Error message from server permission denied

I am using WinSCP and keep on experiencing this error every time I try to replace/overwrite a file. I have been able to transfer/overwrite a file before with out any problem but not anymore.

The exact error message:

Cannot create remote file ‘var/lib/tomcat6/webapps/…./myfilename.filepart’.
Permission denied.
Error code: 3
Error message from server: Permission denied

I have tried changing the ownership which I was successful at because when I refreshed, from tomcat6, it is now under my login name. But I am still denied. This is giving me a very hard time testing our reports as I just need to see if it’s already working i n the deployed app.

I also tried tweaking some of the options in the WinSCP preferences such as Drag & Drop and Endurance but nothing made any difference.

I reinstalled PuTTY and WinSCP, but nothing changed.

I am able to replace my file by coming out 1 notch from the file path (ex. var/lib/myfolder/myproject/web-inf/report, back 1 notch to var/lib/myfolder/myproject/web-inf/)
then type

sudo chown myuser:myuser report -R

but my reports will have errors, so I had to type
sudo chown tomca6:tomcat6 report -R then the error will be cleared and I now can view my replaced file.

This is very inconvenient as I have to do this every time.
Is there anything I can do to fix this? thanks

The SFTP Permission denied error happens when you SFTP into a server and try to add, remove or modify a file or directory. Still, the SFTP server does not allow you, and instead, it throws back permission denied, error: code 3.

To solve the SFTP permission denied error, you’ll need to verify that the user account you are using to SFTP has the proper permissions. Then, in the SFTP server, find the file or directory and change ownership or update its permissions.

Table of Contents

1. File Permissions and Ownership
2. A Closer Examination
3. Fixing the SFTP permission denied error on a Windows SFTP Server
4. How to solve the SFTP Permission denied on a Linux SFTP Server
5. Alternative ways to solve the Permission denied error
6. Conclusion

1. File Permissions and Ownership

Whether your server is Linux or Windows-based, the SFTP permission denied is always a result of inconsistent or misconfigured user permissions. To solve this problem, you’ll need to find the reasons why your specific user doesn’t have the necessary rights to add, edit, or remove a file or directory.

Before digging deeper, let’s remember the fundamentals.

• A user account is a set of configurations and information that tells the OS, which files and folders a user has access to, what it can do with them, and other settings like preferences or network resources. A properly configured user account should authenticate and authorize you to use specific resources, including SFTP.
• User account types Every user account has a specific kind that determines their permission level and their actions at the OS level. For instance, there are admin users in Windows and root users in Linux.
• A user group is a collection of user accounts with the same permissions and security rights. Every user account is a member of at least one group.

File and folder permissions

Permissions are the authorization and access rights methods for allowing users and groups to do a particular action. For example, with configured permissions, the SFTP server determines which users and groups can access which files or folders (and what they can do with them).

To determine your user account type, its group, and permissions, continue to the next section.

2. A Closer Examination

This error is also known as the permission denied error code 3. It happens due to an SFTP server’s user permission to a file or directory being denied. In other words, the server is rejecting access to its files and folders for a specific (or all) user.

On a Linux machine, the SFTP error permission denied looks as follows:

On Windows, while using a client such as WinSCP or Bitvise, the message looks something like this:

How to fix the SFTP permission denied

To solve the permission denied error, you’ll need to access the SFTP server via SSH, with superuser or root privileges. There, you’ll verify all your files/folders permissions and ensure they are granted correctly. Ensure you are using the correct usernames and that such usernames belong to the right group. Finally, grant read/write access for your user on those specific directories.

A quick note: There is a similar error message; the SFTP permission denied (public key). When you get this error, you cannot even access the (SSH or SFTP) server. The error message states that the server is denying access due to an incorrect public key authentication. Check the credentials (username and password) from the local client and ensure you are using the correct SSH public key. If the problem occurs network-wide, check the authorized_keys ownership and permissions on the server.

3. Fixing the SFTP permission denied error on a Windows SFTP Server

The first step to fixing the SFTP permission denied is to gather enough data on users, groups, and their permissions over specific files and directories.

• To see the users on Windows, open the Run dialog box (Win+R), type “lusrmgr.msc”, and hit enter. This action will open the Local Users and Groups snap-in. There, you’ll be able to see the Users along with their groups.

• In windows, you can also use the command “net user /domain username” to learn about those users’ users and group memberships.

• If you want to know the permission level on a specific file or folder, right-click on it, and select “Properties”.
• Go to Security > Group or user names > Permissions for “username”.
• In this window, you’ll see all the user accounts and groups with permissions for that specific file or folder. When you select a user or group, you’ll see its assigned permissions under the “Permissions for Users”.

• If you found that the file or folder doesn’t have the necessary permissions for that particular user, then that might be why the SFTP permission denied error.
• To modify permissions and ownership, click on “Advanced”.
• If you want to add a user to that specific file or folder or change “Ownership”, click on “Add”. You can also click on “Change” right after the “Owner” name.

• Click on “Select a principal”. A new window will open > “Select User or Group”.
• On the bottom blank field, enter the user’s object name.

• You can find your object name using the “Check Names” option on the left.
• If you can’t find it try the following: From the local computer (SFTP client).
  • In the Windows search box, type “Computer.
  • Right-click on “This PC” and select “Properties”.
  • You’ll find the object name listed under, Computer name, domain, and workgroup settings.

