vsftpd configuration for shared website folder with file permissions coherenceQuotas in vsftpd?Allow...

OP Amp not amplifying audio signal

Bullying boss launched a smear campaign and made me unemployable

How obscure is the use of 令 in 令和?

How to remove border from elements in the last row?

How to coordinate airplane tickets?

Forgetting the musical notes while performing in concert

How to travel to Japan while expressing milk?

Why is it a bad idea to hire a hitman to eliminate most corrupt politicians?

What is the most common color to indicate the input-field is disabled?

How to prevent "they're falling in love" trope

files created then deleted at every second in tmp directory

Should I tell management that I intend to leave due to bad software development practices?

How to Prove P(a) → ∀x(P(x) ∨ ¬(x = a)) using Natural Deduction

What is an equivalently powerful replacement spell for the Yuan-Ti's Suggestion spell?

Can a virus destroy the BIOS of a modern computer?

How do conventional missiles fly?

Convert seconds to minutes

How badly should I try to prevent a user from XSSing themselves?

Finitely generated matrix groups whose eigenvalues are all algebraic

How does a dynamic QR code work?

One verb to replace 'be a member of' a club

Notepad++ delete until colon for every line with replace all

Rotate ASCII Art by 45 Degrees

Placement of More Information/Help Icon button for Radio Buttons



vsftpd configuration for shared website folder with file permissions coherence


Quotas in vsftpd?Allow anonymous upload for Vsftpd?Cannot read/write FTP directory vsftpd on centos 6.0 (empty folder)What permissions should my website files/folders have on a Linux webserver?vsftpd default permissions for website directory and ftpvsFTPd default uploaded file permissions on Ubuntu not workingvsftpd permissions for virtual users with Apache SUexec compatibilityPermissions prevent file upload in vsftpdWhat owner should be for ftp user home folder(ubuntu, vsftpd)VSFTP virtual users upload with user owner













0















I'm trying to (re)configure my vsftpd server (linux/ubuntu machine) and a corresponding shared website folder in a way that ideally respect the following constraints:




  • The virtual vsftpd user is called rootftp, and it belongs to a group called edev that also includes bob, the (sudo) sysadmin: he helps sometimes but it's not in charge of developing the site. Anyway, bob's wants to be able to modify any file without using superpowers (for instance, he doesn't want to be constantly checking if some file owner has change to root when playing around within the folder). Anyway, the edev group is designed to be a family that could grow in some point in the future, as implied by its name.

  • No file/folder in the website folder is world accesible (others have no permissions).

  • Apache (www-data) have the usual read-only permissions, except that it has write permissions for the usual "upload folder".

  • The edev's members must have rw and rwx permissions for files/folders.

  • Anonymous ftp login is forbidden.

  • Virtual users actions must not affect any previous restriction in anyway (creating a file with incorrect user, group or permissions).


The last point is my main problem. The most obvious approach is to chown everything as www-data:edevs, setting setgid to every folder, and finally set per virtual user (to don't change vsftpd.conf):



virtual_use_local_privs=NO

chown_uploads=YES

chown_username=www-data

chown_open_mode=0450

anon_umask=007

# set other required anon_* directive.


but that has its own set of problems:




  1. folders won't have execute permissions by default, because the open mode is the same for files and folders.

  2. even if that can magically be solved, in case the upload folder changes for any reason (it is removed and then recreated for testing), the virtual user cannot apply the FTP CHMOD command to recover the apache write permissions because rootftp cannot change its permissions now, since the owner has changed.

  3. another solution is to forbid the upload folder deletion, so its permissions are preserved after its original creation (bob can set them once and forever), but I haven't found the way to do it. The most closed thing I have found is to set chattr +i upload, but that will prevent every type of modification, not just "deletion". Setting the sticky bit to its parent directory will forbid the group (rootftp and bob) to add files, which is far from ideal. I don't know if a bind mount can help here either.


Another approach is to let the current configuration as it is, forget bob's comfort and a potential group of developers (every other edev's member will be forced to exclusively use ftp, even when ssh access could be granted), and chown everything as rootftp:www-data, although problem (1) will still be present (fact that annoys me).






permissions vsftpd






share



























    0















    I'm trying to (re)configure my vsftpd server (linux/ubuntu machine) and a corresponding shared website folder in a way that ideally respect the following constraints:




    • The virtual vsftpd user is called rootftp, and it belongs to a group called edev that also includes bob, the (sudo) sysadmin: he helps sometimes but it's not in charge of developing the site. Anyway, bob's wants to be able to modify any file without using superpowers (for instance, he doesn't want to be constantly checking if some file owner has change to root when playing around within the folder). Anyway, the edev group is designed to be a family that could grow in some point in the future, as implied by its name.

    • No file/folder in the website folder is world accesible (others have no permissions).

    • Apache (www-data) have the usual read-only permissions, except that it has write permissions for the usual "upload folder".

    • The edev's members must have rw and rwx permissions for files/folders.

    • Anonymous ftp login is forbidden.

