LinuxQuestions.org
Old 05-24-2003, 01:40 AM   #1
dynamo|x
LQ Newbie
 
Registered: May 2003
Location: Atlanta
Distribution: Red Hat 9
Posts: 16

Rep: Reputation: 0
vsftpd and file/directory permissions


Hello guys. I am trying to set up my ftp server and here is what I am trying to do: the root folder of my user is going to be /home/mp3. In the mp3 folder I will hold files that users can read but not write. Then under /home/mp3 I will create another subfolder, public; there I want people to read/write but not delete. So it will look like this:
/home/mp3 <-- Read only
/home/mp3/public <-- Read and Write

I have played with settings, but unless I give users execute permissions on the public folder, they cannot cd into it. Can I control directory/file rights with the ftp server, or does it have to be done with native Linux file permissions? Thank you.
 
Old 05-24-2003, 07:42 PM   #2
TheOther1
Member
 
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32

Hi!

I do the same on my Linux box. I set each user's home to whatever dir you want (/mp3 in your case) and set the login shell to /dev/null or /sbin/nologin. The /mp3 dir and everything under it should be owned by root with the following rights:
drwxr-xr-x

This allows them to browse and D/L but not modify or erase. I have an Upload dir under /mp3 (in your scenario) with the following rights (also owned by root):
drwxr-x-wt

Once they log in, they will go straight to the /mp3 dir and not be able to go higher in the tree. They can write to the Upload dir but cannot even see what they are writing, so they can't delete. Make sure they are in the chroot list or they can walk the tree and see things you may not want them to (like /etc/passwd)!!
 
Old 05-25-2003, 03:33 PM   #3
john0000
LQ Newbie
 
Registered: May 2003
Location: Allentown, PA
Distribution: Red Hat Linux 9
Posts: 6

Rep: Reputation: 0
I am also new to Linux, and I am also in the process of setting up my ftp server on Red Hat Linux using vsftp. It appears that I have followed enough instructions correctly to be able to log in to my server over the internet, forbid anonymous access, and allow two user accounts to access the ftp sites. The problem is I am able to cd to any directory on the machine. What I would like to do is have the following structure:

/ - Nobody has access here.
/home/ftpguys - Group A has access here.
/home/ftpguys/proj1 - Groups A & B have access here.

Right now, when I log in, it puts the right people in the right starting directories, but they're able to cd all over the place. Any advice would be greatly appreciated.

John Marco Panettiere
 
Old 05-25-2003, 08:01 PM   #4
TheOther1
Member
 
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32
Hi,

Quote:
/ - Nobody has access here.
/home/ftpguys - Group A has access here.
/home/ftpguys/proj1 - Groups A & B have access here.
That should be pretty simple. Try changing the users' home dir in Group A to /home/ftpguys and for Group B, make their home dir /home/ftpguys/proj1. Make sure everyone in those groups is in the chroot list file and you should be set!
 
Old 05-26-2003, 06:58 PM   #5
dynamo|x
LQ Newbie
 
Registered: May 2003
Location: Atlanta
Distribution: Red Hat 9
Posts: 16

Original Poster
Rep: Reputation: 0
Here is my question:

\mp3 dr-x------
\mp3\Upload drwx------

File owner= mp3 account
File group = mp3 group

I have to give my mp3 account execute permissions in order to change to the Upload folder. If I give them permissions to execute...they can delete my files in the upload folder. What can I do?

Thanks
 
Old 05-26-2003, 08:23 PM   #6
TheOther1
Member
 
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32
Like this:

First make sure all is owned by root
(chown -R root:root /mp3)

/mp3 - drwxr-xr-x
/mp3/Uploads - drwxr-x-wt

They cannot delete from any of the folders under /mp3 and can't even see the files in /mp3/Uploads even though they can change to that dir and create subdirs and write files.

That is exactly how I have my ftp server set up (excluding dir names) and it works great for me. I would also set the home dir for the mp3 account to /mp3 and chroot them in the chroot file.

Let me know how it works for you.
 
Old 05-27-2003, 11:02 AM   #7
dynamo|x
LQ Newbie
 
Registered: May 2003
Location: Atlanta
Distribution: Red Hat 9
Posts: 16

Original Poster
Rep: Reputation: 0
TheOther1: thanks for your help

You see, I want my users to be able to read and write to the Upload folder, but not delete. I want them to see the content of the Upload folder. Is it possible?

wt <-- What does it mean?


Thank you again
 
Old 06-01-2003, 09:37 PM   #8
TheOther1
Member
 
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32
Dynamo|X,

Sorry for not answering, I've been way too busy... Anyway, this is from the man page for chmod:

The letters `rwxXstugo' select the new permissions for the
affected users: read (r), write (w), execute (or access
for directories) (x), execute only if the file is a directory
or already has execute permission for some user (X),
set user or group ID on execution (s), save program text
on swap device (t), the permissions that the user who owns
the file currently has for it (u), the permissions that
other users in the file's group have for it (g), and the
permissions that other users not in the file's group have
for it (o).

I am pretty sure that if you can write to a file, you can delete it... Think about this; if I open a text file, delete all of the text and save it then technically I performed a write but all of the data in the file is gone.
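
Added example (not part of any post in this thread): a shell script that decodes the `ls -l` mode strings discussed above (`drwxr-xr-x`, `drwxr-x-wt`) into what an account that is neither the directory's owner nor in its group can do there, and builds the /mp3 layout in a constructed temporary directory to confirm the modes. The function names and the capability labels are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread; the temp directory is constructed.

# other_rights MODE: what a user who is neither the owner nor in the group
# (the FTP account, when everything is root:root) can do in a directory
# whose ls -l mode string is MODE, e.g. drwxr-x-wt.
other_rights() (
    r=$(printf '%s' "$1" | cut -c8)
    w=$(printf '%s' "$1" | cut -c9)
    x=$(printf '%s' "$1" | cut -c10)
    search=no; sticky=no; out=""
    case $x in
        x) search=yes ;;
        t) search=yes; sticky=yes ;;  # t = sticky bit plus search (x)
        T) sticky=yes ;;              # T = sticky bit without search
    esac
    if [ "$search" = yes ]; then out="$out cd"; fi
    if [ "$r" = r ]; then out="$out list"; fi
    if [ "$w" = w ] && [ "$search" = yes ]; then
        out="$out create"
        # Unlinking a name is a write to the directory, not to the file.
        if [ "$sticky" = yes ]; then
            out="$out delete-own-files-only"
        else
            out="$out delete-any-file"
        fi
    fi
    echo "${out# }"
)

# build_layout ROOT: create the thread's layout under ROOT and print the
# mode strings that ls reports for /mp3 and /mp3/Uploads.
build_layout() (
    mkdir -p "$1/mp3/Uploads"
    chmod 0755 "$1/mp3"           # drwxr-xr-x
    chmod 1753 "$1/mp3/Uploads"   # drwxr-x-wt
    ls -ld "$1/mp3" "$1/mp3/Uploads" | cut -c1-10
)

demo() (
    tmp=$(mktemp -d)
    build_layout "$tmp" | while read -r m; do
        echo "$m: $(other_rights "$m")"
    done
    # drwxr-xrwt (chmod 1757) adds listing to the upload directory.
    echo "drwxr-xrwt: $(other_rights drwxr-xrwt)"
    rm -rf "$tmp"
)
demo
```

On a directory the `t` is the sticky bit: a name in that directory can be removed or renamed only by the file's owner, the directory's owner, or root. Overwriting the contents of an existing file is governed by that file's own permission bits, not the directory's.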
 
  

