500 oops: vsftpd: refusing to run with writable root inside chroot


#1

If you’re using vsftpd with the chroot local user and write enable options like this:

write_enable=YES
chroot_local_user=YES

and you’re getting the following error when you log in through FTP:

500 OOPS: vsftpd: refusing to run with writable root inside chroot()

you can fix the problem by adding the following line to /etc/vsftpd.conf and restarting the vsftpd service:

allow_writeable_chroot=YES

#2

There is an alternative solution to vsftpd’s “writable root” problem.

You can make the root directory (not /; it would be the home directory of the logged-in user if the chroot setup is activated) non-writable and create a subdirectory with write permissions enabled.

You can write into all of the subdirectories without making any configuration change.


#3

If we take security more seriously, we should go with your suggested solution.

Because FTP is not an encrypted protocol, allowing writing to the root directory of the logged-in user can be harmful. It is possible to overwrite .bashrc, .profile, change the default PATH, put infected binaries and prepare aliases for them, etc.

In most cases, it would be a better solution to prevent FTP uploads to the root directory of the logged-in user and give write permissions only to the subfolders, rather than allowing them with the allow_writeable_chroot=YES option.
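
The layout suggested in posts #2 and #3 (non-writable chroot root, writable subdirectory), as an added shell example that is not part of the thread. The function names, the `upload` directory name and the optional owner argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read-only chroot root with one writable subdirectory.
# Function names and the "upload" default are hypothetical.

# Return 0 if no write bit (owner, group or other) is set on the directory.
root_is_readonly() {
    [ -d "$1" ] || return 2
    hit=$(find "$1" -prune \( -perm -200 -o -perm -020 -o -perm -002 \) -print)
    [ -z "$hit" ]
}

# harden_chroot HOME [SUBDIR] [OWNER]
# Creates HOME/SUBDIR as the only writable location, then removes every
# write bit from HOME itself so the chroot root is no longer writable.
harden_chroot() {
    home=$1
    sub=${2:-upload}
    owner=$3
    [ -d "$home" ] || { echo "no such directory: $home" >&2; return 1; }
    # Accept a single path component only, so the writable directory
    # cannot end up outside the chroot root.
    case $sub in
        */*|.|..) echo "invalid subdirectory name: $sub" >&2; return 1 ;;
    esac
    # Create the subdirectory first: once HOME is read-only, a
    # non-root caller can no longer create entries in it.
    mkdir -p "$home/$sub" || return 1
    chmod u+rwx "$home/$sub" || return 1
    # When run as root for another account, hand the subdirectory to
    # that user so uploads into it succeed.
    if [ -n "$owner" ]; then
        chown "$owner" "$home/$sub" || return 1
    fi
    chmod a-w "$home" || return 1
}

# Demo on a constructed temporary directory standing in for a user's home.
demo=$(mktemp -d)
if harden_chroot "$demo" upload && root_is_readonly "$demo"; then
    echo "chroot root is read-only, uploads go to $demo/upload"
fi
chmod u+w "$demo"
rm -rf "$demo"
```

With this layout, allow_writeable_chroot=YES does not need to be set, and dotfiles such as .bashrc or .profile in the home directory cannot be created or replaced over FTP.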