Discussion:
[Proftpd-user] Problem with Umask directive
Florian Coulmier
2009-03-17 11:14:54 UTC
Permalink
Hello,

I have a proftpd 1.3.1 on a linux server that I use in production
environnement. My default umask is 0027, wich create files in 640 mode
and directories in 750 mode.
However, for some directories, I need a 0007 umask, to add group write
to files and directories created (in my case, the group is apache).

Everything work fine when I use this configuration :

<Directory /usr/local/user/dir1>
umask 0007 0007
</Directory>

What I mean by "everything work fine" is that :
- When I create directory /usr/local/user/dir1, it has mode 770 (OK).
- When I create directory /usr/local/user/dir1/sdir1, it also has mode
770 (OK).
- When I create file /usr/local/user/dir1/sdir1/file1, it has mode 660
(OK).

But, I have some problems with umask when I use globing in the
directory directive :

<Directory /usr/local/*/dir1>
umask 0007 0007
</Directory>

With this configuration, I have the following problems :
- When I create directory /usr/local/user/dir1, it has mode 770 (OK).
- When I create directory /usr/local/user/dir1/sdir1, it has mode 750
(NOT OK).
- When I create file /usr/local/user/dir1/sdir1/file1, it has mode 640
(NOT OK).

It seems that the umask is not applied recursively when globing is
used in the "Directory" section.

It is very important for me to make the umask directive work with
globing. Has anyone else already encountered this problem and managed
to solve it or found a workarround ?

Thanks for your help.

Florian Coulmier
Florian Coulmier
2009-03-17 13:26:16 UTC
Permalink
I have an update for this problem. The behaviour of proftpd seems
correct, when I create the directory "dir1", then I disconnect from my
FTP session and I reconnect. After the logout/login, files and
directories created under "dir1", with globbing active, have the good
permission.

I have still not found a workarround for this.

Florian Coulmier
Post by Florian Coulmier
Hello,
I have a proftpd 1.3.1 on a linux server that I use in production
environnement. My default umask is 0027, wich create files in 640 mode
and directories in 750 mode.
However, for some directories, I need a 0007 umask, to add group write
to files and directories created (in my case, the group is apache).
<Directory /usr/local/user/dir1>
umask 0007 0007
</Directory>
- When I create directory /usr/local/user/dir1, it has mode 770 (OK).
- When I create directory /usr/local/user/dir1/sdir1, it also has mode
770 (OK).
- When I create file /usr/local/user/dir1/sdir1/file1, it has mode 660
(OK).
But, I have some problems with umask when I use globing in the
<Directory /usr/local/*/dir1>
umask 0007 0007
</Directory>
- When I create directory /usr/local/user/dir1, it has mode 770 (OK).
- When I create directory /usr/local/user/dir1/sdir1, it has mode 750
(NOT OK).
- When I create file /usr/local/user/dir1/sdir1/file1, it has mode 640
(NOT OK).
It seems that the umask is not applied recursively when globing is
used in the "Directory" section.
It is very important for me to make the umask directive work with
globing. Has anyone else already encountered this problem and managed
to solve it or found a workarround ?
Thanks for your help.
Florian Coulmier
------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM)
are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly
and
easily build your RIAs with Flex Builder, the Eclipse(TM)based
development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
_______________________________________________
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html
Yusuke Sato
2009-03-18 01:34:48 UTC
Permalink
Post by Florian Coulmier
It seems that the umask is not applied recursively when globing is
used in the "Directory" section.
It is probably, proftpd Spec. Please see the following documents:

http://www.proftpd.org/docs/howto/Directory.html

Yusuke
====
satou-***@aics.ad.jp
Key fingerprint = 582B C953 6AC5 F524 25AE 9E70 357C 154F EA95 4905
Florian Coulmier
2009-03-18 08:59:07 UTC
Permalink
Post by Yusuke Sato
Post by Florian Coulmier
It seems that the umask is not applied recursively when globing is
used in the "Directory" section.
http://www.proftpd.org/docs/howto/Directory.html
Yes, I have already read this documentation, but my problem is not
described.It sounds more like a bug or an unexpected behaviour than a
known feature.
Should I open a new case in the bugtracker ?
Post by Yusuke Sato
Yusuke
====
Key fingerprint = 582B C953 6AC5 F524 25AE 9E70 357C 154F EA95 4905
TJ Saunders
2009-03-18 16:27:01 UTC
Permalink
Post by Florian Coulmier
But, I have some problems with umask when I use globing in the
<Directory /usr/local/*/dir1>
umask 0007 0007
</Directory>
- When I create directory /usr/local/user/dir1, it has mode 770 (OK).
- When I create directory /usr/local/user/dir1/sdir1, it has mode 750
(NOT OK).
- When I create file /usr/local/user/dir1/sdir1/file1, it has mode 640
(NOT OK).
It seems that the umask is not applied recursively when globing is
used in the "Directory" section.
In the mentioned <Directory> howto, it states that a "*" within a
<Directory> path:

"will only match that single directory level, and will not match
multiple directory levels."

