This is an old revision of the document!



From the man page of twoftpd-auth:

twoftpd-auth reads a username and password from the network and authenticates them using the CVM module cvmodule. If the authentication succeeds, it sets the environment variables UID, GID, HOME, and USER to the user's UID, GID, home directory, and login name respectively, and then executes twoftpd-xfer.

And from the man page of twoftpd-xfer:

twoftpd-xfer reads FTP requests from the network and executes file transfers based on those requests. Before doing anything, twoftpd-xfer changes directory to the authenticated user's home directory, changes the root directory to that directory, and drops all root privileges.

For example, on a web server we can set the HOME directory in /etc/passwd like this:

myuser:x:1000:1000:My User,,,:/srv/http/

So myuser is chrooted directly into /srv/http/.


The example above gives the user myuser access to the directory /srv/http/, which must also be accessible by www-data, so we have to set the directory permissions to:

root:root      751 /srv
root:root      751 /srv/http
root:root      751 /srv/http/
myuser:mygroup 775 /srv/http/

To guarantee that the group mygroup is inherited when files and folders are created, including by other users, we can set the setgid bit (the "group sticky bit") on the directory.

chmod g+s /srv/http/

another user

To allow anotherUser to access this directory, we will have to add it to the mygroup group in /etc/group


Don't forget to also set the HOME directory in /etc/passwd to the same HOME as myuser (or at least to somewhere within that path):

anotherUser:x:1001:1001:Another User,,,:/srv/http/


In the twoftpd configuration file (/etc/twoftpd/run), the default umask is set to 022.

In this condition, users from the group mygroup will not be able to write to or modify the files and directories that are created in the HOME folder.

When you put a file, the resulting file rights will be 644:

ftp> put myfile.txt 
ftp> dir
-rwxrwxr-x    1 myuser mygroup       25 Aug 17 05:22 robots.txt
-rw-r--r--    1 myuser mygroup     2047 Aug 27 16:01 myfile.txt
drwxrwxr-x    1 myuser mygroup     4096 Aug 18 20:37 script

By changing the umask to 002 we then have the file rights set to 664 and everybody in the mygroup group will now be able to write/modify files and directories.

ftp> put myfile.txt 
ftp> dir
-rw-rw-r--    1 myuser mygroup     1241 Aug 27 16:19 myfile.txt
-rwxrwxr-x    1 myuser mygroup       25 Aug 17 05:22 robots.txt
drwxrwxr-x    1 myuser mygroup     4096 Aug 18 20:37 script

New directories now get the rights 775, plus the setgid bit inherited from the parent directory (the s in drwxrwsr-x):

ftp> mkdir mydirectory
ftp> dir
-rw-rw-r--    1 myuser mygroup     1241 Aug 27 16:19 myfile.txt
drwxrwsr-x    1 myuser mygroup     4096 Aug 27 16:19 mydirectory
-rwxrwxr-x    1 myuser mygroup       25 Aug 17 05:22 robots.txt
drwxrwxr-x    1 myuser mygroup     4096 Aug 18 20:37 script
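
The umask and setgid behaviour shown above can be reproduced without an FTP server. The following shell script is an added example, not part of the original page or of twoftpd: it assumes GNU stat and find (as on Debian), emulates an upload with a plain file creation, and its function names are made up for illustration. It also lists the entries created under the old umask, which keep their 644 rights after the umask is changed.

```shell
#!/bin/sh
# Added example: emulates the effect of twoftpd's umask in a throwaway
# directory. Function names are hypothetical; needs GNU stat and find.

# Create a scratch directory set up like /srv/http/ above (775 plus g+s).
make_shared_dir() {
    d=$(mktemp -d) || return 1
    chmod 775 "$d" && chmod g+s "$d" || return 1
    printf '%s\n' "$d"
}

# Create DIR/NAME as an upload would under UMASK; print its octal mode.
upload_mode() {   # usage: upload_mode UMASK DIR NAME
    ( umask "$1" && : > "$2/$3" ) || return 1
    stat -c %a "$2/$3"
}

# Same for a directory (the FTP "mkdir" case).
mkdir_mode() {    # usage: mkdir_mode UMASK DIR NAME
    ( umask "$1" && mkdir "$2/$3" ) || return 1
    stat -c %a "$2/$3"
}

# List entries other members of the group cannot modify: anything
# without group write, and directories without the setgid bit.
audit_shared() {  # usage: audit_shared DIR
    find "$1" -mindepth 1 \( ! -perm -020 -o \( -type d ! -perm -2000 \) \) -print
}

demo() {
    s=$(make_shared_dir) || return 1
    echo "file, umask 022: $(upload_mode 022 "$s" old.txt)"
    echo "file, umask 002: $(upload_mode 002 "$s" new.txt)"
    echo "dir,  umask 002: $(mkdir_mode 002 "$s" newdir)"
    echo "still not group-writable after the umask change:"
    audit_shared "$s"
    rm -rf "$s"
}
demo
```

Running audit_shared against the real HOME directory after switching to umask 002 shows which existing files still need a chmod g+w.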
operating_systems/linux/debian/twoftpd.1346087417.txt.gz · Last modified: 2012/08/27 17:10 by sbolay