Solved

Permissions and FTP daemons

Posted on 2002-04-23
7
263 Views
Last Modified: 2013-12-15
Hi,

I have this scenario:

I have a user "bob" whose $HOME is /var/www/html. Permissions on this directory are like so: drwxr-xr-x   15 bob bob         4096 Apr 19 15:52 html
I also have a user "foo" whose $HOME is /var/www/html/foo. Permissions on this dir are like so: drwxr-xr-x   55 bob bob         4096 Apr 15 16:13 foo
Now, there's a file in /var/www/html/foo/index.php whose permissions are like so: -rw-r--r--    1 bob bob    16263 Apr  3 17:04 /var/www/html/foo/index.php
If user "foo" does an FTP session, why _CAN_ he delete the file /var/www/html/foo/index.php ???
The users have different uids and gids.
I have tested this on wu-ftpd, pureftpd and proftpd and am running RedHat 6.2 and 7.2.

Maybe this can help?

[root@mirror root]# ls -al /var/www/html/foo/
total 472
drwxr-xr-x   55 bob      bob         4096 Apr 15 16:13 .
drwxr-xr-x   15 bob      bob         4096 Apr 19 15:52 ..
-rw-r--r--    1 bob      bob        16263 Apr  3 17:04 index.php
0
Comment
Question by:chaduka
  • 4
  • 3
7 Comments
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
Tell me more about how you have FTP set up and how users establish their FTP session. I use wu-ftp and ProFTP and a user can't delete a file that they don't have rights to, so it must be something related to how you are using FTP.
0
 
LVL 1

Author Comment

by:chaduka
Comment Utility
Okay, I have managed to find out why. It's the directory permissions that are screwed up. Fact: directory permissions take precedence over any file permissions within that directory.
0
 
LVL 40

Accepted Solution

by:
jlevie earned 100 total points
Comment Utility
Yep, that'll do it. You need to make certain the directories of users are no more permissive than 755 (rwxr-xr-x). Other (world) read and search permission are needed in this case so that the web server can access the contents. In most other cases a home dir can be 700 (rwx------).

I good thing to do for a web server that hosts a number of virtual domains is to use ProFTP and configure it to chroot each user into their login directory. This, regardless of directory permissions, will prevent an FTP user from being able to delete or view files that aren't in their login dir. They can't even see anything else on the system.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 1

Author Comment

by:chaduka
Comment Utility
Yeah, well, on most boxes, I run ncftpd and it's got that chroot feature. Was just being buffled by the way this one was behaving, only to find out that a directory high up there, the /var/www directory, was set to drwxrwxrwx. /me cries. ..some people!
0
 
LVL 1

Author Comment

by:chaduka
Comment Utility
...well, just thought I should give you the points that were at stake anyway.
0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
NcFTP is great stuff. ProFTP is almost as good and has much of the same capabilities. The documentation for ProFTP isn't nearly as good though (IMHO).
0
 
LVL 1

Author Comment

by:chaduka
Comment Utility
I have gotten used to NcFTPd. I will try understand ProFTP. Heard PureFTPd is quite excellent as well.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

This is the error message I got (CODE) Error caused by incompatible libmp3lame 3.98-2 with ffmpeg I've googled this error message and found out sometimes it attaches this note "can be treated with downgrade libmp3lame to version 3.97 or 3.98" …
SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now