4. How to solve the SFTP Permission denied on a Linux SFTP Server?

So, what do you need to fix the SFTP permission denied error on a Linux SFTP server? Start by determining the users, groups, and permission levels to specific files and directories.

• On the Linux SFTP server, access the console terminal. You can use Ctrl+Alt+T or from the Search bar via the Linux dashboard. Or use SSH if you have remote access.
• On the terminal, issue a “$whoami” command to see the current username. In addition, you can also use the command “$ groups” to identify the user’s group membership.
• Use a “ls -l” command to list the files, directories, and permissions. This command will also help you see each user and their group. 

• The first column from the output represents the permission level. The third and fourth columns represent the file/directory owner username and group. And The last column is the file name, directory, or symbolic link.
• For instance, the 8th line shows a directory (d) named “jack”. This directory belongs to user “jack”, in the group “staff”. The folder has a permission level defined as “drwxr-xr-x”, which means user Jack should be able to read, write, and execute (rwx). At the group level, all members should read and execute (no write). Finally, everybody else is also allowed to read and execute (no write).

SFTP Permission Denied Solutions

If the target file or directory belongs to someone else or doesn’t allow reading, writing, and executing, you’ll need to:

• Change ownership
• Modify permissions

For both solutions described below, you’ll need superuser or root privileges in the SFTP server.

Solution 1. Change the ownership of the file or directory or change the user to a new group

First, you’ll need to determine the current owner of the file/directory (use ls -l). Then, if it is incorrectly assigned, you’ll need to change its ownership with the “chown” command.

$ ls -l

$ chown [user] [file]

• You can also assign the user to the right group to read and write the directory or file. Finally, use the “usermod” command to modify the user account by appending it (-a) to a target group (G).

$ ls -l 

$ usermod -a -G [target group]

Solution 2. Set the permissions on files or directories

Use the command “chmod” to modify the permissions on the target file or directory. The syntax of the command is as follows:

$chmod [options] [permissions] [target_file_name]

• The [permissions] on the command define the user’s (owner) permissions for the file, the group members who own the file or directory, or anyone else (others) that also plays a role on the file or directory. Permissions can be represented with alphanumeric characters or octal numbers.
• Let’s say, you as the owner of the file named TEST, want to modify the file with a new set of permissions, so that:
  • You (the user) can read, write, and execute (rwx)
  • All the group members can read and execute (rx)
  • And all others can read and execute (rx).

In alphanumeric representation:

$chmod u=rwx,g=rx,o=rx TEST

In octal numbers:

$chmod 755 TEST

As an example, if you are trying to transfer an HTML document to a server via SFTP to the directory “/usr/local/bin” and from the “ls-l” command, you found out that this directory is owned by root with permission 775, you’ll only need to add your “trusted user” to the root’s group.

5. Alternative ways to solve the Permission denied error

Most of the time, the SFTP permission denied error results from the poor user, groups, and permissions management. To avoid this error, you’ll need to look for client/server solutions that allow you more accessible and fine-grain administration of user accounts and permissions.

If using OpenSSH for Windows (or Linux), constantly update it to the latest version. In addition, do not limit yourself to a single SFTP client solution, but try others. Try other SFTP/SSH server solutions, as some old projects are deprecated or abandoned. If possible, try SFTP client and server from the same vendor—for instance, Bitvise or Serv-U MFT.

a. The Serv-U MFT – FREE TRIAL

SolarWinds’ Serv-U file Managed File Transfer is a simple and easy-to-use secure file transfer solution. The Managed File Transfer (MFT) solution supports FTP, FTPS, SFTP, HTTP, and HTTPS (over IPv4 or IPv6). In addition, it provides centralized remote file transfer management and automation capabilities from a web console.

The Serv-U MFT solution integrates with an existing Active Directory and LDAP server to help you control permissions and user access for large networks. It synchronizes all user account information and simplifies authentication. With the Serv-U MFT, you can configure limits and customize settings for all file transfer operations of users, groups, domains, and servers. Change user and groups, or modify directories, files, and permissions, all from one place.

Highlights

• Supports an unlimited number of user accounts and domains.
• Create an SSH private key or load one.
• Manage users, groups, and directories from the same console.
• Keep track of your server and domain logs for easier troubleshooting.

Download: Serv-U MFT Server is deployable on-premises. It installs on Windows or Linux platforms. Click here for a fully functional 14-day free trial.

b. Bitvise

Bitvise is an SSH end-to-end solution for Windows. It provides SSH Server and SSH Client and supports file transfer protocols SFTP and SCP. The SSH Client for Windows includes a terminal emulator, graphical and command-line file transfer, and tunneling features. The Bitvise SFTP client is compatible with a wide variety of clients.

Highlights: 

• 2FA. Implement Two-Factor Authentication (2FA) with SFTP clients.
• Create a virtual filesystem. SFTP clients can be restricted to single or multiple directories in a virtual filesystem.
• Support for virtual accounts. Bitvise allows you to create and manage virtual accounts backed by the identity of Windows accounts.
• And a lot more.

Note: Bitvise creates these virtual accounts (BvSsh_VirtualUsers) with SSH server permission, but still, it will use Windows to provide the security context for the session. So if you are logging in to the SFTP server with such accounts and haven’t updated the filesystem permissions (on the root directory), you’ll get the SFTP permission denied.

