CentOS Local User not able to view directories/files via FTP login
First of all, I'd create a symlink between /var/www/ and my home. What this does is, when you land in /home/usr you can go to /home/usr/www and it will redirect you to /var/www.
For instance:
cd /home/usr
sudo ln -s /var/www www
Perform an ls -lrt on /var/www:
ls -lrt /var/www/
Now make sure your usr is part of the group that owns www. This tells you who owns that directory; if it's root:root, it's a bad practice. Depending on your distro, it could be www-data or apache etc.
grep -e apache -e http -e ftp -e www /etc/group
apache:x:48:
If usr is at the end of the result, your usr is part of that group. If you don't have a group that owns www and it's root:root, create one:
groupadd www-data
Assuming that group is www-data:
# on CentOS adduser is just useradd, so append the supplementary group with usermod -aG
sudo usermod -aG www-data usr
Now make your user the boss of www:
sudo chown usr:www-data -R /var/www
Set the right permissions on www:
sudo chmod 0755 -R /var/www
# setgid only on directories (so new files inherit the www-data group), not on files
sudo find /var/www -type d -exec chmod g+s {} +
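The same procedure as a script, as an added example that is not part of the original answer. The names /var/www, usr and www-data are assumptions taken from the answer above; on CentOS the Apache group is usually apache, so check ls -ld /var/www and /etc/group first. Only the --apply path touches the live system and needs root; the helper functions work on any directory and any user, so they can be tried on a scratch tree without privileges. Directories get 2755 (setgid) and regular files 0644, which is what the answer's chmod g+s intends, but without putting the setgid bit on files.

```shell
#!/bin/sh
# Added example (not the original answer's code). Assumed names:
# WEBROOT=/var/www, FTPUSER=usr, WEBGROUP=www-data (apache on CentOS).
# Usage on the real host, as root:  sh fix-webroot.sh --apply /var/www usr www-data
set -eu

# Return 0 if USER is a member (primary or supplementary) of GROUP.
user_in_group() {
    user=$1; group=$2
    groups=$(id -Gn "$user" 2>/dev/null) || return 1
    for g in $groups; do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}

# Fix modes under DIR: directories 2755 (rwxr-xr-x plus setgid so new
# files inherit the directory's group), regular files 0644.
# Unlike "chmod -R g+s", this never sets the setgid bit on a file.
fix_tree_perms() {
    dir=$1
    find "$dir" -type d -exec chmod 2755 {} +
    find "$dir" -type f -exec chmod 0644 {} +
}

# Return 0 if every directory under DIR has setgid and no regular file
# does; otherwise list the offenders on stderr and return 1.
verify_tree_perms() {
    dir=$1
    bad=$(find "$dir" -type d ! -perm -2000 -print; find "$dir" -type f -perm -2000 -print)
    [ -z "$bad" ] || { printf 'bad modes:\n%s\n' "$bad" >&2; return 1; }
}

# The privileged steps from the answer, in order: group, membership,
# ownership, modes, and the convenience symlink in the user's home.
apply_webroot() {
    webroot=$1; ftpuser=$2; webgroup=$3
    getent group "$webgroup" >/dev/null || groupadd "$webgroup"
    # CentOS: adduser is useradd, so append the group with usermod -aG
    user_in_group "$ftpuser" "$webgroup" || usermod -aG "$webgroup" "$ftpuser"
    chown -R "$ftpuser:$webgroup" "$webroot"
    fix_tree_perms "$webroot"
    home=$(getent passwd "$ftpuser" | cut -d: -f6)
    [ -e "$home/www" ] || ln -s "$webroot" "$home/www"
    verify_tree_perms "$webroot"
}

if [ "${1:-}" = "--apply" ]; then
    apply_webroot "$2" "$3" "$4"
fi
```

verify_tree_perms is the check worth re-running after every upload session: a file with the setgid bit, or a directory without it, means the group inheritance the answer relies on has been broken by an FTP client that pushes its own modes.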
Ryan Prentiss
Updated on September 18, 2022

Comments
-
Ryan Prentiss over 1 year
Currently running CentOS 6.5 with vsftpd.
I would like to explain my process and then have the proper process explained back to me from scratch which I believe will solve my issue.
I am currently able to log into my server via FTP from my "root" user account, but I understand that is bad practice. So what I need to do is create another local user/virtual user (I really do not know) to be able to access via FTP the "/var/www" directory.
(I'm simply needing to get to the point where I can begin uploading web files, as I'm a web programmer, not a system administrator -- but I was so pleasantly surprised with a dedicated server to work with.)
Initially I created a Local User, but was only able to FTP the "home" user directory. So I next tried unjailing that user via CHROOT (vsftpd.conf). That worked sort of; the parent directories were visible, but upon navigating up to them via FTP everything disappeared (possibly an issue with permissions, I don't know). Next I tried rejailing the Local User and then modifying its "home" directory from "/home/" to "/var/www". After attempting that, I FTP'd in and then could not see anything, so another fail. I've since returned the user's "home" directory back to "/home/" and crawl over to SOF confused as hell.
vsftpd.conf
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
chroot_list_enable=NO
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pasv_enable=YES
pasv_min_port=50000
pasv_max_port=51000
port_enable=YES
pasv_address=xxx.xxx.xxx.xxx
pasv_addr_resolve=NO

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Any help is greatly appreciated.
-
Elliott Frisch about 10 years
What user is serving "/var/www"? That's the one you should login as. I'm not sure that "chroot" is going to be very effective, because you want this user to be able to change the real files (or am I missing something)?
-
Ryan Prentiss about 10 years
@ElliottFrisch Currently the only user able to access everything including "/var/www" is the "root".
-
Elliott Frisch about 10 years
So, you don't have apache serving content from that folder?
-
slm about 10 years
Do you have to use FTP? If you can SSH into the server you can do the file transferring using just SCP (you can use clients to do this as well, such as filezilla), forgoing the need to maintain an FTP server.
-
Ryan Prentiss about 10 years
@ElliottFrisch Yes, apache is serving that folder.
-
Elliott Frisch about 10 years
And, what user is Apache running as?
-
Ryan Prentiss about 10 years
@ElliottFrisch I believe "root". There were no Local Users on the server prior to the installation of Apache and vsftpd. I've just recently added the Local User in an attempt to not use the "root" as an ftp login.
-
Elliott Frisch about 10 years
@RyanPrentiss Probably not. Apache is usually run as "apache" or "httpd" or "web". You can probably tell by the permissions on /var/www. Make /var/www group readable and writable, and add that group to your "ftp" account. Using scp is probably a better solution anyway.
-
Elliott Frisch about 10 years
FTP won't allow you to restart Apache. What exactly are you asking about there? How to get the logs? You probably don't want to copy your logs like that... those files tend to be massive.
-
Ryan Prentiss about 10 years
@ElliottFrisch No, I'm trying to figure out 1) exactly where I am supposed to upload my web files, and 2) how to give my local users permission to ftp to that destination.
-
Elliott Frisch about 10 years
Should your local users have permission to delete all of the files? Normally, users serve content out of their home folders... if they actually own the entire site then /var/www is it.
-
Ryan Prentiss about 10 years
@ElliottFrisch Well, the server is for one client who will be launching several of his own websites off of it. So anyone accessing the server will more than likely be using the same ftp credentials. I guess I'm confused on several ends: what exactly is "/var/www", how that location differs from the apache location of "/etc/httpd", and then both locations' relation to the "/home/<username>" location. It seems only the "root" user has access to the "/var/www" and "/etc/httpd" folders.
-
Elliott Frisch about 10 years
First, "/etc/httpd" is for configuration (not content). Second, "/var/www" is for the primary host (not a virtual host). Third, for virtual hosting - you can make that directory somewhere else (but that's apache configuration, not ftp).
-