Ok I have three accounts and 2 folders for use with the FTP. All are set to sbin/nologin and are chrooted to their home directory.
Folders         Owner   Group     Permissions
/shared         upload  download  rwxr-xr-x
/shared/status  upload  status    rwxr-xr-x
User - Home
The upload user has access to do anything within /shared. They can read/write/enter in both /shared and the subdir /status.
The download user is used for reading (not writing!) from /shared. I don't really care if they can also read from /status as long as they cannot write anything anywhere.
The status user is only used to load an image from /shared status embedded on a webpage ("If you can see this image <img src="ftp://status
email@example.com/online.gif"> then the FTP is up") and it cannot write anything or read files outside the status folder.
What I'm concerned about is that I have upload having ownership of the folders, and not root or korff. Is this a security hole?
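Added example, not part of the original post: a small Python check that applies POSIX owner/group/other class selection to the two directories in the table above and reports what each FTP account can do, including whether it owns the directory and could therefore chmod it. It assumes each account is only in the group that shares its name, which the post does not state; the function and dictionary names are illustrative.

```python
# Constructed from the table in the post: path -> (owner, group, mode string).
DIRS = {
    "/shared": ("upload", "download", "rwxr-xr-x"),
    "/shared/status": ("upload", "status", "rwxr-xr-x"),
}

# Assumption (not stated in the post): each account is only in the group
# that shares its name.
GROUPS = {"upload": {"upload"}, "download": {"download"}, "status": {"status"}}


def effective_bits(user, owner, group, mode):
    """Return the rwx triplet that applies to `user`, using POSIX class
    selection: owner class first, then group, then other (no fall-through)."""
    if user == owner:
        return mode[0:3]
    if group in GROUPS[user]:
        return mode[3:6]
    return mode[6:9]


def access(user, path):
    """Effective access of `user` to directory `path`, requiring search (x)
    permission on every parent directory listed in DIRS."""
    owner, group, mode = DIRS[path]
    bits = effective_bits(user, owner, group, mode)
    parents = [p for p in DIRS if path.startswith(p + "/")]
    reachable = all("x" in effective_bits(user, *DIRS[p]) for p in parents)
    return {
        "list": reachable and "r" in bits,
        "enter": reachable and "x" in bits,
        # Creating, deleting or renaming entries needs both w and x on the directory.
        "modify": reachable and "w" in bits and "x" in bits,
        # Only the owner (or root) may chmod the directory.
        "can_chmod": user == owner,
    }


def report():
    return {(u, p): access(u, p) for u in GROUPS for p in DIRS}


if __name__ == "__main__":
    for (user, path), a in report().items():
        granted = [k for k, v in a.items() if v]
        print(f"{user:9} {path:15} {', '.join(granted) or 'none'}")
```

With these modes only upload can modify either directory, and only upload can change their modes. The status account still gets list and enter on /shared through the "other" bits, so keeping it inside the status folder would have to come from the chroot rather than from the directory permissions.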