41.6. Denying Access to Files

Sometimes it is useful to restrict the types of files that users can download, especially for untrusted anonymous clients. You can block access to a filename in any directory (like secret.txt), an absolute path (like /etc/passwd) or even a directory and all its contents (like /var/log). The shell wildcard characters * and ? can be used in file and path names as well, which provides extra flexibility. This can be useful if you want to protect files containing secret information, or limit clients to downloading from a certain directory (like /home). There is no way, however, to prevent the listing of directories using this feature: a denied file still appears in directory listings, so clients can learn that it exists even though they cannot download it.

To set up filename download restrictions, follow these steps:

1.
On the main page, click on the Limits and Access Control icon to bring up the form shown in Figure 41.3.

Figure 41.3. The limits and access control form.


2.
Each row in the Deny access to files table defines a single filename restriction. As with other tables in this module, at the bottom of the table is a single blank row for adding a new filename or path and, if this is the first time you have used this feature, a single row is all the table will contain. Otherwise, existing restrictions will be listed, allowing you to edit or delete them.

The fields in each row and their meanings are:

Files to deny A list of relative or absolute filenames or patterns to which to deny access, separated by spaces. The wildcard characters * and ? can be used in either kind of entry, allowing patterns like secret.* or /home/*/public_html. A relative entry (one that does not start with /) matches a file of that name in any directory, whereas an absolute entry matches only that file or directory tree.

Relative to chroot? If Yes is selected, any absolute path entered in the first field is considered to be relative to the anonymous FTP root directory (so /etc/passwd means the copy under the anonymous FTP home, not the real system file). If No is chosen, paths are taken to be relative to the real root directory, which is what you need when the restriction is meant for real UNIX users who are not chrooted.

Deny for classes In this field you must select the checkboxes for the classes to which the restriction applies. See Section 41.5 “Managing User Classes” for more information on how to add classes of your own. This can be useful if you want to block access by anonymous clients to some file while still allowing real UNIX users to download it.

3.
The Allow access to files even if denied table has exactly the same structure as the denial table, but is for entering filenames and paths to which access should be allowed even if they are denied by an entry in the table above. This can be used to deny access to everything (by entering * in a Files to deny row) and then granting back download rights only for files matching a pattern (like *.html, for example). Entries in this table always take precedence over matching entries in the denial table.

4.
Click the Save button at the bottom of the page to save and activate any new file restrictions. If you want to add more than one entry in either table, click on the Limits and Access Control icon again to redisplay the form and fill in the new empty rows that appear.
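The two tables above are a front end for wu-ftpd's own noretrieve and allow-retrieve directives in the ftpaccess file (typically /etc/ftpaccess), which is the file the Webmin module edits. The fragment below is an added example written for this page, not output captured from Webmin; the directive syntax is wu-ftpd's, but the class names anonymous and guest, and the paths and patterns, are assumed for illustration and must match classes you have defined under Section 41.5.

```text
# "Deny access to files" rows.  A bare name matches that name in any
# directory; an absolute path matches only that file or directory tree.
# "relative" = path is taken relative to the anonymous FTP chroot,
# "absolute" = path is taken relative to the real root directory.
noretrieve relative class=anonymous /etc/passwd /etc/group
noretrieve absolute class=anonymous /var/log
noretrieve class=anonymous class=guest secret.* *.key core

# "Allow access to files even if denied" rows: deny everything to
# anonymous clients, then grant back only HTML and README files.
# allow-retrieve entries override noretrieve entries that match the
# same path, whatever order they appear in.
noretrieve relative class=anonymous *
allow-retrieve relative class=anonymous *.html *.htm README
```

Two things to check after saving: log in as an anonymous client and confirm that RETR of a denied name fails while the allowed names still download, and remember that LIST and NLST are not affected, so denied files remain visible in listings.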

There is also a similar feature for restricting the names of files that clients can upload. This can be useful for blocking the creation of hidden files or directories whose names start with a dot, or hard-to-read names containing spaces and control characters. These are often used by sneaky people to hide files on your anonymous FTP server if you allow uploading. Because trusted people may have good reasons for creating such files, you can define restrictions that apply only to anonymous or guest users.

To add and edit upload filename limits, follow these steps:

1.
On the main page of the module, click on the Permissions icon.

2.
In the form that appears, the Disallowed upload filenames table at the bottom lists the filename rules that apply to different types of users. Existing restrictions can be edited by just changing their fields in the table, and a new one created by filling in the final blank row (which will be all the table contains if you haven't used this form before). The columns in the table and the meanings of their fields are:

Allowed characters A single regular expression that every uploaded filename must match. For example, if you entered ^[a-z]+$, only filenames made up entirely of lower-case letters would be allowed. Anchor the expression with ^ and $ as in the example; without the anchors a match anywhere in the name is enough, which makes the restriction far weaker than it looks.

File regexps to deny A space-separated list of regular expressions that uploaded filenames must not match. A good example is ^\. (note the escaped dot), which blocks any name starting with a dot and so prevents clients from creating files that are hidden from normal directory listings. An unescaped ^. matches any non-empty name and would reject every upload.

User types The types of users to which this restriction applies. Often you will want to place stricter limits on anonymous clients than on real or guest users.

Error message file The full path to a file whose contents will be sent to any client that tries to upload a file whose name does not match the allowed expression or does match one of the denied expressions.

3.
As usual, click the Save button at the bottom of the page to activate any new restrictions when you are done.

If more than one restriction is defined for the same type of user, they will all be checked to determine if an uploaded filename is allowed.
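The table described above corresponds to wu-ftpd's path-filter directive in the ftpaccess file. The fragment below is an added example for this page, not output from Webmin; the directive syntax is wu-ftpd's, while the message file path /etc/ftpd/pathmsg and the specific patterns are assumed for illustration. It also shows, beside the working rules, the unescaped-dot mistake that would reject every upload.

```text
# path-filter <user types> <message file> <allowed regexp> <denied regexp>...
# Anonymous uploads: only letters, digits, '-', '_' and '.', non-empty,
# and the name may not start with a dot (hidden file) or a dash
# (which looks like a command-line option to anyone later handling it).
path-filter anonymous /etc/ftpd/pathmsg ^[-A-Za-z0-9_.]+$ ^\. ^-

# Guests get the same character set but are allowed to create dot-files.
path-filter guest     /etc/ftpd/pathmsg ^[-A-Za-z0-9_.]+$ ^-

# WRONG: an unescaped dot matches any character, so this denied pattern
# matches every non-empty name and no anonymous upload would succeed:
#   path-filter anonymous /etc/ftpd/pathmsg ^[-A-Za-z0-9_.]+$ ^.
```

After saving, test from an anonymous session that STOR .hidden and STOR -rf are refused with the contents of the message file, and that STOR report.txt still works; the same filter governs MKD, so a directory named .hidden is refused as well.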
