I have created a new user (foo) and when he logs in via ftp he cannot edit the files in the directory to which he has access.
In the directory he can log into, ls -l gives me:
-rw-rw-r-- 1 root www-pub 6427 Nov 17 04:21 index.html
The user belongs to the group www-pub. Here is the output of cat /etc/group to demonstrate that he is indeed in that group:
...
www-pub:x:1001:ftpuser,www-data,foo
foo:x:1002:
*edit: the permissions on the containing directory are:
drwxrwsr-x 5 root www-pub 4096 Nov 17 02:53 thecontainingdir
and the one above that:
drwxrwsr-x 49 root www-pub 4096 Nov 16 02:40 thenextdirup
So since he can log in via ftp and since the file he needs to edit has the correct permissions to let the group www-pub read and write the file and he is a member of that group, why can't he edit it (or upload anything)?
Only when I change the file to 777 can he edit it. It's as if he's NOT in the group... but he is! What's going on?
In a nutshell, v3.2.5 of vsftpd will not work with a writeable root inside chroot() so you need to either make the user's root folder not writeable, upgrade to a new version (and set some conf settings) or downgrade to an older version.
Details
OK, the problem stemmed from me using vsftpd version 2.3.5 (the latest package available for my server). This version of vsftpd requires that the ftp user's home directory NOT have write privileges. Yes, you read that correctly. So in my case, I wanted the user to be able to ftp into a web root and start editing. Can't do it. I had to create another directory above the web root, make that the user's home directory, make it not writeable and then the user could ftp in, navigate down to the web root and edit/upload as expected.
This solution sucks in my case as I have a number of users operating at varying depths in several virtual directories but at least it works (and I am using rewrites to keep folks from getting confused). Now I need to always make sure there is a "wrapper" directory around anything I want to assign a particular user to.
The main suggestions I found online:
(this not only didn't work, it caused the daemon to have trouble restarting. I suspect this works IF you have a later version (3.0+) of vsftpd)
(I removed the current version and started trying to get an older version to work with my server but ran into so many missing and failed dependencies that I gave up. Others online had some luck going back to version 2.3.2 or up to 3.x if you can compile your own)
Some other suggested solutions put forth by one of the people behind vsftpd that I found online:
(for me this wouldn't work because I couldn't have a single local root)
(this simply would not work on my server.)
(I cannot compile on this server.)
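The wrapper-directory workaround described in the answer above, as an added shell example that is not part of the original post: it builds a non-writable FTP home with the group-writable web root beneath it and checks a directory's mode bits before it is assigned as a home. The function names and directory names are hypothetical, and checking all three write bits is an assumption of this example.

```shell
#!/bin/sh
# Added example: function names and directory names are hypothetical.

# Return 0 if the directory has any write bit set (owner, group or other).
# The mode string from ls is used instead of `[ -w dir ]`, because a root
# shell passes that test for every directory regardless of its mode.
dir_has_write_bit() {
    [ -d "$1" ] || return 2
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case "$mode" in
        d?w*|d????w*|d???????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the layout from the answer: a non-writable wrapper that becomes the
# FTP home, with the group-writable setgid web root one level below it.
# On a real server the web root would also be chgrp'ed to the shared group.
make_wrapper() {
    wrapper=$1
    webroot=$1/$2
    mkdir -p -- "$webroot" || return 1
    chmod 2775 -- "$webroot" || return 1   # drwxrwsr-x, as in the question
    chmod 555 -- "$wrapper"                # dr-xr-xr-x: no write bit on the FTP home
}

# Report whether a directory can serve as the FTP home under the constraint
# described above. Assumption: all three write bits are checked, so the
# result does not depend on which user later logs in.
check_ftp_home() {
    [ -d "$1" ] || { echo "MISSING: $1 is not a directory"; return 2; }
    if dir_has_write_bit "$1"; then
        echo "UNSAFE: $1 is writable; use a non-writable parent as the home"
        return 1
    fi
    echo "OK: $1 has no write bit set"
}
```

Running `check_ftp_home` against the web root itself reports it as unsafe, while the wrapper created by `make_wrapper` passes.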