Subject: Re: ftpd upload behavior
To: None <itojun@iijlab.net>
From: Luke Mewburn <lukem@wasabisystems.com>
List: tech-userlevel
Date: 01/22/2001 02:08:50
On Sun, Jan 21, 2001 at 11:49:48PM +0900, itojun@iijlab.net wrote:
> >recently i have faced a problem when setting up netbsd ftpd.
> >when i set up an "incoming" directory, users can be given
> >permission to use some commands like STOR to upload files,
> >but this way they are not permitted to use MKD to make
> >subdirectories into the "incoming" directory.
> >
> >users who want to upload something, usually also want to
> >make directories for the stuff they upload - and i think
> >that this is practical and understandable, so i tried to
> >let them create directories somehow. then i realized that
> >i can only do that by allowing the whole "modify" group of
> >commands which leads to DELE and RMD also be allowed -
> >something that is rather undesirable.
> 
> 	sorry if i'm reading between lines...
> 	if you allow commands like mkdir how can you prevent rogue users
> 	from digging tons of files into incoming directory and exchange warez
> 	(license violated software) between anonymous ftp users?
> 	this is the very reason why incoming directory has specific permission,
> 	and umask is set to 0707 for guest's uploads (make the uploaded file
> 	accessible from, say wheel group only).  did you supply any special
> 	code for that?

I'm a bit hesitant to migrate the control of `MKD' from the `modify'
directive to the `upload' directive, given that it potentially opens
up the incoming directory to a more permissive behaviour than before.
On the other hand, the default umask means that any created directory
is effectively not accessible by the ftp user (see below for umask
commentary), so it's probably not that much of a problem.

As the default umask for guests is 0707, new files and directories will
be created with group permissions only.  This is not useful because
directories would not be accessible for uploading.  If a umask of 0407
is used to allow directories to be created for uploading then directories
could be created with the permissions d-wxrwx--- and files with --w-rw----.
A slightly unfortunate side-effect of this would be that a file could be
overridden by other guest users.

There are a few potential work-arounds (extra features to ftpd) to
consider to solve this:

	* Add the ability to specify separate umasks for directory
	  and file creation.  You could then have a directory umask of
	  0407 and a file umask of 0707.

	* Add a `noclobber' directive to ftpd, which prevents files
	  from being APPEnded to or STORed to if they already exist.

	* Allow the ability to enable/disable commands on a
	  per-command basis. You could disable APPE, or allow MKD to
	  be enabled with 'modify guest off'.

I'm considering some or all of these, depending upon feedback.

Luke.
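The umask arithmetic Luke works through above (0707 versus 0407, and the
resulting d-wxrwx--- / --w-rw---- modes), plus a sketch of the `noclobber'
idea from the second bullet, as an added shell example.  This is not code
from the original thread or from NetBSD ftpd; it assumes only the usual
open(2)/mkdir(2) convention that files are requested with mode 0666 and
directories with 0777 before the umask strips bits, and it uses the
shell's own set -C (noclobber) to stand in for an ftpd directive that does
not exist yet.  The temporary files it creates are constructed for the
demonstration.

```shell
#!/bin/sh
# Added example (not ftpd code): what a given ftpd guest umask does to
# newly created files and directories, and a noclobber sketch.

# Mode left after applying a umask to a creation mode.  Both arguments are
# octal strings, e.g. mode_under_umask 0777 0407 -> 0370.
mode_under_umask() {
    printf '%04o' $(( $1 & ~$2 ))
}

# Assumption: files are created with 0666 and directories with 0777
# before the umask is applied (open(2)/mkdir(2) convention).
dir_mode_under_umask()  { mode_under_umask 0777 "$1"; }
file_mode_under_umask() { mode_under_umask 0666 "$1"; }

# Render an octal mode as the nine-character rwx string ls(1) prints.
rwx_string() {
    m=$(( $1 ))
    out=""
    for pos in 6 3 0; do
        bits=$(( (m >> pos) & 7 ))
        [ $(( bits & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( bits & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( bits & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s' "$out"
}

# Sketch of the proposed `noclobber' behaviour: refuse to STOR over an
# existing file.  set -C makes the shell's '>' redirection fail when the
# target already exists, so the copy never starts and the function
# returns non-zero.  $1 = source path, $2 = destination path.
noclobber_store() {
    ( set -C; cat "$1" > "$2" ) 2>/dev/null
}

# Table of the two umasks discussed in the thread (output only, for a
# reader running this by hand).
for um in 0707 0407; do
    d=$(dir_mode_under_umask "$um")
    f=$(file_mode_under_umask "$um")
    printf 'umask %s: dir %s d%s  file %s -%s\n' \
        "$um" "$d" "$(rwx_string "$d")" "$f" "$(rwx_string "$f")"
done
```

Run it and the table shows why 0707 leaves a guest unable to write into a
directory it just made (d---rwx---), while 0407 gives d-wxrwx--- for
directories but also -w-rw---- for files, which is exactly the overwrite
side-effect Luke points out; noclobber_store is the shell-level version of
the fix he proposes for that.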