0

My web files are located in /var/www/html/example.com/web/

Permissions are:

drwxr-xr-x 20 root   root  4096 Aug 13 18:22 var
... same for www and html ...
drwxr-xr-x 4  root   root  4096 Aug 13 18:22 example.com
drwxr-xr-x 10 apache root  4096 Aug 13 18:22 web

I have an FTP user "ftpuser" but I don't want them to be able to access any of the files in /var/www/html/

However, if I try chmod o-rx on ANY of the parent level folders, it gives a 403 Forbidden error, even though the user Apache still has RX permissions on web.

How can I stop ftpuser from changing into those directories and reading the files, without blocking access from users visiting through a browser?

Note - the strange thing is I have another server setup similarly, where I simply did chmod o-rx on the example.com folder, and everything remained web accessible.

andrewtweber
  • 449
  • 1
  • 10
  • 18

2 Answers2

1

You have a few options, but what I would do is install suPHP, if my assumption that you're using Apache is correct; if not, I hope my answer gets you on the right path anyway.

It allows you to run PHP scripts as non-web-server users. You can then tell the FTP server to lock users in their $HOME, and move the DocumentRoot into ftpuser's home folder. You haven't mentioned which Linux distribution you're using, but here is a guide for installing in Ubuntu, and here is one for CentOS 6.

The other options involve messing with ftpuser's home folder location, and I'd avoid it for standardisation reasons - suPHP will do the job perfectly, and without messing with your system configuration unduly.

The only important thing to note with suPHP is that the permissions must be 100% correct, or you'll get server errors. I can't post more than 2 links yet, so just Google "fix suphp permissions" and choose the "piyecarane.wordpress.com" pagge (first link for me currently).

n00b
  • 11
  • 2
  • Sorry for the confusion but the FTP user is unrelated to the web files so I wouldn't want the root in their folder. Had to accept the other answer but thanks :) – andrewtweber Sep 16 '13 at 21:20
1

just set the webserver (apache,www,www-data, whatever it is on your distro as owner)

chown -R apache:root /var/www/html
chmod -R o-rwx /var/www/html/

(Those commands should give exactly what you asked for. I'm not convinced it is what you want as it denies ftpuser any access at all to any files even remotely related to public serving...

if you want ftp user to have access to: /var/www/html/example.com/web/ then run the above commands and then the following:

chown -R ftpuser:apache /var/www/html/example.com/web/
chmod -R g+rx /var/www/html/example.com/web/

These are not perfect permissions but they should be close to getting the job done. (and you will probably have to grant ftpuser rx on all parent directories of: /var/www/html/example.com/web/

This question is probably better suited for super-user or linux

From your posted permissions, I am guess you just need to chown -R apache:root the example.com/ directory then do chmod o-rx to strip access from everyone but the webserver (and root). Your final alternative involves extended attributes (like ntfs permissions).

Daniel Widrick
  • 3,488
  • 2
  • 13
  • 27
  • Yes, that is what I want. The FTP user is unrelated to the website that's being hosted. I think my problem was I was trying to remove o-rx permissions from one folder, and changing ownership to apache on a different folder. Looking at it now it's embarrassingly simple, probably sitting at the computer too long – andrewtweber Sep 16 '13 at 21:14
  • we've all had those days <3 – Daniel Widrick Sep 16 '13 at 21:16