
List:       proftpd-users
Subject:    Re: [Proftpd-user] Forcing ownership of files and directories
From:       TJ Saunders <tj () castaglia ! org>
Date:       2012-11-16 17:09:53
Message-ID: alpine.DEB.2.00.1211160903270.3940 () familiar ! castaglia ! org


> > > and directories to a specific user. We need this because our customers
> > > maintain websites through multiple ftp accounts, and the website in apache is
> > > running with that specific user. All users, including the apache user, are in
> > > the same group.
> > > [...]
> > > A file created within a directory created by a web application can't be
> > > deleted with ftp. The ftp user has no write permissions on the directory: the
> > > directory is not owned by the logged in user, and it's not group writable.
> > > 
> > Do you chroot all of your FTP users?  If so, you might be able to do
> > something like the following: instead of using UserOwner/GroupOwner
> > directives, use AuthUserFile/AuthGroupFile for your FTP accounts.  In the
> > AuthUserFile, keep the same user names, passwords, etc -- but change the
> > UID/GID so that all users have the same UID/GID as the system user
> > 'apache'.
> Unfortunately not. We're trying to set up a very flexible system where every
> person has exactly one ftp account, which can be used to maintain a specific
> (to that account) set of websites. So, one account is used to maintain
> multiple sites, and each site can be maintained by multiple accounts.
> 
> This is a bit too much for standard unix permissions. I'm even considering
> ACLs to achieve this.

Another possibility (depending on your filesystem type) is to mount the 
filesystem with the web directories using the 'bsdgroups' or 'grpid' 
filesystem option:

  grpid or bsdgroups / nogrpid or sysvgroups

    These options define what group id a newly created file gets.
    When grpid is set, it takes the group id of the directory in
    which it is created; otherwise (the default) it takes the fsgid
    of the current process, unless the directory has the setgid  bit
    set, in which case it takes the gid from the parent directory,
    and also gets the setgid bit set if it is a directory itself.

If this can be done in your case, then it would cause new directories and 
files, created by the webapp, to have the group ownership of the owning 
directory.  And as long as that directory is owned by a group in which the 
logged-in FTP user belongs, it might work -- but then it depends on the 
mode/perms of the webapp-created directories.  (Webapp-created files 
should be OK; they can be deleted as long as the FTP user has write 
permissions on the directories containing the files to be deleted.)

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   And ever has it been that love knows not its own depth until the
   hour of separation.

     -Kahlil Gibran

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
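
Added example (not part of the message above and not ProFTPD code): a Python audit of a web root for the two conditions the reply turns on, namely directories in which a member of the shared group cannot delete entries, and directories that will not pass their group on to new entries. The function and finding names are hypothetical, and it assumes the FTP user is a non-owner member of the shared group.

```python
import os
import stat

def deletion_blockers(mode, dir_gid, shared_gid):
    """Reasons a non-owner member of shared_gid cannot delete entries here.

    Only the group permission class is considered; 'other' bits are ignored.
    """
    reasons = []
    if dir_gid != shared_gid:
        reasons.append("wrong-group")
    # Unlinking needs write AND search (execute) permission on the directory.
    if not (mode & stat.S_IWGRP and mode & stat.S_IXGRP):
        reasons.append("not-group-writable")
    # Sticky bit: only the entry's owner, the directory's owner or root may delete.
    if mode & stat.S_ISVTX:
        reasons.append("sticky")
    return reasons

def inherits_group(mode):
    """True if the setgid bit makes new entries take the directory's gid."""
    return bool(mode & stat.S_ISGID)

def audit(root, shared_gid, grpid_mount=False):
    """Walk root and return {directory: [findings]} for directories with findings.

    Pass grpid_mount=True when the filesystem is mounted with grpid/bsdgroups,
    since new entries then inherit the directory's gid without the setgid bit.
    """
    report = {}
    for dirpath, _dirnames, _filenames in os.walk(root):
        st = os.lstat(dirpath)
        findings = deletion_blockers(st.st_mode, st.st_gid, shared_gid)
        if not grpid_mount and not inherits_group(st.st_mode):
            findings.append("no-setgid")
        if findings:
            report[dirpath] = findings
    return report

if __name__ == "__main__":
    import sys
    # Usage: script.py <web root> <numeric gid of the shared group>
    for path, findings in sorted(audit(sys.argv[1], int(sys.argv[2])).items()):
        print(path, ",".join(findings))
```

Directories reported as not-group-writable are the webapp-created ones whose mode still blocks deletion over FTP, with or without the mount option.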
