[SOLVED] Prevent subdirectory creation while allowing file creation
I am using CentOS 5.6 with ext3. Users will log in via ftps (I'm using vsftpd), but I'm hoping to solve this at the file system level.
vsftpd is set to chroot them. ftps is working fine. Each user will own their subdirectory - no one else will have access.
*They should be able to write files in their chrooted directory but NOT write subdirectories.*
I've checked man on vsftpd.conf and briefly looked into selinux on this topic. I've looked on the Internet and see others that have posted about this, but with no real answer.
I could do a cron every minute to delete files that don't belong but don't like that solution.
I want them to be prevented during initial creation of a subdirectory.
cmds_denied
This option specifies a comma-separated list of denied FTP commands (post login. USER, PASS, QUIT and others are always allowed pre-login). If a command appears on both this and cmds_allowed then the denial takes precedence. (Added in v2.1.0).
Thanks to both of you! My vsftpd version is older than 2.1.0 so I had to use the cmds_allowed stanza. For the complete list of commands, I went to http://viki.brainsware.org/?en/cmds_allowed.
If it helps someone, my syntax is (minus MKD):
cmds_allowed=ABOR,ACCT,ALLO,APPE,CDUP,CWD,DELE,EPRT,EPSV,FEAT,HELP,LIST,MDTM,MODE,NLST,NOOP,OPTS,PASS,PASV,PORT,PWD,QUIT,REIN,REST,RETR,RMD,RNFR,RNTO,SITE,SIZE,SMNT,STAT,STOR,STOU,STRU,SYST,TYPE,USER,XCUP,XCWD,XMKD,XPWD,XRMD,ADAT,AUTH,CCC,CLNT,CONF,ENC,GET,LPRT,LPSV,MGET,MIC,MPUT,PBSZ,PROT,PUT
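An added example (not from the thread or the vsftpd project): a shell check that reads a vsftpd.conf and reports which directory-creating commands the cmds_allowed and cmds_denied filters discussed above still let through. It assumes XMKD, the older RFC 775 form of MKD, counts as directory-creating alongside MKD; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the command filters in a vsftpd.conf for FTP commands
# that can still create directories. MKD_CMDS is this example's assumption:
# MKD plus XMKD, the RFC 775 alias for the same operation.
MKD_CMDS="MKD XMKD"

# Print the value of the last uncommented "name=value" line, if any.
conf_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d '\r'
}

# True if command $1 appears in the comma-separated list $2.
in_list() {
    printf '%s' "$2" | tr ',' '\n' | grep -qxF "$1"
}

# Print the directory-creating commands that neither filter blocks.
# Other settings (write_enable, file system permissions) are not considered.
unfiltered_mkdir_cmds() {
    conf=$1
    allowed=$(conf_value cmds_allowed "$conf")
    denied=$(conf_value cmds_denied "$conf")
    out=""
    for cmd in $MKD_CMDS; do
        # With cmds_allowed set, anything not listed is refused.
        if [ -n "$allowed" ] && ! in_list "$cmd" "$allowed"; then
            continue
        fi
        # cmds_denied (v2.1.0 and later) takes precedence over cmds_allowed.
        if [ -n "$denied" ] && in_list "$cmd" "$denied"; then
            continue
        fi
        out="${out:+$out }$cmd"
    done
    printf '%s\n' "$out"
}

# Constructed sample configs (not taken from a real server).
demo_dir=$(mktemp -d)
printf 'cmds_allowed=CWD,LIST,PASV,RETR,STOR,XMKD,QUIT\n' > "$demo_dir/allow_only.conf"
printf 'cmds_allowed=CWD,LIST,MKD,STOR\ncmds_denied=MKD,XMKD\n' > "$demo_dir/both.conf"
printf 'write_enable=YES\n' > "$demo_dir/no_filter.conf"

for f in allow_only both no_filter; do
    printf '%s: [%s]\n' "$f" "$(unfiltered_mkdir_cmds "$demo_dir/$f.conf")"
done
```

An empty result means both MKD and XMKD are blocked by the command filters; any command printed is one a logged-in client can still send.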
Actually, my knowledge of vsftpd is pretty limited; what I always do is go here: https://security.appspot.com/vsftpd/vsftpd_conf.html, which is the official conf page as redirected from the home site vsftpd.beasts.org.