Permissions on a per .vfs basis?


IggyPop
05-15-2007, 04:59 AM
Hi guys, hope you can bear with me for a while now, I'm suffering from a "forgot-all-about-configuring-ioFTPD"-syndrome but I am slowly recovering :D

Let's say I have three different groups added to the site. Each of the groups uses their own vfs file so they can only see and access the harddrive directory configured in their vfs. All well there, no problem. But now I want to set permissions for what each group is allowed to do in their home dir, like uploading, downloading etcetera etcetera. Can I set permissions on a vfs basis then? Like, group A is allowed to upload in their homedir, but no more, group B is allowed both up/downloading and so on.

Does this make any sense? What I am trying to find out is if I can describe different permissions for each group. Looking at the ioftpd.ini it seems like I have to define permissions for each group in the .ini file, is that the way it should be done?

Zer0Racer
05-15-2007, 10:32 AM
You can use the detailed vfs permissions in ioFTPD.ini for this. For example if you've mapped both groups' homedirs to the same virtual name in their vfs:

[VFS]
MakeDir = /home/* *
Upload = /home/* *
Download = /home/* =groupB !=groupA !*
DeleteOwn = /home/* =groupB !=groupA !*
RenameOwn = /home/* =groupB !=groupA !*

But don't forget to always keep the default permissions at the bottom to not screw up the permissions for the rest of the site. Example:


Download = /home/* =groupB !=groupA !*
Download = * *

/ZR
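
Added example (not part of the thread and not ioFTPD code): a small Python model of the rule ordering described in the answer above. It assumes the first line whose path matches decides, access tokens are read left to right, a leading ! denies, a bare token such as 31VM is a set of user flags, and no match means deny; `parse_rules`, `allowed` and the sample rules are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample of a [VFS] section, built from the rules quoted in the post.
SAMPLE_RULES = """
[VFS]
Download = /home/* =groupB !=groupA !*
Download = * *
Upload = /home/* *
"""

def parse_rules(text):
    """Return [(action, path_pattern, [tokens])] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        action, _, rest = line.partition("=")   # split on the first '=' only
        parts = rest.split()
        if len(parts) >= 2:
            rules.append((action.strip(), parts[0], parts[1:]))
    return rules

def token_matches(token, groups, flags):
    if token == "*":                        # everyone
        return True
    if token.startswith("="):               # =groupname
        return token[1:] in groups
    return any(f in flags for f in token)   # assumed: bare token = user flags

def allowed(rules, action, path, groups, flags=""):
    """Assumed semantics: the first rule whose path matches decides; tokens are
    read left to right; '!' turns a match into a deny; no match means deny."""
    for rule_action, pattern, tokens in rules:
        if rule_action != action or not fnmatchcase(path, pattern):
            continue
        for token in tokens:
            deny = token.startswith("!")
            if token_matches(token.lstrip("!"), groups, flags):
                return not deny
        return False                        # path matched, no token did
    return False                            # no rule for this path at all

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for group in ("groupA", "groupB", "NoGroup"):
        print(group, "download /home:", allowed(rules, "Download", "/home/x.zip", {group}))
```

Under this model, moving `Download = * *` above the `/home/*` line makes it match first, so groupA could download from /home; leaving it out denies downloads everywhere outside /home.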

IggyPop
05-15-2007, 11:00 AM
Sweet, Zero, this looks like exactly what I was looking for :D Thanks a bunch!

EDIT: There's a few VFS sections throughout the ioftpd.ini file, which one are you referring to in your answer? I guess it's the one in the "Permissions" section, but better safe than sorry :D

Zer0Racer
05-15-2007, 01:31 PM
Under [VFS]. Look closely at my previous post ;)
You can see it next to the other Upload = /Incoming/* 31VM stuff

/ZR

IggyPop
05-16-2007, 12:57 AM
Yup, found it, edited it and will soon test it. Dang, with the help of you guys I'm sure I will get this baby on the road again. Happy happy, joy joy! :D

e-buzzen
05-16-2007, 02:14 AM
OMFG, sorry for off topic, but I accidentally stumbled upon an old text document and found my old and original login credentials :D

IggyPop=e-buzzen. Guess I'll be using the old one from now on....:D

e-buzzen
05-16-2007, 02:54 AM
OK, let's see if I did this correctly now.

Upload = /* =groupA =groupB !*

I translate this into allowing users from groupA to upload in their home dir defined in groupA.vfs, the same for groupB (different home dir though) but no one else allowed to upload in the home dir defined in default.vfs, is that correct?

User added with default settings ends up in the NoGroup and can't, in my example above, upload anything, right? That works OK, but users from groupA and groupB are also not able to upload. What have I done wrong?

Zer0Racer
05-16-2007, 03:39 AM
The rule above will give you trouble if you have specified two different root dirs in the group's vfs and the default.vfs. You're only allowing groupA and groupB to upload anywhere on the site since /* is the root. No one else will be able to upload at all, besides the Master account and maybe the VFS administrator.

I'm not 100% sure on how the VFS permissions work if you, for instance, set /home from default.vfs as root in groupA.vfs. Maybe you have to use /home/* in ioFTPD.ini for the detailed vfs permissions OR the ini always reflects what the user sees in his vfs.

I suggest you put all groups' homedirs in i.e. /home/groupname. Then you can set a separate mountpoint in each group's vfs i.e. "d:/ftp-root/home/groupname" /home (not as root) and you will be able to use /home/* for the detailed vfs permissions without the risk of mixing anything up. In case you want ever more detailed settings maybe you should mount it as /home/groupname so you can specify /home/groupname/* in ioFTPD.ini.

It's always good to just use an empty dir as root and only mount stuff in vfs. So even if a user cdup:s from the /home dir it will just be empty. To make users automatically end up in /home when they log in you can set a special homedir setting in ioFTPD (though it's a per user command, but I think you can use the groupname to set the permissions for all users in that group at the same time) i.e. site change =groupA homedir /home

And to make sure no one gets access to any other group's homedir (if you use /home/groupname as mount point) you can set the correct attributes for each group's dir (making it private/hidden) i.e. site chattr +h "groupA" "=groupA" (if you're currently browsing /home and see the groupA dir). Do the same for all the other dirs. If they cdup now they won't see any other dirs inside /home than their own, making it kinda like the first example.

Or maybe I misunderstand. You just want to set different root dirs for each group?

/ZR

P.S. And oh, don't forget to chmod the dirs you want to be writable to 777. D.S.

e-buzzen
05-16-2007, 10:05 AM
Whaow, lots of good and useful info here, thanks a million. I think, after reading your excellent explanations, that I have to redesign the whole directory structure a bit to get permissions to work. No biggie though.

And yes, different root dirs for each group and different permissions for each root dir, that's what I am aiming for. Is that possible through ioftpd.ini? Otherwise I think your setup suggestion with /home/groupname is the one best suited for my needs, and also to use the "site change =groupA homedir /home" command. I have to continue experimenting I think. Thanks again.

e-buzzen
05-17-2007, 05:29 AM
Sorry to say, but it looks like I can't achieve what I want permission wise. I frankly don't know how to set up the vfs/directory structure to be able to use different permissions based on group membership when all the groups have their own vfs file with their own homedir defined. :cry: I don't even know if it's possible with ioFTPD. Using "the other" Windows ftpd atm and it can most certainly be done with that one, but it misses a few features that ioFTPD has, for example ident, and I would really prefer to use ioFTPD, especially now when Yil has put a tremendous amount of quality work in the project.

I'm kinda stumped right now. :confused: