09-21-2007, 11:19 PM
Yil

PSA9: The passwords in ioFTPD users files are sha1 hashes of the password. There is no way to reverse them. With ioFTPD offline, editing the field manually by copying a known password hash is about the only way to recover the master ioFTPD account. That works, I've done it.

It isn't so much that the user ioFTPD can't be banned, but that the addresses like 127.0.0.1 can't be. Thus you can always log in to the server locally using any account that has 127.0.0.1 in its hostmask. Using @localhost isn't always as reliable since sometimes lmhosts / hosts can be set to resolve that to @machinename instead of @localhost.

No idea what the 2 flag meant historically, but 3 for uploading will probably stay the way it is. Perhaps a 4 or 5 could be defined to support limited upload rights instead of full upload rights like you were proposing. If you just want users to be able to download, just don't give them a flag, or do like I do and give them the Z flag, which has no meaning besides a handy way to identify pure download-only accounts. A user without up/down rights at all doesn't make a lot of sense unless it's a look style account. In that case just change the download rule to exclude accounts with another made-up flag instead of using "*"...

Only the M, V, G, F, f, L, A flags have hard-coded meanings. You could for instance change every instance of 1 to Q in the admin file and now site admins would need the Q flag...

All new options like No_SubDir_Sizing are not required to be defined so I can support as much backward compatibility as possible in the config file. Thus I have chosen default values for them that mirror the old behavior where possible, and I comment out the value that would change its behavior. You can of course explicitly set an option to the default (say False instead of True) but since that's the default it doesn't do anything...