Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
#1 | 04-20-2003, 09:55 PM | LQ Newbie | Registered: Jan 2002 | Posts: 25
An odd case of FTP file permissions
I have a weird situation that I hope somebody can help with. I wish to use a Linux system to host an FTP site for an application to transfer files with.
Here are the issues:
- All users of this application use the same username and dump files into the same directory.
- Nobody should be able to re-read anything they put there.
- There is ONE file that everybody has full access to inside that directory.
If I have to use different usernames that is OK, though not preferable. They just should not be able to read anything dumped there.
What permissions do I use, and do I have to use a sticky bit?
Seems every file that gets written can automatically be read back, and I don't want this.
Then to throw in a kick, I need to give a Windows system full access, but I can deal with that later.
Thanx in advance
#2 | 04-20-2003, 10:07 PM | LQ Guru | Registered: Feb 2003 | Location: Colorado Springs, CO | Distribution: Gentoo | Posts: 2,018
It sounds like you would probably need a sticky bit, to prevent anyone with write access from deleting or renaming stuff. I know that's how it's handled with stuff like /tmp, which is world-writable (but not world-readable).
I guess what you'd need is for everyone to have write access, but no read access (chmod 222, effectively) but I am not sure how to let a user create a file, but not be its owner. (Since if they're the owner, they can chmod it, which you don't want if they're to be able to write to them).
#3 | 04-20-2003, 10:19 PM | LQ Guru | Registered: Feb 2003 | Location: Colorado Springs, CO | Distribution: Gentoo | Posts: 2,018
Maybe you can set UID on the directory? (Is that even possible?)
From a secure programming howto:
setuid, setgid - when set on an executable file, executing the file will set the process' effective UID or effective GID to the value of the file's owning UID or GID (respectively). All Unix-like systems support this. When setgid is set on a directory, files created in the directory will have their GID automatically reset to that of the directory's GID. When setgid is set on a file that does not have any execute privileges, this indicates a file that is subject to mandatory locking during access (if the filesystem is mounted to support mandatory locking); this overload of meaning surprises many and is not universal across Unix-like systems.
If setting GID on a directory causes the created files to take on the GID, maybe there is a way to make created files take on the directory owner's UID?
I know you can set the umask for users, so that all created files are automatically non-readable, but like I said before, the user will still own the file and be able to change it to circumvent this.
Sorry I can't be of more help. Hard question!
#4 | 04-20-2003, 10:32 PM | LQ Newbie | Registered: Jan 2002 | Posts: 25 | Original Poster
Hey, that is great information, thanx both of ya.
I think I got most of it resolved. I set the directory to have wx-wx-wx and it works great in terms of file access; however, there is still that one file that needs to have full access (called latest.num). I am going to try that last suggestion with the set UID, and I am hoping that that file will never change permissions but any new files will get the group ID that is locked down.
Thanx again.
#5 | 04-20-2003, 10:36 PM | LQ Newbie | Registered: Jan 2002 | Posts: 25 | Original Poster
There isn't a way to have one file override the rest of the directory, is there?
Say through ACLs? (Which I don't know how to use either.)
#6 | 04-20-2003, 10:38 PM | LQ Guru | Registered: Feb 2003 | Location: Colorado Springs, CO | Distribution: Gentoo | Posts: 2,018
I tried out some stuff on my own box. You can set UID or GID on a directory. Setting GID (by using chmod g+s) causes any file created there to be in that directory's group, i.e., if you have a directory 'test' in group 'users' and the GID bit set, any file that anyone creates in 'test' has 'users' for its group.
You'd think the same thing would apply for the UID bit, but I just tried it and it did not work. I wonder what the UID bit does for directories, then? For files, I know it means that if you execute them, it gets that user's permissions (which is why set UID root should be avoided where possible).
I also tried looking through the chattr man page, but didn't see anything that would apply in your case (you may want to check it out though).
Anyhow, you got me really curious now. Does anyone know if there's a way for a file to not be owned by its creator?
I.e., Bob creates the file, but after creation, Jim is the owner.
#7 | 04-20-2003, 10:40 PM | LQ Guru | Registered: Feb 2003 | Location: Colorado Springs, CO | Distribution: Gentoo | Posts: 2,018
Quote:
Originally posted by paradoxlight
There isn't a way to have one file override the rest of the directory, is there?
Say through ACLs? (Which I don't know how to use either.)
Not that I know of... does this full-access file need to be totally modifiable by your users (read/write/execute/delete)?
Also, do you want users to be able to see the contents of the directory? I think you at least have to have that turned on (execute permission on the directory) for them to read or write any files in there.
Last edited by wapcaplet; 04-20-2003 at 10:41 PM.
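An added example, not code from the thread, that builds the layout the posts converge on: a sticky, setgid, wx-only directory (mode 3333, the wx-wx-wx of post #4 plus the bits from posts #2 and #6) holding one world read/write latest.num, with uploads landing as 0600 via a umask of 077 as post #3 suggests. It assumes GNU coreutils stat and a Linux filesystem; the function names are mine, and with one shared upload account every file still has the same owner, which is the limitation posts #2 and #3 raise.

```shell
#!/bin/sh
# Constructed drop-directory example (not from the thread).
# Assumes GNU coreutils `stat -c` and a Linux filesystem that honours
# the setgid bit on directories (files inherit the directory's group).

# Create the drop directory and its one shared file.
setup_dropbox() {                 # $1 = directory to create
    dir=$1
    mkdir -p "$dir"
    # 3333 = setgid (2) + sticky (1), then -wx-wx-wx:
    #   no 'r' anywhere  -> nobody (except root) can list the directory
    #   'x'              -> files can still be reached by exact name
    #   'w'              -> anyone may create files
    #   sticky           -> only a file's owner may delete or rename it
    #   setgid           -> new files take the directory's group
    chmod 3333 "$dir"
    : > "$dir/latest.num"         # the single file everybody may read and write
    chmod 666 "$dir/latest.num"
}

# Simulate one upload the way an FTP daemon with umask 077 would store it:
# 0666 & ~077 = 0600, so only the owning account can read the file back.
upload() {                        # $1 = drop dir, $2 = file name, $3 = content
    ( umask 077; printf '%s\n' "$3" > "$1/$2" )
}

mode_of()  { stat -c %a "$1"; }   # octal mode, special bits included (e.g. 3333)
group_of() { stat -c %g "$1"; }   # numeric gid

# Verify an upload is private (0600) and inherited the directory's group.
check_upload() {                  # $1 = drop dir, $2 = file name
    [ "$(mode_of "$1/$2")" = 600 ] &&
    [ "$(group_of "$1/$2")" = "$(group_of "$1")" ]
}

# Stand-alone run: build a throwaway drop directory and check one upload.
if [ "${DROPBOX_DEMO:-1}" = 1 ]; then
    demo=$(mktemp -d)/drop
    setup_dropbox "$demo"
    upload "$demo" report.txt "sample upload (constructed)"
    check_upload "$demo" report.txt && echo "drop dir OK: $demo"
fi
```

Run it as the account the daemon uses, not as root, since root ignores the missing read bit and would make the listing restriction look broken or absent.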