Granting 775 permissions on a directory doesn't automatically mean that all users in a certain group will gain rwx
access to it. They need to either be the owner of the directory or to belong to the directory's group:
$ ls -ld some_dir
drwxrwxr-x 2 alex consult 4096 Feb 20 10:10 some_dir/
             ^    ^
             |    |_____ directory's group
             |___________ directory's owner
So, in order to allow both alex and ben to have write access to some_dir, the some_dir directory itself must belong to the consult group. If that's not the case, the directory's owner (alex in your example) should issue the following command:
$ chgrp consult some_dir/
or to change group ownership of everything inside the directory:
$ chgrp -R consult some_dir/
This will only work if alex is a member of the consult group, which seems to be the case in your example.
This will not allow ben to access all of alex's directories for two reasons:
- Not all of alex's directories will belong to the consult group
- Some of alex's directories may belong to the consult group but alex may not have chosen to allow rwx group access to them.
In short, the answer depends both on group ownership and on the group permission bits set for the directory.
All of this is provided you don't use any additional mandatory access control measures on your system.
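The decision described in the answer above, as an added example that is not part of the original answer: for any user the kernel consults exactly one of the owner, group or other triplets, chosen first by UID and then by group membership. The numeric IDs for alex, ben and the groups are constructed assumptions, and root, ACLs and MAC policy are not modelled.

```python
import os
import pwd

# Constructed numeric IDs for the answer's scenario (assumptions, not real accounts).
ALEX, BEN = 1000, 1001
CONSULT, ALEX_PRIVATE, USERS = 2000, 1000, 100


def applicable_class(uid, gids, st_uid, st_gid):
    """Pick the single permission triplet that applies; the classes never combine."""
    if uid == st_uid:
        return "owner"
    if st_gid in gids:
        return "group"
    return "other"


def access_bits(mode, cls):
    """Render the rwx bits of one class from an st_mode value such as 0o775."""
    bits = (mode >> {"owner": 6, "group": 3, "other": 0}[cls]) & 0o7
    return "".join(ch if bits & m else "-" for ch, m in (("r", 4), ("w", 2), ("x", 1)))


def explain(mode, st_uid, st_gid, uid, gids):
    """Return (class, rwx) for a user. Root, ACLs and MAC policy are not modelled."""
    cls = applicable_class(uid, gids, st_uid, st_gid)
    return cls, access_bits(mode, cls)


def explain_path(path, username):
    """Run the same check against a real directory and a real local account."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    return explain(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


if __name__ == "__main__":
    cases = [
        ("775, group consult, ben in consult", 0o775, CONSULT, {USERS, CONSULT}),
        ("775, group consult, ben not in consult", 0o775, CONSULT, {USERS}),
        ("775, group still alex's own, ben in consult", 0o775, ALEX_PRIVATE, {USERS, CONSULT}),
        ("755, group consult, ben in consult", 0o755, CONSULT, {USERS, CONSULT}),
    ]
    for label, mode, dir_gid, ben_gids in cases:
        print(f"{label}: ben -> {explain(mode, ALEX, dir_gid, BEN, ben_gids)}")
```

On a real system, explain_path("some_dir", "ben") applies the same logic to the directory's actual owner, group and mode.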
There are 2 solutions using 2 different FTP servers.
1 - Use proftpd with the VirtualServer feature and with a local user force. Snippet of a config file of mine:
ServerType standalone
DefaultServer on
AccessGrantMsg "User %u logged in."
DeferWelcome off
# Use pam to authenticate (default) and be authoritative
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
<VirtualHost xxx.xxx.xxx.xxx>
    ServerAdmin nwildner@xxx.xxx.xxx.xxx
    ServerName "FTP"
    TransferLog /var/log/proftpd/transfer.log
    ExtendedLog /var/log/proftpd/full.log ALL
    DefaultRoot /var/www/digitalgoods
    User apache
    Group apache
    AllowOverwrite yes
    MaxLoginAttempts 3
    RequireValidShell no
</VirtualHost>
Create the 3 users, and let them use the ftp. They will be "chrooted" to /var/www/digitalgoods and any file uploaded will have the permissions set to apache:apache.
2 - Use vsftpd chroot, and create 3 users with the same userid as apache AND the same home dir that will be chrooted (yeah, that's a kludge but it shall work):
Contents of /etc/vsftpd/vsftpd.conf:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirmessage_enable=YES
check_shell=NO
syslog_enable=YES
connect_from_port_20=YES
xferlog_std_format=NO
idle_session_timeout=3600
ftpd_banner=FTP XXX
chroot_local_user=YES
ls_recurse_enable=YES
listen=YES
pam_service_name=vsftpd
# userlist_deny is only examined when userlist_enable=YES
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
Since we are using least privilege, we will have to declare the logins that will access this ftp at /etc/vsftpd/user_list:
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
#
devel
manuals
Create 2 users (/etc/passwd) and use the same userid as the apache user (again, it's a damn kludge, but at least you will have 2 users uploading to their chrooted homes with the same permission). With check_shell=NO you don't need to give a valid shell to those users:
[root@]# grep 'apache\|devel\|manuals' /etc/passwd
apache:x:48:48:Apache:/var/www:/sbin/nologin
devel:x:48:48::/var/www/digitalgoods:/sbin/nologin
manuals:x:48:48::/var/www/digitalgoods:/sbin/nologin
Best Answer
Simply not. Look at this example