ProFTP limiting me 1


JCrou82, Programmer, Aug 23, 2002
I have proFTP installed on a rh linux 7.0 machine. I can download files and create new folders and create new files. What I can't do is upload any new files or overwrite any existing files. I also can't chmod any directories or files. I also attempted to change the settings in proftpd.conf settings, but nothing seems to take in effect. Do I need to restart the ftpd services or worse yet, reboot the server?

Any help or links to a tutorial on proftpd would be very much appreciated...thanks in advance.
 
Thank you, I will look into this, and post back if I need more help or if I find the info I was looking for.
 
I think you do need to restart the proftpd service. Kill it and then start it. Did you add the "AllowOverwrite On" directive to the proftpd.conf file?


ChrisP
 
I modified the .conf file to AllowOverwrite, but I still can't upload or create a new file. It seems as if some commands just aren't being read or anything. I have uncommented the commands I want read. Is there a tutorial or an "easier" sample .conf file that I could try to emulate? I tried reading the proftpd.org site documentation, and I'm lost. They don't give you examples for some of the commands and directives. Can anyone give me a hand?

What I want to do is FTP to /usr/local/apache/htdocs and be able to read, write, and delete the files. I want full access to the htdocs directory and any sub-directories.

This is what my conf file looks like:
# This sample configuration file illustrates creating two
# virtual servers, and associated anonymous logins.

ServerName "ftpserver.com"
ServerType standalone
#This is used if not running on command line
#ServerType inetd


# Port 21 is the standard FTP port.
Port 21

# Default IP Address
DefaultAddress 12.345.678.90

# Global creates a "global" configuration that is shared by the
# main server and all virtualhosts.

<Global>
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
</Global>

# Set the user and group that the server normally runs at.
User root
Group root

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Maximum seconds a data connection may "stall"
TimeoutStalled 300

# Default directory
<Directory /usr/local/apache/htdocs>
AllowOverwrite on
</Directory>

# First virtual server
<VirtualHost 12.345.678.90>

ServerName "Webserver FTP"

MaxClients 1
MaxLoginAttempts 3

# DeferWelcome prevents proftpd from displaying the servername
# until a client has authenticated.
DeferWelcome on

# Limit normal user logins, because we only want to allow
# guest logins.
<Limit LOGIN>
DenyAll
</Limit>

# Next, create a "guest" account (which could be used
# by a customer to allow private access to their web site, etc)
<Anonymous /usr/local/apache/htdocs/>
User loginname
Group users
AnonRequirePassword on

<Limit LOGIN>
AllowAll
</Limit>

HideUser root
HideGroup root

# <Directory /usr/local/apache/htdocs/*>
# AllowOverwrite on
# <Limit READ WRITE DELETE>
# AllowAll
# </Limit>
# </Directory>


# A private directory that we don't want the user getting in to.
<Directory logs>
<Limit READ WRITE DIRS>
DenyAll
</Limit>
</Directory>

</Anonymous>

</VirtualHost>


It's as if none of it seems to be actually working. I set up DefaultDir and nothing.

Thank You in advance
 
Try something like this...

ServerType standalone
DefaultServer on
Port 21
Umask 007
MaxInstances 10
AllowOverwrite on
UseReverseDNS off
IdentLookups off

<Limit ALL>
Order deny,allow
</Limit>

<VirtualHost 192.168.1.1>
ServerName "Chris's Linux FTP Server"
DefaultRoot /ftp
Port 21
User proftpd
Group proftpd
AllowOverwrite On
DisplayLogin ./readme.txt
ExtendedLog /root/access.log read,write
ExtendedLog /root/auth.log auth

<Limit Login>
DenyGroup !proftpd
</Limit>

<Limit READ DIRS>
DenyGroup !proftpd
</Limit>

<Limit WRITE>
DenyGroup !admins
</Limit>

<Directory /ftp/upload/*>

<Limit WRITE>
AllowGroup proftpd
DenyAll
</Limit>

</Directory>

</VirtualHost>



Make sure to add any users who need to connect to the "proftpd" group and set the permissions on /ftp equal to 770...

chown proftpd.proftpd /ftp -R
chmod 770 /ftp -R

Whenever you see a "Deny !somegroup", it means deny everybody EXCEPT somegroup. The ! (pronounced "bang") means NOT.

In my example, all users can read everything in /ftp, and they can only write to /ftp/upload. Members of the "admins" group can read/write everywhere.

Use this as a template and customize it to fit your needs.

Oh, and by the way, you don't need the <VirtualHost> containers, but I like to use them because it makes it easy to add them at a later date if you end up needing Vhosts.


ChrisP
 
Thank you fluid11. It helped by fixing other problems I had, but I still can't upload any files. Also I don't have a directory specifically aimed for uploads. I want to be able to upload, create a new file, create a new directory, and overwrite a file, all within the same directory, which is /usr/local/apache/htdocs. Basically an administrative FTP user who has access to do everything within the /usr/local/apache/htdocs directory. Whenever I attempt to upload a PDF file I get a 550 error. But this error also occurs when I attempt to overwrite a file.

Thank you for all your help so far.
 
Look above where you see "DenyGroup !admins". Change that to !proftpd and everybody in the proftpd group will be able to read/write everywhere. Just remove the "Directory /upload/ftp", that was only there as an example.


ChrisP
 
I may have fixed it, but I'm not sure if this is safe or not. Basically I have to set all directories within /htdocs to have 777 permissions, meaning ANYONE can read, write and execute. The webserver is behind a firewall and FTPing is only allowed within the network, so I CAN'T FTP from home. That's OK with me. But will setting every directory up with that type of permission place a big security risk for me? Also, is there a different way of doing this without setting permissions to 777, so that I can go back to having the permissions at 755? Also I can't chmod, though I can upload, create a new file and overwrite. Are there some settings in RH Linux that I have to change to allow me to chmod as an FTP user?

Thanks again
 
When I posted my latest post, I didn't see fluid11's post. I'm sorry to inform that even after removing from <Directory /ftp/upload> to </Directory> inclusive, it still didn't work. I tried changing !admins to !proftpd but that didn't do it either. I think I'm gonna revert to setting all the directories to 777. That seems to work OK, unless there is a real big security risk.

thanks
 
Of course it's a security risk. chmod the <ftp> directory to 770. Whatever user and group proftpd is running as should be the owners of the <ftp> directory. Whatever user you try to connect with should be in the "proftpd" group also (gpasswd -a someuser proftpd). If this is what you have already, post your proftpd.conf file and give us an "ls -l /ftp", or wherever your DefaultRoot is set to.




ChrisP
 
ProFTPD, as you have found, doesn't have the ability to change fs permissions ;) Its ACLs are layered on top.

The way I dealt with this problem was to create a webadmin user.
permissions 12 webadmin root 16384 Nov 13 14:18 htdocs
Then I allowed:
<Directory />
<Limit DIRS DELE READ WRITE >
DenyUser !webadmin
</Limit>
</Directory>

Which works pretty well. YMMV.

Remember that if you change permissions to 770 for htdocs you probably are locking out access to your website...

 
"Remember that if you change permissions to 770 for htdocs you probably are locking out access to your website..." --> it depends on which user Apache (I'm assuming you use Apache) is running as. If Apache runs as the "proftpd" user and group that you created, you won't have a problem. In that case, you probably don't want to call the user and group "proftpd". You should make up a different name. Maybe run ProFTPd and Apache as the "webuser" user and "webgroup" group, and then do a "chown webuser.webgroup /htdocs -R".


ChrisP
 
------------------------------------------------------
Forbidden

You don't have permission to access / on this server.
------------------------------------------------------

It doesn't matter who owns it, Chris. For individuals to be able to browse webpages stored on your website in htdocs, the "everyone" permissions must be suitable for them to at least read and for the webserver to exec the docs. 770 doesn't cut it. 755 is minimal for the directory permissions. So since htdocs is the problem directory it's a little more complicated.
 
I already have my Apache/ProFTPd server set up that way and it works great...

[root@cp ls -l
total 8
drwsrws--- 3 webuser webgroup 4096 Sep 24 03:36 htdocs


Apache runs as the webuser user and the webgroup group. ProFTPd uses a different user/group by default, but I have a VirtualHost that runs as webuser/webgroup that serves out the htdocs directory via FTP.

The FTP users need to belong to the webgroup group to access the site via FTP.

Only Apache server itself needs read access to your htdocs directory. The Apache user sends out the requested web pages.

I've had this setup going for about a year now. I really locked down security as much as possible on both the web and ftp server.


ChrisP
 
That's a pretty individual config, never seen it done like that. Certainly not in the docs. How does it work for CGI and accessing directories outside the root for rw ops?
 
I don't run any CGI on the site, only PHP. It's done the same way. FollowSymLinks is disabled, so this is the only directory I need to worry about. As long as the Apache user has access, it can hand out requested pages.


ChrisP
 
OK, I think I've figured out now what to do with the help of the posts from both fluid11 and marsd. Setting the directories to 770 does work, under these specifications:

The user that Apache is running ?on/as/under? is in the same group that the webfiles belong to. In my case Apache is running ?on/as/under? the user nobody in the group nobody. All of my webfile directories were set 755 under the group root. If I change the group to nobody and set the directory to 770, I was still able to view the website. What I did also to test what fluid11 posted, with regards to creating a user webuser in a webgroup group, I modified the user proftp to be part of the nobody group and was able to upload, write, overwrite, and create directories. But in order to chmod a directory or file, the proftp user has to be the owner of the file/directory. The issues I was having, now that I reflect on it, were due to user and group permissions in Linux, not proftpd, though the suggestions to modify the proftpd.conf file helped me solve other issues.

I just have some questions.
-What does the -R mean in the chown?
-How do I set up Proftpd to run as webuser user, webgroup group? In Apache, I think I just change the settings in the .conf file that at the present time are set to user nobody, group nobody, right?
-How do I change all subdirectories under and including htdocs to be owned by webuser and group webgroup without going through every single subdirectory? Is it possible?
-Can I create a user webuser that will only be used for apache and proftpd and nothing else? Also is there a way to create the user webuser without RH creating the group webuser? In other words can I create the group webgroup and then create the user webuser and add him/her to the webgroup group without RH creating a group named webuser?

Thank you and your posts sent me to an all day lesson in learning about users, groups and permissions, something I had very limited knowledge about. Thanks fluid11 and marsd and everyone else who posted as well as to future posters.
 
1. What does the -R mean in the chown? --> look at your third question:)

2. How do I set up Proftpd to run as webuser user, webgroup group? In Apache, I think I just change the settings in the .conf file that at the present time are set to user nobody, group nobody, right? --> use the 'user' and 'group' directives in the proftpd.conf file

3. How do I change all subdirectories under and including htdocs to be owned by webuser and group webgroup without going through every single subdirectory? Is it possible? --> look at your first question:)

4. Can I create a user webuser that will only be used for apache and proftpd and nothing else? Also is there a way to create the user webuser without RH creating the group webuser? In other words can I create the group webgroup and then create the user webuser and add him/her to the webgroup group without RH creating a group named webuser? --> To not create the "webuser" group, specify a different primary group when you create "webuser". Specify the "webgroup" group. This is how you should do it anyway...

groupadd webgroup
useradd webuser -g webgroup


ChrisP
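As an added example (not from the thread), this shell script models the permission scheme ChrisP and marsd converge on: the htdocs tree owned by a shared group, group-writable (770), and never world-writable (777), which is what JCrou82 first fell back to. The setgid bit (2770, visible as drwsrws--- in ChrisP's listing) is used so new uploads inherit the group; the caller's own primary group stands in for webgroup so it runs unprivileged on a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates the 770-with-shared-group
# model on a throwaway copy of an htdocs tree and audits for world-writable
# entries (the 777 risk). Group name is a stand-in for "webgroup".
set -eu

# Print every file or directory under $1 that is world-writable (o+w).
world_writable() {
    find "$1" -perm -002 -print
}

# Apply the model: directories 2770 (setgid keeps the group on new files),
# regular files 660, whole tree owned by the shared group $2.
harden_tree() {
    dir=$1; grp=$2
    chgrp -R "$grp" "$dir"
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod 660 {} +
}

# Returns 0 when no world-writable entry remains under $1, 1 otherwise.
check_tree() {
    [ -z "$(world_writable "$1")" ]
}

# Constructed sample: an htdocs tree after a "chmod -R 777" workaround.
# Echoes "<world-writable before> <world-writable after>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/images"
    printf 'hello\n' > "$tmp/htdocs/index.html"
    chmod -R 777 "$tmp/htdocs"
    before=$(world_writable "$tmp/htdocs" | wc -l | tr -d ' ')
    harden_tree "$tmp/htdocs" "$(id -gn)"
    after=$(world_writable "$tmp/htdocs" | wc -l | tr -d ' ')
    check_tree "$tmp/htdocs" && status=ok || status=unsafe
    rm -rf "$tmp"
    echo "$before $after $status"
}
```

With a real deployment, Apache must run as a member of the same group, as JCrou82 found with the nobody group, or marsd's 755 warning applies.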
 