Linux sftp permission denied

SFTP permission denied on files owned by www-data

I have a pretty standard server set up running Apache and PHP. An app I am running creates files and these are owned by the Apache user www-data . Files that I upload via SFTP are owned by my own user charlesr . All files are part of the www-data group. My problem is that I cannot modify or overwrite any of the files via SFTP which are owned by www-data , even though charlesr is part of the www-data group. I can modify the files no problem via a SSH session. So I’m not sure what to do. How do I give my SFTP session permissions to modify www-data owned files? For a bit of background, these are the notes I wrote for myself when setting-up the server:

Now set up permissions on `/var/www` where your files are served from by default: $ sudo adduser $USER www-data $ sudo chgrp -R www-data /var/www $ sudo chmod -R g+rw /var/www $ sudo chmod -R g+s /var/www Now log out and log in again to make the changes take hold. The previous set of commands does the following: 1. adds the current user ($USER) to the `www-data` group; 2. changes `/var/www` to belong to the `www-data` group; 3. adds read/write permissions to the group that `/var/www` belongs to; 4. sets the SGID bit on `/var/www`; this final point bears some explaining. 

And then I go on to explain to myself what setting the SGID bit means (i.e. all files created in /var/www become part of the www-data group automatically). UPDATE It seems that the problem was caused by the app itself or, more specifically, the application framework (Kohana) setting certain files it writes to 0644 (rw-r—r—); i.e. not group writable. This, coupled with the fact that the files are also owned by www-data meant that I could not edit the files via SFTP when logged-in as charlesr . I’m not sure why I could edit the files via SSH. My guess is that I must have used sudo. Here is the permissions strategy I now use thanks to the tireless help of Marty Fried, who pointed out the flaws in my previous strategy and also helped me marinade in the world of Linux permissions until I finally grokked it. Thanks Marty!

Overview

  • Files and directories in /var/www should be owned by root:webmasters
  • All devs should be members of the webmasters group
  • All directories in /var/www should be set to: 2775 or u=rwx,g=rwxs,o=rx (rwxrwx-r-x)
  • All files in /var/www should be set to: 0664 or ug=rw,o=r (rw-rw-r—)

The following should be owned by www-data:webmasters (i.e. these are the directories that Apache needs to be able to write to):

HOWTO

To set up permissions on /var/www where your files are served from by default:

  1. sudo addgroup webmasters
  2. sudo adduser $USER webmasters
  3. sudo chown -R root:webmasters /var/www
  4. sudo find /var/www -type f -exec chmod 664 <> \;
  5. sudo find /var/www -type d -exec chmod 775 <> \;
  6. sudo find /var/www -type d -exec chmod g+s <> \;
  7. sudo chown -R www-data:webmasters application/cache/ [etc. ]
Читайте также:  Foo

Now log out and log in again to make the changes take hold.

The previous set of commands does the following:

  1. Create a new group called webmasters ; all users who need write access to the app files will be added to this group.
  2. adds the current user ( $USER ) to the webmasters group.
  3. changes the owner of /var/www to root and the group to webmasters group.
  4. adds 664 permissions (-rw-rw-r—) to all files in /var/www .
  5. adds 775 permissions (drwxrwxr-x) to all directories in /var/www .
  6. sets the SGID bit on /var/www and all directories therein; this final point bears some explaining. Note also that you can also put a 2 at the front of your chmod octal (e.g. 2644) to do the same thing.
  7. sets the owner to www-data (Apache’s user) and group of the supplied directory to webmaster . This ensures the directory is writable by Apache and anyone in the webmasters group. Do the same for all other directories that need to be writable.

2 Answers 2

Ubuntu.com has pretty good serverguides, such as Apache guide. Where did you get your procedures you so carefully wrote down? I’ve never had to go to that much trouble for any of the servers I’ve set up, although I’m open to the possibility that I haven’t been doing it right — also, I haven’t actually install servers for anything that is very public, or very large, so there could be security holes that I don’t know about.

However, I’ve never needed to be a member of the www-data group, and no source files in www are owned by www-data. My understanding is that this is used by Apache only for its own files, and it will not have write permissions to any of the other files itself, because in theory, no important files will allow www-data to have write permission. I’d guess that files owned by www-data would give read-only permission to everyone else, and nobody should have write permission to its files. I could be totally wrong, of course, and if I am, I hope someone will tell me and point me to actual documentation that explains differently (not to some forum where a random internet user like me has produced instructions that worked for him).

Perhaps I’m missing something, but your problem should be fairly straightforward. The user that is logged in using sftp needs to be a member of the group www-data, and the files you are trying to modify must have write permissions for the group www-data. It doesn’t make sense to me that you can modify the files using ssh, but not using sftp; are you sure you are logging in to the same account for both? In sftp, you can enter commands such as !groups to list your groups, or !whoami to check what login name you are using. The results should match what you see using ssh (with the same commands minus the exclamation point).

You also should be able to use chmod, chown, chgrp from sftp if you have permission to do so.

Читайте также:  Настройка dhcp сервера linux debian

By the way, I think your list has at least one pretty bad command:

This gives the world write permission to every file and folder in /var/www. This sounds like a bad idea. Normally, only root has write permission to these directories, unless specific ones need more permission, usually only single directories.

Note: This was an error on my part. Thanks to DonalLafferty for pointing this out, that it specifies «g», not «a», so it only changes group permissions. My tired old eyes (or a bad font) must have read it as «a».

Edits for clarification

Normally, files created by Apache are read-only for both the www-data group and all other users, same as the root-owned files in /var/www. So, there should be no reason to make anyone a member of www-data. The issue is giving everyone write access, which is a different case. This should be done by making specific directories available within your site, and this is done simply by using chmod, either with sudo, since it is probably owned by root, or by making the owner yourself and not using sudo.

