[RESOLVED] How to allow sudo user to sftp files

igorek24
Posts: 90
Joined: 2013/11/13 06:11:37

[RESOLVED] How to allow sudo user to sftp files

Post by igorek24 » 2014/12/12 19:11:07

I have created an admin user (admin). When I connect to my server with an sftp client and try to create/modify any file in the /var/www/html directory, I get Permission denied. Does anyone know how to give that user rw permissions to /var/www/html?
Thanks.
Last edited by igorek24 on 2014/12/13 01:24:56, edited 1 time in total.

lightman47
Posts: 1148
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: How to allow sudo user to sftp files to /var/www/html?

Post by lightman47 » 2014/12/12 20:51:27

I did the following to my cgi-bin folder, to which I post pages via ftp. You substitute html below (assume the user name is admin):

su -
built a group for this purpose, and added admin to it
cd /var/www
chgrp -R {groupname} cgi-bin
chmod -R 775 cgi-bin
reboot

While this may not be the correct way, it works for me.
Note: I'd consider another account name for this task instead of admin. In all the break-in attempts to my server, the #2 account they hammer trying to guess passwords/login as is "admin", with #1 being root.
Remember - importing/building packages will likely "byte you in the butt" come update time, long after you'd forgotten you did that! Use repos whenever possible.

igorek24
Posts: 90
Joined: 2013/11/13 06:11:37

Re: How to allow sudo user to sftp files to /var/www/html?

Post by igorek24 » 2014/12/12 22:29:56

Ok, here is what I did:

Code: Select all

$ sudo groupadd webgrp
$ sudo usermod -G webgrp admin                              # adding admin user to webgrp group
$ sudo usermod -G webgrp apache                             # adding apache user to webgrp group
$ sudo usermod -G webgrp railo                              # adding railo user to webgrp group
$ sudo chown -R apache:webgrp /var/www/html

When I reboot, the admin account loses the sudo privileges. What am I doing wrong?

Btw. I'm aware of the admin user name, it was used as an example. I don't use common user names such as admin, administrator, etc. and root is always disabled.
Last edited by igorek24 on 2014/12/12 22:45:15, edited 1 time in total.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: How to allow sudo user to sftp files to /var/www/html?

Post by gerald_clark » 2014/12/12 22:35:01

Why are you changing the owner:group to apache:ebmweb when the group you created is webgrp?

None of this has anything to do with sudo privileges for user admin.

igorek24
Posts: 90
Joined: 2013/11/13 06:11:37

Re: How to allow sudo user to sftp files to /var/www/html?

Post by igorek24 » 2014/12/12 22:51:29

gerald_clark wrote: Why are you changing the owner:group to apache:ebmweb when the group you created is webgrp?

None of this has anything to do with sudo privileges for user admin.

Sorry, it was changed to webgrp. I have updated my post. I know that these steps have nothing to do with sudo. The user can't use sudo anymore and gets the following message: admin is not in the sudoers file. This incident will be reported.

lightman47
Posts: 1148
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: How to allow sudo user to sftp files to /var/www/html?

Post by lightman47 » 2014/12/12 22:55:02

sudo is (as designed) a TEMPORARY privilege elevation. You sudo (your tasks) then exit. It was never intended to survive reboots and shouldn't, for many security reasons.

igorek24
Posts: 90
Joined: 2013/11/13 06:11:37

Re: How to allow sudo user to sftp files to /var/www/html?

Post by igorek24 » 2014/12/12 23:35:14

lightman47 wrote: sudo is (as designed) a TEMPORARY privilege elevation. You sudo (your tasks) then exit. It was never intended to survive reboots and shouldn't, for many security reasons.

I get the message when I do, for example, sudo systemctl restart httpd, which I could do before I added the admin user to the webgrp group. Sudo is not the problem and I understand what sudo is/does. The problem is that I don't have write permissions when I try to create/edit files in /var/www/html, and after I take the steps above, the admin user can't do, for example, sudo systemctl restart httpd.

Let's start from the beginning.

For example, I have a user admin that is in sudoers. By default, when I connect to sftp with the client using the admin user, I can only create/edit files/folders in admin's home directory. My goal is to give that user write permissions to /var/www/html so I can upload and edit files there. My question is: does anyone have any idea what the steps are to give that user write permissions and still keep apache/railo as owner of /var/www/html? What I attempted to do is create a group called webgrp, add the admin, railo and apache users to that group and change the ownership to the apache user and webgrp group, and it didn't work.

igorek24
Posts: 90
Joined: 2013/11/13 06:11:37

Re: How to allow sudo user to sftp files to /var/www/html?

Post by igorek24 » 2014/12/13 01:22:21

Solved it. Here is what I did to make it work:

Code: Select all

$ sudo gpasswd --add admin webgrp 
$ sudo gpasswd --add apache webgrp
$ sudo gpasswd --add railo webgrp
$ sudo chown -R apache:webgrp /var/www/html
$ sudo chmod -R 775 /var/www/html
When I was doing

Code: Select all

usermod -G
it was removing that user from all of the groups and adding it to whatever group I specified. I needed to add a to the parameters like this

Code: Select all

usermod -aG group user
or a safer way is to do

Code: Select all

gpasswd --add user group
and that's what I did.

Thanks to everyone who took the time to respond.
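
Added example (not part of the original thread): a check for the failure described above, comparing a user's supplementary groups before and after a group change and reporting any that were dropped. The sample group files are constructed, and the assumption that admin got sudo through the wheel group (the CentOS default) is not stated in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Supplementary groups of USER, read from a file in /etc/group format
# (name:passwd:gid:member1,member2,...). The primary group is not listed there.
groups_of() {  # usage: groups_of USER GROUPFILE
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$2" | sort
}

# Groups USER belonged to in BEFORE but no longer belongs to in AFTER.
lost_groups() {  # usage: lost_groups USER BEFORE AFTER
    b=$(mktemp) a=$(mktemp)
    groups_of "$1" "$2" > "$b"
    groups_of "$1" "$3" > "$a"
    comm -23 "$b" "$a"      # lines only in the "before" list
    rm -f "$b" "$a"
}

# Constructed sample data: /etc/group as it would look before the change,
# after "usermod -G webgrp admin", and after "usermod -aG webgrp admin".
# Assumption: admin's sudo rights come from membership of wheel.
make_samples() {  # usage: make_samples DIR
    printf '%s\n' 'wheel:x:10:admin' 'webgrp:x:1001:'      'apache:x:48:' > "$1/before"
    printf '%s\n' 'wheel:x:10:'      'webgrp:x:1001:admin' 'apache:x:48:' > "$1/after_G"
    printf '%s\n' 'wheel:x:10:admin' 'webgrp:x:1001:admin' 'apache:x:48:' > "$1/after_aG"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "lost after usermod -G : $(lost_groups admin "$demo_dir/before" "$demo_dir/after_G")"
echo "lost after usermod -aG: $(lost_groups admin "$demo_dir/before" "$demo_dir/after_aG")"
rm -rf "$demo_dir"
```

On a real system, copy /etc/group aside before the change and pass that copy as BEFORE and /etc/group as AFTER.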
