"The Linux Gazette...making Linux just a little more fun!"


(?) The Answer Guy (!)


By James T. Dennis, [email protected]
LinuxCare, http://www.linuxcare.com/


(?) ftpacess and the Incoming Conundrum

From Ron McKown on Mon, 19 Jul 1999

(?) greetings james!

i have a question for you, and this question has been everywhere. no one seems to be able to answer it.... let me explain what i am trying to do:

i would like anonymous ftp users to upload files and make directories with specific ownership and file permissions. sounds easy, right?

(!) Nope. It doesn't. Of course we'd need to know the specific desired ownership and permissions; but there is no generalized support for this in the WU ftpd nor in the old Berkeley daemon.

(?) i've been banging my head against the wall for weeks now over this. i've read the ftpaccess man page 20 times. i understand everything that /etc/ftpaccess is capable of doing. the 'upload' feature of ftpaccess looks like my ticket, but it doesn't seem to work no matter what i do.

(!) If you understand everything about ftpaccess then you are much smarter than I am. I've read it at least 50 times and I still find some elements confusing. I've learned a bit about it from many experiments --- which have shed light on some of the man page details.

(?) i would very much like to send you a copy of my ftpaccess file but first i would like to see if you can help me otherwise.

(!) I probably can't help with ftpaccess.

(?) i think i'm missing a setting or i'm missing a concept.. maybe i need to look at group settings some more or maybe a group setting isn't configured correctly.

is this a umask issue?? if so, what should i set my defumask to in my /etc/ftpaccess?

(!) Read on.

(?) please reply by email if you are able to help. i've a client breathing down my neck about this (i'm sure you know the feeling).

thanks james,

Ron McKown GM Consulting

-- Ron McKown

(!) Unfortunately I think you're trying to drive a screw with a hammer.
The wu-ftpd mechanisms for controlling access to the incoming directory are very limited. You can use the flag nodirs to disable the ability to make directories thereunder, you can allow or restrict the chmod command, and you can set the umask (among other things).
However, I don't know of any combination of these that would match your needs. umask settings only apply to newly created FILES not to DIRECTORIES.
The frustrating thing is that it seems that you can "almost" get what you want with the right combination of ftpaccess settings and underlying (OS) permissions, ownership and account settings (/etc/passwd, and /etc/group).
I've been there. It was a bad place.
You might be able to cook up a statically linked binary program that you put in the ftp/chroot /bin directory and allow the users to call with a site/quote command. That could create a directory and set the permission. However, I've never written such a command, and it might be very difficult to write one that was sufficiently robust that you could trust it.
In addition it is difficult for users to use site/quote commands through many FTP clients (and some GUI clients will make it impossible).
You'd probably be far better off using ProFTPd (http://www.proftpd.org). This is a GPL'd FTP daemon package with a configuration file that's deliberately similar in structure and syntax to the (now) ubiquitous Apache/NCSA .conf files.
In their discussion of their UMASK directive they mention that umask modifies the permissions on directorie and files --- but they refer one to the OS documentation for details (ProFTPd runs on many UNIX platforms other than Linux). That suggests that they aren't currently doing anything beyond the current Linux UMASK semantics.
I've heard discussion of a DMASK setting, but I believe it was purely hypothetical and never implemented in Linux. (I don't know anything about such a setting in other OS').
However, I've copied the proftpd developers list on this response in the hopes that they can shed some light on this subject for us. (Any fruits from this discussion will be summarized, credited and posted to the Linux Gazette Answer Guy's column http://www.linuxgazette.net).
You don't mention your specific needs. What are the desired constraints on the created subdirectory's ownership and permissions? Let's say you created a group 'strange' and set the mode of the incoming directory to something like 3772 (sticky, SGID, world writable, executable and readable to owner and group).
It might allow one to force all directories created below that point to be group-owned by 'strange' and set to the same permissions as the parents. (That's the normal affect of an SGID directory (mode +2000) under Linux).
Only the owner of a file would be able to remove them (that's the normal affect of the sticky bit, mode +1000).
Having considered the OS level affects we then ask what ProFTPd directives would model your requirements. I can't even speculate, since I don't know them.
Even if you need to hack in some custom code (into the daemon) I would think that ProFTPd would be a cleaner code base to work from than wuftpd. ProFTPd is under GPL so you're licensed to modify it, and to distribute modified versions (so long as you make your patches available to the public under GPL if you exercise both of those rights).
There are a number of other FTP daemons available.
ncFTPd (by Mike Gleason) is shareware. You can freely use it for personal systems (up to 3 concurrent connectios) and some non-profit/educational institutions (read his license at http://www.ncftp.com for details). However it doesn't appear to exactly what you're looking for.
I do see (in ncftpd's documentation pages) a rather interesting discussion about "eventd" --- a deamon to process actions based on FTP deamon events (such as file and directory creations!). That looks rather interesting.... There's also a upload-event processor option in Mike's general.cf file that might be easier than writing a daemon (at the expense of greater server load since a new processes would be spawned for each such event, rather than a lightweight message from one daemon to another).
Yet another FTP daemon package is BeroFTPd by Bernhard Rosenkraenzer. Unfortunately he doesn't seem to maintain a web-based copy of his documentation (or even a web site for that matter), and I don't have the time to download that and read through the tar file. You can find BeroFTPd using a quick Freshmeat search. (http://www.freshmeat.net).
You'll probably find what you need in one of these packages, or perhaps with a bit of coding and patching to one of them.

(?) ftpacess and the Incoming Conundrum

From Ron McKown on Tue, 20 Jul 1999

howdy!
thank you so much for your quick response to my problem. i didn't realize that doing something like this would be so difficult! it looks like i will have to go with another ftp server afterall.

again, thanks for the excellent reply!

Ron McKown
GM Consulting


Copyright © 1999, James T. Dennis
Published in The Linux Gazette Issue 44 August 1999
HTML transformation by Heather Stern of Starshine Techinical Services, http://www.starshine.org/


[ Answer Guy Index ] 1 4 7 9
11 12 14 17
18 19 20 21 24 25 26
28 29 30 31 32 33 34
35 36 37 38 39 40 41
42 43 44 45 46 47 48


[ Table Of Contents ] [ Front Page ] [ Previous Section ] [ Next Section ]