After setting up vsFTPd 2.3.5 on Debian 7.3 with chroot restrictions, many administrators encounter the stubborn error "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" despite a configuration that looks correct:
listen=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
While Ubuntu 12.04 typically responds to the allow_writeable_chroot parameter, Debian Wheezy's vsFTPd package has stricter security enforcement. The chroot jail requires specific directory permissions.
Here's what actually works on Debian 7.3:
# Create a dedicated FTP directory
sudo mkdir -p /home/user/ftp/files
sudo chown -R user:user /home/user/ftp
sudo chmod a-w /home/user/ftp
sudo chmod 750 /home/user/ftp/files
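# Then modify /etc/vsftpd.conf. For a single account, set the root directly:
local_root=/home/user/ftp
# For per-user roots, use the substitution token instead of the line above:
user_sub_token=$USER
local_root=/home/$USER/ftp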
For shared environments, consider this configuration:
# In /etc/vsftpd.conf:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
allow_writeable_chroot=YES
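# Then create the chroot list. With chroot_local_user=YES, users listed in
# this file are NOT chrooted, so leave it empty unless an exemption is intended: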
sudo touch /etc/vsftpd.chroot_list
sudo chmod 600 /etc/vsftpd.chroot_list
After making changes, always test with:
sudo service vsftpd restart
ftp localhost
If issues persist, check logs:
tail -f /var/log/vsftpd.log
Remember that writeable chroots present security risks. For production systems, consider:
- Using separate jailed directories
- Implementing proper umask settings
- Regularly auditing permissions
When configuring vsftpd 2.3.5 on Debian 7.3 (Wheezy), many administrators encounter the frustrating login failure with the message "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". While solutions exist for Ubuntu systems, Debian requires specific handling due to its security model.
Most online guides suggest either:
1. Setting allow_writeable_chroot=YES
2. Making the chroot directory non-writable
However, Debian's vsftpd package has stricter security defaults than Ubuntu. The real solution lies in understanding Debian's chroot behavior.
Here's a verified configuration that works on Debian 7.3:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
allow_writeable_chroot=YES
pasv_min_port=15000
pasv_max_port=15200
file_open_mode=0666
# user_sub_token must be set for $USER in local_root to be replaced
user_sub_token=$USER
local_root=/home/$USER/ftp
Create this structure for each user:
sudo mkdir -p /home/username/ftp/files
sudo chown username:username /home/username/ftp
sudo chmod a-w /home/username/ftp
sudo chown username:username /home/username/ftp/files
This maintains security while allowing uploads to the 'files' subdirectory.
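The layout above (a chroot root with no write bits and a writable upload subdirectory) can be checked mechanically. The script below is an added example, not part of the original article or of vsftpd; the function names has_write_bit and audit_chroot are hypothetical, and the default subdirectory name "files" follows the article's layout.

```sh
#!/bin/sh
# Added example, not from the original article: audit a vsftpd chroot layout.
# Mode bits are read from `ls -ld` instead of `[ -w ]`, because `[ -w ]` is
# always true when the audit runs as root.

# has_write_bit DIR WHO -> status 0 if WHO (u, g or o) has the write bit on DIR
has_write_bit() {
    case "$2:$(ls -ld -- "$1" | cut -c1-10)" in
        u:??w*|g:?????w*|o:????????w*) return 0 ;;
    esac
    return 1
}

# audit_chroot ROOT [SUBDIR] -> prints findings; status 0 only if clean.
# ROOT is the directory used as local_root; SUBDIR defaults to "files".
# The body is a subshell, so its variables stay local and `exit` only
# ends the function.
audit_chroot() (
    root=$1; sub=${2:-files}; bad=0
    [ -d "$root" ] || { echo "FAIL $root: not a directory"; exit 1; }
    for who in u g o; do
        if has_write_bit "$root" "$who"; then
            echo "FAIL $root: write bit set for '$who' (fix: chmod a-w)"
            bad=1
        fi
    done
    if [ ! -d "$root/$sub" ]; then
        echo "FAIL $root/$sub: upload directory missing"; bad=1
    else
        if ! has_write_bit "$root/$sub" u; then
            echo "FAIL $root/$sub: owner cannot write, uploads will fail"; bad=1
        fi
        if has_write_bit "$root/$sub" o; then
            echo "FAIL $root/$sub: world-writable"; bad=1
        fi
    fi
    [ "$bad" -eq 0 ] && echo "OK   $root: read-only root, writable $sub/"
    exit "$bad"
)

# Usage: sh audit_chroot.sh /home/user/ftp
if [ "$#" -gt 0 ]; then audit_chroot "$@"; fi
```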
For systems with SELinux, additional commands may be required:
sudo setsebool -P ftp_home_dir on
sudo restorecon -R /home/username
Enable detailed logging to identify remaining issues:
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
xferlog_file=/var/log/xferlog
log_ftp_protocol=YES
After configuration:
sudo service vsftpd restart
ftp localhost
# Enter credentials
ftp> put testfile.txt
ftp> ls
Successful execution confirms proper configuration.