Книга: Fedora™ Unleashed, 2008 edition

Configure Permission Control

Configure Permission Control

Controlling user activity is an important component of securing your system's server. The ftpaccess file includes a number of commands that enable you to determine what users can and cannot execute during an FTP session. You can use these permission controls to allow users to change file permissions, delete and overwrite files, rename files, and create new files with default permissions. You learn how to use all these ftpaccess file command lines in the following sections.

The chmod line determines whether a user can change a file's permissions. Here is the command line:

chmod <yes|no> <typelist>

This command acts the same as the standard chmod command.

The yes|no parameter designates whether the command can be executed. typelist is a comma-delimited string of the keywords anonymous, guest, and real. If you do not specify a typelist string, the command is applied to all users. An exhaustive description of its purpose and parameters can be found in the man page.

The delete line determines whether the user can delete files with the rm command. Here's the command line:

delete<yes|no> <typelist>

The yes|no parameter is used to turn this permission on or off, and typelist is the same as the chmod command.

This command line of the ftpaccess file allows or denies users the ability to overwrite an existing file. Here's the command line:

overwrite <yes|no> <typelist>

The FTP client determines whether users can overwrite files on their own local machines; this line specifically controls overwrite permissions for uploads to the server. The yes|no parameter toggles the permission on or off, and typelist is the same as in the chmod line.

You can enable or prevent a user from renaming files by using this command line:

rename <yes|no> <typelist>

The yes|no parameter toggles the permission on or off, and typelist is the same comma-delimited string as in chmod.

This line determines whether the user is able to use the compress command on files:

compress <yes|no> [<classglob>]

The yes|no parameter toggles the permission on or off, and classglob is a regular expression string that specifies one or more defined classes of users. The conversions that result from the use of this command are specified in the ftpconversions file, which contains directions on what compression or extraction command is to be used on a file with a specific extension, such as .Z for the compress command, .gz for the gunzip command, and so on. See the section "Configuring FTP Server File-Conversion Actions" later in this chapter.

This line determines whether the user is able to use the tar (tape archive) command on files:

tar <yes|no> [<classglob> ...]

The yes|no parameter toggles the permission on or off, and classglob is a regular expression string that specifies one or more defined classes of users. Again, the conversions that result from the use of this command are specified in the ftpconversions file.

This line is a bit different from the other commands in the permission control section. The umask command determines with what permissions a user can create new files; here it is.

umask <yes|no> <typelist>

The yes|no parameter toggles based on whether a user is allowed to create a file with his default permissions when uploading a file. Like the overwrite command you read about earlier in this section, this command line is specific to uploaded files because the client machine determines how new files are created from a download.

Оглавление книги