Question

Apache cannot read files uploaded by ftp users (CentOS 8)

Posted March 21, 2021 244 views
Apache, CentOS 8

Hi, if I upload files with the “ftp1” user (the ftp user), apache cannot read/write these files.

For example, if I upload the file “info.php” to the website directory /var/www/website and then I go to the browser and type “http://server_ip/info.php”, I get “Access denied.”.

I noticed that the files uploaded by ftp users have this permission: -rw------- 1 ftp1 ftp1 26 Mar 21 10:04 info.php , when the apache files have -rw-rwxr--+ 1 apache apache 405 Feb 6 2020 index.php .

About the FTP config, I set /var/www/website as the ftp user home, and then I ran these commands:

usermod -a -G ftp1 apache
setfacl -R -m u:ftp1:rwx /var/www/website

Thank you in advance.

2 answers

Hi @Xenon032,

You’ve almost got it. You are correct, it’s because of Apache not being able to access files from ftp1.

-rw-------   1 ftp1   ftp1      26 Mar 21 10:04 info.php

Adding Apache under ftp1 would work as well; however, in that case you’ll need to make sure the files that you upload have permissions for groups to read/execute. They should look like

-rw-r--r--

This can be done by executing:

chmod 644 info.php

Regards,
KFSys

  • Hi, I have analyzed the permissions and I configured the whole thing like this:

    1) I set up /var/www/webserver as the ftp user home.

    2) Then I ran these commands to grant the ftp user access to apache files:

    usermod -a -G ftpuser apache
    setfacl -R -m u:ftpuser:rwx /var/www/website
    

    3) Next I set things up so that the files created inside the /var/www/webserver directory will inherit the apache group:

    find /var/www/website -type d -print0 | xargs -0 chmod g+s
    

    4) I set these parameters inside the vsftpd configuration:

    file_open_mode=0777
    local_umask=022
    

    0777-022=755, so all the files uploaded with ftp will have the 755 permission.

    The result

    Now I am able to upload/delete files inside /var/www/webserver with the ftp user and apache can read these files successfully.
    Now the permissions of the web server are like this:

    /var/www 755 root:root

    /var/www/website 755 apache:apache

    Directories inside /website 770 apache:apache

    Files inside /website 664 apache:apache

    Files uploaded by ftp 755

    My question is: is it secure to use these permissions on a webserver? Thank you.

    • Hi @Xenon032,

      The permissions you gave me as an example are correct and are secure enough.

      Usually, because of how permissions work, folders tend to have 755 and files 644. You’ve followed that rule so everything should be fine!

      Regards,
      KFSys

      • And about the folders inside /website that have 770?

        • The permissions 770 are quite permissive, that’s true.

          Basically, what those permissions mean is the following:

          The user owning this file has - 7 - read, write, execute.
          The group owning this file has - 7 - read, write, execute.
          Everyone else has - 0 - no permissions.

          It’s still okay but in case any other user is assigned to the same group, they will have all permissions as well.
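The permission logic discussed in this thread, as an added example that is not code from any of the participants: it computes the mode an upload gets from a base mode and a umask, then walks a directory and reports entries a given identity cannot read or that are world-writable. The function names, the constructed sample tree and the web-server uid are assumptions for illustration; only classic owner/group/other bits are evaluated, so POSIX ACLs and SELinux are not taken into account.

```python
import os
import stat
import tempfile

def upload_mode(file_open_mode, local_umask):
    """Mode an upload ends up with: the umask clears bits, it is not subtracted."""
    return file_open_mode & ~local_umask & 0o777

def access_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx bits (0-7) that apply to uid/gids; only the first matching class counts."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit(root, uid, gids):
    """List entries under root that uid/gids cannot read, or that anyone can write."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            need = 5 if stat.S_ISDIR(st.st_mode) else 4  # dirs need r+x, files r
            if (access_bits(mode, st.st_uid, st.st_gid, uid, gids) & need) != need:
                findings.append((name, oct(mode), "unreadable"))
            if mode & 0o002:
                findings.append((name, oct(mode), "world-writable"))
    return findings

def demo():
    """Constructed tree: one upload at 0600, one file at 0644, audited as a
    hypothetical web-server uid that has been added to the uploader's group."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("info.php", 0o600), ("index.php", 0o644)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        st = os.lstat(os.path.join(root, "info.php"))
        web_uid = st.st_uid + 1  # assumption: any uid other than the file owner
        return audit(root, web_uid, {st.st_gid})

if __name__ == "__main__":
    print(oct(upload_mode(0o666, 0o077)))  # 0o600, the mode seen in the question
    print(oct(upload_mode(0o777, 0o022)))  # 0o755
    print(demo())
```

Group membership alone does not help a file at 0600, because the group class has no bits set; the audit reports it even though the auditing identity is in the owning group.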