    • Virtual users actions must not affect any previous restriction in anyway (creating a file with incorrect user, group or permissions).


    The last point is my main problem. The most obvious approach is to chown everything as www-data:edevs, setting setgid to every folder, and finally set per virtual user (to don't change vsftpd.conf):



    virtual_use_local_privs=NO
    
chown_uploads=YES
    
chown_username=www-data
    
chown_open_mode=0450
    
anon_umask=007
    
# set other required anon_* directive.


    but that has its own set of problems:




    1. folders won't have execute permissions by default, because the open mode is the same for files and folders.

    2. even if that can magically be solved, in case the upload folder changes for any reason (it is removed and then recreated for testing), the virtual user cannot apply the FTP CHMOD command to recover the apache write permissions because rootftp cannot change its permissions now, since the owner has changed.

    3. another solution is to forbid the upload folder deletion, so its permissions are preserved after its original creation (bob can set them once and forever), but I haven't found the way to do it. The most closed thing I have found is to set chattr +i upload, but that will prevent every type of modification, not just "deletion". Setting the sticky bit to its parent directory will forbid the group (rootftp and bob) to add files, which is far from ideal. I don't know if a bind mount can help here either.


    Another approach is to let the current configuration as it is, forget bob's comfort and a potential group of developers (every other edev's member will be forced to exclusively use ftp, even when ssh access could be granted), and chown everything as rootftp:www-data, although problem (1) will still be present (fact that annoys me).






    permissions vsftpd






    share

























      0












      0








      0








      I'm trying to (re)configure my vsftpd server (linux/ubuntu machine) and a corresponding shared website folder in a way that ideally respect the following constraints:




      • The virtual vsftpd user is called rootftp, and it belongs to a group called edev that also includes bob, the (sudo) sysadmin: he helps sometimes but it's not in charge of developing the site. Anyway, bob's wants to be able to modify any file without using superpowers (for instance, he doesn't want to be constantly checking if some file owner has change to root when playing around within the folder). Anyway, the edev group is designed to be a family that could grow in some point in the future, as implied by its name.

      • No file/folder in the website folder is world accesible (others have no permissions).

      • Apache (www-data) have the usual read-only permissions, except that it has write permissions for the usual "upload folder".

      • The edev's members must have rw and rwx permissions for files/folders.

      • Anonymous ftp login is forbidden.

      • Virtual users actions must not affect any previous restriction in anyway (creating a file with incorrect user, group or permissions).


      The last point is my main problem. The most obvious approach is to chown everything as www-data:edevs, setting setgid to every folder, and finally set per virtual user (to don't change vsftpd.conf):



      virtual_use_local_privs=NO
      
chown_uploads=YES
      
chown_username=www-data
      
chown_open_mode=0450
      
anon_umask=007
      
# set other required anon_* directive.


      but that has its own set of problems:




      1. folders won't have execute permissions by default, because the open mode is the same for files and folders.

      2. even if that can magically be solved, in case the upload folder changes for any reason (it is removed and then recreated for testing), the virtual user cannot apply the FTP CHMOD command to recover the apache write permissions because rootftp cannot change its permissions now, since the owner has changed.

      3. another solution is to forbid the upload folder deletion, so its permissions are preserved after its original creation (bob can set them once and forever), but I haven't found the way to do it. The most closed thing I have found is to set chattr +i upload, but that will prevent every type of modification, not just "deletion". Setting the sticky bit to its parent directory will forbid the group (rootftp and bob) to add files, which is far from ideal. I don't know if a bind mount can help here either.


      Another approach is to let the current configuration as it is, forget bob's comfort and a potential group of developers (every other edev's member will be forced to exclusively use ftp, even when ssh access could be granted), and chown everything as rootftp:www-data, although problem (1) will still be present (fact that annoys me).






      permissions vsftpd






      share














      I'm trying to (re)configure my vsftpd server (linux/ubuntu machine) and a corresponding shared website folder in a way that ideally respect the following constraints:




      • The virtual vsftpd user is called rootftp, and it belongs to a group called edev that also includes bob, the (sudo) sysadmin: he helps sometimes but it's not in charge of developing the site. Anyway, bob's wants to be able to modify any file without using superpowers (for instance, he doesn't want to be constantly checking if some file owner has change to root when playing around within the folder). Anyway, the edev group is designed to be a family that could grow in some point in the future, as implied by its name.

      • No file/folder in the website folder is world accesible (others have no permissions).

      • Apache (www-data) have the usual read-only permissions, except that it has write permissions for the usual "upload folder".

      • The edev's members must have rw and rwx permissions for files/folders.

      • Anonymous ftp login is forbidden.

      • Virtual users actions must not affect any previous restriction in anyway (creating a file with incorrect user, group or permissions).


      The last point is my main problem. The most obvious approach is to chown everything as www-data:edevs, setting setgid to every folder, and finally set per virtual user (to don't change vsftpd.conf):



      virtual_use_local_privs=NO
      
chown_uploads=YES
      
chown_username=www-data
      
chown_open_mode=0450
      
anon_umask=007
      
# set other required anon_* directive.


      but that has its own set of problems:




      1. folders won't have execute permissions by default, because the open mode is the same for files and folders.

