Having a difficult time trying to set up VSFTPD as an anonymous read only FTP server

This is with a fresh install of OpenWrt on a WRT1900AC router using OpenWrt 18.06.

The goal is to set up an anonymous read only VSFTPD server on my router running OpenWrt 18.06 that shares the contents I have stored in a drive which is attached to the router via USB.

I have been trying to set up an anonymous read only FTP server using VSFTPD. I am able to log in using the root account login but it only shows me a blank directory which I believe is

/home/ftp

I did log in to the router using WinSCP to edit the file "vsftpd.conf" which is located in the "/etc" folder and did this:

background=YES
listen=YES
anonymous_enable=yes
anon_root=/tmp/mnt/sda1/FTP/Basmaff
local_enable=no
write_enable=no
local_umask=022
check_shell=NO
#dirmessage_enable=YES
#ftpd_banner=Welcome to blah FTP service.
session_support=NO
#syslog_enable=YES
#userlist_enable=YES
#userlist_deny=NO
#userlist_file=/etc/vsftpd/vsftpd.users
#xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
###
### TLS/SSL options
### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd_privkey.pem -out /etc/vsftpd/vsftpd_cert.pem -subj /C="DE"/ST="Saxony"/L="Leipzig"/CN="OpenWrt"
#ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=NO
#force_local_logins_ssl=NO
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
#rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
#rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem

I only made four changes, which were to enable anonymous, add an anon_root directory, and disable local_enable and write_enable.

So now when I attempt to log in as anonymous this is what I get when trying to connect in FileZilla:

Command: USER anonymous
Response: 331 Please specify the password.
Command: PASS *********************
Response: 500 OOPS: cannot change directory:/home/ftp
Error: Critical error: Could not connect to server

Exactly how can I get vsftpd to share the contents stored on a drive I have attached to the router?

I did some googling and copying and pasting of commands but I have not been able to accomplish my goal.

Anyone know of a solution for this?

pgrep -f -a ftp
ls -l -d /home /home/ftp

What about HTTP/SFTP?

I ran those commands and on running the second one, I got this:

ls: /home: No such file or directory
ls: /home/ftp: No such file or directory

Still got the error message

Command: USER anonymous
Response: 331 Please specify the password.
Command: PASS *********************
Response: 500 OOPS: cannot change directory:/home/ftp
Error: Critical error: Could not connect to server

Also, I like learning. Could you explain to me what that command does exactly?

Do I have to? I fail to see the reason why I would need to if this is an anonymous read only FTP server.

mkdir -p /home/ftp
chmod 755 /home
chmod 777 /home/ftp
1 Like

I copied and pasted the commands in a PuTTY window and then made another attempt. But I got this error message in FileZilla:

Command: USER anonymous
Response: 331 Please specify the password.
Command: PASS *********************
Response: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Error: Critical error: Could not connect to server

So I added this command:

background=YES
listen=YES
listen_port=21
anonymous_enable=yes
local_root=/tmp/mnt/sda1/FTP/Basmaff
allow_writeable_chroot=YES   <**right here**
local_enable=no
write_enable=no
local_umask=022
check_shell=NO
#dirmessage_enable=YES
#ftpd_banner=Welcome to blah FTP service.
session_support=NO
#syslog_enable=YES
#userlist_enable=YES
#userlist_deny=NO
#userlist_file=/etc/vsftpd/vsftpd.users
#xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
###
### TLS/SSL options
### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd_privkey.pem -out /etc/vsftpd/vsftpd_cert.pem -subj /C="DE"/ST="Saxony"/L="Leipzig"/CN="OpenWrt"
#ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=NO
#force_local_logins_ssl=NO
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
#rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
#rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem

Restarted vsftpd and still got the same error.

To connect, explicitly use LAN-interface IPv4-address.
I've just tested with anonymous_enable=YES and it works for me.

....ok?

I am connecting to it via LAN IP address 192.168.1.1 via wired Ethernet. And it's plugged in directly from the computer I'm using to Port 1 on the router.

opkg update
opkg install vsftpd
sed -i -e "
/^anonymous_enable=/s/^/#/
\$a anonymous_enable=YES
" /etc/vsftpd.conf
service vsftpd restart
mkdir -p /home/ftp
touch /home/ftp/test_anon_ftp

Then try to connect and you should be able to see the file test_anon_ftp.

1 Like

I ran those commands in PuTTY and found the test file.

I re-added the "anon_root" command with the directory going to the drive (and I even placed a picture in the drive) and restarted vsftpd. I logged back in with FileZilla and it shows me an empty directory but says it connected successfully.

When I try to log in to the FTP server via the Chrome browser, it says the site cannot be reached.

When I remove anon_root from the configuration file and restart vsftpd, things work again and I can see the test file.

1 Like

Most likely you don't have enough permissions to access the target directory.
Fix mount options in case of NTFS and fix permissions recursively in case of native Linux FS.

1 Like

I don't know how to set permissions in Linux.

Sidenote: I should state that I am a Windows user and now kind of a fan of DD-WRT. I was a huge fan but not much anymore after what I have been seeing going on since around 2014.

-anyway-

So after checking the commands you had me write, this is what I did.

I swapped the drive for a FAT32 drive with the same files on it and plugged it into OpenWrt. I set it up the same way I did with the other drive and then ran the same chmod commands but with 755 pointing to /tmp/mnt/sda1/ and the 777 pointing to /tmp/mnt/sda1/FTP/Basmaff. Which did not work. I have no idea what the chmod commands and their numbers mean or do.

|Command:|USER anonymous|
|---|---|
|Response:|500 OOPS: vsftpd: refusing to run with writable root inside chroot()|
|Error:|Could not connect to server|

I am going to stop for now and take a short break, because all I expected to do was this:

install OpenWrt
install vsftpd via command line
edit configuration text file for vsftpd
run vsftpd via command line
up and running with files on separate USB drive attached to router now being shared via anonymous FTP.

But instead I have been stuck for the past 4-5 hours, along with a couple of other days, trying to share a folder on a router via FTP with users being able to login anonymously to grab whatever they want from shared folder.

So why would someone like me choose to use OpenWrt?

Because it's lightweight upon install. Just install your programs and you're good to go. It also has better IPv6 support. But I did not realize that it would be this complex and hard to carry out some tasks like these that are not in the GUI.

If I am getting no more help on this, please let me know. Thanks.

Directory /tmp is not a proper place for mounts.
Change it to one of those:

/mnt
/mnt/usb
/home
/home/ftp
/home/username

Also FAT and NTFS are not native Linux FS.
So, you need to set up permissions via mount options.
It should be something like:

umask=0

I went to mount points and remounted it as /mnt/usb1

I also added "umask=0" in the options box for that mount point.

Anything else? I do not know where else to go from here. I did ask someone else on a Discord server what chmod is and showed him this thread. And he said "so that's why you're having a difficult time. You do not know chmod" and then explained to me that it's some kind of thing where you take some values, add them up, and get something like 777 or some other number that will apply whatever permissions it is that you're trying to apply.

I've tested anonymous access to custom directory.
It seems that the issue is not related to permissions, but the access is limited to the home directory of user ftp.
I still have not googled the option responsible for this behavior.
So, you can either change user ftp's home directory inside /etc/passwd, or mount your drive in /home/ftp.
It would be the simplest workaround for now.

2 Likes

I remounted /dev/sda1 to /home/ftp. I reconnected to the FTP server using FileZilla and it's giving me the error message

|Command:|USER anonymous|
|---|---|
|Response:|331 Please specify the password.|
|Command:|PASS *********************|
|Response:|500 OOPS: vsftpd: refusing to run with writable root inside chroot()|
|Error:|Critical error: Could not connect to server|

And even when I put ...

background=YES
listen=YES
listen_port=21
anonymous_enable=YES
allow_writeable_chroot=YES <   ...THIS COMMAND RIGHT HERE...
local_enable=no
write_enable=no
local_umask=022
check_shell=NO
#dirmessage_enable=YES
#ftpd_banner=Welcome to blah FTP service.
session_support=NO
#syslog_enable=YES
#userlist_enable=YES
#userlist_deny=NO
#userlist_file=/etc/vsftpd/vsftpd.users
#xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
###
### TLS/SSL options
### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd_privkey.pem -out /etc/vsftpd/vsftpd_cert.pem -subj /C="DE"/ST="Saxony"/L="Leipzig"/CN="OpenWrt"
#ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=NO
#force_local_logins_ssl=NO
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
#rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
#rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem

...saved it, restarted vsftpd and it still gives me the same error message.

Hey, you might have sorted this by now but I think the problem was you missing the ftp_username=nobody attribute. Once I put that in it all worked as expected.

I've done a write up of my OpenWRT WRT 1900 ACS Config at Linksys WRT 1900 ACS with Huawei E3372 Hi-Link LTE Dongle

My /etc/vsftpd.conf is as follows:

background=YES
listen=YES
anonymous_enable=YES
ftp_username=nobody
anon_root=/mnt/sda2/lab
no_anon_password=YES
local_enable=NO
write_enable=NO
local_umask=022
check_shell=NO
dirmessage_enable=YES
ftpd_banner=Welcome to Glovebox FTP service.
session_support=NO
#syslog_enable=YES
#userlist_enable=YES
#userlist_deny=NO
#userlist_file=/etc/vsftpd/vsftpd.users
#xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
###
### TLS/SSL options
### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd_privkey.pem -out /etc/vsftpd/vsftpd_cert.pem -subj >
#ssl_enable=YES
#allow_anon_ssl=NO
#force_local_data_ssl=NO
#force_local_logins_ssl=NO
#ssl_tlsv1=YES
#ssl_sslv2=NO
#ssl_sslv3=NO
#rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
#rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem
2 Likes

I have the same goal as the topic starter and face the same issue.

I mounted my NTFS drive with this command:
ntfs-3g /dev/sda1 /mnt/my-usb -o rw,lazytime,noatime,big_writes

Everything works as expected with the following /etc/vsftpd.conf:

background=YES
listen=YES
anonymous_enable=YES
local_enable=NO
write_enable=NO
local_umask=022
check_shell=NO
session_support=NO
anon_root=/mnt
ftp_username=nobody
no_anon_password=YES

I can connect to the FTP server and see all the files on my drive. But I want to limit the anonymous user to the ftp folder on my drive.

If I change anon_root=/mnt to anon_root=/mnt/my-usb/ftp I get the following error during a connection attempt:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()

Should I add some mounting option or what?
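
Added example (not from any poster in this thread): vsftpd raises the 500 OOPS above when the anonymous user (`ftp_username`) has write access to the directory it chroot()s into, so the check below predicts the outcome from the directory's mode and ownership. The function names and the temporary directory standing in for the mounted drive are constructed for illustration; `stat -c` as provided by GNU coreutils or BusyBox is assumed, and supplementary groups are ignored.

```shell
#!/bin/sh
# Added example: predict vsftpd's "writable root inside chroot()" refusal.

# can_write MODE OWNER_UID OWNER_GID USER_UID USER_GID
# Classic Unix permission test for the write bit (supplementary groups ignored).
can_write() {
    mode=$((0$1))                       # stat prints octal without a leading 0
    if   [ "$4" -eq 0 ];    then bit=1                    # root always writes
    elif [ "$4" -eq "$2" ]; then bit=$((mode & 0200))     # owner class
    elif [ "$5" -eq "$3" ]; then bit=$((mode & 0020))     # group class
    else                         bit=$((mode & 0002))     # other class
    fi
    [ "$bit" -ne 0 ]
}

# anon_root_verdict DIR ANON_UID ANON_GID
# Prints "refused: ..." when the anonymous user could write to DIR.
anon_root_verdict() {
    # shellcheck disable=SC2046  # splitting stat's three fields is intended
    set -- "$1" "$2" "$3" $(stat -c '%a %u %g' "$1")
    if can_write "$4" "$5" "$6" "$2" "$3"; then
        echo "refused: $1 (mode $4) is writable by uid $2"
    else
        echo "accepted: $1 (mode $4) is not writable by uid $2"
    fi
}

# Constructed demo: a temporary directory stands in for the anon_root folder
# on the drive; the uid/gid are picked to differ from its owner, as the
# anonymous FTP user would.
demo() {
    dir=$(mktemp -d)
    uid=$(( $(id -u) + 1 )); gid=$(( $(id -g) + 1 ))
    chmod 777 "$dir"; anon_root_verdict "$dir" "$uid" "$gid"  # e.g. umask=0
    chmod 755 "$dir"; anon_root_verdict "$dir" "$uid" "$gid"  # e.g. umask=022
    rmdir "$dir"
}
demo
```

A FAT or NTFS mount whose directories appear as mode 777 lands in the "refused" case; mounting so that they appear as root-owned 755 (for example with `umask=022`) gives the "accepted" case.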

passwd_chroot_enable
If enabled, along with chroot_local_user , then a chroot() jail location may be specified on a per-user basis. Each user's jail is derived from their home directory string in /etc/passwd. The occurrence of /./ in the home directory string denotes that the jail is at that particular location in the path.

Default: NO

anon_root
This option represents a directory which vsftpd will try to change into after an anonymous login. Failure is silently ignored.

Default: (none)

ftp_username
This is the name of the user we use for handling anonymous FTP. The home directory of this user is the root of the anonymous FTP area.

Default: ftp

I only know how to get this working with non anonymous users...
For example:
I have user1
And passwd_chroot_enable set to yes (and all other options needed to make chroot work)
I have a global ftp directory owned by nobody:nogroup (the user/group vsftpd is running as) with 777 permission
/mnt/data/ftp

user1 home directory is:
/mnt/data/ftp/user1
which is owned by this user and his grp (same name) but is not writable.

The actual ftp directory for this user is:
/mnt/data/ftp/user1/uploads
which is also owned by this user and his group but this directory is writable.

To make vsftpd change into this upload directory automatically the passwd file has to be modified like this (where passwd_chroot_enable comes into play):
user1:x:1000:1000::/mnt/data/ftp/user1/./uploads:/bin/false
Note: The ./uploads after the actual home directory.

Maybe you can do something like this with the default ftp user?

And actually I'm not sure if the passwd_chroot_enable help text is actually correct...
It implies that the actual chroot in this case would be:
/mnt/data/ftp/user1/uploads
Which doesn't seem to be the case.
The actual chroot is: /mnt/data/ftp/user1
Because user1 is able to move out of the uploads directory up to his home directory but not further/higher.