LinuxQuestions.org


Garp 07-29-2005 06:55 AM

chmod rights over ftp/telnet
 
I'm a little baffled at the moment. We have a Red Hat Enterprise Linux 4 box which ultimately will be replacing our win32 apache box to host our intranet pages, and probably internet too (we're merging with an organisation that has theirs hosted externally.. no one has worked out which way we're going yet with that :D)

I'm not too hot on locking up the box, but got the redhat firewall running restricting services, and our hardware firewall locks down the incoming traffic onto site. On site I can telnet to the box to admin it where needed, but externally only have ftp access. Root cannot login over ftp, but can over telnet which is fine as far as I'm aware?
Two user accounts have been made, one for myself and one for the boss so that we can ftp into the server and upload any new webcontent, both of which exist in a webteam group. Apache has its own user account and group.
Following advice in an Apache2 book on how to secure it under linux, I've run "chmod -R 2570 *" from the root of the htdocs folder, and "chown -R httpd.webteam", so that apache can read and execute but not modify files, and in theory both mine and my boss's accounts can read/write/execute all files. We've tested this and both of us can upload, delete and modify files over ftp or through telnet. However, neither of us can "chmod" any files over ftp which we'd like to do where possible. Obviously I'd rather not have root enabled for ftp access!

An example file having run "ls -l":
-r-xrws--- 1 httpd webteam 13671152 Jul 1 14:34 moodle-latest-15.tgz

I know I'm possibly missing something obvious, can anyone advise me on what I've messed up :D?

maxut 07-29-2005 09:47 AM

Re: chmod rights over ftp/telnet
 
first, why do u use telnet? it is unsecure. u should prefer ssh. it is secure and also u can transfer files via ssh (scp).

i don't know what ftp server u use. but all of them must have an option for file create mode. so the files should be able to be created with those rights. take a look at the config file of your ftp server.

good luck.

Garp 07-29-2005 04:32 PM

Re: Re: chmod rights over ftp/telnet
 
Quote:

Originally posted by maxut
first, why do u use telnet? it is unsecure. u should prefer ssh. it is secure and also u can transfer files via ssh (scp).

i don't know what ftp server u use. but all of them must have an option for file create mode. so the files should be able to be created with those rights. take a look at the config file of your ftp server.

good luck.

You know what.. I've got no idea why I said telnet?! I'm using SSH (Putty to be precise..) Doh!

It's definitely a user rights thing, we can create files, not chmod them which we need to do.
I can log in to a console screen and face exactly the same thing, can't change file rights that I have full rights to as part of the webteam group.

demian 07-29-2005 05:52 PM

Only the owner (httpd in this case) and root can change a file's permission

aqoliveira 07-30-2005 09:45 AM

Howzit

U have to set the sticky bit permission on the group permission so that when any user accesses a common directory for everybody they are able to create a file and it gives them all the same user and group perms for everybody. Sticky bit perms look like this drwxrwsr_x as u can see the s represents the sticky bit when it is active.

Read more on the following site http://www.geocities.com/tipsforlinux/articles/028.html

cheers

Garp 08-01-2005 05:15 AM

Quote:

Originally posted by demian
Only the owner (httpd in this case) and root can change a file's permission

There's no way to make that apply by group?

Is there another way I can allow specified users chmod rights without compromising security?

Quote:

Originally posted by aqoliveira
Howzit

U have to set the sticky bit permission on the group permission so that when any user accesses a common directory for everybody they are able to create a file and it gives them all the same user and group perms for everybody. Sticky bit perms look like this drwxrwsr_x as u can see the s represents the sticky bit when it is active.

Read more on the following site http://www.geocities.com/tipsforlinux/articles/028.html

cheers

Does that only apply to new files added after the event? Would only that individual user and root be able to then change permissions later on down the line? So if, say, my boss uploaded a new file and gave it the wrong file rights, I'd have to use root to put them right (or get him to change them himself)

aqoliveira 08-01-2005 01:26 PM

Howzit

U have two ways in doing this:

1. U can create a group and then set the sticky bit so that everyone that belongs to that group will have the same permissions when creating a file, not sure if u will be able to change the perms for each individual. e.g. drwxrwsr_x "chmod 1775 xyz"

2. Creating a directory then set the sticky bit to the directory where everyone that creates a file in that directory remains the owner and then he is able to change the perms and allow other people to read and edit that file. e.g. drwxrwsrwt "chmod 2755 xyz"

Hope this helps

cheers

Garp 08-03-2005 04:16 AM

Sorry to be a pain, I still can't resolve this.

I tried your suggestion in option 1, in a testing area. I created the folder whilst logged in as root, and then chowned it the same way as the htdocs and subfolders are:

drwxrwxr-t 2 httpd webteam 4096 Aug 3 09:34 testfolder

Nice t mark showing sticky bit :D

I then logged in with my account, which is part of the webteam, and was able to upload and chmod files I'd put there. When I got my boss to log in, whose account is also part of the webteam group, he wasn't able to chmod the file. :scratch:

Am I just barking up the wrong tree here, asking the impossible?

aqoliveira 08-03-2005 07:58 AM

Howzit

This is what's wrong with your setup. If u use 1755 for example this will allow a user to create files in that directory and keep his original permissions, e.g.

- create directory /tmp/tony where tony is the common area for everyone
- set permissions chmod 1755 /tmp/test
- permissions look like this drwxr_xr_t for test
- when users create their files in this directory then perms they originally had remain the same (e.g. user name tony group tony)
- cd /tmp/test
- touch test1 (create an empty file)
- ls -la
- test will look like this rw_rw_r_ tony tony test1

if u use 2755 this will allow u to have a common area where the group name always set to the one u specify no matter what the group name was for the original user

- create directory /tmp/tony where tony is the common area for everyone
- set permissions chmod 2775 /tmp/test1
- permissions look like this drwxrwsr_x for test1
- when users create their files in this directory then perms they receive is the one set originally by the local directory but this is only true for the group as the user perms remain the same for the user that created it (e.g. user name tony group tony)
- cd /tmp/test1
- original perms for the test1 directory is root:test1
- touch test2 (create an empty file)
- ls -la
- test will look like this rw_rw_r_ tony test1 test2

In both cases u are able to change the perms

This

Garp 08-04-2005 06:20 AM

This doesn't fix anything.. sure the default group for any files created in the folder is now webteam, but still only the file creator can change its CHMOD rights, no matter what permissions are set on the folder, be it 2775, 1775, 7775, or anything, I just keep coming back to "chmod: changing permissions of `test1': Operation not permitted"

I guess I'm just going to have to create a common login account for myself and the boss, otherwise we're never going to be able to administer the website.:(
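
Added example, not written by any poster in this thread: a Python sketch (Linux assumed) that decodes the modes quoted above, models the chmod ownership rule demian describes, and shows that in a setgid directory the umask in force at upload time decides whether new files are group-writable from the start. The UIDs 500/501 and the names htdocs and page.html are constructed for illustration.

```python
import os
import stat
import tempfile

SPECIAL = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"), (stat.S_ISVTX, "sticky"))

def describe(mode, is_dir=False):
    """Return (ls-style string, special bits set) for an octal permission mode."""
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(kind | mode), [name for bit, name in SPECIAL if mode & bit]

def may_chmod(caller_uid, owner_uid, has_cap_fowner=False):
    """Model of the Linux chmod(2) ownership check: the caller must own the file
    or hold CAP_FOWNER (root). Group membership and the mode of the parent
    directory are not consulted."""
    return has_cap_fowner or caller_uid == owner_uid

def shared_dir_demo(umask):
    """Create a file in a 2775 directory under `umask`; return
    (file mode, True if the file took the directory's group)."""
    with tempfile.TemporaryDirectory() as top:
        shared = os.path.join(top, "htdocs")      # constructed name
        page = os.path.join(shared, "page.html")  # constructed name
        os.mkdir(shared)
        os.chmod(shared, 0o2775)                  # setgid + rwxrwxr-x
        old = os.umask(umask)
        try:
            os.close(os.open(page, os.O_CREAT | os.O_WRONLY, 0o666))
        finally:
            os.umask(old)
        st = os.stat(page)
        return stat.S_IMODE(st.st_mode), st.st_gid == os.stat(shared).st_gid

if __name__ == "__main__":
    # Modes that appear in the thread: 2570 on files, 1775 and 2775 on directories.
    for mode, is_dir in ((0o2570, False), (0o1775, True), (0o2775, True)):
        print(oct(mode), *describe(mode, is_dir))
    # Constructed UIDs: 500 owns the file, 501 is another webteam member.
    print("owner may chmod:", may_chmod(500, 500))
    print("group member may chmod:", may_chmod(501, 500))
    for umask in (0o022, 0o002):
        mode, same_group = shared_dir_demo(umask)
        print(f"umask {umask:03o}: file mode {mode:03o}, group inherited: {same_group}")
```

The leading octal digit 2 is setgid (shown as `s` in the group triplet) and 1 is the sticky bit (shown as `t`); neither changes who may call chmod on a file.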


All times are GMT -5.