fabre@inspirationmatters.com
11-02-2005, 03:17 PM
Talk about a pure nightmare...
On my 2003 Server I have an IIS FTP site with user level isolation.
In each user directory, there is a Download directory that I want to
have read-only, and an Upload directory that should basically be
write-only (ie. the ability to write, overwrite and delete files and
subfolders, to list the content of the folder and each subfolder, but
no ability to read/copy the files - I simply want to avoid the users
using my FTP site as a remote hard drive).
I put all the users with such an FTP directory in a group called
FTPUsers.
At the root of the FTP site, I specified that FTPUsers have read-only
permissions over the entire thing, and copied these permissions to all
child objects.
Now, after testing that indeed all users only had read permissions on
any file, I thought I could just then browse to each Upload directory
and change the permissions there.
I removed the inheritance, copied all previously inherited permissions,
removed all permissions to the CREATOR OWNER and modified the ones for
FTPUsers in the following way:
Deny (Files only): Execute Files + Read Data + Change Permissions +
Take Ownership
Allow (Folder and subfolders): Traverse Folder + List Folders + Create
Files + Create Folders + Delete Subfolders and Files + Delete
Allow (Files only): Write Data + Append Data + Delete Subfolders and
Files + Delete
I also made sure that the users in FTPUsers where not in any other
group that has permissions for the Upload directory.
Now, when I login onto the FTP site with the credentials of one of the
users members of FTPUsers, I can indeed write files to the Upload
directory and am denied the right to read them.
However, I still can't overwrite the files or delete them. What sort of
unintuitive setting have I forgotten to set?
Many Thanks,
Fabre Lambeau
Inspiration Matters Ltd
On my 2003 Server I have an IIS FTP site with user level isolation.
In each user directory, there is a Download directory that I want to
have read-only, and an Upload directory that should basically be
write-only (ie. the ability to write, overwrite and delete files and
subfolders, to list the content of the folder and each subfolder, but
no ability to read/copy the files - I simply want to avoid the users
using my FTP site as a remote hard drive).
I put all the users with such an FTP directory in a group called
FTPUsers.
At the root of the FTP site, I specified that FTPUsers have read-only
permissions over the entire thing, and copied these permissions to all
child objects.
Now, after testing that indeed all users only had read permissions on
any file, I thought I could just then browse to each Upload directory
and change the permissions there.
I removed the inheritance, copied all previously inherited permissions,
removed all permissions to the CREATOR OWNER and modified the ones for
FTPUsers in the following way:
Deny (Files only): Execute Files + Read Data + Change Permissions +
Take Ownership
Allow (Folder and subfolders): Traverse Folder + List Folders + Create
Files + Create Folders + Delete Subfolders and Files + Delete
Allow (Files only): Write Data + Append Data + Delete Subfolders and
Files + Delete
I also made sure that the users in FTPUsers where not in any other
group that has permissions for the Upload directory.
Now, when I login onto the FTP site with the credentials of one of the
users members of FTPUsers, I can indeed write files to the Upload
directory and am denied the right to read them.
However, I still can't overwrite the files or delete them. What sort of
unintuitive setting have I forgotten to set?
Many Thanks,
Fabre Lambeau
Inspiration Matters Ltd