If you have more devs that need access to the entire site, that is when you want to make a user+group such as «webmasters», make it the owner of the site, give write permissions to that group, and make all devs members of that group. So the listing for the site directories would be something like:

drwxrwxr-x ## webmasters webmasters #### ####-##-## ##:## mysite.com 

I’ve since realized that you don’t really need to create a user «webmasters», just a group. Then the files can be owned by root:webmasters, ie root is the owner, but webmasters is the group.

In answer to questions below, the files that Apache writes will be owned by www-data, and group www-data. These files are not normally something you write to, so non-members of www-data may have read-only access — I think it depends on the directory permissions. If you do need more than occasional write access, then adding yourself to the group might be useful. Usually you make specific directories world writable for content saved by Apache. Consider also that most shared web hosting running Apache without shell access would not even have a way to set up groups.

But, Apache can read files even owned by root. Almost all files have world-readable access, just not writable. So, unless you want to change this, Apache doesn’t need to be in the webmasters group.

This is all basic Linux setup, not really Apache. Apache only cares about access from within the web server, and that’s set by the config files. For this reason, the Ubuntu documentation link I included in my post should be considered a better source than a public wiki.

By the way, the O’Reilly Apache Cookbook says «Document directories, such as htdocs, cgi-bin, and icons, will have to have permissions set in a way that makes the most sense for the development model of your particular web site, but under no circumstances should any of these directories or files contained in them be writable by the web server user.»

Читайте также:  Linux cron не работает

Finally, using ACLs is a good way to set file permissions if you need more control. It may even be a good way to set them all the time, and is something I should investigate.

Источник

Permission Denied при попытке что-либо удалить\изменить\залить по SFTP. В чём неправ?

Здравствуйте. Решил, вот, на Debian Jessie отказаться от FTP в пользу SFTP. Для этого создаю группу:

и помещаю в неё пользователя:

useradd oleg -G sftpusers -m -d /home/oleg -s /bin/false

Задаю пароль для пользователя:

Указываю владельца и права доступа к директории пользователя:

chown root:oleg /home/oleg chmod 750 /home/oleg

В файле /etc/ssh/sshd_config добавляю пользователя в список разрешённых к подключению:

AllowUsers sferg oleg AllowGroups sferg oleg

В том же файле заменяю параметр:

Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Далее, в конец того же файла добавляю строчки:

Match Group sftpusers ChrootDirectory %h ForceCommand internal-sftp

Теперь подключаюсь через SFTP с помощью Midnight Commander — список файлов получаю. Однако, не удаётся ни удалить файл, ни отредактировать, ни залить. Permission Denied. В чём неправ?

P.S. Пробовал подключаться с помощью WinSCP — та же история: файлы пользователя видны, но удалить\отредактировать\залить ничего нельзя.

P.P.S. Понимаю, что косяк с правами доступа, но что-то не могу сообразить, где именно.

Обратил внимание, что имеющиеся файлы редактировать-таки можно. Нельзя заливать новые и удалять имеющиеся.

Источник

SFTP upload file Permission denied

I’m trying to upload excel file using SFTP to linux machine from my local windows PC. Here is my code:

private void uploadToSftp() < try < ChannelSftp sftpClient = null; Channel channel = null; JSch jsch = new JSch(); Session session = jsch.getSession("username", "host", 22); session.setPassword("password"); Properties config = new Properties(); config.put("StrictHostKeyChecking","no"); session.setConfig(config); session.connect(); channel = session.openChannel("sftp"); channel.connect(); sftpClient = (ChannelSftp) channel; sftpClient.cd("/var/www/folder"); File localFile = new File("C:\\Workspace\\upload-file\\test.xlsx"); sftpClient.put(localFile.getAbsolutePath(),localFile.getName()); sftpClient.disconnect(); channel.disconnect(); session.disconnect(); >catch (JSchException e) < e.printStackTrace(); >catch (SftpException e) < e.printStackTrace(); >> 
3: Permission denied at com.jcraft.jsch.ChannelSftp.throwStatusError(ChannelSftp.java:2873) at com.jcraft.jsch.ChannelSftp._put(ChannelSftp.java:594) at com.jcraft.jsch.ChannelSftp.put(ChannelSftp.java:475) at com.jcraft.jsch.ChannelSftp.put(ChannelSftp.java:365) 

Well, it looks like a Permission denied error. What credentials and authentication type are you using? Are you sure they’re OK?

1 Answer 1

You seemed to upload your local file «C:\Workspace\upload-file\test.xlsx» to remote directory, «/var/www/folder» on SFTP.

I guess you have all permissions for reading,writing,executing etc on your local file(«C:\Workspace\upload-file\test.xlsx»), but your remote folder, «/var/www/folder», might not accept your application’s access including «upload» action.

The most simplest way to solve this issue is just granting all permission for all users to do anything in your upload target directory(«/var/www/folder»). Please try this linux commands for checking permission on your upload folder.

If you see your /var/www/folder/ directory is not allowed writing or reading(ex:drwxr-xr-x) for normal users, please grant permissions for this folder with the follwing command.

chmod 777 /var/www/folder //check permission again. ls -ld /var/www/folder 

If you can check the target folder’s permission is enough(drwxrwxrwx), please run your application again.

NOTE: Giving all permissions for other users is not considered a good practice. Please just do this solution for test, and change the permission setting fit to your specification later. For more detail, Please check this link(Click).

Источник

Оцените статью
Adblock
detector