FTP using VSFTPD “Access Denied”


I’m running Ubuntu 10.04 i386. I use Cyberduck (FTP GUI client) to connect to my server mysub.domainname.com (changed here).

This is what I want to be able to do:

1) Change apache2 root from /var/www to /home/myuser/webroot to serve files like index.html

2) Allow FTP to write in /home/myuser/webroot

3) Allow myuser to login with his user/pass combo with FTP and read/write anywhere within myuser folder

Apache2 root folder works fine. Going to myserver.com/index.html works. But I can’t get FTP to write, even though I changed these lines in etc/vsftpd.conf:

listen=YES
#listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
#local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
# chroot_list_enable below.
#chroot_local_user=YES
#chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
#ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem

The problem

Whenever I try to create a folder in /home/myuser or /home/myuser/webroot, I get the error "Create directory operation failed." in my FTP program, Cyberduck.

Maybe helpful info:

drwxrwsr-x 2 myuser www-data 4096 2011-04-18 03:04 webroot

and I changed the permissions here too:

-rw-rwSr-- 1 myuser root 69 2011-04-18 02:14 index.html

…BUT no luck. I still can’t upload or write using FTP. Any suggestions or pointers would be great, I’m pretty squarely lost on this one.

UPDATE:

I tried enabling anonymous logins for FTP, and I could not even get that to work… I think the only solution is to completely purge the system of vsftpd and apache2 and just start over.

Solution:

For permissions, you need to have the folder and files in it owned by myuser so that they can be accessed from the myuser account.

If apache (or your scripts) needs to write to the folder, then the best thing to do is use chgrp to assign the specific locations that should be written to to the www-data group, then chmod g+w that location or file. If you are giving write access to a folder, chmod g+sw will give write access to the folder and ensure that files created there will also belong to the www-data group.

The files and directories in this case would look something like:

drwxrwxr-x 2 myuser   www-data    4096 2011-04-18 03:04 webroot
-rw-rw-r-- 1 myuser   www-data    1000 2011-04-18 03:04 index.html
drwxrwsr-x 2 myuser   www-data    4096 2011-04-18 03:04 folderwithg+ws

You would want to be very careful giving write access to files and folders to apache though, otherwise an attacker might figure out a way to make your scripts overwrite themselves or replace index.html, or whatever.

Otherwise, if apache does not need to write to your document directory, the permissions should be fine as they are, as long as all of the subdirectories and files are world readable (and directories are world accessible).

For SSL/TLS, you’re missing

ssl_enable=YES

You can force users to use encryption:

force_local_logins_ssl=YES
force_local_data_ssl=YES

And there is an ssl_ciphers= option as well, if you want to limit it to HIGH or a specific list of ciphers. If you want “implicit SSL” (instead of AUTH SSL or AUTH TLS commands to start encryption, the encryption is negotiated at the beginning of the connection) then that is implicit_ssl=YES.
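
The ownership and mode rules from the answer above, written as a check that can be run over the web root; this is an added example, not part of the original answer. The function names and finding labels are made up here, the world-writable check goes beyond what the answer states, and a `find` that supports `-perm -mode`, `-user` and `-group` is assumed.

```shell
#!/bin/sh
# Added example; function names and labels are illustrative.
report() {   # report LABEL FIND-ARGS...: print "LABEL: path" per match
    label=$1; shift
    find "$@" | sed "s|^|$label: |"
}

# audit_webroot ROOT OWNER GROUP
# OWNER is the FTP login (myuser), GROUP the web server group (www-data).
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_webroot() {
    root=$1 owner=$2 group=$3
    out=$(
        # The answer: folder and files are owned by the FTP account.
        report "not owned by $owner" "$root" ! -user "$owner"
        # Group write is meant for the web server group only.
        report "group-writable, group is not $group" \
            "$root" ! -type l -perm -020 ! -group "$group"
        # g+s belongs on directories, where new files inherit the group.
        # The S in the -rw-rwSr-- listing of index.html is a stray bit.
        report "setgid on a regular file" "$root" -type f -perm -2000
        # Assumption beyond the answer: nothing should be world-writable.
        report "world-writable" "$root" ! -type l -perm -002
        # The answer: files world-readable, directories world-accessible.
        report "file not world-readable" "$root" -type f ! -perm -004
        report "directory not world-accessible" "$root" -type d ! -perm -005
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: the two listings from the question, rebuilt under DIR.
build_sample() {
    mkdir -p "$1/webroot"
    chmod 2775 "$1/webroot"               # drwxrwsr-x
    : > "$1/webroot/index.html"
    chmod 2664 "$1/webroot/index.html"    # -rw-rwSr--
}

# Usage: sh audit.sh /home/myuser/webroot myuser www-data
if [ $# -eq 3 ]; then audit_webroot "$@"; fi
```

On the constructed sample the only finding is the setgid bit on index.html; clearing it with `chmod g-s` leaves the tree clean.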
