webserver ftp upload setup
Results 1 to 8 of 8

Thread: webserver ftp upload setup

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    172

    webserver ftp upload setup

    i'm trying to set up my webserver(slackware) using proftpd so that i can ftp up to it and drop my updated pages right into the /var/www/htdocs folder anybody know how i should go about doing this? i've edited inetd.conf so that ftp starts up, but i have a couple of questions:

    1. proftpd isnt listed as a process by ps, why is that?

    2. my anonymous ftp user, "ftp", doesnt have access to any folder except /home/ftp when i ftp into the server, but for some reason when i do a "su ftp" ftp has read/write access to all of the folders on my system, why is that?

    3. how can i set up an account like the anonymous ftp account except it only has read/write access to the /var/www/htdocs directory so that i can make site updates with it? of course i would password protect it

  2. #2
    Banned
    Join Date
    May 2003
    Posts
    1,004
    my anonymous ftp user, "ftp", doesnt have access to any folder except /home/ftp when i ftp into the server, but for some reason when i do a "su ftp" ftp has read/write access to all of the folders on my system, why is that?
    Prolly cause you created (uploaded) all of those files with the ftp account.

    how can i set up an account like the anonymous ftp account except it only has read/write access to the /var/www/htdocs directory so that i can make site updates with it? of course i would password protect it.
    I can't even think how many systems I've seen exploited (included apache.org) as the result of ftp_root falling under http_root.

    My advice would be to use ssh and upload your files with scp. Leave ftp and http seperate, otherwise you are just making things needlessly complicated and with greater surface exposure and consequently more difficult security administration.

    cheers,

    catch

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Re: webserver ftp upload setup

    Originally posted here by slinky2004
    proftpd isnt listed as a process by ps, why is that?
    Because it isn't running. You stated you edited the inetd.conf...inetd is the super-daemon. Basically, it watches the ports/services listed in it's conf for traffic, and initiates the necessary servers when needed.

    my anonymous ftp user, "ftp", doesnt have access to any folder except /home/ftp when i ftp into the server, but for some reason when i do a "su ftp" ftp has read/write access to all of the folders on my system, why is that?
    Where are you executing su ftp? If you prepend a command with su the command is run as root (with some exceptions. Read below.)

    how can i set up an account like the anonymous ftp account except it only has read/write access to the /var/www/htdocs directory so that i can make site updates with it? of course i would password protect it
    Why would you want to do this? Does your regular user have write permissions to /var/www/htdocs? Use it.

    But more importantly, why are you using FTP at all? Why not SFTP, SCP, RSYNC... You're running slackware, so I'd assume you have OpenSSH setup and running. If memory serves, a simple change in /etc/ssh/sshd.conf (or whatever) will allow you to use sftp, scp, etc. to copy files to the server in a MUCH more secure manner.

    * For details, see the man pages. Yes. I said it. RTFM. I'm not preaching, I'm not bitching, I've given you some direction, but the details are left to the student as an excercise in proficiency.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Zencoder... that was a little good advice mixed with a little crazyness.

    Where are you executing su ftp? If you prepend a command with su the command is run as root (with some exceptions. Read below.)
    System: Juliet (Odessa_TS)
    (Trusted Solaris - config_rev:7.34.094)
    login: catch
    Password:
    Last login: Wed Mar 23 16:36:04 from Ophelia (Desktop_W2k)
    [catch@Juliet catch]$ su ftp
    Password:
    [ftp@Juliet catch]$ do stuff as user ftp

    su = switch user
    su != run as root
    su with no arguments switches to the superuser account

    su - run a shell with substitute user and group IDs
    - man su page

    He was using "su ftp" to login to the ftp account to check the permissions or move stuff around or god knows why really.

    cheers,

    catch

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    basically, i wanted to do this so i could update my website quickly using the synchronization feature in dreamweaver or frontpage. i probably would be doing it from another computer on my lan, which is behind a firewall/router so i'm not that worried about getting hacked unless i have to foward the ftp service for some reason. my question about the ftp account is: how is it that when i login to the ftp server with it, it only can see the ftp folder: /home/ftp, but if i do a "su ftp", (which logs me in as the ftp user) it can read/write anything on the entire drive? basically i was just doing this to see what the anonymous ftp user's privs were and trying to get an idea how you configure a similar account. i had thought that ftp account privs were based on real account privs, that would be set up with chmod and chown and stuff but based on this, i guess not?

  6. #6
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    If your ftp user can read and write anything, you have done something seriously wrong (I highly doubt this is the case, make sure you actually have WRITE permissions to stuff). If your ftp user can read files all over the system, then this normal. most files have at least read access for everyone by default. The reason you only see /home/ftp when logged into the FTP server is because your ftp server has a nice default config and wont let users traverse directories beyond their home directory (also normal) If the FTP sever allows the following of symlinks (I suggest you find your ftpd.conf and give it a good look over), you can create a symlink to /var/www/html (sub your DOCROOT here) in the /home/ftp directory. I would then use groups to allow access for user 'ftp' to the docs/directories needed. If the DOCROOT is group is apache (or webuser or www-data, whatever your webserver runs as, hopefully NOT root) then add the ftp user to the Apache (or appropriate) group, this should allow write permission in that directory without resorting to the evils of worldwriteable files.

    Sidenotes: SFTP is possible with newer versions of DW, and I would reccomend that over standard FTP.
    Zencoder: I believe you are confusing the 'su' command with 'sudo'

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  7. #7
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    yeah, my ftp user doesnt have write privs on everything, but why does it show "drwxr-xr-x" ls -al as the ftp user? doesnt that mean the user can delete, read write, execute?(i dont remember what the "d" means). also, i created a new account, "www", for uploading stuff and set it's home directory to /var/www/htdocs, but for some reason it couldnt write to the directory, even after a chmod 755 as root. i had to do a "chown -R www.users /var/www/htdocs" for www to be able to write anything in that folder. why is that? i thought as long as a user had read/write privs on a folder they could write to it.

  8. #8
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    d (Directory)rwx(read/write/xecute for owner)r-x(read/xecute for group)r-x(read/xecute for world)
    = drwxr-x-r-x

    So only the owner has write privs. That is a 755. If you want to give read/write its a 6 (for static htmkl this is ok) for read/write/xecute you need a 7 (you need execute perms on the directory for scripts like php, but I would NOT make directory in your webroot have a 7 for world. (BAD) Use the groups permissions like 773 (only the webserver user needs to be able to xecute, but be aware the apache user (if thats the owner and group, has full permissions so scripts could be used to alter the files in the web directory) You could tighten it better but may want to wait until the site is done before really clamping down your perms.

    -Maestr0

    man chmod, man chgrp
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •