LinuxQuestions.org


tommytomato 03-17-2010 08:27 PM

www-data
 
Hi all

I know this question has come up so many times.

Anyone care to point me to a fix to get this issue fixed? I've reinstalled my system (Ubuntu 9.10 command line server). The server is next to me on the floor; I use another PC, Ubuntu desktop 9.10, to gain access.

I have installed a LAMP server with vsftpd, ssh, imagemagick, php5-gd. I'm planning on running Joomla, Wordpress, Gallery and webmin on this server.

The only user that has been added is the admin user when you first install the system, and sudo has not yet been changed. I use sudo for access to root, as in sudo apt-get update.

All I want to do is use an FTP program like gFTP, or a win app on wine called winscp, to upload files to /var/www to be able to run my site.

So is there any fix to this problem that a lot of people seem to be having? I would love to know.

chrism01 03-17-2010 08:43 PM

Create a webdev user on the server; use scp (part of ssh pkg) to txmit files from the client to the server on that user eg

client:/home> scp file webdev@server:/home

If you add webdev user to the same group as the owner of var/www/ eg apache then add group write access to that dir path, the webdev user will be able to copy from his home dir to the /var/www. In fact, you should be able to scp direct from the client system to that dir as webdev user.

Don't know if Ubuntu has SELinux service; if so you may(?) have to change the context as well, but let's try the above first.

smoker 03-17-2010 08:57 PM

You have apache installed.
Why not make use of that fact and change the directory for the web root. (default site)

As admin, create directories in admin's home directory like the following
www
www/html
www/cgi-bin

Make sure they all have permissions of 755

edit /etc/httpd/conf/httpd.conf as root

find the line
Code:

DocumentRoot "/var/www"
and change it to
Code:

DocumentRoot "/home/admin/www/html"
a bit further down you will find
Code:

<Directory "/var/www">
change that to
Code:

<Directory "/home/admin/www/html">

If you want to run cgi scripts go down until you find

Code:

ScriptAlias
and make it like

Code:

ScriptAlias /cgi-bin/ "/home/admin/www/cgi-bin/"
also a bit further down change the <Directory> line to read
Code:

<Directory "/home/admin/www/cgi-bin">
None of the lines you are changing should have # in front of them.

When you've done all those lines, save the file and restart apache.

You can now log in over ftp using admin as the user name and whatever admin's password is.

It doesn't have to be admin. It can be any user you want to create for the purpose. Just replace admin with the correct user name in the above instructions.

If you want to access the web server by another domain name (separate site) then you have to add a virtual host to httpd.conf with that domain name.
There are examples in the file. The default site is the one that will come up if you don't specify a virtual site.
Technically, every user on the server could have their own web site and domain names.

tommytomato 03-17-2010 09:11 PM

Thanks smoker

I don't use cgi myself, in fact I never have. I do have subdomains, so that won't change anything, will it, when I add them in?

Thanks for the tip, that sounds a lot easier to do.

TT ( karl )

smoker 03-17-2010 09:25 PM

sub domains can be done as virtual hosts.

Example virtual host section in httpd.conf
Code:

<VirtualHost *:80>

        ServerName sub.domain.com
        ServerAdmin me@domain.com
        DocumentRoot /home/<username>/www/html
        RewriteEngine on

        <Directory /home/<username>/www/html/>
                Allow from all
                AllowOverride All
                Order allow,deny
        </Directory>

        SetEnv SITE_ROOT /home/<username>
        SetEnv SITE_HTMLROOT /home/<username>/www/html

</VirtualHost>


tommytomato 03-18-2010 06:53 PM

Quote:

Originally Posted by smoker (Post 3902585)
You have apache installed.
Why not make use of that fact and change the directory for the web root. (default site)

As admin, create directories in admin's home directory like the following
www
www/html
www/cgi-bin

Make sure they all have permissions of 755

edit /etc/httpd/conf/httpd.conf as root

find the line
Code:

DocumentRoot "/var/www"
and change it to
Code:

DocumentRoot "/home/admin/www/html"
a bit further down you will find
Code:

<Directory "/var/www">
change that to
Code:

<Directory "/home/admin/www/html">

If you want to run cgi scripts go down until you find

Code:

ScriptAlias
and make it like

Code:

ScriptAlias /cgi-bin/ "/home/admin/www/cgi-bin/"
also a bit further down change the <Directory> line to read
Code:

<Directory "/home/admin/www/cgi-bin">
None of the lines you are changing should have # in front of them.

When you've done all those lines, save the file and restart apache.

You can now log in over ftp using admin as the user name and whatever admin's password is.

It doesn't have to be admin. It can be any user you want to create for the purpose. Just replace admin with the correct user name in the above instructions.

If you want to access the web server by another domain name (separate site) then you have to add a virtual host to httpd.conf with that domain name.
There are examples in the file. The default site is the one that will come up if you don't specify a virtual site.
Technically, every user on the server could have their own web site and domain names.

Hey Smoker, I'm just getting into it now, this path
Code:

/etc/httpd/conf/httpd.conf
is not the same on my system, it's under
Code:

/etc/apache2
the files I would have to edit would be

Code:

/etc/apache2/sites-enabled/000-default
and

Code:

/etc/apache2/sites-available/default
and the same for ssl

Code:

/etc/apache2/sites-available/default-ssl
Will let you know

TT ( karl )

tommytomato 03-18-2010 07:59 PM

Quote:

Originally Posted by chrism01 (Post 3902577)
Create a webdev user on the server; use scp (part of ssh pkg) to txmit files from the client to the server on that user eg

client:/home> scp file webdev@server:/home

If you add webdev user to the same group as the owner of var/www/ eg apache then add group write access to that dir path, the webdev user will be able to copy from his home dir to the /var/www. In fact, you should be able to scp direct from the client system to that dir as webdev user.

Don't know if Ubuntu has SELinux service; if so you may(?) have to change the context as well, but let's try the above first.

What do you mean by webdev? I haven't heard of that term before.

TT ( karl )

tommytomato 03-18-2010 08:01 PM

Smoker, it did work, but I now have lost awstats and webalizer as well, I know you have tried to help, but I would rather try and get my user to upload to the original path instead ( /var/www )

TT ( karl )

chrism01 03-18-2010 08:05 PM

webdev; just a generic made up name for a web development user ie you...

Actually, an acl would be more secure; no need to allow the group to write to those dirs:
Code:

setfacl -m d:u:youruser:rw /var/www
http://linux.die.net/man/1/setfacl

tommytomato 03-18-2010 08:15 PM

I see

I've reset apache2 back to /var/www

the group that has that path is www-data and its group is www-data going by details in webmin

My only user which is admin, EG: my nick has the same group as the nick EG: tommytomato

I've tried before to add tommytomato to the www-data group and I wasn't able to write to the directory and tommytomato home directory is /home/username

TT ( karl )

chrism01 03-18-2010 08:34 PM

Basically, apache installs as someuser:somegroup. This varies on different distros and I don't have Ubuntu.
If you go from a fresh install of apache, you can do

ls -l /var/www

to see what the default ownership & group is. As I said, no need to allow apache to write to those dirs (for security). Add an acl to allow your user to write there.
If you

cat /etc/passwd

you can see current registered users info.

tommytomato 03-18-2010 08:44 PM

/var/www is owned by root and its group is root too, from what I can see

Code:

ls -l /var/www
total 8
-rw-r--r-- 1 root root  177 2010-03-17 21:13 index.html
drwxr-xr-x 2 root root 4096 2010-03-19 07:24 webalizer

acl, is that like so? I did try this 2 days ago with NO luck

Quote:

Originally Posted by sayan_acharjee (Post 3901559)
I mean you need to create an access control list for the user allowing it to read-write-execute in the directory, I am not talking about the usual chmod driven permission.
Here is how you can do this:
edit the /etc/fstab file in the following manner:

The mount point can be different depending on the way your system is partitioned, if the /var partition is mounted somewhere else then you need to edit that line by putting ,acl option after defaults.
Then remount that partition:


Set the acl:

http://www.linuxquestions.org/questi...952/page2.html

TT ( karl )

chrism01 03-18-2010 09:02 PM

Post #30 on that page shows how to setup the partition for acls; except use the acl format of mine above. It ensures that all files/dirs get acl set (d = default). Read that man page link of mine first.

See also
http://rute.2038bug.com/index.html.gz
http://www.linuxtopia.org/online_boo...ion/index.html - RHEL, but concepts are same as are most cli cmds.

tommytomato 03-18-2010 10:44 PM

I read that stuff and it doesn't make a lot of sense right now, but I gave it a shot.

I edited the file sudo vim /etc/fstab and I added acl to the line

Code:

UUID=00a855d6-4164-4d31-8f8f-9920870dc190 /              ext4    errors=remount-ro,acl 0      1
then I did
Code:

sudo mount -o remount,acl /
and then
Code:

sudo setfacl -m d:u:tommytomato:rw /var/www
and I still can't write to that folder lol, only tommytomato home directory

TT ( karl )

Sayan Acharjee 03-18-2010 11:33 PM

Are you sure that SELinux is disabled for vsftpd?

tommytomato 03-18-2010 11:37 PM

I'll have a look at the vsftpd.conf file now

TT ( karl )

Sayan Acharjee 03-18-2010 11:39 PM

See if write option is enabled or not, look for this entry:
Quote:

# Uncomment this to enable any form of FTP write command.
write_enable=YES

tommytomato 03-18-2010 11:44 PM

Quote:

Originally Posted by sayan_acharjee (Post 3904038)
See if write option is enabled or not, look for this entry:

Yer that's OK, I see that I don't have SELinux if going by this quick search I did to find what SELinux was, LOL, never heard of it before.

I read that the path is
Code:

/etc/selinux/config
I don't think it's installed, I did whereis and got
Code:

selinux:
TT ( karl )

Sayan Acharjee 03-18-2010 11:52 PM

To see whether selinux is enabled or not, run this command:
Quote:

#sestatus
I guess you've checked that write_enable=YES, anon_upload_enable=YES and anon_mkdir_write_enable=YES in the vsftpd.conf file?

tommytomato 03-19-2010 12:13 AM

Quote:

Originally Posted by sayan_acharjee (Post 3904050)
To see whether selinux is enabled or not, run this command:

I guess you've checked that write_enable=YES, anon_upload_enable=YES and anon_mkdir_write_enable=YES in the vsftpd.conf file?

Here's what I got

Code:

sestatus
The program 'sestatus' is currently not installed.  You can install it by typing:
sudo apt-get install policycoreutils
sestatus: command not found

I was going to use the command sudo apt-get install selinux

vsftpd is like so
Code:

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
#
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Run standalone with IPv6?
# Like the listen parameter, except vsftpd will listen on an IPv6 socket
# instead of an IPv4 one. This parameter and the listen parameter are mutually
# exclusive.
#listen_ipv6=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# If enabled, vsftpd will display directory listings with the time
# in  your  local  time  zone.  The default is to display GMT. The
# times returned by the MDTM FTP command are also affected by this
# option.
use_localtime=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
#
# Debian customization
#
# Some of vsftpd's settings don't fit the Debian filesystem layout by
# default.  These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty.  Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

Another question though

How do I undo what I did before

Code:

sudo setfacl -m d:u:tommytomato:rw /var/www
Or wouldn't that have taken effect yet?

I found a vid about ACLs

Here's what I've learnt

to create a new group
Code:

sudo groupadd menewgroup
then add user to that group and create password
Code:

sudo useradd -Gmenewgroup newuser
then do the newuser password
Code:

sudo passwd newuser
add acl to fstab file then reboot later

then mount
Code:

sudo mount -o remount /
then give permissions for it
Code:

sudo setfacl -Rdm g:menewgroup:rwx /var/www
Not sure about the permissions, I want to be able to upload/write/mod and allow appz like joomla, wordpress, gallery to write/delete and so on when you use CMS software

I'm still lost but I'm giving it a go and trying to understand it

TT ( karl )
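
Added example, not part of the original post: a small Python audit of the active directives in the vsftpd.conf posted above, flagging the anonymous-write combination and cleartext local logins. The function names and the embedded sample (the uncommented lines of that file) are constructed for illustration; the defaults are those documented in vsftpd.conf(5).

```python
# Constructed input: the active (uncommented) directives from the vsftpd.conf posted above.
POSTED_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
"""

# Compiled-in defaults for the options checked here (vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
    "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO", "ssl_enable": "NO",
}


def parse_conf(text):
    """Return effective settings: defaults overlaid with uncommented key=value lines."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (option, recommended value, reason) for each risky combination."""
    def on(key):
        return settings.get(key, "NO").upper() == "YES"

    findings = []
    if on("anonymous_enable"):
        findings.append(("anonymous_enable", "NO", "anonymous logins are accepted"))
        if on("write_enable") and on("anon_upload_enable"):
            findings.append(("anon_upload_enable", "NO",
                             "anonymous users can upload where the ftp user can write"))
        if on("write_enable") and on("anon_mkdir_write_enable"):
            findings.append(("anon_mkdir_write_enable", "NO",
                             "anonymous users can create directories"))
    if on("local_enable") and not on("ssl_enable"):
        findings.append(("ssl_enable", "YES",
                         "local account passwords cross the network in cleartext"))
    return findings


def harden(settings):
    """Apply every recommended value from audit() and return the new settings."""
    return {**settings, **{opt: value for opt, value, _ in audit(settings)}}
```

Turning on `ssl_enable` also requires a private key matching `rsa_cert_file`; the scp route suggested earlier in the thread avoids FTP altogether.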

Sayan Acharjee 03-19-2010 12:34 AM

I can see this line in vsftpd.conf:
Quote:

#chown_uploads=YES
Remove the # from the front, don't know if it will work or not but I found it like this in my vsftpd.conf file which is working properly.

You can see the effective acl in the folder with the following command:
Quote:

#getfacl /var/www

To remove acl from that directory you can use:
Quote:

#setfacl -x u:username /var/www

tommytomato 03-19-2010 12:42 AM

Cheers for that

So does one need to install SELinux for this to happen?

Does what I've learnt make any sense? I haven't actually done it yet; I write it all down on paper to try to understand it better first, then hit the command line. I'm trying to keep the system as clean as possible with installing too many programs.

TT ( karl )

Sayan Acharjee 03-19-2010 12:44 AM

No, you don't need selinux to make it work.
By the way, which is the error gftp is throwing when you are trying to upload? There should be an error no, like 553 or 550.

tommytomato 03-19-2010 12:53 AM

It's a 533, Sayan

TT ( karl )

tommytomato 03-19-2010 12:57 AM

Quote:

Originally Posted by sayan_acharjee (Post 3904078)
I can see this line in vsftpd.conf:

Remove the # from the front, don't know if it will work or not but I found it like this in my vsftpd.conf file which is working properly.

You can see the effective acl in the folder with the following command:


To remove acl from that directory you can use:

I uncommented the chown_uploads=YES, still throws up a 533

TT ( karl )

tommytomato 03-19-2010 01:05 AM

when running this command
Code:

#sudo setfacl -x u:username /var/www
doesn't it remove the user from the list ? because it's still there

Code:

tommytomato@rockinghamgateway:~$ sudo setfacl -x u:tommytomato /var/www
tommytomato@rockinghamgateway:~$ getfacl /var/www
getfacl: Removing leading '/' from absolute path names
# file: var/www
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:tommytomato:rw-
default:group::r-x
default:mask::rwx
default:other::r-x

tommytomato@rockinghamgateway:~$

TT ( karl )

Sayan Acharjee 03-19-2010 01:09 AM

As you have created the acl with d: it's still there with the default option, use this instead:
Quote:

setfacl -x d:u:tommytomato /var/www
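
Added example, not part of the original posts: why the `d:` entry showed up under `default:` and never let tommytomato write to /var/www. It parses the getfacl output posted earlier in the thread and applies the POSIX ACL access check; the function names are hypothetical and root's permission bypass is not modelled.

```python
# Constructed input: the getfacl output posted earlier in the thread for /var/www.
GETFACL_VAR_WWW = """\
# file: var/www
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:tommytomato:rw-
default:group::r-x
default:mask::rwx
default:other::r-x
"""


def parse_getfacl(text):
    """Split getfacl output into owner, group, access entries and default entries."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # Drop a trailing "#effective:..." comment, then split tag:qualifier:perms.
            fields = line.split("#", 1)[0].strip().split(":")
            kind = "access"
            if fields[0] == "default":
                kind, fields = "default", fields[1:]
            tag, qualifier, perms = fields
            acl[kind].append((tag, qualifier, set(perms) - {"-"}))
    return acl


def allows(acl, user, user_groups, wanted):
    """POSIX ACL check on the object itself; default: entries are never consulted."""
    entries, wanted = acl["access"], set(wanted)

    def find(tag, qualifier=""):
        return next((p for t, q, p in entries if (t, q) == (tag, qualifier)), None)

    mask = find("mask")
    cap = (lambda p: p & mask) if mask is not None else (lambda p: p)
    if user == acl["owner"]:
        return wanted <= find("user")
    if find("user", user) is not None:
        return wanted <= cap(find("user", user))
    # Owning-group and named-group entries: any single matching entry may grant.
    matched = [p for t, q, p in entries if t == "group"
               and (q in user_groups if q else acl["group"] in user_groups)]
    if matched:
        return any(wanted <= cap(p) for p in matched)
    return wanted <= find("other")


def with_access_entry(acl, tag, qualifier, perms):
    """Model `setfacl -m tag:qualifier:perms` (no d:): add entry, recompute mask."""
    entries = [e for e in acl["access"] if e[0] != "mask" and e[:2] != (tag, qualifier)]
    entries.append((tag, qualifier, set(perms) - {"-"}))
    mask = set().union(*(p for t, q, p in entries if t == "group" or (t == "user" and q)))
    return {**acl, "access": entries + [("mask", "", mask)]}


def can_create_files(acl, user, user_groups):
    """Adding a file to a directory needs write and search (x) on that directory."""
    return allows(acl, user, user_groups, "wx")
```

With the posted ACL the user falls through to `other::r-x`; an access entry of `rw-` still fails because the directory also needs `x`, while `rwx` succeeds.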


tommytomato 03-19-2010 01:13 AM

Quote:

Originally Posted by sayan_acharjee (Post 3904103)
As you have created the acl with d: it's still there with the default option, use this instead:

That did it cheers, I'm going to try what I learnt by creating new group and new user and see if that makes a difference to the issue I'm working on

so the d stands for default ?

TT ( karl )

tommytomato 03-19-2010 01:24 AM

Well I don't know what's going on at all, I did what I learnt, it did even create its home directory the new user is not able to login via FTP at all

comes up with a 500 error

TT ( karl )

Sayan Acharjee 03-19-2010 01:38 AM

Can you please post the permissions of /var/www directory?
Here is the permissions assigned to the directory of my system which is used by user h11 to upload files with gftp:
Quote:

drwxrwsrwx+ 2 h11 ftp 4096 2010-03-18 16:51 /var/h11
here the + sign indicates that an acl is implemented on the directory, and here the directory name and user name is same.
It's working fine in my system, see if you can get some ideas from this.

tommytomato 03-19-2010 01:39 AM

I'm not sure but is the sudo command not working, it created the group and user using sudo, or should I sudo passwd and try that way ?

TT ( karl )

tommytomato 03-19-2010 01:41 AM

Quote:

Originally Posted by sayan_acharjee (Post 3904131)
Can you please post the permissions of /var/www directory?
Here is the permissions assigned to the directory of my system which is used by user h11 to upload files with gftp:


here the + sign indicates that an acl is implemented on the directory, and here the directory name and user name is same.
It's working fine in my system, see if you can get some ideas from this.

Code:

tommytomato@rockinghamgateway:/var/www$ ls -l
total 8
-rw-r--r--  1 root root  177 2010-03-17 21:13 index.html
drwxr-xr-x+ 2 root root 4096 2010-03-19 07:24 webalizer

drwxr-xr-x+ 3 root root 4096 2010-03-19 07:24 www


TT ( karl )

Sayan Acharjee 03-19-2010 01:47 AM

drwxr-xr-x+ 3 root root 4096 2010-03-19 07:24 www

Here the owner and the group is assigned as root, that's why it's not letting other users write to it. Change it to ftp, use this command:

Quote:

#chown ftp:ftp -R /var/www

I hope it will work now :)

tommytomato 03-19-2010 01:52 AM

Quote:

Originally Posted by sayan_acharjee (Post 3904143)
drwxr-xr-x+ 3 root root 4096 2010-03-19 07:24 www

Here the owner and the group is assigned as root, that's why it's not letting other users write to it. Change it to ftp, use this command:



I hope it will work now :)

done, gftp gives
Quote:

553 Could not create file.
Could not download /home/tommytomato/Desktop/rgwlogo.jpg from local filesystem
There were 1 files or directories that could not be transferred. Check the log for which items were not properly transferred.
Loading directory listing /var/www from server (LC_TIME=en_AU.UTF-8)
TT ( karl )

Sayan Acharjee 03-19-2010 01:59 AM

I'm out of options right now, I'll look in to it and if I can come up with something I'll let you know.

tommytomato 03-19-2010 02:03 AM

No probs, I haven't installed anything but what I said about the lamp; the only changes I have made are from this post we're chatting on. I used to use root all the time when I had the system up and running on Ubuntu 9.04, but we had a bad power hit here at home and it killed my server box, so I got another one and put on Ubuntu 9.10. I undo what I've done and set it back to default with the admin user only.

TT ( karl )

