Permissions & Ownership

Note: the commands in this document stongly resemble the UNIX commands chmod and chown. They are not those commands, and if you mistakenly use those commands on your FTP files and directories, you will break your FTP site.

Permissions
- What is an anonymous user?
- What is an authorized user?
- What Are Permissions?
- How Do I Tell Which Permissions Are Set?
- How Do I Set Permissions?
  - By Number or
  - By TextNot implemented yet!!!
- What Permissions Should I Set?
Ownership

What is an anonymous user?

An anonymous user is someone who logs into an FTP server as user 'anonymous'. The server requires no password for an anonymous user (although they are asked to submit thier email address as a password). This can be disabled. In the permissions scheme, their access is controlled by the "others" bit.

What is an authorized user?

An authorized user is a user who you have created with the ftp_adduser command. When they log into your FTP server, they submit thier userid and password toothe server. In the permissions scheme, their access is controlled by the "user" bit.

What Are Permissions?

Permissions are the way you regulate access to your files. You can regulate what you yourself can do with files, and what others can do with the same files. In an FTP site, this means you can control what files are readable by anyone who accesses your site (anonymous users), and which are readable only by authorized users (with userids and passwords). You can control to which directories users can upload files, and in which directories they can delete files.

There are three groups of permissions for each file and directory:

owner permissions, which control what the owner of the file or directory may do;
group permissions, which control what the group that owns the file may do;
other premissions, which control what everyone else may do.

Each group of permissions contains a bit for read, write, and excecute. These bits are either on or off. That makes nine permissions bits total for each file and directory, controlling premissions for owner's read, write, and excecute; group's read, write, and excecute; and other's read, write, and excecute. For example, a file could be readable and writeable, but not excecutable by the file's owner, and not readable or writable, but excecutable by the file's group, and completely unavailable to others.

Note: for the purposes of administering an FTP site, group permissions don't matter.

How Do I Tell Which Permissions Are Set?

At a Unix prompt, do this:

`[panix-avery] <~>` `cd corp-ftp`	-- change to your FTP directory
`[panix-avery] <~/corp-ftp> ls -l`	-- list files with permission info
`drwxrwxrwx 1 avery users 2525 Feb 18 09:17 index.html`

Here's what that output means:

    -rwxrwxrwx  1 avery    users        2525 Feb 18 09:17 index.html
    ^\ /\ /\ /
    | V  V  V
    | |  |  `-- others (non Panixians)
    | |  `-- group (doesn't apply)
    | `-- user (authorized FTP user)
    `-- d=directory, -=file, l=link, etc

The list of letters at the far left is the permissions table. The first letter indicates what the file is (plain file, directory, link, etc.). The second, third, and fourth letters are read, write, and excecute for the file's owner. The next three letters are the permissions for the file's group, and the last three letters are the permissions for others.

How Do I Set Permissions?

To set permissions, you will use the ftp_chmod command. There are two ways to use ftp_chmod: number or text (Not implemented yet).

Setting by Number:

Using the numbering scheme, the ftp_chmod command has three number places, as in:

[panix-avery] <~/corp-ftp> ftp_chmod ftp.domain.com704 foo.txt ('704' is the permissions number.)

These numbers represent the three user types. The first number on the left side ( the '7' in the example above) is for "user", the middle one (the '0') is for "group" (which is completely unused in the context of FTP, and should always be set to no access), and the right hand one (the '4') is for "other." Now, here's what each number does:

For Files:

0  =  ---  =  no access
1  =  --x  =  execute
2  =  -w-  =  write
3  =  -wx  =  write and execute
4  =  r--  =  read
5  =  r-x  =  read and execute
6  =  rw-  =  read and write
7  =  rwx  =  read write execute (full access)

So, if you set a file to:

ftp_chmod ftp.domain.com 604 foo
                         ^^^
                         ||`-- others have read access
                         |`-- group has no access (they don't matter)
                         `-- user has read and write access

This would be a good permission set for a file you wanted an authorized user to be able to download or delete, while only allowing anonymous users to download the file.

