Welcome to the Linux Foundation Forum!

FTP file security

sonicblaze
sonicblaze Posts: 2
in Linux Security

Hi!

I have an FTP server, chrooted to a directory, /ftproot. I have a couple hundred users whom use this for nothing but uploading files for someone else to download. So, everyone uses the same login.

This is currently running on a Windows box, and works great. Files can get created and uploaded, but not overwritten or deleted. So everyone can upload files, no one can ever overwrite them or delete them.

I am transferring this task over to a linux box, but having problems with setting up that type of security. I need to allow people to upload files and create folders, but not overwrite or delete anything even if they are the owner. I am running VSFTP, and have the file_open_mode set to 440 to set all new files, but they can still delete the new files in which they have R only permissions(I assume this is because they have RW on the root folder).

I've goofed around with setting up ACL's with setfacl, but I can't seem to find what the right combination of permissions/defaults is. I either lock myself out all together from doing anything, or I have full access to create/delete.

Anyone know what the correct permissions would be for the ACL list, or else maybe a different way of going about this?

Comments

  • mfillpot
    mfillpot Posts: 2,177
    You are talking about setting the directory permissions with a sticky bit. chmod +t {directory} or chmod 1666 {directory}. This sticky bit sets the permissions on all files within the specified directory to block all users who are not the owner of the file or the owner of the directory from deleting or modifying the files within the directory.

    More info on the sticky bit can be found on the wikipedia page, http://en.wikipedia.org/wiki/Sticky_bit

    If you incorporate separate logins into the ftp server, then these permissions would be sufficient.
  • sonicblaze
    sonicblaze Posts: 2
    I've thought about using that, but the issue is seperate logins. I have been unable to talk the business into doing this, because it "complicates things more than just having the one login for such a simple and unimportant ftp site". That's why I'm trying to figure out if there is a way with ACL's, although I'm thinking it might be a lost cause as I've been unable to get them to do what I need.

    Maybe there is a way to do it with SELinux roles...?

Categories

Upcoming Training