LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-04-2006, 03:30 AM   #1
citrus
Member
 
Registered: Dec 2003
Location: California
Distribution: Kubuntu 6.1
Posts: 548

Rep: Reputation: 30
file permisions


i have an ftp server

in there i have a dir called upload
i set
chmod ugo=rwx upload/


let say user chad creats a folder in there

ls -alc
total 16
drwxrwxrwx 3 citrus root 4096 Jan 4 08:26 .
drwxr-xr-x 7 citrus 1000 8192 Jan 4 06:40 ..
drwxr-xr-x 2 chad users 4096 Jan 4 08:26 s

and then another user creats a dir

ls -alc
total 20
drwxrwxrwx 4 citrus root 4096 Jan 4 08:29 .
drwxr-xr-x 7 citrus 1000 8192 Jan 4 06:40 ..
drwxr-xr-x 2 citrus users 4096 Jan 4 08:29 d
drwxr-xr-x 2 chad users 4096 Jan 4 08:26 s


why is it that user chad can delete the d directory?
and how do i fix that?
 
Old 01-04-2006, 06:06 AM   #2
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
Deleting files or directories, just like moving them, is restricted only by the permissions of the PARENT
directory in which they reside, not on their own permissions.
This can be explained via the way a Linux file system works (with inodes and stuff), but I won't go into details.

Since you've done a
chmod ugo=rwx upload/
you've given write access to everybody. This means that chad can move around and delete anything in that directory.
Note that this is of course extremely insecure.

An example: you put a file in there that has permissions u=rw only, owned by your user, in which you store
some secrets like passwords.
Chad can then do, using only FTP:
rename your_secret_file his_file
This actually "moves" the file from one name to the other, so it is permitted!
chown chad his_file
Since he has become the owner after the rename, he can change the permissions of the file, making it for
instance readable, so he can find out your secrets.

One solution can be to restrict the permissions on the "upload" directory, but this can - if done incorrectly - lead to a situation where uploading is also impossible.
A better idea is to configure your FTP server so that it defines more clearly what is allowed and what is not.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
smbmount is ignoring file permisions, I've searched, but have no answer lostboy Linux - General 6 10-15-2005 11:24 AM
file permisions speedemonV12 Linux - Newbie 8 07-19-2005 12:03 PM
file permisions on /.fluxbox e1000 Slackware 1 11-22-2003 06:30 AM
looking up file permisions starwind Linux - Newbie 1 10-15-2003 08:33 PM
Permisions ToeShot Linux - General 2 11-30-2001 01:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 01:35 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration