[Dshield] FTP Site

Sean Graham seangra at yahoo.com
Thu Nov 29 14:15:14 GMT 2001


I disagree.  Quite the contrary actually, I find that the NTFS-style 
permissions give me very easy, quick and powerful control over what 
rights people can have.

With NTFS two of the security permissions are "list folder contents" and 
"read".  There are also "modify", "write", "execute", "traverse folder", 
"list folder", "read attributes", "read extended attributes", "create 
files", "create folders", "write attributes", "write extended attributes", 
"delete", "delete subfolders", "change permissions", "read permissions", 
"take ownership" and "full control".

Just a few more than read/write/execute ;)  I find this ACL system 
infinitely more powerful than the traditional Unix access permissions system.

If you get to the nitty-gritty of things you can have some more permissions 
as well.

So just set the upload folder to "write" and "list folder contents" but not 
"read" and you're all set.

-- Sean

At 07:47 AM 11/29/2001 -0500, you wrote:
>In a message Sean said:
>
> >Date: Wed, 28 Nov 2001 01:19:43 +0100
> >To: dshield at dshield.org
> >From: Sean Graham <seangra at yahoo.com>
> >Subject: Re: [Dshield] (no subject)
> >Reply-To: dshield at dshield.org
> >
> >why do you wish to run an FTP with open access in the first place?
> >
> >Usually I have seen that people just mark the Uploads directory Write-Only,
> >but with list, and that's the only place with write access.  You can upload
> >all you want, and see what you've uploaded, but only users with accounts
> >can download anything that has been uploaded (or they must wait until you
> >move it out of the upload directory).  Wouldn't this be a simpler way to
> >control it?
> >
> >Good solution though.
> >
> >-- Sean
>
>I wanted open (e.g. anonymous) access for the DOWNLOAD for convenience - but
>no download from the UPLOAD.
>
>There are some complications in Windows NT/2000 NTFS permissions that make
>it difficult to allow directory viewing but not file reading (at least I had
>difficulty making that work smoothly with an "inherited" right to "write"
>allowed by IIS5 and a "deny" read set in NTFS security).  I'm certain you're
>right about the settings; it's just that I couldn't find a comfortable
>combination with the complexity of IIS5's security and NTFS permissions
>adding "inheritance" into the mix.  My old brain just froze :>
>
>Perhaps I should trash the "windoze" server and go with a Linux box.
>
>That should get the advice flowing :>
>
>Thanks for the reply.
>
>Paul
>
>
>_______________________________________________
>Dshield mailing list
>Dshield at dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www1.dshield.org/mailman/listinfo/dshield
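
The upload-folder ACL discussed in this thread ("write" and "list folder contents" but not "read"), written out with icacls and checked with Get-Acl. This is an added example, not part of either message. It avoids a Deny ACE entirely: on NTFS "read data" on a file and "list folder" on a directory are the same access bit, so the list right is granted with container-only inheritance and never reaches files. The path and account name are assumptions, and icacls is the current Windows tool rather than anything named in the thread.

```powershell
# Added example. The path and account below are assumptions, not from the thread.
$UploadDir = 'D:\ftproot\upload'        # hypothetical upload directory
$AnonUser  = 'FTPHOST\IUSR_FTPHOST'     # hypothetical anonymous FTP account
$Admins    = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Drop inherited ACEs so a Read grant on the parent cannot leak in, and give
# administrators and SYSTEM explicit full control in the same step.
icacls $UploadDir /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)(F)' 'NT AUTHORITY\SYSTEM:(OI)(CI)(F)'

# "List folder contents": read/execute with container inherit (CI) only.
# It applies to this folder and subfolders; files never inherit it.
icacls $UploadDir /grant "${AnonUser}:(CI)(RX)"

# "Write": create files and folders, write data and attributes. Inherited by
# files (OI) and subfolders (CI). W carries no read-data right.
icacls $UploadDir /grant "${AnonUser}:(OI)(CI)(W)"

# Check the result: no non-admin Allow ACE that files inherit may include
# ReadData, otherwise uploaded files become downloadable.
$readData  = [System.Security.AccessControl.FileSystemRights]::ReadData
$objInherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$leaks = (Get-Acl -LiteralPath $UploadDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -notin $Admins -and
    (($_.InheritanceFlags -band $objInherit) -ne 0) -and
    (($_.FileSystemRights -band $readData) -ne 0)
}

if ($leaks) {
    Write-Warning "Files under $UploadDir are readable by non-admin principals:"
    $leaks | Format-Table IdentityReference, FileSystemRights, InheritanceFlags
} else {
    Write-Output "OK: $UploadDir is list + write only for non-admin principals."
}
```

Run it from an elevated prompt; the final `Get-Acl` check can be rerun on its own after any later permission change to confirm that no file-inherited read grant has crept back in.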

