List: wuftpd-questions
Subject: RE: restricting mkdir
From: "James R. Hendrick" <Jim_Hendrick () KEANE-NNE ! com>
Date: 2003-05-13 14:53:58
OK. Here's what I discovered.
The "upload" clause in the ftpaccess file does work, but you need to read
the man page *carefully*.
This will prevent uploads for members of the guest class whose home
directory is in /home/ftpusers/* to all directories ("*"):
upload class=guest /home/ftpusers/* * no
This would seem to allow uploads for class=guest to their own "uploads" area
but disallow "mkdir":
upload class=guest /home/ftpusers/*/ /*/uploads yes nodirs
THIS IS INCORRECT
It will indeed allow uploads, but fail to prevent mkdir...
I found what is needed by looking in the anonymous HOWTO and extrapolating.
THIS WORKS:
upload class=guest /home/ftpusers/* /*/uploads yes * * * nodirs
Key points:
Specifying "yes" automatically allows mkdir.
To have it parse the "nodirs" *requires* the positional parameters for user,
group and mode.
I used "*" here since I want the files owned by the userid of the person
doing the upload, and I already handled the mode earlier in the config file.
Note: the original home directory: "/home/ftpusers/*/" seems to take place
*before* the chroot()
while the second directory: "/*/uploads"
Here is my ftpaccess file (sanitized).
Hope this helps.
Jim H.
--------------------------------------------------------------------------------------
# restrict information in the banner
greeting terse
# ensure we don't bother with identd (although we specify "-I" in the inetd.conf)
timeout RFC931 0
# log everything members of the guest class do
log commands guest
log transfers guest
log security guest
log syslog+xferlog
# restrict where users can come from (also defined for the inetd and in the ftphosts file)
class guest guest 10.0.0.0/8
class real real 10.0.0.0/8
# define the base of the chroot() for guest class users
guest-root /home/ftpusers
# and give them a sane umask that allows user and group readability only
defumask 0337 guest
# make all users stay in their home directories by default
restricted-uid *
# handle exceptions here (root is probably a bad example)
unrestricted-uid root
# specifically define all members of ftpusers to be guest class
guestgroup ftpusers
# and then all users by default
guestuser *
# handle exceptions here
realuser root # (root is probably a bad example)
# prevent guests from doing anything other than upload or download
delete no guest # delete permission?
overwrite no guest # overwrite permission?
rename no guest # rename permission?
chmod no guest # chmod permission?
umask no guest # umask permission?
# by default they cannot retrieve anything
# (even though we are also careful with user/group/file/directory permissions)
noretrieve relative class=guest *
# but we need to let them retrieve things from where we put them
# (and we also make those directories owned by root and not writeable just in case)
allow-retrieve absolute class=guest /home/ftpusers/*/downloads/*
# again, we specifically deny anything in the root area (the chroot'd root)
upload /home/ftpusers/* / no
upload /home/ftpusers/* /bin no
upload /home/ftpusers/* /usr no
upload /home/ftpusers/* /etc no
# prevent the guest class from uploading anywhere
upload class=guest /home/ftpusers/* * no
# but allow them to upload to their own home directory
# NOTE: this actually allows them to upload to any guest user's home,
# and only file permissions and the "restricted-uid" clause prevent otherwise.
# The truly paranoid could easily replace this with lines for each individual
# user in the guest class.
upload class=guest /home/ftpusers/* /*/uploads yes * * * nodirs
---------------------------------------------------------------------------------
> -----Original Message-----
> From: CHarris@checkfree.com [mailto:CHarris@checkfree.com]
> Sent: Friday, May 09, 2003 4:13 PM
> To: wuftpd-questions@wuftpd.org
> Subject: restricting mkdir
>
>
> is it possible to keep guest users from creating or removing
> directories?
>
> thanks in advance,
>
>
> chris
>
>
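The pitfall Jim describes (a "nodirs" placed right after "yes" is silently read as the owner field, so mkdir stays allowed) is easy to lint for. The following is an added example, not code from the original post or from the wu-ftpd project. It parses ftpaccess "upload" directives using the field order documented in the ftpaccess man page (upload [absolute|relative] [class=<name>]... [-] <root-dir> <dirglob> <yes|no> <owner> <group> <mode> [dirs|nodirs] [<d_mode>]) and flags rules that allow uploads without an explicit "nodirs", or that have the dirs/nodirs keyword in an owner/group/mode slot. The sample ftpaccess fragment, the function names and the finding codes are constructed for this demo.

```python
"""Lint wu-ftpd ftpaccess "upload" directives for the mkdir pitfall.

Added example, not code from the original post or from the wu-ftpd project.
Field order assumed (from the ftpaccess man page):

    upload [absolute|relative] [class=<name>]... [-] <root-dir> <dirglob>
           <yes|no> [<owner> <group> <mode> [dirs|nodirs [<d_mode>]]]

Finding from the post above: "dirs"/"nodirs" is only recognised after owner,
group and mode, and "yes" without an explicit "nodirs" lets users mkdir.
"""
import shlex

# Constructed sample: the broken line from the post, the working one, plus a
# rule that allows directory creation on purpose (explicit "dirs").
SAMPLE_FTPACCESS = """\
# constructed sample ftpaccess fragment
upload class=guest /home/ftpusers/* * no
upload class=guest /home/ftpusers/*/ /*/uploads yes nodirs
upload class=guest /home/ftpusers/* /*/uploads yes * * * nodirs
upload /home/ftpusers/* /pub/incoming yes ftp ftp 0600 dirs 0755
"""

DIR_KEYWORDS = ("dirs", "nodirs")


def parse_upload(line):
    """Split one "upload" directive into named fields.

    Returns None for blank lines, comments and other directives.
    Raises ValueError if <root-dir> <dirglob> <yes|no> are missing.
    """
    toks = shlex.split(line, comments=True)
    if not toks or toks[0].lower() != "upload":
        return None
    i = 1
    path_mode = None
    if i < len(toks) and toks[i].lower() in ("absolute", "relative"):
        path_mode = toks[i].lower()
        i += 1
    classes = []
    while i < len(toks) and toks[i].lower().startswith("class="):
        classes.append(toks[i][len("class="):])
        i += 1
    negate = False
    if i < len(toks) and toks[i] == "-":
        negate = True
        i += 1
    rest = toks[i:]
    if len(rest) < 3:
        raise ValueError("upload needs <root-dir> <dirglob> <yes|no>: %r" % line)
    entry = {
        "path_mode": path_mode, "classes": classes, "negate": negate,
        "root_dir": rest[0], "dirglob": rest[1], "allow": rest[2].lower(),
        "owner": None, "group": None, "mode": None,
        "dirs": None,  # None = keyword not given; "yes" then implies dirs
        "d_mode": None,
        "misplaced_keyword": False,
    }
    extra = rest[3:]
    # dirs/nodirs sitting in an owner/group/mode slot is taken as that field,
    # not as the keyword: this is exactly the "yes nodirs" mistake.
    if any(t.lower() in DIR_KEYWORDS for t in extra[:3]):
        entry["misplaced_keyword"] = True
    if len(extra) >= 3:
        entry["owner"], entry["group"], entry["mode"] = extra[0], extra[1], extra[2]
        if len(extra) >= 4 and extra[3].lower() in DIR_KEYWORDS:
            entry["dirs"] = extra[3].lower()
            if len(extra) >= 5:
                entry["d_mode"] = extra[4]
    return entry


def mkdir_allowed(entry):
    """True if a matching user may create directories under this rule."""
    return entry["allow"] == "yes" and entry["dirs"] != "nodirs"


def lint(text):
    """Return (line_number, code) findings for every upload directive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_upload(line)
        if entry is None:
            continue
        if entry["misplaced_keyword"]:
            findings.append((lineno, "MISPLACED_DIRS_KEYWORD"))
        if entry["allow"] == "yes" and entry["dirs"] is None:
            findings.append((lineno, "MKDIR_ALLOWED_IMPLICIT"))
    return findings


if __name__ == "__main__":
    for lineno, code in lint(SAMPLE_FTPACCESS):
        print("line %d: %s" % (lineno, code))
```

Run it against a real ftpaccess by passing the file contents to lint(); only the "yes nodirs" line in the sample produces findings, while the corrected "yes * * * nodirs" line and the rule with an explicit "dirs" pass. The linter only checks directive syntax; whether a guest can actually write still depends on the filesystem permissions and the restricted-uid handling Jim mentions.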