proftpd: One user to administrate all

Hi all

I have configured proftpd using virtual users; various users have permissions over directories, etc.

Now I have to create a user (ftpadmin) that will have access to all folders and will be able to delete, move and/or rename files and directories.
Although ftpadmin has access and enough permissions from proftpd.conf, it isn't allowed to delete files that were created by another user!!! (as the filesystem permissions are not sufficient)

Is there any way to overcome this?! Do I have to use a umask different from 022 / 022?
Thank you
3 Solutions
 
Maciej SsysadminCommented:
I have quite similar environment. I set one group for all files/directories, and umask to 002 (to have all new files with proper permissions). My 'admin' user belongs to something like 'ftpadmin' group (all files/dirs have this group set). As all users are virtual ones, whole ftp hierarchy belongs to one system user - all permissions are set by <Limit ...> entries.
 
amprantiAuthor Commented:
I have two groups of users: admins (ftpadmin) & allusers (user1 & user2)

At the moment my files are created with user virtual ID and groupID: 1500.1500.
By using umask 002, user1 and user2 can also delete each other's files. Correct?

Are you using "UserOwner" to change all users to proftpd.nogroup?
Could you give me an example of a configuration file with permissions set?

Another idea I had is to add ftpadmin to all groups. But:
Can a user belong to two groups?! Which group will be matched when doing checks for permissions?!

Thank you
 
Maciej SsysadminCommented:
> By using umask 002, user1 and user2 can also delete each other's files. Correct?
Yes, unless you use something like:
<Directory /dir/for/user1>
   <Limit ALL>
      AllowUser user1
   </Limit>
</Directory>
Which means - allow only user1 to do anything inside /dir/for/user1. You can also give permission for reading to user2 by adding another Limit (inside the same <Directory ...></Directory>). More about Limit directive: http://www.proftpd.org/docs/directives/linked/config_ref_Limit.html

> Are you using "UserOwner" to change all users to proftpd.nogroup?
No. It doesn't really matter for me which user file/directory belongs to. All my virtual users are in one system group, and all files uploaded have this group set by default.

> Can a user belong to two groups?! Which group will be matched when doing checks for permissions?!
IIRC there is a limit of max 16 groups per user. As for permissions - for reading all groups will be checked, for writing - I guess file will be created with user's 'main' group, but I'm too lazy to check it right now ;) (if I'm not wrong, then GroupOwner directive should be helpful) (on FreeBSD, where I have my proftpd installed, newly created files/directories have the same group as parent directory).
 
amprantiAuthor Commented:
So it's enough to use umask 002 and add ftpadmin to the allusers group.

On the other hand, I have to accept the fact that user1 and user2 will be able to change each other's files (as they have access to the same directories and I can't use LIMIT)
 
Maciej SsysadminCommented:
> So it's enough to use umask 002 and add ftpadmin to the allusers group.
Yup.

> On the other hand, I have to accept the fact that user1 and user2 will be
> able to change each other's files (as they have access to the same directories and
> I can't use LIMIT)
You can try using the GroupOwner directive to set, for example, the 'ftpadm' group for all files/dirs (with umask 002 set). No users but ftpadmin should belong to this group. In such a configuration users should not have the possibility to edit/delete each other's files (but I would use Limits instead :)).
Can you really not use LIMITs, or do you just not want to? May I know the reasons (I'm just curious :)).
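An added configuration example that puts the two suggestions from this thread together: the per-directory <Limit> blocks from the earlier post and the Umask 002 / GroupOwner arrangement from this one. It is not the poster's or Maciej's own proftpd.conf; the /srv/ftp paths, the file names under /etc/proftpd and the group name ftpadm are assumptions.

```apache
# Added example, not the poster's or Maciej's proftpd.conf. Assumed names:
# /srv/ftp/<user> as the per-user trees, a virtual-user file pair under
# /etc/proftpd, and a group "ftpadm" whose only member is ftpadmin.

AuthUserFile  /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
DefaultRoot   /srv/ftp

# The asker's 022 umask gives 644 files / 755 directories, so only the
# owning UID can delete or rename. 002 gives 664 / 775, and the group
# then has the directory write bit that DELE, RMD and RNTO need.
Umask 002 002

# Every upload keeps the uploading virtual user as owner but gets the
# ftpadm group, so ftpadmin (the only ftpadm member) reaches everything.
# The daemon must be allowed to chgrp to that group; check the GroupOwner
# documentation for the contexts and privileges it requires.
GroupOwner ftpadm

# Per-user trees: WRITE covers STOR, APPE, DELE, MKD, RMD and RNTO;
# RNFR (the rename source) sits in the DIRS group, so it is listed too.
# Allow rules are evaluated before DenyAll, so user1 and ftpadm members
# may change things here; everyone else can only list and download.
<Directory /srv/ftp/user1>
  <Limit WRITE RNFR>
    AllowUser user1
    AllowGroup ftpadm
    DenyAll
  </Limit>
  <Limit READ DIRS>
    AllowAll
  </Limit>
</Directory>

<Directory /srv/ftp/user2>
  <Limit WRITE RNFR>
    AllowUser user2
    AllowGroup ftpadm
    DenyAll
  </Limit>
  <Limit READ DIRS>
    AllowAll
  </Limit>
</Directory>
```

Only proftpd enforces the <Limit> rules: any other path to the same tree (a shell account, another file-serving daemon) is governed solely by the 664/775 filesystem bits, where every ftpadm member can delete any file in a group-writable directory.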
 
amprantiAuthor Commented:
I don't want to, because I am searching for a way to implement that functionality more easily than using LIMIT.
(To tell the truth, I have no idea how I can do that using LIMIT)!!

Any ideas? ;-)
Both users must have access to write, upload/download, resume etc. files, but not delete or alter files that they don't own!
 
Maciej SsysadminCommented:
> Both users must have access to write, upload/download,
> resume etc. files, but not delete or alter files that they don't own!
Well, I already wrote it. Umask 002, different users, same group (ftpadm in my previous post). The owner of the file can do anything with this file, while other users cannot.