People, Tal is using a simple, old-fashioned solution (ftp server) - why not give simple, old-fashioned answers?

While ACLs are modern and much more flexible, there's still quite a lot that can be done with plain old unix-style permissions (and you certainly don't need to compile new kernels for that).

Tal Rosenstein wrote:
d-wxrwx---   5 incoming inout   4096 2005-03-30 10:51 incoming
dr-xrwx---   6 outgoing inout   4096 2005-03-29 18:15 outgoing
the group inout is the group of the user inout [which can put and delete files from all of the folders]
With plain-old unix permissions, being the *owner* of a file/directory means you can freely change its permissions.
I believe many ftp servers allow users to use the 'chmod' command by default, so there's not much point in setting the user's own permission to anything other than rwx (at least not security-wise. It might be useful as some kind of convenience measure).

However, a user does not have to own his home (certainly not her ftp home). The key to achieving (approximately) what you want is to use groups:

1) Define 'incoming' and 'inout' members in group 'writers', 'outgoing' and 'inout' members in group 'readers'

2) Set permissions thus:

flags       user   group    dirname
--------------------------------------
d-wx-ws---  inout  writers  incoming
drwxr-s---  inout  readers  outgoing

3) Further notes:

  a) Note the 's' flags on the group perms (use 'chmod g+s <dirname>' to set it). This means that files generated under this dir will get the parent dir's group rather than their creator's main group. Assuming that 'incoming' has 'writers' as his main group & 'outgoing' has 'readers', this will only have effect on files written by the 'inout' login.

  b) Note that according to my first comment above, the fact that files generated by the 'incoming' login get the right permissions by default does not mean they're safe - she can still chmod them to anything (unless you disable this feature in your ftp-server). Same goes for the 'inout' login, but I assume you should have no trouble with this.

  c) Make sure you set umask to 7 (disable all permissions for 'others' in files generated by this user) for these users. This is done by adding umask=7 to the GECOS (full name/comment) field in /etc/passwd. In Debian this can be done by an option to the adduser(8) command, e.g. 'adduser --gecos "umask=7,Incoming FTP Login" incoming'
The problem:
===============
Whenever a user is logged on to the ftp with his user and tries to open a folder below his home dir [/home/incoming]
Then the folder permission and owner are not kept.
I'm not sure what you mean by "open a folder below his home".
If you mean that permissions of newly created files are not as you expect - this can probably be solved by using the right umask (comment 3c above) and directory g+s (comment 3a above).

   cheers,
     Amit

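As an added example (not part of Amit's reply), the script below recreates the two directories from the table in a scratch directory owned by whoever runs it, then shows what umask 007 and the setgid bit do to a freshly "uploaded" file. It assumes GNU coreutils (stat -c); the current user and primary group stand in for 'inout', 'writers' and 'readers'.

```shell
#!/bin/sh
set -e

# Create the layout from the table in $1 (hypothetical stand-in for /home):
#   d-wx-ws---  -> 2330 (setgid, u=wx, g=wx, o=none)  incoming
#   drwxr-s---  -> 2750 (setgid, u=rwx, g=rx, o=none) outgoing
setup_dirs() {
    base="$1"
    mkdir -p "$base/incoming" "$base/outgoing"
    chmod 2330 "$base/incoming"
    chmod 2750 "$base/outgoing"
}

# Symbolic mode of a path, e.g. "d-wx-ws---" (the 's' is the setgid bit).
mode_of() {
    stat -c '%A' "$1"
}

# Simulate an upload by the 'incoming' login running with umask 007 and
# print "<octal file mode> <file group == dir group: yes/no>".
# 666 & ~007 gives 660: no permissions at all for 'others'.
upload_with_umask() {
    dir="$1"
    ( umask 007; : > "$dir/upload.txt" )
    file_mode=$(stat -c '%a' "$dir/upload.txt")
    dir_gid=$(stat -c '%g' "$dir")
    file_gid=$(stat -c '%g' "$dir/upload.txt")
    if [ "$dir_gid" = "$file_gid" ]; then same=yes; else same=no; fi
    echo "$file_mode $same"
}

# Restore read permission before deleting: the owner cannot list a
# write-only (-wx) directory, so a plain rm -rf would fail on 'incoming'.
cleanup() {
    chmod -R u+rwx "$1"
    rm -rf "$1"
}

demo() {
    tmp=$(mktemp -d)
    setup_dirs "$tmp"
    echo "incoming: $(mode_of "$tmp/incoming")"
    echo "outgoing: $(mode_of "$tmp/outgoing")"
    echo "upload:   $(upload_with_umask "$tmp/incoming")"
    cleanup "$tmp"
}

demo
```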