
Thread: vsftpd: refusing to run with writable root inside chroot() - fix not working

  1. #1
    Join Date
    Jan 2014
    Location
    San Jose City, PH.
    Posts
    118

    vsftpd: refusing to run with writable root inside chroot() - fix not working

    I cannot fully connect to my ftp server. I get the login prompt in the browser, log in as anonymous, then I get the error. Logging in from a terminal looks like this:
    Code:
    russ@behne:~> ftp behne.ddns.net
    Connected to behne.ddns.net (112.208.203.161).
    220-Welcome to openSUSE Leap 42.2 - Kernel %r (%t).
    220 
    331 Please specify the password.
    500 OOPS: vsftpd: refusing to run with writable root inside chroot()
    Login failed.
    421 Service not available, remote server has closed connection
    ftp>

    Error message:

    vsftpd: refusing to run with writable root inside chroot()

    Fix I've tried:
    I tried the allow_writeable_chroot=YES solution, which did not work. (Yes, I restarted the server with systemctl restart vsftpd.) There was no effect, as though either the setting allow_writeable_chroot=YES in the config file is being ignored, or the config file in its entirety isn't being read on restart.

    I do not want to try the other suggested fix of removing all writable bits from the user's home directories, as I understand that there are undesirable side effects from doing that. I'd much rather fix this one.

    Does anyone know what to do, what to test, and how to fix this?
    AMD Ryzen 3 1200 Quad-core Processor, 32MB memory, KDE
    DRIVES: 2 4TB BTRFS raid1, 1 4TB BTRFS for backups
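
Added example (not from any poster in this thread, and not vsftpd's own code): a small Python audit of the two things post #1 is unsure about, whether the allow_writeable_chroot line is in the strict option=value form that vsftpd.conf(5) requires, and whether the anonymous root is writable by the FTP account. The `ftp` account name, the /srv/ftp fallback and the `upload` directory name are assumptions about the setup.

```python
import os
import stat

def parse_vsftpd_conf(text):
    """Return (settings, rejected). Only plain 'option=value' lines are accepted,
    since vsftpd.conf(5) forbids spaces around '='; a later assignment wins."""
    settings, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.lstrip():
            rejected.append((lineno, raw))
        else:
            settings[key] = value
    return settings, rejected

def writable_by(path, uid, gids):
    """True if the mode bits grant write access to uid or one of gids
    (owner, then group, then other; ACLs are not considered)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(conf_text, ftp_uid, ftp_gids, root_default="/srv/ftp", upload="upload"):
    """Check the config text and the anonymous root's permissions.
    root_default and upload are assumptions about the layout, not vsftpd names."""
    settings, rejected = parse_vsftpd_conf(conf_text)
    findings = [f"line {n}: not plain option=value: {raw!r}" for n, raw in rejected]
    root = settings.get("anon_root", root_default)
    if writable_by(root, ftp_uid, ftp_gids):
        findings.append(f"{root} is writable by the FTP account (writable chroot root)")
    up = os.path.join(root, upload)
    if os.path.isdir(up) and not writable_by(up, ftp_uid, ftp_gids):
        findings.append(f"{up} is not writable by the FTP account, uploads will fail")
    return settings, findings

if __name__ == "__main__":
    import pwd
    acct = pwd.getpwnam("ftp")  # assumption: the anonymous account is named 'ftp'
    with open("/etc/vsftpd.conf") as fh:
        for finding in audit(fh.read(), acct.pw_uid, {acct.pw_gid})[1]:
            print(finding)
```

Run as a script it reads /etc/vsftpd.conf and prints one line per finding; only the account's primary group is considered.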

  2. #2
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,296
    Blog Entries
    2

    Re: vsftpd: refusing to run with writable root inside chroot() - fix not working

    First,

    You probably need to describe in detail how you set up your chroot... exactly what is in it, if any part of it uses bind mountings and most importantly what you did to secure it (because by default chroots are widely known not to be secure by default).

    Related,
    You should also know that since we have had systemd that there are other options that are considered far better to implement what has traditionally been placed in a chroot... Generally, Linux Containers can provide the secure isolation that would restrict access to, and if compromised restrict access out of the specified file tree. Docker and LXC are both mature solutions that use Linux Containers and although I haven't looked closely probably systemd-nspawn can satisfy your objectives as well. Linux Containers can be implemented with a full application running on a full OS, or a stub of an OS...

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3
    Join Date
    Jan 2014
    Location
    San Jose City, PH.
    Posts
    118

    Re: vsftpd: refusing to run with writable root inside chroot() - fix not working

    Actually, I don't recall setting up any chroot at all. I just installed vsftpd and immediately got this problem. All I need is a working ftp server where anonymous can upload only to the upload directory, and download from everywhere else except the upload directory.

    I'm willing to uninstall vsftpd and reinstall any ftp server from scratch if I could get some guidance in how to get it working right.

  4. #4
    Join Date
    Jan 2014
    Location
    San Jose City, PH.
    Posts
    118

    Re: vsftpd: refusing to run with writable root inside chroot() - fix not working

    I looked in the Yast ftp tool and saw that the setting for chroot was enabled there. I wasn't aware of that before. Unselecting it made no difference.

    Okay, taking my own advice, I uninstalled it all. Then I used the Yast ftp tool again, and it gave me a choice of two FTP servers, so I selected vsftpd again, it installed complete with a new config file.
    This time I made sure that the chroot box was unselected. I enabled and started vsftpd using systemctl, and tried to connect again. Same error message.
    I then added the line "allow_writeable_chroot=YES" to /etc/vsftpd.conf, restarted the server and - no joy. Same problem.

    So this time I'm pretty sure I didn't unknowingly set up any chroot anything.

  5. #5
    Join Date
    Jan 2014
    Location
    San Jose City, PH.
    Posts
    118

    Re: vsftpd: refusing to run with writable root inside chroot() - fix not working

    I gave up and tried pure-ftpd, it didn't work, and I don't care for it, so I uninstalled that too, and installed proftpd.

    I actually prefer proftpd, but am having problems with it too! Using ftp from a terminal I get logged in as anonymous, the help command works, but ls hangs the server until it times out. Using a browser to connect to the server just hangs with a blank page.

    What's causing this?

    Try it yourself: ftp://behne.ddns.net
    Last edited by rwbehne1; 25-Dec-2016 at 05:44. Reason: Added URL

  6. #6
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,157

    Re: vsftpd: refusing to run with writable root inside chroot() - fix not working

    Quote Originally Posted by rwbehne1 View Post
    Try it yourself: ftp://behne.ddns.net
    Clicked on it and got a formatted version of an index page:
    Index van ftp://behne.ddns.net/
    with eleven entries below it.
    One of them is a welcome message:
    Code:
    ____         ___   ____       _                
    |  _ \ _   _ / _ \ | __ )  ___| |__  _ __   ___ 
    | |_) | | | | |/ / |  _ \ / _ \ '_ \| '_ \ / _ \
    |  _ <| |_| | |\ \ | |_) |  __/ | | | | | |  __/
    |_| \_\\__,_| ||_/ |____/ \___|_| |_|_| |_|\___|
                |_|                                
    Greetings and salutations! You are currently logged in as %U. 
    It's now %T here in the Phillipines.
      This is my public FTP server. Feel free to wander around and download any 
    files you're interested in. 
      If you're looking for ebooks go to http://behne.ddns.net:8787 and you'll 
    likely find something interesting. I just ask one thing: please donate ebooks 
    which I don't already have by putting them into the "upload" directory. I 
    prefer how-to books and those having to do with alternate technology, 
    survival, and self-sufficiency.
      Please do not upload Microsoft programs or other executables here, they 
    will simply be deleted.
      The file "ls-lR.lst" contains a listing of all files currently available on 
    this site. To reduce loading on the server please download it to find what you 
    may need before trying to browse around aimlessly. ls-lR.lst is automatically 
    updated every hour.
    
    Enjoy!
    Ruß (Russ), rwbehne1@gmail.com
    -----------------------------------------------------------------------------
    Your host %R has been logged.
    There are currently %N user(s) out of %M allowed at a time.
    Current path: %C  Free space in this partition: %F
    -----------------------------------------------------------------------------
    Last edited by hcvv; 25-Dec-2016 at 07:36.
    Henk van Velden

  7. #7
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,296
    Blog Entries
    2

    Re: vsftpd: refusing to run with writable root inside chroot() - fix not working

    I'll take a look at this when I have some time but in the meantime...

    - Over the years, the YAST FTP module hasn't always worked for vsftpd. When that has happened, IIRC I chose pure-ftpd instead
    - Unless things have changed, the YAST FTP module like many other modules will not install anything for you, you have to install all necessary packages on your own. So, for instance just because you might choose pure-ftpd in the FTP Server module, that will not install the pure-ftpd application, you have to do that on your own.
    - I don't remember the last time I might have checked enabling root "write" in a chroot (largely for the reasons I described above) so would generally not expect that setting up the chroot is automatically done for you.

    TSU

  8. #8
    Join Date
    Jan 2014
    Location
    San Jose City, PH.
    Posts
    118

    Re: vsftpd: refusing to run with writable root inside chroot() - fix not working

    I'm not sure what you mean. Did you type in ls at the command prompt and get a directory listing? When I do it responds with:
    Code:
    200 PORT command successful
    ...and then it just hangs there doing nothing, giving no directory listing, until it times out.

    Or did you only use a browser? When I use a browser to connect, I only get a blank screen, and it just hangs there indefinitely - no welcome.txt is displayed, nothing. Just a blank screen.

    Did you try from a terminal? Type in ftp behne.ddns.net at the command prompt and see if it connects that way. It probably will, (it does for me,) but does ls work for you? It still isn't working for me:
    230 Anonymous access granted, restrictions apply
    Remote system type is UNIX.
    Using binary mode to transfer files.
    Code:
    ftp> ls
    200 PORT command successful
    425 Unable to build data connection: Connection timed out
    ftp>

  9. #9
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    25,157

    Re: vsftpd: refusing to run with writable root inside chroot() - fix not working

    Well, as said, I clicked on it. And as I was using Firefox reading the thread, Firefox switched to it, showing the (locally in the browser) indexed page. Not blank like you seem to get.

    But I assume you want me to use ftp:
    Code:
    henk@boven:~> ftp behne.ddns.net
    Connected to behne.ddns.net.
    220 FTP server ready
    Name (behne.ddns.net:henk): 
    331 Password required for henk
    Password:
    Any other things you want me to do?
    Henk van Velden

  10. #10
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,296
    Blog Entries
    2

    Re: vsftpd: refusing to run with writable root inside chroot() - fix not working

    Since it wouldn't take much for me to run a little test, I decided to set up vsftpd on a 42.2 using the YAST FTP Server module.

    Started with a pretty ordinary 42.2 I use for testing. A few extra things are already installed, but nothing related to FTP.

    Installed
    Code:
    zypper in vsftpd yast2-ftp-server
    Immediately opened YAST > Network Services > FTP Server

    Configured
    Startup
    • When booting
    • There is no option for ProFTP, and I only have vsftpd installed

    General
    • Modified Welcome page (The default is a bug. Any experienced FTP Admin will know that if the Greeting Welcomes Users, then it legally allows hackers to hack. The warning should clearly welcome legitimate Users but say illegitimate use is unwelcome).
    • At first selected "Chroot Everyone" but that requires setting FTP permissions manually so DO NOT CHECK the box to chroot
    • For Testing, did not set an FTP directory for Authenticated Users, so interestingly the $HOME directory becomes the FTP directory. Recommend setting to /srv/ftp but may require setting appropriate file permissions.

    Authentication
    • Set to "Both"
    • Enabled Upload (but not Anonymous, which can be dangerous)

    Expert Mode
    • Enabled Passive Mode (Actually there is no such thing. Should be called PASV mode)
    • Checked box to Open Port in Firewall


    After setting the above, went back to the Startup section and hit the button "Save Settings and Restart FTP Now" and then the "Finish" button that again saves settings and closes the FTP server module.

    Test connecting from another machine. Interestingly, I found that the default console FTP client in openSUSE has deprecated a number of standard commands like "push" and "pull" and "ftp://" is no longer supported. Instead, the following in a console
    Code:
    ftp user@address 
    And then, you're successfully logged in!
    I performed a test "mkdir" and uploaded a test file, I also found that "cd" works (which ordinarily shouldn't). So, all in all it looks like there are substantial changes in the LEAP FTP client which makes it much easier to use than what has existed for many years, but as I also mentioned... It also looks like some of the original and standard commands have been removed in favor of "more contemporary" commands.

    I do recommend the modifications I described, and will be submitting bug reports so they shouldn't need to be modified manually in the future (assuming modification suggestions are accepted).

    And, although the YAST FTP Server module won't support complex configurations, it's still pretty darn good for getting an FTP server up and running within a few minutes, absolutely far less time than the usual manual configurations.

    TSU
