Solved

CentOS 6 VSFTP FTP User Setup

Posted on 2011-09-07
31
1,195 Views
Last Modified: 2012-05-12
I have CentOS 6 installed with vsftp, httpd, php, and phpmyadmin all loaded and running fine.  By default, permissions to var/www/html is granted to root:root  but I want the only ftp user on the server to have full access to the var/www/html and var/www/cgi-bin    

I attempted to create a symlink from var/ftp/pub to var/www/html but that does not give the user permissions to upload, change, or create in this directory.  

What is the safest most secure way of giving the ftp user access to our html and cgi-bin directory?
Question by:the-miz
31 Comments
 
LVL 38

Accepted Solution

by:
wesly_chen earned 250 total points
ID: 36498214
>  giving the ftp user access to our html and cgi-bin directory
1. Create a group, say called "ftpgrp".
(as root)
groupadd  ftpgrp

2. Add all the ftp user into that group, ftpgrp
edit  /etc/group
ftpgrp:x:<gid>:ftpuser1,ftpuser2,ftpuser3,ftpuser4

3. Change group ownership for  /var/www/html and /var/www/cgi-bin
chgrp -R ftpgrp  /var/www/html  /var/www/cgi-bin

4. Change permission for /var/www/html and /var/www/cgi-bin
chmod -R 775  /var/www/html  /var/www/cgi-bin
0
 

Author Comment

by:the-miz
ID: 36498461
I still get an Access Denied using cuteftp when I try to create a directory or upload a file.  I restarted the vsftpd service and httpd service, and still permission denied.
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36498804
> when I try to create a directory or upload a file.  
Where?
Please do
ls -l  /path-to-problem-dir
id
0
 
LVL 6

Expert Comment

by:mohansahu
ID: 36501575
Hi,

Please do the steps & check it.

1. symlink the /var/ftp/pub folder to /var/www/html

 ln -s   /var/ftp/pub /var/www/html

2. set the access control by using
 setfacl -m u:apache:--x /var/ftp/pub/
 setfacl -m u:ftpuser:rwx /var/ftp/pub/

3. change the ownership of the pub folder
 chown -R ftpuser.ftpuser pub

4. check the getfacl /var/ftp/pub folder

MS

0
 

Author Comment

by:the-miz
ID: 36501998
ls -l /var/www/  looks like this:

drwxrwxr-x.  2   root         root 4096   Jul     7 06:31 cgi-bin
drwxr-xr-x.   3   root          root 4096  Sep   7 09:12 error
drwxrwxr-x.  2   root         root 4096   Nov 11  2010 html
drwxr-xr-x.   3   root          root 4096  Sep   7 11:11 icons
drwxr-xr-x.  14  root          root 4096  Sep   7 09:13 manual
drwxr-xr-x.   2   webalizer root 4096  Sep   8 03:22 usage

ls -l /var/ftp/ looks like this:

drwxrwxr-x+   2   contechftp   ftp  4096  Sep  7 14:14 pub

MS, I tried what you wrote but still no permission to create a folder, file or anything.  Create a folder gives me a "Can't create following directory:" error and "access denied" when I try to upload.
0
 
LVL 6

Expert Comment

by:mohansahu
ID: 36502166
This is a write permission problem in the pub folder.

try

 chown -R ftpuser.ftpuser /var/ftp/pub/

OR

chmod 777 /var/ftp/pub/

MS
0
 

Author Comment

by:the-miz
ID: 36502257
Tried ftpuser.ftpuser in the chown command but it says invalid user.  What does the period in between ftpuser.ftpuser represent?
0
 
LVL 6

Expert Comment

by:mohansahu
ID: 36502332
"ftpuser" here means the ftp user: whichever user you are able to access the folder as.

Like:  chown -R ftp.ftp /var/ftp/pub/

In the above command the username is ftp.

MS
0
 

Author Comment

by:the-miz
ID: 36502349
Well I chmod 777 /var/ftp/pub  but still no permission.

It seems like such a simple task, all I want is my ftpuser to be able to log in through cuteftp and have full read/write access to html and cgi-bin directory.  
0
 
LVL 6

Assisted Solution

by:mohansahu
mohansahu earned 250 total points
ID: 36502366
Create a username called ftp and use the below command:
 
chown -R ftp.ftp /var/ftp/pub/

then check ls -l /var/ftp/pub/

MS
0
 
LVL 6

Expert Comment

by:mohansahu
ID: 36502394
Yes, you have to give full permission on the html and cgi-bin folders to the ftp user.

 

Author Comment

by:the-miz
ID: 36502464
ftp user already exists, ran the chown command and got

lrwxrwxrwx. 1 ftp ftp 17 Sep  8 08:32 cgi-bin -> /var/www/cgi-bin/
lrwxrwxrwx. 1 ftp ftp 14 Sep  8 08:31 html -> /var/www/html/

for permissions on /var/ftp/pub

still unable to write to html or cgi-bin :(
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36503135
drwxrwxr-x.  2   root         root 4096   Jul     7 06:31 cgi-bin
drwxrwxr-x.  2   root         root 4096   Nov 11  2010 html

/var/www/cgi-bin  and /var/www/html   are still owned by the "root" group.
You did NOT do the third step.

If you already have an ftp group, and all the ftp users are in the "ftp" group (very important (step 2); please check the /etc/group file to verify),
then
chgrp   -R   ftp    /var/www/html   /var/www/cgi-bin
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36503149
after  "chgrp   -R   ftp    /var/www/html   /var/www/cgi-bin"
please do
ls  -l   /var/www
grep  ftp  /etc/group

and post the result here
0
 

Author Comment

by:the-miz
ID: 36503515
Still same, here's the results:

[root@servername ~]# ls -l /var/www/
total 24
drwxrwxr-x.    2 root          ftp   4096 Sep  8 08:27 cgi-bin
drwxr-xr-x.     3 root          root 4096 Sep  7 09:12 error
drwxrwxrwx.  2 root          ftp   4096 Sep  8 08:29 html
drwxr-xr-x.     3 root          root 4096 Sep  7 11:11 icons
drwxr-xr-x.   14 root          root 4096 Sep  7 09:13 manual
drwxr-xr-x.     2 webalizer root 4096 Sep  8 03:22 usage


[root@servername ~]# grep ftp /etc/group
ftp:x:50:ftpuser
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36504183
From the result of "grep ftp /etc/group", it only shows
the login account name "ftpuser" as a group member.
Do you FTP login as "ftpuser"?
If you FTP login as another login name, say "miz", then please add miz to the ftp group
---- /etc/group ----
ftp:x:50:ftpuser,miz
------------
Then ftp login as "miz" and try it.  (Please replace "miz" with the actual FTP account name.)
All other FTP login names, say ftp1, ftp2.... please add to /etc/group
ftp:x:50:ftpuser,miz,ftp1,ftp2,ftp3
0
 

Author Comment

by:the-miz
ID: 36504291
my user is ftpuser, the group is ftp

I only have one user to have access via ftp
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36504337
Ok, so
you FTP login to CentOS as "ftpuser" and
------------
cd  /var/www/html
mkdir  test   ====> succeed or fail?
0
 

Author Comment

by:the-miz
ID: 36504647
I ftp login with CuteFTP as ftpuser but cannot make a directory named test.  It fails.

I cannot run ftp on the server itself as it gives me a "command not found" error.
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36504853
Would you be able to create any dir under  /var/ftp/pub ?
0
 

Author Comment

by:the-miz
ID: 36504992
No, I tried that as well...  unsuccessful
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36505046
Please post your vsftpd.conf
make sure
write_enable=YES

Then restart vsftpd (service vsftpd restart)
0
 

Author Comment

by:the-miz
ID: 36505135
anonymous_enable=NO

local_enable=YES

write_enable=YES

local_umask=022

dirmessage_enable=YES

xferlog_enable=YES

connect_from_port_20=YES

xferlog_std_format=YES

listen=YES

pam_service_name=vsftpd
userlist_enable=NO
tcp_wrappers=YES
0
 

Author Comment

by:the-miz
ID: 36505144
It was already set to YES
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36505160
Can ftpuser create a test dir anywhere?
If yes, please do
ls  -l /path-to-dir   (the parent dir of the "test" dir)
0
 

Author Comment

by:the-miz
ID: 36505218
ftpuser can create in the /tmp folder

drwxrwxrwt.   4 root root  4096 Sep  8 15:04 tmp
0
 

Author Comment

by:the-miz
ID: 36509829
Though ftpuser can create a directory in /tmp with the above permissions, I changed the permissions to match the /tmp for /var/www/html and /var/ftp/pub  but still could not create.  How is it that I can not get ftpuser permission to read and write in these directories?
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36511002
OK,
1.
Not through FTP (cuteftp); just log in to Ubuntu directly (ssh or from console) as "ftpuser", then
cd  /var/www/html
mkdir test1

If it works, then it is a vsftp setting issue.

2. Create another account, say userA, for ftp on Ubuntu, and add that account to the "ftp" group in /etc/group.
Then log in as "userA" directly, do
cd  /var/www/html
mkdir test2
to make sure userA can create a directory under /var/www/html

Then use cuteftp to FTP login as "userA" and create a test3 directory under /var/www/html
If that works, then the "ftpuser" account is not right.
0
 

Assisted Solution

by:the-miz
the-miz earned 0 total points
ID: 36511037
Corrected the problem.

SELinux is enabled. Entered the following command:

# setenforce 0

I was able to write to the directory.

Thanks everyone
0
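The thread works through two separate access-control layers: the accepted answer's group/mode-bit steps (DAC), and the asker's final finding that SELinux (MAC) was the real blocker even after `ls -l` showed `drwxrwxrwx`. The following is an added example, not code from the thread, that automates that same diagnosis: it parses the `ls -l` and `/etc/group` lines the asker posted, applies the classic owner/group/other check, and, when DAC passes, reads a constructed AVC denial record of the shape vsftpd logs to `/var/log/audit/audit.log` (the audit line, its contexts and pid/inode values are assumed; the thread never posted one).

```python
import re

# Constructed sample input: the `ls -l /var/www/` and `grep ftp /etc/group` lines
# posted in the thread, plus an AVC denial of the shape found in
# /var/log/audit/audit.log (assumed format and values, not from the thread).
LS_HTML = "drwxrwxrwx.  2 root          ftp   4096 Sep  8 08:29 html"
GROUP_FTP = "ftp:x:50:ftpuser"
AVC = ('type=AVC msg=audit(1315500000.123:456): avc:  denied  { write } for  pid=1234 '
       'comm="vsftpd" name="html" dev=dm-0 ino=12345 '
       'scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir')

LS_RE = re.compile(r'^([dl-])([rwxsStT-]{9})([.+]?)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+'
                   r'\S+\s+\d+\s+\S+\s+(.+)$')

def parse_ls(line):
    """Return (mode, owner, group, name, marker). The marker right after the mode
    bits is what CentOS 6 `ls` prints: '.' = SELinux context set, '+' = POSIX ACL."""
    _kind, mode, marker, owner, group, name = LS_RE.match(line).groups()
    return mode, owner, group, name, marker

def group_members(group_line):
    """Parse one /etc/group line into (group name, supplementary member list)."""
    name, _pw, _gid, members = group_line.split(':')
    return name, [m.strip() for m in members.split(',') if m.strip()]

def dac_can_write(ls_line, user, user_groups):
    """Classic Unix check: choose the owner/group/other triplet, test its 'w' bit."""
    mode, owner, group, _name, _marker = parse_ls(ls_line)
    if user == owner:
        return mode[1] == 'w'
    if group in user_groups:
        return mode[4] == 'w'
    return mode[7] == 'w'

def parse_avc(line):
    """Pull the fields that matter out of an SELinux AVC denial record."""
    pats = {'perm': r'denied\s+\{ ([^}]+) \}', 'comm': r'comm="([^"]+)"',
            'scontext': r'scontext=(\S+)', 'tcontext': r'tcontext=(\S+)',
            'tclass': r'tclass=(\w+)'}
    return {k: re.search(p, line).group(1).strip() for k, p in pats.items()}

def diagnose(ls_line, group_line, user, avc_line=None):
    """Explain an FTP 'access denied' in the order the thread had to discover it:
    DAC first (mode bits and group membership), then MAC (an AVC record)."""
    gname, members = group_members(group_line)
    if not dac_can_write(ls_line, user, [gname] if user in members else []):
        return 'dac-denied: fix mode bits or group membership'
    if parse_ls(ls_line)[4] == '.' and avc_line:
        a = parse_avc(avc_line)
        return 'selinux-denied: %s in %s may not %s a %s labelled %s' % (
            a['comm'], a['scontext'].split(':')[2], a['perm'], a['tclass'],
            a['tcontext'].split(':')[2])
    return 'allowed by DAC; if still denied, check /var/log/audit/audit.log'
```

When DAC passes but an AVC record like this appears, the remedy is scoped to that type label or to the ftpd SELinux booleans (`getsebool -a | grep ftp`) rather than a global `setenforce 0`.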
 
LVL 38

Expert Comment

by:wesly_chen
ID: 36511062
Glad to hear you found the solution yourself. Select your post as the solution and close it.
0
 

Author Closing Comment

by:the-miz
ID: 36534693
Was able to come across the answer on another forum.
0
