vsftpd: 500 OOPS: prctl PR_SET_SECCOMP failed


I have an issue with vsftpd. When I connect to my FTP server via FileZilla I get the error:

500 OOPS: prctl PR_SET_SECCOMP failed
Error: Critical error
Error: Could not connect to server

I've tried to connect via my file manager as well and it doesn't seem to function. I can connect to all my other servers with no issue so I'm certain that it's a server related issue.

I run Ubuntu 14.04 on a VPSDime VPS. vsftpd version 3.0.2. The error didn't occur after an update or change in configuration but the error started to occur when I was working on a website; it was working fine before I got the error.

I've rebooted, restarted vsftpd and updated my system. Any ideas?

Xweque

Posted 2015-04-30T10:14:34.990

Reputation: 183

Answers

17

The message indicates that the prctl(PR_SET_SECCOMP, ...) call failed.

ret = prctl(PR_SET_SECCOMP, 2, &prog, 0, 0);
if (ret != 0)
{
  die("prctl PR_SET_SECCOMP failed");
}

It can happen when your kernel does not have CONFIG_SECCOMP_FILTER enabled. But that can hardly change while you "work on a website".

Quote from prctl man page:

PR_SET_SECCOMP (since Linux 2.6.23)

Set the secure computing (seccomp) mode for the calling thread, to limit the available system calls. The seccomp mode is selected via arg2. (The seccomp constants are defined in <linux/seccomp.h>.)

...

With arg2 set to SECCOMP_MODE_FILTER (since Linux 3.5) the system calls allowed are defined by a pointer to a Berkeley Packet Filter passed in arg3. This argument is a pointer to struct sock_fprog; it can be designed to filter arbitrary system calls and system call arguments. This mode is available only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.


As a poor workaround, you can configure vsftpd not to enable the seccomp mode.

Use the seccomp_sandbox=no option in the vsftpd.conf.

The option does not seem to be documented.

Martin Prikryl

Posted 2015-04-30T10:14:34.990

Reputation: 13 764

Thanks that worked. Do you know if there may be any complications from doing this? What is seccomp? – Xweque – 2015-04-30T11:40:36.880

See http://en.wikipedia.org/wiki/Seccomp

– Martin Prikryl – 2015-04-30T11:41:25.420

Thanks, it worked for me too. I wonder why I suddenly have this kind of problem. I'm using an OVH virtualized server with Ubuntu 14.04 and kernel 2.6.32. – Miguel El Merendero – 2015-07-08T21:03:25.313

I had exactly the same problem, same config as @MiguelElMerendero, and it solved it. Many thanks! – Bigood – 2015-07-16T22:06:40.860

0

Response:    500 OOPS: vsftpd: refusing to run with writable root inside chroot()

The "500 OOPS" error vsftpd returns is a security measure designed to prevent writable root access for FTP users by default. To resolve this issue there are two main options available.

Allowing Writable User-root Access

The simplest method is to alter the /etc/vsftpd.conf file once again and enable one particular setting:

nano /etc/vsftpd.conf

Edit the file so it resembles the following:

# Allow users to write to their root directory
allow_writeable_chroot=YES

https://uk.godaddy.com/help/how-to-set-up-an-ftp-server-on-ubuntu-1404-12301

MaXiM

Posted 2015-04-30T10:14:34.990

Reputation: 1

0

The reason why this error from vsftpd occurs in some Linux kernels (most notably RHEL/CentOS 6.x from 6.5 onwards) is the following assumption in vsftpd's sources,

https://github.com/dagwieers/vsftpd/blob/master/seccompsandbox.c#L642


  ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
  if (ret != 0)
  {
    if (errno == EINVAL)
    {
      /* Kernel isn't good enough. */
      return;
    }
    die("prctl PR_SET_NO_NEW_PRIVS");
  }

  if (!tunable_seccomp_sandbox)
  {
    return;
  }
[ ... ]
  ret = prctl(PR_SET_SECCOMP, 2, &prog, 0, 0);
  if (ret != 0)
  {
    die("prctl PR_SET_SECCOMP failed");
  }

With https://rhn.redhat.com/errata/RHSA-2015-0864.html Redhat added:

Note: the fix for this issue is the kernel part of the overall fix, and introduces the PR_SET_NO_NEW_PRIVS functionality and the related SELinux exec transitions support.

This breaks vsftpd's assumption above that any kernel which supports PR_SET_NO_NEW_PRIVS also supports PR_SET_SECCOMP mode 2.

vsftpd silently ignores the EINVAL from the first prctl() but fails with the shown error message on the second.

The configuration parameter Martin Prikryl mentioned above is merely making it exit cleanly just after the (now-successful) first prctl(), while before / on older kernels, it cleanly/silently exited on that call.

FrankH.

Posted 2015-04-30T10:14:34.990

Reputation: 111
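The two answers above describe the same gap from different sides: vsftpd treats a working PR_SET_NO_NEW_PRIVS as proof that seccomp filter mode (mode 2) is available, and seccomp_sandbox=no only skips the second prctl(). The added example below is not vsftpd's code; it is a Linux-only probe I wrote that checks the two features separately, so an administrator can tell whether a kernel is missing CONFIG_SECCOMP_FILTER before deciding to turn the sandbox off. It relies on a documented kernel behaviour: prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL) fails with EFAULT when filter mode exists (the NULL program is rejected) and with EINVAL when the mode itself is unknown. The function names and the result enum are my own. The probe runs in a forked child because PR_SET_NO_NEW_PRIVS cannot be undone.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_NO_NEW_PRIVS       /* older glibc headers */
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef SECCOMP_MODE_FILTER       /* value 2, as vsftpd passes literally */
#define SECCOMP_MODE_FILTER 2
#endif

enum seccomp_support { SECCOMP_FILTER_OK, SECCOMP_NO_NNP,
                       SECCOMP_NO_FILTER, SECCOMP_PROBE_ERROR };

/* Pure classification of the two prctl() outcomes, kept separate from the
 * syscalls so it can be unit-tested on any kernel. Unlike vsftpd, a
 * working PR_SET_NO_NEW_PRIVS does not imply filter support here. */
enum seccomp_support classify_probe(int nnp_ret, int nnp_errno,
                                    int filt_ret, int filt_errno)
{
    if (nnp_ret != 0)   /* EINVAL: kernel predates no_new_privs entirely */
        return nnp_errno == EINVAL ? SECCOMP_NO_NNP : SECCOMP_PROBE_ERROR;
    if (filt_ret == 0 || filt_errno == EFAULT)
        return SECCOMP_FILTER_OK;    /* mode parsed; only the NULL prog was rejected */
    if (filt_errno == EINVAL)
        return SECCOMP_NO_FILTER;    /* mode 2 unknown: CONFIG_SECCOMP_FILTER off */
    return SECCOMP_PROBE_ERROR;      /* e.g. EPERM from an outer sandbox */
}

/* Run both prctl() calls in a throwaway child and return its verdict. */
enum seccomp_support probe_seccomp_filter(void)
{
    pid_t pid = fork();
    if (pid < 0) return SECCOMP_PROBE_ERROR;
    if (pid == 0) {
        int r1 = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0), e1 = errno;
        int r2 = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0), e2 = errno;
        _exit((int)classify_probe(r1, e1, r2, e2));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return SECCOMP_PROBE_ERROR;
    return (enum seccomp_support)WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = { "seccomp filter mode available",
        "no PR_SET_NO_NEW_PRIVS (vsftpd skips the sandbox silently)",
        "PR_SET_NO_NEW_PRIVS ok but no filter mode (vsftpd dies with 500 OOPS)",
        "probe failed for another reason" };
    printf("%s\n", names[probe_seccomp_filter()]);
    return 0;
}
```

On a kernel in the RHSA-2015-0864 situation described above the probe prints the third message, which is the case where seccomp_sandbox=no is the only way to start vsftpd.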