CentOS 6 VSFTP FTP User Setup

I have CentOS 6 installed with vsftp, httpd, php, and phpmyadmin all loaded and running fine.  By default, permissions to var/www/html is granted to root:root  but I want the only ftp user on the server to have full access to the var/www/html and var/www/cgi-bin    

I attempted to create a symlink from var/ftp/pub to var/www/html but that does not give the user permissions to upload, change, or create in this directory.  

What is the safest most secure way of giving the ftp user access to our html and cgi-bin directory?
Asked: the-miz

3 Solutions
wesly_chenCommented:
>  giving the ftp user access to our html and cgi-bin directory
1. Create a group, say called "ftpgrp".
(as root)
groupadd  ftpgrp

2. Add all the ftp user into that group, ftpgrp
edit  /etc/group
ftpgrp:x:<gid>:ftpuser1,ftpuser2,ftpuser3,ftpuser4

3. Change group ownership for  /var/www/html and /var/www/cgi-bin
chgrp -R ftpgrp  /var/www/html  /var/www/cgi-bin

4. Change permission for /var/www/html and /var/www/cgi-bin
chmod -R 775  /var/www/html  /var/www/cgi-bin
0
 
the-mizAuthor Commented:
I still get an Access Denied using cuteftp when I try to create a directory or upload a file.  I restarted the vsftpd service and httpd service, and still permission denied.
0
 
wesly_chenCommented:
> when I try to create a directory or upload a file.  
Where?
Please do
ls -l  /path-to-problem-dir
id
0
 
mohansahuCommented:
Hi,

Please do the steps & check it.

1. symlink the /var/ftp/pub folder to /var/www/html

 ln -s   /var/ftp/pub /var/www/html

2. set the access control by using
 setfacl -m u:apache:--x /var/ftp/pub/
 setfacl -m u:ftpuser:rwx /var/ftp/pub/

3. change the owner ship of the pub folder
 chown -R ftpuser.ftpuser pub

4. check the getfacl /var/ftp/pub folder

MS
0
 
the-mizAuthor Commented:
ls -l /var/www/  looks like this:

drwxrwxr-x.  2   root         root 4096   Jul     7 06:31 cgi-bin
drwxr-xr-x.   3   root          root 4096  Sep   7 09:12 error
drwxrwxr-x.  2   root         root 4096   Nov 11  2010 html
drwxr-xr-x.   3   root          root 4096  Sep   7 11:11 icons
drwxr-xr-x.  14  root          root 4096  Sep   7 09:13 manual
drwxr-xr-x.   2   webalizer root 4096  Sep   8 03:22 usage

ls -l /var/ftp/ looks like this:

drwxrwxr-x+   2   contechftp   ftp  4096  Sep  7 14:14 pub
MS, I tried what you wrote but still no permission to create a folder, file or anything.  Create a folder gives me a "Can't create following directory:" error and "access denied" for when I try to upload.
0
 
mohansahuCommented:
This is a write permission problem in the pub folder.

try

 chown -R ftpuser.ftpuser /var/ftp/pub/

OR

chmod 777 /var/ftp/pub/

MS
0
 
the-mizAuthor Commented:
tried ftpuser.ftpuser  in the chown command but says invalid user.  What does the period represent in between the ftpuser.ftpuser?
0
 
mohansahuCommented:
ftpuser means the ftp user, i.e. whichever user you are able to access the folder as,

like: chown -R ftp.ftp /var/ftp/pub/

In the above command the username is ftp.

MS
0
 
the-mizAuthor Commented:
Well I chmod 777 /var/ftp/pub  but still no permission.

It seems like such a simple task, all I want is my ftpuser to be able to log in through cuteftp and have full read/write access to html and cgi-bin directory.  
0
 
mohansahuCommented:

create a username called ftp and use the below command
 
chown -R ftp.ftp /var/ftp/pub/

then check ls -l /var/ftp/pub/

MS
0
 
mohansahuCommented:
Yes, you have to give full permission on the html and cgi-bin folders to the ftp user.

0
 
the-mizAuthor Commented:
ftp user already exists, ran the chown command and got

lrwxrwxrwx. 1 ftp ftp 17 Sep  8 08:32 cgi-bin -> /var/www/cgi-bin/
lrwxrwxrwx. 1 ftp ftp 14 Sep  8 08:31 html -> /var/www/html/

for permissions on /var/ftp/pub

still unable to write to html or cgi-bin :(
0
 
wesly_chenCommented:
drwxrwxr-x.  2   root         root 4096   Jul     7 06:31 cgi-bin
drwxrwxr-x.  2   root         root 4096   Nov 11  2010 html

/var/www/cgi-bin  and /var/www/html   are still owned by "root" group.
You did NOT do the third step.

If you already have ftp group, and all the ftp users are in "ftp group  (very important (step 2), please check /etc/group file to verify )
Then
chgrp   -R   ftp    /var/www/html   /var/www/cgi-bin
0
 
wesly_chenCommented:
after  "chgrp   -R   ftp    /var/www/html   /var/www/cgi-bin"
please do
ls  -l   /var/www
grep  ftp  /etc/group

and post the result here
0
 
the-mizAuthor Commented:
Still same, here's the results:

[root@servername ~]# ls -l /var/www/
total 24
drwxrwxr-x.    2 root          ftp   4096 Sep  8 08:27 cgi-bin
drwxr-xr-x.     3 root          root 4096 Sep  7 09:12 error
drwxrwxrwx.  2 root          ftp   4096 Sep  8 08:29 html
drwxr-xr-x.     3 root          root 4096 Sep  7 11:11 icons
drwxr-xr-x.   14 root          root 4096 Sep  7 09:13 manual
drwxr-xr-x.     2 webalizer root 4096 Sep  8 03:22 usage


[root@servername ~]# grep ftp /etc/group
ftp:x:50:ftpuser
0
 
wesly_chenCommented:
From the result of "grep ftp /etc/group", it only shows
login account name "ftpuser" as a group member.
Are you FTP login as "ftpuser"?
If you FTP login as other login name, say "miz", then please add miz into ftp group
---- /etc/group ----
ftp:x:50:ftpuser,miz
------------
Then ftp login as "miz" and try it.  (please replace "miz" with actual FTP account name).
All other FTP login name, say ftp1, ftp2.... Please add to /etc/group
ftp:x:50:ftpuser, miz,ftp1,ftp2,ftp3
0
 
the-mizAuthor Commented:
my user is ftpuser, the group is ftp

I only have one user to have access via ftp
0
 
wesly_chenCommented:
Ok, so
you ftp login CentOS as "ftpuser" and
------------
cd  /var/www/html
mkdir  test   ====> succeed or fail?
0
 
the-mizAuthor Commented:
I ftp login with CuteFTP as ftpuser but cannot make a directory named test.  It fails.

I cannot run ftp on the server itself as it gives me a "command not found" error.
0
 
wesly_chenCommented:
Would you be able to create any dir under  /var/ftp/pub ?
0
 
the-mizAuthor Commented:
No, I tried that as well...  unsuccessful
0
 
wesly_chenCommented:
Please post your vsftpd.conf
make sure
write_enable=YES

Then restart vsftpd (service vsftpd restart)
0
 
the-mizAuthor Commented:
anonymous_enable=NO

local_enable=YES

write_enable=YES

local_umask=022

dirmessage_enable=YES

xferlog_enable=YES

connect_from_port_20=YES

xferlog_std_format=YES

listen=YES

pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
0
 
the-mizAuthor Commented:
It was already set to YES
0
 
wesly_chenCommented:
Can ftpuser create a test dir anywhere?
If yes, please do
ls  -l /path-to-dir   (the parent dir to "test" dir)
0
 
the-mizAuthor Commented:
ftpuser can create in the /tmp folder

drwxrwxrwt.   4 root root  4096 Sep  8 15:04 tmp
0
 
the-mizAuthor Commented:
Though ftpuser can create a directory in /tmp with the above permissions, I changed the permissions to match the /tmp for /var/www/html and /var/ftp/pub  but still could not create.  How is it that I can not get ftpuser permission to read and write in these directories?
0
 
wesly_chenCommented:
OK,
1.
not through FTP (cuteftp), just log in directly to Ubuntu (ssh or from the console) as "ftpuser", then
cd  /var/www/html
mkdir test1

If it works, then it is a vsftp setting issue:

2. Create another account, say userA, for ftp on Ubuntu, add that account to "ftp" group in /etc/group.
Then login as "userA" directly, do
cd  /var/www/html
mkdir test2
to make sure userA can create directory under /var/www/html

Then use cuteftp FTP login as "userA" and create test3 directory under /var/www/html
If works, then "ftpuser" account is not right.
0
 
the-mizAuthor Commented:
Corrected the problem.

SELinux is enabled. Entered the following command:

# setenforce 0

I was able to write to the directory.

Thanks everyone
0
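The thread checked four things by hand before SELinux turned out to be the blocker: membership of the login user in the group that owns the web directories, the chgrp/chmod 775 steps from the first answer, write_enable=YES in vsftpd.conf, and the SELinux enforcement mode. The script below is an added example, written here and not posted by any participant, that runs those checks read-only and reports what is missing. It uses constructed sample files under a mktemp directory in place of /etc/group, /etc/vsftpd/vsftpd.conf and /var/www so it runs offline; the boolean name allow_ftpd_full_access is the CentOS 6 SELinux boolean for vsftpd writes (later releases renamed it ftpd_full_access), and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from any participant in this thread. A read-only audit of
# the checks the thread walked through by hand: group membership (/etc/group),
# group-writable web directories (the chgrp / chmod 775 steps), write_enable=YES
# in vsftpd.conf, and the SELinux enforcement mode plus the vsftpd write boolean.
# Constructed sample files and directories under a mktemp directory stand in for
# the real /etc/group, /etc/vsftpd/vsftpd.conf and /var/www so it runs offline.

# user_in_group USER GROUP GROUPFILE -> exit 0 when USER is a member of GROUP.
# A group line looks like  ftp:x:50:ftpuser,miz ; spaces after commas (as in
# the thread's example) are tolerated here even though /etc/group forbids them.
user_in_group() {
    members=$(grep "^$2:" "$3" | cut -d: -f4 | tr -d ' ')
    echo ",$members," | grep -q ",$1,"
}

# conf_write_enabled CONFFILE -> exit 0 when an uncommented write_enable=YES
# line is present (the stock CentOS 6 file ships it commented out).
conf_write_enabled() {
    grep -v '^[[:space:]]*#' "$1" | tr -d ' ' | grep -qi '^write_enable=YES$'
}

# mode_group_writable MODESTRING -> exit 0 when the group write bit is set.
# MODESTRING is the first column of `ls -ld DIR`, e.g. drwxrwxr-x. (the
# trailing dot or plus only marks an SELinux label or an ACL and is ignored).
mode_group_writable() {
    case $1 in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# dir_group_writable DIR -> exit 0 when DIR exists and is group-writable.
dir_group_writable() {
    [ -d "$1" ] || return 1
    mode_group_writable "$(ls -ld "$1" | cut -d' ' -f1)"
}

# selinux_status -> prints the enforcement mode and the vsftpd write boolean.
# allow_ftpd_full_access is the CentOS 6 name; later releases call it
# ftpd_full_access. Setting it with  setsebool -P allow_ftpd_full_access=1
# grants vsftpd the write access it needs while leaving SELinux enforcing,
# unlike the setenforce 0 used in the thread.
selinux_status() {
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "info: no SELinux tools on this host"
        return 0
    fi
    echo "info: SELinux mode is $(getenforce)"
    getsebool allow_ftpd_full_access 2>/dev/null \
        || getsebool ftpd_full_access 2>/dev/null \
        || echo "info: vsftpd write boolean not found"
}

# audit USER GROUP GROUPFILE CONFFILE DIR... -> exit 0 only when every check passes.
audit() {
    user=$1; group=$2; groupfile=$3; conffile=$4; shift 4
    rc=0
    user_in_group "$user" "$group" "$groupfile" \
        && echo "ok:   $user is a member of $group" \
        || { echo "FAIL: add $user to $group in $groupfile"; rc=1; }
    conf_write_enabled "$conffile" \
        && echo "ok:   write_enable=YES in $conffile" \
        || { echo "FAIL: set write_enable=YES in $conffile and restart vsftpd"; rc=1; }
    for d in "$@"; do
        dir_group_writable "$d" \
            && echo "ok:   $d is group-writable" \
            || { echo "FAIL: run chgrp -R $group $d && chmod -R 775 $d"; rc=1; }
    done
    selinux_status
    return $rc
}

# Constructed sample input mirroring the thread: ftpuser in group ftp, the
# posted vsftpd.conf, html made 775 but cgi-bin left at 755.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_GROUP=$SAMPLE_DIR/group
SAMPLE_CONF=$SAMPLE_DIR/vsftpd.conf
SAMPLE_CONF_NOWRITE=$SAMPLE_DIR/vsftpd-default.conf
printf 'root:x:0:\nftp:x:50:ftpuser, miz\napache:x:48:\n' > "$SAMPLE_GROUP"
printf 'anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\nlocal_umask=022\n' > "$SAMPLE_CONF"
printf 'anonymous_enable=NO\nlocal_enable=YES\n#write_enable=YES\n' > "$SAMPLE_CONF_NOWRITE"
mkdir -p "$SAMPLE_DIR/html" "$SAMPLE_DIR/cgi-bin"
chmod 775 "$SAMPLE_DIR/html"
chmod 755 "$SAMPLE_DIR/cgi-bin"

audit ftpuser ftp "$SAMPLE_GROUP" "$SAMPLE_CONF" "$SAMPLE_DIR/html" "$SAMPLE_DIR/cgi-bin" \
    || echo "audit: at least one check failed (cgi-bin is expected to fail here)"
```

On a real server, point the four arguments at /etc/group, /etc/vsftpd/vsftpd.conf, /var/www/html and /var/www/cgi-bin. When every Unix-level check passes and SELinux reports Enforcing, `ausearch -m avc -ts recent` shows the denial for the ftpd process, and toggling the vsftpd boolean with setsebool -P is the fix that keeps enforcement on.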
 
wesly_chenCommented:
Glad to hear you found the solution yourself. Select your post as the solution and close it.
0
 
the-mizAuthor Commented:
Was able to come across the answer on another forum.
0