From: Daniel Bareiro on
Hi all!

Yesterday someone asked me about the possibility of creating two users
for FTP access: one that had the ability to create any type of file and
another that could create any type of file except directories, to avoid
changing the structure of the access tree.

As I'm using ProFTPd, I thought this could be done at application level
as follows:


<Directory /home/ftphome/*>
  <Limit MKD RMD>
    Order Allow,Deny
    AllowUser adminftp
    Deny ALL
  </Limit>
</Directory>


But the following restlessness arose to me: if I want to do this at the
filesystem, how could I get it? Because the writing permission that we
can set for user/group does not discriminate types of archives.

Thanks in advance for your replies.

Regards,
Daniel
--
Fingerprint: BFB3 08D6 B4D1 31B2 72B9 29CE 6696 BF1B 14E6 1D37
Powered by Debian GNU/Linux Lenny - Linux user #188.598
From: Anand Sivaram on
On Thu, Jun 3, 2010 at 16:09, Daniel Bareiro <daniel-listas(a)gmx.net> wrote:

> Hi all!
>
> Yesterday someone asked me about the possibility of creating two users
> for FTP access: one that had the ability to create any type of file and
> another that could create any type of file except directories, to avoid
> changing the structure of the access tree.
>
> As I'm using ProFTPd, I thought this could be done at application level
> as follows:
>
>
> <Directory /home/ftphome/*>
>   <Limit MKD RMD>
>     Order Allow,Deny
>     AllowUser adminftp
>     Deny ALL
>   </Limit>
> </Directory>
>
>
> But the following restlessness arose to me: if I want to do this at the
> filesystem, how could I get it? Because the writing permission that we
> can set for user/group does not discriminate types of archives.
>
> Thanks in advance for your replies.
>
> Regards,
> Daniel
> --
> Fingerprint: BFB3 08D6 B4D1 31B2 72B9 29CE 6696 BF1B 14E6 1D37
> Powered by Debian GNU/Linux Lenny - Linux user #188.598
>
I don't think you could do that at the filesystem level, since when 'w'
permission is given the user could create both files and directories, but
without 'w' permission the user can't do both. Maybe you could give
read-only permission to all directories except one where this user could
create any type of files including directories and normal files.
From: thib on
Anand Sivaram wrote:
> I don't think you could do that at the filesystem level, since when 'w'
> permission is given the user could create both files and directories, but
> without 'w' permission the user can't do both. Maybe you could give
> read-only permission to all directories except one where this user could
> create any type of files including directories and normal files.

POSIX won't allow it, but another layer could (a virtual filesystem,
mandatory access control systems, ...)

The reason nobody seems to care very much is that determining the file type
is very difficult to do reliably. Obviously filename extensions are
useless, but format signatures can also be easily faked. Even the human eye
can be fooled by some steganographic contents, and a directory structure
could take the form of an archive.

Restricting file types to a directory is just not something you usually do.
But maybe there are special use cases.

-t


Archive: http://lists.debian.org/4C08D6EB.2000908(a)stammed.net
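
The behaviour described in the replies above can be checked directly. The following is an added example, not part of the original thread: it probes a scratch directory with and without the 'w' bit and reports whether a regular file and a subdirectory can be created. The function names and the `upload` directory are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: everything happens in a scratch directory from mktemp.
# Note: root (CAP_DAC_OVERRIDE) bypasses the mode bits, so run this as an
# unprivileged user to see the "denied" results.

# try_create DIR -> prints "file=<ok|denied> dir=<ok|denied>"
try_create() {
    d=$1
    # Subshell: a failed redirection must not abort the calling shell.
    if ( : > "$d/probe.txt" ) 2>/dev/null; then f=ok; else f=denied; fi
    if mkdir "$d/probe.d" 2>/dev/null; then s=ok; else s=denied; fi
    echo "file=$f dir=$s"
}

# probe_mode MODE -> make a fresh directory with MODE, report what can be
# created inside it, then clean up.
probe_mode() {
    base=$(mktemp -d) || return 1
    mkdir "$base/upload"
    chmod "$1" "$base/upload"
    try_create "$base/upload"
    chmod 700 "$base/upload"   # restore 'w' so the cleanup can succeed
    rm -rf "$base"
}

# same_outcome "file=X dir=Y" -> succeeds when X and Y are identical,
# i.e. the permission check did not distinguish the two object types.
same_outcome() {
    f=${1%% *}; f=${f#file=}
    s=${1##* }; s=${s#dir=}
    [ "$f" = "$s" ]
}

echo "mode 0755 (w set):   $(probe_mode 0755)"
echo "mode 0555 (w clear): $(probe_mode 0555)"
```

In both modes the file and directory results match, which is why the restriction has to live in the FTP server's Limit section or in another layer such as a MAC policy.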