Hello, I have an nginx server running and wanted to set up vsftp alongside it. But I can't get the new user to have write permissions without www-data losing them.
Essentially this is what I did:
Code
apt-get -y install vsftpd
# Self-signed certificate with cert and key in one PEM file (vsftpd accepts the
# same file for rsa_cert_file and rsa_private_key_file). 1024-bit RSA is weak and
# is refused at OpenSSL security level 2 (the Debian default), so use 2048; the
# empty subject fields (/C=/ST=/L=/O=/OU=) are pointless and only get skipped.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -subj "/CN=*.domain.tld"
# The file now holds the private key: keep it root-only.
chmod 600 /etc/ssl/private/vsftpd.pem
# A self-signed certificate is not trusted by FileZilla/WinSCP automatically;
# it has to be accepted in the client on the first connection.
Then I adjusted the config:
Code
# Run standalone vs. from an inetd – start daemon from an initscript
listen=YES
#
# Disallow anonymous FTP.
anonymous_enable=NO
#
# Allow local users to log in.
local_enable=YES
#
# Allow per-user configuration for local users.
user_config_dir=/etc/vsftpd_user_conf
#
# Enable FTP write commands – controlled with cmds_allowed list.
write_enable=YES
#
# Don’t allow recursive listing – prevents excessive I/O usage.
ls_recurse_enable=NO
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Display directory listings with the time in your local time zone.
# Default is to display GMT.
use_localtime=YES
#
# Activate logging of uploads/downloads, but not in xferlog format
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# Uploaded files are owned by the uploader.
chown_uploads=NO
#
# Default log – enable and change for custom location/name
xferlog_file=/var/log/vsftpd.log
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120
#
# Don’t allow ASCII mangling on files when in ASCII mode.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=NO
ascii_download_enable=NO
#
# Customize the login banner string:
ftpd_banner=Welcome to our FTP service.
#
# Customization
#
# Some of vsftpd's default settings don't fit the filesystem layout.
#
# Empty directory which isn’t writable by the ftp user. This directory is used
# as a secure chroot() jail when vsftpd does not require filesystem access.
secure_chroot_dir=/var/run/vsftpd/empty
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# Location of the RSA certificate to use for SSL encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
#
# Allow PASV (passive ftp)
pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12500
port_enable=YES
# Public address announced to clients for PASV. vsftpd does not expand shell
# variables, so replace $IP with the literal address (example: 203.0.113.10).
# Leave pasv_address unset when the server is not behind NAT; vsftpd then uses
# the address the client connected to.
pasv_address=$IP
pasv_addr_resolve=NO
#####################################################
listen_ipv6=NO
# Account vsftpd switches to for its unprivileged helper process. It has no
# bearing on who owns uploads (those belong to the logged-in user), so keep it
# separate from the web server account: as www-data the helper would get the
# web server's access to the web root. vsftpd's default is nobody.
nopriv_user=nobody
# Lock local users into their home directory. The home here is the writable
# web root, which vsftpd 3.x otherwise refuses ("500 OOPS: vsftpd: refusing to
# run with writable root inside chroot()"), hence allow_writeable_chroot.
chroot_local_user=YES
allow_writeable_chroot=YES
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
utf8_filesystem=YES
# Disable SSL session reuse (required by WinSCP)
require_ssl_reuse=NO
# Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
ssl_ciphers=HIGH
######################################################
#
# Permission layout for files created over FTP, see
# http://en.gentoowiki.com/wiki/Vsftpd
# file_open_mode is the mode an upload is opened with; local_umask (vsftpd
# default 077) is then applied to it and also to directories created over FTP.
# 0666 & ~0006 gives uploads 0660 and mkdir gives 0771: read/write for the
# wwwftp group, nothing for others.
file_open_mode=0666
local_umask=0006
#
Here I'm no longer quite sure:
Code
groupadd wwwftp
# --ingroup makes wwwftp the primary group, so uploads carry that group.
# --disabled-password only skips the interactive prompt; the password is set
# with chpasswd below. A non-login shell keeps the account off ssh/console.
adduser myftpusereins --gecos "" --no-create-home --disabled-password --home /etc/nginx/html --ingroup wwwftp --shell /bin/false
# No space before the colon: chpasswd reads "user:password" literally.
echo 'myftpusereins:meincoolespw' | chpasswd
# adduser has already written the /etc/passwd entry; do not append a second
# one by hand and do not run useradd for the same account again.
chown -R www-data:wwwftp /etc/nginx/html
chmod -R 775 /etc/nginx/html
Then edit /etc/pam.d/vsftpd:
Code
# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Standard pam includes
@include common-account
@include common-session
@include common-auth
# pam_shells stays disabled so the FTP account can keep a non-login shell such
# as /bin/false. The Debian build of vsftpd uses PAM, so vsftpd's own
# /etc/shells check (check_shell) does not apply here.
#auth required pam_shells.so
But it doesn't really want to work. It doesn't properly accept the certificate, and the permissions business is a whole other story.
Does anyone have a tip for me?
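As an added example that is not part of the original post or of vsftpd: a shell script for the group-shared web root the post is after. It assumes the names used in the post (/etc/nginx/html, www-data, wwwftp, myftpusereins) and adds the step the posted commands lack, putting www-data into the wwwftp group and setting the setgid bit on the directories, so that uploads (0660 with the posted file_open_mode and local_umask) stay readable for nginx and content written by www-data stays writable for the FTP account. effective_mode, apply_layout and verify_layout need no root and can be tried on a scratch directory; setup_shared_webroot is the root-only part.

```shell
#!/bin/sh
# Added example, not from the original post: shared web root for nginx
# (www-data) and an FTP upload account. Names below are the post's; they are
# assumptions, override them via the environment.
set -u

WEBROOT=${WEBROOT:-/etc/nginx/html}   # nginx document root from the post
WEBUSER=${WEBUSER:-www-data}          # nginx worker user
FTPGROUP=${FTPGROUP:-wwwftp}          # shared group from the post
FTPUSER=${FTPUSER:-myftpusereins}     # FTP account from the post

# Mode a new file or directory gets once the umask is applied: mode & ~umask.
# vsftpd opens uploads with file_open_mode and sets local_umask as the process
# umask, so with the post's values an upload lands as 0660 and a directory
# created over FTP (0777 base) as 0771.
effective_mode() {
    printf '%04o\n' $(( $1 & ~$2 ))
}

# Permission layout only, no ownership change, so it also runs as an ordinary
# user on a scratch directory: directories setgid + group rwx so that new
# entries inherit the group whichever side creates them, files group-writable.
apply_layout() {
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 0664 {} +
}

# Returns 0 when every directory is setgid and group rwx and every regular
# file is group read/write; otherwise lists the offenders and returns 1.
verify_layout() {
    if find "$1" \( -type d ! -perm -2070 \) -o \( -type f ! -perm -060 \) | grep .; then
        return 1
    fi
    return 0
}

# Root-only part: group, FTP account with wwwftp as primary group (so its
# uploads carry that group even without setgid), and www-data as a member of
# the group. The last step is what the post is missing: without it nginx
# cannot read a 0660 upload.
setup_shared_webroot() {
    getent group "$FTPGROUP" >/dev/null || groupadd "$FTPGROUP"
    id "$FTPUSER" >/dev/null 2>&1 || \
        useradd -M -d "$WEBROOT" -g "$FTPGROUP" -s /usr/sbin/nologin "$FTPUSER"
    usermod -aG "$FTPGROUP" "$WEBUSER"
    chown -R "$WEBUSER:$FTPGROUP" "$WEBROOT"
    apply_layout "$WEBROOT"
    verify_layout "$WEBROOT"
}

# Run as root with "apply" to change the live system; without arguments the
# script only defines the functions.
if [ "${1:-}" = "apply" ]; then
    setup_shared_webroot
fi
```

nginx only sees the new group membership after a restart, because supplementary groups are fixed when a process starts; the same applies to an FTP session that was already open. With www-data in the group the posted local_umask=0006 can stay as it is: others get no access at all and the group carries the sharing.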