ProFTPD problem with permissions during upload files to public_html

SamotniQ

Verified User | Joined: Nov 21, 2008 | Messages: 17 | Location: Poland

Hello,

I have installed ProFTPD version 1.3.5 on my server. When I upload files to /home/$user/domains/$domain_name/public_html/, the UID and GID are set to $user:$user. This permission should properly be set to $user:apache ... How can I solve this problem?

Below is my proftpd.conf file:


ServerName "server"
ServerType standalone

Port 21
PassivePorts 35000 35999
UseReverseDNS off
TimesGMT off
TimeoutLogin 120
TimeoutIdle 600
TimeoutNoTransfer 900
TimeoutStalled 3600

ScoreboardFile /var/run/proftpd/proftpd.pid

TransferLog /var/log/proftpd/xferlog.legacy
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"

#DON'T modify this log format. Its used by DirectAdmin to determine user usage
LogFormat userlog "%u %b %m %a"
ExtendedLog /var/log/proftpd/62.141.41.19.bytes WRITE,READ userlog

AuthUserFile /etc/proftpd.passwd
DefaultServer on
AuthOrder mod_auth_file.c

#AuthPAM off

#SQ
<IfModule mod_cap.c>
CapabilitiesEngine on
CapabilitiesSet +CAP_CHOWN
</IfModule>
#SQ

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/proftpd.tls.log
TLSProtocol SSLv23
#TLSProtocol TLSv1
TLSVerifyClient off
TLSRequired off

#Certificates
TLSRSACertificateFile /etc/exim.cert
TLSRSACertificateKeyFile /etc/exim.key
#TLSCACertificateFile /etc/ftpd/root.cert.pem

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
</IfModule>
<Global>
PassivePorts 35000 35999
DeferWelcome on

RequireValidShell no


DefaultRoot ~
DirFakeUser on ftp
DirFakeGroup on ftp

User ftp
Group ftp
#UserAlias anonymous ftp

AllowStoreRestart on
AllowRetrieveRestart on

ListOptions -a
ShowSymlinks on
<IfModule mod_facts.c>
##Enable this with proftpd 1.3.4b+ to fix FileZilla MLSD
##http://www.proftpd.org/docs/modules/mod_facts.html#FactsOptions
# FactsOptions UseSlink
</IfModule>

Umask 022
DisplayLogin welcome.msg
DisplayChdir readme
AllowOverwrite yes
IdentLookups off
ExtendedLog /var/log/proftpd/access.log WRITE,READ write
ExtendedLog /var/log/proftpd/auth.log AUTH auth

#
# Paranoia logging level....
#
#ExtendedLog /var/log/proftpd/paranoid.log ALL default

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/proftpd.tls.log
TLSRSACertificateFile /etc/exim.cert
TLSRSACertificateKeyFile /etc/exim.key
</IfModule>
</Global>


Include /etc/proftpd.vhosts.conf
 

SeLLeRoNe

Super Moderator | Joined: Oct 9, 2004 | Messages: 6,789 | Location: A Coruña, Spain

Why should they be set to user:apache? That makes no sense at all; files are correctly set to user:user because that's the way they should be set.

Regards
 

SamotniQ

SeLLeRoNe, thanks for your reply. Apache 2.x is running as the apache user:

apache 12668 0.0 0.5 157048 22068 ? S 17:30 0:00 /usr/sbin/httpd -k start -DSSL

When my clients upload files using the FTP (proftpd) server directly to /home/$user/domains/$domain/public_html, for example any CMS that includes a web creator (e.g. Joomla, WordPress), the default rights are:

# file: index.php
# owner: $user
# group: $user
user::rw-
group::r--
other::r--

All scripts that configure the CMS using the included creator run with "apache" user rights, so Apache can't create and write any configuration to files (e.g. MySQL settings: hosts, user, password, etc.).

So the best way for me is to set the owner to $user and the group to apache for all files uploaded to /home/$user/domains/$domain/public_html and set the permissions to:
# file: index.php
# owner: $user
# group: apache
user::rw-
group::rw-
other::r--

Of course I can correct these settings manually using chown commands, but this is not a good solution for a large number of customers.
 

SeLLeRoNe

That's definitely the bad way to go.

You'd better use mod_ruid2 or php_fcgi (I use mod_ruid2) so that files stay user:user and WP and other software can write config files as well, without needing to change the ownership of files and/or their permissions.

Regards
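
A check for the situation discussed in this thread, added here as an example and not posted by either participant: it lists files and directories under a webroot that are group-writable by the web server's group or world-writable, which on a server where PHP runs as one shared account means writable by every site's scripts. The function names and the sample tree are constructed for illustration; the web server group (apache in the thread) and the webroot path are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# audit_webroot ROOT WEB_GROUP
# Prints one "REASON<TAB>PATH" line for every file or directory under ROOT
# that the shared web server account could modify.
audit_webroot() {
    root=$1
    web_group=$2
    # Owned by the web server's group and group-writable (the user:apache
    # rw-rw-r-- layout asked for in the thread). World-writable entries are
    # excluded here so each path is reported once.
    find "$root" \( -type f -o -type d \) -group "$web_group" \
        -perm -020 ! -perm -002 \
        -exec sh -c 'for p; do printf "group-writable\t%s\n" "$p"; done' sh {} +
    # Writable by everyone, regardless of owner and group.
    find "$root" \( -type f -o -type d \) -perm -002 \
        -exec sh -c 'for p; do printf "world-writable\t%s\n" "$p"; done' sh {} +
}

# count_findings ROOT WEB_GROUP: number of findings, for use in monitoring.
count_findings() {
    audit_webroot "$1" "$2" | wc -l | tr -d ' '
}

# make_demo_tree: builds a constructed sample webroot in a temp directory
# and prints its path. Modes are set explicitly so the umask does not matter.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/public_html"
    chmod 755 "$d" "$d/public_html"
    : > "$d/public_html/index.php"
    chmod 644 "$d/public_html/index.php"          # owner-only write: fine
    : > "$d/public_html/configuration.php"
    chmod 664 "$d/public_html/configuration.php"  # group-writable
    : > "$d/public_html/cache.tmp"
    chmod 666 "$d/public_html/cache.tmp"          # world-writable
    printf '%s\n' "$d"
}

# Stand-alone use: ./audit.sh /home/someuser/domains/example.com/public_html apache
if [ "$#" -ge 2 ]; then
    audit_webroot "$1" "$2"
fi
```

On the sample tree, with the group that owns the sample files given as the web group, the check reports configuration.php and cache.tmp and leaves index.php alone.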
 