I have a certain directory under /usr that I want to make available through vsftp to a specific user. The easiest way to do this, I believe, is to create a symlink from the user's home directory to this directory. The catch is I want/need them to be able to delete/upload files as well. Root is the group and user owner of the files.
What is the "proper" way to give rights for this user?
Thanks, James
James Pifer wrote:
> I have a certain directory under /usr that I want to make available through vsftp to a specific user. The easiest way to do this, I believe, is to create a symlink from the user's home directory to this directory. The catch is I want/need them to be able to delete/upload files as well. Root is the group and user owner of the files.
> What is the "proper" way to give rights for this user?
There really isn't. If you're going to give the person write access to /usr you'd better really trust that person. If you trust that person enough to do that, you might as well just allow them to have root access through sudo so you can keep track of their activities.
> There really isn't. If you're going to give the person write access to /usr you'd better really trust that person. If you trust that person enough to do that, you might as well just allow them to have root access through sudo so you can keep track of their activities.
Let me give a few more details. The person will have to access this through a portal, which will only allow access to the directories that I specify. The backend portal process will connect to the system using vsftp. So the user will not have wide open access to the system and they will not even know the login info.
So it sounds like I need to do chmod on all the files under that directory?
Do files inherently inherit the rights of the directory that contains them? My concern is with new files that get created, even by root. If they are in the directory that I give access to, it's assumed the user can do what they want with it, as update or delete.
Thanks, James
On Wed, Feb 22, 2006 at 01:50:36PM -0500, James Pifer wrote:
> > There really isn't. If you're going to give the person write access to /usr you'd better really trust that person. If you trust that person enough to do that, you might as well just allow them to have root access through sudo so you can keep track of their activities.
> Let me give a few more details. The person will have to access this through a portal, which will only allow access to the directories that I specify. The backend portal process will connect to the system using vsftp. So the user will not have wide open access to the system and they will not even know the login info.
> So it sounds like I need to do chmod on all the files under that directory?
Two points of information:
#1: To chmod an entire tree (everything under directory "X" and X itself) do:
    chmod -R [permissions] X
The "-R" causes it to do every file and directory within and under "X".
#2: This is a risky configuration. You probably should not do this to "/usr". Arbitrarily changing permissions on system files WILL break your system.
I suggest creating another directory elsewhere and letting the user(s) upload files to that safe place, then moving the files into your system yourself after they arrive. (Or have some trusted admin do it.)
> Do files inherently inherit the rights of the directory that contains them? My concern is with new files that get created, even by root. If they are in the directory that I give access to, it's assumed the user can do what they want with it, as update or delete.
> Thanks, James
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
> Two points of information:
> #1: To chmod an entire tree (everything under directory "X" and X itself) do:
>     chmod -R [permissions] X
> The "-R" causes it to do every file and directory within and under "X".
> #2: This is a risky configuration. You probably should not do this to "/usr". Arbitrarily changing permissions on system files WILL break your system.
> I suggest creating another directory elsewhere and letting the user(s) upload files to that safe place, then moving the files into your system yourself after they arrive. (Or have some trusted admin do it.)
I really can't move the files. BUT, I will not be modifying /usr. I will be modifying the rights to one directory under /usr and its subs. So if there's a directory like /usr/thisisit, thisisit is where the chmod will happen. Otherwise /usr will be left completely as is.
Thanks for all the info.
James
On Wed, 22 Feb 2006 at 1:50pm, James Pifer wrote
> > There really isn't. If you're going to give the person write access to /usr you'd better really trust that person. If you trust that person enough to do that, you might as well just allow them to have root access through sudo so you can keep track of their activities.
> Let me give a few more details. The person will have to access this through a portal, which will only allow access to the directories that I specify. The backend portal process will connect to the system using vsftp. So the user will not have wide open access to the system and they will not even know the login info.
> So it sounds like I need to do chmod on all the files under that directory?
> Do files inherently inherit the rights of the directory that contains them? My concern is with new files that get created, even by root. If they are in the directory that I give access to, it's assumed the user can do what they want with it, as update or delete.
In situations like this I tend to want to use ACLs rather than rely on standard *nix permissions. Look at 'man setfacl' and experiment.
Also, as others have pointed out, it'd be *really* nice if you could relocate the files that need to be accessed out of /usr.
On Wed, 22 Feb 2006, James Pifer wrote:
> Let me give a few more details. The person will have to access this through a portal, which will only allow access to the directories that I specify. The backend portal process will connect to the system using vsftp. So the user will not have wide open access to the system and they will not even know the login info.
> So it sounds like I need to do chmod on all the files under that directory?
If you mean /usr/<somenewdirectory>, yes that would be ok, though not a good idea. It should be in /home, or /usr/local. DO NOT chmod /usr/*. You will regret it.
> Do files inherently inherit the rights of the directory that contains them? My concern is with new files that get created, even by root. If
Not unless the set user or set group bits are set.
> they are in the directory that I give access to, it's assumed the user can do what they want with it, as update or delete.
This is usually configurable via the ftp server. For instance you can configure it so uploaded files are 'invisible'.
> Thanks, James
------------------------------------------------------------------------
Jim Wildman, CISSP, RHCE
jim@rossberry.com
http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine
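An added illustration, not part of any post in this thread, of the inheritance question answered above and of the earlier setfacl suggestion: it measures what a new file or subdirectory actually receives from a setgid directory, and how a default ACL changes that. It assumes Linux with GNU stat and works only in temporary directories; `<ftpuser>` in the comments is a placeholder.

```sh
#!/bin/sh
# Added example. Works only in throwaway temp directories (GNU stat assumed).

# new_file_mode DIR_MODE UMASK: octal mode of a file created in such a directory.
new_file_mode() {
    d=$(mktemp -d) || return 1
    chmod "$1" "$d"
    ( umask "$2"; : > "$d/upload.dat" )
    stat -c %a "$d/upload.dat"
    rm -rf "$d"
}

# new_subdir_mode DIR_MODE UMASK: octal mode of a subdirectory created there.
new_subdir_mode() {
    d=$(mktemp -d) || return 1
    chmod "$1" "$d"
    ( umask "$2"; mkdir "$d/sub" )
    stat -c %a "$d/sub"
    rm -rf "$d"
}

# acl_file_mode UMASK: same as new_file_mode, but the directory carries a
# default ACL. Prints "unsupported" without setfacl or filesystem ACL support.
# A real setup would add a named entry such as d:u:<ftpuser>:rwX, where
# <ftpuser> is a placeholder for the account the portal logs in as.
acl_file_mode() {
    command -v setfacl >/dev/null 2>&1 || { echo unsupported; return 0; }
    d=$(mktemp -d) || return 1
    if setfacl -d -m u::rwx,g::rwx,o::r-x "$d" 2>/dev/null; then
        ( umask "$1"; : > "$d/upload.dat" )
        stat -c %a "$d/upload.dat"
    else
        echo unsupported
    fi
    rm -rf "$d"
}

echo "setgid dir, umask 022, new file:   $(new_file_mode 2775 022)"
echo "setgid dir, umask 002, new file:   $(new_file_mode 2775 002)"
echo "setgid dir, umask 022, new subdir: $(new_subdir_mode 2775 022)"
echo "default ACL, umask 022, new file:  $(acl_file_mode 022)"
```

The setgid bit passes on the group (and, for subdirectories, the bit itself) but not the permission bits, which still come from the creating process's umask; with a default ACL the umask is ignored. For uploads made through vsftpd, the umask in question is its `local_umask` setting.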
> If you mean /usr/<somenewdirectory>, yes that would be ok, though not a good idea. It should be in /home, or /usr/local. DO NOT chmod /usr/*. You will regret it.
Right, it would be:
chmod [rights] /usr/<specifieddirectory> -R
In the future it's possible it could be moved to /usr/local, that would make more sense. At the current time it's not a simple move... although, a symlink might work ok. Might have to try that.
James
On Wed, 2006-02-22 at 13:24 -0500, James Pifer wrote:
> I have a certain directory under /usr that I want to make available through vsftp to a specific user. The easiest way to do this, I believe, is to create a symlink from the user's home directory to this directory. The catch is I want/need them to be able to delete/upload files as well. Root is the group and user owner of the files.
> What is the "proper" way to give rights for this user?
> Thanks, James
James,
It might be safer to put the files in the user's home directory and make a link from within /usr. If that can be tolerated.
Bob...
On Wed, Feb 22, 2006 at 01:24:35PM -0500, James Pifer wrote:
> I have a certain directory under /usr that I want to make available through vsftp to a specific user. The easiest way to do this, I believe, is to create a symlink from the user's home directory to this directory. The catch is I want/need them to be able to delete/upload files as well. Root is the group and user owner of the files.
> What is the "proper" way to give rights for this user?
Okay, several others have responded, so if you are in no mood for some redundant and, why not say, anal comments and considerations, please ignore this one :)
1) The ideal /usr tree is the one you can keep mounted read-only. I like to do that on all my servers.
2) FTP might not be the ideal solution for you. FTP protocol is not safe, and easily intercepted. All login data travels in plain text.
3) You REALLY should avoid doing stuff like this on /usr. For one, it violates the FHS (maybe LSB too?). There is no real reason for your stuff to be on /usr in a case like that.
4) If after what everyone else commented, you still want to put things under /usr, at least make sure your /usr/XXXXX directory is on a separate filesystem.
And, just to be my usual anal self, mixing FTP and /usr is a REALLY, REALLY bad idea.
Best Regards,
-- Rodrigo Barbosa rodrigob@suespammers.org "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)