Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!wuarchive!uwm.edu!spool.mu.edu!news.cs.indiana.edu!cica!ogre!mr From: mr@ogre.cica.indiana.edu (Michael Regoli) Newsgroups: comp.unix.questions Subject: Re: Applying restrictions to anonymous ftp-ers Message-ID: Date: 7 May 91 14:34:39 GMT References: <1991May6.190230.10494@cica.indiana.edu> Sender: news@cica.indiana.edu (News System) Organization: Indiana University Lines: 52 Nntp-Posting-Host: ogre.cica.indiana.edu In <1991May6.190230.10494@cica.indiana.edu> mr@cica.indiana.edu (Michael Regoli) writes: >][ >When logging into many hosts allowing anonymous ftp access, the >message "Guest login ok, access restrictions apply" appears upon a >successful login. However, it remains to be seen what restrictions >are in effect. For example, in a public uploads area (owned by ftp, >mode 777), ftp users can "put" and "get" files, in addition to "dele" >and "append" to files. It is the latter cases that oftentimes >destroys data in a public area. >What measures can be applied via BSD ftpd to restrict access to >certain ftp commands? Thanks to everyone for contacting me. Here's a temporary solution that seems to work: For obvious reasons, I need the directory for "uploads" to be mode 777 so ftp-er's can place files anytime. What works is to chown the uploads directory to "root" and add the sticky bit to mode 777 on the directory. In order to protect the files from being "stomped," chown the files to anything other than root or ftp. (Since ftpd does a chroot, without the sticky bit set, it will delete ANY file, with ANY ownership, that is placed in a directory that is mode 777.) Of course, files that are placed prior to a "chown" are owned by ftp and therefore can be destroyed by anonymous ftp-ers. Not much we can do about it. (Well, of course, we could have cron visit the directory on a regular basis to chown the files, but we don't get *that* far behind in moving files out of the public uploads area.) Anyhow, this entire exercise has been useful in learning the nuances of Unix file permissions and ftp/ftpd. My thanks again to everyone. -- michael regoli mr@cica.indiana.edu regoli@iubacs.bitnet ...rutgers!iuvax!cica!mr -- michael regoli mr@cica.indiana.edu regoli@iubacs.BITNET ..rutgers!iuvax!cica!mr