Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.kei.com!news.mathworks.com!uunet!in2.uu.net!news1.digital.com!nntp-hub2.barrnet.net!nntp-sc.barrnet.net!hal.COM!darkstar.UCSC.EDU!darkstar.ucsc.edu!hermit
From: hermit@cats.UCSC.EDU (William R. Ward)
Newsgroups: comp.security.firewalls,comp.security.unix,comp.security.misc,comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.unix.admin,comp.admin.policy
Subject: Re: Anon ftp posting procedures?
Date: 20 Sep 1995 23:18:02 GMT
Organization: Computing and Telecommunications Services, UCSC
Lines: 40
Message-ID: <HERMIT.95Sep20161802@ese.UCSC.EDU>
References: <43parm$jjj@news.aaped.com>
NNTP-Posting-Host: ese.ucsc.edu
In-reply-to: kwestby@aaped.com's message of 20 Sep 1995 15:09:42 GMT
Xref: euryale.cc.adfa.oz.au comp.security.unix:16117 comp.security.misc:17911 comp.unix.bsd.bsdi.misc:969 comp.unix.bsd.misc:234 comp.unix.admin:32896 comp.admin.policy:6437

In article <43parm$jjj@news.aaped.com>, kwestby@aaped.com (Kevin Westby) writes:
) I was wondering what procedures/guidelines are used to allow general
) users to place files on an anonymous ftp server (placed outside
) company firewall)? The incoming directory allows uploads but does
) not allow downloads. I'd like to be able to allow general users to
) post things directly to the pubs directory but am unsure on the best
) way to do it.

That's a bad idea. You're going to amass quite a collection of
pirated PC games and XXX-rated GIFs that way.

If there are certain users in particular whom you want to give this
access to, then create accounts for them for FTP only, so they can
write in their respective areas. But then you have to deal with the
nightmare of administering user accounts on a firewall machine. If
your FTP server allows you to set up users only in the chroot'ed FTP
area but not in the "real" /etc/passwd that would be preferable.
That way the only thing someone could gain from hacking that password
would be the privilege to upload files.

Having a write-only incoming directory is generally the best way. You
could write a cron job that scans the directory and moves files to the
pub directory, doing some kind of checks on file size and/or contents
to make sure it's something you want to put there. Better would be to
check each one by hand, but that's a lot of work.

If you can be more specific about *why* you want this, perhaps someone
can suggest an alternate mechanism altogether which can achieve the
same result.

--Bill.
--
William R Ward ** hermit@cats.ucsc.edu ** hermit@bayview.com
Bay View Consulting       /|\       GEEK  GCS d->! s: a-- C++ UL/S++++$
1803 Mission St. #339    / | \      CODE  P+++$>+++++ L++>++++ E++ W>+++$ N++
Santa Cruz CA 95060 USA /__| \      3.0   !K w>--- !O M-- V-- PS+ PE Y+>++
+1 408/479-4072         |-----/           PGP+>++ t+ !5 !X !R !tv b+>+++ DI++
+1 408/458-8862 pgr     ~~~~~~~~~~~~~     !D G-- e++ h r+++ y+++>**
COPYRIGHT(C) 1995 William Ward. Not for distribution via Microsoft Network.
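
The cron job suggested in the post above, sketched as an added example that is not part of the original post. The policy values (text-only uploads, a 1 MiB cap, a 5-minute idle period so in-progress uploads are left alone), the quarantine directory and every path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Policy values are assumptions:
# text-only uploads, 1 MiB cap, files must be idle for 5 minutes.
# Hypothetical cron entry:
#   */10 * * * * /usr/local/sbin/vet-incoming.sh /ftp/incoming /ftp/pub /ftp/quarantine
MAX_BYTES=${MAX_BYTES:-1048576}
MIN_AGE_MIN=${MIN_AGE_MIN:-5}

# vet_file FILE: return 0 if FILE passes policy, else print a reason and return 1.
vet_file() {
    f=$1
    # Regular files only; a symlink could point outside the FTP area.
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file"; return 1; }
    size=$(( $(wc -c < "$f") ))
    [ "$size" -gt 0 ] && [ "$size" -le "$MAX_BYTES" ] || { echo "size $size"; return 1; }
    # Content check: count bytes that are not printable ASCII, tab, LF or CR.
    bad=$(( $(LC_ALL=C tr -d '\11\12\15\40-\176' < "$f" | wc -c) ))
    [ "$bad" -eq 0 ] || { echo "$bad non-text bytes"; return 1; }
}

# promote_uploads INCOMING PUB QUARANTINE
promote_uploads() {
    incoming=$1 pub=$2 quarantine=$3
    for f in "$incoming"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # empty directory
        # Skip files modified recently: the upload may still be in progress.
        [ -n "$(find "$f" -prune -mmin +"$MIN_AGE_MIN")" ] || continue
        name=${f##*/}
        if reason=$(vet_file "$f") && [ ! -e "$pub/$name" ]; then
            # Passed: publish read-only.
            mv -- "$f" "$pub/$name" && chmod 0444 "$pub/$name"
        else
            # Rejected or name collision: hold for manual review, never overwrite pub.
            echo "held $name: ${reason:-name already in pub}" >&2
            mv -- "$f" "$quarantine/$name"
        fi
    done
}

if [ "$#" -eq 3 ]; then promote_uploads "$@"; fi
```

Held files still need the by-hand check the post recommends; the quarantine directory should not be readable by the anonymous FTP user.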