What I'm trying to do is create an FTP user that can update and modify files in an apache2 v2.4 (with www-data) web directory.
I have a single user: UserA (names changed to protect the guilty)
The folder is /var/www/vhosts; chowned to www-data:www-data
UserA has been added to the www-data group.
UserA's home directory is set to /var/www/vhosts
I have ProFTPd set up and running.
UserA connects fine.
The problem is ownership of the folders/files.
All files are set to 644 as normal.
All folders are set to 755.
Since UserA is not the owner, it falls under the group policies and files cannot be added, deleted, or modified because of the limitations.
Is there any way to masquerade UserA as www-data so they can perform the job?
Am I thinking of this the right way? Is there another way to do it?
Thanks
The user connects via FTP to the web folder
Best Answer
If I understand the question correctly, you would like to FTP into your web server and upload files to the webroot. The owner and group of the files (and directories?) are `www-data:www-data`.

What may partially be happening (been a while since I used ProFTP) is the `umask` of userA is configured in ProFTP with a different `umask` than what the shell uses. This can make troubleshooting confusing.

I would try the following:

- add `userA` to the `www-data` group (as you have done)
- assign mode `0775` to the `vhosts` directory (eg: `chmod 0775`)
- apply SGID (eg: `chmod g+w+s vhosts`) on `vhosts` so any files there have group perms applied

This should accomplish:

- userA uploads a file which lands in `vhosts` owned by `userA` but with `www-data` group ownership
- since the `vhosts` directory does not have the sticky bit set (set above to `0775`) any user in the `www-data` group with group-write access to `vhosts` can delete/modify the file

NOTE: pay particular attention to `apparmor` and possibly `SElinux`. You may need to adjust configuration of those utilities (if installed) to allow the webserver or ProFTP to write there.

NOTE: For a recommended, secure alternative to FTP, look into WinSCP/SFTP. By generating an OpenSSH key pair, you can drop your public key in the `www-data` user's home directory and "masquerade" as the web server when you log in over WinSCP. This allows for encrypted communication, more secure authentication, and less rigamarole with the permission twiddling.
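
The effect of the setgid directory and of the umask described in the answer above, as an added example that is not part of the original answer. It runs in a scratch directory as the current user; the function names and the umask values 022 and 002 are chosen here for illustration, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added illustration (not from the original answer). Works in a scratch
# directory as the current user; no root needed, no real web root touched.
# Assumes GNU stat (Linux).

# mode_of PATH -> octal mode, e.g. 2775
mode_of() { stat -c '%a' "$1"; }

# make_shared_dir -> prints the path of a scratch directory prepared like
# the answer's vhosts directory: mode 0775 plus setgid (chmod g+w+s).
make_shared_dir() {
    d=$(mktemp -d) || return 1
    chmod 0775 "$d" && chmod g+w+s "$d" || return 1
    printf '%s\n' "$d"
}

# upload_as_umask DIR NAME UMASK -> creates DIR/NAME under the given umask
# (a stand-in for an FTP upload) and prints the resulting file mode.
upload_as_umask() {
    ( umask "$3" && : > "$1/$2" ) || return 1
    mode_of "$1/$2"
}

# group_matches_parent DIR NAME -> succeeds when the entry carries the same
# group as DIR, which is what the setgid bit on DIR provides.
group_matches_parent() {
    [ "$(stat -c '%g' "$1/$2")" = "$(stat -c '%g' "$1")" ]
}

demo() {
    dir=$(make_shared_dir) || return 1
    echo "shared dir mode:       $(mode_of "$dir")"
    echo "upload, umask 022:     $(upload_as_umask "$dir" a.html 022)"
    echo "upload, umask 002:     $(upload_as_umask "$dir" b.html 002)"
    ( umask 002 && mkdir "$dir/sub" )
    echo "new subdir, umask 002: $(mode_of "$dir/sub")"
    group_matches_parent "$dir" b.html && echo "group inherited: yes"
    rm -rf "$dir"
}

demo
```

A file created under umask 022 comes out 644: group members can still delete or replace it because the directory is group-writable, but they cannot edit it in place, while umask 002 yields 664.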