the-miz asked:
CentOS 6 VSFTP FTP User Setup
I have CentOS 6 installed with vsftp, httpd, php, and phpmyadmin all loaded and running fine. By default, permissions to var/www/html are granted to root:root but I want the only ftp user on the server to have full access to var/www/html and var/www/cgi-bin.
I attempted to create a symlink from var/ftp/pub to var/www/html but that does not give the user permissions to upload, change, or create in this directory.
What is the safest most secure way of giving the ftp user access to our html and cgi-bin directory?
> when I try to create a directory or upload a file.
Where?
Please do
ls -l /path-to-problem-dir
id
Hi,
Please do the steps & check it.
1. shortlink to /var/ftp/pub folder to /var/www/html
ln -s /var/ftp/pub /var/www/html
2. set the access control by using
setfacl -m u:apache:--x /var/ftp/pub/
setfacl -m u:ftpuser:rwx /var/ftp/pub/
3. change the ownership of the pub folder
chown -R ftpuser.ftpuser pub
4. check the getfacl /var/ftp/pub folder
MS
ASKER
ls -l /var/www/ looks like this:
drwxrwxr-x. 2 root root 4096 Jul 7 06:31 cgi-bin
drwxr-xr-x. 3 root root 4096 Sep 7 09:12 error
drwxrwxr-x. 2 root root 4096 Nov 11 2010 html
drwxr-xr-x. 3 root root 4096 Sep 7 11:11 icons
drwxr-xr-x. 14 root root 4096 Sep 7 09:13 manual
drwxr-xr-x. 2 webalizer root 4096 Sep 8 03:22 usage
ls -l /var/ftp/ looks like this:
drwxrwxr-x+ 2 contechftp ftp 4096 Sep 7 14:14 pub
MS, I tried what you wrote but still no permission to create a folder, file or anything. Create a folder gives me a "Can't create following directory:" error and "access denied" for when I try to upload.
This is a write permission problem in the pub folder.
try
chown -R ftpuser.ftpuser /var/ftp/pub/
OR
chmod 777 /var/ftp/pub/
MS
ASKER
tried ftpuser.ftpuser in the chown command but says invalid user. What does the period represent in between the ftpuser.ftpuser?
ftpuser in the sense of ftp user; which user are you able to access the folder with?
like: chown -R ftp.ftp /var/ftp/pub/
in the above command the username is ftp
MS
ASKER
Well I chmod 777 /var/ftp/pub but still no permission.
It seems like such a simple task, all I want is my ftpuser to be able to log in through cuteftp and have full read/write access to html and cgi-bin directory.
Yes, you have to give full permission on the html and cgi-bin folders to the ftp user.
ASKER
ftp user already exists, ran the chown command and got
lrwxrwxrwx. 1 ftp ftp 17 Sep 8 08:32 cgi-bin -> /var/www/cgi-bin/
lrwxrwxrwx. 1 ftp ftp 14 Sep 8 08:31 html -> /var/www/html/
for permissions on /var/ftp/pub
still unable to write to html or cgi-bin :(
drwxrwxr-x. 2 root root 4096 Jul 7 06:31 cgi-bin
drwxrwxr-x. 2 root root 4096 Nov 11 2010 html
/var/www/cgi-bin and /var/www/html are still owned by "root" group.
You did NOT do the third step.
If you already have an ftp group, and all the ftp users are in the "ftp" group (very important (step 2), please check the /etc/group file to verify)
Then
chgrp -R ftp /var/www/html /var/www/cgi-bin
after "chgrp -R ftp /var/www/html /var/www/cgi-bin"
please do
ls -l /var/www
grep ftp /etc/group
and post the result here
ASKER
Still same, here's the results:
[root@servername ~]# ls -l /var/www/
total 24
drwxrwxr-x. 2 root ftp 4096 Sep 8 08:27 cgi-bin
drwxr-xr-x. 3 root root 4096 Sep 7 09:12 error
drwxrwxrwx. 2 root ftp 4096 Sep 8 08:29 html
drwxr-xr-x. 3 root root 4096 Sep 7 11:11 icons
drwxr-xr-x. 14 root root 4096 Sep 7 09:13 manual
drwxr-xr-x. 2 webalizer root 4096 Sep 8 03:22 usage
[root@servername ~]# grep ftp /etc/group
ftp:x:50:ftpuser
From the result of "grep ftp /etc/group", it only shows login account name "ftpuser" as group.
Are you logging in to FTP as "ftpuser"?
If you log in to FTP as another login name, say "miz", then please add miz into the ftp group
---- /etc/group ----
ftp:x:50:ftpuser,miz
------------
Then log in to ftp as "miz" and try it. (please replace "miz" with the actual FTP account name).
All other FTP login names, say ftp1, ftp2..., please add to /etc/group
ftp:x:50:ftpuser, miz,ftp1,ftp2,ftp3
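The reasoning in this reply (is the login name a member of the ftp group, and do the group bits on the directory then allow writes?) is exactly the classic Unix DAC check. The following Python script is an added example, not code from the thread or from the vsftpd project: it parses the `ls -l` and `/etc/group` lines posted above (re-typed here as constructed sample input, plus one constructed symlink line named `html-link`) and explains, per directory, whether a given user may create entries in it. It also reports the trailing `.` and `+` that GNU ls prints on these listings, which mean an SELinux label and a POSIX ACL respectively; a DAC-level "allowed", as the script computes for ftpuser on html, is only the first layer that has to agree before a write succeeds.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the `ls -l` lines and the /etc/group line posted
# in the thread, re-typed so the evaluator runs offline. The html-link line
# is constructed to show how a symlink entry is handled.
LS_OUTPUT = """\
total 24
drwxrwxr-x. 2 root ftp 4096 Sep 8 08:27 cgi-bin
drwxr-xr-x. 3 root root 4096 Sep 7 09:12 error
drwxrwxrwx. 2 root ftp 4096 Sep 8 08:29 html
drwxrwxr-x+ 2 contechftp ftp 4096 Sep 7 14:14 pub
lrwxrwxrwx. 1 ftp ftp 14 Sep 8 08:31 html-link -> /var/www/html/
"""
ETC_GROUP = """\
ftp:x:50:ftpuser
apache:x:48:
"""

# One `ls -l` line: type, nine permission bits, optional '.' (SELinux label
# present) or '+' (POSIX ACL present), link count, owner, group, size,
# a three-field date, then the name (possibly "name -> target").
LS_LINE = re.compile(
    r"^([dl-])([rwxsStT-]{9})([.+]?)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(.+)$"
)


def parse_ls(text: str) -> Dict[str, dict]:
    entries = {}
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # skips "total 24" and anything that is not an entry
        ftype, perms, extra, owner, group, name = m.groups()
        target: Optional[str] = None
        if " -> " in name:
            name, target = name.split(" -> ", 1)
        entries[name] = {
            "type": ftype, "perms": perms, "owner": owner, "group": group,
            "acl": extra == "+", "selinux": extra == ".", "target": target,
        }
    return entries


def parse_group(text: str) -> Dict[str, List[str]]:
    """Map group name -> supplementary members from /etc/group lines."""
    members = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        members[parts[0]] = [m.strip() for m in parts[3].split(",") if m.strip()]
    return members


def groups_of(user: str, groups: Dict[str, List[str]], primary: Optional[str] = None) -> Set[str]:
    """Supplementary groups from /etc/group, plus the primary group if known."""
    result = {g for g, ms in groups.items() if user in ms}
    if primary:
        result.add(primary)
    return result


def dac_can_create(entry: dict, user: str, user_groups: Set[str]) -> Tuple[bool, str]:
    """Classic Unix check for creating an entry inside a directory: exactly
    one class applies (owner, else group, else other) and that class needs
    both 'w' and 'x'. Root bypasses DAC entirely."""
    if user == "root":
        return True, "root bypasses DAC"
    perms = entry["perms"]
    if user == entry["owner"]:
        cls, bits = "owner", perms[0:3]
    elif entry["group"] in user_groups:
        cls, bits = "group", perms[3:6]
    else:
        cls, bits = "other", perms[6:9]
    # 's' (setgid) and 't' (sticky) imply the x bit is set; 'S'/'T' do not.
    ok = bits[1] == "w" and bits[2] in "xst"
    return ok, f"{user} matches the {cls} class ({bits}); need w and x"


def explain(entries, groups, name, user, primary_group=None):
    """Return (allowed, reason, notes) for `user` creating inside `name`."""
    entry = entries[name]
    allowed, reason = dac_can_create(entry, user, groups_of(user, groups, primary_group))
    notes = []
    if entry["type"] == "l":
        notes.append(f"{name} is a symlink to {entry['target']}; the target's permissions decide, not the link's")
    if entry["acl"]:
        notes.append("'+' means a POSIX ACL is set; the group column shows the ACL mask, so run getfacl to see the real entries")
    if entry["selinux"]:
        notes.append("'.' means an SELinux label is present; a DAC 'allowed' can still be denied by the loaded policy")
    return allowed, reason, notes


if __name__ == "__main__":
    entries = parse_ls(LS_OUTPUT)
    groups = parse_group(ETC_GROUP)
    for name in ("html", "cgi-bin", "error", "pub", "html-link"):
        allowed, reason, notes = explain(entries, groups, name, "ftpuser")
        print(f"{name}: {'allowed' if allowed else 'denied'} - {reason}")
        for n in notes:
            print("   note:", n)
```

Run against the posted listing, the script reports ftpuser as allowed on html and cgi-bin through the group class, which is why the thread's later checks had to move past file modes to the FTP daemon itself and to the other layers the trailing `.` hints at.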
ASKER
my user is ftpuser, the group is ftp
I only have one user to have access via ftp
Ok, so
you log in to CentOS via ftp as "ftpuser" and
------------
cd /var/www/html
mkdir test ====> succeed or fail?
ASKER
I ftp login with CuteFTP as ftpuser but cannot make a directory named test. It fails.
I cannot run ftp on the server itself as it gives me a "command not found" error.
Would you be able to create any dir under /var/ftp/pub ?
ASKER
No, I tried that as well... unsuccessful
Please post your vsftpd.conf
make sure
write_enable=YES
Then restart vsftpd (service vsftpd restart)
ASKER
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
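The reply above checks a single key, write_enable. As an added example (not from the thread or from the vsftpd project), this Python script parses the posted configuration (re-typed as constructed sample input) the way vsftpd reads it, one option=value per line with `#` comments, fills in vsftpd's documented defaults for the keys the file does not set, and separates settings that would block an authenticated upload from hardening gaps. Because the posted file already has write_enable=YES and local_enable=YES, the audit confirms the refusal is not coming from these options; the two warnings it raises, chroot_local_user and ssl_enable left at their defaults, concern exposure of the server rather than the write failure.

```python
from typing import Dict, List, Tuple

# Constructed copy of the vsftpd.conf fragment posted above, with one comment
# line added to show that comments are skipped.
CONF = """\
# constructed sample, mirrors the posted configuration
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
"""

# vsftpd's built-in defaults for the keys this audit looks at (vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf is one option=value per line; lines starting with '#' are
    comments. vsftpd refuses to start on an option name it does not know,
    and 'key = value' with spaces is such an unknown name, so the parser
    deliberately does not strip whitespace inside the key."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key] = value
    return settings


def audit(settings: Dict[str, str]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Merge the file's settings over the defaults and return
    (effective_settings, findings). A finding is (severity, message):
    'error' blocks the goal in the thread (an authenticated local user
    uploading), 'warn' is a hardening gap that does not affect uploads."""
    eff = dict(DEFAULTS)
    eff.update(settings)
    findings: List[Tuple[str, str]] = []
    if eff["local_enable"] != "YES":
        findings.append(("error", "local_enable is not YES: local accounts cannot log in at all"))
    if eff["write_enable"] != "YES":
        findings.append(("error", "write_enable is not YES: upload, mkdir, delete and rename are refused whatever the filesystem permissions say"))
    if eff["anonymous_enable"] != "NO":
        findings.append(("warn", "anonymous_enable is YES (vsftpd's default): unauthenticated logins are accepted"))
    if eff["chroot_local_user"] != "YES":
        findings.append(("warn", "chroot_local_user is NO: a local FTP login can browse anything its Unix permissions allow, not just /var/ftp"))
    if eff["ssl_enable"] != "YES":
        findings.append(("warn", "ssl_enable is NO: passwords and file contents cross the network in cleartext"))
    return eff, findings


def blocking_findings(settings: Dict[str, str]) -> List[str]:
    """Only the findings that explain a failed upload."""
    return [msg for sev, msg in audit(settings)[1] if sev == "error"]


if __name__ == "__main__":
    parsed = parse_vsftpd_conf(CONF)
    effective, results = audit(parsed)
    print("effective write_enable =", effective["write_enable"])
    for severity, message in results:
        print(f"[{severity}] {message}")
```

An empty file audits as two errors, because vsftpd's own defaults disable both local logins and writes; that is the case the "make sure write_enable=YES" advice is guarding against.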
ASKER
It was already set to YES
Could ftpuser create a test dir anywhere?
If yes, please do
ls -l /path-to-dir (the parent dir to "test" dir)
ASKER
ftpuser can create in the /tmp folder
drwxrwxrwt. 4 root root 4096 Sep 8 15:04 tmp
ASKER
Though ftpuser can create a directory in /tmp with the above permissions, I changed the permissions to match /tmp for /var/www/html and /var/ftp/pub but still could not create. How is it that I cannot get ftpuser permission to read and write in these directories?
OK,
1.
not through FTP (cuteftp), just log in directly to Ubuntu (ssh or from console) as "ftpuser", then
cd /var/www/html
mkdir test1
If it works, then it is a vsftp setting issue:
2. Create another account, say userA, for ftp on Ubuntu, and add that account to the "ftp" group in /etc/group.
Then log in as "userA" directly, do
cd /var/www/html
mkdir test2
to make sure userA can create a directory under /var/www/html
Then use cuteftp FTP login as "userA" and create a test3 directory under /var/www/html
If it works, then the "ftpuser" account is not right.
Glad to hear you found the solution yourself. Select your post as the solution and close it.
ASKER
Was able to come across the answer on another forum.