How to Fix “500 OOPS: vsftpd: refusing to run with writable root inside chroot()” on Debian 7.3 (Wheezy)



After setting up vsFTPd 2.3.5 on Debian 7.3 with chroot restrictions, many administrators encounter this stubborn error despite having proper configurations:

listen=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES

While Ubuntu 12.04 typically honors the allow_writeable_chroot parameter, Debian Wheezy's vsftpd package enforces the check more strictly. The directory that becomes the chroot root must not be writable, so uploads have to go into a writable subdirectory beneath it.

Here's what actually works on Debian 7.3:

# Create a dedicated FTP directory
sudo mkdir -p /home/user/ftp/files
sudo chown -R user:user /home/user/ftp
sudo chmod a-w /home/user/ftp
sudo chmod 750 /home/user/ftp/files

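# Then modify /etc/vsftpd.conf.
# user_sub_token makes vsftpd replace $USER in local_root with the login name
# (for a single account, a fixed path such as local_root=/home/user/ftp also works):
user_sub_token=$USER
local_root=/home/$USER/ftp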

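For shared environments, consider this configuration. Note that when chroot_local_user=YES is combined with chroot_list_enable=YES, the users named in chroot_list_file are the ones exempted from the chroot, so list only accounts that must not be jailed: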

# In /etc/vsftpd.conf:
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
allow_writeable_chroot=YES

# Then create the chroot list:
sudo touch /etc/vsftpd.chroot_list
sudo chmod 600 /etc/vsftpd.chroot_list

After making changes, always test with:

sudo service vsftpd restart
ftp localhost

If issues persist, check logs:

tail -f /var/log/vsftpd.log

Remember that writeable chroots present security risks. For production systems, consider:

  • Using separate jailed directories
  • Implementing proper umask settings
  • Regularly auditing permissions

When configuring vsftpd 2.3.5 on Debian 7.3 (Wheezy), many administrators encounter the frustrating login failure with the message "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". While solutions exist for Ubuntu systems, Debian requires specific handling due to its security model.

Most online guides suggest either:

1. allow_writeable_chroot=YES
2. Making the chroot directory non-writable

However, Debian's vsftpd package has stricter security defaults than Ubuntu. The real solution lies in understanding Debian's chroot behavior.

Here's a verified configuration that works on Debian 7.3:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
allow_writeable_chroot=YES
pasv_min_port=15000
pasv_max_port=15200
file_open_mode=0666
user_sub_token=$USER
local_root=/home/$USER/ftp

Create this structure for each user:

sudo mkdir -p /home/username/ftp/files
sudo chown username:username /home/username/ftp
sudo chmod a-w /home/username/ftp
sudo chown username:username /home/username/ftp/files

This maintains security while allowing uploads to the 'files' subdirectory.
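
A pre-flight check for the directory layout created above (and in the earlier /home/user/ftp steps), as an added example that is not part of the original article: it reads the mode bits that chmod a-w clears and reports a jail root that is still writable or an upload directory that is missing. The function names and return codes are this example's own; the files subdirectory name follows the article.

```shell
#!/bin/sh
# Added example: audit the chroot layout before restarting vsftpd.
# Assumption: jail root is <dir>, upload area is <dir>/files.

# Print the 10-character mode string of a path, e.g. "dr-xr-xr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return codes:
#   0  layout is acceptable
#   1  jail root has a write bit set (the condition behind the 500 OOPS)
#   2  upload subdirectory is missing or not owner-writable
#   3  jail root does not exist
check_ftp_jail() {
    root=$1
    [ -d "$root" ] || { echo "MISSING  $root"; return 3; }

    # Owner, group and other write bits sit at characters 3, 6 and 9.
    case $(mode_of "$root") in
        d?w*|d????w*|d???????w*)
            echo "WRITABLE $root ($(mode_of "$root")): run chmod a-w"
            return 1 ;;
    esac

    up="$root/files"
    case $(mode_of "$up" 2>/dev/null) in
        d?w*) ;;
        *) echo "NOUPLOAD $up is missing or not owner-writable"; return 2 ;;
    esac

    echo "OK       $root ($(mode_of "$root")), uploads in $up"
    return 0
}

# Check every directory given on the command line, e.g. /home/*/ftp
status=0
for dir in "$@"; do
    check_ftp_jail "$dir" || status=1
done
```

Run it with the jail roots as arguments after creating or changing accounts; any line not starting with OK names a directory to fix before users log in.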

For systems with SELinux, additional commands may be required:

sudo setsebool -P ftp_home_dir on
sudo restorecon -R /home/username

Enable detailed logging to identify remaining issues:

dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
xferlog_file=/var/log/xferlog
log_ftp_protocol=YES

After configuration:

sudo service vsftpd restart
ftp localhost
# Enter credentials
ftp> put testfile.txt
ftp> ls

Successful execution confirms proper configuration.