For Directories:

read = list files in the directory
write = upload to or delete files from the directory
execute = download files in the directory (you can download files in an excecutable directory if you know the filename, even if you can't list them)

Setting by Text:

Another means is via text based commands: chmod [ugo][+-][rwx] [filename]. Where u=user, g=group and o=other and +/- turns on/off the attributes which follow it: r=read, w=write, x=execute.

For example, typing ftp_chmod ftp.domain.com go+r foo, turns on the read bits for group and others on file "foo". Note, that this command does NOT reset the other bits, so any previously specified permissions will not be changed. For example, this did not change any permissions for user and if group already had execuete permissions, it did not remove it.

But, if you type ftp_chmod ftp.domain.com go=r foo, it will set file foo to be readable by group and other and turn off any write and execute permissions group and others had.

Now, whether you use the numbers or the text, you can name files using standard wild cards. For example, ftp_chmod ftp.domain.com 604 *.html will change the permissions on all your .html files, while ftp_chmod ftp.domain.com 604 foo* will change permissions on all files and directories with names starting with foo.

What Permissions Should I Set?

The permissions that you set for a file or directory depend on what you want people who access your FTP site to be able to do. What follows is a list of actions that users (both anonymous and authorized) can do with files on your site, and the premission set that is required for that action.

You should determine what access you want to give the file owner, and what access you want to give anonymous users. Look up the octal number on the chart below for each, and put them together with a zero (for the unused group permissions) between them. Plug that number into the command:

ftp_chown ftp.<domain.com> <octal-number> <file>

Replace <domain.com> with your domain, <octal-number> with the octal number you look up in the table below, and <file> with the file or directory you want to set permissions for.

First, you must set permissions for the directory in which files are contained, because that governs what a user may do to any file in the directory:

Directories:
What a user can do: Permission needed: Octal-Number:

closed to all access --- 0

files downloadable only if filename is known --x 1

files listable and downloadable r-x 5

files listable, downloadable, uploadable, and deletable rwx 7

If you set the permissions on a directory to unreadable and scannable (i.e. ftp_chmod ftp.domain.com 701 directory ), FTP users will be unable to list the files in the directory, but will be able to download files if they know the name of the file they want. This may be useful to you if you want a medium amount of security on a directory, but wish to make files in the directory available to people to whom you don't want to give an FTP account.

**Directories:**
What a user can do:	Permission needed:	Octal-Number:
closed to all access	---	0
files downloadable only if filename is known	--x	1
files listable and downloadable	r-x	5
files listable, downloadable, uploadable, and deletable	rwx	7

After you've set the permissions for a directory, set the permissisons for the files in the directory:

Files:
What a user can do: Permission needed: Octal-Number:

inaccessible to all --- 0

downloadable only r-- 4

downloadable and deletable rw- 6

**Files:**
What a user can do:	Permission needed:	Octal-Number:
inaccessible to all	---	0
downloadable only	r--	4
downloadable and deletable	rw-	6

For more information on the chmod and ls commands, check out the Unix Manual Pages. You'll find them by going to a Unix prompt and typing man chmod or man ls.

What is ownership?

Ownership is who owns any given file or directory. Although the owner of a file may give others the permissions to do things to the file, ultimately it is only the owner of the file who can set those permissions. In addition, ownsership is a convenient way of giving only one person access to files on an FTP server.

How do I tell what ownership is set?

At a UNIX prompt, type the command ls -l. You will see output like this:

[panix-slavery] 17 Oct <~/corp-ftp> What?! ls -l
total 4
dr-xr-xr-x  2 slavery       512 Oct 17 16:41 bin
drwxr-xr-x  2 slavery       512 Oct 17 16:41 etc
drwx---r-x  2 slavery       512 Oct 17 16:41 pub
-rw-r--r--  1 slavery        57 Oct 17 16:41
welcome.msg

The second collumn shows you the file owner In this case, all of the files are owned by user slavery.

How do I set ownsership?

You set ownsership of the files in your FTP site with the ftp_chown command.

What ownership should I set?

You should leave a file as owned by you most of the time, controlling only whether or not an anonymous user has access to it. If you want to give only one user access to a file you should set the file to be owned by them, after creating them a userid. Then you can give only the file owner the permission to download the file.

To Corp-Web FAQ index

To top of page