If you need the Umask to work recursively, simply use:

<Directory /usr/local/>

with the asterisk.

This is not a bug.

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A woman can become a man's friend only in the following stages - first an
acquaintance, next a mistress, and only then a friend.

-Anton Chekhov

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Florian Coulmier
2009-03-18 16:03:40 UTC
Permalink
Post by TJ Saunders
Post by Florian Coulmier
But, I have some problems with umask when I use globing in the
<Directory /usr/local/*/dir1>
umask 0007 0007
</Directory>
- When I create directory /usr/local/user/dir1, it has mode 770 (OK).
- When I create directory /usr/local/user/dir1/sdir1, it has mode 750
(NOT OK).
- When I create file /usr/local/user/dir1/sdir1/file1, it has mode 640
(NOT OK).
It seems that the umask is not applied recursively when globing is
used in the "Directory" section.
In the mentioned <Directory> howto, it states that a "*" within a
"will only match that single directory level, and will not match
multiple directory levels."
<Directory /usr/local/>
with the asterisk.
This is not a bug.
I think there's a confusion. I do not want to match multiple
directories with the wildcard. I just want to match the directory
"user" in my exemple, so all path with this format would be concerned :

/usr/local/user1/dir1
/usr/local/user2/dir1
/usr/local/user3/dir1
...

As you can see, the wildcard (*) just replace the "userX" directory in
each case. So, everything in the <Directory> directive should apply
recursively to the "dir1" of each user. But this is not the case.

And I cannot set the umask directive for "/usr/local" because I just
want to "dir1" directory of each user to be writable by apache (the
umask add the write permission to group apache on files under the
"dir1" directory - on my server, "dir1" is "data").
So, this is a bug for me.

If you know another way I could do what I want, I am opened to any
solution.

Thanks

Florian
Post by TJ Saunders
TJ
~
~
~
~
~
~
~
~
~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A woman can become a man's friend only in the following stages - first an
acquaintance, next a mistress, and only then a friend.
-Anton Chekhov
~
~
~
~
~
~
~
~
~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM)
are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly
and
easily build your RIAs with Flex Builder, the Eclipse(TM)based
development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
_______________________________________________
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html
TJ Saunders
2009-03-18 19:04:52 UTC
Permalink
Post by Florian Coulmier
I think there's a confusion. I do not want to match multiple
directories with the wildcard. I just want to match the directory
/usr/local/user1/dir1
/usr/local/user2/dir1
/usr/local/user3/dir1
...
As you can see, the wildcard (*) just replace the "userX" directory in
each case. So, everything in the <Directory> directive should apply
recursively to the "dir1" of each user. But this is not the case.
What proftpd version are you using? Using proftpd-1.3.2 and the suggested
configuration, it works as expected. Unless there are other Umask
directives in your full proftpd.conf that might also be affecting the
situation?

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your reason and your passion are the rudder and the sails of your seafaring
soul.

-Kahlil Gibran

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Florian Coulmier
2009-03-19 09:05:13 UTC
Permalink
Post by TJ Saunders
Post by Florian Coulmier
I think there's a confusion. I do not want to match multiple
directories with the wildcard. I just want to match the directory
"user" in my exemple, so all path with this format would be
/usr/local/user1/dir1
/usr/local/user2/dir1
/usr/local/user3/dir1
...
As you can see, the wildcard (*) just replace the "userX" directory in
each case. So, everything in the <Directory> directive should apply
recursively to the "dir1" of each user. But this is not the case.
What proftpd version are you using? Using proftpd-1.3.2 and the suggested
configuration, it works as expected. Unless there are other Umask
directives in your full proftpd.conf that might also be affecting the
situation?
I tried 1.3.2, and it solves a big part of the problem, but not the
entire problem.

With 1.3.2, here is the situation with a concrete case :

1. Configuration of Proftpd v1.3.2 :
-----------------------------------

ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
ScoreboardFile /var/run/proftpd/proftpd.scoreboard
Port 21
Umask 0027
MaxInstances 30
CommandBufferSize 512
User nobody
Group nogroup
DefaultRoot ~
AllowOverwrite on

AuthUserFile /etc/proftpd/ftp.passwd
AuthGroupFile /etc/proftpd/ftp.group
DirFakeUser On
DirFakeGroup On

IdentLookups Off
UseReverseDNS Off

<Limit SITE_CHMOD>
DenyAll
</Limit>

<Directory /usr/local/ftp/test1/data>
umask 0007 0007
</Directory>

<Directory /usr/local/ftp/test2/*/data>
umask 0007 0007
</Directory>

2. Content of ftp.passwd
------------------------

fcoulmier:HASHPASSWORD:10000:80:Test account:/usr/local/ftp:/sbin/
nologin

3. FTP commands & Results
-------------------------

NcFTP 3.2.1 (Jul 29, 2007) by Mike Gleason (http://www.NcFTP.com/contact/
).
ncftp> open -u fcoulmier myserver
Connecting to X.X.X.X...
ProFTPD 1.3.2 Server (ProFTPD Default Installation) [X.X.X.X]
Logging in...
Password requested by X.X.X.X for user "fcoulmier".

