There are several thousand blog posts about vsftp and allow_writeable_chroot=YES
The common error message:
Fixing 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()
I solved the problem on my server.
But one question remains:
Why is it advisable to use allow_writeable_chroot=NO
?
Up to now I only found nebulous arguments like "For security reasons".
What are these "security reasons"?
Best Answer
If the FTP credentials of a user (even a virtual user) with a writeable
chroot
get compromised, the attacker might conceivably be able to perform a ROARING BEAST ATTACK. To summarise my rough understanding of this attack, it involves exploiting the fact that some C libraries (perhaps including ones used by the FTP server) will look for dynamic libraries that they depend on at hard-coded paths in/etc
or other common locations. The attacker uploads evil versions of those dynamic libraries to the/etc
within thechroot
, then sends a command to the (running-as-root) FTP server that induces it to run some code that loads in that dynamic library from/etc
. The attacker's evil code then runs as root. This escalates the attack from a mere compromise of the user's FTP folder to rooting the entire machine.Having a non-writeable chroot renders this attack impossible (unless you, the sysadmin, have unwisely created writeable folders with names like
/etc
and/lib
within your FTP users'chroot
directories).