10-13-2009, 04:20 PM
Yil

When dealing with an anonymous account or an account/password that are shared/well known (i.e. my FTP server setup for users to upload crashlogs/minidumps where everyone shares an account) the best way to make sure people can't download information sent by someone else is to use .ini file permissions. Look again at the .ini file just a few lines below where you were before and you'll see

Code:
# anybody can download anything...
Download     = /* *

The way the .ini file works is lines are processed top to bottom and the first match for the operation based on the path is used. Thus just add the line you actually suggested "Download = /Upload/* 1VM" above the more generic one and that will restrict users without the 1VM flag from downloading in the /Upload dir but allow them everywhere else... If you've already added the line and it didn't work, make sure you used "site rehash" and that you added the line BEFORE the /* one. The rest of the .ini can just use the default values in the original .ini file or you can customize more like you have done (though I haven't checked your settings here).

Quote:
My problems:
- Anonymous can list the content of /Upload and above all download whatever there is
- Contributor cannot create a dir or upload in the /Products dir (error message is: [1] 550 fze: Permission denied (directory mode).)

The .ini file is not involved in those 2 problems. To restrict entering the /Upload directory you want to change the directory mode (rwx) flags. In particular you can use something like 0770 which is rwxrwx---. The command is "site chmod 770 dirname" and if you are using Flash it has a nice little popup you can use to do this. You only need to change the /Upload directory itself, and not everything recursively under it. Using something like that will only allow the owner or any account that is a member of the group for the directory to access it, but other users such as anon users won't have any ability to enter/list/etc provided they aren't in the same group as the directory...

The /Products error is the reverse problem. The default perms of 0755 only allow the OWNER (probably you or ioFTPD account) to create directories immediately beneath it. While that is a good default setting for the / directory it's not so useful for something like /Products. I'd suggest you "site chmod 755 /" and then change the default to the more liberal 777 mode which allows anyone to do anything anywhere. That may sound bad, BUT they must also pass the action test from the .ini rules. Thus users can't remove stuff unless they match the Remove rule. So just add the Q flag if you want them able to remove stuff, or leave it 1VM if you only want admins to.

I hope that helps a little bit. In general you probably don't need separate .vfs files and can control access through rwx flags and control operations through the .ini.
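The first-match ordering described in the post, modelled as an added example (not code from the post or from ioFTPD): it evaluates rules top to bottom and reports rules that an earlier, broader pattern makes unreachable. Assumptions: fnmatch-style globbing where `*` also spans `/`, a flag field that admits a user holding any one listed flag, deny when nothing matches, and constructed user flag strings (`"3"`, `"1M"`).

```python
from fnmatch import fnmatchcase

# Constructed rule sets in the post's "Operation = path-pattern flags" form.
WRONG_ORDER = """\
# anybody can download anything...
Download     = /* *
Download     = /Upload/* 1VM
"""
RIGHT_ORDER = """\
Download     = /Upload/* 1VM
# anybody can download anything...
Download     = /* *
"""

def parse_rules(text):
    """Return [(operation, pattern, flags)] in file order, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        op, rhs = (part.strip() for part in line.split("=", 1))
        fields = rhs.split()
        if len(fields) == 2:
            rules.append((op, fields[0], fields[1]))
    return rules

def allowed(rules, op, path, user_flags):
    """The first rule matching operation and path decides the outcome."""
    for rule_op, pattern, flags in rules:
        if rule_op == op and fnmatchcase(path, pattern):
            # Assumption: "*" admits everyone, otherwise any one listed flag is enough.
            return flags == "*" or any(f in user_flags for f in flags)
    return False  # Assumption: no matching rule means deny.

def shadowed(rules):
    """Rules that can never fire because an earlier pattern already covers them.
    Heuristic: the earlier glob matches the later pattern's own text."""
    dead = []
    for i, (op, pattern, flags) in enumerate(rules):
        for prev_op, prev_pattern, _ in rules[:i]:
            if prev_op == op and fnmatchcase(pattern, prev_pattern):
                dead.append((op, pattern, flags))
                break
    return dead
```

Running `shadowed()` over a rule set before "site rehash" catches the case where the /Upload line was added below the /* line.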