Download: Bitvise SSH Server is available to Download for a fully functional 30 days trial. Τhe limited Bitvise SSH server personal edition is offered free of charge.

6. Conclusion

In this troubleshooting guide to “SFTP permission denied,” we went through the steps of tracing and solving this infamous error. To get a hint on where to start, go to the SFTP server and analyze the permissions and ownerships of the user’s files and folders. If a user (or group) doesn’t have the necessary permissions (rwx) over their directory, then it is very likely that this is the source of the SFTP permission denied.

As per suggestions from the post, go ahead and update those permissions. Using alternative solutions such as Serv-U or Bitvise will also help you avoid mistakes when managing user and permissions (especially in Windows servers). Such solutions provide better management and more flexibility when configuring users and permissions.

SFTP troubleshooting FAQs

What ports does SFTP use?

SFTP uses only one port – FTPS uses two. The SFTP system operates vier the Secure Shell protocol, so it uses the port allocated to SSH. This is TCP port 22.

What is 550 Permission denied?

550 relates to the permissions on a file or directory. It is a notation convention that is common in Unix and Unix-like operating systems, such as Linux and macOS. Permissions in this file system have three positions that denote the access rights for the current user, the current user’s group, and others (outside of the current user’s group). This is why there are three numbers in 550. Each number relates to read, write, and execute. These can be expressed as rwx, which would make 550 into r-xr-x—. A number is allocated to read, another to write, and then another to execute permissions. The numbers associated with the permission rights of the subject are added up. These allocations are execute=1, write=2, and read=4. So the possible values for each number in the access permissions are 0, 1, 2, 3, 4, 5, 6, and 7. 5 can only be made up of 1 + 4, which is execute + read. So, 550 means user = read and execute, group = read and execute, other = no access.

How do I give permission to chmod 777?

In Unix, Linux, or macOS, you change the permissions on a file or directory with the chmod command. The quickest way to do this is to use the numerical notation for permissions. The three positions in 777 relate to the user, the user’s group, and others. Full access provides read, write, and execute permissions, which is represented by the number 7, so chmod 777 file.txt gives read, write, and execute permission to the user, the user’s group, and everyone else on the file called file.txt.

Are you stuck with the error ‘SFTP error #3 permission denied’? We can help you in fixing it.

Usually, this error occurs mainly due to permission errors.

At Bobcares, we often receive requests to solve SFTP errors as part of our Server Management Services.

Today, let’s discuss this error in detail and see how our Support Engineers fix it easily.

Why SFTP error #3 permission denied?

We always suggest our customers to transfer files via SFTP due to its security features.

However, we have come across many errors related to SFTP. One among them one is SFTP error #3 permission denied.

We’ve seen this error occurring due to problem with the permissions or due to file transfer resume option.

Among these both, the most common cause is permission error.

How we fix this permission denied error?

Recently, one of our customers approached us with a permission denied error. He was using WinSCP and whenever he tries to replace/overwrite a file, he was getting the following error.

Cannot create remote file 'filename'.
Permission denied.
Error code: 3
Error message from server: Permission denied

WinSCP or Windows Secure Copy is a free and open-source SFTP or SCP client for Microsoft Windows.

Our Support Engineers checked and found out permission errors. This occurs mainly when the user does not have the create permissions to the folder.

So, WinSCP fails to create a temporary file for the transfer. Let’s check the major two ways we follow to resolve this error.

1. Write permissions

As we have already said, these errors occur mainly due to some permission errors. So, we grant the user or group with write permissions to the folder.

For instance, if Ubuntu is the user, then we need to execute the below command in the folder on the Ubuntu server.

sudo chown -R ubuntu:ubuntu .

2. Disable transfer to temporary files

WinSCP supports resuming file transfers with SFTP and FTP. It will store the file being transferred to a temporary filename first.

And, renaming it to the target name occurs only once the transfer successfully finishes.

But, disabling this transfer to a temporary file will resolve the permission denied error.

For that, we follow the below steps:

1. Firstly, select Preferences.
2. Then, navigate to Transfer > Endurance page.
3. After that, under the “Enable transfer resume/transfer to a temporary file name for” section, we choose the Disable option.

[Still confused with this error?- We’ll help you.]

Conclusion

In short, the SFTP error #3 permission denied occurs due to incorrect permissions of files/folders. Today, we have discussed this error in detail and saw how our Support Engineers easily fix it.

var google_conversion_label = «owonCMyG5nEQ0aD71QM»;

Although SFTP is an easy-to-use and secure file transfer protocol, many people frequently face one of the most infamous SFTP errors, the “SFTP permission denied.”

As the error output reads, this issue is due to the lack of permissions to access a file or directory. Generally, you would still have access to the SFTP server via SSH, but you won’t be able to change a specific file or directory. Another similar error message is the “SFTP permission denied (public key),” where you won’t even be able to access the server via SFTP or SSH.

In this post, we’ll go through the two cases. First, we’ll learn to check and update the user/group file/folder permissions, and second, we’ll figure out why we are getting authentication/access permission denied due to the public key.

To illustrate a clearer picture of the “sftp permission denied” error scenario, we’ll use an AWS EC2, Ubuntu (Focal-20.04-amd64-server). We will use the default user “ubuntu” and add a new sftp01 user. By default, AWS doesn’t grant “root” SSH access to the EC2 instances due to security’s best practices.

