pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: FTP-client for Windows, safety concerns

On 14 June 2012 23:51, herbert langhans 
<> wrote:
> On Thu, Jun 14, 2012 at 11:38:27PM +0100, Chavdar Ivanov wrote:
>> On 14 June 2012 23:15, Andy Ruhl <> wrote:
>> > On Thu, Jun 14, 2012 at 3:09 PM, herbert langhans
>> > <> wrote:
>> >> Long story, simple question: what relieable(!) FTP-client for Windows
>> >> and Apples should I recommend to my FTP-users? Some full functional
>> >> (think about gftp) gui-programm would be the best. Maybe even something
>> >> easy to install, so I can send them the exe file via e-mail ...
>> >
>> > What is wrong with the web browser?
>> >
>> >
>> Plenty of reasons *not* to use a browser as an ftp client, i.e. no
>> control over active vs. passive mode, difficult or impossible upload
>> etc.
>> I've always installed filezilla on customers' workstations, setting up
>> their account to connect to our ftp server.
>> The 'safety' aspect is bogus; I monitor their accounts to make sure it
>> is not used outside its remit; the passwords are not important - the
>> ftp server (proftpd) has been configured to use 'Defaultroot ~' - i.e.
>> chrooted to users' home directory. sshd_config has
>> 'PasswordAuthentication no' and the ftp server has 'PathDenyFilter
>> ".htaccess|.ftpaccess|authorized_keys"' - which stops them from
>> uploading their own key to let them log on interactively.
> The 'Defaultroot' trick I tried. If I remember correct, you cannot
> access linked files - this is a nasty side effect.

No, that is by design. They can only access files under their tree.

You can always hard-link files in their directories (presumably
read-only for them) though. These of course will be usable (assuming
they are on the same filesystem).

> Otherwise it would be
> great that the users cannot get lost when they hop back some
> directories. According the logfiles its a typical reaction that the
> users log out, restart the client and log in again.

Exactly. They should not be allowed to traverse the whole tree.

BTW this is the behavior in ftp mode; if you run is in sftp, you still
can do it - meaning you could be using a client like filezilla for
both, restricted user access and wider administrative one.

> herb langhans


Home | Main Index | Thread Index | Old Index