From: TJ S. <cas...@us...> - 2010-01-05 17:03:15
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory sfp-cvsdas-2.v30.ch3.sourceforge.com:/tmp/cvs-serv31591 Modified Files: Limit.html Log Message: Updating website copy of Limit howto. Index: Limit.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/Limit.html,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -r1.1 -r1.2 *** Limit.html 17 Aug 2007 00:11:26 -0000 1.1 --- Limit.html 5 Jan 2010 17:03:05 -0000 1.2 *************** *** 42,46 **** <p> <li>DIRS<br> ! <i>Covering</i>: CDUP, CWD, LIST, MDTM, NLST, PWD, RNFR, STAT, XCUP, XCWD, XPWD <p> --- 42,46 ---- <p> <li>DIRS<br> ! <i>Covering</i>: CDUP, CWD, LIST, MDTM, MLSD, MLST, NLST, PWD, RNFR, STAT, XCUP, XCWD, XPWD <p> *************** *** 96,100 **** <p> ! <b>Using <code>AllowUser</code></b><br> There is a catch to using the <code>AllowUser</code> configuration directive that causes confusion, primarily when a single <code>AllowUser</code> --- 96,100 ---- <p> ! <b>Using <code>AllowUser</code> and <code>DenyUser</code></b><br> There is a catch to using the <code>AllowUser</code> configuration directive that causes confusion, primarily when a single <code>AllowUser</code> *************** *** 122,125 **** --- 122,136 ---- AllowUser wendy </pre> + All of this applies to the <code>DenyUser</code> directive as well. + + <p> + Another important item to keep in mind is that the names used in + <code><Limit></code> sections, <i>e.g.</i> using <code>AllowUser</code>, + <code>DenyUser</code>, <code>AllowGroup</code>, and <code>DenyGroup</code>, + are <b>not</b> resolved to an ID and then applied; the limits are applied + only to the names. Why is this important? Consider the case where the site + is using virtual users, where two different user names are assigned the + same UID. Different limits can be applied to each name separately. Do not + assume that the limits are applied to the underlying IDs. 
<p> *************** *** 139,143 **** though it does not match Apache's interpretation. ! <p><a name="examples"></a> <b>Examples</b><br> Here are examples to help illustrate the use of <code><Limit></code>. --- 150,154 ---- though it does not match Apache's interpretation. ! <p><a name="Examples"></a> <b>Examples</b><br> Here are examples to help illustrate the use of <code><Limit></code>. *************** *** 176,180 **** <pre> <Directory /path/to/dir> ! <Limit LIST NLST> DenyAll </Limit> --- 187,191 ---- <pre> <Directory /path/to/dir> ! <Limit LIST NLST MLSD MLST> DenyAll </Limit> *************** *** 182,188 **** </pre> That's it. By default, all commands are allowed in a directory. By blocking ! the two FTP commands used to list a directory's contents (<i>i.e.</i> ! <code>LIST</code> and <code>NLST</code>), we have effectively blocked the ! client from seeing anything in the directory. <p> --- 193,199 ---- </pre> That's it. By default, all commands are allowed in a directory. By blocking ! the FTP commands used to list a directory's contents (<i>i.e.</i> ! <code>LIST</code>, <code>MLSD</code>, <code>MLST</code>, and <code>NLST</code>), ! we have effectively blocked the client from seeing anything in the directory. <p> *************** *** 296,300 **** you can use the following to block active transfers: <pre> ! <Limit PORT> DenyAll </Limit> --- 307,311 ---- you can use the following to block active transfers: <pre> ! <Limit EPRT PORT> DenyAll </Limit> *************** *** 302,306 **** Or, conversely, to block passive data transfers: <pre> ! <Limit PASV> DenyAll </Limit> --- 313,317 ---- Or, conversely, to block passive data transfers: <pre> ! <Limit EPSV PASV> DenyAll </Limit> *************** *** 308,311 **** --- 319,362 ---- <p> + Another common question is: "How can I create a read-only account using + <code><Limit></code> sections"? 
Here's how: + <pre> + # Assumes that the user is chrooted into their home directory + <Directory ~<i>user</i>> + <Limit CWD PWD DIRS READ> + AllowUser <i>user</i> + </Limit> + + <Limit ALL> + DenyUser <i>user</i> + </Limit> + </Directory> + </pre> + + <p> + What if you want to prevent a certain directory from being deleted, but + you <i>do</i> want to allow sub-directories in that directory to be deletable? + Using two <code><Directory></code> sections with + <code><Limit></code> sections, you can do this, <i>e.g.</i>: + <pre> + <Directory /path/to/dir> + <Limit RMD XRMD> + DenyAll + </Limit> + </Directory> + + <Directory /path/to/dir/*> + <Limit RMD XRMD> + AllowAll + </Limit< + >/Directory> + </pre> + Note the trailing "/*" suffix in the second <code><Directory></code> + section; this means that the second <code><Directory></code> section + configuration applies to the sub-directories, but <i>not</i> to the parent + directory itself (which is covered by the first <code><Directory></code> + section). + + <p> <hr> Last Updated: <i>$Date$</i><br> |
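
Review bot: In the final hunk (new lines 319-362), the second "<Directory /path/to/dir/*>" example closes with "</Limit<" followed by ">/Directory>"; the angle brackets are swapped across the line break, so the example is not valid configuration when copied from the page. The two closing lines should read "</Limit>" and "</Directory>". In the read-only example of the same hunk, "<Limit CWD PWD DIRS READ>" names CWD and PWD even though the DIRS list in the first hunk already covers both, so "<Limit DIRS READ>" would say the same thing with less room for confusion.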
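
Review bot: The hunk at 139,143 changes the anchor from name="examples" to name="Examples", and fragment matching is case-sensitive, so any link still pointing at "#examples" stops resolving after this change. Please confirm that every link to this section, in this file and in the other howtos, uses the new capitalisation, or keep the old anchor alongside the new one.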
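
Review bot: In the hunk at 122,125 the added paragraph says names are not resolved to IDs, but it only spells out the permissive reading ("Different limits can be applied to each name separately"). It is worth stating the restrictive consequence as well: a DenyUser or DenyGroup entry for one name does not cover another name that maps to the same ID, so each such name needs its own entry. Also note that the heading changed in the hunk at 96,100 now mentions DenyUser while the sentence right after it still speaks only of "the AllowUser configuration directive"; rewording that sentence to name both would match the new heading.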