<!-- $Id: Umask.html,v 1.3 2004/04/10 18:01:18 castaglia Exp $ -->
<!-- $Source: /cvsroot/proftp/proftpd/doc/howto/Umask.html,v $ -->
<html>
<head>
<title>ProFTPD mini-HOWTO - Umask</title>
</head>
<body bgcolor=white>
<hr>
<center><h2><b><i>Umask</i></b></h2></center>
<hr>
<p>
ProFTPD's <a href="http://www.proftpd.org/docs/directives/linked/config_ref_Umask.html"><code>Umask</code></a> configuration directive is used to set the
file permission bits on newly created files and directories. However, the way
in which <code>Umask</code> is to be used is not entirely straightforward.
<p>
<code>Umask</code> is used to set the value that <code>proftpd</code> will
use when calling <code>umask(2)</code>. The <code>umask(2)</code> function
works something like this: <code><i>mode - umask</i></code>.
(Technically, the operation is <code><i>mode & ~umask</i></code>). Thus, with
a <i>mode</i> of <code>0666</code>, and a <i>umask</i> of <code>0022</code>,
the permissions on the newly created file will be <code>0644</code>
(<i>e.g.</i> <code>rw-r--r--</code>).
<p>
A quick review of permission bits:
<pre>
4 <i>is</i> read permission (<i>r</i>)
2 <i>is</i> write permission (<i>w</i>)
1 <i>is</i> execute permission (<i>x</i>)
</pre>
The first digit of a <i>mode</i> (<code>0750</code>, for example) is used to
specify some special bits (<i>e.g.</i> set-user-ID, set-group-ID, and the
"sticky bit"). The second digit, the <code>7</code> in this
example, specifies the user owner permissions, and is a sum of the above
permission bits: <code>7 = 4 + 2 + 1</code> (<i>e.g.</i> <code>rwx</code>).
Group owner permissions are specified by the third bit, <code>5</code>:
<code>5 = 4 + 1</code> (<i>e.g.</i> <code>r-x</code>). And finally, other
or world permissions are specified using the last bit, which in the
example is <code>0</code> (no permissions, <i>e.g.</i> <code>---</code>).
The full represenation of a <i>mode</i> of <code>0750</code>, as one would
see it in a directory listing, would thus be: <code>rwxr-x---</code>.
<p>
The <code>proftpd</code> daemon always starts with a base <i>mode</i> of
<code>0666</code> when creating files. Note that <code>Umask</code> can only
be used to "take away" permissions granted by the base
<i>mode</i>; it cannot be used to add permissions that are not there. This
means that files uploaded to a <code>proftpd</code> server will never have the
execute permission enabled by default (the base <i>mode</i> is does not have
any execute bits enabled). This is a conscious security design decision. For
directories, the base <i>mode</i> is <code>0777</code>. The <i>umask</i> used
for directories can be configured using the optional second parameter to the
<code>Umask</code> directive; if this second parameter is not used, the
<i>umask</i> used for created directories will default to the same
<i>umask</i> as used for files.
<p>
If it is necessary to make uploaded files executable, the
<code>SITE CHMOD</code> FTP command can be used:
<pre>
SITE CHMOD <i>mode</i> <i>file</i>
</pre>
Use of this command can be restricted using a "command" of
<code>SITE_CHMOD</code> in a <code><Limit></code> section. For
example, this section of a <code>proftpd.conf</code> file:
<pre>
<Limit SITE_CHMOD>
AllowUser ftpadmin
DenyAll
</Limit>
</pre>
will deny everyone except user <code>ftpadmin</code> from being able to
use the <code>SITE CHMOD</code> command to change the permissions on files
via FTP. Note that this construction is recommended instead of using the
deprecated (as of <code>proftpd-1.2.2rc2</code>) <code>AllowChmod</code>
configuration directive.
<p>
<hr>
Last Updated: <i>$Date: 2004/04/10 18:01:18 $</i><br>
<hr>
</body>
</html>
distrib
>
Mandriva
>
2008.1
>
x86_64
>
media
>
main-release
>
by-pkgid
>
976aeacbdb50a0541a053b760df66615
>
files
>
108
