[gollem] FTP directory perms

Lars Anderson lsa@business.auc.dk
Tue, 5 Mar 2002 18:42:30 +0100


On Tue, Mar 05, 2002 at 12:33:24, Rich West wrote:

> I've tinkered with gollem in the past and I really like the idea behind 
> it.  The only reason I have not deployed it is because of the general 
> security problems with FTP.
> 
> I have noticed that gollem, and I am guessing this is an artifact of PHP 
> --with-ftp compiled in, allows all users to browse the entire system (if 
> the ftp server is the same as the web server).  I mean, if you change 
> the "dir" variable within the URL, you can get anywhere on the system 
> (kinda scary), and this bypasses the normal FTP 'root-jail' setups for 
> accounts.

Use an ftp server that can jail the user; we use proFTPd.

> 
> Is there a way to configure it to observe the FTP server permissions 
> even if the FTP server resides on the same host as the web server for 
> the Horde system?
> 

Huh? It does; gollem is "just" an ftp client.

Regards
Lars
-- 
Lars Anderson                      mailto:lsa@business.auc.dk
Department of Business Studies     http://www.business.auc.dk/~lsa/ 
Aalborg University                 Voice: +45 96358225, Fax: +45 98153505
Denmark                            Office: Fib4-117

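The jailing Lars describes, as an added example that is not from this thread or from the Gollem or ProFTPD projects: a proftpd.conf fragment showing the unjailed default (the condition Rich observed) next to a per-user chroot. It assumes ProFTPD's `DefaultRoot` directive; the group name `ftpadmin` is a placeholder.

```apacheconf
# Added example, not part of the original thread.
# Without DefaultRoot a logged-in user may CWD anywhere the Unix
# permissions allow, so a web client that passes an arbitrary "dir"
# value to the FTP server can walk the whole filesystem.

ServerName    "Horde file server"
DefaultServer on

# Weak: the default. Leaving this out (or commenting it out) means
# no jail at all; the session starts in $HOME but is free to leave it.
#DefaultRoot  /

# Hardened: chroot every session to the user's home directory.
# "!ftpadmin" is a placeholder group whose members are exempted.
DefaultRoot   ~ !ftpadmin

# Belt and braces: refuse root and accounts without a valid shell,
# since a web client will happily present whatever login it is given.
RootLogin         off
RequireValidShell on
```

`proftpd -t -c /etc/proftpd.conf` checks the file for syntax errors before a restart; after that, log in with a jailed account and confirm that `pwd` reports `/` and that `cd /etc` is refused.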

Re: [gollem] FTP directory perms

Chuck Hagenbuch chuck@horde.org
Tue, 5 Mar 2002 13:02:49 -0500


Quoting Rich West <Rich.West@divatv.com>:

> I have noticed that gollem, and I am guessing this is an artifact of PHP 
> --with-ftp compiled in, allows all users to browse the entire system (if 
> the ftp server is the same as the web server).  I mean, if you change 
> the "dir" variable within the URL, you can get anywhere on the system 
> (kinda scary), and this bypasses the normal FTP 'root-jail' setups for 
> accounts.

No. This is what your FTP server allows.

> Is there a way to configure it to observe the FTP server permissions 
> even if the FTP server resides on the same host as the web server for 
> the Horde system?

There is no way for it _not_ to. It is connecting to your FTP server and 
reading what your FTP server allows it to read.

-chuck

--
Charles Hagenbuch, <chuck@horde.org>
"A dream which helps you to live your reality with dignity
 and justice is a good dream." - Tariq Ramadan