vsftpd configuration for shared website folder with file permissions coherence

I'm trying to (re)configure my vsftpd server (Linux/Ubuntu machine) and a corresponding shared website folder in a way that ideally respects the following constraints:

  • The virtual vsftpd user is called rootftp, and it belongs to a group called edev that also includes bob, the (sudo) sysadmin: he helps sometimes but he's not in charge of developing the site. Anyway, bob wants to be able to modify any file without using superpowers (for instance, he doesn't want to be constantly checking if some file owner has changed to root when playing around within the folder). Anyway, the edev group is designed to be a family that could grow at some point in the future, as implied by its name.

  • No file/folder in the website folder is world accessible (others have no permissions).

  • Apache (www-data) has the usual read-only permissions, except that it has write permissions for the usual "upload folder".

  • The edev's members must have rw and rwx permissions for files/folders.

  • Anonymous ftp login is forbidden.

  • Virtual users' actions must not affect any previous restriction in any way (creating a file with incorrect user, group or permissions).

The last point is my main problem. The most obvious approach is to chown everything as www-data:edevs, setting setgid on every folder, and finally set per virtual user (to avoid changing vsftpd.conf):

virtual_use_local_privs=NO
chown_uploads=YES
chown_username=www-data
chown_open_mode=0450
anon_umask=007
# set other required anon_* directive.

but that has its own set of problems:

  1. Folders won't have execute permissions by default, because the open mode is the same for files and folders.

  2. Even if that can magically be solved, in case the upload folder changes for any reason (it is removed and then recreated for testing), the virtual user cannot apply the FTP CHMOD command to recover the Apache write permissions because rootftp cannot change its permissions now, since the owner has changed.

  3. Another solution is to forbid the upload folder deletion, so its permissions are preserved after its original creation (bob can set them once and forever), but I haven't found the way to do it. The closest thing I have found is to set chattr +i upload, but that will prevent every type of modification, not just "deletion". Setting the sticky bit on its parent directory will forbid the group (rootftp and bob) to add files, which is far from ideal. I don't know if a bind mount can help here either.

Another approach is to leave the current configuration as it is, forget bob's comfort and a potential group of developers (every other edev's member will be forced to exclusively use ftp, even when ssh access could be granted), and chown everything as rootftp:www-data, although problem (1) will still be present (a fact that annoys me).

permissions vsftpd

asked 2 mins ago

Peregring-lk
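
An added example, not part of the original question: a shell function that audits a tree against the constraints listed in the post (owner and group, no access for others, group rw/rwx, setgid folders, owner write only inside the upload folder). The argument order and the violation codes are this example's own choices, and the path shown in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: report entries in a website tree that drift from the
# constraints listed in the question. Arguments are assumptions of this sketch:
#   audit_tree ROOT OWNER GROUP UPLOAD_DIR_NAME
# e.g. audit_tree /path/to/site www-data edev upload   (path is a placeholder)
# Prints one "CODE path" line per violation; no output means compliant.
# Symlinks are skipped; paths containing newlines are not handled.

tag() { sed "s/^/$1 /"; }

audit_tree() {
    root=$1 owner=$2 group=$3 upload=$4

    # Ownership: every entry should be OWNER:GROUP.
    find "$root" ! -type l ! -user "$owner"  | tag BAD_OWNER
    find "$root" ! -type l ! -group "$group" | tag BAD_GROUP

    # "Others have no permissions": any r, w or x bit for others is drift.
    find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) |
        tag WORLD_ACCESS

    # Group members need rwx on folders and rw on files.
    find "$root" -type d ! -perm -070 | tag DIR_GROUP_NOT_RWX
    find "$root" -type f ! -perm -060 | tag FILE_GROUP_NOT_RW

    # Folders need setgid so that new entries inherit the group.
    find "$root" -type d ! -perm -2000 | tag DIR_NO_SETGID

    # The owner (the web server account) is read-only outside the upload folder.
    find "$root" -path "$root/$upload" -prune -o ! -type l -perm -200 -print |
        tag OWNER_WRITE_OUTSIDE_UPLOAD

    # The upload folder must exist, belong to OWNER and be owner-writable,
    # which is what is lost when it is deleted and recreated by another user.
    find "$root/$upload" -prune -type d -user "$owner" -perm -300 2>/dev/null |
        grep -q . || echo "UPLOAD_NOT_OWNER_WRITABLE $root/$upload"
}
```

Run it from cron or after each deployment; any output line names the constraint that was broken and the path that broke it.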