
Proftpd virtual users and Apache permissions


hexagon

Question

Hello there.

I have a problem / question related to proftpd's virtual users and their connection to apache.

Now, I have a froxlor install with proftpd connecting to mysql for its virtual user/group ids.

Apache works with www-data:www-data. PHP works with apache's mod_php5.

Connecting through ftp with a virtual user works, I can upload files, delete them, etc and they are set with permissions as expected (eg: uid 10045 guid 10045).

The problem arises when I try to set write permissions on certain files/folders. Setting 775 does not allow apache to write, but setting it to 777 does. I'm not liking the idea of setting write permissions to all so I hope you can guide me to a solution.

In froxlor's database table ftp_groups, I can see www-data as a member of that virtual group. (Question: how is this interpreted by the system, as I'm under the impression that only proftpd has access to this data, and not apache / linux?)

I'm interested in a fix, but more interested in understanding how this works, as to be able to tackle it in the future.

Thank you.

PS: Please let me know if you need config/log file dumps.

Link to comment

12 answers to this question


According to others on this forum telling I'm a shitty supporter I should ask you the following:

Do you want

A ) help - which includes thinking and doing things on your own as we guide you or

B ) support - which means, you don't have to do anything as we do all the work

Link to comment

:))) no, you're not a shitty supporter. I've solved a lot of issues in the past based on your postings on this forum.

What I want is help to personally solve this problem, but first of all I want to understand the issue.

Thank you for your time / support.

Link to comment

Glad to hear that :)

The users in the ftp_users and ftp_groups tables are not only ftp users but also the "system" users for the customers (the customers directory is owned by this user as you already mentioned).

The user "www-data" (or to be super-correct: the value of the froxlor-setting "Webserver user") is added automatically by froxlor but is only used for FCGID and php-fpm users.

If you set up "libnss-mysql" the user www-data is in the group of the customer(s) and you will see the usernames instead of the uid/gid on your filesystem (not required for mod_php though!)

Regarding your permission problems with proftpd/user/775/777 - could you provide some error-log (client and server-side)?

Link to comment

Not really. That's what initially turned me to post to the forum. I can't really see anything in the logs. I just see a couple of PHP Posts in the access log and nothing in the error log. But I'll try to give you something.

These logs were generated with a fresh opencart installation while trying to upload an image.

Folder has 775 permissions:

Apache access log: (only line I see)

213.233.96.12 - - [13/Feb/2015:19:19:46 +0200] "POST /clients/***/admin/index.php?route=common/filemanager/upload&token=c82670b43e5b774366d7eb31c8937899&directory= HTTP/1.1" 200 976 "http://***.com/clients/***/admin/index.php?route=setting/setting&token=c82670b43e5b774366d7eb31c8937899" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"

Apache error log:

nothing... :(

This is the exception thrown by opencart's ajax uploader:

SyntaxError: JSON.parse: unexpected character at line 1 column 1 of the JSON data

OK

<b>Warning</b>: move_uploaded_file(/var/customers/webs/***/***.com/clients/***/image/catalog/bgfit.png): failed to open stream: Permission denied in <b>/var/customers/webs/***/***.com/clients/***/admin/controller/common/filemanager.php</b> on line <b>275</b><b>Warning</b>: move_uploaded_file(): Unable to move '/tmp/phpFnVKMp' to '/var/customers/webs/***/***.com/clients/***/image/catalog/bgfit.png' in <b>/var/customers/webs/***/***.com/clients/***/admin/controller/common/filemanager.php</b> on line <b>275</b>{"success":"Success: Your file has been uploaded!"}

This is from opencart's own logger:

2015-02-13 17:19:54 - PHP Warning:  move_uploaded_file(/var/customers/webs/***/***.com/clients/***/image/catalog/bgfit.png): failed to open stream: Permission denied in /var/customers/webs/***/***.com/clients/***/admin/controller/common/filemanager.php on line 275
2015-02-13 17:19:54 - PHP Warning:  move_uploaded_file(): Unable to move '/tmp/phpFnVKMp' to '/var/customers/webs/***/***.com/clients/***/image/catalog/bgfit.png' in /var/customers/webs/***/***.com/clients/***/admin/controller/common/filemanager.php on line 275

This is how the folder permissions look:

drwxr-xr-x  6 10042 10042 4096 Feb 13 03:23 admin
drwxr-xr-x  6 10042 10042 4096 Dec  8 23:36 catalog
-rw-rw-rw-  1 10042 10042 1417 Feb 13 02:56 config.php
-rw-r--r--  1 10042 10042  197 Dec  8 23:34 crossdomain.xml
drwxrwxr-x  6 10042 10042 4096 Dec  8 23:35 image
-rw-r--r--  1 10042 10042 7231 Dec  8 23:35 index.php
-rw-r--r--  1 10042 10042  383 Dec  8 23:35 php.ini
-rw-r--r--  1 10042 10042  416 Dec  8 23:38 readme.md
drwxr-xr-x 11 10042 10042 4096 Dec  8 23:38 system

Now switching to 777 permissions:

Apache access log:

213.233.96.12 - - [13/Feb/2015:19:25:17 +0200] "POST /clients/***/admin/index.php?route=common/filemanager/upload&token=c82670b43e5b774366d7eb31c8937899&directory= HTTP/1.1" 200 422 "http://***.com/clients/***/admin/index.php?route=setting/setting&token=c82670b43e5b774366d7eb31c8937899" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"

Apache error log:

nothing

Now opencart uploads the file, and returns a success message:

Success: Your file has been uploaded!

And opencart's own logger now doesn't record anything (on account that there is no error :))

This is how the folder permissions look:

drwxr-xr-x  6 10042 10042 4096 Feb 13 03:23 admin
drwxr-xr-x  6 10042 10042 4096 Dec  8 23:36 catalog
-rw-rw-rw-  1 10042 10042 1417 Feb 13 02:56 config.php
-rw-r--r--  1 10042 10042  197 Dec  8 23:34 crossdomain.xml
drwxrwxrwx  6 10042 10042 4096 Dec  8 23:35 image
-rw-r--r--  1 10042 10042 7231 Dec  8 23:35 index.php
-rw-r--r--  1 10042 10042  383 Dec  8 23:35 php.ini
-rw-r--r--  1 10042 10042  416 Dec  8 23:38 readme.md
drwxr-xr-x 11 10042 10042 4096 Dec  8 23:38 system

This is all I could gather/test. Let me know if you have any ideas, or tips on where to look for more.

Thanks.

Link to comment

Although I remember installing libnss on one or more occasions (I did a lot of test installs/configs before installing froxlor live into production) I suppose you are right that in this install it might be missing.

I'll install it and check back with the results.

Thanks.

Link to comment

You were right.

I've installed libnss onto the production server (before I've tested it on a virtual machine) and for now it seems to work.

After the installation, apache required a restart to get things going.

Thank you very much to both of you for your help.

If you have time and predisposition, can you elaborate a little on how libnss-mysql works?

From what I've searched and read online, it basically provides an authentication interface to a mysql database.

Then nscd comes into play. It checks local authorization mechanisms (eg: passwd/shadow) then checks libnss-mysql which pulls info from the database.

How wrong am I? :)

Thank you again for your time.

Link to comment
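
Added example, not part of any post in this thread: a small shell model of the owner/group/other check that explains the 775 versus 777 behaviour on the "image" directory (owner 10042:10042) and why group membership resolved through NSS changes the result. The function names are hypothetical, UID/GID 33 for www-data is an assumption (the Debian default), and the model ignores root privileges and ACLs.

```shell
#!/bin/sh
# Added example, not from the thread. Models the kernel's owner/group/other
# selection for the "image" directory (owner 10042:10042) in the listings.
# UID/GID 33 for www-data is an assumption (Debian default).

# perm_class UID "GIDS" OWNER_UID OWNER_GID -> prints owner, group or other.
# Exactly one class applies; the first match wins.
perm_class() (
    uid=$1 gids=$2 ouid=$3 ogid=$4
    if [ "$uid" -eq "$ouid" ]; then echo owner; exit 0; fi
    for g in $gids; do
        if [ "$g" -eq "$ogid" ]; then echo group; exit 0; fi
    done
    echo other
)

# can_write MODE UID "GIDS" OWNER_UID OWNER_GID -> status 0 if the write bit
# is set in the one class that applies to the process.
can_write() (
    case $(perm_class "$2" "$3" "$4" "$5") in
        owner) shift_by=6 ;;
        group) shift_by=3 ;;
        *)     shift_by=0 ;;
    esac
    [ $(( (0$1 >> $shift_by) & 2 )) -ne 0 ]
)

# diagnose USER PATH: the same check with live data. `id -G` resolves groups
# through NSS (/etc/nsswitch.conf), so groups stored in MySQL appear only
# once libnss-mysql is configured. Needs GNU stat. A running daemon keeps the
# group list it got at start, hence the Apache restart noted in the thread.
diagnose() (
    uid=$(id -u "$1") && gids=$(id -G "$1") || exit 2
    st=$(stat -c '%a %u %g' "$2") || exit 2
    set -- $st
    echo "class=$(perm_class "$uid" "$gids" "$2" "$3") mode=$1"
    can_write "$1" "$uid" "$gids" "$2" "$3"
)

# Constructed scenario: www-data without, then with, customer group 10042.
for groups in "33" "33 10042"; do
    for mode in 775 777; do
        can_write "$mode" 33 "$groups" 10042 10042 && r=allowed || r=denied
        echo "groups=[$groups] mode=$mode -> $r"
    done
done
```

On a live host, `diagnose www-data /path/to/image` (path is a placeholder) reports which class the web server user falls into for that directory.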

Archived

This topic is now archived and is closed to further replies.


