I want a user to connect to my server with WinSCP and to change files in the website folder.
The owner of the folders and files is nginx.
I have added the nginx group to my sftp user as its primary group, but it still cannot change files.
I also disabled SELinux, but I still get:
Permission denied.
Error code: 3
Error message from server: Permission denied
What else do I need to do so the sftp user can edit files and save changes?
Jan 28 21:22:44 192.168.0.4 systemd[3041]: pam_unix(systemd-user:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:22:44 192.168.0.4 sshd[2934]: pam_unix(sshd:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:22:54 192.168.0.4 sshd[3071]: Accepted password for purple from 84.52.167.179 port 54540 ssh2
Jan 28 21:22:54 192.168.0.4 sshd[3071]: pam_unix(sshd:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:25:52 192.168.0.4 sshd[3280]: Accepted password for root from 84.52.167.179 port 54598 ssh2
Jan 28 21:25:52 192.168.0.4 sshd[3280]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
Jan 28 21:25:52 192.168.0.4 sshd[3289]: error: Connection from user root 84.52.167.179 port 54598: refusing non-sftp session
Jan 28 21:25:52 192.168.0.4 sshd[3280]: pam_unix(sshd:session): session closed for user root
Jan 28 21:26:28 192.168.0.4 sshd[3336]: Accepted password for root from 192.168.0.2 port 52699 ssh2
Jan 28 21:26:28 192.168.0.4 sshd[3336]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
Jan 28 21:29:11 192.168.0.4 gdm-password][3317]: gkr-pam: unable to locate daemon control file
Jan 28 21:29:11 192.168.0.4 gdm-password][3317]: gkr-pam: stashed password to try later in open session
Jan 28 21:29:11 192.168.0.4 accounts-daemon[826]: request by system-bus-name::1.90 [gdm-session-worker [pam/gdm-password] pid:3317 uid:0]: cache user 'root'
Jan 28 21:29:11 192.168.0.4 gdm-password][3317]: pam_unix(gdm-password:session): session opened for user root(uid=0) by root(uid=0)
Jan 28 21:29:11 192.168.0.4 gdm-password][3317]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
Jan 28 21:29:12 192.168.0.4 polkitd[823]: Registered Authentication Agent for unix-session:21 (system bus name :1.106 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 28 21:29:14 192.168.0.4 gdm-launch-environment][1094]: pam_unix(gdm-launch-environment:session): session closed for user gdm
Jan 28 21:29:14 192.168.0.4 polkitd[823]: Unregistered Authentication Agent for unix-session:c1 (system bus name :1.31, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jan 28 21:29:23 192.168.0.4 sshd[1004]: Received signal 15; terminating.
Jan 28 21:29:23 192.168.0.4 sshd[4176]: Server listening on 0.0.0.0 port 22.
Jan 28 21:29:23 192.168.0.4 sshd[4176]: Server listening on :: port 22.
Jan 28 21:29:38 192.168.0.4 sshd[4192]: Accepted password for root from 192.168.0.2 port 53339 ssh2
Jan 28 21:29:38 192.168.0.4 sshd[4192]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
Jan 28 21:29:55 192.168.0.4 sshd[2934]: pam_unix(sshd:session): session closed for user purple
Jan 28 21:29:55 192.168.0.4 sshd[3071]: pam_unix(sshd:session): session closed for user purple
Jan 28 21:30:24 192.168.0.4 sshd[4260]: Accepted password for purple from 84.52.167.179 port 54634 ssh2
Jan 28 21:30:24 192.168.0.4 systemd[4285]: pam_unix(systemd-user:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:30:24 192.168.0.4 sshd[4260]: pam_unix(sshd:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:30:35 192.168.0.4 sshd[4315]: Accepted password for purple from 84.52.167.179 port 54642 ssh2
Jan 28 21:30:35 192.168.0.4 sshd[4315]: pam_unix(sshd:session): session opened for user purple(uid=2005) by purple(uid=0)
This is the WinSCP log:
Permission denied.
Error code: 3
Error message from server: Permission denied
What is the output of "id purple"?
What is the output of "ls -rtld /html/opencart/system/startup.php"?
What is the output of "ls -rtld /html/opencart/system"?
What happens if you copy to a new file name, not overwriting an existing file?
ls -rtld /html/opencart/system/startup.php
ls: cannot access '/html/opencart/system/startup.php': No such file or directory
This is the real path:
ls -rtld /var/www/html/opencart/system/startup.php
-rw-r--r-- 1 nginx nginx 3265 Jun 24 2024 /var/www/html/opencart/system/startup.php
ls -rtld /html/opencart/system
ls: cannot access '/html/opencart/system': No such file or directory
This is the real path:
ls -rtld /var/www/html/opencart/system
drwxr-xr-x 6 nginx nginx 144 Dec 21 20:28 /var/www/html/opencart/system
User purple's home directory is
/var/www
I don't want it to have access to other directories.
There is a command "id" which gives some information about a user, e.g. the user id and all groups assigned to that user. The output would have told me if the group "nginx" is correctly set for user purple.
The directory and file do not have write permission for the group; that is why your user purple cannot write to the directory, even if he is a member of group nginx.
You have to run "chmod g+w" to add write permission for both the directories and the files you want to manipulate:
chmod g+w /var/www/html/opencart/system
chmod g+w /var/www/html/opencart/system/startup.php
Not really, since that only means the appropriate user and group can write to the directory. If you were to set 777 then that would be a security risk, as then it's world writable.
If the user is not a member of the group when 775 is set, then they cannot write to the directory either. So 775 wouldn't be a security risk. That said, you want to set 775 only on the directories; files at this point should be 664, or 660 if they aren't meant to be world readable.
As @FrankCox said, you need to allow the group to read/write if you want the user in that group to be able to read/write.
It should be possible to test this outside of nginx.
Just create a folder that can be accessed by the sftp user, and then see if you can write to it:
mkdir /some/folder
Set the owner to e.g. purple to start with, then try to upload a file to it.
Depending on a million things, you may (or may not) be able to write to it; for example, an sftp server might be configured to only allow the client access to specific folders, e.g. the user's home directory. In addition, check the umask of the sftp server; sometimes it will enforce a restriction. There's an insane feature in the sftp spec where it tries to issue chmod based on what the client wants to do.
A possibly bigger issue is whether you expect nginx to be able to write to the folders that it owns, e.g. "let's put some adverts into that home page".
Hi
I tested all of it. User purple can only write in its own folder and that's all; no other folders are possible. I gave that user root permission and it still can't write. I usually add a user and then add it to group wheel, and that's it: that user can do the same as root. Now I also gave this user root permission and put it in all groups, but it can't write to any folder on the server, only its own in home.
Check the full directory paths from top to bottom, e.g. for
/var/www/html/opencart
do this:
ls -rtld /var
ls -rtld /var/www/
ls -rtld /var/www/html
E.g. for /var it might look like this:
drwxr-xr-x. 20 root root 4096 Jan 28 14:36 /var
If you have a "+" at the end of the first string (instead of the dot),
your system might use additional ACL information.
(
E.g. I had a similar problem a few days back and the culprit was this:
foobarzoo@client:~$ ls -rtld /media/foobarzoo
drwxr-x--+ 4 root root 4096 Jan 20 19:18 /media/foobarzoo
Because of the "+" at the end of "drwxr-x--+", additional ACLs were in use
and I had to use the tools "getfacl" and "setfacl" to add access to that path.
)
Members of group nginx (except account nginx) cannot modify that directory.
chmod 2775 /var/www/html
would grant that missing write access (and set the group sticky bit that helps to keep files in the directory with group nginx).
On the security concern, do note that account nginx does have write access. Who is nginx? A web server process? If it has a vulnerability, then an attacker could use the web server process to write to these directories already. Therefore, adding your purple1 to the group and giving the group write access does not open up the machine much (unless you tell the password of purple1 to everyone).
Besides, you did add purple1 to group wheel, which means that purple1 can use sudo to do things like root could ...
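The top-to-bottom walk suggested above, and the group-write check behind the earlier "chmod g+w" / 2775 advice, as a small script. This is an added example, not something posted in the thread; the function names are my own, and the report only reads "ls -ld" output, it changes nothing.

```sh
#!/bin/sh
# Walk every directory component of an absolute path and report what an
# sftp user who is in the owning group would run into: mode, owner, group,
# and whether an ACL is attached (the "+" after the mode in ls -ld).
# Example helper, not part of the forum thread.

# Print "/" and then each ancestor of TARGET, ending with TARGET itself.
path_components() {
    prefix=""
    echo /
    echo "$1" | tr '/' '\n' | while IFS= read -r part; do
        [ -n "$part" ] || continue
        prefix="$prefix/$part"
        echo "$prefix"
    done
}

# Print "mode owner group acl|- path" for one entry, taken from ls -ld.
describe_entry() {
    ls -ld "$1" | awk -v p="$1" '{
        acl = (substr($1, length($1), 1) == "+") ? "acl" : "-"
        print $1, $3, $4, acl, p
    }'
}

# Print the components whose mode bits deny write to the group
# (the sixth character of the mode string is the group-write bit).
missing_group_write() {
    path_components "$1" | while IFS= read -r comp; do
        mode=$(ls -ld "$comp" | cut -c1-10)
        case $mode in
            ?????w*) ;;          # group may write: nothing to report
            *) echo "$comp" ;;   # candidate for chmod g+w (or 2775 on a dir)
        esac
    done
}

# Full report: ls -ld style line per level, then the offending components.
report() {
    path_components "$1" | while IFS= read -r comp; do
        describe_entry "$comp"
    done
    echo "--- components without group write:"
    missing_group_write "$1"
}

# Usage: ./walkperms.sh /var/www/html/opencart/system
[ "$#" -eq 0 ] || report "$1"
```

A directory that shows "acl" in the fourth column needs getfacl to see the effective rights, since the mode string alone does not tell the whole story there.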
Thank you, I will try this.
Yes, I added the purple user to the wheel group so it could edit the opencart files, but it still cannot edit any files at all on the server, which is very strange. Usually that worked, and whatever user I created had root rights on all files. But not here.