Linux – ProFTPd and www-data group

ftp linux proftpd webmin

What I'm trying to do is create a ftp user that can update and modify files in an apache2 v2.4 (with www-data) web directory.

I have a single user: UserA (names changed to protect the guilty)
The folder is /var/www/vhosts; chowned to www-data:www-data
UserA has been added to the www-data group.
The UserA's home directory is set to /var/www/vhosts

I have ProFTPd setup and running.
UserA connects fine.

The problem is ownership of the folders/files.
All files are set to 644 as normal.
All folders are set to 755.

Since UserA is not the owner, it falls under the group policies and files cannot be added, deleted, or modified because of the limitations.

Is there any way to masquerade UserA as www-data so they can perform the job?

Am I thinking of this the right way? Is there another way to do it?
Thanks
The user connects via FTP to the web folder

Best Answer

If I understand the question correctly, you would like to FTP into your web server and upload files to the webroot. The owner and group of the files (and directories?) are www-data:www-data.

What may partially be happening (been a while since I used ProFTP) is that userA is configured in ProFTP with a different umask than what the shell uses. This can make troubleshooting confusing.

I would try the following:

  • add userA to the www-data group (as you have done)

  • assign mode 0775 to the vhosts directory (eg: chmod 0775)

  • apply SGID (eg: chmod g+w+s vhosts) on vhosts so any files there have group perms applied

This should accomplish:

  • userA uploads a file which lands in vhosts owned by userA but with www-data group ownership

  • since the vhosts directory does not have the sticky bit set (set above to 0775) any user in the www-data group with group-write access to vhosts can delete/modify the file

NOTE: pay particular attention to AppArmor and possibly SELinux. You may need to adjust configuration of those utilities (if installed) to allow the webserver or ProFTP to write there.

NOTE: For a recommended, secure alternative to FTP, look into WinSCP/SFTP. By generating an OpenSSH key pair, you can drop your public key in the www-data user's home directory and "masquerade" as the web server when you login over WinSCP. This allows for encrypted communication, more secure authentication, and less rigamarole with the permission twiddling.
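
The interaction between the SGID directory and the upload umask described in this answer, as an added example that is not part of the original answer. It uses a throwaway temp directory in place of /var/www/vhosts, assumes GNU/Linux `stat`, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: a temp directory stands in for /var/www/vhosts.
# Needs no root and no www-data group; assumes GNU/Linux stat(1).

# Octal mode of a path, e.g. 2775.
mode_of() { stat -c '%a' "$1"; }

# Create an SGID 2775 "vhosts" directory, then create a file and a
# subdirectory under the given umask, as an FTP upload would.
# Prints: <vhosts mode> <file mode> <subdir mode>
sgid_upload_demo() {
    mask=$1
    root=$(mktemp -d) || return 1
    (
        mkdir "$root/vhosts" || exit 1
        chmod 2775 "$root/vhosts"      # rwxrwsr-x: group write plus SGID
        umask "$mask"                  # mask applied to new files and dirs
        : > "$root/vhosts/index.html"  # "uploaded" file
        mkdir "$root/vhosts/site"      # "uploaded" directory
        echo "$(mode_of "$root/vhosts") $(mode_of "$root/vhosts/index.html") $(mode_of "$root/vhosts/site")"
    )
    rc=$?
    rm -rf "$root"
    return $rc
}

# Does an octal mode grant group write? (group digit has bit 2 set)
group_writable() {
    g=$(( ($1 / 10) % 10 ))
    [ $(( g & 2 )) -ne 0 ]
}

# Compare a restrictive mask with a group-friendly one.
for m in 022 002; do
    set -- $(sgid_upload_demo "$m")
    if group_writable "$2"; then w=yes; else w=no; fi
    echo "umask $m: vhosts=$1 file=$2 subdir=$3 group-can-modify-file=$w"
done
```

With umask 022 the new file is 644 and the new subdirectory is 2755, so other group members can delete or replace the file (the parent is group-writable) but cannot edit it in place or write inside the new subdirectory; with 002 both become group-writable. In ProFTPD the mask for uploads is set with the `Umask` directive in proftpd.conf, independent of the shell's umask.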