Opened 15 years ago

Last modified 6 years ago

#2204 closed Feature request

Make FileZilla play nice within limited access rights in NT?

Reported by: s_lonewolf Owned by:
Priority: normal Component: Other
Keywords: Cc: s_lonewolf, imessvb, Eirik, Tim Kosse
Component version: Operating system type:
Operating system version:

Description

Is there any way to make the FileZilla service under NT
live happily within the confines of restrictive access?

IOW, can FileZilla only have Read ( (RX) (RX) ) access

to the whole system, except where needed (log files,
directories in which ftp users will be uploading, etc.)?

NO FTP server for Windows is capable of this yet, and I
have no idea why. Though the most secure solution
would be to make sure that a program doesn't even have
Read or eXecute permissions on files it shouldn't be
touching, it'd be a step in the right direction to know
that even if there's a security hole in the server down
the road, people wouldn't be able to do much except
peek at operating system files. (Instead of being able
to bring the whole system to a screaching CRASH because
the program had the access to overwrite critical system
files.)

For reference:

I change permissions across the board on NT systems to
in an effort to create a more secure environment. Gone
is Everybody (only Microsoft would give everybody
permission to a system) and Creator/Owner (except for
below). The default for me is to give Administrators
and SYSTEM Full Control (RXWDPO), Power Users Change
(RXWD) and Users Read (RX) from C:\ on down. The only
exceptions are for C:\WinNT\Profiles (NT4) or
C:\Documents and Settings (2K/XP), where I modify
rights according to the user so that each user has
their own little space (or have a virii/worms/etc)
screw things up. Creator/Owner gets full control for
the All Users directory, only so that people can manage
their own files as they wish while making sure people
keep their hands off of other people's files. I'll use
Apache as prime example, only because it's the only
program I know of (extra emphasis on "I know of") that
can live within these confines. Heck, I don't even let
Apache have write access to DocumentRoot, only to stop
the PHP worms in their tracks!

If FileZilla could pull this off, it could have a HUGE
advantage over every other FTP server product out there
-- commercial, freeware, open-source -- bar none!

Change History (3)

comment:1 Changed 15 years ago by imessvb

I guess I have a related issue:

Preference settings are saved in the program directory,
rather than user's home directory. This limited "Limited
Users" (yeah, yeah) to set their non-critical preferences.

comment:2 Changed 15 years ago by Eirik

Answer to imessvb: Reinstall filezilla and go for saving the
settings in the registry.

This is not a support request, moving to feature request
tracker.

comment:3 Changed 15 years ago by Tim Kosse

FileZilla Server should be able to run with limited access
rights, you can assign any user account on the service
dialog in the management console of Windows (XP at least,
not sure about 2K or NT).
Though each time you update/reinstall FileZilla Server you
have to reassign the account.

FileZilla Server just needs read and execute access inside
its own directory, and write access to FileZilla Server.xml

Note: See TracTickets for help on using tickets.