httpd-users mailing list archives

From "Timothy G. Wesemann" <timw...@voicenet.com>
Subject Re: FTP permissions to Apache Vhost
Date Tue, 07 May 2002 17:21:15 GMT
Jack,

You've got lots of problems. Your company isn't hiring, is it?  =]

See comments inline.


|> Hi, Timothy: Sorry if this is the wrong list, but actually, since I'm
|> unsure of what will allow things to work the way I described, I wasn't sure
|> what controlled the permissions needed. Sort of thought it might be
|> Apache's <Directory> stuff.
|>
|> Thanks for your questions to clarify more. Here's what I have now:
|>
|> 1) Yes, in ProFTP config, I have the "DefaultRoot ~" set so that users land
|> in their own user accounts but cannot see other user accounts/directories.

Okay, so I assume that the local user's homedir in /etc/passwd
(or yp-type equiv.) is in the /usr/local/www/./vhost1/ format.

|> 2) As to the environment, I'm running a webserver and mailserver, thus many
|> user accounts as a consequence and all are shells they can use to
|> telnet/FTP to their homedir.

ouch.

|> 3) The ProFTP has this config setting on user:group and <Dir> setting &
|> wonder if this is a possible conflict??:
|> PROFTP.CONF:
|> # Set the user and group that the server normally runs at.
|> User                            sageame
|> Group                           wheel

The people at proftpd allow ways to run the daemon as a non-root
user, but advise against it for various reasons. They also claim
that it is actually more secure to run it as root for reasons
that I cannot recall at this moment, but their reasoning seemed
fairly valid at the time that I read it.

|> # Normally, we want files to be overwriteable.
|> <Directory /*>
|>   AllowOverwrite                on
|> </Directory>

That's okay. Sort of....... I would contemplate however that even
though your users are in a pseudo-chroot-jail, finding out if you
could change it to something similar to ~ as well.

|> As I now notice, would the above user:group conflict with Apache's www:www.

That doesn't make any difference whatsoever.

|> 4) ...and yes, the docroots are all recursively owned by www

Ay, there's the rub. How is a user supposed to modify their files
if they don't own them????? This hurts my brain.

|> 5) Also FP writes okay to the present settings of www:www..... just can't
|> get FTP to cooperate.

Precedence. FTP is what you should get to work. THEN get the
M$ sh*t to play nicely with FTP and everything else.

|> 6) I can make the www/vhost1 a user account so that FTP lands there at
|> login... just have that write problem. Should ProFTP be set to www:www
|> too... possibly?

NO.

Remember unless you're gonna get into some weird *NIX
group-type-stuff, or make everything world writeable... typically
a user must own a file in order to modify it (i.e. the 7 in chmod
755 *).

Good luck. And feel free to join the
proftp-user(AT)lists.sourceforge.net list or contact me
privately. I WILL NOT be posting off-topic to this list anymore.

Thank You.

--
Timothy G. Wesemann
Voicenet Systems Administration
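
The two conditions raised in the reply above (docroot files the FTP user does not own, and the world-writable alternative) can be checked per vhost. This is an added example, not part of the original message; the function names, the sample tree and the numeric-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit one vhost docroot for the two
# conditions the reply discusses. Paths and the uid argument are assumptions.

# Print entries under docroot $1 that are NOT owned by numeric uid $2.
wrong_owner() {
    find "$1" ! -type l ! -user "$2" -print
}

# Print entries under docroot $1 that any local account could modify.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Report both findings; return 0 when the tree is clean, 1 otherwise.
audit_docroot() {
    docroot=$1; uid=$2; status=0
    bad_owner=$(wrong_owner "$docroot" "$uid")
    bad_mode=$(world_writable "$docroot")
    if [ -n "$bad_owner" ]; then
        printf 'not owned by uid %s:\n%s\n' "$uid" "$bad_owner"
        status=1
    fi
    if [ -n "$bad_mode" ]; then
        printf 'world-writable:\n%s\n' "$bad_mode"
        status=1
    fi
    return $status
}

# Constructed sample tree mirroring the vhost1/data and vhost1/cgi-bin layout.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/vhost1/data" "$tmp/vhost1/cgi-bin"
    echo '<html></html>' > "$tmp/vhost1/data/index.html"
    echo 'scratch' > "$tmp/vhost1/data/upload.tmp"
    chmod 755 "$tmp/vhost1" "$tmp/vhost1/data" "$tmp/vhost1/cgi-bin"
    chmod 644 "$tmp/vhost1/data/index.html"
    chmod 666 "$tmp/vhost1/data/upload.tmp"   # deliberately world-writable
    audit_docroot "$tmp/vhost1" "$(id -u)"; rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "audit reported findings"
```

On a real server the second argument would be the uid of the vhost's FTP account, so a docroot recursively owned by www shows up in the first list.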


----- Original Message -----
From: "Jack L. Stone" <jackstone@sage-one.net>
To: <users@httpd.apache.org>; <users@httpd.apache.org>
Sent: Tuesday, May 07, 2002 11:26 AM
Subject: Re: FTP permissions to Apache Vhost


| Hi, Timothy: Sorry if this is the wrong list, but actually, since I'm
| unsure of what will allow things to work the way I described, I wasn't sure
| what controlled the permissions needed. Sort of thought it might be
| Apache's <Directory> stuff.
|
| Thanks for your questions to clarify more. Here's what I have now:
|
| 1) Yes, in ProFTP config, I have the "DefaultRoot ~" set so that users land
| in their own user accounts but cannot see other user accounts/directories.
|
| 2) As to the environment, I'm running a webserver and mailserver, thus many
| user accounts as a consequence and all are shells they can use to
| telnet/FTP to their homedir.
|
| 3) The ProFTP has this config setting on user:group and <Dir> setting &
| wonder if this is a possible conflict??:
| PROFTP.CONF:
| # Set the user and group that the server normally runs at.
| User                            sageame
| Group                           wheel
|
| # Normally, we want files to be overwriteable.
| <Directory /*>
|   AllowOverwrite                on
| </Directory>
|
| As I now notice, would the above user:group conflict with Apache's www:www.
|
| 4) ...and yes, the docroots are all recursively owned by www
|
| 5) Also FP writes okay to the present settings of www:www..... just can't
| get FTP to cooperate.
|
| 6) I can make the www/vhost1 a user account so that FTP lands there at
| login... just have that write problem. Should ProFTP be set to www:www
| too... possibly?
|
| At 10:49 AM 5.7.2002 -0400, Timothy G. Wesemann wrote:
| >Jack,
| >
| >First off, I think your question might be better suited for
| >proftp-user(AT)lists.sourceforge.net. However, with that said I'd
| >like to get a better idea of what you're working with. In your
| >proftpd.conf, do you have something similar to "DefaultRoot ~",
| >if so what type of environment is this server running (i.e. only
| >webserving, or are your user homedirs with mail and what not
| >being mounted on this machine?). Are you running in a yp/NIS+
| >environment and cannot modify the homedirs? Are you NFS mounting
| >homedirs on another device with a separate authentication means
| >on this machine so that the users can have different homedirs on
| >this particular machine and now the users have different UIDs in
| >different places? If you can get the customer into their docroot
| >via FTP, then why doesn't a user own their own files/dirs in
| >/usr/local/www/./vhost1/? Is the filesystem not allowing the user
| >to write there, or is it a function of proftpd that I am unaware
| >of? Are you setting up the FP permissions of that other than the
| >user themself? (beware of chown-happy FP)... Are the docroots
| >recursively owned by www???
| >
| >--
| >Timothy G. Wesemann
| >Voicenet Systems Administration
| >
| >
| >----- Original Message -----
| >From: "Jack L. Stone" <jackstone@sage-one.net>
| >To: <users@httpd.apache.org>
| >Sent: Tuesday, May 07, 2002 10:35 AM
| >Subject: FTP permissions to Apache Vhost
| >
| >
| >| I'm running FBSD 4.5 and migrating several virtual host domains/websites
| >| from a BSDi server and have what is probably a very basic question about
| >| how to provide access to the virtual host's site via FTP (and using
| >| FrontPage as well). I did not handle such details at the old server, but do
| >| now and want to set up the vhosts properly so the access is similar as before.
| >|
| >| I do not place the vhost in user accounts. The document paths are
| >| structured as follows:
| >|
| >| /usr/local/www/maindomain
| >| /usr/local/www/vhost1
| >| /usr/local/www/vhost2
| >| /usr/local/www/vhost3 ....and so forth.
| >|
| >| Apache is set up for the main domain and a couple of the vhosts already, but
| >| they belong to me and I don't have any access problems, being the super
| >| user. Also, FrontPage2000 sets up and publishes fine. The user and group
| >| for Apache and FP is set to www:www.
| >|
| >| Now, however, I'm getting ready to move domains that belong to others
| >| without access except through FTP and Frontpage, but most don't want to use
| >| Frontpage and prefer FTP to upload content that has been produced on their
| >| local machines. Fairly common method I imagine.
| >|
| >| I have fiddled with a test domain that I set up as a vhost to see how it
| >| could be accessed via FTP. BTW, my FTP is ProFTPD and is set so that the
| >| user only sees the contents that belong to them and so the "root" they
| >| login to has to be a user account. In order to FTP login at the root of the
| >| vhost, I have to set up a "user" in the name of the vhost, BUT, cannot FTP
| >| upload/download to it because of permissions apparently.
| >|
| >| The obvious question I have is with the above setup, how do I give the
| >| vhost user access to the root of his "root" that would appear like this and
| >| he would see all of the content/directories contained below:
| >| /usr/local/www/vhost1/
| >| ...and point of entry would be /usr/local/www/vhost1/
| >|
| >| Better yet, to be identical to the old server setup, the path would be:
| >| /usr/local/www/vhost/data ...and the CGI directory is accessible as:
| >| /usr/local/www/vhost/cgi-bin
| >| The user's FTP point of entry must still be:
| >| /usr/local/www/vhost/
| >| ...and be writable for that user.
| >|
| >| Again, Apache is set to www:www (and so is FP2000)
| >|
| >| Please help me with proper solutions to how to give the "Vuser" access via
| >| FTP....??? Thanks in advance for any help.
| >|
| >| .... our website: http://www.sage-one.net/
| >|
| >| Best regards,
| >|
| >| Jack L. Stone
| >| Server Admin
| >|
| >| ---------------------------------------------------------------------
| >| To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
| >| For additional commands, e-mail: users-help@httpd.apache.org
| >|
| >|
| >
| >
| >
| >
| >
|
| .... our website: http://www.sage-one.net/
|
| Best regards,
|
| Jack L. Stone
| Server Admin
|
|
|

