VSFTPD folder permission failure in Centos 7

ricardo.claus
Posts: 55
Joined: 2016/07/04 12:46:08

VSFTPD folder permission failure in Centos 7

Post by ricardo.claus » 2017/12/13 23:46:58

Dear,
I am configuring the VSFTPD ftp server in Centos 7.
The connection normally occurs. However, I am having difficulty in allowing a folder.
The home folder of my ftp user is: /var/www/html/files/
This user has no shell enabled.
Inside the files folder, there is a protocol folder. It turns out I cannot access the protocol folder. I get an error that it is not possible to list the folder.

Look at the permissions of the folder:

# ls -l /var/www/html/files/
total 128100
-rwxr-xr-x 1 ftpuser ftpuser 2 Dec 13 20:54 file.txt
drwxrwx--- 2 ftpuser ftpuser 105095168 Dec 13 17:33 protocol
drwxr-xr-x 2 ftpuser ftpuser 10 Dec 13 21:41 test

Note: I created the test folder and the garbage file.txt using FileZilla.

# ls -l /var/www/html/files/protocol
-rwxrwx--- 1 ftpuser ftpuser 99310 Oct 4 2016 005664026.57f3f83965ffe.pdf
-rwxrwx--- 1 ftpuser ftpuser 98864 Oct 24 2016 005668584.580df8d86ebed.pdf
-rwxrwx--- 1 ftpuser ftpuser 99307 Nov 25 2016 005677621.58388fdaf1ee6.pdf
-rwxrwx--- 1 ftpuser ftpuser 99540 Dec 14 2016 005679540.585129c4b112c.pdf


The following commands I executed but to no avail:

chown ftpuser:ftpuser -R /var/www/html/files/
chmod -R 755 /var/www/html/files/
chmod 770 /var/www/html/files/protocol/
chmod -R 770 /var/www/html/files/protocol/


Follow the contents of my vsftpd.conf file

anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
# anon_upload_enable=YES
# anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
# chown_uploads=YES
# chown_username=whoever
# xferlog_file=/var/log/xferlog
xferlog_std_format=YES
# idle_session_timeout=600
# data_connection_timeout=120
# nopriv_user=ftpsecure
# async_abor_enable=YES
# ascii_upload_enable=YES
# ascii_download_enable=YES
# ftpd_banner=Welcome to blah FTP service.
# deny_email_enable=YES
# banned_email_file=/etc/vsftpd/banned_emails
#
chroot_local_user=YES
# chroot_list_enable=YES
# chroot_list_file=/etc/vsftpd/chroot_list
# ls_recurse_enable=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
allow_writeable_chroot=YES
log_ftp_protocol=YES

Anyone have any tips on how to solve the permission problem?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: VSFTPD folder permission failure in Centos 7

Post by hunter86_bg » 2017/12/14 04:58:56

You need to relabel (semanage fcontext) the files, as by default ftp cannot access http labeled content.
If you want both apache and vsftpd to access those files, you can use either 'public_content_rw_t' or 'public_content_ro_t' SELinux contexts.

ricardo.claus
Posts: 55
Joined: 2016/07/04 12:46:08

Re: VSFTPD folder permission failure in Centos 7

Post by ricardo.claus » 2017/12/14 07:38:33

Dear Hunter86_bg,
Thanks for the support.
SELinux is fully disabled.
I need to have an FTP but the files are also accessed by Apache.

ricardo.claus
Posts: 55
Joined: 2016/07/04 12:46:08

Re: VSFTPD folder permission failure in Centos 7

Post by ricardo.claus » 2017/12/14 11:01:18

Other important information.
I logged in with the ftpuser user in the shell, went into the protocol folder, and created a folder and files. I did not receive any permission denied errors. I can view all the files inside the folder from the shell, and also view inside the FTP.

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: VSFTPD folder permission failure in Centos 7

Post by pjsr2 » 2017/12/14 13:04:23

I am not sure if I understand your problem correctly. Let me try:
-1- You have a website with files in /var/www/html/.
-2- You want to be able to upload files to this website using the vsftpd server as user ftpuser and store those files in the /var/www/html/files/ directory
-3- Users can browse files that are uploaded to the /var/www/html/files/ directory through the web server.
Your problem is that users can not access files in the /var/www/html/files/protocol through their web browser.
Is my understanding of the problem correct?

Assuming that you use the Apache web server, the httpd process is running as the user apache (group: apache).
The user apache does not have permissions to read the /var/www/html/protocol directory, nor to read any of the files in that directory.

You should set the permissions as follows:


# Set owner and group
chown ftpuser:ftpuser -R /var/www/html/files/
# Recursively set permissions on directories.
find /var/www/html/files/ -type d -exec chmod 755 {} \;
# Recursively set permissions on files. Files should not have execute permission.
find /var/www/html/files/ -type f -exec chmod 644 {} \;
Why are you disabling SELinux?
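
The mode check pjsr2 describes, as an added example that is not part of the original post: a read-only audit that lists what an account outside the owner and group (such as the apache user) cannot read, plus regular files carrying an execute bit. The function name `audit_tree` and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: it changes nothing.
# Reports, under ROOT:
#   DIR_NO_OTHER_RX  directories "other" cannot list or traverse
#   FILE_NO_OTHER_R  regular files "other" cannot read
#   FILE_EXEC_BIT    regular files with any execute bit set
# Exit status is 1 when anything is reported, 0 for a clean tree.
audit_tree() {
    {
        find "$1" -type d ! -perm -005 \
            -exec printf 'DIR_NO_OTHER_RX %s\n' {} +
        find "$1" -type f ! -perm -004 \
            -exec printf 'FILE_NO_OTHER_R %s\n' {} +
        find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -exec printf 'FILE_EXEC_BIT %s\n' {} +
    } | awk '{ print; n++ } END { exit (n > 0) }'
}

# Constructed sample tree mirroring the modes shown in the first post.
demo=$(mktemp -d)
mkdir "$demo/protocol" "$demo/test"
: > "$demo/file.txt"
: > "$demo/protocol/sample.pdf"
chmod 755 "$demo" "$demo/test" "$demo/file.txt"
chmod 770 "$demo/protocol" "$demo/protocol/sample.pdf"

audit_tree "$demo" || echo "findings listed above"
rm -rf "$demo"
```
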

ricardo.claus
Posts: 55
Joined: 2016/07/04 12:46:08

Re: VSFTPD folder permission failure in Centos 7

Post by ricardo.claus » 2017/12/14 13:45:05

Dear Pjsr2

I temporarily disabled SELinux in order to solve the permission problem. Once it is resolved, I will activate it.

Answers:
1 - I do not have a website running at this address. It is just a storage, where we perform the files through FTP.
2 - Correct, we have an application that connects via ftp and sends the files using ftpuser
3 - The problem in question is about FTP access. Using the Filezilla software, I can not see the contents of the folder. Only within FTP I do not have access to the folder. Via shell, I can access it normally.

In root folder /var/www/html/files/, I can create folders and files successfully, and all changes are viewed by FTP access.

I applied recursive chmod, but the problem still persists

# ls -l /var/www/html/files/protocol
-rwxrwx--- 1 ftpuser ftpuser 99310 Oct 4 2016 005664026.57f3f83965ffe.pdf
-rwxrwx--- 1 ftpuser ftpuser 98864 Oct 24 2016 005668584.580df8d86ebed.pdf
-rwxrwx--- 1 ftpuser ftpuser 99307 Nov 25 2016 005677621.58388fdaf1ee6.pdf

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: VSFTPD folder permission failure in Centos 7

Post by pjsr2 » 2017/12/14 16:46:45

Since you do not intend to access any uploaded files through your web server, don't put them under /var/www/html
The directory /var/www/html is intended for your web pages and has special permissions and SELinux attributes for that.

When you access with FileZilla, are you logging in as the ftpuser?
# ls -l /var/www/html/files/protocol
-rwxrwx--- 1 ftpuser ftpuser 99310 Oct 4 2016 005664026.57f3f83965ffe.pdf
-rwxrwx--- 1 ftpuser ftpuser 98864 Oct 24 2016 005668584.580df8d86ebed.pdf
-rwxrwx--- 1 ftpuser ftpuser 99307 Nov 25 2016 005677621.58388fdaf1ee6.pdf
These are all plain documents, not executable programs. They should not have execute permissions set.

ricardo.claus
Posts: 55
Joined: 2016/07/04 12:46:08

Re: VSFTPD folder permission failure in Centos 7

Post by ricardo.claus » 2017/12/14 17:23:40

Dear pjsr2

By chatting with the system developer, a web application searches for files in this FTP directory.
In this case, Apache is required for the application to search the files (read and write) through the URL http://domain/files

In this case, what do you advise?
Am I wrong to put the folders inside /var/www/?

pjsr2
Posts: 614
Joined: 2014/03/27 20:11:07

Re: VSFTPD folder permission failure in Centos 7

Post by pjsr2 » 2017/12/14 18:37:17

In that case, you were right indeed to put the files in directory /var/www/html/files/
When you also need to be able to write files through Apache, then also the apache user needs write permissions.

When you access with FileZilla, are you logging in as the ftpuser?

ricardo.claus
Posts: 55
Joined: 2016/07/04 12:46:08

Re: VSFTPD folder permission failure in Centos 7

Post by ricardo.claus » 2017/12/14 18:55:42

Dear pjsr2

That's right, I use the ftpuser user in Filezilla.
I think I found the cause of the problem.
The protocol folder, in which I referred to the access problem by Filezilla, raised the problem because the folder has 2116160 files.
The same problem occurred using WinSCP. It is impossible to read this folder using an FTP client, due to the large amount of files.
When you try to access this folder, you receive the error: 150 Here comes the directory listing.
So the problem was not permission, which I suspected.

As our application only reads and writes one file at a time, then there are no problems with this folder.

Thank you all for the help.
My greetings!
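
The cause found at the end of the thread, as an added example that is not part of the original posts: one streaming pass that reports directories whose direct entry count exceeds a limit, without sorting the listing the way `ls -l` does. The function name `flag_large_dirs`, the limit and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread).
# Prints "COUNT DIRECTORY" for every directory under ROOT that holds more
# than LIMIT direct entries, largest first. One streaming pass, no sorting
# of file names. Names containing newlines are miscounted.
flag_large_dirs() {
    find "$1" -mindepth 1 -print |
        awk -v limit="$2" '
            { sub("/[^/]*$", ""); count[$0]++ }   # keep only the parent path
            END {
                for (d in count)
                    if (count[d] > limit) printf "%d %s\n", count[d], d
            }' |
        sort -rn
}

# Constructed sample tree: protocol/ holds 25 files, test/ holds 2.
demo=$(mktemp -d)
mkdir "$demo/protocol" "$demo/test"
i=0
while [ "$i" -lt 25 ]; do
    : > "$demo/protocol/$i.pdf"
    i=$((i + 1))
done
: > "$demo/test/a.txt"
: > "$demo/test/b.txt"

flag_large_dirs "$demo" 10    # limit of 10 is an arbitrary demo value
rm -rf "$demo"
```

In the first post's `ls -l` output, the 105095168-byte size of the `protocol` directory entry itself is the same signal.
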
