vsftpd: refusing to run with writable root inside chroot() - fix not working

I cannot fully connect to my ftp server. I get the login prompt in the browser, login as anonymous, then I get the error. Logging in from a terminal looks like this:

russ@behne:~> ftp behne.ddns.net
Connected to behne.ddns.net (112.208.203.161).
220-Welcome to openSUSE Leap 42.2 - Kernel %r (%t).
220 
331 Please specify the password.
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
421 Service not available, remote server has closed connection
ftp>

Error message:
vsftpd: refusing to run with writable root inside chroot()

Fix I’ve tried:
I tried the allow_writeable_chroot=YES solution which did not work. (Yes, I restarted the server with systemctl restart vsftpd) There was no effect, as though either the setting allow_writeable_chroot=YES in the config file is being ignored, or the config file in its entirety isn’t being read on restart.

I do not want to try the other suggested fix of removing all writable bits from the user’s home directories, as I understand that there are undesirable side effects from doing that. I’d much rather fix this one.

Does anyone know what to do, what to test, and how to fix this?

First,

You probably need to describe in detail how you set up your chroot… exactly what is in it, if any part of it uses bind mountings and most importantly what you did to secure it (because by default chroots are widely known not to be secure by default).

Related,
You should also know that since we have had systemd there are other options that are considered far better to implement what has traditionally been placed in a chroot… Generally, Linux Containers can provide the secure isolation that would restrict access to, and if compromised restrict access out of the specified file tree. Docker and LXC are both mature solutions that use Linux Containers and although I haven’t looked closely probably systemd-nspawn can satisfy your objectives as well. Linux Containers can be implemented with a full application running on a full OS, or a stub of an OS…

TSU

Actually, I don’t recall setting up any chroot at all. I just installed vsftpd and immediately got this problem. All I need is a working ftp server where anonymous can upload only to the upload directory, and download from everywhere else except the upload directory.

I’m willing to uninstall vsftpd and reinstall any ftp server from scratch if I could get some guidance in how to get it working right.

I looked in the Yast ftp tool and saw that the setting for chroot was enabled there. I wasn’t aware of that before. Unselecting it made no difference.

Okay, taking my own advice, I uninstalled it all. Then I used the Yast ftp tool again, and it gave me a choice of two FTP servers, so I selected vsftpd again, it installed complete with a new config file.
This time I made sure that the chroot box was unselected. I enabled and started vsftpd using systemctl, and tried to connect again. Same error message.
I then added the line “allow_writeable_chroot=YES” to /etc/vsftpd.conf, restarted the server and - no joy. Same problem.

So this time I’m pretty sure I didn’t unknowingly set up any chroot anything.

I gave up and tried pure-ftpd, it didn’t work, and I don’t care for it, so I uninstalled that too, and installed proftpd.

I actually prefer proftpd, but am having problems with it too! Using ftp from a terminal I get logged in as anonymous, the help command works, but ls hangs the server until it times out. Using a browser to connect to the server just hangs with a blank page.

What’s causing this?

Try it yourself: ftp://behne.ddns.net

Clicked on it and got a formatted version of an index page:

Index van ftp://behne.ddns.net/

with eleven entries below it.
One of them is a welcome message:


____         ___   ____       _                
|  _ \ _   _ / _ \ | __ )  ___| |__  _ __   ___ 
| |_) | | | | |/ / |  _ \ / _ \ '_ \| '_ \ / _ \
|  _ <| |_| | |\ \ | |_) |  __/ | | | | | |  __/
|_| \_\\__,_| ||_/ |____/ \___|_| |_|_| |_|\___|
            |_|                                
Greetings and salutations! You are currently logged in as %U. 
It's now %T here in the Phillipines.
  This is my public FTP server. Feel free to wander around and download any 
files you're interested in. 
  If you're looking for ebooks go to http://behne.ddns.net:8787 and you'll 
likely find something interesting. I just ask one thing: please donate ebooks 
which I don't already have by putting them into the "upload" directory. I 
prefer how-to books and those having to do with alternate technology, 
survival, and self-sufficiency.
  Please do not upload Microsoft programs or other executables here, they 
will simply be deleted.
  The file "ls-lR.lst" contains a listing of all files currently available on 
this site. To reduce loading on the server please download it to find what you 
may need before trying to browse around aimlessly. ls-lR.lst is automatically 
updated every hour.

Enjoy!
Ruß (Russ), rwbehne1@gmail.com
-----------------------------------------------------------------------------
Your host %R has been logged.
There are currently %N user(s) out of %M allowed at a time.
Current path: %C  Free space in this partition: %F
-----------------------------------------------------------------------------


I’ll take a look at this when I have some time but in the meantime…

  • Over the years, the YAST FTP module hasn’t always worked for vsftpd. When that has happened, IIRC I chose pure-ftpd instead
  • Unless things have changed, the YAST FTP module like many other modules will not install anything for you, you have to install all necessary packages on your own. So, for instance just because you might choose pure-ftpd in the FTP Server module, that will not install the pure-ftpd application, you have to do that on your own.
  • I don’t remember the last time I might have checked enabling root “write” in a chroot (largely for the reasons I described above) so would generally not expect that setting up the chroot is automatically done for you.

TSU

I’m not sure what you mean. Did you type in **ls** at the command prompt and get a directory listing? When I do it responds with:

200 PORT command successful

…and then it just hangs there doing nothing, giving no directory listing, until it times out.

Or did you only use a browser? When I use a browser to connect I only get a blank screen, and it just hangs there indefinitely - no welcome.txt is displayed, nothing. Just a blank screen.

Did you try from a terminal? Type in ftp behne.ddns.net at the command prompt and see if it connects that way. It probably will, (it does for me,) but does ls work for you? It still isn’t working for me:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
200 PORT command successful
425 Unable to build data connection: Connection timed out
ftp>

Well, as said, I clicked on it. And as I was using Firefox reading the thread, Firefox switched to it, showing the (locally in the browser) indexed page. Not blank like you seem to get.

But I assume you want me to use ftp:

henk@boven:~> ftp behne.ddns.net
Connected to behne.ddns.net.
220 FTP server ready
Name (behne.ddns.net:henk): 
331 Password required for henk
Password:

Any other things you want me to do?

Since it wouldn’t take much for me to run a little test, I decided to set up vsftpd on a 42.2 using the YAST FTP Server module.

Started with a pretty ordinary 42.2 I use for testing. A few extra things are already installed, but nothing related to FTP.

Installed

zypper in vsftpd yast2-ftp-server

Immediately opened YAST > Network Services > FTP Server

Configured
Startup

  • When booting
  • There is no option for ProFTP, and I only have vsftpd installed

General

  • Modified Welcome page (The default is a bug. Any experienced FTP Admin will know that if the Greeting Welcomes Users, then it legally allows hackers to hack. The warning should clearly welcome legitimate Users but say illegitimate use is unwelcome).
  • At first selected “Chroot Everyone” but that req setting FTP permissions manually so DO NOT CHECK the box to chroot
  • For Testing, did not set an FTP directory for Authenticated Users, so interestingly the $HOME directory becomes the FTP directory. Recommend setting to /srv/ftp but may require setting appropriate file permissions.

Authentication

  • Set to “Both”
  • Enabled Upload (but not Anonymous which can be dangerous)

Expert Mode

  • Enabled Passive Mode (Actually there is no such thing. Should be called PASV mode)
  • Checked box to Open Port in Firewall

After setting the above, went back to the Startup section and hit the button “Save Settings and Restart FTP Now” and then the “Finish” button that again saves settings and closes the FTP server module.

Tested connecting from another machine. Interestingly, I found that the default console FTP client in openSUSE has deprecated a number of standard commands like “push” and “pull” and “ftp://” is no longer supported. Instead, the following in a console

ftp *user@address*

And then, you’re successfully logged in!
I performed a test “mkdir” and uploaded a test file, I also found that “cd” works (which ordinarily shouldn’t). So, all in all it looks like there are substantial changes in the LEAP FTP client which makes it much easier to use than what has existed for many years, but as I also mentioned… It also looks like some of the original and standard commands have been removed in favor of “more contemporary” commands.

I do recommend the modifications I described, and will be submitting bug reports so they shouldn’t need to be modified manually in the future (assuming modification suggestions are accepted).

And, although the YAST FTP Server module won’t support complex configurations, it’s still pretty darn good for getting an FTP server up and running within a few minutes, absolutely far less time than the usual manual configurations.

TSU

Your desired configuration is unusual.
Ordinarily, access is configured similar to how the YAST module configures…

A User is assigned a directory for their own use.
The User is then generally granted download rights, and optionally upload rights.

Instead of what you’re requesting which could be complicated (and therefore subject to error)
Every User should know that they can log in to the FTP server 2 ways, either as Anonymous or using their own User account.
When they log in as Anonymous, it’s a commonly shared area, where any file they upload is accessible to all.
When they log in as their own User name, then they are able to upload and download files only they can see and no one else (except root).

Note also…
Although an FTP application normally maintains its own database of FTP Users, the YAST FTP Server module apparently does not set up FTP Users this way, instead regular System Users are set up as FTP Users.

Of course, this is normally undesirable, after all no one wants ordinary Users to be able to log locally on a Server.
So, although untested I’d recommend seeing if you can go in to the YAST > Users and Security > Users and uncheck the box that grants the ability to interactively login. Hopefully, that should disable local logins but still allow FTP logins (This might not work). In fact, if this doesn’t work, then I’d say that a High Priority bug should be submitted that describes this problem, and that the FTP User role should be dis-associated from ordinary Users since it’s more often than not a bad idea.

If the above doesn’t work, then I’m sure that the FTP server can be set up properly simply by following the offline documentation that’s always installed locally… The docs should be at the following location and include numerous configuration examples

/usr/share/doc/packages/vsftpd/

Note that if you installed any other FTP server, especially any not supported by the YAST FTP server module like ProFTP should be set up using documentation from the same file location above.

TSU

So you know why your re-install isn’t working…

You should know that when a package is uninstalled, by default configuration files are generally left behind.
This means that when you re-installed, you were still using the mis-configuration you created earlier.
So, you may have <thought> you were starting anew with a new, default config file but unless you did the following you actually didn’t.

To address this, there are two approaches…

  1. Method I **don’t** usually recommend, but may be necessary
    Identify the contents of the package before uninstalling, and make sure everything is removed… Yes, check every individual file… before re-installing. To view a package’s contents, run the following
rpm -ql *packagename*
  2. Method I **do** recommend which should work almost always
    Do a “force re-install” which will re-install every file, over-writing anything that might already exist. Normally, this should return everything including configuration files to their default
zypper in -f *packagename*

The above will not affect any data files generated by the installation, which may also have to be identified and removed manually.

Also, note that when installing an FTP server you have a major decision whether to use the YAST FTP Server module or not.
If you use it, you shouldn’t be editing the config files or file system permissions manually.
But, as I noted the YAST FTP Server module won’t necessarily give you what you want, which would then mean you should not use YAST (I’d personally recommend not installing or uninstalling to avoid any confusion) and <only> follow the documentation I pointed out to you which over the years I’ve found to be very good.

TSU

Okay, let’s regroup.

**1.** Others report that it works for them, that they don’t see what I’m seeing.

**2.** I’m still having problems. Since other people claim that they get a listing, AND since I have exactly the same problem here no matter which ftp server is installed…

  • I gave up on vsftpd because it keeps giving the “vsftpd: refusing to run with writable root inside chroot()” error no matter what I do.
  • Tried and gave up on pure-ftpd because it has all these symptoms except the chroot nonsense. (…and it is NONSENSE since I’m not using chroot!)
  • And now have proftpd installed with the same exact symptoms.

**3.** I switched browsers from firefox to Konqueror to see what would happen, and am still getting a blank screen, but with Konqueror it asked me for a “passphrase” (No, passphrase, not password.)

**4.** Then I tried using lynx, and got this (after a long delay):

russ@behne:~> lynx ftp://behne.ddns.net
Looking up behne.ddns.net
Making FTP connection to behne.ddns.net
Looking up 112.208.154.140:40273
Making FTP data connection to 112.208.154.140:40273
Looking up behne.ddns.net
Making FTP connection to behne.ddns.net
Can't Access `ftp://behne.ddns.net/'
Alert!: Unable to access document.
lynx: Can't access startfile 
russ@behne:~>

(Text entered by me are in blue.)

**5.** Using ftp from the command line proceeds like this:

russ@behne:~> ftp behne.ddns.net       
Connected to behne.ddns.net (112.208.154.140).
220 FTP server ready
331 Anonymous login ok, send your complete email address as your password
230-  
  ____         ___   ____       _                
 |  _ \ _   _ / _ \ | __ )  ___| |__  _ __   ___ 
 | |_) | | | | |/ / |  _ \ / _ \ '_ \| '_ \ / _ \
 |  _ <| |_| | |\ \ | |_) |  __/ | | | | | |  __/
 |_| \_\\__,_| ||_/ |____/ \___|_| |_|_| |_|\___|
             |_|                                
 Greetings and salutations! You are currently logged in as anonymous. 
 It's now Tue Dec 27 10:23:29 2016 here in the Phillipines.
   This is my public FTP server. Feel free to wander around and download any 
 files you're interested in. 
   If you're looking for ebooks go to http://behne.ddns.net:library and you'll 
 likely find something interesting. I just ask one thing: please donate ebooks 
 which I don't already have by putting them into the "upload" directory. I 
 prefer how-to books and those having to do with alternate technology, 
 survival, and self-sufficiency.
   Please do not upload Microsoft programs or other executables here, they 
 will simply be deleted.
   The file "ls-lR.lst" contains a listing of all files currently available on 
 this site. To reduce loading on the server please download it to find what you 
 may need before trying to browse around aimlessly. ls-lR.lst is automatically 
 updated every hour.
 
 Enjoy!
 Ruß (Russ), rwbehne1@gmail.com
 -----------------------------------------------------------------------------
 Your host 112.208.154.140 has been logged.
 There are currently 1 user(s) out of 10 allowed at a time.
 Current path: /  Free space in this partition: 80864596
 -----------------------------------------------------------------------------
 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> help
Commands may be abbreviated.  Commands are:

!               debug           mdir            sendport        site
$               dir             mget            put             size
account         disconnect      mkdir           pwd             status
append          exit            mls             quit            struct
ascii           form            mode            quote           system
bell            get             modtime         recv            sunique
binary          glob            mput            reget           tenex
bye             hash            newer           rstatus         tick
case            help            nmap            rhelp           trace
cd              idle            nlist           rename          type
cdup            image           ntrans          reset           user
chmod           lcd             open            restart         umask
close           ls              prompt          rmdir           verbose
cr              macdef          passive         runique         ?
delete          mdelete         proxy           send
ftp> ls
200 PORT command successful
425 Unable to build data connection: Connection timed out
ftp>

N.B. - As you can see, I get logged in okay using ftp and the help command works just fine, BUT ls CAUSES IT TO HANG UNTIL TIMEOUT.

**6.** I tried using firefox on my Galaxy tablet:

So why is it that I’m having all these weird and incomprehensible problems which you all apparently aren’t seeing? (Has anyone else tried to connect and had a problem?)
Why is it affecting only me on my localhost and in my local network? What else could be causing this?

So, it comes down to your LAN?

Then check all firewall settings (not of the LAN, but of the individual systems). Don’t forget that there is ftp (port 21) and ftp-data (port 20).

That’s what I was thinking. My router/modem properly forwards all requests to 192.168.1.200, and the firewall on the computer is opened for both 21 and 20, which should be obvious if you can connect and get a listing.

I can’t imagine what could be causing this. There’s other weird problems besides this one, like the ‘desktop effects’ and ‘screen edges’ in Desktop effects under Configure Desktop stopped working with this install, and I have no clue how to re-enable them. Weird.

Recommend… go back to vsftpd because it should work.

So, did you do the things I posted?

First, if you have vsftpd currently installed, get a listing of its package contents. If it’s not installed then skip this step

rpm -ql vsftpd

Uninstall every package that has ftp in its name

zypper rm '*ftp*'

Now, let’s look for anything that might still be on your system that has “ftp” in the name or path

If you have locate installed, then skip the following step to install
If you don’t have locate installed, then install it

zypper in mlocate

Now, although the locate database will update every 24 hrs, we don’t want to wait that long, so to populate the database the following should be run. Even if it was already installed, because we will be looking for results of an operation just performed, we also want to update the database

updatedb

Now, with a current database containing all file and folder names in your system we can now look to see if anything on your system has “ftp” in the path or file name

locate ftp

Evaluate the results, whether they are possibly unimportant (like documentation or empty folders) or significant (like configuration and data files). Do what is needed to make sure there is nothing in your system that might affect a newly installed FTP server.

The steps above should pretty much assure a system purged of anything that should affect a new app install.

Now, install vsftpd and the yast ftp server module as I described in my previous post.

If you want to avoid these kinds of issues related to files left over from previous installs, you should implement virtualization and virtual snapshots. By doing so, you would be able to create a snapshot prior to any experimentation and have a one click solution to rolling back to a known and typically pristine configuration. Although the same <might> be accomplished with a BTRFS rollback, it’s less clear to me knowing exactly what that result would be.

TSU

No, based on what you’ve posted the evidence suggests an application problem, not a network problem.

TSU

Okay TSU,

I slowly went through your instructions and pedantically followed them. Once vsftpd was newly installed I did some edits in the config manually, and didn’t touch the Yast tool. Got the service started, then tried it. No joy. Same error.

So I added the line “allow_writeable_chroot=YES” to the end of the config file, restarted the service to ensure it got read, and - no joy. Nothing different. It’s as though vsftpd isn’t reading the config file at all.

I put screenshots here along with the journal contents: http://behne.ddns.net/Forum/
The one is the persistent error.
Another shows a new intermittent error which happened only twice, and not again. I didn’t see this before, so I think it probably isn’t relevant.

Although I set it to write to the log files in /var/log/ nothing is being written - the files are empty.
I was previously suspecting that the config file isn’t being read when vsftpd starts, and with the logs not being written I think there may be a read/write problem going on here.
Then again, I looked in man vsftpd.conf and “allow_writeable_chroot=YES” isn’t even listed there, so I’m now wondering if it’s even a valid switch.
I set vsftpd to run as user ftp in the config, and all files are chowned to ftp.ftp so that shouldn’t be a problem I think.

Konqueror gives the same symptoms.

Connecting from the command line looks like this:

behne:~ # ftp behne.ddns.net
Connected to behne.ddns.net (112.208.150.147).
220 (vsFTPd 3.0.2)
331 Please specify the password.
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
421 Service not available, remote server has closed connection
ftp> 

I have my .netrc file set to do anonymous logins, so I don’t have to enter it manually.

Using lynx ftp://behne.ddns.net only gives this error: **Alert!: Unable to access document.**

What else can be tested?

Your website appears to be down, so I can’t see your screenshots.

For now, just do the following and post the results.

You should choose to either use the YAST FTP server or not. Don’t mix using YAST and manually editing files, particularly when setting up initially. Use the FTP Server module to set up a working configuration before starting to experiment.

In particular, I’d like to see you post the results of

updatedb && locate '*ftp*'

Which should be generally empty of any files before you install vsftpd.
Then after installing vsftpd, for instance

zypper in vsftpd

then start vsftpd with its default configuration using the following command (which can still be modified as I described earlier), and post the results of the following.

systemctl start vsftpd.service

TSU

Also,
You should also post the permissions of the location where your FTP User accounts upload/download their files.

If you had used the YAST module for configuration, the default location would be the home directory. You can also specify /srv/ftp/ or any other location.

ls -l *ftp_directory*

TSU
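To make the check behind the thread's error concrete, here is an added illustration (not vsftpd's code and not from anyone in the thread) that parses a constructed vsftpd.conf fragment and predicts, from the ownership and mode of the directory that would become the chroot root, whether a login is refused. It assumes the documented behaviour: anonymous sessions are always chrooted to the ftp user's home, local users only with chroot_local_user=YES, and vsftpd refuses when that root is writable by the uid/gid it has dropped to unless allow_writeable_chroot=YES (vsftpd 3.0.0 and later); the uid/gid numbers and the config text are constructed.

```python
"""Predict whether a vsftpd login hits
"500 OOPS: vsftpd: refusing to run with writable root inside chroot()".
Added illustration for this thread, not vsftpd's code. Modelled rule
(documented behaviour): after dropping to the session user, vsftpd
chroot()s and refuses when the new root is writable by that uid/gid
unless allow_writeable_chroot=YES (vsftpd 3.0.0+). chroot_list_enable
exceptions are not modelled."""
import stat

# vsftpd.conf(5) defaults for the keys this check depends on.
DEFAULTS = {"anonymous_enable": "YES", "chroot_local_user": "NO",
            "allow_writeable_chroot": "NO"}

def parse_vsftpd_conf(text):
    """'#' comments, blank lines, exact key=value pairs. vsftpd takes the
    key verbatim, so 'key = value' is an unknown key and aborts startup."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key or key != key.strip():
            raise ValueError("vsftpd would reject config line: %r" % raw)
        conf[key] = value
    return conf

def is_yes(value):
    """vsftpd boolean: YES/TRUE/1 (any case) are true, anything else false."""
    return value.strip()[:1].upper() in ("Y", "T", "1")

def dir_writable_by(mode, st_uid, st_gid, uid, gid):
    """Mode-bit emulation of access(dir, W_OK) for an unprivileged uid/gid."""
    if st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def login_verdict(conf, anonymous, root_mode, root_uid, root_gid, uid, gid):
    """'OK', 'NOT_CHROOTED' (check never runs), 'REFUSED' or 'LOGIN_DISABLED'.
    root_* describe the directory that becomes '/'; uid/gid are what vsftpd
    drops to (the ftp user for anonymous sessions)."""
    if anonymous and not is_yes(conf["anonymous_enable"]):
        return "LOGIN_DISABLED"
    if not (anonymous or is_yes(conf["chroot_local_user"])):
        return "NOT_CHROOTED"
    if (dir_writable_by(root_mode, root_uid, root_gid, uid, gid)
            and not is_yes(conf["allow_writeable_chroot"])):
        return "REFUSED"
    return "OK"

# Constructed fragment standing in for /etc/vsftpd.conf.
SAMPLE_CONF = "anonymous_enable=YES\nanon_upload_enable=YES\nchroot_local_user=NO\n"

def demo(ftp_uid=40, ftp_gid=49):
    """Anonymous root chowned to ftp:ftp (0755) versus the two known fixes.
    uid/gid values are constructed, not real system ids."""
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    before = login_verdict(conf, True, 0o755, ftp_uid, ftp_gid, ftp_uid, ftp_gid)
    # Fix A: keep ownership, tell vsftpd to tolerate a writable root.
    conf_a = parse_vsftpd_conf(SAMPLE_CONF + "allow_writeable_chroot=YES\n")
    fix_a = login_verdict(conf_a, True, 0o755, ftp_uid, ftp_gid, ftp_uid, ftp_gid)
    # Fix B: root owned by root:root 0755; uploads go to a writable subdirectory.
    fix_b = login_verdict(conf, True, 0o755, 0, 0, ftp_uid, ftp_gid)
    return before, fix_a, fix_b  # ('REFUSED', 'OK', 'OK')
```

Running `demo()` shows the same ownership that triggers the refusal passing once either fix is applied, and the parser raises on a spaced `allow_writeable_chroot = YES` line instead of silently ignoring it.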