LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 01-03-2011, 03:31 AM   #1
MichaelGMorgan
LQ Newbie
 
Registered: Jan 2011
Posts: 14

Rep: Reputation: 0
Apache/FTP User Permission Problem


Hello all,
I have a CentOS server running on Amazon EC2. I've set up Apache, PHP, etc and have also got FTP working. Apache runs as user "apache".

When I log into FTP (using user mgm, which I created) I'm not able to do anything. I can't upload, edit or delete anything, though I can download.

My "www" directory is stored at "/mnt/www/". This is not a shared server so I'm the only person who will ever be logging in so no need for multiple users here.

I just want to know how I can give my "mgm" user the right permissions to add, edit and delete via FTP. At the same time if PHP creates a file I need to be able to manage these via FTP also.

Currently, all PHP created files have owner "apache". The majority of the other files have owner "505" - which I assume is the ID of my "mgm" user, though not 100% sure.

How do I go about changing this?
Many thanks!
 
Old 01-04-2011, 05:13 PM   #2
thelastquincy
LQ Newbie
 
Registered: Apr 2009
Location: Chico, CA
Distribution: Ubuntu 10.10
Posts: 9

Rep: Reputation: 1
Quick question: what application are you using for FTP?
 
Old 01-05-2011, 02:02 AM   #3
MichaelGMorgan
LQ Newbie
 
Registered: Jan 2011
Posts: 14

Original Poster
Rep: Reputation: 0
On the server, I'm not sure... vsftp isn't running and I couldn't find any other active FTP services. I port scanned and only 22 and 80 were open. If I'm thinking correctly, this means that all FTP is encrypted via SSH, right?

As a client I'm using WinSCP and logging in using SFTP.
 
Old 01-05-2011, 02:16 AM   #4
siranjeevi
Member
 
Registered: May 2010
Location: India
Posts: 79

Rep: Reputation: 7
Quote:
Originally Posted by MichaelGMorgan
Hello all,
I have a CentOS server running on Amazon EC2. I've set up Apache, PHP, etc and have also got FTP working. Apache runs as user "apache".

When I log into FTP (using user mgm, which I created) I'm not able to do anything. I can't upload, edit or delete anything, though I can download.

My "www" directory is stored at "/mnt/www/". This is not a shared server so I'm the only person who will ever be logging in so no need for multiple users here.

I just want to know how I can give my "mgm" user the right permissions to add, edit and delete via FTP. At the same time if PHP creates a file I need to be able to manage these via FTP also.

Currently, all PHP created files have owner "apache". The majority of the other files have owner "505" - which I assume is the ID of my "mgm" user, though not 100% sure.

How do I go about changing this?
Many thanks!
Hi,

Might be a write permission issue; check your /etc/passwd file and see the user and group IDs for user mgm.
 
Old 01-05-2011, 02:29 AM   #5
120
Member
 
Registered: Oct 2010
Posts: 46

Rep: Reputation: 9
First check. You have an FTP server running on the Cent server? Forget the fancy port scanning etc, if you are on the command line of that Cent server and type
Quote:
ftp 127.0.0.1
Do you get a banner and a prompt for a username/password?
 
Old 01-05-2011, 02:35 AM   #6
siranjeevi
Member
 
Registered: May 2010
Location: India
Posts: 79

Rep: Reputation: 7
Also set the owner as mgm for the folders which you are trying to upload to, and make sure you have 755 for folders and 644 for files.
 
Old 01-05-2011, 05:25 PM   #7
MichaelGMorgan
LQ Newbie
 
Registered: Jan 2011
Posts: 14

Original Poster
Rep: Reputation: 0
@120 - Yes, I am prompted for username and password. It also told me it was vsFTPD 2.0.5

@siranjeevi - I took a look in the passwd file and the ID for user "mgm" is 500. I couldn't see the number 505 in there anywhere for any of the users. I know I could set the user to mgm for all of the folders/files within my www directory, but will this interfere with apache? Will this cause any issues with my sites? I really don't want to screw anything up and then have downtime for my sites. Currently they're working fine.

And then, what about when PHP creates/uploads a file - the file owner will be "apache", which means I won't be able to do anything with it without manually changing. My sites receive several hundred file uploads daily so this would be a real pain.

Thanks!
 
Old 01-05-2011, 10:44 PM   #8
120
Member
 
Registered: Oct 2010
Posts: 46

Rep: Reputation: 9
Forgetting the issue of permissions for one moment because I'm concerned when you say 'nothing happens';

Crossing off the obvious:
When you FTP into the server from a remote location, do you also get that vsFTPD 2.0.5 banner?

Do you have any firewall issues with IPTABLES blocking port 20/21?
(Look with "iptables -nvL")

Do you have SELinux running in enforcing mode?
(Check with either: "sestatus" or "grep SELINUX /etc/selinux/config")

Does your remote client have some kind of Windowze Firewall/Security that is blocking incoming connections on port 20?
It may be worth checking your FTP client and setting it from 'Active' to 'Passive' to see if that helps

Finally, as far as permissions go - if you chmod your upload directory to 777 ("chmod 777 /your/upload/directory") that would normally allow anyone to write there (apache and all). That said, uploading via php is usually via the /tmp directory - so it would be interesting to see if your apache user can write to that. You can test that with something like: "sudo -u apache touch /tmp/caniwritehere.tmp" or 'su apache -c "touch /tmp/caniwritehere.tmp"' {change apache to mgm to test that}

This may, at least, put you into the ballpark of the failure. It is also worth looking at any logs for the FTP Daemon or the SELinux audit log: /var/log/audit/audit.log - perhaps the config or vsFTPD is worth looking at too. In the long run to put the correct permissions to an upload I'd look at setting a default umask for ftp. But don't run before you can walk.

HTH

Last edited by 120; 01-05-2011 at 10:53 PM.
 
Old 01-06-2011, 09:03 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3608
Your "mgm" user account is an unprivileged user and as such it has no rights to access, read or write if permissions do not allow it. People will often (suggest you) weaken security by allowing everybody write rights to directories and files. Now a web server is a daemon that runs in its own account for several reasons, including security, and allowing it and everybody to write to directories it reads from probably is the best way to fsck up real good. While adding users to a common group may work to some extent the best option is to use POSIX ACLs (access control lists). Also see the CentOS Deployment Guide: Setting Access ACLs.
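
Added example (not part of unSpawn's post or of the thread): one way to apply the ACL approach recommended above in place of "chmod 777", using the poster's /mnt/www web root and mgm account. The function names are hypothetical, and it assumes the acl tools are installed and the filesystem is mounted with ACL support.

```shell
#!/bin/sh
# Added example, not from the thread. /mnt/www and the mgm account are the
# poster's; the function names are hypothetical. Needs the acl tools and a
# filesystem mounted with ACL support.

# Print every entry under DIR that "other" may write to, i.e. what
# "chmod 777" (or 666) leaves behind. Symlinks are skipped.
list_world_writable() {
    find "$1" -perm -0002 ! -type l -print
}

# Remove the world-write bit from those entries, leaving the owner and
# group bits untouched.
strip_world_writable() {
    find "$1" -perm -0002 ! -type l -exec chmod o-w {} +
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# grant_acl DIR USER...: give each USER access through ACL entries
# instead of opening DIR to everybody.
grant_acl() {
    dir=$1; shift
    for u in "$@"; do
        # rwX: read and write everywhere, execute only on directories
        # and on files that are already executable.
        run setfacl -R -m "u:$u:rwX" "$dir"
        # Default ACL on directories only, so files created later
        # (for example by PHP running as apache) inherit the entry.
        run find "$dir" -type d -exec setfacl -d -m "u:$u:rwX" {} +
    done
}

# Typical order on the server, as root:
#   list_world_writable /mnt/www        # see what is exposed today
#   DRY_RUN=1 grant_acl /mnt/www mgm    # review the commands first
#   grant_acl /mnt/www mgm
#   strip_world_writable /mnt/www
#   getfacl /mnt/www                    # confirm the user:mgm entries
```

A file's create mode still masks the inherited entry, so run getfacl on a file PHP has just written and read the "effective" rights shown for mgm.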
 
Old 01-06-2011, 11:18 AM   #10
siranjeevi
Member
 
Registered: May 2010
Location: India
Posts: 79

Rep: Reputation: 7
Quote:
Originally Posted by MichaelGMorgan
@120 - Yes, I am prompted for username and password. It also told me it was vsFTPD 2.0.5

@siranjeevi - I took a look in the passwd file and the ID for user "mgm" is 500. I couldn't see the number 505 in there anywhere for any of the users. I know I could set the user to mgm for all of the folders/files within my www directory, but will this interfere with apache? Will this cause any issues with my sites? I really don't want to screw anything up and then have downtime for my sites. Currently they're working fine.

And then, what about when PHP creates/uploads a file - the file owner will be "apache", which means I won't be able to do anything with it without manually changing. My sites receive several hundred file uploads daily so this would be a real pain.

Thanks!
Listen, as long as the folder has read and execute permission for other users, and as long as files have read permission for other users, the apache user can access the files in the folders. To allow PHP to upload contents you can follow the guidelines on this site: "http://www.mysql-apache-php.com/fileupload-security.htm". And OK, if you don't want to take the risk, we can stop doing this further.
 