# vsftpd OOPS cannot change directory

## nuhiNlow

I'm using vsftpd with virtual users, and the client keeps getting an error saying that vsftpd can't change into the client's directory.

[ebuild   R   ] net-ftp/vsftpd-2.1.0  USE="pam ssl tcpd -caps (-selinux) -xinetd" 0 kB

```
phoenix vsftpd # cat vsftpd.conf

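#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Format notes: vsftpd.conf has no [sections]; every active line is
# key=value with no spaces around "=" and nothing after the value.
# A trailing space after a value is likely kept as part of the value, so
# "local_root=/var/ftp/$USER " (note the space) would name a directory that
# does not exist and produce exactly "OOPS: cannot change directory".
# The original file had that trailing space and also set listen=YES twice;
# both are corrected below.
#
# Listen on IPv4 in standalone mode. xinetd users must set NO or comment
# this out; otherwise it must be set YES. This directive cannot be used in
# conjunction with listen_ipv6.
listen=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# Together with chroot_local_user=YES below this makes uploads land inside
# the chroot; keep the chroot root itself owned by root and not writable by
# the guest user.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftp
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure that only one of the listen options is active.
#listen_ipv6=YES
#
# Passive-mode data port range; the firewall must admit these inbound.
pasv_min_port=59000
pasv_max_port=59900
#
# Jail every local/virtual login into its local_root.
chroot_local_user=YES
#
# SSL/TLS. Note that force_local_logins_ssl=NO still lets clients send their
# password in the clear; set it to YES once all clients are known to
# support TLS.
ssl_enable=YES
# Only relevant if anonymous connections are accepted.
# allow_anon_ssl=NO
# Whether data connections must be encrypted (default applies when commented).
# force_local_data_ssl=NO
force_local_logins_ssl=NO
# TLSv1 is the protocol to keep enabled.
ssl_tlsv1=YES
# SSLv2 and SSLv3 are broken protocols and should stay off.
# (The original file enabled both; changed to NO.)
ssl_sslv2=NO
ssl_sslv3=NO
# Path to your generated *.pem file. The same file holds the private key
# (see rsa_private_key_file), so although it lives under /etc/ssl/certs it
# must be root-owned and readable by root only (e.g. mode 0600).
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
# The *.pem file contains both the key and cert.
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
#
# Per-session transfer rate cap, in bytes per second.
local_max_rate=30000
#
# If enabled, all non-anonymous logins are classed as "guest" logins. A guest
# login is remapped to the user specified in the guest_username setting.
guest_enable=YES
guest_username=virtualftp
#
# PAM stack used to authenticate the virtual users (/etc/pam.d/vsftpd).
pam_service_name=vsftpd
#
# Virtual users will be logged into /var/ftp/[username]/
# That directory must exist and be accessible to guest_username, otherwise
# login fails with "OOPS: cannot change directory".
user_sub_token=$USER
local_root=/var/ftp/$USER
#
# With userlist_deny=NO, only the names listed in userlist_file may log in
# (an allow-list).
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
#
# Log every FTP command and response; handy while debugging the login.
log_ftp_protocol=YES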

```

----------

## TheAbu

Your config looks OK (I would only narrow the passive port range: unless you really expect a huge number of connections, I would rather use 59000 to 59010).

Is your firewall set up the right way? (By that I mean incoming 21 and outgoing 59000 to 59900.)

Here is a copy of my config (also using virtual users), in case it helps:

```
# vsftpd.conf for PAM-backed virtual users; the tree is read-only.

# Standalone listener (no xinetd) on the control port
listen=YES
listen_port=21
banner_file=/etc/vsftpd/banner

# Who may log in: no anonymous access; every login is remapped to the
# "virtual" guest account and authenticated through /etc/pam.d/vsftpd
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd

# Allow-list of accounts (userlist_deny=NO turns the file into an allow-list)
userlist_enable=YES
userlist_file=/etc/vsftpd/users
userlist_deny=NO

# Per-user override files
user_config_dir=/etc/vsftpd/vsftpd_user_conf

# Confinement: jail every user and close every write path
chroot_local_user=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
hide_ids=YES

# TLS is mandatory for both the login and the data channel
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem

# Passive data ports (these must also be allowed inbound on the firewall)
pasv_min_port=51600
pasv_max_port=51602

# Connection limits
max_clients=5
max_per_ip=2

# Logging
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
log_ftp_protocol=YES
```

for my firewall I have:

21 allowed in (actually, for security reasons I don't use 21, but that doesn't really matter)

51600 to 51602 allowed in too (pasv range)

----------

## nuhiNlow

firewall is set up ok.

I'm testing on my internal LAN and getting this error.

does not appear to be network related.

thanks

----------

## TheAbu

You probably already checked that but for the sake of completion:

Does the home folder for your virtual user belong to root, with group virtual (or whatever your virtual user is called)?

Are the permissions on this folder set to 2750?

Do the subfolders (your users' folders) also belong to root with group virtual, with permissions also set to 2750?

----------

## nuhiNlow

Mar 30 17:23:25 [vsftpd] pam_userdb(vsftpd:auth): user_lookup: could not open database `/etc/vsftpd/passwd': Invalid argument

I keep getting that error.

drwxr-s---  3 virtualftp users  4096 2009-03-27 11:37 ftp

What does chmod 2750 do? I have not used that one before.

Thanks for your replies. It's difficult getting back into this one, as I dropped it in disgust on Friday.

I may spend more time on it tomorrow, but I did a lot of googling and kept coming back to the PAM problem mentioned in the first line of this post.

It seems I have run across an old bug/problem with PAM and berkdb that never got resolved.

would be nice to confirm.

merci!

----------

## TheAbu

Here is a cat of the vsftpd file I created in /etc/pam.d/, in case it helps:

auth required /lib/security/pam_userdb.so db=/etc/vsftpd/login

account required /lib/security/pam_userdb.so db=/etc/vsftpd/login

I guess you did emerge sys-auth/pam_userdb?

Sorry if some of my questions sound a bit condescending, but it's a fairly complex setup and a lot of things can go wrong if you forget one step :Smile:

----------

## nuhiNlow

No worries about the questions; the only way this will get solved is by examining every part of the setup.

[ebuild   R   ] sys-auth/pam_userdb-0.99.8.1  USE="nls" 0 kB

phoenix vsftpd # cat /etc/pam.d/vsftpd 

# /etc/pam.d/vsftpd: both the auth and account phases are answered from the
# pam_userdb Berkeley DB file.
# NOTE(review): pam_userdb appends ".db" to the db= path itself, so the file
# on disk should be /etc/vsftpd/passwd.db; "could not open database ...:
# Invalid argument" is usually the DB library rejecting the file, e.g. when
# db_load and pam_userdb were built against different Berkeley DB versions
# -- confirm both use the same one.
# NOTE(review): pam_userdb documents crypt=crypt (crypt(3) hashes) and
# crypt=none (plaintext); confirm this pam_userdb version accepts "hash".
auth required pam_userdb.so db=/etc/vsftpd/passwd crypt=hash

account required pam_userdb.so db=/etc/vsftpd/passwd crypt=hash

----------

## nuhiNlow

auth required /lib/security/pam_userdb.so db=/etc/vsftpd/passwd crypt=hash

account required /lib/security/pam_userdb.so db=/etc/vsftpd/passwd crypt=hash

have also tried using /lib64/security...

still get the pam error in logs.

here's emerge --info

phoenix vsftpd # emerge --info

Portage 2.2_rc27 (default/linux/amd64/2008.0, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.29-gentoo x86_64)

=================================================================

System uname: Linux-2.6.29-gentoo-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_6400+-with-glibc2.2.5

Timestamp of tree: Fri, 27 Mar 2009 11:30:16 +0000

app-shells/bash:     3.2_p48-r1

dev-java/java-config: 1.3.7-r1, 2.1.7

dev-lang/python:     2.5.4-r2

dev-util/cmake:      2.6.3

sys-apps/baselayout: 2.0.0-r2

sys-apps/openrc:     0.4.2-r1

sys-apps/sandbox:    1.6

sys-devel/autoconf:  2.13, 2.63

sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2

sys-devel/binutils:  2.19.1-r1

sys-devel/gcc-config: 1.4.1

sys-devel/libtool:   2.2.6a

virtual/os-headers:  2.6.28-r1

ACCEPT_KEYWORDS="amd64 ~amd64"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-march=native -O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc /var/lib/hsqldb"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"

CXXFLAGS="-O2 -pipe"

DISTDIR="/usr/portage/distfiles"

FEATURES="distlocks fixpackages metadata-transfer parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch"

GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"

LANG="en_US.utf8"

LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed"

LINGUAS="en_US"

MAKEOPTS="-j5"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

SYNC="rsync://rsync.gentoo.org/gentoo-portage"

USE="3dnow X a52 aac acl acpi alsa amd64 apm banshee berkdb bzip2 cdinstall cdparanoia cdr cli cracklib crypt cups dbus dga directfb dri dvb dvd dvdr dvdread encode escreen exif fam ffmpeg flac fortran gdbm gif gimp gnome gnome-keyring gnutls gphoto2 gpm gstreamer gtk gtkhtml hal hddtemp iconv ipod isdnlog java java6 javascript jpeg lame libnotify libv4l2 lm_sensors mad midi mmx mp3 mp4 mpeg mudflap multilib musicbrainz mysql nautilus ncurses nls nptl nptlonly nsplugin nvidia offensive ogg opengl openmp pam pcre pdf perl png pppd python quicktime rdesktop readline reflection sensord session smp spell spl sse sse2 ssl startup-notification svg sysfs tcpd tiff truetype unicode usb vnc vorbis wavpack xml xorg xscreensaver xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="auth_basic autoindex authz_host auth_host dir mime dav dav_fs authn_file auth_digest authz_groupfile" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US" USERLAND="GNU" VIDEO_CARDS="nvidia"

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

----------

