Full Version: I want to have my cake and eat it too...
DaveVT5
I have installed Fedora Core 4 with vsFTPd and Apache.

My goal is to have two web sites hosted via apache with separate FTP access for each site. Let's start w/ FTP...

When I create a new user, eg 'David' the default home is /home/David
vsFTPd works great when I login as David. I can upload/download/create new directories without issue.

When I add a new user useradd -d /www/site1 site1 with a default folder outside of /home I am not able to upload files. I can still login and download.

So, with the default home I'm good to go, so on to Apache...

I have successfully been able to create virtual hosts for two web sites. The sites point to the /www/site1 and /www/site2 directories. Everything in this scenario works great. The problem is that I can't upload with user1 and user2 into these folders.

So when I try to change httpd.conf to point to /home/David I receive a 403 Forbidden error in my browser.

I have tried to chmod 755 /www/site1 but it doesn't help.

So, I can either use vsFTPd or Apache, but not both. Hence the reference to cake.

I have spent over a day on this with no progress. I have tried to use PAM for virtual users in vsFTPd but I don't seem to have db_load installed and I can't figure out how to install it to even try to go down that path.

My issues seem to be related to setting permissions but I'm completely lost.

Please help!
Jim
Ya, that's a hard problem. This is what I would recommend. First, ditch vsFTP and just use straight sftp, it's secure, it's safe, it's good. However you can do it with vsFTP if you want.

One of the ways you can do this is make the home directories, and make them 770 permissioned. Owned by the user, and group as something like servers. Then make both apache and vsFTP part of the servers group. That way, the users can upload and download, and the servers can both get at it too. There are some security concerns with that, but I am not gonna go into all of those now.

Another way you can do it is vsFTP should be able to route the user into the /var/www folder when they log in. The key is then that the /var/www folder has to be owned by the user and grouped by apache. (770 again or 750 depending on what you're doing with apache). That is a little more complicated and problematic.

The key thing is that new files have to be created the right way. There are a couple different approaches to this. You can modify the umask settings of the user. Or you can make the user's primary group "servers" if you're going with my first option. All of these are messy.

One of the best ways, but slightly more complicated ways, is to make vsFTP and Apache both run under the same name. That way they will both have the same read/write permission.

I am not gonna hold your hand through each one of those, because, well, I have finals.. but if you need help I can help you down a path.
DaveVT5
Ok, thanks, I will look into adding both Apache & vsFTPd as the same user.

After some more research yesterday I discovered that it's SELinux that is causing me issues. I'm still learning about it but from what I can tell, even if my permissions are set correctly (770, 777 etc) SELinux will prevent access as a security measure. From what I've read turning it off could help, however, as frustrating as this problem has been I would prefer to have things set up securely -- which is why I'm wary of setting groups the same or even vsFTP and Apache to the same user.

CODE
chcon -R -h -t httpd_sys_content_t /dir/where/www/root/will/be

I discovered this after some research and it partially corrected my problem. Once I ran this, Apache could begin to serve up pages from /home/user which is exactly what I was looking for.

However, once I did this, I could no longer view my www directory when I logged in via FTP.

More research discovered something called
CODE
public_content_rw_t
which would supposedly fix things. It came close. Now when I logged in via FTP I could see my www directory. The problem is that I can't upload files into the folder.

So, I am again at a loss. But I think I'm very close now... Any advice?
DaveVT5
I have also found these two parameters:
setsebool -P allow_httpd_anon_write=1 - and - setsebool -P allow_ftp_anon_write=1
The second (_ftp_) gives me a
QUOTE
Error setting boolean: Invalid boolean
error. Not sure if this is relevant.

I'm confused as to why I'm having such difficulties. It seems to me that many people would want to use FC4 to host multiple websites with FTP access. I'm a little perplexed as to why this is so difficult.

Thanks,
DaveVT5
I seemingly have fixed my problem. Seems like this would be documented somewhere but I couldn't find it...

CODE
setsebool -P allow_ftpd_anon_write=1


I can now login via vsFTPd and upload. So to recap, here's what I did...

1) point your virtual host entry in apache to the 'www' folder in a user's home directory
2) make sure there is an index.html file in there and then test it ... you should get a 403 access denied error.
3) change ownership so that SELinux allows Apache to read the files. Do this by typing chcon -R -h -t public_content_rw_t /home/username/www
4) now when you test in Apache it will work. But, vsFTPd will no longer give you write-access... to fix the error do what I listed above: setsebool -P allow_ftpd_anon_write=1

Everything should work...
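
Added example, not part of the original posts: a small audit for the setup in the recap above, useful because files moved into the tree keep their old SELinux label and will still return 403. The sample labels, the sample getsebool line and the function names are constructed for illustration; the label-to-access mapping is only what this thread reports, not a full policy model.

```bash
# Added example, not from the thread. Sample data is constructed; on a real
# host take it from:  stat -c '%C %n' /home/username/www/*
#                     getsebool allow_ftpd_anon_write
SAMPLE_LABELS='system_u:object_r:public_content_rw_t /home/username/www/index.html
user_u:object_r:user_home_t /home/username/www/moved-in.html'
SAMPLE_BOOL='allow_ftpd_anon_write --> active'

# Type is the third field of user:role:type[:level].
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Normalise getsebool output; assumes the state is the last word and that
# older tools print active/inactive where newer ones print on/off.
bool_state() {
    case "${1##* }" in
        on|active|1) echo on ;;
        *) echo off ;;
    esac
}

# Access the thread observed for each label: httpd_sys_content_t served pages
# but FTP could no longer see the directory; public_content_rw_t served pages
# and allowed uploads only once the boolean was set. Any other type is
# treated as denied (a simplifying assumption of this example).
expected_access() {
    local type=$1 bool=$2 apache=no ftp=no
    case "$type" in
        httpd_sys_content_t) apache=yes ;;
        public_content_rw_t)
            apache=yes
            if [ "$bool" = on ]; then ftp=yes; fi ;;
    esac
    echo "apache_read=$apache ftp_write=$ftp"
}

# Read "<context> <path>" lines on stdin; print paths not labelled $1.
mislabelled() {
    local want=$1 ctx path
    while read -r ctx path; do
        [ "$(selinux_type "$ctx")" = "$want" ] || echo "$path"
    done
}

printf '%s\n' "$SAMPLE_LABELS" | mislabelled public_content_rw_t
expected_access public_content_rw_t "$(bool_state "$SAMPLE_BOOL")"
```

The boolean is system-wide: once it is on, the FTP daemon may write to every file labelled public_content_rw_t, so keep that label confined to the upload directories that need it.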
jajtiii
Thanks for the recap. I was having a big problem with FTP and now see it is the SELinux that was hindering me.

appreciate it!

jt