1. The “SFTP permission denied” error

Regardless of which SFTP client you use, when you SFTP into a server and try to replace, edit, delete, or overwrite a file or directory, you get “an SFTP permission denied” error message.

An example:

Cannot create remote file ‘ver’.

Permission denied.

Error code: 3

Error message from server: Permission denied

In Windows, while using an SFTP client, like WinSCP or FileZilla, the message looks like this:

Generally, you are successfully connecting via SFTP or SSH with the same user, but you can’t modify, change, or overwrite the file via SFTP. But if you cannot even connect via SFTP or SSH, you might be getting a similar error message that reads “SFTP permission denied (public key)”.

The reason for these error messages is generally due to incorrect or lack of permissions. For example, you might have read, write, execute permissions on your local file (or folder), but the remote folder (or file) might not be accepting your actions (read, write, or execute). 

File permissions 101

Since this error is most likely related to incorrect permissions, you’ll have to figure out why you don’t have the authorization to edit, change, or upload a file or directory.

• Log in to the SFTP server using SSH and use the command “$ whoami” to see your username.
• Suppose the user logged in to the SFTP server does not have the necessary permissions (such as read command, “ls”) to a specific directory or file. In that case, you’ll get a message like: “ls: cannot open directory ‘/root’: Permission denied”.

For security reasons, some cloud providers like AWS separate root access from other users. In this case, my “ubuntu” user does not have access to the root user’s folder. This is simply because both users belong to different groups with different permissions. 

• Use “$ls -l” to get a long detailed list of files, directories, and permissions. This command will help you see whether your user (within a group) has the correct permissions to a file. The below screenshot shows the output of this command.

• The relevant output columns:
  • (1)-Permission level The first character, (l or d), represents a symbolic link or directory, while (-) represents a regular file. The next set of three characters (rwx, where: r=read, w=write, x=execute, and – = no permission) represent user permissions, the next three represent group permissions, and the last three characters are “others” permissions.
  • (2, 3)-User and group The next column (2 and 3) represents the file or directory owner and the group.
  • (4) – Name of the file, directory, or symbolic link.

So, what we can get from the output is that the file (-) “test.txt” belongs to the user/group (ubuntu/ubuntu). As for the permission level, “-rw-rw-r—” the “user” and “group” can both read and write, while all others can only read.

• To troubleshoot the SFTP permission denied, you’ll need to determine if your “other” user belongs to the group with read and write (rw) permissions (for instance, “ubuntu” in this case).
• Use the “$ groups” command to see the group your current user is associated with. So, in this example, the user “ubuntu” does not belong to the “root” group, so it does not have access to /root folder, as initially stated. The “sudo” group is the one granting elevated privileges.

Solutions: How to fix the SFTP permission denied?

So now that we know how to check users, groups, and their file/folder permissions, let’s solve the “SFTP permission denied” error. Bear in mind that the majority of commands here require higher privilege to execute.

The command (ls -l) is handy to let you see the permissions of the target directory or file. If the file or directory belongs to another user, group or it does not allow either writing (for instance, drwxr-xr-x) for the group and other users, you’ll need to grant the right set of permissions.

Solution 1. Assign the user without permission to a group with permissions to the file or directory

Use the (ls- l) command to see the owner and group a file belongs to. If it belongs to a different group your user does not belong to, you’ll need to assign your user to this group.

Use the following command to assign your user to the group permission instead of reading and writing (rw). After doing this, try SFTP again.

• $ sudo usermod -a -G [target group] $USER

Solution 2. Use the (chown) command to change ownership of the single file or directory

Rather than assign a new group to your user, you can change the ownership of a file or directory. For example, let’s say the “sftp01” user gets an SFTP permission denied every time it wants to edit or overwrite the “test01.txt” file. To see who owns this specific file, go to the folder where you are getting the sftp permission denied and do a (ls -l), then use (chown) to change the ownership.

• $ sudo chown [user] [file]

NOTE: If you are working under an admin or root role, be careful not to change the entire ownership of a directory and subdirectory with -R recursive ownership, as this can affect access and authentication to the SFTP server (we’ll get to this later). 

Solution 3. Grant the appropriate permission

Use the “chmod” command to change the file or directory permissions. The suggested permission levels when using the chmod are 755 for file and 644 for directory permission. 

• chmod 755: Read and execute access for everyone. Read, write, and execute access for the owner of the file. For example, when you do a “$chmod 755 examplefile”, you allow everyone to read and perform the file, while only the owner is entitled to read, write, and execute the file.
• chmod 777: Use the chmod 777 (-rwxrwxrwx) if you want to allow everyone, including the owner, group, and others, to read, write, and execute. Granting this level of “openness” is not a good security practice, but you can use it for testing purposes.
• chmod 644: The user (or owner) can read, write but can’t execute. The group and others can read but can’t write and execute. This command is suggested for directories.

The “$sudo chmod 775 [filename]” command will change the permission structure of the file. As mentioned above, with (-rwxrwxr-x) (775), the file will be readable and executable by everyone (r-x) “others”.

Use Recursive to add permission subdirectories as well

You can use the “sudo chmod -R [mode] [file or directory]”. The [-R] changes files and directories recursively, so use this with care.  It allowss the user to read, write, or execute to all sub-directories and files.

