0

I'm sorry for the uber noobish question, I'm new to Linux and trying to learn and practice secure LAMP administration for an upcoming little project of mine.

I've installed vsftpd but can't set up permissions the way I want. It seems that files in /var/www must be owned by user www-data (default on Ubuntu) so Apache can read and write there, but I would like to upload files directly to /var/www and be able to edit them over FTP using Notepad++ from a Windows box. Now, I can't access FTP with user www-data since I don't know the password, so I created a new user webmaster, but then Apache can't access files due to the different owner. In my anger I tried to set anonymous FTP access just to get this working, so in vsftpd.conf I've allowed login and file creation by anon and set it to make new uploads owned by nobody, but then I can't upload anything at all.

So how can I make this work? I want files in /var/www to be secure, only accessible by Apache from within the system and the FTP daemon. I'm talking of unsecured FTP for now, will try to learn FTPS or SFTP later.

My idea on the production server was to log in via SSH, enable FTP(S), beam files, disable FTP, log out. Is this how it's done in the real world?

Thanks for your answers.

2 Answers

2

Please, do not allow anonymous connections to upload any files whatsoever. It will be used for distributing viruses and porn.


Apache only needs read access to the directories it's going to serve (in most configurations).

`chown -R john:www-data web-data-folder` and `chmod 755 web-data-folder` will give john write permissions to the directory and every file/folder within it, while retaining read and execute (folder listing) rights to both apache and any other user on the system. If you're paranoid you can use `chmod 750` instead.


Now that I've basically given you the commands: Please read up on how chmod and chown work together. Every unix/linux/bsd installation has manpages installed for them.

pauska
  • Thanks but this does not solve my problem. Uploaded files belong to user webmaster (-rw-------) and apache (www-data:www-data) has no rights to read them. I would have to run `chmod -R 755 /var/www` every time I upload something. Think I'll set apache to run as user webmaster, this should solve it in an easy way. – Resistance Nov 18 '09 at 01:34
1

Referring to the VSFTPD man page conf (http://vsftpd.beasts.org/vsftpd_conf.html), in your vsftpd.conf file, there is a configuration setting called local_umask.

By default, it is 077, which is what produces your -rw------- permission. To give every file a -rw-r--r-- permission, set local_umask to 022.

Remember to restart your vsftpd server once you change the conf file.

James
  • This is the answer I was looking for, thanks a bunch. I can't upvote yet, will come back here when/if I get more rep. – Resistance Nov 18 '09 at 12:24
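
The umask behaviour described in the `local_umask` answer, as an added example that is not part of either answer: it creates files under umask 077 and 022 to show the resulting modes, and lists files in a document root that a separate web-server user could not read. The function names are hypothetical helpers, and the scratch files are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers). Helper names are hypothetical.

# Print a file's permission bits in octal (GNU stat, with a BSD fallback).
octal_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file (or a directory when $2 is "dir") under the given umask and
# print its mode. New files are requested as 666 and directories as 777; the
# umask clears bits from that request. The subshell body keeps the umask
# change from leaking into the calling shell.
mode_for_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    if [ "${2:-file}" = dir ]; then
        mkdir "$tmp/new"
    else
        : > "$tmp/new"
    fi
    octal_mode "$tmp/new"
    rm -rf "$tmp"
)

# List regular files under a document root that lack the "other" read bit,
# i.e. files a user who is neither the owner nor in the file's group
# (www-data in the question) cannot read.
unreadable_by_other() {
    find "$1" -type f ! -perm -004 -print | sort
}

# Demonstration with the two umask values discussed in the answer.
for mask in 077 022; do
    printf 'umask %s -> file %s, directory %s\n' \
        "$mask" "$(mode_for_umask "$mask")" "$(mode_for_umask "$mask" dir)"
done
```

Running `unreadable_by_other /var/www` after an upload shows which files were created under the restrictive umask and still need their mode fixed.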