LinuxQuestions.org
Old 09-18-2010, 03:09 AM   #1
shokemyster
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Rep: Reputation: 0
Ubuntu: How do you give sftp root privilege to user?


Hello folks,

This is the first thread I have ever made on the Linux forum, and I just began using Linux Ubuntu Lucid for my server.
Please bear with me because I think I am asking such a basic question.

How do you give sftp root privilege to user?
I've made group "admin" and made 2 users under that group.
Trying to upload a file onto a server using SFTP with one of the users, and it fails and says "Permission denied."

I gave full sudo/root permission to the group "admin" from /usr/sbin/visudo
I mainly use Transmit 4 but I also have FileZilla.
Or is there a way to run a sudo command in either FTP client application?

Please advise.
Thank you all!

Last edited by shokemyster; 09-18-2010 at 03:15 AM.
 
Old 09-18-2010, 03:21 AM   #2
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111
Quote:
Originally Posted by shokemyster View Post
Hello folks,

This is the first thread I have ever made on the Linux forum, and I just began using Linux Ubuntu Lucid for my server.
Please bear with me because I think I am asking such a basic question.

How do you give sftp root privilege to user?
I've made group "admin" and made 2 users under that group.
Trying to upload a file onto a server using SFTP with one of the users, and it fails and says "Permission denied."

I gave full sudo/root permission to the group "admin" from /usr/sbin/visudo
I mainly use Transmit 4 but I also have FileZilla.
Or is there a way to run a sudo command in either FTP client application?

Please advise.
Thank you all!
Did you give the local user upload permission?

Paste your FTP configuration here.

Regards,
 
Old 09-18-2010, 03:28 AM   #3
shokemyster
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Did you give the local user upload permission?
Paste your FTP configuration here.
Thanks for the reply, sem007.

There is a permission file to configure for the FTP connection!?
How do you do that?
 
Old 09-18-2010, 04:46 AM   #4
jmc1987
Member
 
Registered: Sep 2009
Location: Oklahoma
Distribution: Debian, CentOS, windows 7
Posts: 872

Rep: Reputation: 112
I'm not sure which FTP server you are using, but your configuration file would be in /etc somewhere. What FTP server are you using?
 
Old 09-18-2010, 04:48 AM   #5
jmc1987
Member
 
Registered: Sep 2009
Location: Oklahoma
Distribution: Debian, CentOS, windows 7
Posts: 872

Rep: Reputation: 112
If you've got vsftp, then it is /etc/vsftpd.conf
 
Old 09-18-2010, 08:07 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
Quote:
How do you give sftp root privilege to user?
Please reconsider this approach. Giving root access to external facing services is NOT the way to go. If you could describe what you're trying to achieve we can almost certainly come up with a way to solve the problem that doesn't involve exposing root.
 
Old 09-18-2010, 08:56 AM   #7
shokemyster
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Thank you guys for the replies.

I didn't even install vsftpd... But I was able to access SFTP with my SSH users and root.
Anyhow, I just installed vsftpd and googled a little bit on it (found this page: http://www.linuxhomenetworking.com/w...P_Server_Setup),
but I can't even access the FTP server that's run by vsftpd... (I can still log on with my SSH users, of course.)

Before I get to the question I've stated, can anyone point me to a good article on installing vsftpd on Ubuntu?
There are so many, but I've found none that goes into depth, such as the config for iptables, etc...
 
Old 09-18-2010, 11:00 AM   #8
shokemyster
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Another question.

Is accessing the server over the SFTP protocol with SSH root different from accessing the FTP server that's run by vsftpd?
(I installed vsftpd but I can't even access it.)
Doesn't being able to access SFTP with SSH root mean there is an FTP server already built in?
Or is SFTP with SSH root in an FTP client just another way of logging into SSH, like on the terminal? (Just a different appearance, I suppose?)

Sorry for the dumb question...
 
Old 09-18-2010, 11:55 AM   #9
shokemyster
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Thank you for the advice, Hangdog42.

Okay, I think what I said might have exaggerated the thing I want to achieve.
I'll keep your advice in mind for future reference. I appreciate it.

What I'm trying to achieve is to run an FTP server,
create an FTP user, set a password,
log in to the server with SFTP,
and make that user able to read, list, make, and delete (pretty much all file execution).

It'll be awesome if you guys could help me set up vsftpd as well...
I've set iptables for FTP:

Quote:
-A INPUT -p tcp --dport 21 -j ACCEPT
and my ftp config is
Quote:
anonymous_enable=NO
local_enable=YES
write_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ssl_enable=Yes
userlist_deny=No
userlist_enable=Yes
userlist_file=/etc/vsftpd.allowed_users
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
force_dot_files=YES
hide_ids=No
max_per_ip=2
max_clients=20
max_per_ip=2
max_clients=20
guest_enable=YES
guest_username=ftp
user_config_dir=/etc/vsftpd/vusers
Before accessing through SFTP, I used normal FTP (port 21) to see if I could get access, but it doesn't seem to be working.

Thank you everybody for spending time to help me.
I really appreciate it.
 
Old 09-18-2010, 01:37 PM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
Quote:
-A INPUT -p tcp --dport 21 -j ACCEPT
That isn't going to be sufficient. If you have a read of this description, you'll see that FTP uses a variety of ports, and port 21 is just the initial port used to establish the connection. How you solve this at the firewall level kind of depends upon your environment. If you are just using FTP within a LAN, or if the server is directly exposed to the internet, you can probably get by using the ip_conntrack_ftp module. However, if you have a router between your ftp server and the outside world, you may have to fix a range of ports for vsftpd to use in passive mode. On my server, I've got this in my vsftpd.conf:

pasv_min_port=50000
pasv_max_port=51000

That fixes the passive ports and in my firewall I've got this set of rules:

Code:
iptables -N FTPBAN
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTPBAN
iptables -A FTPBAN -m recent --set --name FTP
iptables -A FTPBAN -m recent --update --seconds 60 --hitcount 4 --name FTP -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 50000:51000 -j ACCEPT
The first part shuts down anyone trying to brute force the FTP server (and is entirely optional) and the second part allows the ports needed for passive and active FTP. I've also got my router set up to forward 20, 21 and 50000-51000 to the FTP server.
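
The FTPBAN chain in the post above, modelled as an added example (not part of the original post): a simplified Python model of how `--set` followed by `--update --seconds 60 --hitcount 4` treats new connections, run over a constructed timeline with documentation-range addresses. It ignores the kernel's per-entry limit on stored timestamps.

```python
from collections import defaultdict

WINDOW = 60     # --seconds 60
HITCOUNT = 4    # --hitcount 4

# Constructed sample: (seconds since start, source address) of NEW connections to port 21.
SAMPLE = [(0, "203.0.113.5"), (0, "198.51.100.7"), (5, "203.0.113.5"),
          (10, "203.0.113.5"), (15, "203.0.113.5"), (20, "203.0.113.5"),
          (30, "198.51.100.7"), (70, "203.0.113.5"), (75, "203.0.113.5"),
          (100, "198.51.100.7"), (200, "203.0.113.5")]

def ftpban(attempts, window=WINDOW, hitcount=HITCOUNT):
    """Return [(time, source, verdict)] for each NEW connection attempt."""
    stamps = defaultdict(list)          # per-source timestamps, like the "FTP" list
    verdicts = []
    for t, src in sorted(attempts):
        # Rule 1: -m recent --set  (always records the packet, never drops)
        stamps[src].append(t)
        # Rule 2: -m recent --update --seconds 60 --hitcount 4 -j DROP
        hits = sum(1 for s in stamps[src] if t - s <= window)
        if hits >= hitcount:
            stamps[src].append(t)       # --update refreshes the entry when it matches
            verdicts.append((t, src, "DROP"))
        else:
            # Not matched: the packet returns to INPUT and reaches the ACCEPT rules.
            verdicts.append((t, src, "ACCEPT"))
    return verdicts

def verdicts_for(src, attempts=SAMPLE):
    """Verdicts for one source address, in time order."""
    return [v for _, s, v in ftpban(attempts) if s == src]

if __name__ == "__main__":
    for t, src, verdict in ftpban(SAMPLE):
        print(f"t={t:>3}s  {src:<13} {verdict}")
```

The fourth attempt inside 60 seconds is the first one dropped, and a source that keeps retrying stays blocked because every dropped attempt is still recorded; it is let in again only after it has been quiet for the whole window.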
 
Old 09-18-2010, 01:41 PM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
Quote:
Originally Posted by shokemyster View Post
Another question.

Is accessing the server over the SFTP protocol with SSH root different from accessing the FTP server that's run by vsftpd?
(I installed vsftpd but I can't even access it.)
Doesn't being able to access SFTP with SSH root mean there is an FTP server already built in?
Or is SFTP with SSH root in an FTP client just another way of logging into SSH, like on the terminal? (Just a different appearance, I suppose?)

Sorry for the dumb question...
Yes, SFTP and FTP are two different beasts that have nothing to do with each other. To add to the confusion there is also FTPS which uses SSL to encrypt the FTP traffic (normal FTP is not encrypted) or running FTP over an SSH tunnel.
 
Old 09-19-2010, 12:58 AM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325
As above, SFTP & FTP (+/- S) are very different. sftp is a built-in part of the ssh pkg (along with scp) and runs on port 22. It has absolutely nothing to do with 'normal' FTP as used by e.g. vsftpd.
Start by deciding which you are going to use, e.g. sftp, and remove vsftpd before you get any more confused.
As recommended, don't allow root access via any ssh tool; it's probably the most popular target for crackers.
Instead, use your own id with a strong passwd, then su - up to root (another strong passwd for root) if you need root powers later.
FileZilla works well for sftp.
 
Old 09-19-2010, 11:29 AM   #13
shokemyster
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Thank you, Hangdog42, for the detailed information.
I appreciate it a lot.
I'm remotely controlling the hosted Linux server, so it seems like I need to set the config for passive mode.

And chrism01, thank you for replying too.
Yes, I'm very confused now. FTP transfer is the most important thing for me when it comes to a server.
So I want to clear everything up...
I thought I was geek enough to manage and run a Linux server from scratch, but there is so much more to learn than I thought...
And what do you mean by
Quote:
Start by deciding which you are going to use, e.g. sftp, and remove vsftpd before you get any more confused.
???


But I'm still confused.
Okay, so please tell me if I'm stating the right thing or not.

SFTP is part of the SSH connection, and when you connect as a user,
the user does NOT have permission to any file, unless the file or folder was made by the user.

For FTP or FTPS, the user privilege is controlled by the user config, and file/folder permission matters for editing.

Thank you guys for your support!!!
 
Old 09-19-2010, 12:48 PM   #14
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416
Quote:
SFTP is part of the SSH connection, and when you connect as a user,
the user does NOT have permission to any file, unless the file or folder was made by the user.
Yeah, that's pretty much right. Their ability to do things is largely the same as if they were logged into the machine directly.

Quote:
For FTP or FTPS, the user privilege is controlled by the user config, and file/folder permission matters for editing.
That is also pretty much correct.


So now I'm going to throw one more thing your way. Security. Since you will be exposing SSH and potentially FTP to the Internet, you do need to think about detecting and mitigating the brute force attacks that are going to come. So some of the questions you need to think about are:

- Will you use password or key-based SSH authentication?
- Do you have a way of monitoring what files get uploaded?
- Can you lock down access to specific IP addresses?
- Do you have a process for installing patches and upgrading the system?
- Do you have a backup/restore strategy in place in case the worst happens?
- Have you completely and totally eliminated the chance for root to log in via SSH or FTP?
- Do you have a process for monitoring logs?
- Have you shut down all unneeded services?
 
Old 09-22-2010, 05:30 AM   #15
shokemyster
LQ Newbie
 
Registered: Sep 2010
Posts: 9

Original Poster
Rep: Reputation: 0
Sorry everyone for replying late.
I was figuring out how the whole vsftpd thing works.

Hangdog42, when I was going through your questions, I figured I need to use an SSL connection for vsftpd,
because I'm going to connect from the internet.

I was able to access the FTP server fine, until I added ssl_enable=YES.

Here are my vsftpd.conf and iptables. (I changed ports to something unpredictable for better security.)

Quote:
pasv_min_port=50000
pasv_max_port=51000
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
listen_port=3721
ftp_data_port=3720
rsa_cert_file=/etc/vsftpd/vsftpd.pem
local_enable=YES
write_enable=YES
chroot_local_user=YES
pam_service_name=vsftpd
Quote:
-N FTPBAN
-A INPUT -p tcp --dport 3721 -m state --state NEW -j FTPBAN
-A FTPBAN -m recent --set --name FTP
-A FTPBAN -m recent --update --seconds 60 --hitcount 4 --name FTP -j DROP

-A INPUT -i eth0 -p tcp --dport 3720 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 3721 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 50000:51000 -j ACCEPT
I used FileZilla with FTPS port 3715, and I'm not able to connect.
Please help.
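
An added example, not part of the original post: a small Python cross-check of the vsftpd settings, iptables ACCEPT rules and client port quoted above, of the kind worth running before debugging TLS itself. The inputs are copied from the post as constructed sample strings; the function names are this example's own.

```python
import re

# Constructed input: settings and ACCEPT rules as quoted in the post above.
VSFTPD_CONF = """\
pasv_min_port=50000
pasv_max_port=51000
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
listen_port=3721
ftp_data_port=3720
"""
IPTABLES_RULES = """\
-A INPUT -p tcp --dport 3721 -m state --state NEW -j FTPBAN
-A INPUT -i eth0 -p tcp --dport 3720 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 3721 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 50000:51000 -j ACCEPT
"""

def parse_conf(text):
    """vsftpd.conf is one key=value per line; lines starting with '#' are comments."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip().lower(): v.strip() for k, v in pairs}

def accepted_ranges(rules):
    """(low, high) TCP destination port ranges that an ACCEPT rule lets in."""
    found = re.finditer(r"-p tcp .*--dport (\d+)(?::(\d+))? .*-j ACCEPT$", rules, re.M)
    return [(int(m.group(1)), int(m.group(2) or m.group(1))) for m in found]

def audit(conf_text, rules_text, client_port):
    conf, ranges = parse_conf(conf_text), accepted_ranges(rules_text)
    findings = []
    listen = int(conf.get("listen_port", 21))       # vsftpd defaults to port 21
    if client_port != listen:
        findings.append(f"client connects to {client_port}, vsftpd listens on {listen}")
    if not any(a <= listen <= b for a, b in ranges):
        findings.append(f"listen_port {listen} has no ACCEPT rule")
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if not any(a <= lo and hi <= b for a, b in ranges):
        findings.append(f"passive range {lo}-{hi} is not fully accepted")
    for opt in ("ssl_sslv2", "ssl_sslv3"):
        if conf.get(opt, "NO").upper() == "YES":
            findings.append(f"{opt}=YES enables an obsolete protocol version")
    return findings
```

Calling `audit(VSFTPD_CONF, IPTABLES_RULES, 3715)` reports the port mismatch and the two legacy SSL options; the listen port and the passive range are both covered by the posted ACCEPT rules.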
 
All times are GMT -5. The time now is 02:45 PM.