Making the user uftp1 a member of dba or oraprod a member of ftp may lead to security hole as either way will open the door for the uftp1 or the oraprod user to have access to the resources which ftp or dba is the owner of.
Creating a separate group for uftp1 and oraprod is a better approach.
But the best approach in terms of security in this scenario would be to make use of ACL and SGID bit. I will explain the approach here:
1. Suppose /u01 is the directory in question. Make oraprod and dba are the owner of the directory:
2. Give 770 permission on /u01:
3. Turn on SGID bit on /u01 so that when the uftp1 user creates any file in the directory the group owner of the directory (dba) will have the ownership of the newly created file by default rather than ftp. This will help the oraprod user to have permission on the file as it's a member of the group.
4. Now you have to set ACL for the user uftp1 on /u01. The syntax varies depending on whether it's a ZFS or UFS filesystem.
For ZFS:
For UFS:
That's it and you are all setup.
From within a directory, how do I determine whether I have write permission for it.
test -w pwd ; echo ?
This doesn't work as it returns false, even though I have write permission. (4 Replies)
My users home directory located in a RHEL 5.0 nfs server.
Client is ubuntu 8.1 using NIS for authntication anf NFS for automounting
home Directory on the client side.
I set 700 to the users home directory.
My problem here is some of the users change the mode, which result in leak of... (2 Replies)
Hi All
I am using cygwin and if i type ls -l it is giving like
drwxr-xr-x+ for directories.
My question is what is the meaning of '+' sign at the end?
its not giving that '+' sign for files.
Thank you (1 Reply)
Hi all.
Only one of the following makes any kind of sense as a possible permission field for a UNIX file. Which one?
--w-------
----rwxrwx
-r--------
--rwx-----
----r-----
I think it is no. 3. I dont think it would be 2, because why would you want to give groups and... (1 Reply)
Hello,
I've configured an user authentication against Active Directory (Windows Server 2008 R2) on AIX V6 with LDAP. It works fine.
And here's my problem:
How can I control ldap user permissions on the local AIX machine?
E.g. an AD user should be able to write all files of local sys... (1 Reply)
Hi,
How do i check if I have read/write/execute rights on a UNIX directory?
What I'm doing is checking read access on the files but i also want to check if user has rights on the direcory in whcih these files are present.
if then......
And I check if the directory exists by using... (6 Replies)
i have an application that writes to a directory. let's call the directory:
/var/app/
the permissions of this directory is:
drwxrwxr-x
Now the files that the application creates in this directory usually dont have read permissions for others.
i know there's something called... (3 Replies)
Hi,
I had a newbie question on giving permissions to directories and subdirectories.
I am one of the users in a group. The top level directory (say directory 'X' - owned by someone else) has the following permissions:
drwxrwxrwx
It also has a subdirectory, say 'Y', (which in turn has... (5 Replies)
Hi,
I have created a shared directory on /home, where all users on a certain group have read, write and execute permissions.
I did this using
chmod -R g+rwx /home/shared/
The problem is, when a particular user creates a directory within /home/shared, other users are not able to write to... (8 Replies)
Discussion started by: lost.identity
8 Replies
LEARN ABOUT FREEBSD
ftpchroot
FTPCHROOT(5) BSD File Formats Manual FTPCHROOT(5)NAME
ftpchroot -- list users and groups subject to FTP access restrictions
DESCRIPTION
The file ftpchroot is read by ftpd(8) at the beginning of an FTP session, after having authenticated the user. Each line in ftpchroot corre-
sponds to a user or group. If a line in ftpchroot matches the current user or a group he is a member of, access restrictions will be applied
to this session by changing its root directory with chroot(2) to that specified on the line or to the user's login directory.
The order of records in ftpchroot is important because the first match will be used. Fields on each line are separated by tabs or spaces.
The first field specifies a user or group name. If it is prefixed by an ``at'' sign, '@', it specifies a group name; the line will match
each user who is a member of this group. As a special case, a single '@' in this field will match any user. A username is specified other-
wise.
The optional second field describes the directory for the user or each member of the group to be locked up in using chroot(2). Be it omit-
ted, the user's login directory will be used. If it is not an absolute pathname, then it will be relative to the user's login directory. If
it contains the /./ separator, ftpd(8) will treat its left-hand side as the name of the directory to do chroot(2) to, and its right-hand side
to change the current directory to afterwards.
FILES
/etc/ftpchroot
EXAMPLES
These lines in ftpchroot will lock up the user ``webuser'' and each member of the group ``hostee'' in their respective login directories:
webuser
@hostee
And this line will tell ftpd(8) to lock up the user ``joe'' in /var/spool/ftp and then to change the current directory to /joe, which is rel-
ative to the session's new root:
joe /var/spool/ftp/./joe
And finally the following line will lock up every user connecting through FTP in his respective ~/public_html, thus lowering possible impact
on the system from intrinsic insecurity of FTP:
@ public_html
SEE ALSO chroot(2), group(5), passwd(5), ftpd(8)BSD January 26, 2003 BSD