Centos – Apache, Group Permissions and User Uploads

Tags: apache-httpd, centos, ftp, group, permissions

I have a folder named "digitalgoods" with the following ownership, apache:apache, residing outside of the htdocs folder; it is therefore not accessible to the public. However, I need the same folder to be accessible by a set group of users (Jack, John, James); we'll call them all "uploaders".

I want the "uploaders" to each be able to upload files as easily as possible to the "digitalgoods" folder, where apache can then access them to serve via purchase.

My question is: what is the best way to set this up? I am currently using SSH to access the server, but would it make more sense to install an FTP server for the users to gain access; and if so, what should I do from there with regard to accounts and permissions? Or should I set each user's home directory to "digitalgoods" and in some manner modify the permissions appropriately for access via SSH?

I am attempting to make uploading files as painless as possible for the client. Any help in this regard is appreciated.

Best Answer

There are 2 solutions, using 2 different FTP servers:

1 - Use proftpd with the VirtualHost feature and with a forced local user. Snippet of a config file of mine:

ServerType standalone
DefaultServer on
AccessGrantMsg "User %u logged in."
DeferWelcome off

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c


<VirtualHost xxx.xxx.xxx.xxx>
ServerAdmin nwildner@xxx.xxx.xxx.xxx
ServerName  "FTP"
TransferLog /var/log/proftpd/transfer.log
ExtendedLog /var/log/proftpd/full.log ALL
# Every login on this virtual host is chrooted to this directory
DefaultRoot /var/www/digitalgoods
# Identity the daemon itself runs as; a session still switches to the
# logged-in user, so these two lines alone do not decide file ownership
User                    apache
Group                   apache
AllowOverwrite          yes
MaxLoginAttempts        3
# Lets the uploaders log in with /sbin/nologin as their shell
RequireValidShell       no

# Files and directories created under the upload tree are chowned to
# apache:apache no matter which uploader created them. UserOwner only works
# while proftpd keeps its root privileges (the default). The uploaders still
# need write permission on the directory itself to create files in it.
<Directory /var/www/digitalgoods>
  UserOwner  apache
  GroupOwner apache
</Directory>
</VirtualHost>

Create the 3 users, and let them use the FTP. They will be "chrooted" to /var/www/digitalgoods and any file uploaded will have the permissions set to apache:apache.

2 - Use vsftpd chroot, and create 3 users with the same userid as apache AND the same home dir, which will be chrooted (yeah, that's a kludge but it shall work):

Contents of /etc/vsftpd/vsftpd.conf

anonymous_enable=NO
local_enable=YES
write_enable=YES
# Uploaded files get mode 644, so apache can read them
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
# Only honoured by non-PAM builds of vsftpd; with pam_service_name set, the
# shell check is whatever /etc/pam.d/vsftpd does (pam_shells on CentOS)
check_shell=NO
syslog_enable=YES
connect_from_port_20=YES
xferlog_std_format=NO
idle_session_timeout=3600
ftpd_banner=FTP XXX
# Lock every local user into its home directory. vsftpd 2.3.5 and later
# refuse a chroot whose root is writable by the user unless
# allow_writeable_chroot=YES (vsftpd 3.0+) is also set.
chroot_local_user=YES
ls_recurse_enable=YES
listen=YES
pam_service_name=vsftpd
# user_list is only consulted when userlist_enable=YES; together with
# userlist_deny=NO it becomes an allow list of the accounts in that file
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES

Since we are using least privilege, we will have to declare the logins that will access this FTP in /etc/vsftpd/user_list:

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
#
devel
manuals

Create 2 users (/etc/passwd) and use the same userid as the apache user (again, it's a damn kludge, but at least you will have 2 users uploading to their chrooted homes with the same permission). With check_shell=NO you don't need to give a valid shell to those users:

[root@]# grep -E '^(apache|devel|manuals):' /etc/passwd
apache:x:48:48:Apache:/var/www:/sbin/nologin
devel:x:48:48::/var/www/digitalgoods:/sbin/nologin
manuals:x:48:48::/var/www/digitalgoods:/sbin/nologin