It's a CentOS 6 box running an Apache server and a vsftpd server. The problem is not about the connection, it's about displaying the folder from the local_root directory.
Here is /etc/vsftpd/vsftpd.conf:
# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
#xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
# NO writes to vsftpd_log_file, YES to xferlog_file
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
## Heading ##
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
chroot_local_user=YES
local_root=/var/www
user_sub_token=$USER
Here is the ls -l output in the / folder:
[root@daniel /]# ls -l
total 98
dr-xr-xr-x. 2 root root 4096 2015-05-14 04:43 bin
dr-xr-xr-x. 5 root root 1024 2015-05-12 15:33 boot
drwxr-xr-x. 20 root root 3820 2015-06-05 02:30 dev
drwxr-xr-x. 103 root root 12288 2015-06-05 03:03 etc
drwxr-xr-x. 5 root root 4096 2015-05-08 06:54 home
dr-xr-xr-x. 11 root root 4096 2015-05-08 05:13 lib
dr-xr-xr-x. 9 root root 12288 2015-06-04 03:25 lib64
drwx------. 2 root root 16384 2015-05-08 04:13 lost+found
drwxr-xr-x. 2 root root 4096 2011-09-23 14:50 media
drwxr-xr-x. 2 root root 0 2015-06-05 02:29 misc
drwxr-xr-x. 2 root root 4096 2011-09-23 14:50 mnt
drwxr-xr-x. 2 root root 0 2015-06-05 02:29 net
drwxr-xr-x. 3 root root 4096 2015-05-08 05:13 opt
dr-xr-xr-x. 167 root root 0 2015-06-05 02:29 proc
dr-xr-x---. 10 root root 4096 2015-06-04 03:02 root
dr-xr-xr-x. 2 root root 12288 2015-05-24 03:34 sbin
drwxr-xr-x. 7 root root 0 2015-06-05 02:29 selinux
drwxr-xr-x. 2 root root 4096 2011-09-23 14:50 srv
drwxr-xr-x. 13 root root 0 2015-06-05 02:29 sys
drwxrwxrwt. 3 root root 4096 2015-06-05 03:28 tmp
drwxr-xr-x. 13 root root 4096 2015-05-08 05:04 usr
drwxr-xr-x. 22 root root 4096 2015-06-04 02:57 var
This folder is displayed in the browser or over an FTP connection (ftp 192.168.1.10), but /var/www is not :(.
Also ls -al /var/www:
[root@daniel /]# ls -al /var/www
total 84
drwxrwxr-x+ 11 root root 4096 2015-06-04 05:32 .
drwxr-xr-x. 22 root root 4096 2015-06-04 02:57 ..
drwxrwxr-x+ 3 root root 4096 2015-05-22 06:09 site1.com
drwxrwxr-x+ 3 root root 4096 2015-05-22 05:30 site2.com
drwxrwxr-x+ 2 root root 4096 2015-06-02 05:59 cgi-bin
drwxrwxr-x+ 3 root root 4096 2015-05-20 05:55 error
drwxrwxr-x+ 2 root root 4096 2015-06-04 05:32 ftp
drwxrwxr-x+ 2 root root 4096 2015-05-22 03:55 html
drwxrwxr-x+ 3 root root 4096 2015-05-20 05:58 icons
drwxrwxr-x+ 3 root root 4096 2015-05-22 05:30 site3.com
drwxrwxr-x+ 2 root root 4096 2015-05-19 07:26 usage
And also the SELinux booleans for ftp:
[root@daniel /]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
Sorry for such a long question, but I tried to include all the details you need to solve this problem.
Thanks in advance for your help!
The solution to your problem is:
setsebool -P allow_ftpd_full_access=1
In your vsftpd config file:
• chroot_local_user=YES
• allow_writeable_chroot=YES
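The config in the question has two interacting settings that are easy to miss: chroot_local_user=YES together with chroot_list_enable=YES turns /etc/vsftpd/chroot_list into the list of users who are NOT chrooted (the file's own comment says so), and a writable chroot root makes vsftpd 3.x refuse the login unless allow_writeable_chroot=YES. Note also that the allow_ftpd_full_access boolean in the answer removes SELinux's type checks for vsftpd altogether; labelling the tree public_content_t (or public_content_rw_t plus allow_ftpd_anon_write for uploads) is the narrower choice. The linter below is an added example, not code from the post or from vsftpd; it applies vsftpd's last-value-wins parsing to a trimmed copy of the posted config and reports those combinations. The defaults table is taken from vsftpd.conf(5); everything else is illustrative.

```python
"""Lint a vsftpd.conf for the settings that decide what a local user can see and
write, and for combinations that silently widen access.  Added example, not part
of the original post; SAMPLE_CONF is a trimmed copy of the config in the question."""

SAMPLE_CONF = """\
# Example config file /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
ascii_upload_enable=YES
ascii_download_enable=YES
listen=YES
chroot_local_user=YES
local_root=/var/www
user_sub_token=$USER
"""

# Compiled-in defaults for the options we care about, per vsftpd.conf(5).
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "chroot_list_file": "/etc/vsftpd/chroot_list",
    "allow_writeable_chroot": "NO",
    "ascii_upload_enable": "NO",
    "ascii_download_enable": "NO",
    "local_root": "",
}


def parse_conf(text):
    """Return {option: value}.  vsftpd takes the last assignment of an option,
    skips blank and '#' lines, and rejects any other line without '='."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line (vsftpd rejects it): %r" % raw)
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective(settings, key):
    """Value in effect: explicit setting, else the compiled-in default."""
    return settings.get(key, DEFAULTS.get(key, ""))


def is_yes(settings, key):
    return effective(settings, key).upper() == "YES"


def lint(text):
    """Return a list of (severity, message) findings for a config file body."""
    s = parse_conf(text)
    out = []
    if is_yes(s, "anonymous_enable"):
        out.append(("high", "anonymous_enable is YES (vsftpd's default when the option is absent)"))
    if is_yes(s, "chroot_local_user") and is_yes(s, "chroot_list_enable"):
        out.append(("high", "chroot_local_user=YES with chroot_list_enable=YES: users listed in %s "
                            "are NOT chrooted" % effective(s, "chroot_list_file")))
    if is_yes(s, "chroot_local_user") and is_yes(s, "write_enable") and not is_yes(s, "allow_writeable_chroot"):
        out.append(("info", "vsftpd 3.x answers '500 OOPS: vsftpd: refusing to run with writable root "
                            "inside chroot()' if the chroot root is writable by the user; either set "
                            "allow_writeable_chroot=YES or keep the root directory non-writable"))
    if is_yes(s, "ascii_upload_enable") or is_yes(s, "ascii_download_enable"):
        out.append(("low", "ASCII mangling is enabled; it rewrites line endings in transit"))
    root = effective(s, "local_root")
    if root and is_yes(s, "chroot_local_user") and "$USER" not in root:
        out.append(("info", "local_root=%s has no $USER token, so every local user is chrooted "
                            "into the same tree" % root))
    return out
```

Run it as lint(open("/etc/vsftpd/vsftpd.conf").read()) on the real file; the sample above reproduces the chroot_list inversion and the shared /var/www root from the question.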
I am new to working with systemd and services on Ubuntu/Debian. I'm trying to serve multiple sites on the same Apache2.
viktor@viktor-i7-7700k:~$ ls -la /etc/apache2/
total 96
drwxr-xr-x 8 root root 4096 fev 3 16:13 .
drwxr-xr-x 133 root root 12288 fev 3 16:13 ..
-rw-r--r-- 1 root root 7224 ago 12 18:33 apache2.conf
drwxr-xr-x 2 root root 4096 fev 3 16:13 conf-available
drwxr-xr-x 2 root root 4096 fev 3 16:13 conf-enabled
-rw-r--r-- 1 root root 1782 jul 16 2019 envvars
-rw-r--r-- 1 root root 31063 jul 16 2019 magic
drwxr-xr-x 2 root root 12288 fev 3 16:13 mods-available
drwxr-xr-x 2 root root 4096 fev 3 16:13 mods-enabled
-rw-r--r-- 1 root root 320 jul 16 2019 ports.conf
drwxr-xr-x 2 root root 4096 fev 3 16:13 sites-available
drwxr-xr-x 2 root root 4096 fev 3 16:13 sites-enabled
I need to configure three instances of the server to listen on ports 8081, 8082, and 8083 respectively. For example, on visiting http://host1.com:8081, http://host2.com:8082 and http://host3.com:8083, the HTML pages /var/mysites/host1/index.html, /var/mysites/host2/index.html and /var/mysites/host3/index.html respectively should be rendered by default. Also, we should be able to start, stop and restart the Apache server using the following commands:
sudo apache2ctl-host1 start; sudo apache2ctl-host2 start; sudo apache2ctl-host3 start;
sudo apache2ctl-host1 stop; sudo apache2ctl-host2 stop; sudo apache2ctl-host3 stop;
sudo apache2ctl-host1 restart; sudo apache2ctl-host2 restart; sudo apache2ctl-host3 restart;
To test my instances, these conditions were required:
The Apache2 webserver installation is verified by running the dpkg --get-selections | grep apache2 command.
The server instances are started by running sudo apache2ctl-host1 start; sudo apache2ctl-host2 start; sudo apache2ctl-host3 start;
The port is verified by running the sudo lsof -i:8081 | grep apache2, sudo lsof -i:8082 | grep apache2 and sudo lsof -i:8083 | grep apache2 commands.
The HTML content is fetched by running the curl host1.com:8081, curl host2.com:8082 and curl host3.com:8083 commands.
The page must not be a 403 or 404 error page, i.e., the following commands must exit with a non-zero code:
curl host1.com:8081 | grep 403\ Forbidden
curl host2.com:8082 | grep 403\ Forbidden
curl host3.com:8083 | grep 403\ Forbidden
curl host1.com:8081 | grep 404\ Not\ Found
curl host2.com:8082 | grep 404\ Not\ Found
curl host3.com:8083 | grep 404\ Not\ Found
Also, the HTML files /var/save/mysites/host1/index.html, /var/save/mysites/host2/index.html and /var/save/mysites/host3/index.html and the rendered HTML files should be exactly the same.
You should just use one Apache and configure it to listen on 3 (or more) different ports using the "Listen" option:
Listen 10080
Listen 10443
Listen 20080
Listen 20443
Then you can configure any virtualhost you need, to respond on a specific port:
<VirtualHost *:10080>
ServerName aDomain.com
#Other conf
</VirtualHost>
<VirtualHost *:10443>
ServerName anotherDomain.com
#Other conf
</VirtualHost>
<VirtualHost *:20080>
ServerName aThirdOne.Domain.io
#Other conf
</VirtualHost>
<VirtualHost *:20443>
ServerName another.Domainof.any.kind
#Other conf
</VirtualHost>
More details and configuration options can be found on the official documentation: https://httpd.apache.org/docs/2.4/vhosts/examples.html
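One detail the answer's skeleton leaves out matters for the 403 check in the question: on Debian and Ubuntu the stock /etc/apache2/apache2.conf ends "Require all denied" on <Directory /> and only grants /usr/share and /var/www, so a DocumentRoot under /var/mysites is refused until its own <Directory> block grants it. The following is an added example, not code from the answer or from the Apache project: it emits the Listen lines (which belong in ports.conf on Debian) and one complete vhost per site from the question, and models Apache's longest-matching <Directory> rule so you can see why the grant is needed. The Options/ErrorLog lines are my assumptions about a sane default; adjust to taste.

```python
"""Generate a single-instance Apache layout for several ports and show why a
DocumentRoot outside /var/www needs its own <Directory> grant.  Added example,
not from the original answer; SITES is constructed from the question."""

SITES = [
    ("host1.com", 8081, "/var/mysites/host1"),
    ("host2.com", 8082, "/var/mysites/host2"),
    ("host3.com", 8083, "/var/mysites/host3"),
]

# Access decisions of the <Directory> sections Debian ships in apache2.conf
# (from memory of that file; check yours).  Longest matching prefix wins.
STOCK_DIRECTORY_ACCESS = {"/": "denied", "/usr/share": "granted", "/var/www": "granted"}

VHOST = """\
<VirtualHost *:{port}>
    ServerName {name}
    DocumentRoot {docroot}
    # Without this block the stock "Require all denied" on / applies and every
    # request to this site answers 403 Forbidden.
    <Directory {docroot}>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog ${{APACHE_LOG_DIR}}/{name}-error.log
    CustomLog ${{APACHE_LOG_DIR}}/{name}-access.log combined
</VirtualHost>
"""


def access_for(path, sections):
    """Apache merges <Directory> sections from shortest to longest path, so the
    longest section that is a path-prefix of `path` decides.  Assumes a "/" entry."""
    target = path.rstrip("/") + "/"
    best = "/"
    for d in sections:
        prefix = d.rstrip("/") + "/"
        if target.startswith(prefix) and len(d) > len(best):
            best = d
    return sections.get(best, "denied")


def ports_conf(sites):
    """One Listen per distinct port; on Debian this goes in /etc/apache2/ports.conf."""
    return "".join("Listen %d\n" % p for p in sorted({port for _, port, _ in sites}))


def vhost_conf(name, port, docroot):
    """Render one vhost; refuse relative or un-normalised roots so the
    <Directory> path matches exactly what Apache will compare against."""
    if not docroot.startswith("/") or ".." in docroot.split("/"):
        raise ValueError("DocumentRoot must be an absolute, normalised path: %r" % docroot)
    return VHOST.format(name=name, port=port, docroot=docroot)


def site_files(sites):
    """Map a sites-available file name to its content, one file per site."""
    return {"%s.conf" % name: vhost_conf(name, port, docroot) for name, port, docroot in sites}


def grants_after(sites, sections=STOCK_DIRECTORY_ACCESS):
    """Access map once each generated <Directory> block is merged in."""
    merged = dict(sections)
    for _, _, docroot in sites:
        merged[docroot] = "granted"
    return merged
```

Write each entry of site_files(SITES) into /etc/apache2/sites-available/, then a2ensite host1.com (and the others), apachectl configtest and systemctl reload apache2; that replaces the three apache2ctl-hostN wrappers with one service.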
I have CentOS in VMware and host a web application there.
This is the URL I use to access my page. There is also another demo page, "demo.php", that I created for testing. That one is fine: I can access it and it prints the content "its ok." But when I try my app page, which is in the same directory, the browser says:
Forbidden
You don't have permission to access /WP/View/Home/localobjects.php on this server.
http://192.168.118.129/WP/View/Home/localobjects.php
How can I fix this?
File permissions in the directory:
-rw-r--rwx. 1 root root 272 Apr 2 00:49 activedirectoryusers.php
-rw-r--rwx. 1 root root 236 Apr 17 01:22 configuration.php
-rw-r--rwx. 1 root root 324 Mar 30 00:59 dashboard.php
-rw-r--r--. 1 root root 107 Apr 15 08:28 deneme.php
drwxr-xrwx. 2 root root 4096 Apr 17 01:22 Ipageimplementations
-rw-r--rwx. 1 root root 257 Apr 17 00:52 localobjects.php
-rw-r--rwx. 1 root root 224 Mar 28 18:41 policy.php
-rw-r--rwx. 1 root root 257 Apr 13 01:58 timeintervals.php
Here is a cheatsheet…
Directories must have the permissions "drwxr-xr-x".
You set them with chmod 755 [directory name].
Files must have the permissions "-rw-r--r--".
You set them with chmod 644 *.php for all the PHP files in a folder. If you have other files which must be seen on the web (.css, etc.) chmod them accordingly.
To get the "magic numbers" you have three digits:
the first one is for the owner
the second one is for the owner's group
the third is for the rest of the world
Numbers are the sum of:
4: readable
2: writeable
1: executable
If in doubt, do one directory at a time: if you give wrong permissions (not executable, like files) to a folder you can't browse it.
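The listing in the question is worth reading with the cheatsheet in hand: -rw-r--rwx is octal 647, which is world-writable (and world-executable) rather than the 644 the answer recommends, so any local account can change what the web server serves; the trailing "." on each mode means the file also carries an SELinux context. The following is an added example, not code from the answer: it converts ls -l mode strings to octal the way the cheatsheet's "sum of 4, 2, 1 per class" describes (including setuid, setgid and sticky bits) and reports every entry in the posted listing that deviates from the 644/755 baseline or is world-writable.

```python
"""Convert the symbolic mode column of `ls -l` to octal and flag entries that
deviate from the 644/755 baseline.  Added example, not part of the original
answer; LISTING is copied from the question."""

LISTING = """\
-rw-r--rwx. 1 root root 272 Apr 2 00:49 activedirectoryusers.php
-rw-r--rwx. 1 root root 236 Apr 17 01:22 configuration.php
-rw-r--rwx. 1 root root 324 Mar 30 00:59 dashboard.php
-rw-r--r--. 1 root root 107 Apr 15 08:28 deneme.php
drwxr-xrwx. 2 root root 4096 Apr 17 01:22 Ipageimplementations
-rw-r--rwx. 1 root root 257 Apr 17 00:52 localobjects.php
-rw-r--rwx. 1 root root 224 Mar 28 18:41 policy.php
-rw-r--rwx. 1 root root 257 Apr 13 01:58 timeintervals.php
"""


def mode_to_octal(sym):
    """'-rw-r--rwx' -> 0o647.  's'/'S' in the owner or group x slot sets setuid
    or setgid, 't'/'T' in the other x slot sets sticky; lower case also keeps x."""
    if len(sym) != 10:
        raise ValueError("expected a 10-character mode string: %r" % sym)
    bits = 0
    special = 0
    for i, ch in enumerate(sym[1:]):          # i = 0..8, owner/group/other triples
        if ch in "rwx":
            bits |= 1 << (8 - i)
        elif ch in "sS":
            special |= 0o4000 if i == 2 else 0o2000
            if ch == "s":
                bits |= 1 << (8 - i)
        elif ch in "tT":
            special |= 0o1000
            if ch == "t":
                bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError("unexpected character %r in %r" % (ch, sym))
    return special | bits


def parse_listing(text):
    """Yield (name, is_dir, mode) per `ls -l` line.  A trailing '.' (SELinux
    context) or '+' (ACL) after the mode is informational and is stripped."""
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        sym = parts[0].rstrip(".+")
        yield parts[8], sym[0] == "d", mode_to_octal(sym)


def findings(text, file_mode=0o644, dir_mode=0o755):
    """(name, message) for every entry that is world-writable, carries
    setuid/setgid, or differs from the expected baseline mode."""
    out = []
    for name, is_dir, mode in parse_listing(text):
        perm = mode & 0o777
        if perm & 0o002:
            out.append((name, "world-writable (%o): any local user can alter it" % perm))
        if mode & 0o6000:
            out.append((name, "setuid/setgid set (%o)" % mode))
        expected = dir_mode if is_dir else file_mode
        if perm != expected:
            out.append((name, "mode %o, expected %o: chmod %o %s" % (perm, expected, expected, name)))
    return out
```

Pipe a real listing in with findings(subprocess.check_output(["ls", "-l", path], text=True)); the chmod commands in the output are exactly the cheatsheet's.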
I want to add public key authorization to my sftp chroot directory but I always get:
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/test/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
Couldn't read packet: Connection reset by peer
Chroot works because authorization with password is possible.
I have another account on this host without chroot and it works with this key.
I tried many times, but still it doesn't work.
On the server, in auth.log, there is only:
Connection closed by xxx [preauth]
This is my directory:
ls -laR /sftp/
/sftp/:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:55 .
drwxr-xr-x 23 root root 4096 May 3 14:46 ..
drwxr-xr-x 3 root root 4096 May 3 16:45 backup
/sftp/backup:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:45 .
drwxr-xr-x 3 root root 4096 May 3 16:55 ..
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 incoming
/sftp/backup/incoming:
total 12
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 .
drwxr-xr-x 3 root root 4096 May 3 16:45 ..
drwx------ 2 backup sftpusers 4096 May 3 21:06 .ssh
/sftp/backup/incoming/.ssh:
total 12
drwx------ 2 backup sftpusers 4096 May 3 21:06 .
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 ..
-rw------- 1 backup sftpusers 391 May 3 21:06 authorized_keys
My user:
backup:x:1002:1003::/incoming:/usr/sbin/nologin
My ssh config:
Match Group sftpusers
ChrootDirectory /sftp/%u
AuthorizedKeysFile /sftp/backup/incoming/.ssh/authorized_keys
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Please help.
I attempted this solution (putting AuthorizedKeysFile into the Match block) and sshd -T complains:
/etc/ssh/sshd_config line 153: Directive 'AuthorizedKeysFile' is not allowed within a Match block
(RHEL 6.6, openssh 5.3p1-104)
SOLUTION: The authorized_keys file (and the user's .ssh directory) must exist in the home directory location defined by /etc/passwd, outside of the chroot directory.
For example (using the OP usernames/uids):
/etc/passwd:
backup:x:1002:1003::/home/backup:/sbin/nologin
Create directory /home/backup, owned by root
Create directory /home/backup/.ssh, change ownership to backup, chmod 700 /home/backup/.ssh
Copy the authorized_keys file to /home/backup/.ssh, chmod 400 authorized_keys
ls -laR /home
/home:
total 12
drwxr-xr-x 3 root root 4096 Jul 9 12:25 .
drwxr-xr-x 3 root root 4096 Sep 22 2014 ..
drwxr-xr-x 3 root root 4096 Jul 9 12:25 backup
/home/backup:
total 12
drwxr-xr-x 3 root root 4096 Jul 9 12:25 .
drwxr-xr-x 3 root root 4096 Jul 9 12:25 ..
drwx------ 3 backup sftpusers 4096 Jul 9 12:28 .ssh
/home/backup/.ssh:
total 12
drwx------ 3 backup sftpusers 4096 Jul 9 12:28 .
drwxr-xr-x 3 root root 4096 Jul 9 12:25 ..
-r-------- 3 backup sftpusers 391 Jul 9 12:29 authorized_keys
/etc/ssh/sshd_config becomes:
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
The chroot directory structure is then:
ls -laR /sftp/
/sftp/:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:55 .
drwxr-xr-x 23 root root 4096 May 3 14:46 ..
drwxr-xr-x 3 root root 4096 May 3 16:45 backup
/sftp/backup:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:45 .
drwxr-xr-x 3 root root 4096 May 3 16:55 ..
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 incoming
drwxr-xr-x 3 root root 4096 May 3 16:55 home
/sftp/backup/incoming:
total 12
drwxr-xr-x 3 backup sftpusers 4096 May 3 16:55 .
drwxr-xr-x 3 root root 4096 May 3 16:45 ..
/sftp/backup/home:
total 12
drwxr-xr-x 3 root root 4096 May 3 16:55 .
drwxr-xr-x 3 root root 4096 May 3 16:45 ..
drwx------ 2 backup sftpusers 4096 May 3 21:06 backup
/sftp/backup/home/backup:
total 12
drwx------ 3 backup sftpusers 4096 May 3 21:06 .
drwxr-xr-x 3 root root 4096 May 3 16:55 ..
Note: /sftp/backup/home/backup is empty, it's only there to provide a path that will look like the non-chroot /home/backup -- the .ssh directory is /home/backup/.ssh not /sftp/backup/home/backup/.ssh
Problem resolved.
I have changed it:
AuthorizedKeysFile /sftp/backup/incoming/.ssh/authorized_keys
to:
AuthorizedKeysFile /sftp/%u/.ssh/authorized_keys
Stephen Buchanan's answer (which works around RHEL6's inability to set AuthorizedKeys in a Match block) splits keys into /home and contents into /sftp, but it is possible to keep everything together under /home instead.
You do this by creating the user's chroot under their home directory. For example, in sshd_config, set the chroot to /home/<user>/sftp:
Match Group sftphome
ChrootDirectory /home/%u/sftp
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
As before, ensure /home/<user> is owned by root and place .ssh keys in /home/<user>/.ssh such that the user has read permissions. Now create /home/<user>/sftp/home/<user>, with all directories owned by root except for the last <user>, which should be owned by the user. Finally, ensure the user's home directory is /home/<user> in /etc/passwd.
Now when the user logs in, the ssh key is looked up in /home/<user>/.ssh as per /etc/passwd, a chroot is done into /home/<user>/sftp, and then a cd is done into /home/<user> inside the chroot. In other words, the user's remote working directory will appear as /home/<user>.
You can optionally bind mount directories under /home/<user>/sftp/home/<user>, or anywhere under /home/<user>/sftp (which is / from the user's point of view).
It's possible to omit the sftp/ directory, create /home/<user>/home/<user> and chroot into /home/<user>, but this can be confusing as the .ssh directory and any other files will show up for the user in their /. The sftp/ directory keeps things clean.
Note: In practice, if a user's home directory is missing, sftp will normally just cd into /. You could abuse this property by not creating /home/<user> inside the chroot, so the user starts in / instead of /home/<user>. This is a bit fragile, but could come in handy.
You need to add AuthorizedKeysFile /sftp/%u/.ssh/authorized_keys to your /etc/ssh/sshd_config file. It is better if you add it in the Match block.
I am currently creating an application that requires separate users running duplicate programs. They cannot run as root for security reasons, so they are started by a Java app that I am working on, and I am starting them with runuser -l. However, I cannot cd into a directory, even though it is owned by the user, and the user has 770 permissions on the folder.
Here's what I'm running:
runuser -l lp1 -c 'java -jar /root/Desktop/workspace/LitePanel/servers/server1/server.jar -Xms1024M nogui'
And the output of this is:
runuser: warning: cannot change directory to /root/Desktop/workspace/LitePanel/bin/servers/server1/: Permission denied
Here's an ls -al:
drwxr-xr-x. 3 root root 4096 Jan 30 14:03 .
drwxr-xr-x. 7 root root 4096 Jan 30 14:02 ..
drwxrwx---. 2 lp1 lp1 4096 Jan 31 03:07 server1
Inside the directory:
drwxrwx---. 2 lp1 lp1 4096 Jan 31 03:07 .
drwxr-xr-x. 3 root root 4096 Jan 30 14:03 ..
-rwxrwx---. 1 lp1 lp1 9170551 Jan 31 03:07 server.jar
And here's /etc/passwd:
lp1:x:501:501::/root/Desktop/workspace/LitePanel/bin/servers/server1/:/bin/false
Anyone know why this is happening? It looks like the user has the necessary permissions to do this.
You have said that the directory itself has permissions 770 and is owned by the user, but what about its parents? I believe the cd command will need at least read access (and possibly execute) on the parent directories.
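Two of the threads above come down to the same thing, a chain of directory checks from / down to the target. For runuser's chdir, the kernel needs the search bit (x) on every directory on the way, read is not needed; here /root is dr-xr-x--- root:root, so lp1 stops there however open server1 itself is. For the sftp chroot, sshd additionally insists that every component of ChrootDirectory is owned by root and not group- or world-writable, and it reads AuthorizedKeysFile before the chroot happens, expanding %h to the /etc/passwd home, which is why the accepted answer keeps .ssh under the real home. The code below is an added example illustrating both answers; it is not from either answer or from OpenSSH. The in-memory tree is constructed from the listings in the two questions (uid 501 for lp1, 1002/1003 for backup:sftpusers), and the sshd rule is modelled from its documented behaviour rather than copied from its source.

```python
"""Walk directory chains the way the kernel (search permission) and sshd
(ChrootDirectory ownership) do.  Added example for the runuser and sftp-chroot
answers; TREE is a constructed model of the listings in those two questions."""

import posixpath

# path -> (owner uid, group gid, mode).  uid 0 is root; lp1 is 501:501;
# backup is 1002:1003 (group sftpusers).
TREE = {
    "/": (0, 0, 0o755),
    "/root": (0, 0, 0o550),
    "/root/Desktop": (0, 0, 0o755),
    "/root/Desktop/workspace": (0, 0, 0o755),
    "/root/Desktop/workspace/LitePanel": (0, 0, 0o755),
    "/root/Desktop/workspace/LitePanel/bin": (0, 0, 0o755),
    "/root/Desktop/workspace/LitePanel/bin/servers": (0, 0, 0o755),
    "/root/Desktop/workspace/LitePanel/bin/servers/server1": (501, 501, 0o770),
    "/sftp": (0, 0, 0o755),
    "/sftp/backup": (0, 0, 0o755),
    "/sftp/backup/incoming": (1002, 1003, 0o755),
    "/home": (0, 0, 0o755),
    "/home/backup": (0, 0, 0o755),
    "/home/backup/.ssh": (1002, 1003, 0o700),
}


def components(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']."""
    out, cur = ["/"], ""
    for part in posixpath.normpath(path).strip("/").split("/"):
        if part:
            cur += "/" + part
            out.append(cur)
    return out


def can_search(entry, uid, gids):
    """Unix DAC: pick the owner, group or other triple and test its x bit.
    root carries CAP_DAC_READ_SEARCH and is never stopped by directory modes."""
    owner, group, mode = entry
    if uid == 0:
        return True
    shift = 6 if uid == owner else 3 if group in gids else 0
    return bool(mode & (0o1 << shift))


def first_blocked(path, uid, gids, tree):
    """First directory on the way to `path` (inclusive) that uid cannot search,
    or None.  This is the EACCES chdir() returns behind runuser's warning."""
    for d in components(path):
        if d not in tree:
            return d + " (missing)"
        if not can_search(tree[d], uid, gids):
            return d
    return None


def chroot_chain_problem(chroot, tree):
    """sshd's rule for ChrootDirectory: every component up to and including it
    must be root-owned and not group/world-writable, else the login fails with
    'bad ownership or modes for chroot directory component'."""
    for d in components(chroot):
        owner, _, mode = tree[d]
        if owner != 0:
            return "%s is not owned by root" % d
        if mode & 0o022:
            return "%s is group- or world-writable (%o)" % (d, mode)
    return None


def authorized_keys_path(passwd_home, user, pattern=".ssh/authorized_keys"):
    """Where sshd looks for keys: the AuthorizedKeysFile pattern with %h and %u
    expanded, relative to the /etc/passwd home.  Evaluated before chroot(), so
    the chroot prefix is never applied to it."""
    expanded = pattern.replace("%h", passwd_home).replace("%u", user)
    return posixpath.normpath(posixpath.join(passwd_home, expanded))
```

With the question's passwd entry (home /incoming) the default pattern resolves to /incoming/.ssh/authorized_keys on the real filesystem, which does not exist; with home /home/backup it resolves to /home/backup/.ssh/authorized_keys, exactly the layout the accepted answer builds.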
Story: I deleted a directory LogViewer from the document root that was browsable and working perfectly. Later I decided to add it back but now Apache won't show it.
drwxr-xr-x. 12 user group 4096 Jun 19 15:16 272
drwxr-xr-x. 12 user group 4096 Jun 19 15:17 273
drwxr-xr-x. 3 user group 4096 Jun 20 08:06 LogViewer
The 272 and 273 directories are browsable and work.
Output of ls -lZ:
drwxr-xr-x. user group system_u:object_r:httpd_sys_content_t:s0 272
drwxr-xr-x. user group system_u:object_r:httpd_sys_content_t:s0 273
drwxr-xr-x. user group unconfined_u:object_r:user_home_t:s0 LogViewer
What I've Tried:
I have restarted apache multiple times. I've stopped it, and started it. I've refreshed the browser, I've cleared cookies and all temp files.
My Question: Wtf?
As per: SELinux doc
To make a folder viewable from a special user public HTML folder, it
needs to have a type that httpd has permissions to read, presuming the
Apache HTTP Server is configured for UserDir and the Boolean value
httpd_enable_homedirs is enabled.
Try this command:
chcon -R -t httpd_user_content_t LogViewer
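The ls -lZ output already shows the cause: the two working directories carry httpd_sys_content_t while the recreated LogViewer carries user_home_t with an unconfined_u user, the label it got by being created or moved in from a home directory (mv keeps the source label, cp takes the destination's default). chcon fixes it only until the next restorecon or relabel; if the document root is /var/www the policy already maps it to httpd_sys_content_t and restorecon -Rv LogViewer alone restores the siblings' type, while for a document root outside the default paths the mapping is recorded with semanage fcontext first. The following is an added example, not code from the answer: it parses the posted ls -lZ lines, reports entries whose type differs from the expected one, and prints those two persistent commands for each.

```python
"""Find entries under a document root whose SELinux type does not match the
siblings, and emit the relabel commands that survive a restorecon.  Added
example, not part of the original answer; LISTING_Z is the `ls -lZ` output
from the question."""

LISTING_Z = """\
drwxr-xr-x. user group system_u:object_r:httpd_sys_content_t:s0 272
drwxr-xr-x. user group system_u:object_r:httpd_sys_content_t:s0 273
drwxr-xr-x. user group unconfined_u:object_r:user_home_t:s0 LogViewer
"""


def parse_lsz(text):
    """Yield (name, seuser, role, type, level) per line in the RHEL 6 `ls -lZ`
    layout: mode owner group context name.  MLS ranges such as
    s0-s0:c0.c1023 are kept whole in the level field."""
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue
        ctx = parts[3].split(":")
        if len(ctx) < 4:
            raise ValueError("not an SELinux context: %r" % parts[3])
        yield parts[4], ctx[0], ctx[1], ctx[2], ":".join(ctx[3:])


def mislabelled(text, expected_type="httpd_sys_content_t"):
    """(name, actual_type) for entries whose type is not the expected one."""
    return [(name, t) for name, _, _, t, _ in parse_lsz(text) if t != expected_type]


def remediation(docroot, name, expected_type="httpd_sys_content_t"):
    """Persistent fix: record the rule, then apply it from the policy.  For a
    path already covered by the default policy (e.g. under /var/www) the
    restorecon line alone is enough."""
    path = docroot.rstrip("/") + "/" + name
    return [
        "semanage fcontext -a -t %s '%s(/.*)?'" % (expected_type, path),
        "restorecon -Rv '%s'" % path,
    ]


def report(text, docroot, expected_type="httpd_sys_content_t"):
    """Human-readable lines, one block per mislabelled entry."""
    lines = []
    for name, actual in mislabelled(text, expected_type):
        lines.append("%s: %s, expected %s" % (name, actual, expected_type))
        lines.extend("  " + cmd for cmd in remediation(docroot, name, expected_type))
    return lines
```

Feed it subprocess.check_output(["ls", "-lZ", docroot], text=True) on the real box; ls -dZ on a sibling that works is the quickest way to pick the expected type.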