FTP server totally ignores NTFS permissions.

Discussion in 'OT Technology' started by deusexaethera, Sep 17, 2008.

  1. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    This is bugging the shit out of me. I've got a bunch of folders in ..\ftproot, and a bunch of user accounts for FTP users, and a bunch of Virtual Directory assignments to redirect users to their respective folders. The NTFS authentication works just fine, but the NTFS permissions are being completely ignored; I can log in as "guest" and I pop up in the ..\ftproot\guest folder, but nothing is stopping me from navigating (and opening files in!) ..\ftproot\classified_state_secrets. (I don't really have state secrets on my FTP server, it's just an example.)

    What am I doing wrong? And no, the FTP user accounts are not members of any admin groups, or even any groups that have any blanket access permissions at all.
     
  2. SLED

    SLED build an idiot proof device and someone else will

    Joined:
    Sep 20, 2001
    Messages:
    28,118
    Likes Received:
    0
    Location:
    AZ, like a bauce!
    Sounds like you need chroot functionality? But I'm guessing you're running IIS?
     
  3. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Joined:
    Mar 14, 2000
    Messages:
    14,519
    Likes Received:
    1
    Location:
    Vancouver, BC, CANADA
  4. deusexaethera

    IIS6, yes.

    Thanks for the Google link, 5Gen. I never would've thought of that.
     
  5. 5Gen_Prelude

    It's funny how the simplest things escape people, isn't it?

    I know the problem you're running into and I'm pretty sure it's a permissions issue with the folder and/or how FTP is authenticating.
     
  6. deusexaethera

    Okay, I read through all that, and I created a new FTP site that isolates users, but now nobody can log in at all. Those sites you linked to don't describe how to do what I want to do. I don't want FTP users to be directed to ..\ftproot\<username>\, I want them to be directed to whatever the hell folder I specify in the Virtual Directory setting for that user. My FTP folder structure looks like ..\ftproot\<company division>\<username>, and sometimes there's a <sub division> before <username> as well. This isn't going to work if I can't use a folder structure that doesn't look like a plain list of usernames.

    Is there a way to use an arbitrary folder structure?
     
  7. deusexaethera

    When they have absolutely no idea what they're looking for and they were told to get it done by the end of the day, yeah, sometimes details get overlooked.
     
  8. 5Gen_Prelude

    I don't believe so - not using IIS. You can dump them all to one directory and let NTFS take care of it, but it won't dump them to a specific folder. Or use the AD method described in the lazy admin article.
     
  9. deusexaethera

    I'll double-check the AD approach, but I did have them all dump into one folder at one point, and WS_FTP let me see everything -- even open and edit documents. Not cool.

    Is there another FTP server that does what I want to do?
     
  10. deusexaethera

    Fixed it. I shitcanned IIS and installed FileZilla; it let me set RWMD access permissions for every single folder on the server for every single user in the list. I gots my FTP server all locked down now, even have SSL forced for folders that contain sensitive info.
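
A simplified model of the per-user, per-folder permission scheme described in the post above, added here as an illustration; it is not code from the thread or from FileZilla Server. The `alice` account, the folder layout, and the functions `normalize` and `allowed` are assumptions made for the example.

```python
import posixpath

# Constructed policy: each account gets an arbitrary home folder plus
# per-folder permission letters (R=read, W=write, M=make dir, D=delete).
POLICY = {
    "guest": {"home": "/ftproot/guest",
              "grants": {"/ftproot/guest": "R"}},
    "alice": {"home": "/ftproot/engineering/alice",
              "grants": {"/ftproot/engineering/alice": "RWMD",
                         "/ftproot/engineering/shared": "R"}},
}

def normalize(cwd, requested):
    """Resolve a client-supplied path to one canonical absolute path."""
    # Backslashes count as separators so "..\\x" is handled like "../x".
    joined = posixpath.join(cwd, requested.replace("\\", "/"))
    # normpath folds "." and ".." segments; it can leave a leading "//".
    return "/" + posixpath.normpath(joined).lstrip("/")

def allowed(user, cwd, requested, op):
    """True only if the most specific granted folder covers path and op."""
    entry = POLICY.get(user)
    if entry is None:
        return False                          # unknown account: deny
    path = normalize(cwd, requested).lower()  # Windows paths ignore case
    best = None
    for folder, perms in entry["grants"].items():
        folder = folder.lower()
        # Match whole path components so "/ftproot/guest" does not
        # also cover "/ftproot/guest_archive".
        if path == folder or path.startswith(folder + "/"):
            if best is None or len(folder) > len(best[0]):
                best = (folder, perms)
    # No matching grant means no access; an empty op never matches.
    return best is not None and op in set(best[1])

if __name__ == "__main__":
    home = POLICY["guest"]["home"]
    for req in ("readme.txt", "../classified_state_secrets/plan.txt",
                "..\\classified_state_secrets", "/ftproot/guest_archive/x"):
        print(req, "->", allowed("guest", home, req, "R"))
```

The decision is made on the normalized path, never on the string the client sent, and anything without an explicit grant is denied.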
     
  11. 5Gen_Prelude

    I was going to suggest it but I had absolutely no knowledge of the server product, just used the client.
     
  12. deusexaethera

    Let me put it this way: I got the results I wanted in a couple of hours without knowing anything about the product or reading the manual.

    I have to say I'm impressed; it's not perfect, but it's gotta be one of the best SourceForge products I've ever seen -- it just works.
     
  13. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Figured shitcanning IIS would be the solution. Fuck that piece of shit.
     
  14. deusexaethera

    It seems oddly simplistic for a built-in Windows service. Now, Windows Distributed Filesystems, for example, that works better than any other file-sync product I've tried.
     
  15. 5Gen_Prelude

    I agree - to have it integrated via AD but not actually write a GUI to manage it seems pretty stupid. I suppose in this day and age, FTP is becoming a dying technology.
     
  16. deusexaethera

    I don't think so. How else am I supposed to transfer 100GB of data to a customer? I'm sure as hell not going to do it through a VPN.
     
  17. Limp_Brisket

    Limp_Brisket New Member

    Joined:
    Jan 2, 2006
    Messages:
    48,422
    Likes Received:
    0
    Location:
    Utah
  18. 5Gen_Prelude

    We use Yousendit. FTP can be a real hassle with overly restrictive firewalls.
     
  19. deusexaethera

    SCP? (sigh) Engineers and their fucking acronyms.
     
  20. Peyomp

    scp is ssh copy. It replaced ftp. It is more secures because it uses they cryptography.
     
  21. deusexaethera

    Ahh. I wonder if NMCI doesn't block it like it blocks FTP.
     