      2. even if that can magically be solved, in case the upload folder changes for any reason (it is removed and then recreated for testing), the virtual user cannot apply the FTP CHMOD command to recover the apache write permissions because rootftp cannot change its permissions now, since the owner has changed.

      3. another solution is to forbid the upload folder deletion, so its permissions are preserved after its original creation (bob can set them once and forever), but I haven't found the way to do it. The most closed thing I have found is to set chattr +i upload, but that will prevent every type of modification, not just "deletion". Setting the sticky bit to its parent directory will forbid the group (rootftp and bob) to add files, which is far from ideal. I don't know if a bind mount can help here either.


      Another approach is to let the current configuration as it is, forget bob's comfort and a potential group of developers (every other edev's member will be forced to exclusively use ftp, even when ssh access could be granted), and chown everything as rootftp:www-data, although problem (1) will still be present (fact that annoys me).






      permissions vsftpd




      permissions vsftpd





      share












      share










      share



      share










      asked 2 mins ago









      Peregring-lkPeregring-lk

      292314




      292314






















          0






          active

          oldest

          votes












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "2"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f961224%2fvsftpd-configuration-for-shared-website-folder-with-file-permissions-coherence%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f961224%2fvsftpd-configuration-for-shared-website-folder-with-file-permissions-coherence%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

          Image
          Муніципалітети департаменту Йонна фр.муніципалітетФранціїБургундія-Франш-КонтеЙоннаПарижаДіжонаОсера Фонтен-ла-Гаярд Fontaine-la-Gaillarde Країна  Франція Регіон Бургундія-Франш-Конте  Департамент Йонна  Округ Сан Кантон Сан-Норд-Ест Код INSEE 89172 Поштові індекси 89100 Координати 48°13′13″ пн. ш. 3°22′51″ сх. д. H G O Висота 111 - 234 м.н.р.м. Площа 10,61 км² Населення 502 (2011-01-01) Густота 47,31 ос./км² Розміщення Влада Мер Мандат Michel Papinaud 2014-2020 Фонте́н-ла-Гая́рд , Фонтен-ла-Ґаярд (фр. Fontaine-la-Gaillarde ) — муніципалітет у Франції, у регіоні Бургундія-Франш-Конте, департамент Йонна. Населення — 502 осіб (2011) [1] . Муніципалітет розташований на відстані [2] близько 105 км на південний схід від Парижа, 160 км на північний захід від Діжона, 50 км на північ від Осера. Зміст 1 Демографія 2 Економіка 3 Посилання 4 Див. т...
          Read more

          Список ссавців Італії Природоохоронні статуси | Список |...

          Image
          Списки ссавцівФауна ІталіїСписки:ІталіяСсавці Італії ІталіїМСОПХижіCetartiodactylaРукокриліКомахоїдніЗайцеподібніГризуниМСОП ссавці Італії ? Італія Біорегіон Біогеографічний екорегіон Голарктика Екозона Палеарктика Біом субтропічний ліс, альпійські луки, прісні води, континентальний шельф, континентальний схил Місцевість Континент Європа Країна Італія Територія Середземне море Фауна більшого обсягу За географією фауна Європи За систематикою ссавці, фауна Італії За екологією суходільна фауна, морська фауна За біогеографією теріофауна Європи Геологічний вік сучасність Особливості Видовий обсяг 121 Чужорідні види Genetta genetta, Ondatra zibethicus, Oryctolagus cuniculus, Rattus norvegicus, Rattus rattus, Sciurus carolinensis, Tamias sibiricus Список ссавців Італії містить перелік видів, записаних на території Італії (південна Європа) згідно з ...
          Read more

          Маріан Котлеба Зміст Життєпис | Політичні погляди |...

          Image
          Народились 7 квітняНародились 1977Уродженці Банської БистриціВипускники Університету Матея БелаСловацькі політикиРевізіоністи ГолокостуРомофобиУльтраправіШовіністиПопулізмКритики Європейського союзуАнтиамериканізм словац.7 квітня1977Банська БистрицяЧССРультраправийсловацькийполітикЙозефу ТісоПершій Словацькій республіціВолодимиру ПутінуциганНАТОСШАЄвросоюзусловацьке національне повстанняантисемітськоїпопулістської«Котлеба — Народної партії Наша Словаччина»Банськобистрицького краю7 квітня1977Банська БистрицяЧССРуніверситету Матея Бела20062000200921 лютого2010єврословацьку кронугромадського партнерстваЄСНАТОромської меншини2012напіввоєнізованих структурМіністерство внутрішніх справчервні2016Верховний судБанськобистрицькому краї2016однопалатний словацький законодавчий орган«Котлеба — Народна партія Наша Словаччина»Банськобистрицького краю«Глінкова гвардія»Другої світової війни«Революцію гідності» Маріан Котлеба словац. Marian Kotleba Народився 7 квітня 1977 ( 1977-04-...
          Read more