Note: the commands in this document strongly resemble the UNIX commands chmod and chown. They are not those commands, and if you mistakenly use those commands on your FTP files and directories, you will break your FTP site.
An anonymous user is someone who logs into an FTP server as user ‘anonymous’. The server requires no password for an anonymous user (although they are asked to submit their email address as a password). This can be disabled. In the permissions scheme, their access is controlled by the “others” bit.
An authorized user is a user who you have created with the ftp_adduser command. When they log into your FTP server, they submit their userid and password to the server. In the permissions scheme, their access is controlled by the “user” bit.
Permissions are the way you regulate access to your files. You can regulate what you yourself can do with files, and what others can do with the same files. In an FTP site, this means you can control what files are readable by anyone who accesses your site (anonymous users), and which are readable only by authorized users (with userids and passwords). You can control to which directories users can upload files, and in which directories they can delete files.
There are three groups of permissions for each file and directory:
- owner permissions, which control what the owner of the file or directory may do;
- group permissions, which control what the group that owns the file may do;
- other permissions, which control what everyone else may do.
Each group of permissions contains a bit for read, write, and execute. These bits are either on or off. That makes nine permissions bits total for each file and directory, controlling permissions for owner’s read, write, and execute; group’s read, write, and execute; and other’s read, write, and execute. For example, a file could be readable and writable, but not executable by the file’s owner, and not readable or writable, but executable by the file’s group, and completely unavailable to others.
Note: for the purposes of administering an FTP site, group permissions don’t matter.
At a Unix prompt, type ls -l. Here's what the output means:

-rwxrwxrwx 1 avery users 2525 Feb 18 09:17 index.html
^\ /\ /\ /
| V  V  V
| |  |  `-- others (non Coderevos)
| |  `-- group (doesn't apply)
| `-- user (authorized FTP user)
`-- d=directory, -=file, l=link, etc
The list of letters at the far left is the permissions table. The first letter indicates what the file is (plain file, directory, link, etc.). The second, third, and fourth letters are read, write, and execute for the file’s owner. The next three letters are the permissions for the file’s group, and the last three letters are the permissions for others.
To set permissions, you will use the ftp_chmod command. There are two ways to use ftp_chmod: number or text.
Using the numbering scheme, the ftp_chmod command has three number places, as in:
[coderevo-avery] <~/corp-ftp> ftp_chmod ftp.domain.com 704 foo.txt

('704' is the permissions number.)
These numbers represent the three user types. The first number on the left side (the '7' in the example above) is for "user", the middle one (the '0') is for "group" (which is completely unused in the context of FTP, and should always be set to no access), and the right hand one (the '4') is for "other". Now, here's what each number does:
0 = --- = no access
1 = --x = execute
2 = -w- = write
3 = -wx = write and execute
4 = r-- = read
5 = r-x = read and execute
6 = rw- = read and write
7 = rwx = read, write and execute (full access)
So, if you set a file to:

ftp_chmod ftp.domain.com 604 foo
                         ^^^
                         ||`-- others have read access
                         |`-- group has no access (they don't matter)
                         `-- user has read and write access

For a directory, the three bits mean the following:
- read = list files in the directory
- write = upload to or delete files from the directory
- execute = download files in the directory (you can download files in an executable directory if you know the filename, even if you can’t list them)
Another way is via text-based commands: ftp_chmod ftp.domain.com [ugo][+-=][rwx] [filename], where u=user, g=group and o=other; + turns on and - turns off the attributes which follow it, and = sets exactly those attributes: r=read, w=write, x=execute.
For example, typing ftp_chmod ftp.domain.com go+r foo turns on the read bits for group and others on file "foo". Note that this command does NOT reset the other bits, so any previously specified permissions will not be changed: this example did not change any permissions for user, and if group already had execute permission, it did not remove it.
But if you type ftp_chmod ftp.domain.com go=r foo, it will set file foo to be readable by group and other and turn off any write and execute permissions group and others had.
Now, whether you use the numbers or the text, you can name files using standard wild cards. For example, ftp_chmod ftp.domain.com 604 *.html will change the permissions on all your .html files, while ftp_chmod ftp.domain.com 604 foo* will change permissions on all files and directories with names starting with foo.
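As an added example (not code from the original page or from the hosting provider's ftp_chmod tool), the following Python models the two ftp_chmod syntaxes described above so that a number such as 604 or a text mode such as go=r can be checked before it is applied to a live site: it expands a three-digit number into its rwx form, collapses rwx back into a number, and applies text modes with +, - and = to an existing number, which shows why go+r leaves existing bits alone while go=r replaces them. The mode strings used in the usage section are illustrative.

```python
# Added example: a model of ftp_chmod's numeric and text modes.
# It does not talk to any server; it only computes what a mode would do.
import re

BITS = {"r": 4, "w": 2, "x": 1}        # value of each permission bit
WHO = {"u": 0, "g": 1, "o": 2}         # user, group, other: left to right in the number


def octal_to_rwx(octal):
    """Expand a three-digit ftp_chmod number such as '604' into 'rw----r--'."""
    if not re.fullmatch(r"[0-7]{3}", octal):
        raise ValueError(f"expected three octal digits, got {octal!r}")
    triples = []
    for digit in octal:
        n = int(digit)
        # emit r/w/x in order, or '-' for a bit that is off
        triples.append("".join(c if n & v else "-" for c, v in BITS.items()))
    return "".join(triples)


def rwx_to_octal(rwx):
    """Collapse a nine-character string such as 'rw----r--' back into '604'."""
    if not re.fullmatch(r"(?:[r-][w-][x-]){3}", rwx):
        raise ValueError(f"expected a nine-character rwx string, got {rwx!r}")
    return "".join(
        str(sum(BITS[c] for c in rwx[i:i + 3] if c != "-")) for i in range(0, 9, 3)
    )


def apply_text_mode(current, mode):
    """Apply a text mode ('go+r', 'o-w', 'go=r', ...) to an octal number.

    '+' turns the listed bits on and '-' turns them off without touching
    anything else; '=' sets the named classes to exactly the listed bits,
    clearing whatever else they had. That is the go+r versus go=r difference.
    """
    octal_to_rwx(current)  # validates the starting number
    m = re.fullmatch(r"([ugo]+)([+=-])([rwx]*)", mode)
    if not m:
        raise ValueError(f"bad text mode {mode!r}")
    who, op, perms = m.groups()
    mask = sum(BITS[p] for p in set(perms))
    digits = [int(d) for d in current]
    for w in set(who):
        i = WHO[w]
        if op == "+":
            digits[i] |= mask
        elif op == "-":
            digits[i] &= ~mask
        else:
            digits[i] = mask
    return "".join(str(d) for d in digits)


if __name__ == "__main__":
    for number in ("604", "704"):
        print(number, "=", octal_to_rwx(number))
    # group already had execute (1): go+r keeps it and adds read -> 655
    print("go+r applied to 615 ->", apply_text_mode("615", "go+r"))
    # go=r replaces whatever group and others had with read only -> 644
    print("go=r applied to 617 ->", apply_text_mode("617", "go=r"))
```

Run it directly to see the two text-mode cases from the text side by side; the functions raise ValueError on anything that is not a valid three-digit number or text mode, so a typo is caught before it reaches a command line.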
The permissions that you set for a file or directory depend on what you want people who access your FTP site to be able to do. What follows is a list of actions that users (both anonymous and authorized) can do with files on your site, and the permission set that is required for that action.
You should determine what access you want to give the file owner, and what access you want to give anonymous users. Look up the octal number on the chart below for each, and put them together with a zero (for the unused group permissions) between them. Plug that number into the command:

ftp_chmod ftp.<domain.com> <octal-number> <file>

replacing:
- <domain.com> with your domain,
- <octal-number> with the octal number you look up in the table below, and
- <file> with the file or directory you want to set permissions for.
First, you must set permissions for the directory in which files are contained, because that governs what a user may do to any file in the directory:
| What a user can do: | Permission needed: | Octal number: |
| --- | --- | --- |
| closed to all access | --- | 0 |
| files downloadable only if filename is known | --x | 1 |
| files listable and downloadable | r-x | 5 |
| files listable, downloadable, uploadable, and deletable | rwx | 7 |
If you set the permissions on a directory to unreadable but executable (i.e. ftp_chmod ftp.domain.com 701 directory), FTP users will be unable to list the files in the directory, but will be able to download files if they know the name of the file they want. This may be useful to you if you want a medium amount of security on a directory, but wish to make files in the directory available to people to whom you don't want to give an FTP account.
After you’ve set the permissions for a directory, set the permissions for the files in the directory:
| What a user can do: | Permission needed: | Octal number: |
| --- | --- | --- |
| inaccessible to all | --- | 0 |
| downloadable and deletable | rw- | 6 |
For more information on the chmod and ls commands, check out the Unix Manual Pages. You’ll find them by going to a Unix prompt and typing man chmod or man ls.
Ownership is who owns any given file or directory. Although the owner of a file may give others the permissions to do things to the file, ultimately it is only the owner of the file who can set those permissions. In addition, ownership is a convenient way of giving only one person access to files on an FTP server.
At a UNIX prompt, type the command ls -l. You will see output like this:

[coderevo-slavery] 17 Oct <~/corp-ftp> What?! ls -l
total 4
dr-xr-xr-x 2 slavery 512 Oct 17 16:41 bin
drwxr-xr-x 2 slavery 512 Oct 17 16:41 etc
drwx---r-x 2 slavery 512 Oct 17 16:41 pub
-rw-r--r-- 1 slavery 57 Oct 17 16:41 welcome.msg

The second column shows you the file owner. In this case, all of the files are owned by user slavery.
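As an added example (not part of the original page), the Python below parses an ls -l listing like the one above and reports, for each entry, the owner column and what an anonymous user (the "others" bits) and the owner (the "user" bits) can do with it, using the bit meanings this page gives for directories; it also flags group bits that are set and directories that anonymous users can write to, which are the two things worth catching in an FTP audit. The listing is a constructed copy of the one shown; mapping a file's read bit to "download" and write bit to "delete" extends the page's file table (which lists only 0 and 6) and is an assumption.

```python
# Added example: audit an ls -l listing of an FTP tree in the page's terms.
# LISTING is a constructed copy of the output shown on the page.
LISTING = """\
total 4
dr-xr-xr-x 2 slavery 512 Oct 17 16:41 bin
drwxr-xr-x 2 slavery 512 Oct 17 16:41 etc
drwx---r-x 2 slavery 512 Oct 17 16:41 pub
-rw-r--r-- 1 slavery 57 Oct 17 16:41 welcome.msg
"""

# Directory bit meanings as given on the page.
DIR_MEANING = {"r": "list files", "w": "upload/delete files", "x": "download known filenames"}
# File bit meanings: assumed extension of the page's rw- = downloadable and deletable row.
FILE_MEANING = {"r": "download", "w": "delete"}

GROUP_WARNING = "group bits set (unused for FTP; page says keep them at 0)"
ANON_WRITE_WARNING = "anonymous users can upload to or delete from this directory"


def parse_listing(text):
    """Return (name, kind, nine permission chars, owner) for each ls -l entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # skip blank lines, the 'total' line and anything that is not a listing row
        if len(fields) < 4 or fields[0] == "total" or len(fields[0]) != 10:
            continue
        perms = fields[0]
        kind = "directory" if perms[0] == "d" else "file"
        # the owner is the third column whether or not ls prints a group column
        entries.append((fields[-1], kind, perms[1:], fields[2]))
    return entries


def describe(kind, bits):
    """Turn a three-character rwx triple into what it allows, in the page's words."""
    meaning = DIR_MEANING if kind == "directory" else FILE_MEANING
    allowed = [meaning[c] for c in bits if c in meaning]
    return ", ".join(allowed) if allowed else "no access"


def audit(text):
    """Map each entry name to its owner, capabilities and any warnings."""
    report = {}
    for name, kind, perms, owner in parse_listing(text):
        user, group, other = perms[0:3], perms[3:6], perms[6:9]
        warnings = []
        if group != "---":
            warnings.append(GROUP_WARNING)
        if kind == "directory" and "w" in other:
            warnings.append(ANON_WRITE_WARNING)
        report[name] = {
            "owner": owner,
            "kind": kind,
            "owner_can": describe(kind, user),
            "anonymous_can": describe(kind, other),
            "warnings": warnings,
        }
    return report


if __name__ == "__main__":
    for name, info in audit(LISTING).items():
        print(f"{name} ({info['kind']}, owner {info['owner']})")
        print(f"  owner can:     {info['owner_can']}")
        print(f"  anonymous can: {info['anonymous_can']}")
        for w in info["warnings"]:
            print(f"  WARNING: {w}")
```

Feed it the real output of ls -l from the FTP root and the warnings point straight at the entries whose permissions disagree with the tables above: pub (drwx---r-x) comes out clean, while etc and welcome.msg are flagged only because their group bits are set.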
You set ownership of the files in your FTP site with the ftp_chown command.
You should leave a file owned by you most of the time, controlling only whether or not an anonymous user has access to it. If you want to give only one user access to a file, you should set the file to be owned by them, after creating a userid for them. Then you can give only the file owner the permission to download the file.