PowerScale OneFS: Error Received After Upgrade "500 OOPS: Vsftpd: Refuses to Run with Writable Root Inside Chroot"
Summary: After an upgrade or patch, when the FTP user connects to a PowerScale FTP server, it fails with the error message "500 OOPS: Vsftpd: Refusing to run with writable root inside chroot()." ...
Symptoms
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Cause
The issue occurs after upgrading OneFS to a version containing an upgraded vsftpd:
- 8.2.2_GA-RUP_2023-06 and later
- 9.1.0.29 and later
- 9.2.1.23 and later
- 9.4.0.14 and later
- 9.5.0.4 and later
- 9.6.0.0 and later
For example, the vsftpd pkg is updated from vsftpd-ssl-2.3.4 to vsftpd-ssl-3.0.5.
More details are on the vsftpd official home page at https://security.appspot.com/vsftpd/Changelog.txt
- Add stronger checks for the configuration error of running with a writeable root directory inside a chroot(). This may bite people who carelessly turned on chroot_local_user but such is life.
- Add new config setting "allow_writeable_chroot" to help people in a bit of a spot with the v2.3.5 defensive change. Only applies to non-anonymous.
The issue is that the FTP user's root directory is writable while the chroot restriction is in use, a combination that the updated vsftpd no longer allows. The chroot directory that users are locked to must not be writable.
Resolution
There are two options to address this issue:
- Option 1: Remove write permissions on the user's root (chroot) directory:
# chmod a-w /home/user
- Option 2: Work around the stronger checks by adding the configuration setting below to the vsftpd global configuration file or an individual user configuration file:
allow_writeable_chroot=YES
On the OneFS cluster, it is recommended to make a copy of the vsftpd configuration to /ifs/data/Isilon_Support/. For example:
# cp -av /etc/mcp/templates/vsftpd.conf /ifs/data/Isilon_Support/vsftpd.conf.bak
Then, using the vi editor, add the following line to /etc/mcp/templates/vsftpd.conf:
allow_writeable_chroot=YES
Instead of using the vi editor, you can use the echo command to append the line to that same file:
# echo "allow_writeable_chroot=YES" >> /etc/mcp/templates/vsftpd.conf
Wait a few seconds, then check that the file has been updated on all nodes and that its MD5 checksum is consistent across them:
# isi_for_array -s md5 /etc/mcp/templates/vsftpd.conf
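A pre-flight check for the condition described above, as an added example that is not part of the Dell article or of vsftpd: it classifies a chroot directory as OK, BLOCKED or OVERRIDDEN from its mode bits and the effective allow_writeable_chroot setting. The function names and the temporary sample paths are assumptions, and only POSIX mode bits are inspected.

```shell
#!/bin/sh
# Added example (not Dell's or vsftpd's code). Checks POSIX mode bits only;
# ACLs are not evaluated.

# Print the last value assigned to an option, upper-cased (empty if unset).
# vsftpd options are written as name=value with no spaces around "=".
conf_value() {  # $1 = config file, $2 = option name
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr '[:lower:]' '[:upper:]'
}

# Succeed when any write bit (user, group or other) is set on the directory,
# i.e. the state that "chmod a-w" from Option 1 clears.
dir_has_write_bit() {  # $1 = directory
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        d?w???????|d????w????|d???????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a chroot directory: OK, BLOCKED (login gets the 500 OOPS error)
# or OVERRIDDEN (login works only because Option 2 disabled the check).
chroot_status() {  # $1 = config file, $2 = chroot directory
    if ! dir_has_write_bit "$2"; then
        echo OK
    else
        case "$(conf_value "$1" allow_writeable_chroot)" in
            YES|TRUE|1) echo OVERRIDDEN ;;   # vsftpd boolean "true" spellings
            *) echo BLOCKED ;;
        esac
    fi
}

# Constructed sample: two home directories and a config without the override.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/writable" "$tmp/locked"
    chmod 700 "$tmp/writable"; chmod 500 "$tmp/locked"
    printf 'chroot_local_user=YES\n' > "$tmp/vsftpd.conf"
    for d in "$tmp/writable" "$tmp/locked"; do
        printf '%s %s\n' "$(chroot_status "$tmp/vsftpd.conf" "$d")" "$d"
    done
    echo "allow_writeable_chroot=YES" >> "$tmp/vsftpd.conf"
    printf '%s %s (after Option 2)\n' "$(chroot_status "$tmp/vsftpd.conf" "$tmp/writable")" "$tmp/writable"
    rm -rf "$tmp"
}
demo
```

Directories reported as OVERRIDDEN are the ones to revisit if Option 2 is later rolled back in favor of Option 1.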
Here is a quick reproduction of the issue and the steps to fix it:
- Log in to a PowerScale cluster running OneFS 9.4.0.14. Below is the FTP user home directory:
test2-fxq5rm3-1# ls -ld /ifs/home/warmsvcisiftp
drwx------ 2 warmsvcisiftp Isilon Users 264 Jun 13 02:50 /ifs/home/warmsvcisiftp
- FTP user login fails with the error message:
test2-fxq5rm3-1# ftp localhost
Trying 127.0.0.1:21 ...
Connected to localhost.
220-PowerScale OneFS 9.4.0.14
220
Name (localhost:root): warmsvcisiftp
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
ftp: Login failed
ftp>
- There are two options to address this issue depending on your workflow and concerns:
- Option 1: Remove the write permissions for the user's root directory:
test2-fxq5rm3-1# chmod a-w /ifs/home/warmsvcisiftp
test2-fxq5rm3-1# ls -ld /ifs/home/warmsvcisiftp
dr-x------ 2 warmsvcisiftp Isilon Users 264 Jun 13 02:50 /ifs/home/warmsvcisiftp
test2-fxq5rm3-1# ftp localhost
Trying 127.0.0.1:21 ...
Connected to localhost.
220-PowerScale OneFS 9.4.0.14
220
Name (localhost:root): warmsvcisiftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
- Option 2: Work around the security check:
test2-fxq5rm3-1# chmod u+w /ifs/home/warmsvcisiftp
test2-fxq5rm3-1# ls -ld /ifs/home/warmsvcisiftp
drwx------ 2 warmsvcisiftp Isilon Users 264 Jun 13 02:50 /ifs/home/warmsvcisiftp
test2-fxq5rm3-1# echo "allow_writeable_chroot=YES" >> /etc/mcp/templates/vsftpd.conf
test2-fxq5rm3-1# isi_for_array -s md5 /etc/mcp/templates/vsftpd.conf
test2-fxq5rm3-1: MD5 (/etc/mcp/templates/vsftpd.conf) = 4920beaff65c3bfa09bd18582c2fbcf8
test2-fxq5rm3-2: MD5 (/etc/mcp/templates/vsftpd.conf) = 4920beaff65c3bfa09bd18582c2fbcf8
test2-fxq5rm3-3: MD5 (/etc/mcp/templates/vsftpd.conf) = 4920beaff65c3bfa09bd18582c2fbcf8
test2-fxq5rm3-1# ftp localhost
Trying 127.0.0.1:21 ...
Connected to localhost.
220-PowerScale OneFS 9.4.0.14
220
Name (localhost:root): warmsvcisiftp
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
Additional Information
- Dell article Isilon: OneFS 8.X and Later: How to lock (chroot (change root) jail) FTP users into a specific directory
- ArchLinux document, Very Secure FTP Daemon