Thread: webserver ftp upload setup

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    172

    webserver ftp upload setup

    i'm trying to set up my webserver (slackware) using proftpd so that i can ftp up to it and drop my updated pages right into the /var/www/htdocs folder. anybody know how i should go about doing this? i've edited inetd.conf so that ftp starts up, but i have a couple of questions:

    1. proftpd isn't listed as a process by ps, why is that?

    2. my anonymous ftp user, "ftp", doesn't have access to any folder except /home/ftp when i ftp into the server, but for some reason when i do a "su ftp" ftp has read/write access to all of the folders on my system, why is that?

    3. how can i set up an account like the anonymous ftp account except it only has read/write access to the /var/www/htdocs directory so that i can make site updates with it? of course i would password protect it

  2. #2
    Banned
    Join Date
    May 2003
    Posts
    1,004
    my anonymous ftp user, "ftp", doesn't have access to any folder except /home/ftp when i ftp into the server, but for some reason when i do a "su ftp" ftp has read/write access to all of the folders on my system, why is that?
    Prolly cause you created (uploaded) all of those files with the ftp account.

    how can i set up an account like the anonymous ftp account except it only has read/write access to the /var/www/htdocs directory so that i can make site updates with it? of course i would password protect it.
    I can't even think how many systems I've seen exploited (including apache.org) as the result of ftp_root falling under http_root.

    My advice would be to use ssh and upload your files with scp. Leave ftp and http separate, otherwise you are just making things needlessly complicated and with greater surface exposure and consequently more difficult security administration.

    cheers,

    catch

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Re: webserver ftp upload setup

    Originally posted here by slinky2004
    proftpd isn't listed as a process by ps, why is that?
    Because it isn't running. You stated you edited the inetd.conf... inetd is the super-daemon. Basically, it watches the ports/services listed in its conf for traffic, and initiates the necessary servers when needed.

    my anonymous ftp user, "ftp", doesn't have access to any folder except /home/ftp when i ftp into the server, but for some reason when i do a "su ftp" ftp has read/write access to all of the folders on my system, why is that?
    Where are you executing su ftp? If you prepend a command with su the command is run as root (with some exceptions. Read below.)

    how can i set up an account like the anonymous ftp account except it only has read/write access to the /var/www/htdocs directory so that i can make site updates with it? of course i would password protect it
    Why would you want to do this? Does your regular user have write permissions to /var/www/htdocs? Use it.

    But more importantly, why are you using FTP at all? Why not SFTP, SCP, RSYNC... You're running slackware, so I'd assume you have OpenSSH setup and running. If memory serves, a simple change in /etc/ssh/sshd.conf (or whatever) will allow you to use sftp, scp, etc. to copy files to the server in a MUCH more secure manner.

    * For details, see the man pages. Yes. I said it. RTFM. I'm not preaching, I'm not bitching, I've given you some direction, but the details are left to the student as an exercise in proficiency.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Zencoder... that was a little good advice mixed with a little craziness.

    Where are you executing su ftp? If you prepend a command with su the command is run as root (with some exceptions. Read below.)
    System: Juliet (Odessa_TS)
    (Trusted Solaris - config_rev:7.34.094)
    login: catch
    Password:
    Last login: Wed Mar 23 16:36:04 from Ophelia (Desktop_W2k)
    [catch@Juliet catch]$ su ftp
    Password:
    [ftp@Juliet catch]$ do stuff as user ftp

    su = switch user
    su != run as root
    su with no arguments switches to the superuser account

    su - run a shell with substitute user and group IDs
    - man su page

    He was using "su ftp" to login to the ftp account to check the permissions or move stuff around or god knows why really.

    cheers,

    catch

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    basically, i wanted to do this so i could update my website quickly using the synchronization feature in dreamweaver or frontpage. i probably would be doing it from another computer on my lan, which is behind a firewall/router so i'm not that worried about getting hacked unless i have to forward the ftp service for some reason. my question about the ftp account is: how is it that when i login to the ftp server with it, it only can see the ftp folder: /home/ftp, but if i do a "su ftp", (which logs me in as the ftp user) it can read/write anything on the entire drive? basically i was just doing this to see what the anonymous ftp user's privs were and trying to get an idea how you configure a similar account. i had thought that ftp account privs were based on real account privs, that would be set up with chmod and chown and stuff but based on this, i guess not?

  6. #6
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    If your ftp user can read and write anything, you have done something seriously wrong (I highly doubt this is the case, make sure you actually have WRITE permissions to stuff). If your ftp user can read files all over the system, then this is normal. Most files have at least read access for everyone by default. The reason you only see /home/ftp when logged into the FTP server is because your ftp server has a nice default config and won't let users traverse directories beyond their home directory (also normal). If the FTP server allows the following of symlinks (I suggest you find your ftpd.conf and give it a good look over), you can create a symlink to /var/www/html (sub your DOCROOT here) in the /home/ftp directory. I would then use groups to allow access for user 'ftp' to the docs/directories needed. If the DOCROOT group is apache (or webuser or www-data, whatever your webserver runs as, hopefully NOT root) then add the ftp user to the Apache (or appropriate) group, this should allow write permission in that directory without resorting to the evils of world-writable files.

    Sidenotes: SFTP is possible with newer versions of DW, and I would recommend that over standard FTP.
    Zencoder: I believe you are confusing the 'su' command with 'sudo'

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  7. #7
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    yeah, my ftp user doesn't have write privs on everything, but why does it show "drwxr-xr-x" in ls -al as the ftp user? doesn't that mean the user can delete, read, write, execute? (i don't remember what the "d" means). also, i created a new account, "www", for uploading stuff and set its home directory to /var/www/htdocs, but for some reason it couldn't write to the directory, even after a chmod 755 as root. i had to do a "chown -R www.users /var/www/htdocs" for www to be able to write anything in that folder. why is that? i thought as long as a user had read/write privs on a folder they could write to it.

  8. #8
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    d (Directory) rwx (read/write/xecute for owner) r-x (read/xecute for group) r-x (read/xecute for world)
    = drwxr-xr-x

    So only the owner has write privs. That is a 755. If you want to give read/write it's a 6 (for static html this is ok); for read/write/xecute you need a 7 (you need execute perms on the directory for scripts like php), but I would NOT make a directory in your webroot have a 7 for world (BAD). Use the group permissions like 773 (only the webserver user needs to be able to xecute, but be aware the apache user, if that's the owner and group, has full permissions, so scripts could be used to alter the files in the web directory). You could tighten it better but may want to wait until the site is done before really clamping down your perms.

    -Maestr0

    man chmod, man chgrp
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
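
Added example, not part of any post in this thread: a small shell model of the owner/group/other check discussed in posts #6 to #8, run over constructed cases that reuse the thread's account names (www, ftp, apache, users). The 775 mode in the group case is an assumption, and ACLs and root's bypass of the check are not modelled.

```shell
#!/bin/sh
# perm_class OWNER GROUP USER "USER_GROUPS" -> prints owner, group or other.
# The kernel uses the first class that matches and never combines classes.
perm_class() {
    if [ "$3" = "$1" ]; then echo owner; return; fi
    for g in $4; do
        if [ "$g" = "$2" ]; then echo group; return; fi
    done
    echo other
}

# can_write MODE OWNER GROUP USER "USER_GROUPS" -> exit status 0 if the
# write bit is set in the one class that applies to USER.
can_write() {
    m=$(( 0$1 ))    # leading 0 makes the shell read MODE as octal
    case $(perm_class "$2" "$3" "$4" "$5") in
        owner) bits=$(( ($m >> 6) & 7 )) ;;
        group) bits=$(( ($m >> 3) & 7 )) ;;
        *)     bits=$(( $m & 7 )) ;;
    esac
    [ $(( $bits & 2 )) -ne 0 ]
}

# mode_string MODE -> prints the nine-character form ls shows, e.g. rwxr-xr-x
mode_string() {
    m=$(( 0$1 )); out=
    for s in 6 3 0; do
        b=$(( ($m >> $s) & 7 ))
        if [ $(( $b & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( $b & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( $b & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

# report MODE OWNER GROUP USER "USER_GROUPS" -> one verdict line per scenario
report() {
    if can_write "$@"; then v=yes; else v=no; fi
    echo "d$(mode_string "$1") $2:$3 user=$4 class=$(perm_class "$2" "$3" "$4" "$5") write=$v"
}

# Constructed scenarios (ownerships other than www.users are assumptions)
report 755 root   root   www "users"         # post #7 before the chown
report 755 www    users  www "users"         # post #7 after chown -R www.users
report 775 root   apache ftp "ftp apache"    # post #6 group approach
report 575 www    apache www "users apache"  # owner class wins; group w is ignored
report 773 apache apache www "users"         # 'other' digit 3 is -wx
```

The first two lines of output show why the chown was needed: under root:root 755 the www account falls into the "other" class, which has no write bit.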
