41.13. Restricting Access to FTP Commands

WU-FTPD can be configured to restrict the FTP commands that certain types and classes of users can use. This is useful for stopping anonymous clients from modifying files, as on most FTP servers they are only allowed to download, not upload, rename, or delete. In fact, this is exactly how WU-FTPD is set up in its usual default configuration.

There are five commands to which you can restrict access, all related to server-side data modification. They are:

chmod: Change the UNIX permissions of a file on the server (chmod in the UNIX FTP client).

delete: Delete a file or directory on the server (del or rmdir in the UNIX FTP client).

rename: Change the name of a file or directory (rename in the FTP client).

overwrite: Upload a file with the same name as one that already exists.

umask: Change the default UNIX permissions for newly created files (umask in the UNIX FTP client).

It is not possible to stop clients from using directory listing or download commands. It is also not possible to use this feature to prevent the upload of files that do not already exist. This can be achieved, however, by setting directory permissions appropriately or blocking all uploaded filenames as explained in Section 41.6 “Denying Access to Files”.

To define which clients can use particular commands, follow these steps:

1. Click on the Permissions icon on the module's main page.

2. On the form that appears, the Command restrictions table lists existing commands and the user types and client classes that are or are not allowed to use them. As usual, you can add a new command using the blank row at the bottom, edit existing entries, or delete the restrictions on a command altogether by selecting the blank option from the Command menu.

3. The FTP server processes this table in order from the top down when a client tries to do something, and uses the selection in the Allow? column for the first entry that matches to decide whether or not it is allowed. This means that the order matters, and if two entries match, the first one in the table will decide what happens.

4. The fields for each row and their meanings are:

Command: You must select the command being restricted from this menu or the blank option to delete the row.

Allow?: This field determines whether or not an attempt to use the command by a client that matches the chosen user types and classes is allowed.

For user types: The restriction will only apply to the types of user selected in this column. See Section 41.5 “Managing User Classes” earlier in the chapter for details on what each means.

For classes: Only the client classes selected in this column will be affected by the restriction.

5. When you are done editing or adding to the table, hit the Save button to activate your changes.

If a client command does not match any entry in the table, it will be allowed by the FTP server (unless blocked by some other filename restriction set elsewhere).
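The first-match and default-allow behaviour described above can be checked offline before saving a table. The following Python sketch is an added example, not code from WU-FTPD or Webmin: it models rows by user type only (client classes are left out as a simplifying assumption), and the table, the function names and the user type names anonymous, guest and real used as sample values are constructed for illustration.

```python
"""Model of the Command restrictions table: first matching row wins, default allow.

Added illustration only; rows are constructed and client classes are omitted,
so matching depends on the command and the user type alone.
"""
from typing import NamedTuple

COMMANDS = {"chmod", "delete", "rename", "overwrite", "umask"}


class Row(NamedTuple):
    command: str
    allow: bool
    types: frozenset  # user types selected in "For user types"


def is_allowed(table, command, user_type):
    """Return the Allow? value of the first matching row, or True if none match."""
    for row in table:
        if row.command == command and user_type in row.types:
            return row.allow
    return True  # a command that matches no row is allowed


def shadowed_rows(table):
    """Indexes of rows whose user types are all matched by earlier rows."""
    seen = {}  # command -> user types covered by rows above
    dead = []
    for i, row in enumerate(table):
        covered = seen.setdefault(row.command, set())
        if row.types <= covered:
            dead.append(i)  # this row can never decide anything
        covered |= row.types
    return dead


def unrestricted(table, user_type):
    """Commands that fall through to the default allow for this user type."""
    return sorted(c for c in COMMANDS
                  if not any(r.command == c and user_type in r.types
                             for r in table))


# Constructed table: row 1 is meant to block anonymous deletes, but it sits
# below a broader allow row and therefore never takes effect.
TABLE = [
    Row("delete", True, frozenset({"anonymous", "guest", "real"})),
    Row("delete", False, frozenset({"anonymous"})),
    Row("overwrite", False, frozenset({"anonymous", "guest"})),
    Row("chmod", False, frozenset({"anonymous"})),
]
```

Moving the anonymous deny row above the broad allow row makes it effective, and `unrestricted(TABLE, "anonymous")` lists the commands that still need a row if anonymous clients are to be denied them.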
