Apache / VSFTPD Conventions

SpoonTech

Hi,

I've installed LAMP on my HP Microserver running Ubuntu 12.04, and just wanted to ask some questions regarding convention.

I note that Apache uses /var/www as its default location, yet www is given root permissions to start with.
I have also installed vsftpd as an FTP server.

I would like to have one FTP account to access
Code:
/storage
another to access
Code:
/home/hpserver/Media/
and another to access
Code:
/var/www

On http://ubuntuforums.org/showthread.php?t=958515 , someone did this:
Code:
mkdir /home/ftp_user/www_dev
mount --bind /var/www/dev/ /home/ftp_user/www_dev
Which seems a bit overkill to me. Surely there is a better way around this? What is the convention, as I'm sure a lot of you have an Apache / vsftpd setup?

I was having problems with a virtual FTP user in the /home directory. I am quite new to this so am battling to grasp some of the info, and Linux users don't always post the best help =)
 
Apache first.

/var/www is the convention as you stated. The file permissions are set to root but that is normal as it prevents Apache (which will generally run as www-data) from writing files without you specifically giving it permission to.

For vsftpd:

I am a bit rusty with vsftpd configs as it has been a while since I've used anything other than SFTP but if I understand you correctly you want to have 3 virtual users who access 3 different home directories?

As to the chroot jail, whether it is necessary will depend on your security requirements.
 
I know that by default, vsftpd doesn't allow you to access home directories of users. I can't remember exactly, but I also think user/PAM logins are also disabled. So by default, vsftpd allows only anonymous users read access.
All of that is easily changeable within its configuration file.

Apache on Debian-based systems uses the www-data group and user, which is set to /var/www. I use a naming convention for websites to make a tree of domains/sub-domains under /var/www. So you will have something like this:
Code:
/var/www/example.net
/var/www/example.net/subdomain
/var/www/google.com
/var/www/google.com/maps

You can use the www-data user for ftp access, or create users for each domain.

As for vsftpd, there's a few things one can do.
If you wanted to create a user for /storage, you can create a user and set its home directory to /storage. The same applies to the others. Just ensure that directory permissions are solid, or else the FTP user may be able to leak back into the file system.
vsftpd opens its shell in the home directory of the user who logs in; there are a few other things you can do with the configuration to keep them there as well. Just remember that there is an additional option within the configuration file that actually allows the users write permissions as well.

I personally prefer to use SFTP for this, since you can essentially jail the user within their home directory using a sub-shell of ssh.
There's a couple of advantages as well, since you are locking them into their home directory and forcing a ftp shell into them.
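
An added example, not part of the thread or any poster's code: a shell check for the "directory permissions are solid" point in the reply above. It relies on the OpenSSH rule that every component of a ChrootDirectory path must be root-owned and not writable by group or others; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes GNU stat (standard on Ubuntu).

# check_dir DIR OWNER_UID
# Succeeds only if DIR is owned by OWNER_UID and is not group- or
# world-writable. Prints one line per problem found.
check_dir() {
    cd_uid=$(stat -c %u "$1") || return 1
    cd_mode=$(stat -c %a "$1") || return 1
    cd_rc=0
    if [ "$cd_uid" != "$2" ]; then
        echo "$1: owned by uid $cd_uid, expected $2"
        cd_rc=1
    fi
    # Octal mask 022 selects the group-write and other-write bits.
    if [ $(( 0$cd_mode & 022 )) -ne 0 ]; then
        echo "$1: mode $cd_mode is group- or world-writable"
        cd_rc=1
    fi
    return "$cd_rc"
}

# check_jail_path DIR [OWNER_UID]
# Applies check_dir to DIR and to every parent up to /, which is what sshd
# requires of a ChrootDirectory (OWNER_UID defaults to 0, i.e. root).
check_jail_path() {
    cj_uid=${2:-0}
    cj_rc=0
    # Resolve symlinks so the real directories are the ones inspected.
    cj_path=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1"
        return 1
    }
    while :; do
        check_dir "$cj_path" "$cj_uid" || cj_rc=1
        [ "$cj_path" = "/" ] && break
        cj_path=$(dirname "$cj_path")
    done
    return "$cj_rc"
}

# Typical use, as root, for the three directories in the question:
#   check_jail_path /storage
#   check_jail_path /home/hpserver/Media
#   check_jail_path /var/www
```

A directory below a user-owned home, such as /home/hpserver/Media, is reported if /home/hpserver belongs to that user, because the parent is then not root-owned.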
 