- 09-01-2009 #1 Just Joined!
- Join Date
- Mar 2009
- Posts
- 19
Multiple permissions
Hi,
I have apache installed on a debian box using vsftp. It has a separate system user for the FTP. I can't transfer files because it is chowned to the main user account, for executing via apache I assume. When I chown it to the FTP account I can transfer files but not view them over the internet (could be to do with apache), also can't view anything from the server.
Is there a way to make multiple permissions; ftp account can read + write and system user can read, write + execute?
Thanks,
-cheese
- 09-01-2009 #2 Just Joined!
- Join Date
- Aug 2009
- Location
- Mumbai, India
- Posts
- 75
Hi,
For the problem you have reported, create a new group & make the system user and FTP user a part of this new group. Change ownership of the file/dir; a command like 'chown -R system_user:new_group_name file/dir_name'. This would change the ownership of the files/dir so that you could set the requisite multiple permissions.
A command like 'chmod -R 766 filename/dir_name' would give you RWX permissions for user (system user in your case), RW permission for the group and other. You could also set it to 760 to deny any permission for others (except for user/group).
--Syd
- 09-01-2009 #3 Just Joined!
- Join Date
- Mar 2009
- Posts
- 19
This is what I did:
Created a group called web-user.
Created an FTP user called ftp-user.
Added ftp-user to the web-user group along with "me", the system user.
chown me:ftp-user webdirectory
chmod +x webdirectory (766, 7760 does not work)
Now I can upload files via ftp but cannot view any files over the web or locally; the file/dir appears with a cross through it and access is denied when opened.
However if I create the file locally, on the me account, it can be viewed (also no cross through it).
Where have I gone wrong?
Edit: Cannot get dir listing via ftp after disconnecting and reconnecting.
- 09-02-2009 #4 Just Joined!
- Join Date
- Aug 2009
- Location
- Mumbai, India
- Posts
- 75
Hi
You could give the command chmod -R 777 webdirectory (not a safe option). This would assign RWX permissions for everyone. If you face no problem for the ftp-user account and the me account, this would rule out any cause of failure other than permissions. You could then revert back to the original permissions and continue with the following.
Try chown -R me:web-user webdirectory & chmod -R +x webdirectory (Note the -R parameter which assigns rights recursively). I wonder why chmod 766 does not work?
What's the output of the 'ls -l webdirectory' command? What rights and ownership are shown there, e.g. for one or two of the files which you say have a cross against the name when accessing over the web?
Also issue the command ls -l one directory level above webdirectory and update about the permissions listed for webdirectory itself. When you click the file in the web interface, what's the error in the apache log file?
Is everything working fine for the me account, and does the problem exist only for the ftp-user account? Break up your troubleshooting here into steps, each specific to the ftp-user and me accounts.
--Syd
- 09-02-2009 #5 Just Joined!
- Join Date
- Mar 2009
- Posts
- 19
I followed your instructions and only ftp has access. The uploaded files have a cross through them as they can only be accessed by the ftp-user account. This also means they cannot be accessed by apache; when trying to view some files I just get the 403 forbidden. If I change the ownership to "me" (the account apache is running under) I can view it over the web but FTP does not work (Error: 500 cannot change directory).
The only way I see of solving this is chowning each directory to "me" after uploading it, but that gets tedious.
It's appearing as if there is one or the other owner/account that has rights to view it...
- 09-03-2009 #6 Just Joined!
- Join Date
- Aug 2009
- Location
- Mumbai, India
- Posts
- 75
Hi,
I wrongly assumed that chown -R would apply to newly created directories. You are right that you would have to chown newly created directories since with ftp upload the ownership would be assigned to the user who uploaded the files
I assume as per config the ftp-user and me user are members of web-user group. Try the command chmod -R g+s web-directory. If ls -l shows that the user & group owner for the web-directory are me & web-user respectively, then the command would cause all new files created in the directory to have same group ownership as the parent. So when you upload file as ftp-user, the files/dir should have group ownership of web-user (inheriting from parent directory)
I'm not conversant with umasks but there is an option of setting umask value in the ftp config files. Setting it to 002 (default is 022) would perhaps set file permissions of 664 and dir permissions of 774.
If it does not work then a ls -l output for webdirectory and the directory one level above webdirectory would help
--Syd
- 09-03-2009 #7 Just Joined!
- Join Date
- Mar 2009
- Posts
- 19
I did chmod -R g+s (webdir) then uploaded a file in a folder via FTP and it still said access forbidden when viewed over the web. So in the webdir I did ls -l and it spat out drwx--S-- 2 ftp-user web-user 4096 (date and time) webdir
By this I assume this is owned by "ftp-user" which is part of the "web-user" group and therefore cannot be viewed across the net because apache is running under "me"
And the result from doing this from the dir above is: drwxrwsrwx 3 me web-user 4096 (date and time) www This was created by hand on the me account
- 09-04-2009 #8 Just Joined!
- Join Date
- Aug 2009
- Location
- Mumbai, India
- Posts
- 75
Hi,
File ownership seems fine to me. Since you have uploaded the files as ftp-user, the owner is the same and group id web-user. User "me" is also a member of web-user
But the file permissions are wrong because of which the apache user is not able to access it over the web. ls -l output should be
drwxrwS-- 2 ftp-user web-user 4096 (date and time) webdir. This would give the group read and write rights. But the ls -l output as provided by you does not show those rights for the group, hence I feel the files are not accessible on the web since the apache process is running as user "me", which is a member of web-user, but web-user does not have rights. That's why when you change the ownership from ftp-user to "me" it works on the web.
In a nutshell, in addition to user owner permissions (which is fine) group permissions of rws need to be given. chmod -R g+rws webdir. That's how I see it to be....
--Syd
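
Added example, not part of any post in this thread: a scratch-directory reproduction of the listings discussed above, showing how the upload umask (vsftpd's `local_umask` option) and the setgid bit on the parent decide whether a group member such as the Apache account can read an upload. It assumes Linux with a `stat` that supports `-c`; the function names `mode_after_upload` and `group_can_read` are made up for the illustration.

```shell
#!/bin/sh
# Added example (constructed): needs only a scratch directory, no root and
# no extra groups. Assumes Linux and a stat that supports -c (GNU/BusyBox).

# mode_after_upload UMASK file|dir
# Prints the octal mode a new file or directory gets inside a setgid web
# root when it is created under UMASK (what an FTP upload does).
mode_after_upload() (
    scratch=$(mktemp -d) || exit 1
    mkdir "$scratch/webdir"
    chmod 2775 "$scratch/webdir"        # drwxrwsr-x: group rwx plus setgid
    umask "$1"
    if [ "$2" = dir ]; then
        mkdir "$scratch/webdir/upload"
    else
        : > "$scratch/webdir/upload"
    fi
    mode=$(stat -c %a "$scratch/webdir/upload")
    rm -rf "$scratch"
    printf '%s\n' "$mode"
)

# group_can_read MODE file|dir
# Succeeds if a member of the owning group (Apache running as "me" in
# web-user) can read the file, or list and enter the directory.
group_can_read() {
    g=${1%?}                            # drop the "other" digit
    g=${g#"${g%?}"}                     # keep only the group digit
    if [ "$2" = dir ]; then need=5; else need=4; fi   # dirs need r and x
    [ $(( $g & $need )) -eq "$need" ]
}

# Report what each upload umask produces and whether the group can read it.
for um in 077 022 002; do
    for kind in file dir; do
        mode=$(mode_after_upload "$um" "$kind")
        if group_can_read "$mode" "$kind"; then
            verdict="group can read"
        else
            verdict="group locked out (403 from Apache)"
        fi
        printf 'umask %s  %-4s -> %-4s  %s\n' "$um" "$kind" "$mode" "$verdict"
    done
done
```

With umask 077 the uploaded directory comes out as mode 2700, which `ls -l` prints as `drwx--S---`: the setgid bit was inherited from the parent, but the group has no read or execute bit, matching the listing from post #7.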
- 09-07-2009 #9 Just Joined!
- Join Date
- Mar 2009
- Posts
- 19
So it was down to the permissions. It all works now.

Many thanks for the help.