LinuxQuestions.org
Old 04-20-2003, 09:55 PM   #1
paradoxlight
LQ Newbie
 
Registered: Jan 2002
Posts: 25

Rep: Reputation: 15
An odd case of FTP file permissions


I have a weird situation that I hope somebody can help with. I wish to use a Linux system to host an FTP site for an application to transfer files with.

Here are the issues:
- All users of this application use the same username and dump files into the same directory.
- Nobody should be able to re-read anything they put there.
- There is ONE file that everybody has full access to inside that directory

If I have to use different usernames that is OK though not preferable. They just should not be able to read anything dumped there.

What permissions do I use and do I have to use a sticky bit?
Seems every file that gets written automatically can be read back and I don't want this.

Then to throw in a kick I need to give a Windows system full access but I can deal with that later.

Thanx in advance
 
Old 04-20-2003, 10:07 PM   #2
wapcaplet
LQ Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
It sounds like you would probably need a sticky bit, to prevent anyone with write access from deleting or renaming stuff. I know that's how it's handled with stuff like /tmp, which is world-writable (but not world-readable).

I guess what you'd need is for everyone to have write access, but no read access (chmod 222, effectively) but I am not sure how to let a user create a file, but not be its owner. (Since if they're the owner, they can chmod it, which you don't want if they're to be able to write to them).
 
Old 04-20-2003, 10:19 PM   #3
wapcaplet
LQ Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
Maybe you can set UID on the directory? (is that even possible?)

From a secure programming howto:

setuid, setgid - when set on an executable file, executing the file will set the process' effective UID or effective GID to the value of the file's owning UID or GID (respectively). All Unix-like systems support this. When setgid is set on a directory, files created in the directory will have their GID automatically reset to that of the directory's GID. When setgid is set on a file that does not have any execute privileges, this indicates a file that is subject to mandatory locking during access (if the filesystem is mounted to support mandatory locking); this overload of meaning surprises many and is not universal across Unix-like systems.

If setting GID on a directory causes the created files to take on the GID, maybe there is a way to make created files take on the directory owner's UID?

I know you can set the umask for users, so that all created files are automatically non-readable, but like I said before, the user will still own the file and be able to change it to circumvent this.

Sorry I can't be of more help. Hard question!
 
Old 04-20-2003, 10:32 PM   #4
paradoxlight
LQ Newbie
 
Registered: Jan 2002
Posts: 25

Original Poster
Rep: Reputation: 15
Hey that is great information thanx both of ya.
I think I got the most of it resolved. I set the directory to have wx-wx-wx and it works great in terms of file access; however, there is still that one file that needs to have full access (called latest.num). I am going to try that last suggestion with the set uid, and I am hoping that that file will never change permissions but any new files will get the group ID that is locked down.

Thanx again.
 
Old 04-20-2003, 10:36 PM   #5
paradoxlight
LQ Newbie
 
Registered: Jan 2002
Posts: 25

Original Poster
Rep: Reputation: 15
There isn't a way to have one file override the rest of the directory is there?
Say through ACLs? (which I don't know how to use either)
 
Old 04-20-2003, 10:38 PM   #6
wapcaplet
LQ Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
I tried out some stuff on my own box. You can set UID or GID on a directory. Setting GID (by using chmod g+s) causes any file created there to be in that directory's group. i.e., if you have a directory 'test' in group 'users' and the GID bit set, any file that anyone creates in 'test' has 'users' for its group.

You'd think the same thing would apply for the UID bit, but I just tried it and it did not work. I wonder what the UID bit does for directories, then? For files, I know it means that if you execute them, it gets that user's permissions. (which is why set UID root should be avoided where possible).

I also tried looking through the chattr man page, but didn't see anything that would apply in your case (you may want to check it out though).

Anyhow, you got me really curious now. Does anyone know if there's a way for a file to not be owned by its creator?

i.e., Bob creates the file, but after creation, Jim is the owner.
 
Old 04-20-2003, 10:40 PM   #7
wapcaplet
LQ Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
Quote:
Originally posted by paradoxlight
There isn't a way to have one file override the rest of the directory is there?
Say through ACLs? (which I don't know how to use either)

Not that I know of... does this full-access file need to be totally modifiable by your users? (read/write/execute/delete)?

Also, do you want users to be able to see the contents of the directory? I think you at least have to have that turned on (execute permission on the directory) for them to read or write any files in there.

Last edited by wapcaplet; 04-20-2003 at 10:41 PM.
 
  


All times are GMT -5. The time now is 10:43 PM.
