Rights question

#1 Sat, 10/22/2005 - 01:16
chosts

Rights question

I had to set up the domain name without the SSL enabled and without the virtual FTP setup (do I need virtual FTP? and I want to have SSL enabled).

There are 4 directories inside the new user domain directory. The directories are homes, log, cgi-bin, and public_html. All of those directories are owned by the same user and have CHMOD set to 755. But why, when the user FTPs there, is the only directory that he/she has rights to homes? No rights to anything else.

Any ideas?

Thank you.

Sat, 10/22/2005 - 02:51
FaisalMehmood

If you want to set up a website with SSL and FTP you need to assign a dedicated IP address to it.

FTP will work on your user's account, even without putting a dedicated IP address. This will mean that whenever a user connects to his ftp://hisdomain.com he will in fact connect to your machine's shared IP address for all websites. This means that since the user is a unix user, he can connect to the FTP using his or her username and password and can start uploading to their directory.

I am not exactly sure what you were asking but hope this helps.

Sat, 10/22/2005 - 07:40
chosts

The problem that I have is that my user cannot see anything but the homes directory and the user cannot create/add/update/modify/move anything anywhere there. This is only if he/she uses ftp.

Thank you.

Sat, 10/22/2005 - 13:20
FaisalMehmood

Hmm, this is weird. You are saying that when the user connects using FTP he does not see the other directories? Can you give me a test account? I am sure Joe would help you out if you don't want to give out a test account.

Sun, 10/23/2005 - 14:19
chosts

I reformatted it and will recreate it in a couple of days. If it does it again, I will post the link and a username and a password here.

Thank you.

Mon, 10/24/2005 - 01:30
FaisalMehmood

Okies .. that's cool.

Sun, 10/30/2005 - 20:17
chosts

I reinstalled it a few times and now installed it on different hardware but there is always the same problem. If I try to do ftp as a user, I do not have all rights there. You can check it here: http://71.39.99.110:10000 and ftp to the same ip address. Username and password are the same - mytest. If you use http, you could see all files and create files and folders. If you try to ftp, you cannot.

Also, can you tell me why, when I placed an index.html file there, it gives me a blank page anyway?

Thank you.

Mon, 10/31/2005 - 01:48
FaisalMehmood

Hi.

I would highly recommend you install the Usermin module and the Virtualmin module. Although I am not too fluent with the Webmin GPL version, I can give you some hints here.

Before I give you those hints, let me tell you that the whole process of adding users in Virtualmin Pro is quite easy. And everything just works without questions, problems, etc.

OK, now coming to the point.

Go to the SYSTEM module in your Webmin, logged in as root. Over there you should see an option for users/groups. If you don't see this, you have to install the Usermin module.

Click on it and add a user. If you have proftpd running then this user should be able to check his home directory on ftp without any problems.

Second option: in Virtualmin (if you have it installed), click on add new user when you click on the domain. Make sure ftp is enabled.

This is all I could think of.

Thanks.
Faisal.

Mon, 10/31/2005 - 09:59
chosts

If I check, it shows that I have proftpd running.

If I go to users/groups, click on user, I do not see any ftp option there.

The only ftp option that is in Virtualmin is "FTP virtual server enabled?" and I cannot do it because Virtual FTP cannot be enabled unless a virtual IP address is allocated.

Also, why doesn't it show me my index.html file?

Thank you.

Mon, 10/31/2005 - 11:49 (Reply to #9)
Joe

Hi Igor,

You've got three distinct issues here, and they are unrelated to each other, so I'll tackle them one at a time:

First up, the easy one: FTP Virtual Server is not needed for the vast majority of cases. You can forget it even exists and you'll probably never miss it. This feature allows one to provide anonymous access to a specific directory based on the hostname that was contacted. Because the FTP protocol has no room for name-based host information, this requires an IP for every hostname that you'd like to provide anonymous access for. The vast majority of users will simply never need this. So forget about this option entirely. There is a FAQ about this that explains it in a bit more detail at http://www.virtualmin.com/faq/one-faq?faq_id=1511#1831

Next, FTP users. In order for FTP to work for a user, the shell you have given them must exist in the /etc/shells file. If you don't give them a shell in /etc/shells, FTP in ProFTPd will fail. Beyond that, I can't think of anything that would prevent a user from being able to access FTP--it is not something that needs to be configured per-user. Either the FTP server is on or off, and if it is on all valid users with a good shell should be able to access at least their home directory (configuration may chroot them into that directory, or it may allow them to roam). If this is not the problem in your case, we need some log entries from when you try to login as one of the failing users...FTP should just work, and there really isn't much that can go wrong in a default installation of ProFTPd.

Finally, the index.html file. Did you put it in ~/public_html? Is it owned by the domain owner user and group owned by the domain owner group? If you created the file as root, Apache might not have read access to the file. You can also check the access_log file in ~/logs to see if the request is actually going to your virtual domain or if it is not getting to the right virtual host. It may be that your Apache configuration is broken with regard to the NameVirtualHost and VirtualHost sections. If you don't have a NameVirtualHost entry, you'll get some errors in the root Apache error_log (in /var/log/httpd/error_log on Red Hat-based systems) when starting up when it reaches the VirtualHost sections. If you have a broken VirtualHost section, it could cause several different types of problem, including the one you're describing. Once we know what kind of problem it is we can correct it pretty easily--and figure out why it is happening in your Virtualmin created domains...Virtualmin should create correct entries for you, though it is possible that other changes made directly in the Apache module or by hand or using some other admin tool (like yast or linuxconf) could have broken it.

Hope this helps get you on the right track. Once we know a bit more, we should be able to figure out exactly what's going wrong.

--

Check out the forum guidelines!
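
The /etc/shells condition described in the post above, as an added example that is not part of the thread or of Virtualmin: it lists accounts whose login shell is missing from a shells file. The helper name `users_with_unlisted_shell` and the sample passwd entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. users_with_unlisted_shell is a
# hypothetical helper name; the sample passwd entries are constructed.

# usage: users_with_unlisted_shell PASSWD_FILE SHELLS_FILE
# Prints "user:shell" for each account whose login shell is not listed.
users_with_unlisted_shell() {
    awk -F: '
        # First argument: the shells list. Drop comments and blank lines.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t]+/, "")
            if ($0 != "") ok[$0] = 1
            next
        }
        # Second argument: passwd format, field 7 is the login shell.
        /^#/ || NF < 7 { next }
        {
            # passwd(5): an empty shell field means /bin/sh.
            shell = ($7 == "") ? "/bin/sh" : $7
            if (!(shell in ok)) print $1 ":" shell
        }
    ' "$2" "$1"
}

dir=$(mktemp -d)
# Shells file with the entries quoted later in this thread.
printf '%s\n' /bin/sh /bin/bash /sbin/nologin /bin/ksh /bin/tcsh /bin/csh \
    /bin/zsh /bin/false > "$dir/shells"
# Constructed accounts: the first two pass, the last two are reported.
cat > "$dir/passwd" <<'EOF'
mytest:x:501:501::/home/mytest:/bin/sh
ftponly:x:502:502::/home/ftponly:/bin/false
webdev:x:503:503::/home/webdev:/usr/local/bin/customshell
legacy:x:504:504::/home/legacy:/bin/ash
EOF
users_with_unlisted_shell "$dir/passwd" "$dir/shells"
rm -rf "$dir"
```

On a live host the two arguments would be /etc/passwd and /etc/shells; an empty result means every account passes the check.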

Mon, 10/31/2005 - 18:42
chosts

Thank you for your reply.

I understand that I do not need virtual FTP. I mentioned it just to let you know that this is the only ftp option that I have when I create/modify user.

I do not understand what you mean by "give them a shell in /etc/shells". I do have /etc/shells and this is what is in the file:
/bin/sh
/bin/bash
/sbin/nologin
/bin/ksh
/bin/tcsh
/bin/csh
/bin/zsh
/bin/false
Should there be something else? Do I have to add something every time I create a new user?

I created the index.html file when I logged in as my test user in the user's public_html directory, so the user is the owner. There is nothing interesting in the error_log file and I do have a NameVirtualHost * entry. This is my VirtualHost entry.
<VirtualHost *:80>
SuexecUserGroup "#501" "#501"
ServerName mytest.com
ServerAlias www.mytest.com
DocumentRoot /home/mytest/public_html
ErrorLog /home/mytest/logs/error_log
CustomLog /home/mytest/logs/access_log common
ScriptAlias /cgi-bin/ /home/mytest/cgi-bin/
<Directory /home/mytest/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
</Directory>
</VirtualHost>
I am not a pro but it seems OK to me.

Any ideas?

Thank you.

Mon, 10/31/2005 - 22:39 (Reply to #11)
Joe

Hi Igor,

Ok, you've got /bin/false in your /etc/shells, which is the default "FTP only" account shell type. This should be fine. I just mean that a user must have their login shell set to one of the shells in /etc/shells in order for the server to allow them to log in. When you look at your user account that should have access but doesn't, what is their login shell? Is it one in the /etc/shells file?

Yes, your virtual host definitions also look fine.

I have no idea what could be causing these two issues, and I've never seen anything like it. I'm sure it is something simple in both cases, it's just a matter of figuring out what it is. This is a GPL installation, correct? Where did your Apache and ProFTPd packages come from? And was the Apache rebuilt?


Tue, 11/01/2005 - 07:40
chosts

Thank you for your reply.

When I check the user's shell, it is /bin/sh. This is one of the shells in /etc/shells.

I installed this FC4 from CDs that I downloaded from Red Hat. After I installed it, I ran a regular yum update. I did not do anything different. After I installed it, I modified Apache and Postfix as it is specified in the documentation on webmin.com. That is it. Nothing special.

Thank you.

Tue, 11/01/2005 - 15:17 (Reply to #13)
Joe

Ok, so you're not using ProFTPd? (ProFTPd is not in Fedora Core 4...vsftpd is the default ftp server there, and is not configurable by Webmin/Virtualmin. You can use it with Virtualmin, but you have to configure it yourself.)

Now that I re-read your original post, I see that the user is able to log in via FTP, but only gets his home directory. This is the chroot setting within the ftp server. However, what is wrong with the user only seeing his home directory? The domain owner has everything he needs to maintain his site and services within it. Maybe I'm still misunderstanding what problem it is that you're seeing?

As for the Apache...In order for users to be able to run CGI scripts, you'll have to rebuild it with the suexec directory pointing at /home rather than /var/www. But HTML pages will probably still work fine.

You might also be running into SELinux issues. FC4 enables SELinux by default, and it does not permit quite enough in user home directories to run a virtual server out of it (it's getting close--I have a Virtualmin server running with SELinux enabled, and I only had to tweak a couple of things to make it all work...and I think by the time of FC5 we'll be able to run with SELinux enabled). Try turning off SELinux by running the following, as root:

setenforce 0

You'll need to edit /etc/selinux/config to turn it off permanently, if this proves to be the culprit.

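
The SELinux suspicion raised in the post above can be confirmed from the audit log before enforcement is changed. This is an added example, not part of the thread: it groups AVC denial records by process, permission and target context. The helper names `avc_summary` and `sample_avc_log` are assumptions, and the log lines are constructed in the usual AVC layout.

```shell
#!/bin/sh
# Added example, not from the thread. avc_summary and sample_avc_log are
# hypothetical helper names; the log lines below are constructed.

# usage: avc_summary LOG_FILE
# Prints "count comm perms tclass tcontext", most frequent denial first.
avc_summary() {
    awk '
        /avc:/ && /denied/ {
            comm = perms = tclass = tctx = "?"
            # Requested permissions sit between "{" and "}".
            if (match($0, /[{][^}]*[}]/)) {
                perms = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perms)
                gsub(/ +/, ",", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
            }
            n[comm " " perms " " tclass " " tctx]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed audit records (not taken from the poster's machine).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1130900000.101:11): avc:  denied  { search } for  pid=2101 comm="proftpd" name="mytest" dev=dm-0 ino=4001 scontext=system_u:system_r:ftpd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1130900004.220:12): avc:  denied  { search } for  pid=2101 comm="proftpd" name="mytest" dev=dm-0 ino=4001 scontext=system_u:system_r:ftpd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1130900050.310:13): avc:  denied  { getattr } for  pid=2210 comm="httpd" name="index.html" dev=dm-0 ino=4007 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1130900050.310:13): arch=40000003 syscall=195 success=no exit=-13
EOF
}

log=$(mktemp)
sample_avc_log > "$log"
avc_summary "$log"
rm -f "$log"
```

A denial whose comm is the FTP or web server and whose target context is a home-directory type points at SELinux policy rather than at file ownership or the server configuration.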

Tue, 11/01/2005 - 21:19
chosts

You are right, vsftpd is default for Fedora Core 4 but I removed it and installed ProFTPd.

As soon as I disabled SELinux, my ftp works. Great.

I still cannot see the pages when I open Internet Explorer. It shows me the blank page. I am not sure what to do about this.

When you say that I have to rebuild Apache, do you mean that I have to reinstall it? Is there any way just to change a setting to point to the different directory?

Thank you.