6

I have a CentOS server running PureFTPd with multiple virtual users mapping to a single system user. Each of these virtual users gets chrooted to a directory corresponding to their username. The directory tree is:

  • /ftp_accounts
    • /virtual_user_1
    • /virtual_user_2
    • ...
    • /virtual_user_N

Only one of these FTP virtual users (let's call him "master_virtual_user") is chrooted to the main ftp_accounts directory, allowing access to all sub-folders.

For this specific "master_virtual_user", I would like to prevent the deletion of only the virtual_user_* folders, but still maintain full read-write access to everything else in this directory tree.

Given that all of these FTP virtual users are mapping to the same system user, is there any way to achieve this?

masegaloeh
Ralph

2 Answers

5

It would be nice if you could use the immutable flag on directories, but you can cheat by making a file in that directory that is immutable. So touch virtual_user_X/.immutable then chattr +i virtual_user_X/.immutable. For example:

[root@hellonurse ~]# cd /root
[root@hellonurse ~]# mkdir z
[root@hellonurse ~]# cd z
[root@hellonurse z]# touch .i
[root@hellonurse z]# chattr +i .i
[root@hellonurse z]# cd ..
[root@hellonurse ~]# rm  -rf z
rm: cannot remove ‘z/.i’: Operation not permitted
[root@hellonurse ~]# chattr -i z/.i
[root@hellonurse ~]# rm  -rf z
[root@hellonurse ~]# ls z
ls: cannot access z: No such file or directory
Xavier Lucas
chicks
  • Thanks @chicks, this is great! I created the following shell script that runs every day and creates an _.immutable_ file for any new directories directly inside the parent. Does this look good to you? `for d in /path/to/parent/dir/*/; do if [ -f "$d.immutable" ]; then echo "Found $d.immutable"; else touch "$d.immutable"; chattr +i "$d.immutable"; echo "Created $d.immutable"; fi; done` – Ralph Mar 23 '15 at 02:45
  • Nice @ralph. My only concern with your script is that the size of all of the directory match expansion could exceed the size of an allowed command line. If you're not worried about that scale, great. Otherwise there are a few options. (1) cd first then do the expansion as `for d in ./*/; do` so that you're not repeating the path over and over. Eventually this will still exceed the size of a command. (2) Use `find`. – chicks Mar 24 '15 at 17:15
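As an added example that is not part of the answer or its comments: a POSIX sh script that applies the immutable-marker approach to every per-user directory using `find` (as chicks suggests above) and then checks with `lsattr` whether each marker really carries the `i` flag, so a missing `+i` is reported rather than silently assumed. Assumptions: the parent directory is passed as the first argument (defaulting to the `/ftp_accounts` path from the question); `chattr`/`lsattr` come from e2fsprogs and need root on an ext2/3/4 filesystem, so where `+i` cannot be set the script warns and the verify step shows the directory as unprotected.

```sh
#!/bin/sh
# Added example: protect each immediate subdirectory of a parent with an
# immutable marker file, then verify the attribute actually took effect.
# Assumed defaults: parent /ftp_accounts (from the question), marker name
# .immutable (from the answer). Run as root on ext2/3/4 for chattr to work.

MARKER=".immutable"

# Create the marker in one directory and try to make it immutable.
# Returns 0 when the marker file exists afterwards. Setting +i needs root
# and an ext* filesystem, so a failure there is only a warning; verify_dir
# reports the real state.
protect_dir() {
    pd=$1
    [ -e "$pd/$MARKER" ] || : > "$pd/$MARKER" || return 1
    if command -v chattr >/dev/null 2>&1; then
        chattr +i "$pd/$MARKER" 2>/dev/null \
            || echo "warn: could not set +i on $pd/$MARKER" >&2
    else
        echo "warn: chattr not installed, $pd/$MARKER is not immutable" >&2
    fi
    [ -e "$pd/$MARKER" ]
}

# Print "protected" if the marker carries the 'i' attribute, "unprotected"
# if it does not, or "unknown" when lsattr is unavailable.
verify_dir() {
    vd=$1
    if ! command -v lsattr >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    flags=$(lsattr -d "$vd/$MARKER" 2>/dev/null | cut -d' ' -f1)
    case $flags in
        *i*) echo protected ;;
        *)   echo unprotected ;;
    esac
}

# Walk only the immediate subdirectories with find, so the number of
# directories never matters for command-line length. Per-directory status
# goes to stderr; the number of directories processed is printed to stdout.
protect_all() {
    parent=${1:-/ftp_accounts}
    count=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if protect_dir "$dir"; then
            count=$((count + 1))
            echo "$dir: $(verify_dir "$dir")" >&2
        else
            echo "$dir: failed to create marker" >&2
        fi
    done <<EOF
$(find "$parent" -mindepth 1 -maxdepth 1 -type d)
EOF
    echo "$count"
}

# Usage: sh protect_dirs.sh /ftp_accounts
if [ -n "${1:-}" ]; then
    protect_all "$1"
fi
```

The per-directory report is what makes this worth running from cron: a line reading `unprotected` means the marker exists but `rm -rf` would still succeed on that directory, typically because the job did not run as root or the filesystem does not support the attribute.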
3

Take away write permissions for that user using file system access control lists (ACL) - setfacl command.

setfacl -m u:master_virtual_user:r-x virtual_user_*

Daniel t.