From: TJ S. <tj...@ca...> - 2015-10-08 05:22:20
> We have a number of users that exist outside Unix, which are mapped by
> our ProFTPd extension module to two ordinary Unix users, each within
> their own separate uid and gid, that cannot login. When ProFTPd spawns a
> process for either of those users, they run with the correct uid and gid.
>
> We then tested whether or not either user can 'get' files owned by the
> four combinations of either (one as user, one as group), and with all
> combinations of permissions. This points out that the rules regarding the
> user owner are applied correctly (even though a 'cd' to a directory which
> should be refused according to these rules is always allowed),

You have not mentioned the permissions (read, write, execute) that the
files/directories have; this information is necessary to truly decide
whether a "change directory" operation would normally be allowed or not.

> but that the rules regarding the group owner are not. It seems that in certain
> cases, both users are considered to be in the same group, and are allowed
> access, even though they are completely separate (both in user and
> group).

What are these "certain cases", specifically? If, for example, the files
are world-readable, it won't matter which users/groups own the files; they
could still be read by any user. Thus, in order to help determine what may
be happening, we need to know more specific information about the
permissions and ownership of the files/directories in question.

Cheers,
TJ