Solution 4. Permission denied due to failed authentication

Another variation for the SFTP permission denied is due to authentication. You can’t even access your SFTP server from the SFTP client. If you get the “Permission denied (public key),” you won’t be able to access and authenticate to the server via SSH.

To solve this issue, try the following:

• Check your username You might be using the incorrect username, but correct public key and thus get the permission denied error. Check whether you are using the correct username in your SFTP client. But still, if the username is correct but is not authorized to use the key, you’ll also get permission denied (public key).
• Permissions at the server are incorrect This is because the permission to the files under the home directory changed. Users might be locked out if the “authorized_keys” (under /.ssh/authorized_keys, for Linux Ubuntu) file permission or ownership changed. An admin has to log in with root access or connect via the serial console to adjust the home directory file permissions. As mentioned earlier, applying “chmod -R” incorrectly can affect all home directory subdirectories, including .ssh and authorized_keys files.
• Check the SSH public key (.pub) on the local computer Make sure you are using the correct public key in the authorized_keys file. To add a new public key to an SFTP client with FileZilla. Go to Settings > Connection > SFTP > click on “Add key file…” Browse through your local files and import the right key.

Configuring permissions with alternative SFTP server tools

Our methodology for selecting SFTP tools and software

We reviewed the network monitoring tools and software market and analyzed the options based on the following criteria:

• An autodiscovery system to log all network devices
• A network topology mapper
• The ability to collect live network devices statuses by using SNMP
• A facility to analyze network performance over time
• Access and file control
• A free trial period, a demo, or a money-back guarantee for no-risk assessment
• A good price that reflects value for money when compared to the features offered

1. SolarWinds SFTP/SCP Server – FREE TOOL

The Solarwinds SFTP/SCP server is a free tool for reliable and secure file transfers. It is easy to use, light and runs as a Windows service. In addition, SFTP provides advanced SFTP features such as concurrent transfers from multiple devices or limits access by authorizing a specific or range of IPs.

Key Features:

• Offers SFTP, FTP, and TFTP
• Transfer files up to 4 GB in size
• Good for distributing device configurations
• Can be automated
• Receives multiple files simultaneously

This tool pushes OS images, configuration files, updates, backup files, or transfer files up to 4GB. In addition, this SFTP server provides primary authentication access to the server and only allows one folder for all users.

Website Link: https://www.solarwinds.com/free-tools/free-sftp-server

Free Download!

2. SolarWinds Serv-U FTP/MFT Server – FREE TRIAL

The SolarWinds Serv-U FTP/MFT Server is a more advanced SFTP server that lets you handle large and multiple file transfers. It supports up to 250 users, 100 concurrent sessions, up to 3 domains and allows a fine-grained access control over those resources.

Key Features:

• Paid tool for Windows Server
• FTPS, SFTP, and HTTPS
• PCI DSS, HIPAA, FISMA, SOX compliance
• P2P file sharing possible

With Serv-U, you can easily change and update user and folder access and permissions. In addition, it provides a directory access rule-based control that allows you to change permissions on files and directories.

Website Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server

Download 14-day Free Trial!

Final Words

The “SFTP permission denied” error message occurs when your SFTP server doesn’t allow your user (within a group) to modify or overwrite a file or directory. To solve this, you’ll have to SSH into the SFTP server, find the file/directory and identify its current permission mode and ownership. Then, you’ll have to change the permissions as specified in this post. The second SFTP permission denied (public key) message occurs when you are logging with an incorrect user, public key, or the user doesn’t have the necessary permission to access the key file in the server.

Alternatively, you can use an SFTP server such as SolarWinds Serv-U FTP/MFT Server, which gives you more flexibility when configuring permissions. This tool will help you avoid the “SFTP permission denied” and fix it for all the SFTP users.

SFTP permission denied FAQs

How do I fix SFTP error?

SFTP errors can be caused by a number of different problems. However, the most frequently encountered errors revolve around a failure to connect to the remote device. This failure can be due to four reasons and these need to be checked:

1. Check the destination address has been entered correctly.
2. Check that the correct port is being used.
3. Check that you have an active access account on the remote device.
4. Check that you typed in your credentials correctly.

Troubleshooting SFTP permission denied

Although SFTP is an easy-to-use and secure file transfer protocol, many people frequently face one of the most infamous SFTP errors, the “SFTP permission denied.”

As the error output reads, this issue is due to the lack of permissions to access a file or directory. Generally, you would still have access to the SFTP server via SSH, but you won’t be able to change a specific file or directory. Another similar error message is the “SFTP permission denied (public key),” where you won’t even be able to access the server via SFTP or SSH.

In this post, we’ll go through the two cases. First, we’ll learn to check and update the user/group file/folder permissions, and second, we’ll figure out why we are getting authentication/access permission denied due to the public key.

To illustrate a clearer picture of the “sftp permission denied” error scenario, we’ll use an AWS EC2, Ubuntu (Focal-20.04-amd64-server). We will use the default user “ubuntu” and add a new sftp01 user. By default, AWS doesn’t grant “root” SSH access to the EC2 instances due to security’s best practices.

1. The “SFTP permission denied” error

Regardless of which SFTP client you use, when you SFTP into a server and try to replace, edit, delete, or overwrite a file or directory, you get “an SFTP permission denied” error message.

