LinuxQuestions.org
Old 06-29-2017, 02:43 PM   #1
Sharkadder
LQ Newbie
 
Registered: Dec 2012
Posts: 17

ftp account cannot create directory once logged in


Hi there,

I run a Linux-based web server with CentOS installed and have tried to set up both SFTP and FTP to allow users to log in via an FTP application such as FileZilla.

When I have set this up for the root user, it will let me log in through both SFTP and FTP and create/delete files and folders without any problems.

I then set up SFTP for a user called testuser; they can log in through FileZilla, but every time they go into another directory from /var/www/html it says access denied, even though I have changed the permissions.

After giving up on SFTP, I then set up FTP using vsftpd. The user was able to log in with FileZilla, but again when they went to change directory it wouldn't have it.

I then changed the user's home folder from /var/www/html to /home/testuser. The user was once again able to log in via FileZilla, but when I went to create a folder within the home directory it came up in FileZilla saying:
Response: 550 Create directory operation failed.

The permissions on the home/testuser directory are as follows:
drwxrwsrwx. 14 testuser ftp 4096 Jun 29 11:18 .

As you can see, I put the group as ftp, as testuser belongs to the group called ftp.

Anyone have any ideas why, once I log in via FileZilla, I cannot do anything such as create a new directory?

Many thanks,

Mark

Last edited by Sharkadder; 06-29-2017 at 02:45 PM.
 
Old 06-29-2017, 03:52 PM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Quote:
Originally Posted by Sharkadder View Post
I then changed the user's home folder from /var/www/html to /home/testuser. The user was once again able to log in via FileZilla, but when I went to create a folder within the home directory it came up in FileZilla saying:
Response: 550 Create directory operation failed.

The permissions on the home/testuser directory are as follows:
drwxrwsrwx. 14 testuser ftp 4096 Jun 29 11:18 .
A typical, out-of-the-box installation of both SFTP and FTP configurations will not allow a non-privileged user to change out of their home directories. This is generally what you want. Otherwise one user could access/change another user's files.

Allowing root login by either SFTP or FTP is not recommended.

That error looks like a web server response. Error 550 indicates a server error to a browser. How do you have FileZilla configured to connect to the server?

How are you changing the user's home folder?

A user's home folder should have
Code:
drwxr-xr-x 26 scasey user 4096 Oct 16  2013 .
That is, 644 permissions. Allowing group and world write ability only clouds your issue. Nothing on any server should ever require 777 permissions, especially if the server is on the 'net!

Are you running FileZilla from a Windows PC? If so, I highly recommend WinSCP as an S/FTP client. And SFTP over FTP whenever possible.

We're going to need more information about your ssh and ftp configurations, I think.

Last edited by scasey; 06-29-2017 at 03:56 PM.
 
2 members found this post helpful.
Old 06-29-2017, 04:32 PM   #3
Sharkadder
LQ Newbie
 
Registered: Dec 2012
Posts: 17

Original Poster
Hi there and thank you for your response.

I did have normal 701 permissions on the directory, and having looked at a few forum posts, people were recommending to try 755 and 777 permissions just to check if it actually works by changing them. I will change this back once I have got this working properly.

On my server I have Webmin installed, and within this GUI I have told the user to have a home directory of /home/testuser (this was done automatically in Webmin when the user was created). The directory does exist, as this is the directory the user logs into when I log in via FTP.

Also, the user has the shell of /bin/bash and only has a primary group of ftp with no secondary groups.

My sshd config file has a match statement for the ftp group, but when I tried creating a directory without the match statement it did the same:
Match Group ftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

In my vsftpd config I have changed the following:
anonymous_enable=NO
local_enable=YES
write_enable=YES

I have not changed the user list files, as the user can already log in via FTP. After all that, I made sure that the FTP server and Apache were restarted, and still no effect.

The only reason I am using both SFTP and FTP is because I couldn't get SFTP working for any user, and then whichever one I get working, I'll then drop the other, i.e. drop SFTP once I get FTP working. The web server is hosted on the internet but is only used by me at the moment for file storage, but I need some people to be able to log in for uploading test website files.

If you could direct me on how I can resolve this then that would be great, as this has been wracking my brain for a long time and I just cannot get anything working... I know SFTP and FTP can be temperamental to set up.

Last edited by Sharkadder; 06-29-2017 at 04:33 PM.
 
Old 06-30-2017, 01:37 AM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

I'll say again. Do not use 777 permies to "troubleshoot" -- if it won't work with 644 (or 755), then something else is wrong.

I've lost track of what problem we're trying to help you solve.
A non-privileged user should not be able to change out of his $HOME directory - if you're trying to allow this, don't.
He should be able to create directories and/or files in his $HOME directory - if that doesn't work, let us know what error you get, and which protocol you're using when you get it. Again, SFTP is preferred over FTP...it's secure.
I'm not sure what the match group has to do with anything. A user logged in with s/ftp to his home directory should have complete control within that directory.
I don't use vsftp...have you read the man page for that?
Did you try WinSCP?
 
Old 06-30-2017, 03:11 AM   #5
Sharkadder
LQ Newbie
 
Registered: Dec 2012
Posts: 17

Original Poster
Hi there and thank you for the reply.

Yes, I do not wish the user to be able to change out of the home directory... when they log into FTP they should remain in this directory and only be able to do things within it, which at the minute is what happens with "testuser".

The problem I have is with the user called "testuser" being able to create directories, files or even write to the home directory once logged in.

I have now installed WinSCP and the error it spits out once I go to new->Directory once logged in as "testuser":
Create directory operation failed.

When I go to new->file and go to save using WinSCP it spits out:
Copying files to remote side failed.
Could not create file.

These are similar errors to those I got when using FileZilla.

At the moment I am still using FTP but the user just cannot create a directory or upload files. Any ideas of settings I can look at?

Many thanks,

Mark

Last edited by Sharkadder; 06-30-2017 at 03:14 AM.
 
Old 06-30-2017, 03:36 AM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Quote:
Originally Posted by Sharkadder View Post
At the moment I am still using FTP but the user just cannot create a directory or upload files. Any ideas of settings I can look at?
If the machine is in any way connected to the net, please uninstall the FTP daemon as a service to the rest of us. There is no way it can be made secure for login and upload. Its continued presence on the net will come back to bite you sooner or later.

SFTP is easier to set up since it works out of the box when you install the package providing the OpenSSH server. Chrooted SFTP is not hard but you do have to take into account that the target directory must be owned by root and not writable by anyone else.

Which directory do you want to chroot the accounts to? If you put them in their own home directory in /home/ it could look like this for permissions:

Code:
chmod 701 /home
chmod 750 /home/*
Then in conjunction with those permissions, in /etc/sshd_config you could have the following to lock any account in the group 'sftponly' into their respective home directories:

Code:
Subsystem sftp internal-sftp

Match Group sftponly
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp -d %u
Technically that chroots them to /home but puts them into their home directory immediately. And with those permissions, they can't move around or even look in /home.

However, if you want to really chroot them to their own home, then you'd have to nest their directories one level deeper.

Again, which directory do you want to chroot the accounts to?
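
The ownership rule from the post above, as an added example that is not part of any poster's reply: sshd rejects a ChrootDirectory unless every component of the path is a root-owned directory that is not writable by group or others. The function names are hypothetical, `stat -c` assumes GNU coreutils (as on CentOS), and the uid 1001 for testuser is a constructed value; the modes are the ones listed in this thread.

```shell
#!/bin/sh
# Added example: pre-flight check for sshd's ChrootDirectory ownership rule.

# chroot_component_ok UID OCTAL_MODE
# Succeeds only if the component is owned by root (uid 0) and has neither
# the group-write nor the other-write bit set (mask 0022).
chroot_component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 0022 )) -eq 0 ]
}

# check_chroot_path DIR
# Walks DIR and each parent up to /, printing every component sshd would
# reject. Returns 0 if all pass, 1 if any fail, 2 if DIR cannot be read.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    rc=0
    while :; do
        owner=$(stat -c %u "$dir") && mode=$(stat -c %a "$dir") || return 2
        if ! chroot_component_ok "$owner" "$mode"; then
            echo "REJECT $dir (uid=$owner mode=$mode)"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Constructed input: the directory listings quoted in this thread.
# /home as root 701 is a valid chroot target; a home directory owned by
# testuser is not, whatever its mode, so "ChrootDirectory %h" cannot work
# with it, while "ChrootDirectory /home" plus "-d %u" can.
while read -r path uid mode; do
    if chroot_component_ok "$uid" "$mode"; then verdict=ok; else verdict=REJECT; fi
    echo "$verdict $path uid=$uid mode=$mode"
done <<'EOF'
/home 0 701
/home/testuser 1001 2777
/home/testuser 1001 2750
EOF
```

On a live server, run `check_chroot_path` as root against the directory named in ChrootDirectory before restarting sshd.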
 
Old 06-30-2017, 07:49 AM   #7
Sharkadder
LQ Newbie
 
Registered: Dec 2012
Posts: 17

Original Poster
Hi there,

I have applied those settings now; I added permissions onto both home and /home/testuser folders and also added the section you mentioned into sshd_config.

Basically all new users will be given a directory inside of /home, and so it is their home folder I would like them to be chrooted to. This will mean that they shouldn't even be allowed to go back from their folder into the home directory.

When I log in via FTP and go to create a new directory it still says:
550 Create directory operation failed.

Here are my permissions sections on the home folder and test user folder:
Home:
drwx-----x. 4 root root 4096 Jun 29 16:19 .

testuser folder:
drwxr-s---. 14 testuser ftp 4096 Jun 29 11:18

What do you think I could try next to eliminate specific issues? As I say, root can do anything and it's just my new user who cannot.
 
Old 06-30-2017, 07:54 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

Quote:
Originally Posted by Sharkadder View Post
When I log in via FTP and go to create a new directory it still says:
550 Create directory operation failed.
Hmm. I mean SFTP not FTP. FTP should be removed from the machine.

With those new settings, give it a try with SFTP and see if your user can log in and make a directory.

By the way, root should (almost) never be allowed to log in remotely.
 
Old 06-30-2017, 07:56 AM   #9
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,623

Please respond with the results of the command
Quote:
id testuser
 
Old 06-30-2017, 01:16 PM   #10
Sharkadder
LQ Newbie
 
Registered: Dec 2012
Posts: 17

Original Poster
OK, so I took on board your advice to ditch FTP and just keep SFTP on the server; I then tried to log in via SFTP and create a new directory and this time... it worked! I do not know what went wrong, as I am sure that I tried the settings which you quoted before.

The testuser is able to create directories, upload files, remove files and rename etc. inside of their home folder... also they cannot go back to a previous directory, which is good.

So the home directory has the right permissions on now and also the server access can no longer be accessed by FTP.

I am not sure if I need to do anything else, but otherwise thank you all very much for your help... absolutely great, as this has been wracking my mind for ages, and so thank you.
 
  

