
Luth_AC 06-10-2006 01:06 AM

public_html not viewable to vsFTPd users but is viewable to HTTP users
 
So, some key points from my vsftpd.conf file:

local_umask=022
chroot_local_user=YES
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=virtual
write_enable=YES
anon_mkdir_write_enable=YES
anon_upload_enable=YES


I've set up apache so that users have public_html files that are visible to the HTTP world, and it works fine. I can go to myIP/~virtual and see the contents of /home/virtual/public_html/, but when I FTP into the box, I can't see the /public_html/ subdirectory. I can upload files, and see other files in the /home/virtual/ directory, but /public_html/ remains hidden.

I created the /public_html/ directory as follows:
# mkdir /home/virtual/public_html
# chcon -R -t httpd_user_content_t /home/virtual/public_html/

Now, if I don't chcon the directory, I -can- see it on FTP, but I can't write to it, and HTTP can NOT see the folder. So it's a step sideways, at best.

I've read a few dozen posts/websites/guides about setting this up, but I haven't found a solution. I even read through a handful of Russian sites; they didn't know any better than anyone else.

I'm pulling my hair out over this one. If someone can help, PLEASE DO. My AIM/YIM is "Luth Crew", my MSN is LuthCrew@hotmail.com . I've been screwing with this for nearly 48 hours straight (I'm so tired), so please please help if you can.

btmiller 06-10-2006 01:29 PM

The problem looks like it's related to SELinux. In particular, based on your note about chcon, it is because the ftp login session somehow doesn't have the proper SELinux privileges to access the public_html directory. You either need to muck with your SELinux policy to allow a vsftp anonymous login to access a directory with the httpd_user_context. Or, if you don't need SELinux (which is a serious security layer developed in part by the US National Security Agency), I'd honestly either disable it outright or set it to permissive mode. This should get things working while you can tweak the context. From my experience, SELinux is only necessary if you're dealing with a machine with very sensitive data or need to strictly limit users. Since you seem to want to allow guest access to a public HTTP directory, security doesn't seem to be a giant concern here (to say the least). In fact I'm not sure what you're trying to do, but it looks rather peculiar at first blush.

Luth_AC 06-10-2006 01:41 PM

I'll boot up and try disabling SELinux, seeing if that works.

All I'm trying to do is upload a webpage to apache's virtual host directory. :) I tried CHROOTing them to /var/www/html, but it wouldn't allow the FTP users to CD to that directory. So I set up public_html accounts, thinking that if they could upload there, at least it would be viewable to the HTML world, and I could simply redirect. But that failed as well.

I'm easy. Linux isn't. ;)

So, I've had a few people try to help me out with this, but we couldn't figure it out. What's the proper way to allow one or two FTP users (not anonymous) to upload to the HTML directory? :newbie:

In general, is leaving SELinux disabled a bad thing for a simple at-home webserver? Is it going to be worth the hassle to poke through the options to find which combination is going to allow me to see and write to the public_html directories? I'm not familiar with SELinux enough to know off-hand what they might be.
*edit*

Turning off SELinux did allow me to see the /home/virtual/public_html/ directory, but not write to it. I changed the owner of the directory to virtual:virtual and permissions to 775, and I can now write to it, but not overwrite files or delete them. So, completely useless for updating a website. However they ARE being seen by the HTML world, so that's good.

btmiller 06-10-2006 02:27 PM

In general, the best way to do what you want is to create accounts for each user who needs to edit the Web site. Then, create a group called webmaster or whatever, and make the Web directory writeable by that group. That will allow each member of the webmaster group to put files into that directory. Make sure that you set their umask in VSFTP to 002, not 022. That way, members of the webmaster group will have write access to files uploaded by other members (make sure all files uploaded are actually owned by the webmaster group, either by making the webmaster group the primary group of all users uploading files or by chmod g+s'ing your web directory to force new files created to take the same group as the parent directory). This should accomplish what you want. I'd suggest reading one of the many tutorials on how Unix style permissions work for more information.

As for SELinux, if you're just running a simple home webserver, particularly if you're just serving static content, then it is probably overkill. Still, it wouldn't be a bad thing to learn about. I've been meaning to do some further reading on it myself.
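
A check for the setup btmiller describes (shared group, setgid web directory, umask 002), as an added example that is not part of the original thread: it audits a tree with find and shows, on a constructed temporary directory, that an upload made under umask 022 fails the check. The function names and the demo tree are assumptions, and the current user's primary group stands in for the webmaster group.

```shell
#!/bin/sh
# Added example, not from the thread. audit_webroot and demo are
# hypothetical names; the demo tree is constructed.

# Report anything under a shared web directory that breaks the scheme.
#   $1 = web directory, $2 = group (name or numeric GID) that should own it
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Findings:
#   wrong-group         owned by another group, so other members cannot edit it
#   no-setgid           directory where new uploads get the uploader's own group
#   not-group-writable  no group write bit, typically uploaded under umask 022
#   world-writable      wider than the group scheme needs (775, not 777)
audit_webroot() {
    root=$1 group=$2
    report=$(
        find "$root" ! -group "$group" -exec printf 'wrong-group %s\n' {} \;
        find "$root" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} \;
        find "$root" ! -type l ! -perm -020 -exec printf 'not-group-writable %s\n' {} \;
        find "$root" ! -type l -perm -002 -exec printf 'world-writable %s\n' {} \;
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed demo: one upload under umask 022 (the value in the question)
# and one under 002, both into a setgid, group-writable directory.
demo() {
    gid=$(id -g)
    web=$(mktemp -d) || return 1
    chgrp "$gid" "$web"
    chmod 2775 "$web"
    ( umask 022; : > "$web/uploaded-with-022.html" )
    ( umask 002; : > "$web/uploaded-with-002.html" )
    status=0
    audit_webroot "$web" "$gid" || status=$?
    rm -rf "$web"
    return "$status"
}

demo || true
```

Against a real site the call would be `audit_webroot /path/to/webroot webmaster`, run after the first test uploads.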

