LinuxQuestions.org


dynamo|x 05-24-2003 01:40 AM

vsftpd and file/directory permissions
 
Hello guys. I am trying to set up my FTP server and here is what I am trying to do: the root folder of my user is going to be /home/mp3. In the mp3 folder I will hold files that users can read but not write. Then under /home/mp3 I will create another subfolder, public, where I want people to read/write but not delete. So it will look like this:
/home/mp3 <-- Read only
/home/mp3/public <-- Read and Write

I have played with settings, but unless I give users execute permissions on the public folder, they cannot cd into it. Can I control directory/file rights with the FTP server, or does it have to be done with native Linux file permissions? Thank you

TheOther1 05-24-2003 07:42 PM

Hi!

I do the same on my Linux box. I set each user's home to whatever dir you want (/mp3 in your case) and set the login shell to /dev/null or /sbin/nologin. The /mp3 dir and everything under it should be owned by root with the following rights:
drwxr-xr-x

This allows them to browse and D/L but not modify or erase. I have an Upload dir under /mp3 (in your scenario) with the following rights (also owned by root):
drwxr-x-wt

Once they log in, they will go straight to the /mp3 dir and not be able to go higher in the tree. They can write to the Upload dir but can not even see what they are writing so they can't delete. Make sure they are in the chroot list or they can walk the tree and see things you may not want them to (like /etc/passwd)!!

john0000 05-25-2003 03:33 PM

I am also new to Linux, and I am also in the process of setting up my ftp server on Red Hat Linux using vsftp. It appears that I have followed enough instructions correctly to be able to log in to my server over the internet, forbid anonymous access, and allow two user accounts to access the ftp sites. The problem is I am able to cd to any directory on the machine. What I would like to do is have the following structure:

/ - Nobody has access here.
/home/ftpguys - Group A has access here.
/home/ftpguys/proj1 - Groups A & B have access here.

Right now, when I log in, it puts the right people in the right starting directories, but they're able to cd all over the place. Any advice would be greatly appreciated.

John Marco Panettiere

TheOther1 05-25-2003 08:01 PM

Hi,

Quote:

/ - Nobody has access here.
/home/ftpguys - Group A has access here.
/home/ftpguys/proj1 - Groups A & B have access here.

That should be pretty simple. Try changing the users' home dir in Group A to /home/ftpguys and for Group B, make their home dir /home/ftpguys/proj1. Make sure everyone in those groups is in the chroot list file and you should be set!

dynamo|x 05-26-2003 06:58 PM

Here is my question:

\mp3 dr-x------
\mp3\Upload drwx------

File owner= mp3 account
File group = mp3 group

I have to give my mp3 account execute permissions in order to change to the Upload folder. If I give them permissions to execute...they can delete my files in the upload folder. What can I do?

Thanks

TheOther1 05-26-2003 08:23 PM

Like this:

First make sure all is owned by root
(chown -R root:root /mp3)

/mp3 - drwxr-xr-x
/mp3/Uploads - drwxr-x-wt

They can not delete from any of the folders under /mp3 and can't even see the files in /mp3/Uploads even though they can change to that dir and create subdirs and write files.

That is exactly how I have my ftp server set up (excluding dir names) and it works great for me. I would also set the home dir for the mp3 account to /mp3 and chroot them in the chroot file.

Let me know how it works for you.

dynamo|x 05-27-2003 11:02 AM

TheOther1: thanks for your help

You see, I want my users to be able to read and write to the Upload folder, but not delete. I want them to see the content of the Upload folder. Is it possible?

wt <-- What does it mean?


Thank you again

TheOther1 06-01-2003 09:37 PM

Dynamo|X,

Sorry for not answering, I've been way too busy... Anyway, this is from the man page for chmod:

The letters `rwxXstugo' select the new permissions for the affected users: read (r), write (w), execute (or access for directories) (x), execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), save program text on swap device (t), the permissions that the user who owns the file currently has for it (u), the permissions that other users in the file's group have for it (g), and the permissions that other users not in the file's group have for it (o).

I am pretty sure that if you can write to a file, you can delete it... Think about this; if I open a text file, delete all of the text and save it then technically I performed a write but all of the data in the file is gone.
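
Added example (not part of any post in this thread): a small shell script that applies the directory modes discussed above to a scratch directory and decodes what the "other" class can do with each one. The function names `symbolic_mode` and `describe_other` are made up for this illustration, the octal modes 1757 and 757 are extra comparison cases, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, constructed for illustration; works only in a temp directory.

# symbolic_mode OCTAL: chmod a scratch directory to OCTAL and print the
# mode string the system reports for it (GNU coreutils stat assumed).
symbolic_mode() {
    d=$(mktemp -d) || return 1
    chmod "$1" "$d"
    stat -c '%A' "$d"
    rmdir "$d"
}

# describe_other MODESTRING: what a user who is neither owner nor in the
# group can do in a directory with this mode. Removing or renaming an entry
# is governed by the directory's w+x bits, not by the file's own mode; with
# the sticky bit (t) only the entry's owner, the directory's owner or root
# may remove it.
describe_other() {
    trip=$(printf '%s' "$1" | cut -c8-10)   # the "other" triplet
    r=${trip%??}                            # first character
    w=${trip#?}; w=${w%?}                   # middle character
    x=${trip#??}                            # last character: x, t, T or -
    enter=no; list=no; create=no; delete_others=no
    case $x in x|t) enter=yes ;; esac       # x = search (cd into) the directory
    if [ "$r" = r ]; then list=yes; fi      # r = read the list of names
    if [ "$w" = w ] && [ "$enter" = yes ]; then
        create=yes                          # w+x = add entries
        if [ "$x" != t ]; then delete_others=yes; fi
    fi
    printf 'enter=%s list=%s create=%s delete_others=%s\n' \
        "$enter" "$list" "$create" "$delete_others"
}

# 755  = drwxr-xr-x : browse and download only
# 1753 = drwxr-x-wt : blind drop box (write without listing)
# 1757 = drwxr-xrwt : list and write, sticky bit restricts deletion
# 757  = drwxr-xrwx : list and write, anyone can delete anything
for m in 755 1753 1757 757; do
    s=$(symbolic_mode "$m")
    printf '%-5s %s  %s\n' "$m" "$s" "$(describe_other "$s")"
done
```

Under the sticky bit a user can still remove entries they own, so whether uploads are protected from each other also depends on whether the FTP logins are separate accounts.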


All times are GMT -5.