Deleting files or directories, just like moving them, is restricted only by the permissions of the PARENT
directory in which they reside, not by their own permissions.
This can be explained via the way a Linux file system works (with inodes and stuff), but I won't go into details.
Since you've done a
chmod ugo=rwx upload/
you've given write access to everybody. This means that chad can move around and delete anything in that directory.
Note that this is of course extremely insecure.
An example: you put a file in there that has permissions u=rw only, owned by your user, in which you store
some secrets like passwords.
Chad can then do, using only FTP:
rename your_secret_file his_file
This actually "moves" the file from one name to the other, so it is permitted!
chown chad his_file
Since he has become the owner after the rename, he can change the permissions of the file, making it for
instance readable, so he can find out your secrets.
One solution can be to restrict the permissions on the "upload" directory, but this can - if done incorrectly - lead to a situation where uploading is also impossible.
A better idea is to configure your FTP server so that it defines more clearly what is allowed and what is not.
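The rule described above can be checked mechanically. The following is an added example, not part of the original answer: it models the kernel's decision for unlink/rename by a non-root user, and goes slightly beyond the post by including the sticky bit (standard Linux behaviour, used on /tmp), which limits removal to the owner of the entry or of the directory. The function names and the second account's uid are assumptions made for illustration.

```python
import os
import stat
import tempfile


def may_remove_entry(dir_st, entry_st, uid, gids):
    """True if a non-root user (uid, gids) may unlink or rename an entry.

    Only the PARENT directory's mode is consulted; the entry's own
    permission bits play no part. The entry's owner matters only when
    the directory has the sticky bit set.
    """
    mode = dir_st.st_mode
    if uid == dir_st.st_uid:
        bits = (mode >> 6) & 7          # owner class
    elif dir_st.st_gid in gids:
        bits = (mode >> 3) & 7          # group class
    else:
        bits = mode & 7                 # other class
    if bits & 0o3 != 0o3:               # need write AND search on the dir
        return False
    if mode & stat.S_ISVTX:             # sticky bit: owners only
        return uid in (dir_st.st_uid, entry_st.st_uid)
    return True


def demo():
    """Evaluate a constructed upload/ directory under three modes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload = os.path.join(tmp, "upload")
        os.mkdir(upload)
        secret = os.path.join(upload, "your_secret_file")
        with open(secret, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(secret, 0o600)         # u=rw only, as in the post
        # Hypothetical second account: any uid that is not the owner.
        other_uid = os.stat(secret).st_uid + 1
        for mode in (0o777, 0o1777, 0o755):
            os.chmod(upload, mode)
            results[oct(mode)] = may_remove_entry(
                os.stat(upload), os.stat(secret), other_uid, set())
    return results


if __name__ == "__main__":
    for mode, allowed in demo().items():
        print(mode, "other user may delete/rename:", allowed)
```

With ugo=rwx (0o777) the other account may remove or rename the u=rw file; with the sticky bit (0o1777) or without world write (0o755) it may not, and 0o755 also blocks uploads by that account.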