SFTP with WinSCP in folder of website - permission denied

I want a user to connect to my server with WinSCP and change files in the website folder.
The owner of the folders and files is nginx.
I have added the nginx group to my SFTP user as the primary group, but still cannot change files.
I also disabled SELinux, but I still get:
Permission denied.
Error code: 3
Error message from server: Permission denied

What else do I need to do so the SFTP user can edit files and save changes?

What does /var/log/secure say?

What does the winscp log say?

This is the log from the file secure:

Jan 28 21:22:44 192.168.0.4 systemd[3041]: pam_unix(systemd-user:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:22:44 192.168.0.4 sshd[2934]: pam_unix(sshd:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:22:54 192.168.0.4 sshd[3071]: Accepted password for purple from 84.52.167.179 port 54540 ssh2
Jan 28 21:22:54 192.168.0.4 sshd[3071]: pam_unix(sshd:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:25:52 192.168.0.4 sshd[3280]: Accepted password for root from 84.52.167.179 port 54598 ssh2
Jan 28 21:25:52 192.168.0.4 sshd[3280]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
Jan 28 21:25:52 192.168.0.4 sshd[3289]: error: Connection from user root 84.52.167.179 port 54598: refusing non-sftp session
Jan 28 21:25:52 192.168.0.4 sshd[3280]: pam_unix(sshd:session): session closed for user root
Jan 28 21:26:28 192.168.0.4 sshd[3336]: Accepted password for root from 192.168.0.2 port 52699 ssh2
Jan 28 21:26:28 192.168.0.4 sshd[3336]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
Jan 28 21:29:11 192.168.0.4 gdm-password][3317]: gkr-pam: unable to locate daemon control file
Jan 28 21:29:11 192.168.0.4 gdm-password][3317]: gkr-pam: stashed password to try later in open session
Jan 28 21:29:11 192.168.0.4 accounts-daemon[826]: request by system-bus-name::1.90 [gdm-session-worker [pam/gdm-password] pid:3317 uid:0]: cache user ‘root’
Jan 28 21:29:11 192.168.0.4 gdm-password][3317]: pam_unix(gdm-password:session): session opened for user root(uid=0) by root(uid=0)
Jan 28 21:29:11 192.168.0.4 gdm-password][3317]: gkr-pam: gnome-keyring-daemon started properly and unlocked keyring
Jan 28 21:29:12 192.168.0.4 polkitd[823]: Registered Authentication Agent for unix-session:21 (system bus name :1.106 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jan 28 21:29:14 192.168.0.4 gdm-launch-environment][1094]: pam_unix(gdm-launch-environment:session): session closed for user gdm
Jan 28 21:29:14 192.168.0.4 polkitd[823]: Unregistered Authentication Agent for unix-session:c1 (system bus name :1.31, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jan 28 21:29:23 192.168.0.4 sshd[1004]: Received signal 15; terminating.
Jan 28 21:29:23 192.168.0.4 sshd[4176]: Server listening on 0.0.0.0 port 22.
Jan 28 21:29:23 192.168.0.4 sshd[4176]: Server listening on :: port 22.
Jan 28 21:29:38 192.168.0.4 sshd[4192]: Accepted password for root from 192.168.0.2 port 53339 ssh2
Jan 28 21:29:38 192.168.0.4 sshd[4192]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
Jan 28 21:29:55 192.168.0.4 sshd[2934]: pam_unix(sshd:session): session closed for user purple
Jan 28 21:29:55 192.168.0.4 sshd[3071]: pam_unix(sshd:session): session closed for user purple
Jan 28 21:30:24 192.168.0.4 sshd[4260]: Accepted password for purple from 84.52.167.179 port 54634 ssh2
Jan 28 21:30:24 192.168.0.4 systemd[4285]: pam_unix(systemd-user:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:30:24 192.168.0.4 sshd[4260]: pam_unix(sshd:session): session opened for user purple(uid=2005) by purple(uid=0)
Jan 28 21:30:35 192.168.0.4 sshd[4315]: Accepted password for purple from 84.52.167.179 port 54642 ssh2
Jan 28 21:30:35 192.168.0.4 sshd[4315]: pam_unix(sshd:session): session opened for user purple(uid=2005) by purple(uid=0)

This is the WinSCP log:
Permission denied.
Error code: 3
Error message from server: Permission denied

Here is the full log

What is the output of “id purple”?
What is the output of “ls -rtld /html/opencart/system/startup.php”?
What is the output of “ls -rtld /html/opencart/system”?

What happens if you copy to a new file name, not overwriting an existing file?

ID purple is 2005

ls -rtld /html/opencart/system/startup.php
ls: cannot access ‘/html/opencart/system/startup.php’: No such file or directory

This is the real path:
ls -rtld /var/www/html/opencart/system/startup.php
-rw-r--r-- 1 nginx nginx 3265 Jun 24 2024 /var/www/html/opencart/system/startup.php

ls -rtld /html/opencart/system
ls: cannot access ‘/html/opencart/system’: No such file or directory

This is the real path:
ls -rtld /var/www/html/opencart/system
drwxr-xr-x 6 nginx nginx 144 Dec 21 20:28 /var/www/html/opencart/system

User purple’s home directory is
/var/www
I don’t want it to have access to other directories.

There is a command “id” which gives some information about a user, e.g. the user ID and all groups assigned to that user. The output would have told me if the group “nginx” is correctly set for user purple.

The directory and file do not have write permission for the group; that is why your user purple cannot write to the directory, even if he is a member of group nginx.

You have to run “chmod g+w” to add write permission for both directories and for files you want to manipulate:
chmod g+w /var/www/html/opencart/system
chmod g+w /var/www/html/opencart/system/startup.php

This should fix your issue.

thank you
uid=2005(purple) gid=977(nginx) groups=977(nginx),2005(purple)
When I check the folders and files, they are writable already.

But is it not a security risk if I set all files and folders to 775?
Now folders are 755 and files 644.

The user is an individual, in this case nginx.

A group can have several users, in this case nginx.

755 allows only the user named nginx to write to the directory.

If you want members of the group named nginx to be able to write to the directory as well, you have to set the permissions to allow that.

Not really, since that only means the appropriate user and group can write to the directory. If you were to set 777 then that would be a security risk, as then it’s world writable.

If the user is not a member of the group when 775 is set, then they cannot write to the directory either. So 775 wouldn’t be a security risk. That said, you want to set 775 only on the directories; files at this point should be 664, or 660 if they aren’t meant to be world readable.

As @FrankCox said, you need to allow the group to read/write if you want the user in that group to be able to read/write.

chmod -R g+w /var/www/html/opencart

OK, I did that, but files still cannot be edited and saved.

You may need to set group sticky bit:

chmod g+s /var/www/html/opencart

otherwise it’s most likely trying to change the group ownership when saving.

I did this, but I still cannot edit and save files.
Sorry.
Permission denied.
Error code: 3
Error message from server: Permission denied

I have created a new user:
adduser purple1
passwd purple1
usermod -aG wheel purple1

but it is still not possible to edit files and save them.
groups purple1
purple1 : purple1 wheel nginx
Really don’t know why???

It should be possible to test this outside of nginx.
Just create a folder that can be accessed by the sftp user, and then see if you can write to it.
mkdir /some/folder
set the owner to e.g. purple to start with, then try to upload a file to it.

Depending on a million things, you may (or may not) be able to write to it; for example, an SFTP server might be configured to only allow the client access to specific folders, e.g. the user’s home directory. In addition, check the umask of the SFTP server; sometimes it will enforce a restriction. There’s an insane feature in the SFTP spec where it tries to issue chmod based on what the client wants to do.

A possible bigger issue is whether you expect nginx to be able to write to the folders that it owns, e.g. let’s put some adverts into that home page.

Hi
I tested all. User purple can only write to its own folder and that’s all; no other folders are possible. I gave that user root permission and it still can’t write. I usually add a user and then add it to group wheel, and that’s it: that user can do the same as root. Now I have also given this user root permission and put it in all groups, but it can’t write to any folder on the server, only to its own in home.

Check the full directory paths from top to bottom, e.g. for
/var/www/html/opencart
do this:
ls -rtld /var
ls -rtld /var/www/
ls -rtld /var/www/html

E.g. for /var it might look like this:
drwxr-xr-x. 20 root root 4096 Jan 28 14:36 /var

If you have a “+” at the end of the first string (instead of the dot),
your system might use additional ACL information.

(
E.g. I had a similar problem a few days back and the culprit was this:

foobarzoo@client:~$ ls -rtld /media/foobarzoo
drwxr-x---+ 4 root root 4096 Jan 20 19:18 /media/foobarzoo
Because of the “+” at the end of “drwxr-x---+” additional ACLs were in use
and I had to use tools “getfacl” and “setfacl” to add access to that path.
)


Thank you.
I did this
ls -rtld /var
drwxr-xr-x. 23 root root 4096 Dec 21 20:18 /var

ls -rtld /var/www/
drwxr-xr-x. 6 root root 67 Jan 22 01:25 /var/www/

ls -rtld /var/www/html
drwxr-xr-x. 4 nginx nginx 78 Jan 22 01:25 /var/www/html

Members of group nginx (except account nginx) cannot modify that directory.

chmod 2775 /var/www/html

Would grant that missing write access (and set the group sticky bit that helps to keep files in the directory with group nginx).
On the security concern, do note that account nginx does have write access. Who is nginx? A web server process? If it has a vulnerability, then an attacker could use the web server process to write to these directories already. Therefore, adding your purple1 to the group and giving the group write access does not open up the machine much (unless you tell the password of purple1 to everyone).

Besides, you did add purple1 to group wheel, which means that purple1 can use sudo to do things like root could …
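As an added example (not code from any poster in this thread), here is a small POSIX sh script that does the top-to-bottom path check suggested above and reports what would stop a member of the owning group (purple in group nginx) from saving a file: a directory without group traverse (x), a target without group write (w), and any component carrying ACLs. It also tells you whether the setgid bit from the “chmod 2775” advice is in place. It assumes GNU coreutils stat and ls (Linux); the path you pass in is whatever you want checked, e.g. the startup.php path from the thread.

```shell
#!/bin/sh
# Added example: walk a path from the top down and report what blocks a
# member of the owning group. Assumes GNU coreutils stat/ls on Linux.
# Usage:  group_blockers /var/www/html/opencart/system/startup.php

# group_bits PATH: the octal digit holding the group permission bits (0-7).
group_bits() {
    m=$(stat -c '%a' "$1") || return 1
    echo $(( 0$m / 8 % 8 ))          # leading 0 makes the shell read octal
}

# has_setgid PATH: true when the setgid (2000) bit is set, so files created
# inside keep the directory's group (the "chmod 2775" / "g+s" advice above).
has_setgid() {
    m=$(stat -c '%a' "$1") || return 1
    [ $(( 0$m & 02000 )) -ne 0 ]
}

# group_blockers PATH: print one line per finding for a group member:
#   - a directory on the way without group 'x' (cannot be traversed)
#   - the final entry without group 'w' (cannot be written/saved)
#   - informational: a component with ACLs ('+' in ls -ld), check getfacl
# Exit status 0 when nothing blocks, 1 when at least one blocker was printed.
# Absolute paths are walked from /, relative paths from the current directory.
group_blockers() {
    target=${1%/}
    case $target in /*) cur="" ;; *) cur="." ;; esac
    rest=${target#/}; found=0
    while [ -n "$rest" ]; do
        case $rest in
            */*) part=${rest%%/*}; rest=${rest#*/} ;;
            *)   part=$rest; rest="" ;;
        esac
        cur="$cur/$part"
        g=$(group_bits "$cur") || return 2
        if [ -d "$cur" ] && [ $(( g & 1 )) -eq 0 ]; then
            echo "no group traverse (x): $cur"; found=1
        fi
        if [ -z "$rest" ] && [ $(( g & 2 )) -eq 0 ]; then
            echo "no group write (w): $cur"; found=1
        fi
        case $(ls -ld "$cur" | cut -d' ' -f1) in
            *+) echo "ACLs present, run getfacl: $cur" ;;
        esac
    done
    [ "$found" -eq 0 ]
}
```

Run it once before and once after the chmod changes; an empty report with exit status 0 means the remaining problem is not in the classic mode bits of that path.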

Thank you, I will try this.
Yes, I added the purple user to the wheel group so it could edit opencart files, but it still cannot edit any files at all on the server, which is very strange. Usually that worked, and whatever user I created had root rights on all files. But not here.

I did this
chmod 2775 /var/www/html
But I still cannot edit existing files in opencart. I can add a new file, but I cannot edit and save existing ones.