*BSD News Article 51713


Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!news.mathworks.com!uunet!in2.uu.net!news1.digital.com!nntp-hub2.barrnet.net!nntp-sc.barrnet.net!hal.COM!darkstar.UCSC.EDU!darkstar.ucsc.edu!hermit
From: hermit@cats.UCSC.EDU (William R. Ward)
Newsgroups: comp.security.firewalls,comp.security.unix,comp.security.misc,comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.unix.admin,comp.admin.policy
Subject: Re: Anon ftp posting procedures?
Date: 20 Sep 1995 23:18:02 GMT
Organization: Computing and Telecommunications Services, UCSC
Lines: 40
Message-ID: <HERMIT.95Sep20161802@ese.UCSC.EDU>
References: <43parm$jjj@news.aaped.com>
NNTP-Posting-Host: ese.ucsc.edu
In-reply-to: kwestby@aaped.com's message of 20 Sep 1995 15:09:42 GMT
Xref: euryale.cc.adfa.oz.au comp.security.unix:16117 comp.security.misc:17911 comp.unix.bsd.bsdi.misc:969 comp.unix.bsd.misc:234 comp.unix.admin:32896 comp.admin.policy:6437

In article <43parm$jjj@news.aaped.com>, kwestby@aaped.com (Kevin Westby) writes:
) I was wondering what procedures/guidelines are used to allow general
) users to place files on an anonymous ftp server (placed outside
) company firewall)?  The incoming directory allows uploads but does
) not allow downloads.  I'd like to be able to allow general users to
) post things directly to the pubs directory but am unsure on the best
) way to do it.

That's a bad idea.  You're going to amass quite a collection of
pirated PC games and XXX-rated GIFs that way.

If there are certain users in particular whom you want to give this
access to, then create accounts for them for FTP only, so they can
write in their respective areas.  But then you have to deal with the
nightmare of administering user accounts on a firewall machine.  If
your FTP server allows you to set up users only in the chroot'ed FTP
area but not in the "real" /etc/passwd that would be preferable.  That
way the only thing someone could gain from hacking that password would
be the privilege to upload files.

Having a write-only incoming directory is generally the best way. You
could write a cron job that scans the directory and moves files to the
pub directory, doing some kind of checks on file size and/or contents
to make sure it's something you want to put there.  Better would be to
check each one by hand, but that's a lot of work.

If you can be more specific about *why* you want this, perhaps someone
can suggest an alternate mechanism altogether which can achieve the
same result.

--Bill.

--
William R Ward     **    hermit@cats.ucsc.edu    **    hermit@bayview.com
Bay View Consulting       /|\    GEEK  GCS d->! s: a-- C++ UL/S++++$
1803 Mission St. #339    / | \   CODE  P+++$>+++++ L++>++++ E++ W>+++$ N++
Santa Cruz CA 95060 USA /__|  \   3.0  !K w>--- !O M-- V-- PS+ PE Y+>++
+1 408/479-4072         |-----/        PGP+>++ t+ !5 !X !R !tv b+>+++ DI++
+1 408/458-8862 pgr  ~~~~~~~~~~~~~     !D G-- e++ h r+++ y+++>**
COPYRIGHT(C) 1995 William Ward.  Not for distribution via Microsoft Network.
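
Added example, not part of William Ward's post: one way the cron job he describes could vet the write-only incoming directory before moving files to pub. The paths, size ceiling, settle time, file-name pattern and magic-byte allowlist are assumptions chosen for illustration.

```python
import os, re, stat, time

MAX_BYTES = 5 * 1024 * 1024               # assumed size ceiling
SETTLE_SECONDS = 600                      # assumed: skip uploads still in progress
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
ALLOWED_MAGIC = (b"%PDF-", b"\x1f\x8b")   # assumed allowlist: PDF and gzip

def vet(path, now=None):
    """Return None if the upload may be published, else the rejection reason."""
    now = time.time() if now is None else now
    if not SAFE_NAME.fullmatch(os.path.basename(path)):
        return "unsafe name"
    try:  # O_NOFOLLOW rejects symlinks; O_NONBLOCK avoids hanging on a FIFO
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return "unreadable or symlink"
    try:
        st = os.fstat(fd)                 # checks apply to the file actually opened
        if not stat.S_ISREG(st.st_mode):
            return "not a regular file"
        if now - st.st_mtime < SETTLE_SECONDS:
            return "modified too recently"
        if not 0 < st.st_size <= MAX_BYTES:
            return "size out of range"
        if not os.read(fd, 8).startswith(ALLOWED_MAGIC):
            return "content type not on allowlist"
    finally:
        os.close(fd)
    return None

def sweep(incoming, pub, now=None):
    """Publish vetted files; return {name: "published" or rejection reason}."""
    report = {}
    for name in sorted(os.listdir(incoming)):
        src, dst = os.path.join(incoming, name), os.path.join(pub, name)
        reason = vet(src, now)
        if reason is None and os.path.lexists(dst):
            reason = "name already published"   # never overwrite pub content
        if reason is None:
            os.rename(src, dst)           # atomic; assumes same filesystem
            os.chmod(dst, 0o444)          # read-only once published
            reason = "published"
        report[name] = reason             # rejects stay in incoming for manual review
    return report

if __name__ == "__main__":
    # Assumed paths; the job needs rights to rename into pub and chmod there.
    for name, outcome in sweep("/home/ftp/incoming", "/home/ftp/pub").items():
        print(name, outcome)
```

Rejected files are left in the incoming directory, which is not downloadable, so they can still be checked by hand.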