4

Seems like this should be easy, but I'm really struggling here. I'm not well versed on Linux but I can get around. I just setup a new Ubuntu v20.04.2 Server and installed Apache2 on it. I then installed VSFTPD on it as well.

Now I'm trying to get it so when I login with user "remote" that I'm locked into the /var/www/html/ directory, but have write access to anything inside.

my vsftpd.conf file has the following uncommented settings:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
local_root=/var/www/html
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

When I set chown on the /var/www/html directory, now vsftpd refuses to connect because the root directory is writable. If I set it to default ownership (root) than I can't write to it when logged through FTP with the remote login.

How do I get my remote ftp login to have full access to the /var/www/html directory, but only to that directory (and it's subdirectories), all while being secure?

DauntlessRob
  • 765
  • 1
  • 7
  • 17

1 Answers1

7

You may need to add a few more options to your vsftpd.conf file. This is generally the settings that I've used in the past:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=0022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
file_open_mode=0777

This allows local accounts to set the default permissions (umask) for the files uploaded. For the mask to work properly anon_upload_enable and anon_mkdir_write_enable needs to be set to YES. If these are not set, then the uploaded files will see 700 permissions applied, which is of no value.

The file_open_mode option sets the default setting of files. Even though the value is 777, the local_umask setting of 022 ensures the files are given a 755.

Once this is set, you can restart the FTP server for everything to take effect.

For user accounts, it's often easiest to have their home directory set as the Apache root, and add them to the www-data group.

sudo adduser ftpuser
sudo usermod -d /var/www -m ftpuser
sudo usermod -a -G www-data ftpuser

Be sure to change ftpuser to whatever you'd like people or services to use when signing in to the web server.

From here we can ensure the proper permissions are set in the /var/www directory:

sudo chgrp -R www-data /var/www
sudo chmod -R g+w /var/www

Next we can set the directory and all sub-directories below it to "set GID", meaning all new files and directories created under /var/www are owned by the www-data group. The second command will ensure files are properly set:

sudo find /var/www -type d -exec chmod 2775 {} \;
sudo find /var/www -type f -exec chmod ug+rw {} \;

And that's that

matigo
  • 1,321
  • 1
  • 6
  • 16
  • Thank you for responding! That helped a lot. – DauntlessRob Jun 04 '21 at 21:56
  • Yes thanks a ton. I am trying to launch my own LAMP server and having a hard time getting the file access right and ownership rights correct [never had to think about it using Docker or a premade server image.] – Leroy105 May 03 '23 at 05:30