List:       wuftpd-questions
Subject:    RE: restricting mkdir
From:       "James R. Hendrick" <Jim_Hendrick () KEANE-NNE ! com>
Date:       2003-05-13 14:53:58

OK. Here's what I discovered.

The "upload" clause in the ftpaccess file does work, but you need to read the man page *carefully*.

This will prevent uploads for members of the guest class whose home directory is in /home/ftpusers/* to all directories ("*"):

upload class=guest /home/ftpusers/* * no

This would seem to allow uploads for class=guest to their own "uploads" area but disallow "mkdir":

upload class=guest /home/ftpusers/*/ /*/uploads yes nodirs

THIS IS INCORRECT

It will indeed allow uploads, but fail to prevent mkdir...
What is needed I found by looking in the anonymous HOWTO and extrapolating.

THIS WORKS
upload class=guest /home/ftpusers/* /*/uploads yes * * * nodirs

Key points:
specifying "yes" automatically allows mkdir.
to have it parse the "nodirs" *requires* the positional parameters for user, group and mode.
I used "*" here since I want the files owned by the userid of the person doing the upload, and I already handled the mode earlier in the config file.


Note: the original home directory "/home/ftpusers/*/" seems to take place *before* the chroot(), while the second directory "/*/uploads"

Here is my ftpaccess file (sanitized).

Hope this helps.

Jim H.


--------------------------------------------------------------------------------------
# restrict information in the banner
greeting terse
# ensure we don't bother with identd (although we specify "-I" in the inetd.conf)
timeout RFC931 0
# log everything members of the guest class do
log commands guest
log transfers guest
log security guest
log syslog+xferlog
# restrict where users can come from (also defined for the inetd and in the ftphosts file)
class guest     guest   10.0.0.0/8
class real      real    10.0.0.0/8
# define the base of the chroot() for guest class users
guest-root      /home/ftpusers
# and give them a sane umask that allows user and group readability only
defumask 0337 guest
# make all users stay in their home directories by default
restricted-uid  *
# handle exceptions here (root is probably a bad example)
unrestricted-uid        root
# specifically define all members of ftpusers to be guest class
guestgroup      ftpusers
# and then all users by default
guestuser       *
# handle exceptions here (root is probably a bad example)
realuser        root
# prevent guests from doing anything other than upload or download
delete     no   guest               # delete permission?
overwrite  no   guest               # overwrite permission?
rename     no   guest               # rename permission?
chmod      no   guest               # chmod permission?
umask      no   guest               # umask permission?
# by default they cannot retrieve anything 
# (even though we are also careful with user/group/file/directory permissions)
noretrieve relative class=guest *
# but we need to let them retrieve things from where we put them
# (and we also make those directories owned by root and not writeable just in case)
allow-retrieve absolute class=guest /home/ftpusers/*/downloads/*
# again, we specifically deny anything in the root area (the chroot'd root)
upload /home/ftpusers/* /    no
upload /home/ftpusers/* /bin no
upload /home/ftpusers/* /usr no
upload /home/ftpusers/* /etc no
# prevent the guest class from uploading anywhere
upload class=guest /home/ftpusers/* * no
# but allow them to upload to their own home directory
# NOTE: this actually allows them to upload to any guest user's home
# and only file permissions and the "restricted-uid" clause prevent otherwise;
# the truly paranoid could easily replace this with lines for each individual
# user in the guest class
upload class=guest /home/ftpusers/* /*/uploads yes * * * nodirs
--------------------------------------------------------------------------------------




> -----Original Message-----
> From: CHarris@checkfree.com [mailto:CHarris@checkfree.com]
> Sent: Friday, May 09, 2003 4:13 PM
> To: wuftpd-questions@wuftpd.org
> Subject: restricting mkdir
> 
> 
> is it possible to keep guest users from creating or removing 
> directories?
> 
> thanks in advance,
> 
> 
> chris
> 
> 
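A small lint for the positional grammar Jim describes, added here as an example and not part of his post or of wu-ftpd itself: it parses "upload" lines and flags a "nodirs" that cannot take effect because the owner, group and mode slots are missing, as well as a plain "yes" that leaves mkdir allowed. It checks each line's syntax only; it does not model how wu-ftpd matches a path against several upload entries.

```python
import shlex

# Positional grammar of the ftpaccess "upload" directive, as the post
# discovered it and as the wu-ftpd ftpaccess man page lists it:
#   upload [absolute|relative] [class=<name>]... [-] <root-dir> <dirglob>
#          <yes|no> [<owner> <group> <mode> [dirs|nodirs [<d_mode>]]]
# "dirs"/"nodirs" is only honoured in the slot after owner, group and
# mode; placed any earlier it merely fills one of those slots.

def parse_upload(line):
    """Parse one ftpaccess line; return a dict, or None if it is not an upload line."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "upload":
        return None
    args = tokens[1:]
    classes = []
    while args and (args[0] in ("absolute", "relative", "-") or args[0].startswith("class=")):
        tok = args.pop(0)
        if tok.startswith("class="):
            classes.append(tok[len("class="):])
    if len(args) < 3 or args[2] not in ("yes", "no"):
        raise ValueError("expected <root-dir> <dirglob> <yes|no>: " + line)
    allow = args[2] == "yes"
    entry = {"classes": classes, "root": args[0], "glob": args[1],
             "allow": allow, "mkdir": allow, "warnings": []}
    owner_group_mode = args[3:6]               # may hold fewer than three tokens
    flag = args[6] if len(args) > 6 else None  # the only slot read as dirs/nodirs
    if allow and flag == "nodirs":
        entry["mkdir"] = False
    elif allow and any(t in ("dirs", "nodirs") for t in owner_group_mode):
        entry["warnings"].append("dirs/nodirs before owner/group/mode is not a flag; mkdir stays allowed")
    elif allow and flag != "dirs":
        entry["warnings"].append('"yes" without nodirs: mkdir is allowed')
    return entry

def lint_ftpaccess(text):
    """Return [(line number, warning)] for every upload line in an ftpaccess file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_upload(line)
        if entry:
            findings.extend((lineno, w) for w in entry["warnings"])
    return findings

# Constructed sample: the guest-class upload lines from the post.
SAMPLE = """\
upload class=guest /home/ftpusers/* * no
upload class=guest /home/ftpusers/*/ /*/uploads yes nodirs
"""

if __name__ == "__main__":
    for lineno, warning in lint_ftpaccess(SAMPLE):
        print(f"line {lineno}: {warning}")
```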