
Tips and Tricks: change the group and umask your ftp files for security

paan, 29 June 2008

The task

One of the problems when I am uploading files to a webserver is that file permissions need to be reset every time I upload a file so that the webserver user can read the files. This is a cumbersome little thing, especially when I am coding and re-upload the script each time I test it.

The problem

The easiest way to get around this problem is to set up a umask for the file. This could solve our problem, but usually on a multi-user system like a public webserver (like the one I'm using), the ftp server runs under my username group. Allowing the file to be written by the webserver group would require me to allow the files to be globally written, which is a BIG BAD BAD in terms of security.

Making the ftp server run as the webserver group requires the user that logs in to be in the webserver group, which means that all files writable by the webserver group (usually the webserver config files are) are writable by the user. Which is another big security BAD.

The solutions

I'm using pure-ftpd as my ftp server, so to solve this I used the pure-ftpd upload script feature. Basically, it runs a script you specify after each file is uploaded. Turning on this feature in pure-ftpd is a 2-step procedure.

  1. Enable the option in the pure-ftpd daemon
    • This is done with the -o parameter to the pure-ftpd daemon. I use xinetd to start my pure-ftpd daemon, so it's just a matter of digging into the /etc/xinetd.d/ folder and editing the pureftpd file to add a "-o" to "server_args". If you're running pure-ftpd using an init.d script then you need to edit your init.d script instead.
  2. Run the pure-uploadscript daemon
    • The -o flag only tells pure-ftpd to pass the file to the pure-uploadscript daemon. You still have to configure and run the pure-uploadscript daemon. To run the daemon just type in:

      pure-uploadscript -B -r /pathtoyourscript

      The daemon will pass the name of the uploaded file as the first parameter to the script ($1).

    • The -B flag tells pure-uploadscript to run in the background. The -r flag specifies the script that you want to run on the uploaded files.
    • Remember to run the pure-uploadscript daemon each time your server restarts. Stick the line in the ftp server init.d script if your ftp server uses an init.d script to start.

Now we look at the script itself. Basically you just assign the group of the file to the webserver group.

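#!/bin/bash
# pure-uploadscript passes the path of the uploaded file as $1.
# Quote it and end option parsing so odd file names are handled safely.
chgrp apache -- "$1"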

Simple. While we are at it, we might as well tighten some file permissions by setting the umask on the uploaded files. For pure-ftpd just change your current -u argument in the xinetd file to 017:022. The first umask is for files and the second is for directories.

The umask is the opposite of the permissions that you want to set: it lists the permissions you do not want, rather than the permissions you do (as when issuing a chmod). So the above umask will give 760 (-rwxrw----) for files and 755 (-rwxr-xr-x) for directories.

The Caveat

The caveat is that pure-uploadscript only handles files. Directories that get created are not run through pure-uploadscript, which is why I relax the umask restriction a bit for created directories. You could go through the trouble of parsing the file name, getting the parent directory of the file passed to the script, and chgrp-ing that directory too. But for now I'm too lazy to do that. :D Send me a copy of your script if you do.
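The parent-directory handling described in the caveat, as an added example that is not part of the original post: it refuses symlinks and paths outside the web root, then changes the group of the file and of every directory between it and that root. `WEB_ROOT`, `WEB_GROUP` and the function names are assumptions; `apache` is the group used in the script above.

```bash
#!/bin/bash
# Added example: upload hook that also fixes the parent directories.
# WEB_ROOT and WEB_GROUP are assumed names; adjust them to your layout.
WEB_ROOT="${WEB_ROOT:-/var/www}"
WEB_GROUP="${WEB_GROUP:-apache}"

# Print the physical (symlink-free) path of a directory.
real_dir() {
    ( CDPATH= cd -P -- "$1" 2>/dev/null && pwd -P )
}

# fix_upload FILE: chgrp FILE and each directory between it and WEB_ROOT.
fix_upload() {
    local file root dir
    file=$1
    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "skip: not a regular file: $file" >&2
        return 1
    fi
    root=$(real_dir "$WEB_ROOT") || return 1
    dir=$(real_dir "$(dirname -- "$file")") || return 1
    # Only touch paths that resolve to somewhere inside the web root.
    case "$dir/" in
        "$root"/*) ;;
        *) echo "skip: outside $root: $file" >&2; return 1 ;;
    esac
    chgrp -- "$WEB_GROUP" "$dir/$(basename -- "$file")" || return 1
    # Walk upwards, leaving the web root itself untouched.
    while [ "$dir" != "$root" ]; do
        chgrp -- "$WEB_GROUP" "$dir" || return 1
        dir=$(dirname -- "$dir")
    done
}

# pure-uploadscript passes the uploaded file as $1.
if [ -n "${1:-}" ]; then
    fix_upload "$1"
fi
```

Because the web root itself is never touched, its group and mode stay whatever the administrator set.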
