proftpd configuration

Posted: Tue Feb 06, 2007 9:54 am
by raghavan20
I have a xampp installation running which has proftpd running.

I need to access a few web directories. They are at /opt/lampp/ and /var/www/. So I basically wanted to access these two paths as an available Linux user. How do I do this? Any suggestions?

Posted: Tue Feb 06, 2007 10:04 am
by Jenk
In what way do you need to access them? As a user? FTP? HTTP? Allow the proftpd process access? etc?

Posted: Tue Feb 06, 2007 10:19 am
by raghavan20
Basically I wanted to access these from Zend using FTP.

Posted: Tue Feb 06, 2007 10:43 am
by Chris Corbyn
Turn chroot'ing off by commenting out the line that says "DefaultRoot ~". Then you can get to "/" when you connect. Be aware of the (increased) security issues involved with doing this though. Definitely make sure that the <Anonymous > block has a DefaultRoot set in it.

Posted: Tue Feb 06, 2007 10:54 am
by raghavan20
d11wtq wrote: Turn chroot'ing off by commenting out the line that says "DefaultRoot ~". Then you can get to "/" when you connect. Be aware of the (increased) security issues involved with doing this though. Definitely make sure that the <Anonymous > block has a DefaultRoot set in it.
I don't really want a workaround fix. I need to give access to those directories using a valid username and password combination. Thanks for your replies.

Posted: Tue Feb 06, 2007 11:07 am
by Chris Corbyn
So you want a user who can just access those directories?

Code:

mkdir /home/username/var_www
mount --bind /var/www /home/username/var_www
mkdir /home/username/opt_lampp
mount --bind /opt/lampp /home/username/opt_lampp
Now "username" has access to those directories in his/her chroot ~/ directory. Put that in fstab too so it remounts at boot time.
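
The fstab step from the post above, as an added example that is not part of the original post: a helper that prints one bind entry per source directory, resolving symlinks and refusing sources that do not exist. The function name is hypothetical; the /home/USER target and the var_www-style mount-point names follow the commands in the post.

```shell
#!/bin/sh
# Added example, not from the thread. fstab_bind_lines is a hypothetical name.

# fstab_bind_lines USER SRC...
# Prints one /etc/fstab bind entry per SRC, mounted under /home/USER with
# slashes turned into underscores (/var/www -> var_www).
# Returns 1 if any SRC was skipped. Paths containing spaces are not handled.
fstab_bind_lines() {
    user=$1
    shift
    rc=0
    for src in "$@"; do
        src=${src%/}
        if [ ! -d "$src" ]; then
            # mount --bind fails on such a source with "does not exist"
            echo "skip $src: not an existing directory" >&2
            rc=1
            continue
        fi
        # resolve symlinks so the entry names the real directory
        real=$(cd "$src" && pwd -P)
        name=$(printf '%s' "${src#/}" | tr '/' '_')
        printf '%s /home/%s/%s none bind 0 0\n' "$real" "$user" "$name"
    done
    return "$rc"
}

# Review the output, then append it to /etc/fstab as root:
#   fstab_bind_lines username /var/www /opt/lampp
```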

Posted: Tue Feb 06, 2007 11:17 am
by raghavan20
Hello Chris, here is an error message.

Code:

linux:/home/rag # ls
.  ..  opt_lampp  var_www
linux:/home/rag # mount --bind /var/www /home/rag/var_www
mount: special device /var/www does not exist

Posted: Tue Feb 06, 2007 11:23 am
by Chris Corbyn
Does /var/www exist? Do a ls -l to make sure it's not a symlink to somewhere else.

Posted: Tue Feb 06, 2007 11:31 am
by raghavan20
d11wtq wrote: Does /var/www exist? Do a ls -l to make sure it's not a symlink to somewhere else.
Yes, www did not exist. I thought it existed by default. But your idea worked great, Chris. Thanks very much again for your help this time. Have a great day.

Posted: Tue Feb 06, 2007 11:35 am
by Chris Corbyn
Web roots vary from distro to distro. I always just set my own up at /srv/www. Some use /srv/www, some use /var/www, some use /home/httpd etc. You can't rely on anything being in a "standard" place unless it's integral to the operating system.

Posted: Wed Feb 07, 2007 4:49 am
by raghavan20
Thanks for letting me know that, Chris.

Now, I have a different problem. Yesterday, I was only able to list and read all these web files because of the R permission available for others in web files. Now, I should be able to write to web files, otherwise it is not of much use.

I discovered that if I use this piece of code in proftpd.conf then I can allow users to modify files in their home directories.

Code:

# Set the user and group that the server normally runs at.
User                            nobody
#Group                          nogroup

# to home directories
DefaultRoot ~

<Directory ~>
      AllowOverwrite          on
</Directory>

But then I realized if I have AllowOverwrite on, then any user can bind some other files to their home directories and modify them.

Current facts:

Code:

1. apache is running under nobody.nogroup
2. proftpd is running under nobody
3. I want to allow developers like rag, mike to access web files

I thought I might do something like this:

Code:

1. created a new group developers
2. added rag and mike to developers
3. changed ownership of web files to nobody.developers
4. changed permissions to 774 ( rwx rwx r-- )
I still got '550: overwrite permission denied'

So I did try something else; I wanted to own all web files and see whether I could edit from FTP.

Code:

1. permissions are still 774
2. ownership is now, rag.nogroup
I still got '550: overwrite permission denied'

As I told you earlier, I really want something like this:

Code:

1. all developers should be able to access web files
2. all webdirectories can be bound to developers' home directories
3. PHP should be able to read, write and execute files.

Posted: Wed Feb 07, 2007 8:38 am
by Chris Corbyn
You need to create a group like you've done. Then you need to make certain users in that group. Next, you need to set the permissions on any directories to be writable to that group and make it sticky so those permissions apply to any files created in the directory. Next, you need to set a umask (the inverse of chmod) in proftpd.conf for those directories. That should work fine then.

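Code:

# the command is groupadd (one word)
groupadd developers
# -a appends; plain -G would drop the user's other supplementary groups
usermod -a -G developers raghavan20
# chgrp needs the group name before the path
chgrp -R developers /opt/lampp
# group rwx on directories; X leaves non-executable files non-executable
chmod -R g+rwX /opt/lampp
# setgid on directories only, so new files inherit the group
find /opt/lampp -type d -exec chmod g+s {} +

# and the umask to use in proftpd.conf
Umask 002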
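
A check for the shared-group setup from the post above, added here as an example and not posted by anyone in the thread: it walks a web tree and reports entries that break the scheme (wrong group, directories without setgid or group access, setgid files, world-writable entries). The function names and finding labels are made up for this example; the directory and group are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and labels are hypothetical.

# scan_tree DIR GROUP: print one "label path" line per problem found.
scan_tree() {
    # entries that do not belong to the shared group
    find "$1" ! -group "$2" -exec printf 'wrong-group %s\n' {} \;
    # directories without setgid: uploads keep the uploader's primary group
    find "$1" -type d ! -perm -2000 -exec printf 'dir-no-setgid %s\n' {} \;
    # directories the group cannot read, write and enter
    find "$1" -type d ! -perm -0070 -exec printf 'dir-not-group-rwx %s\n' {} \;
    # directories others can list but not enter (mode 774 on a directory)
    find "$1" -type d -perm -0004 ! -perm -0001 \
        -exec printf 'dir-other-r-no-x %s\n' {} \;
    # regular files carrying setgid, a side effect of a recursive g+s
    find "$1" -type f -perm -2000 -exec printf 'file-setgid %s\n' {} \;
    # anything world-writable
    find "$1" ! -type l -perm -0002 -exec printf 'world-writable %s\n' {} \;
}

# audit_tree DIR GROUP: print findings, return 0 when clean and 1 otherwise.
audit_tree() {
    findings=$(scan_tree "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as a script: sh audit.sh /opt/lampp developers
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```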

Posted: Mon Feb 12, 2007 4:20 am
by raghavan20
Thanks Chris.

I did whatever you have said but it allows editing only if the following is there in proftpd.conf

Code:

<Directory ~>
        AllowOverwrite          on
</Directory>

Current settings:
Groups for rag:

Code:

linux:/opt/lampp/etc # groups rag
rag : users dialout video developers
Directory permissions:

Code:

drwxrwxr--   8 nobody developers 4096 Feb  7 14:32 .
drwxr-xr-x  19 root   root       4096 Feb  7 14:32 ..
drwxrwxr--   6 nobody developers 4096 Feb  7 14:32 backend
drwxrwxr--   3 nobody developers 4096 Feb  7 14:32 businesslogic
drwxrwxr--   2 nobody developers 4096 Feb 12 10:12 configuration
drwxrwxr--   6 nobody developers 4096 Feb  7 14:32 frontend
-rwxrwxr--   1 nobody developers 5021 Feb  7 14:32 index.php
drwxrwxr--   2 nobody developers 4096 Feb  7 14:32 mailtemplates
drwxrwxr--   7 nobody developers 4096 Feb  7 14:32 reports

Posted: Mon Feb 12, 2007 4:50 am
by Chris Corbyn
Yeah it's a stupid default. You want that turned on. You still need permissions. Without that, you need to delete the file, then add it again - seems silly to me.