Re: How do I force an FTP user to '/home/ftpdir'? -- MIDRANGE-L

× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.

Subject: Re: How do I force an FTP user to '/home/ftpdir'?
From: Tom Hightower <tomh5480@xxxxxxxxx>
Date: Tue, 22 Feb 2005 09:57:51 -0600
List-archive: <http://archive.midrange.com/midrange-l>
List-help: <mailto:midrange-l-request@midrange.com?subject=help>
List-id: Midrange Systems Technical Discussion <midrange-l.midrange.com>
List-post: <mailto:midrange-l@midrange.com>
List-subscribe: <http://lists.midrange.com/mailman/listinfo/midrange-l>, <mailto:midrange-l-request@midrange.com?subject=subscribe>
List-unsubscribe: <http://lists.midrange.com/mailman/listinfo/midrange-l>, <mailto:midrange-l-request@midrange.com?subject=unsubscribe>

rob@xxxxxxxxx said the following on 2/21/2005 7:59 AM:

Tom,
Two area's of concern. QIBM_QTMF_SVR_LOGON Will be where you set initial directory. QIBM_QTMF_SERVER_REQ will be where you make sure that they do not go to another directory. Beware of a patch I need to make to my version, (as pointed out on this list). If you lock them down to a directory /ftp/customer123/upload/*, the hack would be /ftp/customer123/upload/../../customer456/upload It was suggested that I actually do the CD and then just check the resultant directory against what directory was intended.

Rob Berendt

I know I should just write something real intelligent, but in the case of '../..' - I just deny the command. I figure they're not likely to enter that in a brower or GUI ftp client, and - if they're writing a script - they can enter each 'cd ..' on a separate line.

But mostly, I wasn't sure how to check to see where I wind up after doing '../..'. Maybe when I have time to experiment...

Tom

As an Amazon Associate we earn from qualifying purchases.

Follow-Ups:

Re: How do I force an FTP user to '/home/ftpdir'? , rob

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.