TwoFTPd

Authentication

From the man page of twoftpd-auth

twoftpd-auth reads a username and password from the network and authenticates them using the CVM module cvmodule. If the authentication succeeds, it sets the environment variables UID, GID, HOME, and USER to the user's UID, GID, home directory, and login name respectively, and then executes twoftpd-xfer.

And from the man page of twoftpd-xfer

twoftpd-xfer reads FTP requests from the network and executes file transfers based on those requests. Before doing anything, twoftpd-xfer changes directory to the authenticated user's home directory, changes the root directory to that directory, and drops all root privileges.

For example, on a web server we can set the HOME directory in /etc/passwd like this:

myuser:x:1000:1000:My User,,,:/srv/http/mysite.com/www:/bin/false

So myuser is chrooted directly into /srv/http/mysite.com/www.

permissions

In the above example, the directory /srv/http/mysite.com/www is accessed by the user myuser and must also be accessible to www-data, so we have to set the directory permissions to:

root:root      751 /srv
root:root      751 /srv/http
root:root      751 /srv/http/mysite.com
myuser:mygroup 775 /srv/http/mysite.com/www

To guarantee that the group mygroup is inherited by files and folders created there, including those created by other users, we can set the setgid bit on the directory (often called the group sticky bit):

chmod g+s /srv/http/mysite.com/www

another user

To allow anotherUser to access this directory, add that user to the mygroup group in /etc/group:

mygroup:x:1000:anotherUser

Don't forget to also set that user's HOME directory in /etc/passwd to the same HOME as myuser (or at least in the path):

anotherUser:x:1001:1001:Another User,,,:/srv/http/mysite.com/www:/bin/false

umask

The twoftpd startup configuration file (/etc/twoftpd/run) sets a default umask of 022.

With this umask, files and directories created over FTP are not group-writable, so other users in the group mygroup will not be able to write/modify them in the HOME folder.

For example, when we put a file, the resulting file permissions are 644:

ftp> put myfile.txt 
...
ftp> dir
...
-rwxrwxr-x    1 myuser mygroup       25 Aug 17 05:22 robots.txt
-rw-r--r--    1 myuser mygroup     2047 Aug 27 16:01 myfile.txt
drwxrwxr-x    1 myuser mygroup     4096 Aug 18 20:37 script

After changing the umask to 002, uploaded files get permissions 664, and everybody in the mygroup group is able to write/modify files and directories:

ftp> put myfile.txt 
...
ftp> dir
...
-rw-rw-r--    1 myuser mygroup     1241 Aug 27 16:19 myfile.txt
-rwxrwxr-x    1 myuser mygroup       25 Aug 17 05:22 robots.txt
drwxrwxr-x    1 myuser mygroup     4096 Aug 18 20:37 script

New directories are now created with permissions 775:

ftp> mkdir mydirectory
...
ftp> dir
...
-rw-rw-r--    1 myuser mygroup     1241 Aug 27 16:19 myfile.txt
drwxrwsr-x    1 myuser mygroup     4096 Aug 27 16:19 mydirectory
-rwxrwxr-x    1 myuser mygroup       25 Aug 17 05:22 robots.txt
drwxrwxr-x    1 myuser mygroup     4096 Aug 18 20:37 script
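
The umask and setgid behaviour described above can be checked locally without an FTP session. The following script is an added example, not part of the original page or of twoftpd; it uses a scratch directory from mktemp as a stand-in for /srv/http/mysite.com/www and assumes GNU stat (as on Debian).

```shell
#!/bin/sh
# Added example: reproduce the effect of the umask from /etc/twoftpd/run on a
# setgid upload directory. The scratch directory is a constructed stand-in
# for /srv/http/mysite.com/www; nothing under /srv is touched.

# modes_under_umask UMASK
# Prints "<file mode> <directory mode> <group inherited: yes|no>" for a file
# and a directory created inside a 775 + setgid directory under UMASK.
modes_under_umask() {
    (   # subshell: the umask changes below do not leak into the caller
        top=$(mktemp -d) || exit 1
        www="$top/www"

        # Stand-in for the shared web root: 775 plus the setgid bit.
        mkdir "$www"
        chmod 775 "$www"
        chmod g+s "$www"

        # Same kind of operations an FTP "put" and "mkdir" perform.
        umask "$1"
        : > "$www/myfile.txt"
        mkdir "$www/mydirectory"

        fmode=$(stat -c %a "$www/myfile.txt")
        dmode=$(stat -c %a "$www/mydirectory")

        # setgid on the parent makes new entries take the parent's group.
        pgid=$(stat -c %g "$www")
        if [ "$(stat -c %g "$www/myfile.txt")" = "$pgid" ] &&
           [ "$(stat -c %g "$www/mydirectory")" = "$pgid" ]; then
            inherited=yes
        else
            inherited=no
        fi

        rm -rf "$top"
        echo "$fmode $dmode $inherited"
    )
}

for u in 022 002; do
    echo "umask $u -> $(modes_under_umask "$u")"
done
```

The leading 2 in the directory mode is the setgid bit inherited from the parent, which is what the s in drwxrwsr-x shows in the listing above.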
operating_systems/linux/debian/twoftpd.txt · Last modified: 2012/08/27 17:17 by sbolay