> I want to have my cake and eat it too..., Permission? error - vsFTPd and HTTPd
DaveVT5
post Dec 7 2005, 02:09 PM
Post #1





I have installed Fedora Core 4 with vsFTPd and Apache.

My goal is to have two web sites hosted via apache with separate FTP access for each site. Let's start w/ FTP...

When I create a new user, eg 'David' the default home is /home/David
vsFTPd works great when I login as David. I can upload/download/create new directories without issue.

When I add a new user useradd -d /www/site1 site1 with a default folder outside of /home I am not able to upload files. I can still login and download.

So, with the default home I'm good to go, so on to Apache...

I have successfully been able to create virtual hosts for two web sites. The sites point to the /www/site1 and /www/site2 directories. Everything in this scenario works great. The problem is that I can't upload with user1 and user2 into these folders.

So when I try to change httpd.conf to point to /home/David I receive a 403 Forbidden error in my browser.

I have tried to chmod 755 /www/site1 but it doesn't help.

So, I can either use vsFTPd or Apache, but not both. Hence the reference to cake.

I have spent over a day on this with no progress. I have tried to use PAM for virtual users in vsFTPd but I don't seem to have db_load installed and I can't figure out how to install it to even try to go down that path.

My issues seem to be related to setting permissions but I'm completely lost.

Please help!
Jim
post Dec 7 2005, 11:25 PM
Post #2





Ya, that's a hard problem. This is what I would recommend. First, ditch vsFTP and just use straight sftp, it's secure, it's safe, it's good. However you can do it with vsFTP if you want.

One of the ways you can do this is make the home directories, and make them 770 permissioned. Owned by the user, and group as something like servers. Then make both apache and vsFTP part of the servers group. That way, the users can upload and download, and the servers can both get at it too. There are some security concerns with that, but I am not gonna go into all of those now.

Another way you can do it is vsFTP should be able to route the user into the /var/www folder when they log in. The key is then that the /var/www folder has to be owned by the user and grouped by apache. (770 again or 750 depending on what you're doing with apache). That is a little more complicated and problematic.

The key thing is that new files have to be created the right way. There are a couple different approaches to this. You can modify the umask settings of the user. Or you can make the user's primary group "servers" if you're going with my first option. All of these are messy.

One of the best ways, but slightly more complicated ways, is to make vsFTP and Apache both run under the same name. That way they will both have the same read/write permission.

I am not gonna hold your hand through each one of those, because, well, I have finals.. but if you need help I can help you down a path.


--------------------
--Jim Lester
jim@linuxhelp.net

DaveVT5
post Dec 8 2005, 08:38 AM
Post #3





Ok, thanks, I will look into adding both Apache & vsFTPd as the same user.

After some more research yesterday I discovered that it's SELinux that is causing me issues. I'm still learning about it but from what I can tell, even if my permissions are set correctly (770, 777 etc) SELinux will prevent access as a security measure. From what I've read turning it off could help, however, as frustrating as this problem has been I would prefer to have things set up securely -- which is why I'm wary of setting groups the same or even vsFTP and Apache to the same user.

CODE
chcon -R -h -t httpd_sys_content_t /dir/where/www/root/will/be

I discovered this after some research and it partially corrected my problem. Once I ran this, Apache could begin to serve up pages from /home/user which is exactly what I was looking for.

However, once I did this, I could no longer view my www directory when I logged in via FTP.

More research discovered something called public_content_rw_t, which would supposedly fix things. It came close. Now when I logged in via FTP I could see my www directory. The problem is that I can't upload files into the folder.

So, I am again at a loss. But I think I'm very close now... Any advice?
DaveVT5
post Dec 8 2005, 08:51 AM
Post #4





I have also found these two parameters:
setsebool -P allow_httpd_anon_write=1 - and - setsebool -P allow_ftp_anon_write=1
The second (_ftp_) gives me an "Error setting boolean: Invalid boolean" error. Not sure if this is relevant.

I'm confused as to why I'm having such difficulties. It seems to me that many people would want to use FC4 to host multiple websites with FTP access. I'm a little perplexed as to why this is so difficult.

Thanks,
DaveVT5
post Dec 8 2005, 11:12 AM
Post #5





I seemingly have fixed my problem. Seems like this would be documented somewhere but I couldn't find it...

CODE
setsebool -P allow_ftpd_anon_write=1


I can now log in via vsFTPd and upload. So to recap, here's what I did...

1) point your virtual host entry in apache to the 'www' folder in a user's home directory
2) make sure there is an index.html file in there and then test it ... you should get a 403 access denied error.
3) change ownership so that SELinux allows Apache to read the files. Do this by typing chcon -R -h -t public_content_rw_t /home/username/www
4) now when you test in Apache it will work. But, vsFTPd will no longer give you write-access... to fix the error do what I listed above: setsebool -P allow_ftpd_anon_write=1

Everything should work...
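An added example, not part of any post in this thread: a small triage script that reads SELinux AVC denials and reports which step of the recap in post #5 applies, relabel (step 3) or boolean (step 4). The two log lines are constructed samples, and the source types httpd_t and ftpd_t are assumed to be the policy domains for Apache and vsFTPd.

```shell
#!/bin/sh
# Constructed AVC denials (not from the poster's machine), in audit.log format.
SAMPLE_AVC='type=AVC msg=audit(1134054000.101:41): avc:  denied  { getattr } for  pid=2101 comm="httpd" name="index.html" dev=hda2 ino=4711 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1134054300.202:57): avc:  denied  { write } for  pid=2230 comm="vsftpd" name="www" dev=hda2 ino=4700 scontext=system_u:system_r:ftpd_t tcontext=user_u:object_r:public_content_rw_t tclass=dir'

# Print "comm perms source_type target_type" for each denial read from stdin.
parse_avc() {
    awk '
    function val(key,   i, kv) {              # value of a key=value field
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                kv = substr($i, length(key) + 2); gsub(/"/, "", kv); return kv
            }
        return ""
    }
    function ctype(ctx,   p) { split(ctx, p, ":"); return p[3] }  # user:role:type
    /avc: +denied/ {
        perm = $0; sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
        gsub(/ +/, ",", perm)
        print val("comm"), perm, ctype(val("scontext")), ctype(val("tcontext"))
    }'
}

# Map a parsed denial to the recap step that addresses it.
# Prints: relabel (step 3), boolean (step 4), or other.
advise() {  # args: comm perms source_type target_type
    case "$3:$4" in
        httpd_t:httpd_sys_content_t|httpd_t:public_content_rw_t) echo other ;;
        httpd_t:*) echo relabel ;;
        ftpd_t:public_content_rw_t)
            case ",$2," in
                *,write,*|*,add_name,*|*,create,*) echo boolean ;;
                *) echo other ;;
            esac ;;
        ftpd_t:*) echo relabel ;;
        *) echo other ;;
    esac
}

# Read audit lines on stdin, print one finding per denial.
triage() {
    parse_avc | while read -r comm perm stype ttype; do
        printf '%s denied %s on %s: %s\n' "$comm" "$perm" "$ttype" \
            "$(advise "$comm" "$perm" "$stype" "$ttype")"
    done
}

printf '%s\n' "$SAMPLE_AVC" | triage
```

The boolean is system-wide: once allow_ftpd_anon_write is on, the FTP daemon may write to every directory labelled public_content_rw_t, so keep that label on upload directories only.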
jajtiii
post Dec 13 2005, 01:21 PM
Post #6





Thanks for the recap. I was having a big problem with FTP and now see it is the SELinux that was hindering me.

appreciate it!

jt