
permission issue with vsftp 2

Status
Not open for further replies.

Griffyn

Hi all,

I'm a Linux semi-newbie. I've installed Ubuntu server 9, Webmin and vsftp in a virtual machine. I want this ftp service to provide read-only anonymous access to a single folder, and write access via authentication to the same single folder.

It's so our employees can make large files available to overseas clients. At this point, we're happy to have everything lumped into one folder.

I'm guessing I need to modify the permissions on the /home/ftp folder so that the local (authenticated) users can upload their files to it, but I can't figure it out. Linux permissions are confusing to me :)

Some command line stuff would be awesome.
 
Linux / Unix file permissions are deceptively simple. The permissions are broken into three groups: root, group, and others. In each group, there are permissions for read, write, and execute (rwx). These permissions can be represented as a single octal digit (0-7), one for each group.

The ls command with the -l, lower case L, switch will display the permissions for the given directory. There are two primary commands associated with the permissions: CHMOD and CHOWN. CHMOD can be used to either explicitly set the permissions or it can be used with (+/-)R,W,X modifiers. For example, you can issue chmod 700 'file' to allow root (only) read, write, execute access or you can say chmod +x 'file' to add executable status (to others typically) to the file. Chown is used to set the owner and group for a file. By default, the file will be owned by the user that created it and their group. When you have a "secure" file you can set the owner to root with read and write access, but allow others read access.

If you are looking for more information, Wikipedia has a decent article on the subject:
 
Do all of the local users have individual accounts, or are you using a single account for local uploads?

Annihilannic.
 
I was going to use a single account for local uploads.
 
In that case the (usually) default directory permissions of 755 (drwxr-xr-x) should be fine, as long as the upload user owns it (set with chown as described by Noway2 above). Anyone, including anonymous users, will be able to read the directory, but only the upload user will be able to write.

Any files created in the directory will be automatically owned by the upload user (because they created it), so the same rules will apply.

Annihilannic.
 
Thanks for all that guys - I'm sure I'll have no trouble doing what I need.

One more question on topic though: Is it possible to restrict vsftp so that the anonymous users cannot see a directory listing, and can only access individual files via URL?

Because our simple plan was to dump files for multiple clients into one folder, it may make things a bit safer if they can only see the files that we tell them are there.
 
oops - must have missed it on my way through the config options. thanks again.
 
mmm, almost there. I just can't seem to allow anonymous access! My vsftp.conf file (excluding lines beginning with #):
Code:
anon_mkdir_write_enable=NO
anon_upload_enable=NO
anonymous_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
chroot_local_user=NO
connect_from_port_20=YES
dirmessage_enable=YES
listen=YES
local_enable=YES
local_umask=002
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
secure_chroot_dir=/var/run/vsftpd
write_enable=YES
xferlog_enable=YES

I can upload/delete files with an authenticated user, and the others permission on those uploaded files is read-only. When I use e.g. Internet Explorer, I either get nothing (empty folder) when I go to ftp://myftpsvr, or a DNS/server error when I try ftp://myftpsvr/pic.gif (which does exist).

In Firefox, I get a popup error "550 Failed to change directory" no matter what URL I try.

With an FTP client (and anonymous access), I can connect, and see the folder list, but get a "550 failed to open file" error when I try to transfer it.

The /etc/vsftpd.chroot_list file contains
Code:
ftp

Last bit of help?
 
Have you placed the directories in question under the "ftp" user's home directory? i.e. /var/ftp? That is where anonymous users will land by default when they connect.

Annihilannic.
 
I'm putting the files in /home/ftp. No subfolders further than that. All users' folders appear under /home.
 
Have you changed the "ftp" user's home directory to match? i.e. the one listed in /etc/passwd?

Annihilannic.
 
I looked in /etc/passwd - I won't repost anything because I'm not sure how private any of it is, but it lists /home/ftp, not /var/ftp
 
I see.. could you post the output of find /home/ftp -ls, so we can check the permissions (assuming it hasn't already been filled with hundreds of files of course!)?

Annihilannic.
 
Code:
2191177    4 drwxrwxr--   2 root     ftp          4096 Sep  2 15:30 /home/ftp
2191182    0 -rw-rw-r--   1 staff    users           0 Sep  2 12:12 /home/ftp/pic.gif

The ftp user only belongs to the nogroup group, which I presume means no groups at all.
 
I notice that the size of pic.gif is 0 - must have got clobbered while I've been testing. I've uploaded a new copy that is 37K, and no change.
 
I just did a quick test in a CentOS 4.6 VM. I didn't touch the vsftpd config, just started the service, created a user useradd -d /var/ftp/incoming upload, and gave them a password. I can now upload files into the incoming directory (but nowhere else), and connect through IE and FF anonymously and download them again.

This is what the permissions look like:

Code:
[root@punchbag vsftpd]# find /var/ftp -ls
281025    8 drwxr-xr-x   4 root     root         4096 Sep  2 15:29 /var/ftp
281026    8 drwxr-xr-x   2 root     root         4096 Jul 25  2008 /var/ftp/pub
284333    4 drwxr-xr-x   2 upload   root         4096 Sep  2 15:36 /var/ftp/incoming
284340    4 -rw-r--r--   1 upload   upload        295 Sep  2 15:32 /var/ftp/incoming/testfile.txt
[root@punchbag vsftpd]#

Perhaps try and get that much working first before experimenting with disabling directory listings, etc (although I think you haven't tried that yet judging by your config file?).

Annihilannic.
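
Added example (not part of any poster's reply): a small POSIX shell check that applies the standard Unix owner/group/other rules to the two find -ls listings quoted in this thread, reporting whether the anonymous ftp user can read the file names in the directory and open the file. The function names are hypothetical, and the ftp user's group on the CentOS VM is an assumption.

```shell
#!/bin/sh
# Added example: apply owner/group/other rules to `find -ls` lines.
# Function names (cols, triad_for, anon_access) are hypothetical.

# Pull "MODE OWNER GROUP" (columns 3, 5, 6) out of one `find -ls` line.
cols() { printf '%s\n' "$1" | awk '{print $3, $5, $6}'; }

# triad_for MODE OWNER GROUP USER "USERGROUPS"
# Prints the single rwx triad the kernel applies to USER: owner triad if
# USER owns the entry, else group triad if a group matches, else other.
triad_for() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-4; return
    fi
    for g in $ugroups; do
        if [ "$g" = "$group" ]; then
            printf '%s\n' "$mode" | cut -c5-7; return
        fi
    done
    printf '%s\n' "$mode" | cut -c8-10
}

# anon_access DIRLINE FILELINE USER "USERGROUPS"
# names: r on the directory (file names can be read).
# fetch: x on the directory (entries can be opened) AND r on the file.
anon_access() {
    dirline=$1 fileline=$2 user=$3 ugroups=$4
    d=$(triad_for $(cols "$dirline") "$user" "$ugroups")
    f=$(triad_for $(cols "$fileline") "$user" "$ugroups")
    names=no; fetch=no
    case $d in r??) names=yes ;; esac
    case $d in ??[xst]) case $f in r??) fetch=yes ;; esac ;; esac
    echo "names=$names fetch=$fetch"
}

# Listing lines copied from the thread above.
UBUNTU_DIR='2191177    4 drwxrwxr--   2 root     ftp          4096 Sep  2 15:30 /home/ftp'
UBUNTU_FILE='2191182    0 -rw-rw-r--   1 staff    users           0 Sep  2 12:12 /home/ftp/pic.gif'
CENTOS_DIR='284333    4 drwxr-xr-x   2 upload   root         4096 Sep  2 15:36 /var/ftp/incoming'
CENTOS_FILE='284340    4 -rw-r--r--   1 upload   upload        295 Sep  2 15:32 /var/ftp/incoming/testfile.txt'

# ftp is only in "nogroup" on the Ubuntu box (stated in the thread);
# its group on the CentOS VM is assumed to be "ftp".
anon_access "$UBUNTU_DIR" "$UBUNTU_FILE" ftp nogroup
anon_access "$CENTOS_DIR" "$CENTOS_FILE" ftp ftp
```

For the /home/ftp listing the "other" triad on the directory is r--, so the check reports names=yes fetch=no; for /var/ftp/incoming it is r-x and the check reports names=yes fetch=yes.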
 
I did a purge and install of vsftp, and now I've got anonymous access - so I'll make a snapshot here and try to lock it down.

Thanks heaps for your help.
 