Cannot create remote file ‘ver’.

Permission denied.

Error code: 3

Error message from server: Permission denied

In Windows, while using an SFTP client, like WinSCP or FileZilla, the message looks like this:

Generally, you are successfully connecting via SFTP or SSH with the same user, but you can’t modify, change, or overwrite the file via SFTP. But if you cannot even connect via SFTP or SSH, you might be getting a similar error message that reads “SFTP permission denied (public key)”.

The reason for these error messages is generally due to incorrect or lack of permissions. For example, you might have read, write, execute permissions on your local file (or folder), but the remote folder (or file) might not be accepting your actions (read, write, or execute).

File permissions 101

Since this error is most likely related to incorrect permissions, you’ll have to figure out why you don’t have the authorization to edit, change, or upload a file or directory.

• Log in to the SFTP server using SSH and use the command “$ whoami” to see your username.
• Suppose the user logged in to the SFTP server does not have the necessary permissions (such as read command, “ls”) to a specific directory or file. In that case, you’ll get a message like: “ls: cannot open directory ‘/root’: Permission denied”.

For security reasons, some cloud providers like AWS separate root access from other users. In this case, my “ubuntu” user does not have access to the root user’s folder. This is simply because both users belong to different groups with different permissions.

• Use “$ls -l” to get a long detailed list of files, directories, and permissions. This command will help you see whether your user (within a group) has the correct permissions to a file. The below screenshot shows the output of this command.

• The relevant output columns:
  • (1)-Permission level The first character, (l or d), represents a symbolic link or directory, while (-) represents a regular file. The next set of three characters (rwx, where: r=read, w=write, x=execute, and – = no permission) represent user permissions, the next three represent group permissions, and the last three characters are “others” permissions.
  • (2, 3)-User and group The next column (2 and 3) represents the file or directory owner and the group.
  • (4) – Name of the file, directory, or symbolic link.

So, what we can get from the output is that the file (-) “test.txt” belongs to the user/group (ubuntu/ubuntu). As for the permission level, “-rw-rw-r—” the “user” and “group” can both read and write, while all others can only read.

• To troubleshoot the SFTP permission denied, you’ll need to determine if your “other” user belongs to the group with read and write (rw) permissions (for instance, “ubuntu” in this case).
• Use the “$ groups” command to see the group your current user is associated with. So, in this example, the user “ubuntu” does not belong to the “root” group, so it does not have access to /root folder, as initially stated. The “sudo” group is the one granting elevated privileges.

Solutions: How to fix the SFTP permission denied?

So now that we know how to check users, groups, and their file/folder permissions, let’s solve the “SFTP permission denied” error. Bear in mind that the majority of commands here require higher privilege to execute.

The command (ls -l) is handy to let you see the permissions of the target directory or file. If the file or directory belongs to another user, group or it does not allow either writing (for instance, drwxr-xr-x) for the group and other users, you’ll need to grant the right set of permissions.

Solution 1. Assign the user without permission to a group with permissions to the file or directory

Use the (ls- l) command to see the owner and group a file belongs to. If it belongs to a different group your user does not belong to, you’ll need to assign your user to this group.

Use the following command to assign your user to the group permission instead of reading and writing (rw). After doing this, try SFTP again.

• $ sudo usermod -a -G [target group] $USER

Solution 2. Use the (chown) command to change ownership of the single file or directory

Rather than assign a new group to your user, you can change the ownership of a file or directory. For example, let’s say the “sftp01” user gets an SFTP permission denied every time it wants to edit or overwrite the “test01.txt” file. To see who owns this specific file, go to the folder where you are getting the sftp permission denied and do a (ls -l), then use (chown) to change the ownership.

NOTE: If you are working under an admin or root role, be careful not to change the entire ownership of a directory and subdirectory with -R recursive ownership, as this can affect access and authentication to the SFTP server (we’ll get to this later).

Solution 3. Grant the appropriate permission

Use the “chmod” command to change the file or directory permissions. The suggested permission levels when using the chmod are 755 for file and 644 for directory permission.

• chmod 755: Read and execute access for everyone. Read, write, and execute access for the owner of the file. For example, when you do a “$chmod 755 examplefile”, you allow everyone to read and perform the file, while only the owner is entitled to read, write, and execute the file.
• chmod 777: Use the chmod 777 (-rwxrwxrwx) if you want to allow everyone, including the owner, group, and others, to read, write, and execute. Granting this level of “openness” is not a good security practice, but you can use it for testing purposes.
• chmod 644: The user (or owner) can read, write but can’t execute. The group and others can read but can’t write and execute. This command is suggested for directories.

The “$sudo chmod 775 [filename]” command will change the permission structure of the file. As mentioned above, with (-rwxrwxr-x) (775), the file will be readable and executable by everyone (r-x) “others”.

Use Recursive to add permission subdirectories as well

You can use the “sudo chmod -R [mode] [file or directory]”. The [-R] changes files and directories recursively, so use this with care. It allowss the user to read, write, or execute to all sub-directories and files.

Solution 4. Permission denied due to failed authentication

Another variation for the SFTP permission denied is due to authentication. You can’t even access your SFTP server from the SFTP client. If you get the “Permission denied (public key),” you won’t be able to access and authenticate to the server via SSH.

