Old 03-09-2004, 03:32 PM   #1
fireman949
Member
 
Registered: Dec 2003
Location: Walls
Distribution: Slackware 10.1;CentOS 4
Posts: 51

Rep: Reputation: 15
ProFTP and file permissions


I have installed ProFTP. I am somewhat of a Linux newbie. I wanted to separate system users from ftp users. I thought it was a good idea since I'm not as familiar with Linux as I'd like to be so I figured that would be a little more secure. I am setting this up as a webserver for several people to upload content to so they each need to be able to access only their own directories.

The server is running standalone and running as nobody/nobody. I have set up the Auth files as such:
AuthUserFile /wwwroot/passwords/ftpd.passwd
AuthGroupFile /wwwroot/passwords/ftpd.group

I have created some test users and assigned them their own home directory and DefaultRoot ~ to keep them there. I was having problems uploading anything, I was getting "Access Denied" for all users. I went to the directories and changed the chmod from 766 to 777 on the directories of the users (no ownership change). When I attempted to upload after changing permissions, I was able to send anything I wanted. When I checked on these files they were there. The problem is, no matter what user I uploaded with (keep in mind these are not system users), the owner/group of the file was always operator/games. The permissions on the files/directories were 644 which is fine for webserving.

**Interesting to note, when connected via "ftp localhost" with a test user, files appear as test/games instead of operator/games **

Here are my questions.

1.) Should I set my webhosting directory owner/group to operator/games or is there a way to change what permissions an ftp'd file gets?

2.) Since the ftp users are system users, the uploaded files can't be owned by 'user1' if user1 is only a ftp user (in my ftp.passwd file) and not a system user right?

3.) I can change a directory to operator/group and change the permissions back to 766 and ftp will still work, is that the way I should go about it?

Thanks in advance,
Eric

Last edited by fireman949; 03-09-2004 at 03:57 PM.
 
Old 03-09-2004, 04:26 PM   #2
DaHammer
Member
 
Registered: Oct 2003
Location: Planet Earth
Distribution: Slackware, LFS
Posts: 561

Rep: Reputation: 30
Normally with FTP, you want people to be able to upload/download files, but not be able to delete files that are already there. So generally all files are owned by a specific user & group like ftp, with umask of something like 022. But you can change that to pretty much anything you want in the proftp.conf using the "User", "Group" & "Umask" directives. I'm not sure about having them belong to an ftpuser that isn't a system user though. If not, then what you could do is give every user a system account and set their shell to /bin/false or /sbin/nologin so that it's not possible for them to get shell access. And then set up proftp to jail them into their home directories when they log in. I also wouldn't use a umask such as 766. Doing so will allow anyone to write on that file/directory.
 
Old 03-09-2004, 10:49 PM   #3
fireman949
Original Poster
Here is a screen shot from a recent local ftp test. I was using user "eudorafiredept.org" from my ftp.passwd file. I uploaded file 'test' to the home directory (chmod 777) and it worked. No other directories within the home directory would accept a file. You can see in the screen shot that when I uploaded the file 'test' it showed to be owned by eudorafiredept.org and group webmasters (as set up in ftp.passwd and ftp.group). When I quit ftp and was viewing the folder, you can see it is owned by 4578 (the eudorafiredept.org uid in ftp.passwd) and the group is now 'games'.

Is that right???

Help is appreciated.

Last edited by fireman949; 03-10-2004 at 12:41 PM.
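
Added example (not part of any post in this thread, and not ProFTPD's own code): the ownership seen above follows from the numeric uid/gid stored in the AuthUserFile, which the host's `ls -l` resolves against the system passwd and group tables, and from how directory mode bits work. The Python sketch below audits both; the sample tables are constructed, the uid 11 / gid 20 values and home paths are assumptions, and the function names are hypothetical.

```python
import stat

# Constructed sample data (not the poster's real files). AuthUserFile uses the
# /etc/passwd layout and AuthGroupFile the /etc/group layout; the id is field 3.
SYSTEM_PASSWD = "root:x:0:0::/root:/bin/bash\noperator:x:11:0::/root:/bin/bash\n"
SYSTEM_GROUP = "root:x:0:root\ngames:x:20:\n"
FTPD_PASSWD = ("test:$1$constructed:11:20::/wwwroot/test:/bin/false\n"
               "eudorafiredept.org:$1$constructed:4578:20::/wwwroot/eudora:/bin/false\n")
FTPD_GROUP = "webmasters:x:20:test,eudorafiredept.org\n"

def id_table(text):
    """Map numeric id -> name for passwd- or group-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            table.setdefault(int(fields[2]), fields[0])
    return table

def audit_virtual_users(ftpd_passwd, ftpd_group, sys_passwd, sys_group):
    """Report how each virtual user's files appear to ls -l on the host."""
    sys_uids, sys_gids = id_table(sys_passwd), id_table(sys_group)
    ftp_gids = id_table(ftpd_group)
    report = []
    for line in ftpd_passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        uid, gid = int(fields[2]), int(fields[3])
        report.append({
            "ftp_user": fields[0],
            "ftp_group": ftp_gids.get(gid),            # name shown inside the FTP session
            "ls_owner": sys_uids.get(uid, str(uid)),   # numeric when no system name exists
            "ls_group": sys_gids.get(gid, str(gid)),
            "collision": uid in sys_uids or gid in sys_gids,
        })
    return report

def dir_mode_issues(mode):
    """Flag directory modes that break uploads or over-share."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    for who, shift in (("group", 3), ("other", 0)):
        bits = (mode >> shift) & 0o7
        if bits & 0o6 and not bits & 0o1:  # r/w on a directory does nothing without x
            issues.append(who + " r/w bits unusable without x")
    return issues
```

A reported collision means the virtual account shares a numeric id with a real system account or group, so choosing ids outside the system range avoids both the confusing names and the shared file access.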