?
Solved

Permissions and FTP daemons

Posted on 2002-04-23
7
Medium Priority
?
269 Views
Last Modified: 2013-12-15
Hi,

I have this scenario:

I have a user "bob" whose $HOME is /var/www/html. Permissions on this directory are like so: drwxr-xr-x   15 bob bob         4096 Apr 19 15:52 html
I also have a user "foo" whose $HOME is /var/www/html/foo. Permissions on this dir are like so: drwxr-xr-x   55 bob bob         4096 Apr 15 16:13 foo
Now, there's a file in /var/www/html/foo/index.php whose permissions are like so: -rw-r--r--    1 bob bob    16263 Apr  3 17:04 /var/www/html/foo/index.php
If user "foo" does an FTP session, why _CAN_ he delete the file /var/www/html/foo/index.php ???
The users have different uids and gids.
I have tested this on wu-ftpd, pureftpd and proftpd and am running RedHat 6.2 and 7.2.

Maybe this can help?

[root@mirror root]# ls -al /var/www/html/foo/
total 472
drwxr-xr-x   55 bob      bob         4096 Apr 15 16:13 .
drwxr-xr-x   15 bob      bob         4096 Apr 19 15:52 ..
-rw-r--r--    1 bob      bob        16263 Apr  3 17:04 index.php
0
Comment
Question by:chaduka
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 6962900
Tell me more about how you have FTP set up and how users establish their FTP session. I use wu-ftp and ProFTP and a user can't delete a file that they don't have rights to, so it must be something related to how you are using FTP.
0
 
LVL 1

Author Comment

by:chaduka
ID: 6962926
Okay, I have managed to find out why. It's the directory permissions that are screwed up. Fact: directory permissions take precedence over any file permissions within that directory.
0
 
LVL 40

Accepted Solution

by:
jlevie earned 300 total points
ID: 6963001
Yep, that'll do it. You need to make certain the directories of users are no more permissive than 755 (rwxr-xr-x). Other (world) read and search permission are needed in this case so that the web server can access the contents. In most other cases a home dir can be 700 (rwx------).

I good thing to do for a web server that hosts a number of virtual domains is to use ProFTP and configure it to chroot each user into their login directory. This, regardless of directory permissions, will prevent an FTP user from being able to delete or view files that aren't in their login dir. They can't even see anything else on the system.
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
LVL 1

Author Comment

by:chaduka
ID: 6963024
Yeah, well, on most boxes, I run ncftpd and it's got that chroot feature. Was just being buffled by the way this one was behaving, only to find out that a directory high up there, the /var/www directory, was set to drwxrwxrwx. /me cries. ..some people!
0
 
LVL 1

Author Comment

by:chaduka
ID: 6963038
...well, just thought I should give you the points that were at stake anyway.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6963081
NcFTP is great stuff. ProFTP is almost as good and has much of the same capabilities. The documentation for ProFTP isn't nearly as good though (IMHO).
0
 
LVL 1

Author Comment

by:chaduka
ID: 6963115
I have gotten used to NcFTPd. I will try understand ProFTP. Heard PureFTPd is quite excellent as well.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Over the last ten+ years I have seen Linux configuration tools come and go. In the early days there was the tried-and-true, all-powerful linuxconf that many thought would remain the one and only Linux configuration tool until the end of times. Well,…
If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses
Course of the Month12 days, 8 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question