Permissions and FTP daemons

Posted on 2002-04-23
Last Modified: 2013-12-15

I have this scenario:

I have a user "bob" whose $HOME is /var/www/html. Permissions on this directory are like so: drwxr-xr-x   15 bob bob         4096 Apr 19 15:52 html
I also have a user "foo" whose $HOME is /var/www/html/foo. Permissions on this dir are like so: drwxr-xr-x   55 bob bob         4096 Apr 15 16:13 foo
Now, there's a file in /var/www/html/foo/index.php whose permissions are like so: -rw-r--r--    1 bob bob    16263 Apr  3 17:04 /var/www/html/foo/index.php
If user "foo" does an FTP session, why _CAN_ he delete the file /var/www/html/foo/index.php ???
The users have different uids and gids.
I have tested this on wu-ftpd, pureftpd and proftpd and am running RedHat 6.2 and 7.2.

Maybe this can help?

[root@mirror root]# ls -al /var/www/html/foo/
total 472
drwxr-xr-x   55 bob      bob         4096 Apr 15 16:13 .
drwxr-xr-x   15 bob      bob         4096 Apr 19 15:52 ..
-rw-r--r--    1 bob      bob        16263 Apr  3 17:04 index.php
Question by:chaduka
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 40

Expert Comment

ID: 6962900
Tell me more about how you have FTP set up and how users establish their FTP session. I use wu-ftp and ProFTP and a user can't delete a file that they don't have rights to, so it must be something related to how you are using FTP.

Author Comment

ID: 6962926
Okay, I have managed to find out why. It's the directory permissions that are screwed up. Fact: directory permissions take precedence over any file permissions within that directory.
LVL 40

Accepted Solution

jlevie earned 100 total points
ID: 6963001
Yep, that'll do it. You need to make certain the directories of users are no more permissive than 755 (rwxr-xr-x). Other (world) read and search permission are needed in this case so that the web server can access the contents. In most other cases a home dir can be 700 (rwx------).

I good thing to do for a web server that hosts a number of virtual domains is to use ProFTP and configure it to chroot each user into their login directory. This, regardless of directory permissions, will prevent an FTP user from being able to delete or view files that aren't in their login dir. They can't even see anything else on the system.
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users


Author Comment

ID: 6963024
Yeah, well, on most boxes, I run ncftpd and it's got that chroot feature. Was just being buffled by the way this one was behaving, only to find out that a directory high up there, the /var/www directory, was set to drwxrwxrwx. /me cries. ..some people!

Author Comment

ID: 6963038
...well, just thought I should give you the points that were at stake anyway.
LVL 40

Expert Comment

ID: 6963081
NcFTP is great stuff. ProFTP is almost as good and has much of the same capabilities. The documentation for ProFTP isn't nearly as good though (IMHO).

Author Comment

ID: 6963115
I have gotten used to NcFTPd. I will try understand ProFTP. Heard PureFTPd is quite excellent as well.

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network Interface Card (NIC) bonding, also known as link aggregation, NIC teaming and trunking, is an important concept to understand and implement in any environment where high availability is of concern. Using this feature, a server administrator …
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question