Password required for fcoulmier

Password:

User fcoulmier logged in
Logged in to myserver.
ncftp / > ls
./ test1/ test2/
ncftp / > cd test1 (<-- in test1 directory, I test the umask
WITHOUT globbing in <Directory> section)
ncftp /test1 > ls
./
ncftp /test1 > mkdir data
ncftp /test1 > mkdir img
ncftp /test1 > ls -l
drwxr-x--- 10000 80 mar 19 09:50 .
drwxrwx--- 10000 80 mar 19 09:50 data (<-- It
works with no globbing)
drwxr-x--- 10000 80 mar 19 09:50 img
ncftp /test1 > cd data
ncftp /test1/data > mkdir output
ncftp /test1/data > ls -l
drwxrwx--- 10000 80 mar 19 09:51 .
drwxrwx--- 10000 80 mar 19 09:51 output (<-- It
works recursively with no globbing)

ncftp /test1/data/output > cd /test2 (<-- in test2 directory, I
test the umask WITH globbing in <Directory> section)
ncftp /test2 > ls
./
ncftp /test2 > mkdir dir1 dir2
ncftp /test2 > ls -l
drwxr-x--- 10000 80 mar 19 09:51 .
drwxr-x--- 10000 80 mar 19 09:51 dir1 (<--
Everything is normal for the moment)
drwxr-x--- 10000 80 mar 19 09:51 dir2
ncftp /test2 > cd dir1
ncftp /test2/dir1 > mkdir data
ncftp /test2/dir1 > mkdir img
ncftp /test2/dir1 > ls -l
drwxr-x--- 10000 80 mar 19 09:51 .
drwxr-x--- 10000 80 mar 19 09:51 data (<-- NOT
GOOD: Should be in 770 and not in 750)
drwxr-x--- 10000 80 mar 19 09:51 img
ncftp /test2/dir1 > cd data
ncftp /test2/dir1/data > mkdir test
ncftp /test2/dir1/data > ls -l
drwxr-x--- 10000 80 mar 19 09:52 .
drwxrwx--- 10000 80 mar 19 09:52 test (<-- This
is good. It works recursively under data directory)
ncftp /test2/dir1/data > cd test
ncftp /test2/dir1/data/test > put myfile
myfile: 1,17 MB 463,05 kB/s
ncftp /test2/dir1/data/test > ls -l
drwxrwx--- 10000 80 mar 19 09:52 .
-rw-rw---- 10000 80 1225350 mar 19 09:52
documentation.pdf (<-- This is good)

4. Bilan
--------

With Proftpd 1.3.2, the Umask directive applies recursively under the
<Directory> section, but does not apply to the <Directory> itself. I
think I am close to my ojective.
Maybe someone can give me some help for this last problem ?

Thanks

Florian
Post by TJ Saunders
Cheers,
TJ
~
~
~
~
~
~
~
~
~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Your reason and your passion are the rudder and the sails of your seafaring
soul.
-Kahlil Gibran
~
~
~
~
~
~
~
~
~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM)
are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly
and
easily build your RIAs with Flex Builder, the Eclipse(TM)based
development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
_______________________________________________
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html
TJ Saunders
2009-03-19 17:13:19 UTC
Permalink
Post by Florian Coulmier
With Proftpd 1.3.2, the Umask directive applies recursively under the
<Directory> section, but does not apply to the <Directory> itself. I
think I am close to my ojective.
Maybe someone can give me some help for this last problem ?
The Directory howto does mention that using a glob character will cause
the regex to apply to sub-directories which match the pattern -- but not
to the parent directory itself. Thus, in your case, you might try:

# Covers the sub-directories...
<Directory /usr/local/ftp/test2/*/data>
Umask 0007 0007
</Directory>

# ...and this covers the parent directory
<Directory /usr/local/ftp/test2/>
Umask 0007 0007
</Directory>

And to make sure that nothing else gets this Umask, you might also need:

# And this says to use the default Umask for other sub-directories
<Directory /usr/local/ftp/test2/*>
Umask 022
</Directory>

Hope this helps,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is as natural to die as to be born, and to a little infant, the one is
as painful as the other.

-Francis Bacon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Loading...