SFTP problem with Virtual Machine

I am trying to use Fetch to sftp some files to a virtual machine.  This is the error I get:

https://gyazo.com/d08a0f674602d181ce3748006f8a4e04

This is the iptables setup:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:16509
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:16514
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:sftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Here is the netstat output:

[root@localhost tmp]# netstat -plant | grep 22
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2274/sshd          
tcp        0      0 :::22                       :::*                        LISTEN      2274/sshd          

The directory is chowned root:root.

From /var/log/secure:

Oct  2 07:56:46 localhost sshd[4302]: Accepted password for webmaster from 192.168.0.178 port 50528 ssh2
Oct  2 07:56:46 localhost sshd[4302]: pam_unix(sshd:session): session opened for user webmaster by (uid=0)
Oct  2 07:56:46 localhost sshd[4304]: subsystem request for sftp

I have the user webmaster on both the source and target machine with the same password.  Webmaster is in the visudo file for root privileges.

Thanks,
sharingsunshine Asked:

savone Commented:
First, SFTP is a subsystem of SSH, so having two iptables rules (one for SSH and one for SFTP) is redundant and not needed.

Next, this is probably:

1) A file level permission issue
or
2) SELINUX

Third, SFTP does not work with sudo (some command-line tools will work, but no clients that I know of). When you try to PUT the file, it is not doing "sudo put", it is just doing put, which will fail (as you can see).

A decent (but not perfect) work around would be to either give the webmaster GROUP access to the files like so:

chown -R root:webmaster /var/www/html/*

Then make sure the group has rw permissions like so:

chmod -R 764 /var/www/html/*

Also, be aware that SELINUX can still deny this action.

Check to see if selinux is enforcing:

sestatus

You can look in the /var/log/audit/audit.log file to see if SELinux is taking action.

Good luck.
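An added example, not from the original thread, of applying the group-write scheme described in the comment above with a shell function. A recursive chmod 764 also removes the group's execute bit on directories, which the group needs in order to enter them, so the function sets directories and files separately: directories get 2775 (setgid, so later uploads inherit the directory's group) and files 664. /var/www/html and the webmaster group are the thread's; the scratch tree in demo and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original thread: give a group read/write on a
# web root so an SFTP user in that group can upload without sudo.
#
# Directories get 2775: rwx for owner and group, setgid so files created
# later inherit the directory's group. Files get 664: rw for owner and group.
# A recursive "chmod 764" would leave directories without the group x bit.
# chown needs root, so non-root callers only get the mode fix (the tree
# they pass must already belong to them and their group).

set_webroot_perms() {
    webroot=$1
    group=$2
    [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "root:$group" "$webroot" || return 1
    fi
    find "$webroot" -type d -exec chmod 2775 {} + || return 1
    find "$webroot" -type f -exec chmod 664 {} + || return 1
}

# Number of entries under DIR the group still cannot write to; 0 means done.
count_not_group_writable() {
    find "$1" ! -perm -g+w | wc -l | tr -d ' '
}

# Demonstration on a scratch tree (constructed input; the thread would use
# /var/www/html and the webmaster group instead).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/wp-content/uploads"
    printf '<?php echo "hi";\n' > "$tmp/index.php"
    chmod 700 "$tmp/wp-content" "$tmp/wp-content/uploads"
    chmod 600 "$tmp/index.php"
    set_webroot_perms "$tmp" "$(id -gn)" || return 1
    count_not_group_writable "$tmp"
    rm -rf "$tmp"
}

# Real use on the thread's server, as root:
#   set_webroot_perms /var/www/html webmaster
```

Run it as root against the real web root after webmaster is in the group. The setgid bit on directories is what makes later uploads land with the right group; the umask 002 discussed further down the thread is what then makes those uploads group-writable.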
sharingsunshine (Author) Commented:
SELinux is disabled:

[root@localhost cache]# sestatus
SELinux status:                 disabled

Thanks for the explanation on the put vs sudo put.  I now see why it isn't working.

Rather than chowning all the files, how can I give the webmaster group similar privileges to root? Because there will be other files that need to be put on the VM and I prefer not to change all of them.
savone Commented:
There is no way to give the webmaster group similar privileges without changing the privileges on the files.

You don't have to change all the files, just all the files in the root directory of the webserver which the webmaster will be changing.  I am assuming this is what you want since you're using the webmaster account and adding a php file.
sharingsunshine (Author) Commented:
This is what was done for our actual server, but I don't understand all the switches on the commands without doing some research.

Can you step me through doing this using this method?  Because I have webmaster as a user already but not added in the same manner.

You will need a new user that will only be used for FTP uploads -- in this example 'webmaster'. Add this user like this:

sudo useradd -m -g apache webmaster

Change the user's default umask:

sudo su -c 'echo "umask 002" >> /home/webmaster/.bashrc'

Add the password for the user (alternatively, create an SSH key):

sudo passwd webmaster

If using a password, set "PasswordAuthentication yes" in /etc/ssh/sshd_config - remember to restart the ssh service:

sudo sshd restart

This user now has a default group of "apache" and will have writable permissions when creating files and directories.

2. Change permissions so the new user can write

In order to add write permission to our new user, we have to make changes to our current structure - to allow members of the 'apache' group to be able to write:

sudo chmod -R g+w /data

You can now log in via your SFTP client, and you will be able to write to /data and underlying directories as the 'webmaster' user. Anything you write will have permissions:

drwxrwxr-x 2 webmaster apache 4096 May 31 14:23 testdir
-rw-rw-r-- 1 webmaster apache 4993 May 31 14:23 testfile

As you can see, the apache group can write to the files/dirs as well, so you never have to log in to the instance and manually change permissions.
savone Commented:
If you just add the user to the apache group, change permissions and set their umask it should work fine.


sudo usermod -a -G apache webmaster

Then, set the umask:

sudo su -c 'echo "umask 002" >> /home/webmaster/.bashrc

Now set the permissions:

sudo chmod -R g+w /data
sharingsunshine (Author) Commented:
I tried to implement your code based on what I need and found that in your echo command there was a missing ', so I put it behind the last ".  It then accepted that command.  Then I went to change permissions, but you had /data, which is what is on the server from my original directions.  So in my case I used /var and it seemed to work.


[root@localhost ~]# su -c 'echo "umask 002"' >> /home/webmaster/.bashrc

[root@localhost ~]# chmod -R g+w /var

Not knowing the commands well, I am not sure what I have done.  Webmaster is still there:

webmaster:x:501:501::/home/webmaster:/bin/bash

I changed the password to make sure I had the right one.

However, I am getting this error now when I try to sftp to the server, and now root doesn't work either, and it used to work fine.
https://gyazo.com/9a7b8a48efed2234b45546c1d298c9bb

So I must have misunderstood the intent when I added in the extra single quote.  Please help me to get this sorted out.

Thanks,
sharingsunshine (Author) Commented:
I am now getting this message every time I use sudo -i after I am logged in.

sudo: /var/db/sudo writable by non-owner (040720), should be mode 0700

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
savone Commented:
To fix the sudo error do:

chmod 0700 /var/db/sudo


This was caused because you did:

chmod -R g+w /var

INSTEAD of

chmod -R g+w /data


This means you changed all the permissions in the /var directory. Other issues might arise from this, but without knowing exactly what we will have to work through them as found.

The sudo command that was missing a single quote should have been:

sudo su -c 'echo "umask 002" >> /home/webmaster/.bashrc'
sharingsunshine (Author) Commented:
Some progress, in that the warning message for sudo has gone away.

I am also getting the same error on trying to log in with webmaster using sftp.

https://gyazo.com/19a66ed57466973ea2d75f22b43dd660

Running chkconfig shows sshd isn't on, so I tried to start it and got this error:
https://gyazo.com/9cf3640a77a2196d03bcd419a9091fe7
savone Commented:
So ssh daemon did not start, again because of another /var permissions error.  I am expecting to see a lot of those.

This should fix it.
chown root:root /var/empty/sshd
chmod 744 /var/empty/sshd


Then try to start sshd again.
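An added example, not from the original thread, for the "I am expecting to see a lot of those" situation in the two comments above: after an accidental chmod -R g+w /var, list what became group- or world-writable and check the paths that privileged daemons verify against the modes they require, then put them back. The 0700 for /var/db/sudo is taken from sudo's own error message quoted above; that /var/empty/sshd must be root-owned and not group/world writable is what the sshd fix above addresses. The 711 used for the sshd directory in the demo, the scratch layout, and all function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original thread: audit a tree after an
# accidental "chmod -R g+w /var" and restore a few modes that privileged
# daemons insist on. /var/db/sudo must be 0700 (sudo's error above);
# /var/empty/sshd must not be group/world writable (the sshd fix above).
# The 711 for the sshd directory and the scratch layout in demo are assumptions.

# Print every entry under DIR that group or others can write to.
list_group_or_world_writable() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# 0 if PATH has exactly octal MODE (e.g. 700), 1 otherwise.
has_mode() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2" 2>/dev/null)" ]
}

# Read "path mode" lines on stdin; print each violator, return 1 if any.
check_expected_modes() {
    rc=0
    while read -r p mode; do
        [ -e "$p" ] || continue
        has_mode "$p" "$mode" || { echo "$p: expected $mode"; rc=1; }
    done
    return $rc
}

# Read the same "path mode" lines and apply them
# (the generalisation of "chmod 0700 /var/db/sudo" from the comment above).
repair_expected_modes() {
    while read -r p mode; do
        [ -e "$p" ] && chmod "$mode" "$p"
    done
    return 0
}

# Demonstration on a scratch tree shaped like the parts of /var the thread hit
# (constructed; never run the slip itself against the real /var).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/db/sudo" "$tmp/empty/sshd" "$tmp/log"
    chmod 700 "$tmp/db/sudo"
    chmod 711 "$tmp/empty/sshd"
    chmod 755 "$tmp/log"
    chmod -R g+w "$tmp"                 # the slip, on the scratch tree only
    rules=$(printf '%s 700\n%s 711\n' "$tmp/db/sudo" "$tmp/empty/sshd")
    before=$(printf '%s\n' "$rules" | check_expected_modes | wc -l | tr -d ' ')
    printf '%s\n' "$rules" | repair_expected_modes
    after=$(printf '%s\n' "$rules" | check_expected_modes | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "before=$before after=$after"
}

# Real use on the damaged machine, as root:
#   list_group_or_world_writable /var
#   printf '/var/db/sudo 700\n/var/empty/sshd 711\n' | check_expected_modes
```

The listing is the useful part: most of what it prints under /var/log, /var/spool and /var/lib was never meant to be group-writable either, and each daemon that checks its own directory (sudo and sshd did here) will refuse to start until its entry is fixed, so extend the "path mode" list as those failures appear rather than guessing.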

sharingsunshine (Author) Commented:
That got ssh to work and I am able to sftp with webmaster and with howdy.

So great going.

Thanks for coming back and helping me get this going.
savone Commented:
You are welcome.  I am sorry there was a delay there, but I have a job and a family! :)

Just be aware that the /var directory might cause more issues in the future because of that slip-up you made early on.  If you need more help, I am sure there are a lot of people on EE that will help.  It may also be wise to look up "understanding linux permissions" and do some reading.

Good luck!
sharingsunshine (Author) Commented:
Thanks again, I will do that.

I knew I needed some more background in permissions so I will use that phrase as a search argument.