Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Permissions and FTP daemons

Posted on 2002-04-23
Medium Priority
Last Modified: 2013-12-15

I have this scenario:

I have a user "bob" whose $HOME is /var/www/html. Permissions on this directory are like so: drwxr-xr-x   15 bob bob         4096 Apr 19 15:52 html
I also have a user "foo" whose $HOME is /var/www/html/foo. Permissions on this dir are like so: drwxr-xr-x   55 bob bob         4096 Apr 15 16:13 foo
Now, there's a file in /var/www/html/foo/index.php whose permissions are like so: -rw-r--r--    1 bob bob    16263 Apr  3 17:04 /var/www/html/foo/index.php
If user "foo" does an FTP session, why _CAN_ he delete the file /var/www/html/foo/index.php ???
The users have different uids and gids.
I have tested this on wu-ftpd, pureftpd and proftpd and am running RedHat 6.2 and 7.2.

Maybe this can help?

[root@mirror root]# ls -al /var/www/html/foo/
total 472
drwxr-xr-x   55 bob      bob         4096 Apr 15 16:13 .
drwxr-xr-x   15 bob      bob         4096 Apr 19 15:52 ..
-rw-r--r--    1 bob      bob        16263 Apr  3 17:04 index.php
Question by:chaduka
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 40

Expert Comment

ID: 6962900
Tell me more about how you have FTP set up and how users establish their FTP session. I use wu-ftp and ProFTP and a user can't delete a file that they don't have rights to, so it must be something related to how you are using FTP.

Author Comment

ID: 6962926
Okay, I have managed to find out why. It's the directory permissions that are screwed up. Fact: directory permissions take precedence over any file permissions within that directory.
LVL 40

Accepted Solution

jlevie earned 300 total points
ID: 6963001
Yep, that'll do it. You need to make certain the directories of users are no more permissive than 755 (rwxr-xr-x). Other (world) read and search permission are needed in this case so that the web server can access the contents. In most other cases a home dir can be 700 (rwx------).

I good thing to do for a web server that hosts a number of virtual domains is to use ProFTP and configure it to chroot each user into their login directory. This, regardless of directory permissions, will prevent an FTP user from being able to delete or view files that aren't in their login dir. They can't even see anything else on the system.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 6963024
Yeah, well, on most boxes, I run ncftpd and it's got that chroot feature. Was just being buffled by the way this one was behaving, only to find out that a directory high up there, the /var/www directory, was set to drwxrwxrwx. /me cries. ..some people!

Author Comment

ID: 6963038
...well, just thought I should give you the points that were at stake anyway.
LVL 40

Expert Comment

ID: 6963081
NcFTP is great stuff. ProFTP is almost as good and has much of the same capabilities. The documentation for ProFTP isn't nearly as good though (IMHO).

Author Comment

ID: 6963115
I have gotten used to NcFTPd. I will try understand ProFTP. Heard PureFTPd is quite excellent as well.

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network Interface Card (NIC) bonding, also known as link aggregation, NIC teaming and trunking, is an important concept to understand and implement in any environment where high availability is of concern. Using this feature, a server administrator …
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses
Course of the Month11 days, 13 hours left to enroll

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question