Hi,
I have a vsftp server and two users for up and download.
If user Alice uploads a file, the owner is set to Alice as expected "-rw-r--r-- alice ftpuploadgroup"
Now Bob can login to the same folder and is able to rename the uploaded file.
Bob can also rename an uploaded folder, but can't rename a file in that folder ....
I'm confused, as I don't get why this is possible at all.
Some vsftp magic? :)
Can someone explain that to me?
Thanks and regards . Götz
> I have a vsftp server and two users for up and download.
> If user Alice uploads a file, the owner is set to Alice as expected "-rw-r--r-- alice ftpuploadgroup"
> Now Bob can login to the same folder and is able to rename the uploaded file.
> Bob can also rename an uploaded folder, but can't rename a file in that folder ....
> I'm confused, as I don't get why this is possible at all.
What are the permissions and ownership on the directory the uploads go in? If its group is 'ftpuploadgroup' and has group write permissions then any member of that group can rename files in that directory. If a user creates a directory, then that will have rwxr-xr-x permissions so they won't be able to rename files within that directory.
P.
On 13.07.17 at 14:46, Pete Biggs wrote:
> What are the permissions and ownership on the directory the uploads go in? If its group is 'ftpuploadgroup' and has group write permissions then any member of that group can rename files in that directory. If a user creates a directory, then that will have rwxr-xr-x permissions so they won't be able to rename files within that directory.
The permissions for the upload folder are drwx-wx--- and the owner is Bob, group is ftpuploadgroup
Alice is member of that group, but should only drop files in.
The files are owned by Alice, and I'm a bit irritated that Bob can rename them ... as Bob only has read permission (from the group)
The files in a subfolder have the same permissions and Bob can't change them...
Thanks for your feedback . /G
On 13/07/2017 14:38, Götz Reinicke - IT Koordinator wrote:
> The permissions for the upload folder are drwx-wx--- and the owner is Bob, group is ftpuploadgroup
> Alice is member of that group, but should only drop files in.
> The files are owned by Alice, and I'm a bit irritated that Bob can rename them ... as Bob only has read permission (from the group)
> The files in a subfolder have the same permissions and Bob can't change them...
> Thanks for your feedback . /G
He does not have read only permission from the group. He is the folder owner and so can change things within that folder. You need to change the folder to something other than Bob. The sub dir does not have the same permissions. Alice is the owner.
What is the end goal you want? E.g. Bob and Alice can upload, Bob can read files both he and Alice upload but Alice can only read her files. Perhaps we can suggest permissions that would do what you want?
Regards,
Tris
On 13.07.17 at 17:10, Tris Hoar wrote:
> He does not have read only permission from the group. He is the folder owner and so can change things within that folder. You need to change the folder to something other than Bob. The sub dir does not have the same permissions. Alice is the owner.
> What is the end goal you want? E.g. Bob and Alice can upload, Bob can read files both he and Alice upload but Alice can only read her files. Perhaps we can suggest permissions that would do what you want?
Thanks Tris, thanks Peter,
the goal is, that the FTP server is a Dropbox for Alice, so she can upload files and folders and is not able to see the uploaded files (drwx-wx--- for the main folder).
Bob should be able to rename the files and folders by ftp. (and of course be able to download them.)
If this is not possible with the standard permissions, I'm fine, in the past Users did not try to upload folders and others did not rename ... Then we look for another workflow.
But hey, maybe you have an idea on a good permission set.
Regards . Götz
Götz Reinicke - IT Koordinator [goetz.reinicke@filmakademie.de]:
> the goal is, that the FTP server is a Dropbox for Alice, so she can upload files and folders and is not able to see the uploaded files (drwx-wx--- for the main folder).
> Bob should be able to rename the files and folders by ftp. (and of course be able to download them.)
> If this is not possible with the standard permissions, I'm fine, in the past Users did not try to upload folders and others did not rename ... Then we look for another workflow.
You might want to look at proftpd - it has its own configs for permissions/ownerships of uploaded files - which is over and above the OS permissions/ownerships
It's been a while since I used it - but I remember being able to do some 'funky stuff' in this regard ...
James Pearson
> the goal is, that the FTP server is a Dropbox for Alice, so she can upload files and folders and is not able to see the uploaded files (drwx-wx--- for the main folder).
> Bob should be able to rename the files and folders by ftp. (and of course be able to download them.)
> If this is not possible with the standard permissions, I'm fine, in the past Users did not try to upload folders and others did not rename ... Then we look for another workflow.
There is a much more fine-grained ACL system in Linux which sits on top of the standard file permissions. Have a look at, for instance,
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm...
or 'man acl'
With this you will be able to give specific users different access permissions on the files created.
As someone else said, ProFTPD also has a finer-grained permission system - you can change access according to which user is logged in via FTP and you can change which commands they have access to. In other words you allow Alice access to a subset of commands which allow her to upload files and create directories but not rename them.
P.
On Fri, Jul 14, 2017 at 10:02:05AM +0100, Pete Biggs wrote:
> There is a much more fine-grained ACL system in Linux which sits on top of the standard file permissions. Have a look at, for instance,
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm...
> or 'man acl'
This, though old, also gives a very good explanation of ACLs. http://tech.trailmax.info/wp-content/uploads/2010/10/default_ACL.pdf
On Fri, 14 Jul 2017 07:53, Götz Reinicke - IT Koordinator wrote:
> Thanks Tris, thanks Peter,
> the goal is, that the FTP server is a Dropbox for Alice, so she can upload files and folders and is not able to see the uploaded files (drwx-wx--- for the main folder).
> Bob should be able to rename the files and folders by ftp. (and of course be able to download them.)
> If this is not possible with the standard permissions, I'm fine, in the past Users did not try to upload folders and others did not rename ... Then we look for another workflow.
> But hey, maybe you have an idea on a good permission set.
> Regards . Götz
At least one possibility with "standard unix permissions": The Dropbox-Folder and any subfolders are owned by user Bob and the ftpuploadgroup group with rights (drwx-wx---) or even added setgid bit (drwx-ws---). That way user Alice can upload files into these folders, but can't see into the folders, while Bob as the owner of the folder has the needed rights to manage the contents. But if the files / sub-folders have no group write bit the things get iffy in a very subtle and ugly way.
So your dropbox folder should look like this:
[code]
ls -la dropbox-folder
[/code]
drwx-ws--- bob ftpuploadgroup 60 14. Jul 13:13 .
dr-xr-xr-x ftp ftp 120 14. Jul 13:12 ..
-rw-rw-r-- alice ftpuploadgroup 421 14. Jul 13:13 test-drop-file
IMHO the first thing Bob should do is to set group write bit, claim ownership of the files, then move them elsewhere.
[code]
chmod -R g+w dropbox-folder/*
chown -R bob:ftpuploadgroup dropbox-folder/*
mv -t target-dir dropbox-folder/*
[/code]
If necessary, put the first two commands (with absolute paths) into a shell script, mark it executable, put it in /usr/local/bin and allow Bob to use it with sudo.
YMMV, but at least for me this arrangement works. - Yamaban.
> The permissions for the upload folder are drwx-wx--- and the owner is Bob, group is ftpuploadgroup
> Alice is member of that group, but should only drop files in.
> The files are owned by Alice, and I'm a bit irritated that Bob can rename them ... as Bob only has read permission (from the group)
A directory is just a special file which holds information on other files (such as names and the inodes those names point to). As such in order to rename a file you need write permission to the directory special file (i.e. '.') - the ownership and permissions of the file in question are not involved in renaming.
> The files in a subfolder have the same permissions and Bob can't change them...
Because Bob does not have write permission to the directory.
As someone else said, tell us what your aim is and we can try and tell you what file/directory permissions need to be applied. It may be that what you are trying to do is not possible within the standard Unix permissions, but some filesystems have extended ACLs which could help.
P.
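The rule described in the reply above, as an added example that is not part of the original thread: a rename is decided by the one permission class that applies to the user on the parent directory, and the renamed file's own mode is never an input. The uid/gid numbers and the function names are constructed for illustration; root, POSIX ACLs and the sticky bit are not modelled.

```shell
#!/bin/sh
# Added example. Not modelled: root/CAP_DAC_OVERRIDE, POSIX ACLs, the sticky bit.

# perm_class_bits MODE DIR_UID DIR_GID USER_UID "USER_GIDS"
# Prints the one rwx triple (0-7) that applies to the user. The classes are
# exclusive: the owner gets the owner bits and never falls through to group.
perm_class_bits() {
    shift_by=0
    if [ "$4" = "$2" ]; then
        shift_by=6
    else
        for g in $5; do
            if [ "$g" = "$3" ]; then shift_by=3; fi
        done
    fi
    echo $(( ( 0$1 >> $shift_by ) & 7 ))
}

# may_rename_in MODE DIR_UID DIR_GID USER_UID "USER_GIDS"
# A rename rewrites directory entries, so it needs w and x on the parent
# directory. The mode and owner of the renamed file do not appear here at all.
may_rename_in() {
    bits=$(perm_class_bits "$@")
    [ $(( $bits & 3 )) -eq 3 ]
}

# may_rename_in_path DIR USER_UID "USER_GIDS"
# Same check against a real directory (uses GNU stat).
may_rename_in_path() {
    # Word splitting of the three stat fields is intended.
    set -- $(stat -c '%a %u %g' "$1") "$2" "$3"
    may_rename_in "$@"
}

# Constructed ids for the thread's users: alice=1001, bob=1002, ftpuploadgroup=2000.
report() {   # report LABEL MODE DIR_UID DIR_GID USER_UID "USER_GIDS"
    label=$1; shift
    if may_rename_in "$@"; then echo "$label: rename allowed"
    else echo "$label: rename denied"; fi
}
report "bob,   upload dir drwx-wx--- bob:ftpuploadgroup"   730 1002 2000 1002 "2000"
report "alice, upload dir drwx-wx--- bob:ftpuploadgroup"   730 1002 2000 1001 "2000"
report "bob,   subfolder  drwxr-xr-x alice:ftpuploadgroup" 755 1001 2000 1002 "2000"
```

The second line of output shows that the group's -wx on the upload directory also lets Alice rename an entry whose name she knows, even though she cannot list the directory.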
On 13.07.17 at 17:59, Pete Biggs wrote:
> > The permissions for the upload folder are drwx-wx--- and the owner is Bob, group is ftpuploadgroup
> > Alice is member of that group, but should only drop files in.
> > The files are owned by Alice, and I'm a bit irritated that Bob can rename them ... as Bob only has read permission (from the group)
> A directory is just a special file which holds information on other files (such as names and the inodes those names point to). As such in order to rename a file you need write permission to the directory special file (i.e. '.') - the ownership and permissions of the file in question are not involved in renaming.
> > The files in a subfolder have the same permissions and Bob can't change them...
> Because Bob does not have write permission to the directory.
> As someone else said, tell us what your aim is and we can try and tell you what file/directory permissions need to be applied. It may be that what you are trying to do is not possible within the standard Unix permissions, but some filesystems have extended ACLs which could help.
> P.
Hi and thanks to all suggestions. We currently go with the "old" way: the users do the up- and download as told in the last years so we don't have to change permissions or the server software and next year we may change the system totally.
This is an upload ftp server for one annual event, so.
Learned some things and thanks again . Götz