I have a www user under which the web server runs.

I also have an ftp user that also belongs to the wheel group.

The problem is that whatever file is uploaded by HTTP via the web server, which runs under the www user, cannot be read by the owner of that folder, a home folder.

What changes should I make to overcome this?

Pentium10

3 Answers


If you're running a system which supports ACLs, you could use the following commands to allow the user access to all files in their home directory by default. I think this would be better than moving groups around:

    # default ACL on directories, inherited by files created later
    setfacl -d -R -m user:ftpuser:rwx /home/ftpusers_home
    # access ACL on the files and directories that already exist
    setfacl -R -m user:ftpuser:rwx /home/ftpusers_home

They should then be able to read, write or execute any file in their home directory. If the first command fails with a "bad usage" or similar command, you may need to run this first:

    mount -o remount,acl /mount_point

where mount_point is whichever partition the FTP user's home directory is in. If you need to do this, you'll also have to edit your /etc/fstab for the changes to survive a reboot; let us know if you need help with this.

James L

Just belonging to the same group (which I'm going to be generous and assume isn't wheel, because that would be bad) isn't sufficient.

For instance, if the files created by the web server have permissions set to "600", the ftp-user being in the right group isn't going to help, as the group doesn't have rights to read the file.

Even if the perms are sufficient to allow the group members to read the file, you also need to make sure that the right group is being set. If www-data's primary group is www-data, the file is going to initially be created with the group set to www-data. You'll need to make sure that it gets chgrp'ed to the shared group before the ftp user can read the files.

One way to accomplish this is to set the group of the folder into which the web server is saving its files to the shared group. Files created inside the folder should then get their group set to the shared group, not to www-data's default group.

James Polley
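
The causes described in the answer above (group read bit missing, wrong group on the file) can be checked for directly after a test upload. This is an added example, not part of the original answers; the function name `audit_upload_dir` and its output labels are assumptions made for illustration:

```sh
#!/bin/sh
# Added example (not from the original answers). Audits a directory the web
# server writes into for the causes described above. The function name and
# the output labels are hypothetical.

# audit_upload_dir DIR
# Prints one line per problem found; prints nothing if group members can
# read every regular file and enter every directory.
audit_upload_dir() {
    dir=$1
    # Numeric gid that owns the directory (4th field of `ls -ldn`).
    gid=$(ls -ldn "$dir" | awk '{print $4}')

    # Cause 1: file mode lacks group read (e.g. 600 from a umask of 077).
    find "$dir" -type f ! -perm -040 -exec printf 'no-group-read %s\n' {} \;

    # Cause 2: file carries a different group than the directory, so the
    # group bits apply to the wrong set of users.
    find "$dir" -type f ! -group "$gid" -exec printf 'wrong-group %s\n' {} \;

    # Directories need group read + search (r-x) to be listed and entered.
    find "$dir" -type d ! -perm -050 -exec printf 'no-group-rx %s\n' {} \;

    # On Linux, by default, new files take the creator's primary group
    # unless the directory is setgid; BSD systems inherit the directory's
    # group without it.
    if [ "$(uname -s)" = Linux ] && [ ! -g "$dir" ]; then
        printf 'dir-not-setgid %s\n' "$dir"
    fi
}

# Usage: sh audit.sh /path/to/upload/dir
if [ "$#" -gt 0 ]; then audit_upload_dir "$1"; fi
```

Each `no-group-read` or `wrong-group` line names a file the ftp user cannot read through group membership, and `dir-not-setgid` means future uploads on Linux will keep landing in the web server's primary group.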

I like the ACL idea, but if you can't do that there's always the brute-force method of setting up a cron job (probably run by root) that runs every few minutes and sets permissions on files in the directory as appropriate. Ugly, but it works.

Phil Hollenback