Any user can delete any files even those whose owner of the root

Discussion in 'Installation/Configuration' started by Jolman, Jan 31, 2010.

  1. Jolman

    Jolman Member

    First, i want to say thanks to all who develope ISPConfig and make it free for all!​

    Second: Sorry for my english!

    Hi all, i have next problem: After installed on my server ISPConfig (for information i'am not newbie) i'am detect that any user entered to it directory through ftp can delete any files even those whose owner of the root.:mad:

    To resolve this problem i reconfigure and recompile my ProFTPD with next options: - ./configure --sysconfdir=/etc --enable-shadow --enable-auth-pam --enable-facl --disable-ipv6.:cool:

    But it not solve my problem!

    I was followed this instruction:

    Used next version of software:
    1. OS CentOS v5.4
    2. ProFTPD v1.3.3
    3. ISPConfig v2.2.35

    Please who can help, what can i must doing to solve my problem?:confused:

    Thank you in advance :eek:
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Make sure that you installed your server exactly as decsribed in the tutorial, its not nescessary to recompile proftpd with any other options. Then make sure that you use the exact proftpd configuration that is described in the tutorial, this will ensure that the ftp user can not access files outside of its home directory.

    On a linux system, a user who owns a directory can always delet all files that are inside this directory, even if this file is owned by the root user. Thats the case on all systems and has nothing to do with ispconfig. You can test this on the shell:

    1) create a new linux system user called john
    2) craete a directory owned by john.
    3) add a file owned by root into this directory.
    4) try to delete this file when you are logged in as john, you will see that its possible to delete the file. The reason is that the file is in a directory owned by john. If the directory would be owned by root, john would not be able to delete the file owned by root.
  3. Jolman

    Jolman Member

    Thank you for answer!

    I'am exactly follow manual mentioned above.

    So that's OK, but what worked before, in previous
    installations, a simple user can't delete files that
    the owner of root. For example after connect to FTP
    user in "/var/www/web2/", in the previous installations
    user can't delete files whose owner is root, but now
    it can. I thought that may be i doing something wrong ?
    If you say such behavior is normal, what can you say
    about my previous installations. Why in the previous
    installations any user can't delete files in its
    folder whose owner root ?

    As i understand that if any user can delete files of root,
    even in it's directory, this is violates the principle of
    Discretionary Access Control!

    Sorry for my english, I hope you understand me

    Best regards
  4. Jolman

    Jolman Member

    I'am creat a files of new users with root UID ...

    I'am create a file in the new user directory with root UID, than login as new user and delete it. Yes any user can delete files of root in the own home directory!

    Thank you for you time!

    Thats all ( But my previu.... )
  5. Jolman

    Jolman Member

    Sorry for my stuped question!

    Best regards Jolman

Share This Page