FTP permission Paradox - ftp

I've a VPS with debian, apache 2.0, php, everything! (nope, just the essential).
I need to give access to some user to specific folder. (different, but base is /var/www/ and every user should have a personal folder)
I managed to create accounts that have a specific home, and can't "browse" up (hard... but I did, searching in WHOLE google).
Well, they can't create or modify anything in that folder (their home).
If I try with one of these account, it gives me:
Response: 550 Rename failed.
Well, I think: permission error, then I do
chown user path
/etc/init.d/vsftpd restart
I enter with user in ftp, and try to login, error:
Response: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Error: Critical error: Could not connect to server
Well, I've to chown root path to let user access again to ftp.
Again, no right to edit/create/delete, I think: OK! chmod 777 the entire folder and sub..
Response: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Error: Critical error: Could not connect to server
So, this is an impasse, and obviously I'm doing something wrong.
I've now googled the error, and found: edit vsftpd.conf adding:
allow_writeable_chroot=YES
allow_writable_chroot=YES
(Just in case I had vsftpd-ext instead of vsftpd)
Here is how I created the account for ftp
1) /# useradd -d path -s /dev/null user > /dev/null 2>&1
2) Edited etc/shells file adding this: /dev/null
3) Edited etc/vsftpd.conf removing comment on
local_enable=YES
write_enable=YES
Thanks to anyone can help, and sorry if my english is really bad, but I think you should blame Italian School System... okok, my fault!

Solution
After a lot of trouble (really, A LOT!), I found what the problem was, and fixed it:
Problem is Debian 7 + vsftpd 2.x
This vsftpd version doesn't allow allow_writeable_chroot=YES
Fortunately some angel found this bug and created a fixed version of vsftpd.
To use it just:
Add
deb http://ftp.cyconet.org/debian wheezy-updates main non-free contrib
to sources.list with this command
echo "deb http://ftp.cyconet.org/debian wheezy-updates main non-free contrib" >> /etc/apt/sources.list
aptitude update
aptitude install -t wheezy-updates debian-cyconet-archive-keyring vsftpd
echo "allow_writeable_chroot=YES" >> /etc/vsftpd.conf
/etc/init.d/vsftpd restart
After doing this you can create an account and use writable root inside chroot(), with the method I posted in question.
Thanks to The Frontier Group
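An alternative layout that needs neither allow_writeable_chroot=YES nor chmod 777, given here as an added example that is not part of the original answer: keep the directory the user is chrooted into non-writable and put a writable subdirectory inside it. The function names, the files subdirectory and the reliance on GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Debian).

# chroot_root_status DIR USER
# Prints "writable-root" when USER holds a write bit on DIR (the condition
# vsftpd rejects with "refusing to run with writable root inside chroot()"),
# otherwise "ok". Only owner/group/other mode bits are read; ACLs are ignored.
chroot_root_status() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "missing"; return 0; }
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")                 # e.g. 755 or 2775
    perms=$(printf '%03d' "$((mode % 1000))")   # drop setuid/setgid/sticky digit
    u=${perms%??}
    o=${perms#??}
    g=${perms#?}; g=${g%?}
    # Same precedence the kernel uses: owner bits, else group bits, else other.
    if [ "$user" = "$owner" ]; then
        bits=$u
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$group"; then
        bits=$g
    else
        bits=$o
    fi
    if [ $((bits & 2)) -ne 0 ]; then echo "writable-root"; else echo "ok"; fi
}

# make_jail JAIL USER
# Creates JAIL (the login directory, no write bits for anyone) and JAIL/files
# (the only place uploads can land). Ownership is changed only when run as
# root and USER exists; otherwise the directories stay owned by the caller.
make_jail() {
    jail=$1
    user=$2
    mkdir -p "$jail/files"
    chmod 555 "$jail"
    chmod 755 "$jail/files"
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown root:root "$jail"
        chown "$user" "$jail/files"
    fi
}

# Typical use as root, with a hypothetical account name:
#   make_jail /var/www/alice alice
#   chroot_root_status /var/www/alice alice         # ok
#   chroot_root_status /var/www/alice/files alice   # writable-root (intended)
```

With this layout the user logs in to a directory they cannot modify and works inside files, so the writable-root check passes on an unpatched vsftpd.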

Related

openssh windows bad owner or permissions

I've installed openssh for windows and when I run ssh localhost I get
Bad owner or permissions on C:\Users\gary/.ssh/config
I've looked at these 2 questions https://superuser.com/questions/348694/bad-owner-or-permissions-error-using-cygwins-ssh-exe and https://serverfault.com/questions/253313/ssh-returns-bad-owner-or-permissions-on-ssh-config but none of the answers work for me. sshd is running as a service as the Local System user. I've run chmod 0600 C:\Users\gary\.ssh\config and chown gary C:\Users\gary\.ssh\config. I've also cleared the ACL by running setfacl -b C:\Users\gary\.ssh\config and then chmod 0600 C:\Users\gary\.ssh\config again. I've also tried changing the owner to SYSTEM and got the same error.
I'm not sure what else to do, is there anything wrong with my setup? I also have git installed which installed mingw, I deleted ssh and sshd from my git installation so they wouldn't be on my path.
Other commands I've run are
icacls "C:\Users\gary\.ssh\config" /setowner gary
chown -R gary:1049089 C:\Users\gary\.ssh
ls -la C:\Users\gary\.ssh\config shows
-rw-r--r-- 1 gary 1049089 229 Jan 3 14:43 'C:\Users\gary\.ssh\config'
it keeps showing this even after changing the owner to SYSTEM, but in the file properties in file explorer it shows SYSTEM as the owner
This started popping up immediately after I created another user with Administrator privileges, and that account began inheriting access to my .ssh folder.
You do not need to change your permissions whatsoever.
Just go to .ssh, right-click Properties, Security Tab, Advanced. DISABLE INHERITANCE, then click on the Administrator user (the one that is not you) and Remove them. Apply. Done.
Use ssh client from Git instead of Windows inbuilt SSH client. E.g. set VS Code to use C:\Program Files\Git\usr\bin\ssh.exe instead of C:\Windows\System32\OpenSSH\ssh.exe.
Steps:
In VS Code navigated to [File] -> [Preferences] -> [Settings] -> Search remote.ssh.path
Input C:\Program Files\Git\usr\bin\ssh.exe
Alternatively:
Update PATH environment variable to point to Git bin before Windows System32.
Type "env" in Start bar to edit System (or account) environment variables.
Select Path and hit edit.
Add C:\Program Files\Git\usr\bin\ssh.exe to the list and move it to the top of the list.
Just got same issue after re-install windows. And easily fixed just by changing the file permissions to
SYSTEM & Administrators - Full Control
[your username] - Modify & as Owner
Note:
I'm still using Windows 10 built-in SSH client C:\Windows\System32\OpenSSH\ssh.exe & not using cygwin at all
For those still struggling with this, check this out: https://github.com/PowerShell/openssh-portable/pull/418. This was the case for me. It turns out that your computer should be named differently from your username... 🤷‍♂️ It will probably be fixed soon in future updates, because fix got into commit.
So again: if your computer name is the same as your username and you still haven't fixed this issue with permissions dialog, then probably renaming your computer could help.
Instead of using the properties box, you can use the one liner:
icacls .ssh /grant:r <yourUserName>:f /inheritance:r
/grant:r username:f -> grant and overwrite permissions, giving full permissions to username
/inheritance:r -> remove inherited permissions
Keep known_hosts writable with
icacls .ssh/known_hosts /grant:rw <username>:f /inheritance:r
I'm not sure what version of Windows you're running, but since this is recent I'd guess Windows 10. I recently found out that an OpenSSH client is installed by default as of the April 2018 update. I then found I had two instances of OpenSSH: the one I installed myself and the one Windows gave me. Uninstalling the one I had installed caused the error message you describe.
The solution that worked for me was to remove the user-installed OpenSSH as well as the C:\Users\username\.ssh folder, and let Windows 10 OpenSSH create the folder when you run the command the next time. I didn't have any configuration I was worried about losing, but if you do I'd suggest copying and pasting the contents of the files somewhere and recovering them afterwards.
Hope this helps!
Having the exact same issue today, this is how I solved it:
Go to C:\Users\username\.ssh
Right-click the config file
Properties -> Security -> Advanced -> Disable Inheritance -> Disable
inheritance -> Remove all inherited permissions from this object ->
Apply -> Yes -> Ok -> Ok
Use FixUserFilePermissions.ps1 to fix permissions of client side files - keys and config files of current user.
git clone git@github.com:PowerShell/openssh-portable.git
cd openssh-portable/contrib/win32/openssh
.\FixUserFilePermissions.ps1 -Confirm:$false
On windows server this is due to permission problem. Need to remove access to other users for the following folders
.ssh - folder
Right click on this folder -> Select "Give access to" - > Click on "Remove Access"
Right click on this folder -> Select "properties" - > "Securities" - > Click on "Edit Permissions" - Remove other users except the ID you are logged in.
Repeat the same process for the folder under which you have .pem file. (Note: Keep .pem file in a separate folder)
For anyone, who still has troubles after applying the owner + modify (plus full control for admins): it did not work for me. Then I saw a solution to remove all other users (incl all admins), which did not help either.
This worked for me:
leave System and Administrators in place, with full control, as suggested above
leave the user itself in place, as owner, with modify, as suggested above
however, remove any other user or group. You probably need to go to advanced first, to disable inheritance of rights
after I removed an administrative user who was added by Windows after entering my folder (by passing through the UAC box), it worked for me again.
Hope this helps for anyone who encounters this specific issue :-)
If User is in Administrative group just keep configuration in
c:\programdata\ssh\ssh_config instead of %USERPROFILE%\.ssh\config, will work
after disabling inheritance, make sure you add your current user, else you cannot edit the file
For me it was fixed by running chmod 0644 config under ~/.ssh/. Earlier it was set to 755 which was causing "Bad owner or permissions on /home/home/.ssh/config"
I tried all the solutions above, and sadly still can't fix this issue. I'm pretty sure the permission of my ssh config is correct, this has been verified by the Explore GUI and the Get-Acl commands.
Then I finally find a way to solve it:
delete the entire .ssh folder and then open powershell and type ssh localhost. It will create a new .ssh folder for you, then you can apply the above permission tweaks(for me I only did one thing: disable inheritance).
So if other solutions don't work for you, maybe you can try this. Hope it's helpful.
PS: don't forget to backup your old .ssh folder before deleting it.
I was having this problem, and no amount of changing permissions or disabling inheritance on the config file would fix it. It turned out that it did not like my computer name and user name being the same, so I re-named my computer, allowed open ssh to re-create the config file, and the permissions are now correct. That was probably a bad idea to begin with, tbh.
I deleted C:\Users\user/.ssh/config and reran my stuff, then it worked.
However, if you have something valuable there, make a backup first, just in case!
After a domain change over, I started having this same problem. Went through all of the suggestions listed and nothing worked, including both chmod and chown solutions.
I ended up fixing the problem by copying the folder, pasting it, deleting the original, and then renaming it back to .ssh.
The problem seems to come from the files being owned by, or having permissions for, more than one user.
1- Go to your .ssh folder and for both config & id_rsa files. From the properties -> Security -> Advanced:
2- Make sure that the user that you are logged in with IS the only user there.
No group change or whatever, the first answer is right. Change to git ssh.exe
How?
uninstall win10's openssh in Settings
add path of git's ssh.exe to your Path
For me it was fixed by running chmod 0644 config under ~/.ssh/ when running WSL.
Rename the config file to something like config2
Open this file with notepad
Save As config (original name)
This worked for me.
I guess it was caused by the wrong path expression.
Bad owner or permissions on C:\Users\gary/.ssh/config
The /.ssh should be \.ssh. So I try to use git bash (the terminal tool when install git in Windows system) to run ssh command. It really works. But I don't really know if it is caused by the reason I guessed.
Hi guys after a troubleshoot for a day I found that this "m.. f.." config file should not stand in the .ssh/ path.
For VSCODE just set the config in 'C:\ProgramData\ssh\ssh_config' path as proposed in the second choice of the palette command, and forget .ssh path for this configuration.
That worked fine for me.
Note: there was also a known_host file created here with strange VM names inside; I also deleted this file, and that helps
For me, re-editing the permission settings in Windows is too complicated. Regenerating another configuration in vscode does not work either.
I set a custom config file path to solve this problem.
["Remote SSH: Config file"]
The absolute file path to a custom SSH config file.
note: search this option by #ext:ms-vscode-remote.remote-ssh,ms-vscode-remote.remote-ssh-edit config file
This is because the config file cannot be accessed normally. We can create a new config file (this file needs to be accessible normally), such as D:/.ssh/config, and then specify the configuration file through the -F option: ssh -F D:/.ssh/config username@ip_address -p port
Delete the .config file, it has worked for me

Wireshark - you don't have permission to capture on that device mac

I installed Wireshark and during the installation it showed an error but the installation itself completed. When I ran the program and tried to capture packets on my network, it showed this error:
I'm new to mac so I don't even know how to properly ask.
Could someone help me?
According to User: gmale's answer on ask.wireshark.org, he solved his problem in this way and I'm sure that it could solve yours as well. It says:
1- Open Terminal
To see your exact user name (for me that was AliGht)
2- Type 'whoami'
3- execute the following commands:
cd /dev
sudo chown AliGht:admin bp*
and enter your computer password:
4- now type this command:
ls -la | grep bp
The last command will display a list of files such as:
5- Make sure all of them have your user name and admin as the user/group. For some reason, the last one didn't get assigned properly so I had to run the command:
sudo chown AliGht:admin bpf4
so the last command fixed my problem as you see in the last image:
Done!
If your WireShark is open then close it and open it again.
All credit for this tutorial goes to user gmale on ask.wireshark.org.
If you want to always open Wireshark as administrator then take a look at another post in which I created a shortcut for it via AppleScript; this is the only way you can always open Wireshark as administrator, even when you turn your Mac off and on.
I don't know how to solve this problem, but if you want a temporary fix, you can use the following command:
$ sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
Wireshark provides the solution itself, along with the explanation of weird secrets:
add your user to the group "access_bpf" by commanding
sudo dseditgroup -o edit -a `whoami` -t user access_bpf
then launch Wireshark's script
sudo "/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF";
That's all, because (as the script explains):
# Unfortunately, macOS's devfs is based on the old FreeBSD
# one, not the current one, so there's no way to configure it
# to create BPF devices with particular owners or groups. BPF
# devices on macOS are also non-cloning, that is they can
# be created on demand at any time. This startup item will
# pre-create a number of BPF devices, then make them owned by
# the access_bpf group, with permissions rw-rw----, so that
# anybody in the access_bpf group can use programs that capture
# or send raw packets.
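A check for the end state that comment describes (every BPF device in group access_bpf with permissions rw-rw----, and the capturing user in that group), given as an added example that is not part of the original answer or of Wireshark. The function names are made up for this example; it parses ls -ld output so that it works with both BSD and GNU userlands, and it assumes owner and group names contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original post or from Wireshark's ChmodBPF.

# bpf_audit [DIR] [GROUP]
# Prints one line per DIR/bpf* node whose group is not GROUP or whose
# permission bits differ from rw-rw----. Prints nothing when every node
# matches. Defaults: DIR=/dev, GROUP=access_bpf (the values ChmodBPF uses).
bpf_audit() {
    dir=${1:-/dev}
    want_group=${2:-access_bpf}
    for node in "$dir"/bpf*; do
        [ -e "$node" ] || continue                 # glob matched nothing
        line=$(ls -ld "$node")
        # Columns 2-10 of the mode string are the rwx bits; the first column
        # is the file type and any trailing "+", "@" or "." is an ACL marker.
        perms=$(printf '%s\n' "$line" | cut -c2-10)
        grp=$(printf '%s\n' "$line" | awk '{print $4}')
        if [ "$perms" != "rw-rw----" ] || [ "$grp" != "$want_group" ]; then
            echo "$node: $perms group=$grp"
        fi
    done
    return 0
}

# user_in_group USER GROUP
# Succeeds when USER is a member of GROUP.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

# Typical use on the Mac in question:
#   bpf_audit /dev access_bpf
#   user_in_group "$(id -un)" access_bpf || echo "not in access_bpf"
```

Any line printed by bpf_audit is a device that does not match the group-based setup, for example one left world-readable or owned by a single user by an earlier manual chmod or chown.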
If you want to open WireShark always as administrator I suggest to use AppleScript:
Open AppleScript: By pressing cmd+space and write AppleScript Editor in the Spotlight Search as picture below:
Then from File --> Choose NEW
In the open window write:
do shell script "/Applications/Wireshark.app/Contents/MacOS/Wireshark" ¬
with administrator privileges user name "username" password "password"
Change the "username" and "password" with yours. If you don't know your username in terminal write "whoami" to see your username, password is your computer password!.
Mine looks like this:
Now export your script as Application, by going to --> File --> Export , and change File Format to Application write a name for your file and Save it on your desktop like following pictures:
DONE now run your App from Desktop, and by this way your WireShark runs always by Admin Permission.
I have faced the same problem in MacOS High Sierra (v10.13.6). I have cleaned up all dependency files and folders but nothing works for me.
Using the terminal, if I run the following command then it is working -
sudo chmod o+r /dev/bpf*
sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
This should work.
Run the application from the terminal with the following command:
User$ sudo Wireshark
Wireshark should open and packet capture should work then.
Was having same issue with install and run permissions etc. Attempted a few of the above mentioned fixes and although they would come back with the desired result program still would not run properly even with uninstall/install in addition. Getting a bit overwhelmed with it not working after several remedies being attempted I came to one that was super simple and worked -
I simply set up/checked log in as root user. Here you can enable/disable root user account, enable log in account and change root password. So I just switched profiles from my Admin account to the Root account. (I am honestly not sure if it's safe to do it this way, so thinking many of you have far more knowledge on this than me I'd appreciate your comments on that!) Also my understanding is that you cannot properly run sudo commands if root account is enabled - So probably just turning it off if it were on would suffice, but I wanted a quick and easy install at that point. The steps are really easy:
support.apple.com/en-us/HT204012
Then just switch user accounts to root -Log in with "other" then type root and your password.
Now just install Wireshark and it should install and run properly!
**I don't think I would stay in root account after install.
Hope maybe this will help some!
I got same issue and then notice below document provide solution already.
https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallOSXInstall.html
2.5. Installing Wireshark under macOS
The official macOS packages are distributed as disk images (.dmg) containing the application bundle. To install Wireshark simply open the disk image and drag Wireshark to your /Applications folder.
In order to capture packets, you must install the “ChmodBPF” launch daemon. You can do so by opening the Install ChmodBPF.pkg file in the Wireshark .dmg or from Wireshark itself by opening Wireshark → About Wireshark selecting the “Folders” tab, and double-clicking “macOS Extras”.
The installer package includes Wireshark along with ChmodBPF and system path packages. See the included Read me first.html file for more details.
I do not want to modify my folder permissions on my system device files like the accepted answer, but I was able to get permissions by opening Wireshark like this:
sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
Bonus, you can add an alias to your ~/.zshrc:
alias ws="sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark"
Now execute the file: (or you can open a new terminal window)
source ~/.zshrc
Open wireshark with super user permissions:
ws

FTP on lampstack - Google cloud platform

So I installed a LAMP on a Google Cloud instance with Debian wheezy7. Everything is working fine but I am not able to work the ftp. I am following this tutorial by digital ocean
I am stuck at this last step where I need to make vsftpd allow the user to write outside the chroot file.
The error I get is
hetunandu_gmail_com@lamp:~$ mkdir /root/hetunandu/files
mkdir: cannot create directory `/root/hetunandu/files': Permission denied
Then when I use sudo with it I get this error
hetunandu_gmail_com@lamp:~$ sudo mkdir /root/hetunandu/files
mkdir: cannot create directory `/root/hetunandu/files': No such file or directory
Where do I go from here?
Also I don't know how to get my username and password setup for FTP
I followed the tutorial and could not replicate your issue. I initially got "Permission denied" but you can circumvent this by running:
$ sudo su
and then
$ mkdir -p /root/$USER/files
Why not use /home/$USER ? not sure why you want to create the folders under /root.
As for your second question, regarding the username and password, I am not sure I understand. From the Developers Console > Compute Engine > VM Instances > click SSH and that should log you in with root privileges. then you can create all the users you want:
$ sudo adduser test_user
Please don't use FTP as it's an insecure clear-text protocol which will let others see your password and easily get access to your instance, read/modify/delete your files, etc.
Instead, you should use secure protocols such as SCP or SFTP with public key authentication.
Here are some options to transfer files to/from your GCE VM instance:
sftp CLI tool, as described in this answer
gcloud compute copy-files, as described in this answer
WinSCP with SFTP

Laravel Homestead: Nginx failing to start on Vagrant. Need root password to access Nginx logs

Using Laravel Homestead to work with Laravel 4. After running vagrant up this morning, I was unable to access homestead.app:8000. I pinged it with no problem so I investigated my virtualbox and discovered that Nginx wasn't starting. I then attempted to view logs and I am denied permission from the /var/log/nginx directory which is owned by www-data adm.
My question then, what is the su or sudo password which would allow me to access that directory? The documentation is surprisingly void of any information as well as the Homestead.app Git repository. Thank you.
I had a similar issue with the laravel/homestead vagrant virtual machine and nginx not restarting. The error after running nginx -t was:
nginx: [crit] pread() "/etc/nginx/sites-enabled/sites-available" failed (21: Is a directory)
nginx: configuration file /etc/nginx/nginx.conf test failed
solution was to delete the symbolic link sites_available:
rm -Rf /etc/nginx/sites-enabled/sites-available
then it worked:
service nginx restart
elevate to root by typing sudo -s
A quick way to jump to a root account shell is to run the "sudo bash" command. That way, you don't have to type "sudo" in front of each command. Since this VM is for development purposes I don't see it as a danger, but in real production Ubuntu runs with the root account locked down so you always go in and should stay in with user level privileges until you need to execute a higher level command. You "can" enable the root account and set a password, but jumping to it with sudo is the better method.
You can just look at the log using the root account password. So: sudo nano and then just enter your root user's password. A root is able to do anything on the system, so that always is a solution for this kind of problems.
If you forgot the root password, just search google to recover it.

I can't get Mercurial to serve under Apache on Mac OS X Lion

I'm trying to get Mercurial to serve using hgwebdir.cgi under Apache on Mac OS X Lion.
I followed the directions listed here:
http://www.popitandrockit.com/2010/05/mercurial-server-on-osx-106-snow.html
That article is for Snow Leopard (I guess no one's tried to do this on Lion yet?) but it mostly works. I did make the modification that I did not use https because the machine in question is behind my company's firewall.
It says that I should be able to access a repository at http://servername/repository_name but that doesn't work. I can, however, get a listing of them at http://servername/hg/, where /hg is the ScriptAlias address. So I should be able to get to a repository via http://servername/hg/repository_name, but instead I'm getting a nice Mercurial page telling me
An error has occured while processing your request:
repository /Users/username/Documents/repository_name not found
Well, the directory is valid and there is a valid repository there according to Mercurial (i.e., hg log and similar commands don't error out)
On the main page I'm getting similar errors in Apache:
[(date)] [error] [client (ip address)] error accessing repository at /Users/username/Documents/repository_name
Were I to guess I'd say it was some sort of access or permissions issue but I'm not familiar enough with Apache or Mac OS X Lion to venture a guess as to how to fix it.
This indeed looks like a permissions problem. On a standard Mac OS X Apache install the web user and group are _www, and you need to make sure these have read and write access. Also Mercurial complains if the hgrc file’s permissions do not match the user. There are two ways to fix it:
Make the repository owned by the Apache _www user. When you type:
ls -ld /Users/username/Documents/repository_name
It should show _www _www in the third and fourth column. If not, change the user of the directory:
sudo chown -R _www:_www /Users/username/Documents/repository_name
Note that if you change this, you should not access the repository on the file system from any other user, or else any newly created files will again have the wrong permissions.
Alternatively, explicitly add your user to the trusted section in your hgweb.config:
[trusted]
users=username
In this case you still need to make sure that the _www user has access at all. If you type:
ls -ld /Users/username/Documents/repository_name
It should show something like drwxrwxr-- in the first column (the middle rw are important) and _www in the fourth. If the files are not readable or writable by the group, use the chmod command to make them:
chmod -R go+rwX /Users/username/Documents/repository_name
And you can change the group of your repository to _www like so:
sudo chown -R :_www /Users/username/Documents/repository_name
Which of the two is preferable depends on your situation: if you’re trying to host your repository on a server I would say the first is preferable, it is simpler and a little more secure. If you’re trying to host it on your local workstation for convenience, the second is easier, because then you can still access the repository from your current user.
Note that for ad-hoc sharing it may be easier to just run hg serve on the command line.
I hope that helps.
