
File Permission Help

  • 29-09-2003 11:16am
    #1
    Closed Accounts Posts: 24


    I'm looking to set up an ftp and ssh server for my mates. However I want to tie down the file permissions so only those with correct access can access certain areas on the filesystem.

    Basically I want to be the user of the directory. I want one group, Managers, to have read/write access to a directory. The Users group will have read only access to the directory. And the Directory will be non-listable to everyone else.

    How is this possible to achieve when I can only set one Group Owner of a directory?

    Also, is there any link that outlines a good way of laying out a User/Group hierarchy?

    Thanks in advance.


Comments

  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    Ok well the first question I'd need to ask is will this server mainly be for FTP or SSH / Interactive Logins?

    That'll decide whether a 'fake' FTP filesystem can be used or whether you'll need to modify your 'real' filesystem.

    Just a caution at the beginning - if you're gonna let anyone (even your mates) into this Linux box, you'd be best off having it on a different physical PC from your real one.


  • Closed Accounts Posts: 24 Keyser Soze


    The FTP server is on a standalone PC on a DMZ. I'm using IPCop as the Firewall/Router.
    It has some SSH users but I find the SCP transferring files out kills the download speed. Therefore I decided to go down the road of FTP.
    I've ProFTP set up and the users go to the /ftp directory.
    As I said above I want ftp admin users with r/w access, and ftp users with read only. And not listable to any other users.


  • Closed Accounts Posts: 7,230 ✭✭✭scojones




  • Registered Users, Registered Users 2 Posts: 521 ✭✭✭Ronin


    Go take a look at vsftpd; it has some nice features these days, as well as giving different users different access levels. Check the EXAMPLE dir, I think, for more info on virtual users.

    freshmeat has links to it.


  • Registered Users, Registered Users 2 Posts: 2,518 ✭✭✭Hecate


    The best thing to do would be to just have the directory with your shared files owned by a 'manager' user or whatever, set the group ownership of the directory to Users and then make the manager user a member of Users.

    Now just set your permissions on the directory to drwxr-x--- , chmod 750 <dirname> will do this.

    This will mean that users in the Users group can only read from the directory, the manager user is the only one with write permissions and everyone else is denied access to the directory entirely. Hopefully this should solve your problem.

    In any case, you have to be uber-paranoid when running an FTP server these days; you might want to think about sticking it in a chroot environment, or a jail if you're using FreeBSD.
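
Added example, not part of the post above or of the thread: a shell sketch of how the kernel selects a single permission class for the layout described there (owner `manager`, group `Users`, mode 750). The user and group names `alice`, `bob`, `guest` and `Managers` are constructed; `bob` shows the case from the original question, where a second manager who is only in a separate Managers group falls into the "other" class and gets no access.

```shell
#!/bin/sh
# Added example; user and group names below are constructed for illustration.

# effective_perms MODE OWNER GROUP USER "USER_GROUPS"
# Prints the rwx triplet that applies to USER. The kernel picks exactly one
# class (owner, else group, else other); classes are never combined.
effective_perms() {
    ep_mode=$1 ep_owner=$2 ep_group=$3 ep_user=$4 ep_groups=$5
    ep_shift=0                          # default: "other" class
    if [ "$ep_user" = "$ep_owner" ]; then
        ep_shift=6                      # owner class
    else
        for ep_g in $ep_groups; do
            if [ "$ep_g" = "$ep_group" ]; then ep_shift=3; fi   # group class
        done
    fi
    ep_bits=$(( (0$ep_mode >> ep_shift) & 7 ))
    ep_out=""
    for ep_pair in 4:r 2:w 1:x; do
        if [ $(( ep_bits & ${ep_pair%%:*} )) -ne 0 ]; then
            ep_out="$ep_out${ep_pair#*:}"
        else
            ep_out="$ep_out-"
        fi
    done
    printf '%s\n' "$ep_out"
}

# mode_string DIR: the type and permission field from ls -ld, e.g. drwxr-x---
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a scratch directory: apply the mode from the post, then show who gets what.
demo_dir=$(mktemp -d)
chmod 750 "$demo_dir"
echo "mode after chmod 750: $(mode_string "$demo_dir")"
# manager owns the directory; alice is in Users; bob is only in a separate
# Managers group; guest is in neither.
for who in manager:Users alice:Users bob:Managers guest:nobody; do
    printf '%-8s %s\n' "${who%%:*}" \
        "$(effective_perms 750 manager Users "${who%%:*}" "${who#*:}")"
done
rmdir "$demo_dir"
```

On a directory, `r-x` means the user can list it and enter it but cannot create or delete entries; each file inside is still governed by its own mode.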


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    You also need to be scanning those logs - take note of any unusual intrusion attempts and any other oddball activity. Portscans will be the most common occurrence and you should make sure that any further attempts to login from addresses with portscans are stopped. If you build up a list of persistent offenders, particularly on your own provider's network, you can configure your server to accept no connections from them to any port.

    Passwords need to be good - you should do a 'crack' run once you get all your users registered. Also set your FTP and SSH servers only to allow one password attempt per connection - this slows down anyone who tries to guess your server's passwords.


  • Closed Accounts Posts: 24 Keyser Soze


    Thanks for the help guys.
    I found the answer to my problem here if anyone is interested.

    http://trustees.sourceforge.net/

    "The main goal of Linux trustees project is to create an advanced permission management system for linux. In fact, UNIX permission system is not suitable for solution of very common tasks."
    "The solution proposed is mainly inspired by Novell Netware approach and Java security API."

