LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-27-2011, 06:37 PM   #1
bweddell
LQ Newbie
 
Registered: Jul 2011
Posts: 11

Rep: Reputation: Disabled
Prevent subdirectory creation while allowing file creation


I am using CentOS 5.6 with ext3. Users will login ftps (I'm using vsftpd), but I'm hoping to solve this at the file system level.

vsftpd is set to chroot them. ftps is working fine. Each user will own their subdirectory - no one else will have access.

*They should be able to write files in their chrooted directory but NOT write subdirectories.*

I've checked man on vsftpd.conf and briefly looked into selinux on this topic. I've looked on the Internet and see others that have posted about this, but with no real answer.

I could do a cron every minute to delete files that don't belong but don't like that solution.

I want them to be prevented during initial creation of a subdirectory.

Anyone have a suggestion?
 
Old 07-27-2011, 06:53 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
try "cmds_allowed=" and specify all commands (ABOR,APPE,CWD,DELE,HELP,LIST,MDTM,etc,etc) except "MKD"?
 
Old 07-28-2011, 12:46 AM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,417

Rep: Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397
Alternately
Quote:
cmds_denied
This options specifies a comma separated list of denied FTP commands (post login. USER, PASS, QUIT and others are always allowed pre-login). If a command appears on both this and cmds_allowed then the denial takes precedence. (Added in v2.1.0).

Default: (none)
if you have a recent enough version
 
1 members found this post helpful.
Old 07-28-2011, 08:29 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Quote:
Originally Posted by chrism01 View Post
Alternately
Quote:
cmds_denied
Missed that option... Nice find!
 
Old 07-28-2011, 11:24 AM   #5
bweddell
LQ Newbie
 
Registered: Jul 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled
Thanks to both of you! My vsftpd version is older than 2.1.0 so I had to use the cmds_allowed stanza. For the complete list of commands, I went to http://viki.brainsware.org/?en/cmds_allowed.

If it helps someone, my syntax is (minus MKD):
cmds_allowed=ABOR,ACCT,ALLO,APPE,CDUP,CWD,DELE,EPRT,EPSV,FEAT,HELP,LIST,MDTM,MODE,NLST,NOOP,OPTS,PAS S,PASV,PORT,PWD,QUIT,REIN,REST,RETR,RMD,RNFR,RNTO,SITE,SIZE,SMNT,STAT,STOR,STOU,STRU,SYST,TYPE,USER, XCUP,XCWD,XMKD,XPWD,XRMD,ADAT,AUTH,CCC,CLNT,CONF,ENC,GET,LPRT,LPSV,MGET,MIC,MPUT,PBSZ,PROT,PUT
 
Old 07-31-2011, 09:54 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,417

Rep: Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397
@unSpawn: Thx

Actually, my knowledge of vsftpd is pretty limited; what I always do is go here https://security.appspot.com/vsftpd/vsftpd_conf.html which is the official conf page as re-directed from the home site vsftpd.beasts.org

HTH others
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SELinux prevent snapshot lv creation Dig Linux - Server 8 04-07-2010 04:25 PM
creation of file system shirshbansal Linux - Kernel 3 03-24-2010 03:19 PM
Allowing the creation of MYSQL databases by a user rustyz82 Linux - Software 5 06-26-2006 02:11 AM
File Creation Time? enine Linux - General 9 05-17-2006 12:46 PM
file creation in C ratheesh Programming 1 01-08-2004 06:39 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:25 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration