Differentiated writable permissions
in [Debian]
|
Prev: Iceweasel/FF takes too much time to close (because it frees memory)
Next: How can I select more than one file in some file list using some key('s) (combination if necessary) (Nautilus)?
From: Daniel Bareiro on 3 Jun 2010 06:40 Hi all! Yesterday someone asked me the possibility to create two users for FTP access. One that had the ability to create any type of file and other that could create any type of files except directories to avoid changing the structure of the access tree. As I'm using ProFTPd, I thought this could be done at application level as follows: <Directory /home/ftphome/*> <Limit MKD RMD> Order Allow,Deny AllowUser adminftp Deny ALL </Limit> </Directory> But the following restlessness arose to me: if I want to do this at the filesystem, how could I get it? Because the writing permission that we can set for user/group does not discriminate types of archives. Thanks in advance for your replies. Regards, Daniel -- Fingerprint: BFB3 08D6 B4D1 31B2 72B9 29CE 6696 BF1B 14E6 1D37 Powered by Debian GNU/Linux Lenny - Linux user #188.598
From: Anand Sivaram on 3 Jun 2010 13:10 On Thu, Jun 3, 2010 at 16:09, Daniel Bareiro <daniel-listas(a)gmx.net> wrote: > Hi all! > > Yesterday someone asked me the possibility to create two users for FTP > access. One that had the ability to create any type of file and other > that could create any type of files except directories to avoid changing > the structure of the access tree. > > As I'm using ProFTPd, I thought this could be done at application level > as follows: > > > <Directory /home/ftphome/*> > <Limit MKD RMD> > Order Allow,Deny > AllowUser adminftp > Deny ALL > </Limit> > </Directory> > > > But the following restlessness arose to me: if I want to do this at the > filesystem, how could I get it? Because the writing permission that we > can set for user/group does not discriminate types of archives. > > Thanks in advance for your replies. > > Regards, > Daniel > -- > Fingerprint: BFB3 08D6 B4D1 31B2 72B9 29CE 6696 BF1B 14E6 1D37 > Powered by Debian GNU/Linux Lenny - Linux user #188.598 > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > > iEYEARECAAYFAkwHhlYACgkQZpa/GxTmHTfuGACfaO9nBr2dI/zTtM2Sey7DJkfX > wFUAn1HiWA+Pnb/7e3xAjFni7XasBtsq > =2u6r > -----END PGP SIGNATURE----- > > I dont think you could do that in filesystem level, since when 'w' permission is given the user could create both files and directories, but without 'w' permission the user cant do both. May be you could give readonly permission to all directories except one where this user could create any type of files including directories and normal files.
From: thib on 4 Jun 2010 06:40
Anand Sivaram wrote: > I dont think you could do that in filesystem level, since when 'w' > permission is given the user could create both files and directories, but > without 'w' permission the user cant do both. May be you could give > readonly permission to all directories except one where this user could > create any type of files including directories and normal files. POSIX won't allow it, but another layer could (a virtual filesystem, mandatory access control systems, ...) The reason nobody seems to care very much is that determining the file type is very difficult to do reliably. Obviously filename extensions are useless, but format signatures can also be easily faked. Even the human eye can be fooled by some steganographic contents, and a directory structure could take the form of an archive. Restricting file types to a directory is just not something you usually do. But maybe there are special use cases. -t -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/4C08D6EB.2000908(a)stammed.net |