aot2002
Joined: 27 Mar 2009
Posts: 28
Posted: Wed Aug 26, 2009 11:40 am Post subject: Ftp Chmod 755
I have two users who I want in the same FTP directory and I know if the chmod is right each user should be able to upload and have the same permissions.
Currently proftpd won't allow 755 permissions.
How else can I solve this issue? I've tried local umask but I'm a bit stumped.
Xan
Joined: 08 Feb 2004
Posts: 562
Location: Austin
Posted: Wed Aug 26, 2009 2:44 pm
It's really inappropriate to be running FTP over the public Internet.
aot2002
Joined: 27 Mar 2009
Posts: 28
Posted: Wed Aug 26, 2009 2:55 pm
I understand the risks, thanks.
Anyone else?
saman007uk
Joined: 16 Oct 2004
Posts: 168
Posted: Wed Aug 26, 2009 5:00 pm
What do you mean by "currently proftpd wont allow 755 permissions."? Error messages, logs ...
aot2002
Joined: 27 Mar 2009
Posts: 28
Posted: Wed Aug 26, 2009 8:48 pm
For security reasons proftpd doesn't allow uploaded files to be chmod 755, only directories.
I guess I'm looking for a solution to allow two users to be able to upload to one directory without conflicts.
If anyone has an example of vsftpd or proftpd that uses multiple users I'd be interested in seeing their config files.
mwalling
Joined: 10 Dec 2007
Posts: 335
Posted: Thu Aug 27, 2009 10:57 am
That's because the 1 bit means "execute". Directories need execute permissions to be entered. Files need execute permissions to be executed. If proftpd allowed files to be executable, it might allow for arbitrary code execution.
I'd suggest understanding what the 7 and 5 in '755' mean, and then applying that knowledge to the files you're trying to upload.
And your response to Xan concerns me... *DO* you actually understand the risks? Assuming you're using the system users for proftpd, you do realize you're sending the system passwords in the clear over the internet? The same passwords that could then be used to log into your node?
aot2002
Joined: 27 Mar 2009
Posts: 28
Posted: Thu Aug 27, 2009 11:19 am
mwalling wrote: That's because the 1 bit means "execute". Directories need execute permissions to be entered. Files need execute permissions to be executed. If proftpd allowed files to be executable, it might allow for arbitrary code execution.
I'd suggest understanding what the 7 and 5 in '755' mean, and then applying that knowledge to the files you're trying to upload.
And your response to Xan concerns me... *DO* you actually understand the risks? Assuming you're using the system users for proftpd, you do realize you're sending the system passwords in the clear over the internet? The same passwords that could then be used to log into your node?
Agreed, I understand the risks because what's going in the FTP directory is not important and not for web usage and not accessible by any other source to the outside world etc... also it has disk space limitations etc.. etc.. Even if it was compromised I have a script that checks which IP logged in.
I just need the ability for each user to share a directory. I was hoping adding them both to the same group would allow this but no such luck with the restrictive permission settings.
Xan
Joined: 08 Feb 2004
Posts: 562
Location: Austin
Posted: Thu Aug 27, 2009 1:00 pm
It sounds like it will work, but as mwalling said, you need to examine the need for the execute bit on your files.
aot2002
Joined: 27 Mar 2009
Posts: 28
Posted: Thu Aug 27, 2009 2:06 pm
Xan wrote: It sounds like it will work, but as mwalling said, you need to examine the need for the execute bit on your files.
OK, well I don't need execute, I just need both users' ability to share one set of files / directories.
Xan
Joined: 08 Feb 2004
Posts: 562
Location: Austin
Posted: Thu Aug 27, 2009 2:20 pm
If you don't need the execute bit, why are you setting it?
Guspaz
Joined: 26 May 2009
Posts: 1147
Location: Montreal, QC
Posted: Thu Aug 27, 2009 3:31 pm
You don't seem to understand the risks here. It's not about the security that you've set up around your FTP server, it's that the user passwords will be vulnerable to interception. At that point, your FTP security is irrelevant, because the attacker can get in via SSH or any other protocol exposed by your server; they have the passwords.
There are very few legitimate reasons to be running plain FTP in this day and age. It's strongly recommended that you use SFTP/SCP instead.
hybinet
Joined: 02 May 2008
Posts: 1058
Posted: Thu Aug 27, 2009 5:19 pm
The only reason anyone besides a braindead shared host would run plain FTP is anonymous FTP. But maybe that will do what the OP wants?
Or if you want to forgo all the advice given above, let the two users log in with the same ID/password and hence upload to the same account's home directory. I mean, if they're going to share the same directory and all the same files, what's the point of keeping one user's password secret to the other?
mikeshoup
Joined: 27 Apr 2004
Posts: 30
Posted: Fri Aug 28, 2009 3:26 pm
Read up on UNIX permissions:
http://www.zzee.com/solutions/unix-permissions.shtml
The best way to do it, put both users in the same group, then give the files/directories group write access. You'll also need to make sure the files/directories are owned by said group.
Running FTP over the internet with cleartext passwords is sorta okay, as long as you're not using system accounts for your FTP logins. Last I checked, ProFTPd allows you to use the system accounts, or store the info in files or a SQL database.
This would be okay, provided the passwords used for these users are not the same as any other passwords.
However, passwords in cleartext is a *bad* idea.
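The shared-group layout suggested in the post above, as an added shell example that is not part of the original thread. The temporary paths, the function names, and the use of the caller's own primary group in place of a real shared FTP group are assumptions, made so it runs without root or real accounts.

```shell
#!/bin/sh
# Added example with constructed paths; everything happens in a temp dir.
# In production GROUP would be the group both FTP users belong to; here the
# caller's primary group stands in for it (assumption for the demo).

# mode_of PATH: print the 10-character type+permission string from ls.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_shared_dir DIR GROUP: directory owned by GROUP, rwx for owner and
# group, r-x for others. The leading 2 is setgid: files created inside
# inherit GROUP instead of the uploader's primary group.
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2775 "$1"
}

# upload_with_umask UMASK FILE: create FILE as a shell redirection does,
# requesting mode 0666 and letting the umask remove bits. No execute bit
# is requested, so none appears on the file (the behaviour the thread
# describes for uploads); only the directory carries x.
upload_with_umask() {
    ( umask "$1" && : > "$2" )
}

demo() {
    base=$(mktemp -d) || return 1
    make_shared_dir "$base/shared" "$(id -g)"
    upload_with_umask 022 "$base/shared/owner-only.txt"   # second user cannot overwrite
    upload_with_umask 002 "$base/shared/group-write.txt"  # both users can write
    for p in "$base/shared" "$base/shared/owner-only.txt" \
             "$base/shared/group-write.txt"; do
        printf '%s  %s\n' "$(mode_of "$p")" "${p#"$base"/}"
    done
    rm -rf "$base"
}

demo
```

On the FTP side the umask is set in the daemon's configuration rather than the shell: `Umask 002` in proftpd.conf, or `local_umask=002` in vsftpd.conf.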
Guspaz
Joined: 26 May 2009
Posts: 1147
Location: Montreal, QC
Posted: Tue Sep 01, 2009 3:11 pm
Just preventing the system account from logging in via FTP is hardly sufficient. Imagine this scenario:
1) RegularUser logs in to FTP via public wifi
2) RegularUser's password is sniffed
3) EvilDude SSHs to your box
4) EvilDude runs a kernel root exploit
5) EvilDude changes your root password and has fun erasing/stealing your data and hosting up all sorts of nasty things
The only way to prevent this scenario is to not allow cleartext password authentication by *NOT* running FTP...
glg
Joined: 09 Jan 2009
Posts: 504
Posted: Tue Sep 01, 2009 3:26 pm
Guspaz wrote: Just preventing the system account from logging in via FTP is hardly sufficient.
He said not using system accounts. I.e., the FTP server only uses its own accounts. So that #3 in your scenario isn't possible.