the last line.
I solved the problem of vsFTPd refusing to run with a writable root inside chroot() on my Ubuntu server as follows:
I just added the below line in the vsftpd.conf file:
allow_writeable_chroot=YES