FTP chmod 755
Currently proftpd won't allow 755 permissions.
How else can I solve this issue? I've tried a local umask but I'm a bit stumped.
18 Replies
Anyone else?
I guess I'm looking for a solution to allow two users to be able to upload to one directory without conflicts.
If anyone has an example of vsftpd or proftpd that uses multiple users I'd be interested in seeing their config files.
I'd suggest understanding what the 7 and 5 in '755' mean, and then applying that knowledge to the files you're trying to upload.
And your response to Xan concerns me… Do you actually understand the risks? Assuming you're using the system users for proftpd, you do realize you're sending the system passwords in the clear over the internet? The same passwords that could then be used to log into your node?
@mwalling:
That's because the 1 bit means "execute". Directories need execute permissions to be entered. Files need execute permissions to be executed. If proftpd allowed files to be executable, it might allow for arbitrary code execution.
I'd suggest understanding what the 7 and 5 in '755' mean, and then applying that knowledge to the files you're trying to upload.
And your response to Xan concerns me… Do you actually understand the risks? Assuming you're using the system users for proftpd, you do realize you're sending the system passwords in the clear over the internet? The same passwords that could then be used to log into your node?
Agreed, I understand the risks because what's going in the FTP directory is not important, not for web usage, and not accessible by any other source to the outside world etc… Also it has disk space limitations etc., etc. Even if it was compromised I have a script that checks which IP logged in.
I just need the ability for each user to share a directory. I was hoping adding them both to the same group would allow this, but no such luck with the restrictive permission settings.
@Xan:
It sounds like it will work, but as mwalling said, you need to examine the need for the execute bit on your files.
Ok, well, I don't need execute. I just need both users to be able to share one set of files/directories.
There are very few legitimate reasons to be running plain FTP in this day and age. It's strongly recommended that you use SFTP/SCP instead.
Or if you want to forgo all the advice given above, let the two users log in with the same ID/password and hence upload to the same account's home directory. I mean, if they're going to share the same directory and all the same files, what's the point of keeping one user's password secret to the other?
The best way to do it, put both users in the same group, then give the files/directories group write access. You'll also need to make sure the files/directories are owned by said group.
Running FTP over the internet with cleartext passwords is sorta okay, as long as you're not using system accounts for your FTP logins. Last I checked, ProFTPd allows you to use the system accounts, or store the info in files or a SQL database.
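As an added example that is not code from the thread: the two suggestions above (one shared group with a group-writable directory, and FTP logins that are separate from system accounts) put together for ProFTPD. Names are hypothetical: group ftpshare, users alice and bob, directory /srv/ftp/shared, auth file /etc/proftpd/ftpd.passwd. The root-only setup is in setup_share_root; demo_group_share and demo_dir_needs_execute reproduce the permission mechanics in a scratch directory so they can be run unprivileged (they assume GNU stat).

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names throughout.
SHARE=/srv/ftp/shared
AUTHFILE=/etc/proftpd/ftpd.passwd

# Root-only: one group, a setgid directory owned by it, and two FTP-only
# accounts stored in ProFTPD's own passwd file (no /etc/passwd entry, no
# shell), so a sniffed FTP password is not an SSH password.
setup_share_root() {
  groupadd -f ftpshare
  install -d -m 2775 -o root -g ftpshare "$SHARE"
  gid=$(getent group ftpshare | cut -d: -f3)
  uid=2001
  for u in alice bob; do
    # ftpasswd ships with ProFTPD and prompts for the password.
    ftpasswd --passwd --file="$AUTHFILE" --name="$u" \
      --uid="$uid" --gid="$gid" --home="$SHARE" --shell=/sbin/nologin
    uid=$((uid + 1))
  done
}

# proftpd.conf fragment: authenticate only against AUTHFILE, jail users
# in the shared directory, and create files 664 / directories 2775.
# Files never get the execute bit, which is what this thread was about.
write_proftpd_conf() {
  cat <<EOF
AuthOrder mod_auth_file.c
AuthUserFile $AUTHFILE
RequireValidShell off
DefaultRoot $SHARE
Umask 002 002
AllowOverwrite on
EOF
}

# Unprivileged demo: a 2775 directory plus umask 002 yields 664 files that
# carry the directory's group, so both group members can overwrite them.
# Prints "<dir mode> <file mode> <same-gid>".
demo_group_share() {
  scratch=$(mktemp -d)
  dir="$scratch/shared"
  mkdir -p "$dir"
  chmod 2775 "$dir"
  ( umask 002; echo upload > "$dir/from_alice.txt" )
  dmode=$(stat -c %a "$dir")
  fmode=$(stat -c %a "$dir/from_alice.txt")
  dgid=$(stat -c %g "$dir")
  fgid=$(stat -c %g "$dir/from_alice.txt")
  rm -rf "$scratch"
  if [ "$dgid" = "$fgid" ]; then same=yes; else same=no; fi
  echo "$dmode $fmode $same"
}

# Why the "1" bit is needed on directories but not on uploaded files:
# a readable 644 directory still cannot be entered (unless you are root,
# who bypasses the search check). Prints "<644 result> <755 result>".
demo_dir_needs_execute() {
  scratch=$(mktemp -d)
  mkdir "$scratch/d"
  : > "$scratch/d/f"
  chmod 644 "$scratch/d"
  if cat "$scratch/d/f" >/dev/null 2>&1; then r1=readable; else r1=denied; fi
  chmod 755 "$scratch/d"
  if cat "$scratch/d/f" >/dev/null 2>&1; then r2=readable; else r2=denied; fi
  rm -rf "$scratch"
  echo "$r1 $r2"
}
```

Run setup_share_root once as root, append write_proftpd_conf output to proftpd.conf, and restart proftpd; the two demo functions need no privileges. Because files are created 664 rather than via SITE CHMOD, the server's refusal of 755 on files never comes into play, and the setgid bit on the directory is what keeps every upload in the shared group regardless of which user made it.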
This would be okay, provided the passwords used for these users are not the same as any other passwords.
However, passwords in cleartext are a bad idea.
1) RegularUser logs in to FTP via public wifi
2) RegularUser's password is sniffed
3) EvilDude SSHs to your box
4) EvilDude runs a kernel root exploit
5) EvilDude changes your root password and has fun erasing/stealing your data and hosting up all sorts of nasty things
The only way to prevent this scenario is to not allow cleartext password authentication by NOT running FTP…
@Guspaz:
Just preventing the system account from logging in via FTP is hardly sufficient.
He said not using system accounts, i.e. the FTP server only uses its own accounts, so that #3 in your scenario isn't possible.
The suggestion wasn't to disable access to the "System" account (which should go without saying), but to have FTP logins that are completely separate from other logins in the system (like SSH).
Edit: bah! glg beat me to it.
I'd still urge that FTP is just a bad protocol to use in general, though; protocols that use cleartext authentication have no place on the net.