[vox-tech] Limiting FTP User access to certain subdirectories

Bryan Richter bryan.richter at gmail.com
Thu May 1 10:26:48 PDT 2008


On Thu, May 1, 2008 at 9:54 AM, Richard S. Crawford
<rscrawford at mossroot.com> wrote:
> Here's what I'm trying to do. Maybe I'm shooting for the moon here, but it
> can't hurt to try.
>
> I have several sites on my host, and several users who need access to
> subdirectories within those sites. For example:
>
> /V_HOST/SITE_ONE/CAMPUS/COURSES
> /V_HOST/SITE_TWO/CAMPUS/COURSES
>
> We have educational designers who need to be able to get into the COURSES
> directories of SITE_ONE and SITE_TWO, but not in any other subdirectory, or
> any subdirectory above the COURSES subdirectories. In an ideal world, my
> educational designers would only have to worry about one login, rather than
> having to have a second login for each site.
>
> I created a subdirectory under V_HOST called "designers". Under "designers"
> I created one subdirectory for each designer. Then in each of those
> subdirectories I created a symbolic link to the various COURSES
> subdirectories. For example:
>
> /V_HOST/DESIGNERS/USER_1
>      COURSES_ONE -> /V_HOST/SITE_ONE/COURSES
>      COURSES_TWO -> /V_HOST/SITE_TWO/COURSES
>
> This didn't work until I gave the user account for each designer the same
> UID as the user that owns the entire site. I thought it was a great solution
> until I discovered that the education designers, once they followed the
> symbolic links to the COURSES subdirectories, could then browse to higher
> level directories in their FTP client. I trust the designers not to make any
> willful changes to the code elsewhere, but accidents can happen. Plus we're
> talking about allowing people outside our office to have access to the
> courses subdirectories.
>
> I tried creating a new user account and switching ownership of the courses
> subdirectories to that user, then setting the UID of one of my designers'
> accounts to the same UID as the new user, but I got a "permission denied"
> error when I attempted to follow the symbolic link to the courses
> subdirectory.
>
> The host has SELinux enabled, and, unfortunately, I don't have the option of
> disabling it.
>
> Does anyone have any suggestions for how to go about doing what I want to
> do? Am I living in a dreamworld here?
>

How about groups?

1. Create a course_designers group.
2. Change group ownership of the COURSES directories to course_designers.
3. Add your designers' users to course_designers.

-Bryan
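
The three steps above as shell functions to run as root, plus a check for directories above COURSES that group members could still modify. This is an added example, not part of the original post. The group name and paths come from the thread; the function names, the user list, the g+rwX and setgid modes, and the use of GNU stat and shadow-utils are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux with groupadd/usermod
# (shadow-utils), getent and GNU stat. Function names are hypothetical.

GROUP=course_designers      # group name suggested in the reply

# setup_designers "user1 user2" DIR...   (run as root)
setup_designers() {
    users=$1; shift
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"   # step 1
    for d in "$@"; do
        chgrp -R "$GROUP" "$d"                              # step 2
        chmod -R g+rwX "$d"          # group may read, write and traverse
        # setgid on directories so new uploads inherit the group (assumption)
        find "$d" -type d -exec chmod g+s {} +
    done
    for u in $users; do
        usermod -a -G "$GROUP" "$u"                         # step 3
    done
}

# exposed_ancestors DIR STOP
# Walk from DIR's parent up to STOP (inclusive) and print each directory a
# group member could modify: world-writable, or owned by GROUP and
# group-writable. No output means only DIR itself is writable for them.
exposed_ancestors() {
    dir=$(dirname "$1"); stop=${2:-/}
    while :; do
        mode=$(stat -c '%a' "$dir"); grp=$(stat -c '%G' "$dir")
        other=${mode#"${mode%?}"}                 # last octal digit
        rest=${mode%?}; gbits=${rest#"${rest%?}"} # second-to-last digit
        case $other in [2367]) echo "$dir world-writable" ;; esac
        if [ "$grp" = "$GROUP" ]; then
            case $gbits in [2367]) echo "$dir writable by $GROUP" ;; esac
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
}

# Usage, with the paths from the original post:
#   setup_designers "designer1 designer2" \
#       /V_HOST/SITE_ONE/CAMPUS/COURSES /V_HOST/SITE_TWO/CAMPUS/COURSES
#   exposed_ancestors /V_HOST/SITE_ONE/CAMPUS/COURSES /V_HOST
```

Group membership changes take effect at the user's next login, so existing FTP sessions need to reconnect before testing.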

