[NTLUG:Discuss] Don't list files for ftp upload
Jay Cox
sqrtofone at yahoo.com
Tue Dec 11 22:21:18 CST 2001
On Mon, 10 Dec 2001, m m wrote:
> Hi all.
>
> how do I set up the ftp list only folder (and
> spaces has been used) but not list files, when the
> user tries to upload file to the server?
>
> thanks
I have a guess as to what could work.

I suppose you could set up your directories where the user could upload
stuff to be writable but not readable by whatever user ids the ftp server
would use when serving those users. (It would also probably help to set
the sticky bit on those directories.)

I could even show you an example without using ftp of what I mean.
Both users greg and george here have files named "bob" and "zbob".

Example 1: root creates the directory

[root@localhost /root]# mkdir /tmp/blah
[root@localhost /root]# chmod 1733 /tmp/blah/
total 0
[root@localhost /root]# dir -l /tmp/blah/
total 0
[root@localhost /root]# dir -dl /tmp/blah/
drwx-wx-wt 2 root root 1024 Dec 11 21:43 /tmp/blah/
....

Example 2: greg tries to look into directory and copies a file to
directory

[greg@localhost greg]$ dir /tmp/blah/
dir: /tmp/blah/: Permission denied
[greg@localhost greg]$ cp bob /tmp/blah/
[greg@localhost greg]$ dir /tmp/blah/bob
-rw-rw-r-- 1 greg greg 72777 Dec 11 21:44 /tmp/blah/bob
....

Example 3: george tries to copy his bob file to directory, fails, copies
his zbob file to directory, and looks to see what the culprit was in why
he couldn't copy bob to the directory.

[george@localhost george]$ cp zbob bob
[george@localhost george]$ cp bob /tmp/blah/bob
cp: cannot create regular file `/tmp/blah/bob': Permission denied
[george@localhost george]$ cp zbob /tmp/blah/zbob
[george@localhost george]$ dir -l /tmp/blah/zbob
-rw-rw-r-- 1 george george 1969 Dec 11 21:46 /tmp/blah/zbob
[george@localhost george]$ dir -l /tmp/blah/bob
-rw-rw-r-- 1 greg greg 72777 Dec 11 21:44 /tmp/blah/bob
[greg@localhost greg]$ dir /tmp/blah/
dir: /tmp/blah/: Permission denied
....

As you can see though from the third example, if a user can guess the name
of a file that is there, he would be able to see it and stat it. But
only if he guesses.

Also, if greg happens to be in george's group (and greg knew or guessed
that there was a file named zbob that was put in the /tmp/blah directory),
greg could overwrite that file. So it would be good in this scenario to
have all users be in mutually exclusive groups.

But other than those two problems, I think such a solution as I have given
might do (on a temporary basis at least).

Hmmm. However, if you decide to allow http to do uploading it might do you
well to write/find a cgi script that'll let users upload any files to
virtual directories and let the cgi script sort out all those other nasty details
about identical file names (like prepending the username to the true file
name). I personally would vouch for the latter, if you knew what to do or
look for.

Jay Cox
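
An audit of the drop directory layout from the message above, as an added example that is not part of the original post: it checks that the directory is sticky and write-only for group/other (as with mode 1733) and lists uploads that another user could overwrite by knowing the name. The function names are hypothetical, and the script assumes it is run by the directory owner, who can still list the directory.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.
# Usage after sourcing this file:  audit_dropbox /tmp/blah

# is_write_only_dropbox DIR
# Succeeds only if DIR matches the 1733-style layout from the post:
#   - sticky bit set (users cannot delete or rename each other's files)
#   - group and other have write + search (can create and open known names)
#   - group and other lack read (cannot list the directory)
is_write_only_dropbox() {
    [ -d "$1" ] || return 2
    match=$(find "$1" -prune -perm -1033 ! -perm -040 ! -perm -004 -print)
    [ -n "$match" ]
}

# overwritable_uploads DIR
# Prints uploaded files that are group- or other-writable. This is the
# shared-group caveat from the post: a file created with mode 664 can be
# overwritten by a group member who knows or guesses its name.
overwritable_uploads() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# audit_dropbox DIR
# Reports both checks; returns 0 only when the directory mode is correct
# and no upload is writable by group or other.
audit_dropbox() {
    status=0
    if ! is_write_only_dropbox "$1"; then
        echo "FAIL: $1 is not a sticky, write-only directory (expected 1733)"
        status=1
    fi
    bad=$(overwritable_uploads "$1")
    if [ -n "$bad" ]; then
        echo "WARN: files overwritable by group/other:"
        echo "$bad"
        status=1
    fi
    return $status
}
```

Setting the FTP server's upload umask to 077 keeps new files at mode 600, which removes the group-overwrite case the audit warns about.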