Beginner help to setup permissions


karlmarius
12-13-2011, 05:50 PM
Hi!

I'm totally new to ioFTPD.
I've managed to get the server up and running with SSL, but have trouble understanding how to set correct permissions...

So I want all users that are in my "OWNERS" group to have full access to the server, including uploading to all directories. As of now I can't upload anything anywhere :confused:

I also want regular users to be able to upload to a dir called "Upload", and download anything; this group is called "Regular".

Can somebody give an example of what to put in the config file straight out? I have tried, but don't understand the config apparently :confused:

Also, is there something else that needs to be configured other than the ini file?

All help is really appreciated!

Flow
12-14-2011, 12:00 PM
Read the /etc/default.vfs file.

Users added to the site can be set to use a different .vfs file (Virtual File System).

karlmarius
12-14-2011, 01:10 PM
So the way to go is to use different vfs for different groups? Is this required to achieve what I want here? Is it not possible to set different permissions for different groups with just one vfs?

thedepartedone
12-14-2011, 03:16 PM
Also look under ### PERMISSIONS ### in ioftpd.ini. By default, if I remember correctly, it has the path /incoming/* as the only location they can delete, upload, rename, etc., and by default I think it is also set so that only those with 1M flags can do those tasks.

karlmarius
12-14-2011, 03:40 PM
read /etc/default.vfs file.

users added to site can be set to use different .vfs file (Virtual File System)


Is it necessary to use different vfs for different groups to achieve this?
Is it not possible to set that the "owners" group has full access to everything, while the "regular" group only has permissions to edit/upload files to the "upload" directory?
Would /* =OWNERS be enough to set that users in the "owners" group have full access, while users with the "3" flag could only upload to the "upload" directory?

Could someone please post an example of config for the ioftpd.ini for me to be able to do this?

Yil
12-14-2011, 04:36 PM
Just set up the default.vfs file. For most users there is never a need to use more than one VFS file.

There are 2 major access checks on file access.

The first is the VFS section of the .ini file which controls who can do what. The default setup shows an example of a server where normal users (3 flag only) can only upload stuff under the /Incoming directory. The reason it's set up so restrictively by default is so that new users understand what they are granting users permission to do. Perhaps I should change that... Anyway, just change the /Incoming/* to /* and then they'll apply everywhere, which is what most people do I bet. An obvious counter-example would be people who remove users' ability to modify the /ARCHIVE dir on their servers...

The second check is the actual filesystem directory/file permissions (the rwx stuff). Thus a user could have rights in the .ini file to create a directory anywhere but the / root dir may have rw-r--r-- which means only the owner (ioFTPD user by default) can create/delete stuff in the / dir.

And now for the last bit of info I think you need. If rwx permissions are good enough for controlling who can up/down where, then just open up everything in the .ini VFS section and you're done. If only some people should be able to upload across the whole server I'd suggest just using the "3" flag, which by convention is for that purpose (i.e. accounts without the 3 flag can't modify stuff). If you want you could also give out the 4,5,6,a,b,c whatever flags to groups of users. There is almost no difference between using a made-up flag like say 4 and having a made-up group like say OWNERS and granting them rights to upload somewhere, except most permission .ini entries are flag-style, which means you could write 13VM45, which is simpler than 13VM =USERS =OWNERS...

Yil
12-14-2011, 04:46 PM
Just a quick update. I personally find there are VERY few reasons for the VFS section of the .ini file to be overly complex. I bet most people grant uploaders the rights to their own stuff but nobody else's, and 1 (SiteOp) flagged users can do anything.

Similarly, I find that creating more than maybe 1 new user flag is rarely needed, especially if you are using it to control filesystem access only.

If you find yourself doing either, send me a private message and I'll see if there isn't a simpler way to do what you want.

The only other thing I should mention is the private/hidden directory option. Using 'site chattr +h' you can create a flag-style permission entry that controls who can even see the directory. Thus you can make /GAMES have a chattr +h value of 1VM =GAMERS and only SiteOps and people in the GAMERS group could even see that you have a /GAMES directory... This feature removes the need for multiple .vfs files and also gets rid of .ini VFS rules about who can do what to different sections because you don't need to worry about them uploading to a directory they can't even see.
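
The layered checks described in this thread (the flag-style .ini VFS entry, the rwx mode on the directory, and the 'chattr +h' visibility entry) can be modelled as below. This is an added example, not part of any post and not ioFTPD code or ioftpd.ini syntax. The rule tuples, directory table, user and group names, first-match rule order, and treating an invisible directory as a denied upload are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

def entry_matches(entry, flags, groups):
    """True if a flag-style entry such as '13VM =OWNERS' covers the user:
    any shared flag character, or membership in any =GROUP token."""
    for token in entry.split():
        if token.startswith("="):
            if token[1:] in groups:
                return True
        elif set(token) & set(flags):
            return True
    return False

# Constructed rules as (action, path glob, entry); not ioftpd.ini syntax.
RULES = [
    ("upload", "/Upload/*", "13VM =OWNERS"),  # flag 3 may upload here
    ("upload", "/*", "1VM =OWNERS"),          # elsewhere: SiteOps and OWNERS
]

# Constructed directories: owner, group, rwx mode, optional +h entry.
DIRS = {
    "/": ("ioFTPD", "NoGroup", "rw-r--r--", None),
    "/Upload": ("ioFTPD", "NoGroup", "rwxrwxrwx", None),
    "/GAMES": ("ioFTPD", "NoGroup", "rwxrwxrwx", "1VM =GAMERS"),
}

def fs_writable(directory, user, groups):
    """Second check: the w bit of the owner, group or other triplet."""
    owner, group, mode, _ = DIRS[directory]
    if user == owner:
        return "w" in mode[0:3]
    if group in groups:
        return "w" in mode[3:6]
    return "w" in mode[6:9]

def visible(directory, flags, groups):
    """A directory with a +h entry is seen only by users the entry covers."""
    hidden = DIRS[directory][3]
    return hidden is None or entry_matches(hidden, flags, groups)

def can_upload(user, flags, groups, path):
    directory = path.rsplit("/", 1)[0] or "/"
    if not visible(directory, flags, groups):
        return False  # assumption: unseen directories cannot be written to
    for action, glob, entry in RULES:
        if action == "upload" and fnmatchcase(path, glob):
            # Assumption: the first rule whose path matches decides.
            return (entry_matches(entry, flags, groups)
                    and fs_writable(directory, user, groups))
    return False
```

A user in OWNERS passes the rule for /* yet is still refused in / because the rw-r--r-- mode only gives the owner write access, which is the gap between the two checks that the thread points out.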