Old 10-26-2007, 11:20 AM   #1
linuxdevil
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Rep: Reputation: 0
Default ownership of files and directories


Hello all,

I would like to know how to set up a directory in such a way that new files and directories have the same owner and group of the parent directory. Is this possible?

The scenario is an (S)FTP server where people can put their stuff, but I want the files they create to be owned by a standard user, not the specific user that actually created the file. I know how UNIX file permissions work, and I have researched Access Control Lists, but I haven't found the solution there. I have considered using the SUID bit, but that only works for groups and not the file owner.

As an example: what I would like to have is the following. I have a directory /projects in which people can put their stuff. All files in this directory are to be owned by the user "userx" and group-owned by the group "groupx". Normally, when user "joan" creates a file in this directory, it is owned by user "joan" and group "joan", but I would like this new file to be owned by user "userx" and group "groupx".

How can I do this? Thanks for your help!

Regards,

Martijn
 
Old 10-26-2007, 12:31 PM   #2
complich8
Member
 
Registered: Oct 2007
Distribution: rhel, fedora, gentoo, ubuntu, freebsd
Posts: 104

Rep: Reputation: 15
As far as I know, there's no simple way to do this in the filesystem directly.

But there's a couple workarounds you can use, depending on your circumstances.

(1) run proftpd or pure-ftpd, using the ssl extensions as appropriate. Benefits: you don't have to give your users system user access. Drawbacks: you're still running an ftpd, and it's ftp-over-ssl, not sftp (less common, possibly less client support). This is probably the simplest solution though...

(2) set up samba, bound to talk only to localhost, with a share defined that includes something like "force user = theuseryouwant" and "force group = thegroupyouwant" (which will override file owners to that user). Then you could smbmount that share into the directory your sftp users are accessing. A bit roundabout, but you could probably make it work I'd think. I'd probably not go that route unless you're married to sftp...

(3) I'm not sure, but maybe there's a way to accomplish that directly through the sftp configuration directives in sshd_config. That's definitely further down that rabbit hole than I've ever gone though.
 
Old 10-26-2007, 12:39 PM   #3
WAJEDUR REHMAN
Member
 
Registered: Aug 2007
Posts: 43

Rep: Reputation: 15
Files in directories with sticky bit set can only be removed by the owner and root, regardless of the write permissions of the directory.

The sgid permission for a directory means that files created in the directory will inherit their group affiliation from the directory, rather than inheriting it from the user.

Last edited by WAJEDUR REHMAN; 10-26-2007 at 12:53 PM.
 
Old 10-29-2007, 08:45 AM   #4
linuxdevil
LQ Newbie
 
Registered: Oct 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you for your help. I have evaluated your possible solutions, but I decided to go for setting the set-group-ID bit, so that new files and directories inherit the group of the parent directory. I have not found a practical solution to have the file owner set to a default uid.

Option 1 is not feasible for my setup since my users have an sftp client that does not support ftp over ssl, and they have no administrative rights to install other software, and I would like to keep the instructions for accessing the server as simple as possible.

Option 2 would not work since I have different directories with different groups, so setting a fixed user and group for all ftp access does not work. Also, it would complicate the server administration, which should also be possible for Linux novices.

Option 3 I have investigated, but I have found no such option in the sshd_config. This is an issue to be handled by the sftp-server subsystem. The sftp server program does not allow any configuration apart from setting log options. I have looked into the source code and I tried a number of changes to the source, but I found out that the limitation is an inherent security feature from Linux, which is that only the superuser can change the ownership of files and directories. The server runs with the uid and gid of the user that is connected to the sftp server, meaning that files and directories are created with his own uid and gid, which cannot be changed.

I have changed the default umask of the files created by the sftp-server by letting ssh call a shell script that sets the umask first before running the sftp-server. This has the desired effect that new files have group read-write permissions and no world permissions, which is what I want.

I am now looking into setting up a crontab that traverses the directory and changes the ownership of newly created files and directories to the ones that I would like to have.

If anyone finds a solution for setting the user id of new files and directories by an sftp-server, please post it here.
 
Old 06-02-2011, 06:25 AM   #5
D1b1
LQ Newbie
 
Registered: Jun 2011
Posts: 1

Rep: Reputation: Disabled
Third party solution

We have run into the same issues. We are setting up accounts on a development server so that our designers can work on Drupal sites. We have installed and customized the aegir project to handle the provisioning work. The issue we have is that for a number of reasons, security being the biggest, all files have to be owned by aegir. Things start having issues when cron processes that run as aegir cannot control sftp files with alt owners.

We have used lsyncd to handle these types of issues. Lsyncd runs as a daemon and watches for file system changes. It's very scriptable, so with a little bash work we are able to alter the owner to aegir as files are uploaded.

Hope this helps.
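
The ownership fix-up described in posts #4 (a crontab sweep) and #5 (a chown triggered on upload) runs as root inside a directory that ordinary users can write to, so it has to be selective about what it touches. The following is an added example, not code from any poster in this thread: the function names are hypothetical, it assumes GNU find, and the directory, owner and group are passed as arguments (for instance /projects, userx and groupx from the question).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical; the
# directory, owner and group are passed in (e.g. /projects, userx, groupx).

# Entries not yet owned by OWNER that are safe to hand over: directories,
# and regular files with exactly one hard link.
list_pending() {
    find "$1" -xdev -mindepth 1 ! -user "$2" \
        \( -type d -o \( -type f -links 1 \) \) -print
}

# Entries a root-run chown must not touch blindly: symlinks, device nodes,
# FIFOs, sockets, and files that are hard-linked under a second name.
list_suspicious() {
    find "$1" -xdev -mindepth 1 \
        \( -type l -o -type b -o -type c -o -type p -o -type s \
           -o \( -type f -links +1 \) \) -print
}

# Directories without the setgid bit: files created there take the
# uploader's primary group instead of the directory's group.
list_missing_setgid() {
    find "$1" -xdev -type d ! -perm -2000 -print
}

# sweep DIR OWNER GROUP [--apply]
# Dry run by default: prints what would change. With --apply (as root) it
# changes ownership. chown -h: if an entry is replaced by a symlink between
# find's check and the chown, the link itself is changed, not its target.
sweep() {
    dir=$1 owner=$2 group=$3 mode=${4:-}
    if [ "$mode" = "--apply" ]; then
        find "$dir" -xdev -mindepth 1 ! -user "$owner" \
            \( -type d -o \( -type f -links 1 \) \) \
            -exec chown -h -- "$owner:$group" {} +
    else
        list_pending "$dir" "$owner"
    fi
    # Report, but never modify, anything that needs a human look.
    list_suspicious "$dir" >&2
}
```

Sourced from a root cron job or called from an upload hook, `sweep DIR OWNER GROUP --apply` performs the change; anything printed on stderr was skipped and should be reviewed by hand.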
 
  


All times are GMT -5.