FTP, permissions help

Odins_Son · 02-16-2006, 06:10 PM

I needed to allow a person access to my server via ftp to edit and change some webpages.

I created a user called rob and I made his home directory /var/www/html. The html directory is owned by root and all the web directories in the html directory are owned by apache. How can I get it so that user rob can log in via ftp and access everything in the /var/www/html?

Any help on this would be greatly appreciated.

This is the error I get when trying to log in. I'm guessing its an issue with perms or directory ownership.

error loading directory...
425 Failed to establish connection.
421 Timeout.
disconnected

pljvaldez · 02-16-2006, 06:27 PM

First, which FTP server are you using?

Second, is there a reason you want him to have access to /var/www/html instead of his ~/public_html? Apache has a config file that will allow you to give each person their own directory for html. In the web browser, they would just type www.mysite.com/~rob/.

For that matter, I suppose you could just create a symbolic link from /var/www/html/index.html to /home/rob/public_html/index.html... Then he could change his files whenever he wanted to and the symbolic link would allow www.mysite.com to actually point to rob's directory. (Note I haven't tried this before, but don't see why it wouldn't work...)

Odins_Son · 02-19-2006, 01:29 PM

got everything to work and it works fine while I have the server using the 20,21 ports.

However, I want my ftp to listen on a different port. When I make vsftpd listen on port 16000 I cannot connect.

here is the error I get:

500 Illegal PORT command.
Attemping PASV mode transfer...
PASV
227 Entering Passive Mode (209,89,7,231,110,127)
LIST
Connect socket #840 to 209.89.7.231, port 28287...
timeout
Error loading directory...
425 Failed to establish connection.

btmiller · 02-19-2006, 02:32 PM

FTP expects to use certain ports in ways other protocols do not. It looks like you're using passive mode FTP. Passive mode FTP uses a random port for data and (in your case) port 16000 for commands (normal is 21). In this case it looks like it picked port 28287 to receive the data stream connection from the client. If that port is blocked by a firewall, this won't work.

jcliburn · 02-19-2006, 04:03 PM

In order to allow passive mode traffic through the server's firewall, use the pasv_max_port and pasv_min_port options in vsftpd.conf. Then modify iptables to allow traffic on the port range you defined.

Odins_Son · 02-19-2006, 06:15 PM

Awsome...thanks guys

Odins_Son · 02-21-2006, 10:26 AM

I'm still having an issue with this I did set the pasv_max_port=195 and pasv_min_port=200 and I opened these ports on my firewall. However, the client still tries to connect on a random port. I did restart the service as well.

pljvaldez · 02-21-2006, 10:30 AM

I think min needs to be less than max. Above you said min=200 and max=195. Maybe putting them the other way around would help?

Odins_Son · 02-21-2006, 02:41 PM

Yeah, thats what I actually had and it still won't connect. Client keeps going into pasv mode and then tries a random port.

jcliburn · 02-21-2006, 05:09 PM

Here are all the options I have set in my vsftpd.conf.

Code:

[root@petrel vsftpd]# grep -v "#" /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES

pam_service_name=vsftpd
userlist_enable=YES
pasv_max_port=11001
pasv_min_port=11000

I run vsftpd from within xinetd. Here's the relevant xinetd conf file.

Code:

[root@petrel xinetd.d]# cat /etc/xinetd.d/vsftpd
# default: on
# description:
#   The vsftpd FTP server serves FTP connections. It uses
#   normal, unencrypted usernames and passwords for authentication.
# vsftpd is designed to be secure.
service ftp
{
        flags                   = IPv6
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/vsftpd
#       server_args             += local_enable=YES
#       server_args             +=
#       log_on_success          += DURATION USERID
#       log_on_failure          += USERID
        nice                    = 10
        disable                 = no
}

On the client side, I use unkerberized ftp (not the one in /usr/kerberos/bin). When you type "which ftp", what is returned?