To solve this issue, try the following:

• Check your username You might be using the incorrect username, but correct public key and thus get the permission denied error. Check whether you are using the correct username in your SFTP client. But still, if the username is correct but is not authorized to use the key, you’ll also get permission denied (public key).
• Permissions at the server are incorrect This is because the permission to the files under the home directory changed. Users might be locked out if the “authorized_keys” (under /.ssh/authorized_keys, for Linux Ubuntu) file permission or ownership changed. An admin has to log in with root access or connect via the serial console to adjust the home directory file permissions. As mentioned earlier, applying “chmod -R” incorrectly can affect all home directory subdirectories, including .ssh and authorized_keys files.
• Check the SSH public key (.pub) on the local computer Make sure you are using the correct public key in the authorized_keys file. To add a new public key to an SFTP client with FileZilla. Go to Settings > Connection > SFTP > click on “Add key file…” Browse through your local files and import the right key.

Configuring permissions with alternative SFTP server tools

1. SolarWinds SFTP/SCP Server – FREE TOOL

The Solarwinds SFTP/SCP server is a free tool for reliable and secure file transfers. It is easy to use, light and runs as a Windows service. In addition, SFTP provides advanced SFTP features such as concurrent transfers from multiple devices or limits access by authorizing a specific or range of IPs.

Key Features:

• Offers SFTP, FTP, and TFTP
• Transfer files up to 4 GB in size
• Good for distributing device configurations
• Can be automated
• Receives multiple files simultaneously

This tool pushes OS images, configuration files, updates, backup files, or transfer files up to 4GB. In addition, this SFTP server provides primary authentication access to the server and only allows one folder for all users.

• Completely free SFTP server
• In-depth user authentication options
• Can set limits based on events such as deleting, uploading, and downloading – great for larger teams

• Is designed more for a technical audience, with an abundance of features and customization options

2. SolarWinds Serv-U FTP/MFT Server – FREE TRIAL

The SolarWinds Serv-U FTP/MFT Server is a more advanced SFTP server that lets you handle large and multiple file transfers. It supports up to 250 users, 100 concurrent sessions, up to 3 domains and allows a fine-grained access control over those resources.

Key Features:

• Paid tool for Windows Server
• FTPS, SFTP, and HTTPS
• PCI DSS, HIPAA, FISMA, SOX compliance
• P2P file sharing possible

With Serv-U, you can easily change and update user and folder access and permissions. In addition, it provides a directory access rule-based control that allows you to change permissions on files and directories.

• Supports FTP, FTPS, and SFTP file transfers, making it a more flexible option than some of its competitors
• Robust search features are ideal for large file transfers over long periods of time
• Built with the enterprise in mind
• Supports drag and drop transfers, making it an easy option for end-users
• Built-in schedule works well for EDI and other regular transfers

• Would like to see a longer trial period for testing

Final Words

The “SFTP permission denied” error message occurs when your SFTP server doesn’t allow your user (within a group) to modify or overwrite a file or directory. To solve this, you’ll have to SSH into the SFTP server, find the file/directory and identify its current permission mode and ownership. Then, you’ll have to change the permissions as specified in this post. The second SFTP permission denied (public key) message occurs when you are logging with an incorrect user, public key, or the user doesn’t have the necessary permission to access the key file in the server.

Alternatively, you can use an SFTP server such as SolarWinds Serv-U FTP/MFT Server, which gives you more flexibility when configuring permissions. This tool will help you avoid the “SFTP permission denied” and fix it for all the SFTP users.

SFTP permission denied FAQs

How do I fix SFTP error?

SFTP errors can be caused by a number of different problems. However, the most frequently encountered errors revolve around a failure to connect to the remote device. This failure can be due to four reasons and these need to be checked:

1. Check the destination address has been entered correctly.
2. Check that the correct port is being used.
3. Check that you have an active access account on the remote device.
4. Check that you typed in your credentials correctly.

What is chmod command in SFTP?

In Unix and Unix-like operating systems, including Linux and macOS, chmod changes file permissions. Access permissions to files are levied in three groups – the user, the user’s group, and everyone else. There are three possible access levels for each category of accessor: read, write, and execute. Each position in the chmod command can have one, two, or all three of these rights. Chmod can be expressed by letters or numbers. The letters that the system uses are r (read), w (write), and x (execute). The number-based system is a little more complicated. Each position is represented by a number that is the sum of all permissions for that accessor type. In this scheme 1 = execute, 2 = write, and 4 = read. So, 7 represents read, write, and execute and 5 would signify read and execute.

What port is SFTP?

SFTP uses the security system of SSH for protection. It is an FTP session that runs inside an SSH session. Thus, SFTP uses the same port that is assigned to Secure Shell (SSH), which is TCP port 22.

Источник

Для удобства работы с удаленными Linux серверами и обычными машинами многие начинающие пользователи использую программу WinSCP. Она и вправду очень удобная и простая в использование в отличии например от PuTTY, напоминает обычный проводник Windows. Но важно понимать что WinSCP это клиент который предназначен для копирования файлов, конечно с его помощью можно настраивать config и изменять другие файлы. Но выполнить какую либо команду не получиться, например, запустить службу или установить её. Для этих целей придется обратиться к PuTTY. Сегодня рассмотрим ошибку «Доступ запрещен, код ошибки 3» которая может появиться во время каких либо действий с файлами, копирования, перемещения, изменения и т.д. Говорит это о том что у Вас не хватает прав, но давайте обо всем по порядку.

