upload.configuration.howto

wu-ftpd类unix下的ftp服务器,可用于嵌入式系统

But, if you do, there will be unintended consequences.  In the example,
we're trying to restrict upload privileges to just the ftpadmin's home
directory.  Consider, though, this will match all of the following
directories:

/home/users/ftpadmin
/home/users/ftpadmin/mirrors
/home/users/ftpadministration

This last directory isn't wanted.  Instead use:

upload /home/users/ftpadmin /home/users/ftpadmin   yes

to match the ftpadmin's home directory itself, then use:

upload /home/users/ftpadmin /home/users/ftpadmin/* yes

to match all subdirectories under the ftpadmin's home.



umasks for guest and real users
-------------------------------
In most cases you will want to allow guest and real users to control the
permissions on their own files and directories.  As in the examples shown,
if there are no specific permissions given on upload clauses, any new files
or directories created will have all permissions set.  umasks can be used
to reduce these permissions.

The daemon has a command-line option (-u) to set the default umask for all
users.  Follow the -u option with an octal permissions mask.  Bits in this
mask are permissions to turn off whenever the daemon creates a new file or
directory.  The manpage for ftpd documents the -u option.

Often times, the global -u option is not sufficient.  In the ftpaccess
file, you can control umasks by class by using the defumask clause.  If no
class is given, defumask overrides the -u umask from the command line.  If
the current user is a member of the named class, defumask overrides the
umask setting for this user only.

For example, assume there are several classes of users

class admin  real       10.0.0.0/8 127.0.0.0/8
class local  guest      10.0.0.0/8 127.0.0.0/8
class remote guest      *
class anon   anonymous  *

( Notice, by the way, in this example, real users will not be allowed
access unless from the local network since they are not in any class when
coming from an outside IP address.  Since the daemon gives no clue to the
remote user in this case, to outside addresses it will appear as if the
admin users do not exist on the server.  The specific cause for their login
failure will appear in your system logs. )

We can control the umask by class for these users.  For example, we might
say:

defumask 0377
defumask 0177 admin
defumask 0133 local remote

The first clause applies whenever another defumask clause does not match
the current user's class.  This is the same as adding '-u 0377' to the
command line for the FTP daemon.  In this case, the clause applies only to
anonymous users since all other classes have specific default umasks given.

The second turns off execute permissions, as well as group- and world- read
and write permissions, for all files and directories created by real users
(users in the admin class).

The last rule turns off execute permissions and group- and world-write
permissions for files and directories created by guests (in the local and
remote classes).

Remember: umasks apply to ALL files and directories created EXCEPT those
where an upload clause applies AND the upload clause gives specific
permissions.  Disabling execute permissions will cause problems using newly
created directories; leaving them enabled is unsafe because all files
uploaded will have execute permission and could, therefore, be used in
attempts to break into the server.

I recommend disabling all execute permissions and instructing your users to
use the chmod command to add execute permissions to directories or to
change the umask before creating directories.  This may be a bit more work
for your users, but it is safer than having a Trojan Horse program marked
executable just waiting for someone, possibly root, to try running it.



umask and chmod command restrictions
------------------------------------
As just mentioned, users have the ability to change the current umask and
modify the permissions on files and directories.

Obviously, you will want to disable this feature for anonymous users.  You
may also want to control who may use these features for your guest and real
users.  The defaults should be acceptable for most sites.  The default
settings are equivalent to the following (which you may want to add to your
ftpaccess file so you don't forget):

chmod no  anonymous
chmod yes real,guest

umask no  anonymous
umask yes real,guest

If, for example, you wanted to disable these commands for guests accessing
the server from outside the local network, you could add the following:

chmod no  class=remote
umask no  class=remote

Be sure to insert these _before_ the 'yes' clauses.  Order is important;
the daemon will apply the first matching rule it finds.   If you do
something like this, it is probably safer to rewrite the clauses to deny
everything but what you allow.  For example:

chmod yes real,class=local
umask yes real,class=local
chmod no  guest,anonymous
umask no  guest,anonymous



Delete, overwrite, rename restrictions
--------------------------------------
The daemon also provides control over the user's ability to delete, over-
write and rename files.  Again, the defaults are probably acceptable in
most cases.  These are:

delete no  anonymous
delete yes real,guest

rename no  anonymous
rename yes real,guest

overwrite no  anonymous
overwrite yes real,guest

As with the chmod and umask clauses, you can control these by class as
well.  Continuing the above example, restricting these to local users only,
we could instead say:

delete    yes real,class=local
rename    yes real,class=local
overwrite yes real,class=local
delete    no  guest,anonymous
rename    no  guest,anonymous
overwrite no  guest,anonymous



Per-class upload clauses
------------------------
Just as we can restrict the ability to change permissions, delete files,
etc., we can also define upload clauses which apply only to specific
classes of users.  For instance, with the classes from the above examples,
we can revoke upload rights for remote guests.

For example, we can deny all uploads the remote guests except to their
personal tmp directories:

upload class=remote /home/users/* *      no
upload class=remote /home/users/* /*/tmp yes nodirs



Private incoming areas
----------------------
Often times, users would like to have private areas in the FTP site.
Sometimes, it is usefull to also have incoming areas in those private
areas.  Examples of the permissions for private areas can be found in the
layout at ftp://ftp.wu-ftpd.org/pub/wu-ftpd/examples/ and, other than
ownership, are no different than the public incoming area, so I'll simply
present the upload clauses here.

For this example, we'll allow anonymous uploads into all private incoming
areas:

upload /home/ftp            /private/*/incoming          yes * * 0440 nodirs
upload /home/users/ftpadmin /home/ftp/private/*/incoming yes * * 0440 nodirs

The assumption here is Unix shell users have private areas in the anonymous
site.  Those areas are owned by the appropriate user, and incoming files
are to be owned by that user.  The wildcard match on directory allows
anonymous uploading to any private incoming directory.  The wildcard for
owning user and group instructs the daemon to set the file's ownership to
that of the directory receiving it.

Don't forget, if you allow private incoming areas, they are open for
anonymous access and you should take care to ensure a DoS attempt to fill
the file system cannot take out your entire server.  Create a separate
filesystem for the private incoming areas or put them inside the public
incoming area.



Differences from earlier versions
---------------------------------
This HOWTO was written for  version 2.6.0 of the WU-FTPD server.  Earlier
versions used different rules for the upload clause.

Some versions of the daemon required the first parameter to be the name of
the root directory for the chroot.  This allowed upload control by area,
but did not provide for different rules on a per-user basis.

Some versions of the daemon required the first parameter to be lexically
identical to the user's home directory entry.  This was non-obvious and the
'/./' was often forgotten.

Some versions of the daemon got totally confused, attempted to apply both
these methods at once, and ended up ignoring all your upload rules.  If you
were smart, you had your permissions set properly and didn't notice.

Early versions of the VR upgrades, and all earlier versions of the daemon,
allowed file system modification as the default for all users.  The current
version does not allow any modification commands (ie., upload, delete,
rename) by anonymous users unless specifically granted in the ftpaccess
file.

Early versions of the VR upgrades, and all earlier versions of the dameon,
had no method for specifying the permissions for a newly created directory.
Also, they required exact matches for the first parameter (no globbing) and
exact user and group names or numbers for ownership file files and
directories.

-- 

Gregory A Lundberg              WU-FTPD Development Group
1441 Elmdale Drive              lundberg@wu-ftpd.org
Kettering, OH 45409-1615 USA    1-800-809-2195