Pure-ftpd overwrite protection does not work if resume is used
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
pure-ftpd (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Hi,
It seems that there is a bug about the overwrite protection.
Server is :
Distributor ID: Ubuntu
Description: Ubuntu 12.04.4 LTS
Release: 12.04
Codename: precise
Pure-Ftpd installed is :
rc pure-ftpd 1.0.35-1 Secure and efficient FTP server
ii pure-ftpd-common 1.0.35-1 Pure-FTPd FTP server (Common Files)
ii pure-ftpd-ldap 1.0.35-1 Secure and efficient FTP server with LDAP user authentication
Options are :
AltLog clf:/var/
AnonymousCantUpload yes
AntiWarez yes
AutoRename yes
CreateHomeDir yes
Daemonize yes
DisplayDotFiles no
DontResolve yes
FortunesFile /etc/pure-
FSCharset UTF-8
IPV4Only yes
KeepAllFiles yes
LDAPConfigFile /etc/pure-
MinUID 1000
NoAnonymous no
NoChmod yes
NoRename yes
PAMAuthentication no
PassivePortRange 1 000 010 600
ProhibitDotFile
ProhibitDotFile
PureDB /etc/pure-
TLS 3
Umask 337 337
UnixAuthentication no
VerboseLog yes
Virtual users are chrooted :
test1:$
Its system account is :
vi /etc/passwd
ftptest1:
Client is using :
Filezilla 3.7.3 within Windows 7.
PROBLEM
For our business with partners, we have to protect uploaded data because no modifications must be made to binaries once released.
So deleting is not permitted, and neither is rewriting, in order to protect the original data. Rights are also modified once uploaded (see umask 337 337)…
All works fine until the following :
If you upload the same file again (account test1) and choose « resume » within Filezilla, you first get a critical error BUT the file is deleted.
Then you’re able to upload a file with the same name, and we are at fault regarding the protection of the original uploaded data…
Let me know if you need more details…
On 02/04/2014 02:07 PM, Nicolas Le Bihan wrote:
> Public bug reported:
>
> Hi,
>
> It seems that there is a bug about the overwrite protection.
>
> Server is :
> Distributor ID: Ubuntu
> Description: Ubuntu 12.04.4 LTS
> Release: 12.04
> Codename: precise
>
>
> Pure-Ftpd installed is :
> rc pure-ftpd 1.0.35-1 Secure and efficient FTP server
> ii pure-ftpd-common 1.0.35-1 Pure-FTPd FTP server (Common Files)
> ii pure-ftpd-ldap 1.0.35-1 Secure and efficient FTP server with LDAP user authentication
>
>
> Options are :
> AltLog clf:/var/
> AnonymousCantUpload yes
> AntiWarez yes
> AutoRename yes
> CreateHomeDir yes
> Daemonize yes
> DisplayDotFiles no
> DontResolve yes
> FortunesFile /etc/pure-
> FSCharset UTF-8
> IPV4Only yes
> KeepAllFiles yes
> LDAPConfigFile /etc/pure-
> MinUID 1000
> NoAnonymous no
> NoChmod yes
> NoRename yes
> PAMAuthentication no
> PassivePortRange 1 000 010 600
> ProhibitDotFile
> ProhibitDotFile
> PureDB /etc/pure-
> TLS 3
> Umask 337 337
> UnixAuthentication no
> VerboseLog yes
>
>
> Virtual users are chrooted :
> test1:$
> Its system account is :
> vi /etc/passwd
> ftptest1:
>
>
> Client is using :
> Filezilla 3.7.3 within Windows 7.
>
>
> PROBLEM
>
> For our business with partners, we have to protect uploaded data because no modifications must be made to binaries once released.
> So deleting is not permitted, and neither is rewriting, in order to protect the original data. Rights are also modified once uploaded (see umask 337 337)…
Deletion is an operation which affects the directory, thus the file permissions don't matter.
Maybe you need file system ACLs in your use case.
Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
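The point made in the reply above, that deleting a file is governed by write permission on its directory and not by the file's own mode, shown as an added example (not part of the original report and not Pure-FTPd code). The `upload` directory and `release.bin` are constructed names; the mode is the one a file receives under `Umask 337 337`, and the permission failures assume a non-root user on a POSIX filesystem, since root bypasses these checks.

```python
import os
import tempfile

# File mode produced by "Umask 337 337" for an upload: 0666 & ~0337 = 0440
UPLOAD_MODE = 0o666 & ~0o337

def is_privileged():
    """Root normally bypasses the permission checks demonstrated here."""
    return os.geteuid() == 0

def try_overwrite(path):
    """Attempt to rewrite the file in place; False on a permission error."""
    try:
        with open(path, "wb") as fh:
            fh.write(b"tampered")
        return True
    except PermissionError:
        return False

def try_unlink(path):
    """Attempt to delete the file; False on a permission error."""
    try:
        os.unlink(path)
        return True
    except PermissionError:
        return False

def run_demo():
    results = {}
    with tempfile.TemporaryDirectory() as top:
        updir = os.path.join(top, "upload")      # constructed stand-in for the FTP home
        os.mkdir(updir)
        os.chmod(updir, 0o700)                   # owner may modify directory entries
        target = os.path.join(updir, "release.bin")

        def upload():
            with open(target, "wb") as fh:
                fh.write(b"original")
            os.chmod(target, UPLOAD_MODE)        # read-only, as after the FTP upload

        upload()
        results["overwrite_in_place"] = try_overwrite(target)   # blocked by file mode
        results["unlink_dir_writable"] = try_unlink(target)     # allowed by directory mode
        upload()                                 # same name can now be re-created
        os.chmod(updir, 0o500)                   # remove write permission on the directory
        results["unlink_dir_readonly"] = try_unlink(target)     # now blocked
        os.chmod(updir, 0o700)                   # restore so the temp dir can be cleaned up
    return results

if __name__ == "__main__":
    print(run_demo())
```
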