Что делать если во время работы с файлом появляется ошибка «Не могу заново открыть файл ‘/»

И так Вы работаете с фалами на удаленном сервере через клиента WinSCP, Вам потребовалось скажем скачать (переместить, изменить, переименовать и т.д.) это файл к себе на компьютер.

Скачать WinSCP — https://winscp.net/eng/download.php

Вы как обычно кликаете ПКМ мыши и выбираете «Получить» но видите сообщение об ошибке следующего вида.

Ошибка

Не могу заново открыть файл «/…/»

Доступ запрещен.

Код ошибки: 3

Сообщение ошибки от сервера: Permission denied (В разрешении отказано)

Все это говорит о том что у Вас просто напросто не прав на изменение этого файла. Определить это можно если посмотреть на колонку «Права», в данном случае видим что чтение и запись разрешены только владельцу файла «root». Для работы с файлами под обычным пользователям права должны выглядеть в этой колонке как и папки выше.

Можно определенному пользователю дать права «root» изменив настройки sftp сервера. Данный способ описан практически в каждой статье которую вы найдете в поиске. Но в этом случае обычный пользователь сможет удалять изменять системный файлы и файлы конфигурации. В результате можно положить сервер.

В нашем же случае гораздо проще изменить права необходимого файла. Для этого придется воспользоваться программой PuTTY.

Скачать PuTTY — https://www.putty.org/

Скачиваем и запускаем программу, для подключения вводим ip адрес удаленного сервера.

В открывшемся окне сначала авторизуемся под обычным пользователем, потом с помощью команды «su» получаем «root» права, и запускаем файловый менеджер «mc».

Находим необходимый файл, выделяем его и на панели инструментов открываем раздел «Файл» и выбираем пункт «Права доступа».

В открывшемся окне отмечаем пункты, если есть группы отмечаем «Чтение для групп»,» Запись для групп», если групп нет тогда «Чтение для других» и «Запись для других» либо можете отметить и то и то.

После этого необходимо переподключиться к удаленной машине в клиенте WinSCP.

После этого все возможные действия (копирование, перемещение, изменение и т.д.) с фалом должны быть доступны.

The following tutorial worked for me and provides helpful screenshots. Logging in as a regular user with sudo permissions simply required tweaking a few WinSCP options:
http://cvlive.blogspot.de/2014/03/how-to-login-in-as-ssh-root-user-from.html

Set Session/File protocol to: SCP, enter host/instance ip, port — usually 22, and regular username. Enter password credentials if the login requires it.
Add the user’s corresponding Private key file in Advanced/SSH/Authentication.

Unchecking Advanced/SSH/Authentication/attempt «keyboard interactive» authentication should allow Advanced/Environment/SCP Shell/Shell/Shell: sudo su — to provide sudo permissions for accessing webserver directories as a non-owner user.

---

Update: 08/03/2017

WinSCP logging can be helpful to troubleshoot issues.

winscp.net/eng/docs/logging:

[WinSCP] Logging can be enabled from Logging page of Preferences dialog.
Logging can also be enabled from command-line using /log and /xmllog
parameters respectively, what is particularly useful with scripting.
In .NET assembly, session logging is enabled using
Session.SessionLogPath1).

Depending on WinSCP connection errors, some server installations may need a directive added to the (Ubunto, CentOS, other-Linux-Server) /etc/sudoers file to not require TTY for a specified user. Creating a file in /etc/sudoers.d/ (using a tool such as Amazon Command Line Interface or PuTTY) may be a better option than editing /etc/sudoers. Some /etc/sudoers versions recommend it:

This file MUST be edited with the ‘visudo’ command as root.
Please consider adding local content in /etc/sudoers.d/ instead of
directly modifying this file.
See the man page for details on how to write a sudoers file.

When editing a sudoers file (as root) through the command-line, the ‘visudo’ command should be used to open the file as it will parse the file for syntax errors. /etc/sudoers.d/ files are typically owned by root and chmoded with minimal permissions. The default /etc/sudoers file may be referenced as it should automatically have recommended chmod permissions on installation. e.g.: 0440 r—r—— .

superuser.com/a/869145 :

visudo -f /etc/sudoers.d/somefilename

Defaults:username !requiretty 

Helpful Links:

• Stackoverflow: stackoverflow.com/questions/25688850/cloud-init-how-to-add-default-user-to-sudoers-d
  • www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos

WinSCP Forum:
— winscp.net/forum/viewtopic.php?t=3046
— winscp.net/forum/viewtopic.php?t=2109

WinSCP Doc: https://winscp.net/eng/docs/faq_su

With SCP protocol, you can specify following command as custom shell
on the SCP/Shell page of Advanced Site Settings dialog:

sudo -s

[…]

Note that as WinSCP cannot implement terminal emulation, you need to
have sudoers option requiretty turned off.

Instructions in Ubuntu Apache /etc/sudoers recommend adding directives to /etc/sudoers.d rather than editing /etc/sudoers directly. Depending on the installation, adding directive to /etc/sudoers.d/cloud-init may work as well.

It may be helpful to create an SSH test user with sudo permissions by following the steps provided in instance documentation to ensure that the user has recommended instance settings and any updates to server sudoer files can be effected and removed without affecting other users.