Ftp – Debian 6: setting up FTP just for website editing


I have a VPS using Debian 6.0. Currently, SSH is set to not accept password logins, and only key-based ones.

A person who needs to work on one particular website (a vhost) wishes to use FTP. He doesn't need/want SSH. How can I set up FTP access for him, enabling him to have write permissions for all files in the relevant directory, and only the relevant directory? The directory is /srv/www/domainname.com/public_html

Currently, all directories and files in that directory belong to www-data:www-data and are 644/755.

I've installed vsftpd and have been reading some guides, but they all seem to deal with allowing multiple users to have their own user-named directories which isn't what I'm after. I can't seem to work out how to simply define one FTP user with a password that has access to one directory of my choosing.

This is my first experience of setting up an FTP server.

Thanks.

Edit: have also found this – maybe I should be using ProFTPd, or can vsftpd also do what I want?

Best Answer

If you want to go with the SFTP only solution, I have created a blog post recently that describes exactly this including a few of the common errors: http://blog.frands.net/sftp-only-chroot-users-with-openssh-in-debian-166/

If you want to go with the FTP solution, vsftpd is indeed a fine choice. However, when a user uploads a file it will be set with his user and group following the defined umask. You could set the user's primary group to www-data and then create a umask that fits in vsftpd.

This is a quick how-to for doing what I suggested:

Create the user with the www-data group, no real shell and the correct home dir, and set the password afterwards:

useradd -d /path/to/his/domain.com -g www-data -s /bin/false theusername
passwd theusername

Make sure that vsftpd accepts his shell. Run cat /etc/shells and look for /bin/false (it should not be there by default). If it is not there, add it:

echo "/bin/false" >> /etc/shells

Next, edit the vsftpd config file. Touch these parameters: (if they are commented out, remove the #)

Disable anonymous access to the server

anonymous_enable=NO

Allow local users to use FTP

local_enable=YES

Allow file uploads

write_enable=YES

Set the umask, so the files the user uploads are also writable by group (www-data)

local_umask=002

Chroot the user so he cannot move out of his home dir

chroot_local_user=YES

Now, restart vsftpd

/etc/init.d/vsftpd restart

and you should be all set.

BUT!

  • FTP is generally insecure.
  • If SFTP is possible, use it.
  • Having the webserver allowed to write to files is a security flaw, unless the directory is used for uploads or files that the website commonly changes.
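
The following script is an added example, not part of the original answer: it audits a vsftpd.conf against the five settings listed above and checks that a shell is listed in a shells file. The function names (effective, audit_vsftpd, shell_listed) and the sample config are constructed for illustration; the fallback defaults are the built-in ones documented in the vsftpd.conf man page.

```shell
#!/bin/sh
# Added example (not from the answer): audit a vsftpd.conf against the five
# settings the answer lists, and check that a login shell is in /etc/shells.

# Print the effective value of option $2 in file $1. Commented-out lines are
# ignored and the last assignment wins; $3 is vsftpd's built-in default
# (per the vsftpd.conf man page), used when the option is never set.
effective() {
    val=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d '\r')
    printf '%s\n' "${val:-$3}"
}

# Print one FAIL line per setting that differs from the answer's value.
# The return status is the number of deviations (0 = matches the answer).
audit_vsftpd() {
    conf=$1
    bad=0
    while read -r opt want default; do
        got=$(effective "$conf" "$opt" "$default")
        if [ "$got" != "$want" ]; then
            echo "FAIL $opt=$got (answer sets $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
anonymous_enable NO YES
local_enable YES NO
write_enable YES NO
local_umask 002 077
chroot_local_user YES NO
EOF
    return "$bad"
}

# Succeeds if shell $1 appears as a whole line in shells file $2.
shell_listed() {
    grep -qxF -- "$1" "${2:-/etc/shells}"
}

# Constructed sample config: write_enable is still commented out, and a later
# local_umask line silently overrides the intended 002.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' '#write_enable=YES' \
    'local_umask=002' 'chroot_local_user=YES' 'local_umask=022' > "$sample"
audit_vsftpd "$sample" || echo "$? setting(s) differ from the answer"
rm -f "$sample"
```

On a real server, run audit_vsftpd against the config file you edited and shell_listed /bin/false before restarting vsftpd.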