People, Tal is using a simple, old-fashioned solution (ftp server) -
why not give simple, old-fashioned answers? While ACLs are modern and much more flexible, there's still quite a lot that can be done with plain old unix-style permissions (and you certainly don't need to compile new kernels for that).

Tal Rosenstein wrote:

With plain-old unix permissions, being the *owner* of a file/directory means you can freely change its permissions. I believe many ftp servers allow users to use the 'chmod' command by default, so there's not much point in setting the user's own permission to anything other than rwx (at least not security-wise. It might be useful as some kind of convenience measure). However, a user does not have to own his home (certainly not her ftp home).

The key to achieve (approximately) what you want is by using groups:

1) Define 'incoming' and 'inout' members in group 'writers', 'outgoing' and 'inout' members in group 'readers'

2) Set permissions thus:

   flags       user    group    dirname
   --------------------------------------
   d-wx-ws---  inout   writers  incoming
   drwxr-s---  inout   readers  outgoing

3) Further notes:

   a) Note the 's' flags on the group perms (use 'chmod g+s <dirname>' to set it). This means that files generated under this dir will get the parent dir's group rather than their creator's main group. Assuming that 'incoming' has 'writers' as his main group & 'outgoing' has 'readers', this will only have effect on files written by the 'inout' login.

   b) Note that according to my first comment above, the fact that files generated by the 'incoming' login get the right permissions by default does not mean they're safe - she can still chmod them to anything (unless you disable this feature in your ftp-server). Same goes for the 'inout' login, but I assume you should have no trouble with this.

   c) Make sure you set umask to 7 (disable all permissions for 'others' in files generated by this user) for these users. This is done by adding umask=7 to the GECOS (full name/comment) field in /etc/passwd.
      In Debian this can be done by an option to the adduser(8) command. e.g. 'adduser --gecos "umask=7,Incoming FTP Login" incoming'

I'm not sure what you mean by "open a folder below his home". If you mean that permissions of newly created files are not as you expect - this can be probably solved by using the right umask (comment 3c above) and directory g+s (comment 3a above).

cheers,
    Amit
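The directory modes and umask from the message above, as an added sandbox check that is not code from the post or its author: it applies the two modes from the table to throwaway directories and shows what a file created under umask 007 (the post's "umask=7") ends up with. It runs unprivileged, so the chgrp to the post's 'writers'/'readers' groups is only printed, not executed.

```shell
#!/bin/sh
# Added example: verify the permission model from the post in a temp dir.
# Group names 'writers'/'readers' and dir names come from the post; everything
# else here (function names, the temp layout) is this example's own.

# First field of 'ls -ld', e.g. "d-wx-ws---" (portable, unlike 'stat -c').
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Create the two directories with the modes from the post's table:
#   d-wx-ws---  incoming  (2330: owner may enter/write but not list, setgid group)
#   drwxr-s---  outgoing  (2750: group may list/read, setgid, nothing for others)
apply_post_modes() {
    base=$1
    mkdir -p "$base/incoming" "$base/outgoing"
    chmod 2330 "$base/incoming"
    chmod 2750 "$base/outgoing"
    # On the real server these run as root once the groups exist (not run here):
    echo "would run: chgrp writers $base/incoming && chgrp readers $base/outgoing"
}

# Create a file the way the post's logins would (umask 007) and return its mode
# string. Expected "-rw-rw----": owner and group read/write, 'others' nothing.
# With the setgid bit on the parent, the file's group is the directory's group.
file_mode_under_umask_007() {
    dir=$1
    (umask 007 && : > "$dir/upload.txt")
    perm_string "$dir/upload.txt"
}

# Stand-alone run: build the layout in a temp dir and print what we got.
demo() {
    tmp=$(mktemp -d)
    apply_post_modes "$tmp"
    echo "incoming: $(perm_string "$tmp/incoming")"
    echo "outgoing: $(perm_string "$tmp/outgoing")"
    echo "new file: $(file_mode_under_umask_007 "$tmp/incoming")"
    chmod u+rwx "$tmp/incoming"   # owner lacks 'r', so restore it before cleanup
    rm -rf "$tmp"
}

demo
```

Note that the file in 'incoming' is still chmod-able by its owner, exactly the caveat in note 3b; the umask only sets the starting point.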