Michael Leone on 22 Apr 2010 14:12:24 -0700



Re: [PLUG] More advice on shell scripting and basic admin configurations


So I've figured out to edit /etc/password to change the user shell to
/bin/false; this stops the user from being able to telnet in. And I
can change the home folder there, too. Just have to remember to do
that for all new users.


In the new upload folders, I can add GROUP write rights, and that will
allow my scripting running user to be able to run. But what of new
files uploaded? Will they inherit these rights from the directory
level? I know Windows will, unless you take steps to do otherwise.

I'm out and not near a machine, to be able to test this.



On 4/22/10, Mike Leone <turgon@mike-leone.com> wrote:
> So I have a specific question(s) about your example script. And all
> related to Scripting 101 and Linux Admining 101, I think ...
>
> So:
>
>> DMZ side script (will probably get mangled by the MTAs and MUAs):
>>
>> #!/bin/bash -
>> # snag_files.sh--Snag some files and package up in ZIP file
>>
>> TREE='/home/ftp/'  # Must be read-write by user, so ZIP can read and delete
>
> In my case, the FTP is chrooted (I am using VSFTP), and is locked into
> only being able to access their own home directory. Wouldn't do to have
> the vendors be able to walk up and down the folder structure and be able
> to read any other vendor's invoices. Hence they can only FTP into their
> own home folder.
>
> That would cause grief with this script, because while the WORLD
> permissions are read for every folder under /home (BTW, at some point,
> that should be changed so that only the user has rights in their home
> folder, and only members of a certain group. Right now, any user that
> could telnet/SSH in, could go perusing through any other user's folders,
> since the default is for WORLD read. But, I digress ...), there are not
> GROUP or WORLD write permissions set, by default.
>
> The point is that each vendor's files should not be seen by any other
> vendor, so the files are not all in one directory.
>
> How best to take that into account, then? Change the VSFTP to chroot the
> users into a different folder structure, one in which the user of this
> script has R/W privileges, via means of membership in a group? Wouldn't
> that mean every file would need to have those group perms set? And the
> user creation take that into account?
>
>

-- 
Sent from my mobile device

Michael J. Leone, <mailto:turgon@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
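Since the message above asks whether files uploaded into a group-writable folder inherit that group write bit, here is an added example (my own, not code from the thread or from vsftpd) showing what a new file on Linux actually gets: its mode bits are decided by the creating process's umask, and only the group ownership is inherited, through the setgid bit on the directory. It assumes GNU coreutils (stat -c); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: on Linux a new file's mode bits come
# from the creator's umask, not from the directory it lands in, while the
# setgid bit (chmod g+s) on the directory makes new files and subdirectories
# inherit the directory's group.  Assumes GNU coreutils (stat -c).

# Octal mode bits of a path, e.g. 664 or 2770.
mode_of() { stat -c '%a' "$1"; }

# Name of the group owning a path.
group_of() { stat -c '%G' "$1"; }

# Upload directory: owner and group rwx, setgid set, nothing for world.
# $2 (optional) is the group the processing script runs as.
setup_upload_dir() {
    mkdir -p "$1"
    [ -n "$2" ] && chgrp "$2" "$1"
    chmod 2770 "$1"
}

# Create an empty file under $1 with umask $2 (in a subshell, so the caller's
# umask is untouched) and print the mode bits it ended up with.
new_file_mode() {
    ( umask "$2" && : > "$1/file_$2" )
    mode_of "$1/file_$2"
}

# Create $1/sub with umask 022 and print its mode bits; the leading 2 is the
# setgid bit inherited from the parent.
new_subdir_mode() {
    ( umask 022 && mkdir "$1/sub" )
    mode_of "$1/sub"
}

# Repair files uploaded before the group bits were set: group read/write on
# files, group rwx plus setgid on directories, nothing for world.
fix_existing() {
    find "$1" -type d -exec chmod g+rwxs,o-rwx {} +
    find "$1" -type f -exec chmod g+rw,o-rwx {} +
}

# Demo on a constructed temp directory: sh upload_perms.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && setup_upload_dir "$d"
    echo "umask 022 file -> $(new_file_mode "$d" 022)"   # 644, no group write
    echo "umask 002 file -> $(new_file_mode "$d" 002)"   # 664, group write
    echo "subdir         -> $(new_subdir_mode "$d")"     # 2755, setgid kept
    rm -rf "$d"
fi
```

For files that arrive over vsftpd the umask that matters is the daemon's own (local_umask in vsftpd.conf, which defaults to 077), not the login shell's, so group write on uploads has to be granted there or by a cleanup pass like fix_existing.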