Solved

CentOS 6 VSFTP FTP User Setup

Posted on 2011-09-07
Last Modified: 2012-05-12
I have CentOS 6 installed with vsftp, httpd, php, and phpmyadmin all loaded and running fine. By default, permissions to /var/www/html are granted to root:root, but I want the only ftp user on the server to have full access to /var/www/html and /var/www/cgi-bin.

I attempted to create a symlink from /var/ftp/pub to /var/www/html, but that does not give the user permissions to upload, change, or create in this directory.

What is the safest, most secure way of giving the ftp user access to our html and cgi-bin directories?
Question by:the-miz
31 Comments
 
LVL 38

Accepted Solution

by:
wesly_chen earned 250 total points
ID: 36498214
> giving the ftp user access to our html and cgi-bin directory
1. Create a group, say called "ftpgrp".
(as root)
groupadd ftpgrp

2. Add all the ftp users into that group, ftpgrp
edit /etc/group
ftpgrp:x:<gid>:ftpuser1,ftpuser2,ftpuser3,ftpuser4

3. Change group ownership for /var/www/html and /var/www/cgi-bin
chgrp -R ftpgrp /var/www/html /var/www/cgi-bin

4. Change permissions for /var/www/html and /var/www/cgi-bin
chmod -R 775 /var/www/html /var/www/cgi-bin

Author Comment

by:the-miz
ID: 36498461
I still get an Access Denied using CuteFTP when I try to create a directory or upload a file. I restarted the vsftpd and httpd services, and still permission denied.
LVL 38

Expert Comment

by:wesly_chen
ID: 36498804
> when I try to create a directory or upload a file.
Where?
Please do
ls -l /path-to-problem-dir
id
LVL 6

Expert Comment

by:mohansahu
ID: 36501575
Hi,

Please do the steps & check.

1. Symlink the /var/ftp/pub folder to /var/www/html

 ln -s /var/ftp/pub /var/www/html

2. Set the access control by using
 setfacl -m u:apache:--x /var/ftp/pub/
 setfacl -m u:ftpuser:rwx /var/ftp/pub/

3. Change the ownership of the pub folder
 chown -R ftpuser.ftpuser pub

4. Check with getfacl /var/ftp/pub

MS

Author Comment

by:the-miz
ID: 36501998
ls -l /var/www/ looks like this:

drwxrwxr-x.  2 root      root 4096 Jul  7 06:31 cgi-bin
drwxr-xr-x.  3 root      root 4096 Sep  7 09:12 error
drwxrwxr-x.  2 root      root 4096 Nov 11  2010 html
drwxr-xr-x.  3 root      root 4096 Sep  7 11:11 icons
drwxr-xr-x. 14 root      root 4096 Sep  7 09:13 manual
drwxr-xr-x.  2 webalizer root 4096 Sep  8 03:22 usage

ls -l /var/ftp/ looks like this:

drwxrwxr-x+  2 contechftp ftp 4096 Sep  7 14:14 pub

MS, I tried what you wrote but still no permission to create a folder, file or anything. Creating a folder gives me a "Can't create following directory:" error and "access denied" when I try to upload.
LVL 6

Expert Comment

by:mohansahu
ID: 36502166
This is a write permission problem in the pub folder.

try

 chown -R ftpuser.ftpuser /var/ftp/pub/

OR

chmod 777 /var/ftp/pub/

MS

Author Comment

by:the-miz
ID: 36502257
I tried ftpuser.ftpuser in the chown command but it says invalid user. What does the period in between ftpuser.ftpuser represent?
LVL 6

Expert Comment

by:mohansahu
ID: 36502332
ftpuser in the sense of the ftp user, i.e. whichever user you are able to access the folder with.

like: chown -R ftp.ftp /var/ftp/pub/

In the above command the username is ftp.

MS

Author Comment

by:the-miz
ID: 36502349
Well, I ran chmod 777 /var/ftp/pub but still no permission.

It seems like such a simple task: all I want is my ftpuser to be able to log in through CuteFTP and have full read/write access to the html and cgi-bin directories.
LVL 6

Assisted Solution

by:mohansahu
mohansahu earned 250 total points
ID: 36502366

Create a username called ftp and use the below command:

chown -R ftp.ftp /var/ftp/pub/

then check ls -l /var/ftp/pub/

MS
LVL 6

Expert Comment

by:mohansahu
ID: 36502394
Yes, you have to give full permission on the html and cgi-bin folders to the ftp user.

Author Comment

by:the-miz
ID: 36502464
The ftp user already exists; I ran the chown command and got

lrwxrwxrwx. 1 ftp ftp 17 Sep  8 08:32 cgi-bin -> /var/www/cgi-bin/
lrwxrwxrwx. 1 ftp ftp 14 Sep  8 08:31 html -> /var/www/html/

for permissions on /var/ftp/pub

still unable to write to html or cgi-bin :(
LVL 38

Expert Comment

by:wesly_chen
ID: 36503135
drwxrwxr-x.  2 root root 4096 Jul  7 06:31 cgi-bin
drwxrwxr-x.  2 root root 4096 Nov 11  2010 html

/var/www/cgi-bin and /var/www/html are still owned by the "root" group.
You did NOT do the third step.

If you already have an ftp group, and all the ftp users are in the "ftp" group (very important (step 2); please check the /etc/group file to verify), then
chgrp -R ftp /var/www/html /var/www/cgi-bin
LVL 38

Expert Comment

by:wesly_chen
ID: 36503149
after "chgrp -R ftp /var/www/html /var/www/cgi-bin"
please do
ls -l /var/www
grep ftp /etc/group

and post the result here

Author Comment

by:the-miz
ID: 36503515
Still the same, here are the results:

[root@servername ~]# ls -l /var/www/
total 24
drwxrwxr-x.  2 root      ftp  4096 Sep  8 08:27 cgi-bin
drwxr-xr-x.  3 root      root 4096 Sep  7 09:12 error
drwxrwxrwx.  2 root      ftp  4096 Sep  8 08:29 html
drwxr-xr-x.  3 root      root 4096 Sep  7 11:11 icons
drwxr-xr-x. 14 root      root 4096 Sep  7 09:13 manual
drwxr-xr-x.  2 webalizer root 4096 Sep  8 03:22 usage

[root@servername ~]# grep ftp /etc/group
ftp:x:50:ftpuser
LVL 38

Expert Comment

by:wesly_chen
ID: 36504183
From the result of "grep ftp /etc/group", it only shows the
login account name "ftpuser" in the group.
Are you logging in to FTP as "ftpuser"?
If you log in to FTP with another login name, say "miz", then please add miz to the ftp group
---- /etc/group ----
ftp:x:50:ftpuser,miz
------------
Then log in to ftp as "miz" and try it. (Please replace "miz" with the actual FTP account name.)
For all other FTP login names, say ftp1, ftp2...., please add them to /etc/group
ftp:x:50:ftpuser,miz,ftp1,ftp2,ftp3

Author Comment

by:the-miz
ID: 36504291
My user is ftpuser, the group is ftp.

I only have one user who has access via ftp.
LVL 38

Expert Comment

by:wesly_chen
ID: 36504337
OK, so
you FTP login to CentOS as "ftpuser" and
------------
cd /var/www/html
mkdir test   ====> succeed or fail?

Author Comment

by:the-miz
ID: 36504647
I log in to FTP with CuteFTP as ftpuser but cannot make a directory named test. It fails.

I cannot run ftp on the server itself as it gives me a "command not found" error.
LVL 38

Expert Comment

by:wesly_chen
ID: 36504853
Would you be able to create any dir under /var/ftp/pub?

Author Comment

by:the-miz
ID: 36504992
No, I tried that as well... unsuccessful.
LVL 38

Expert Comment

by:wesly_chen
ID: 36505046
Please post your vsftpd.conf
make sure
write_enable=YES

Then restart vsftpd (service vsftpd restart)

Author Comment

by:the-miz
ID: 36505135
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES

Author Comment

by:the-miz
ID: 36505144
It was already set to YES.
LVL 38

Expert Comment

by:wesly_chen
ID: 36505160
Could ftpuser create a test dir anywhere?
If yes, please do
ls -l /path-to-dir   (the parent dir of the "test" dir)

Author Comment

by:the-miz
ID: 36505218
ftpuser can create in the /tmp folder

drwxrwxrwt.   4 root root  4096 Sep  8 15:04 tmp

Author Comment

by:the-miz
ID: 36509829
Though ftpuser can create a directory in /tmp with the above permissions, I changed the permissions on /var/www/html and /var/ftp/pub to match /tmp but still could not create. How is it that I cannot get ftpuser permission to read and write in these directories?
LVL 38

Expert Comment

by:wesly_chen
ID: 36511002
OK,
1.
Not through FTP (CuteFTP); just log in to Ubuntu directly (ssh or from the console) as "ftpuser", then
cd /var/www/html
mkdir test1

If it works, then it is a vsftp setting issue:

2. Create another account, say userA, for ftp on Ubuntu, and add that account to the "ftp" group in /etc/group.
Then log in as "userA" directly, do
cd /var/www/html
mkdir test2
to make sure userA can create a directory under /var/www/html

Then use CuteFTP to log in as "userA" and create a test3 directory under /var/www/html
If it works, then the "ftpuser" account is not right.

Assisted Solution

by:the-miz
the-miz earned 0 total points
ID: 36511037
Corrected the problem.

SELinux is enabled. Entered the following command:

# setenforce 0

I was able to write to the directory.

Thanks everyone
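Before settling on setenforce 0, a practitioner would want the two checks this thread performed by hand, plus the narrower fix the diagnosis points to; the script below is an added example written for this edit, not code from the thread. It assumes CentOS 6 with the audit and policycoreutils-python (semanage) packages installed, the boolean and type names of the CentOS 6 targeted policy (verify with getsebool -a | grep ftp), and ftpuser's group membership as shown above.

```shell
#!/bin/sh
# Added example (not from the thread). dac_can_write judges classic permissions from an
# "ls -l" line like the ones pasted above; avc_summary pulls SELinux denials out of
# audit.log; fix_ftp_write relabels the web tree for vsftpd instead of disabling
# enforcement. Assumes CentOS 6 with the audit and policycoreutils-python packages.

# dac_can_write "<ls -l line>" <user> "<user's groups>" -> returns 0 if DAC allows writing.
dac_can_write() {
  user=$2; groups=$3
  set -- $1                         # split the ls line: $1=mode $2=links $3=owner $4=group
  mode=$1; owner=$3; group=$4
  [ "$user" = root ] && return 0
  if [ "$user" = "$owner" ]; then
    bit=$(echo "$mode" | cut -c3)   # owner write bit
  elif echo " $groups " | grep -q " $group "; then
    bit=$(echo "$mode" | cut -c6)   # group write bit
  else
    bit=$(echo "$mode" | cut -c9)   # other write bit
  fi
  [ "$bit" = w ]
}

# Reduce AVC denial records read from stdin to "<process> <object> <target context>".
avc_summary() {
  sed -n '/type=AVC.*denied/s/.*comm="\([^"]*\)".*name="\([^"]*\)".*tcontext=\([^ ]*\).*/\1 \2 \3/p'
}

# Constructed AVC record for this thread's symptom: vsftpd (ftpd_t) denied a write to
# /var/www/html, which carries the httpd content label. Not real log data.
SAMPLE_AVC='type=AVC msg=audit(1315484400.123:456): avc:  denied  { write } for  pid=1234 comm="vsftpd" name="html" dev=dm-0 ino=131 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# Label a tree as ftp-writable public content (persistently, so restorecon keeps it)
# and allow the ftpd domain to write that type; httpd can still read public_content_rw_t.
# Despite its name, the boolean applies to the ftpd domain as a whole, local logins included.
fix_ftp_write() {
  semanage fcontext -a -t public_content_rw_t "$1(/.*)?"
  restorecon -Rv "$1"
  setsebool -P allow_ftpd_anon_write on
}

# On the server (as root):
#   dac_can_write "$(ls -ld /var/www/html)" ftpuser "$(id -Gn ftpuser)" && echo "DAC allows write"
#   avc_summary < /var/log/audit/audit.log | sort | uniq -c   # non-empty => SELinux is the blocker
#   fix_ftp_write /var/www/html && fix_ftp_write /var/www/cgi-bin
```

Run against the listings pasted in this thread, dac_can_write says yes for the root:ftp directories once ftpuser is in the ftp group, so a non-empty avc_summary is what separates a labelling problem from a permission problem.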
LVL 38

Expert Comment

by:wesly_chen
ID: 36511062
Glad to hear you found the solution yourself. Select your post as the solution and close it.

Author Closing Comment

by:the-miz
ID: 36534693
Was able to come across the answer on another forum.