FTP ?

G

Guest

While setting up an FTP site using IIS 5 i have created folders under the ftp
root\localusers\vendors and also created accounts on the server locally and
assigned each folder the correct permissions for each user. i have also
selected on the user profile the path for the folder that user should access
so when the user logs in using an ftp client the user should only go to that
folder and nowhere else.this works for some of the users and folders but not
all. some users are able to see the listing of the folders (which we do not
want) and some users can only go to their respected folders (which we do
want) has anybody else ran into this situation? if so what is the fix? all
folders are setup the same way as far as security goes so there does not
appear to be a configuration issue in the regard
 
R

Roger Abell [MVP]

You should reexamine the permissions on the different per-user
folders, and the parent folder of these, and also examine the groups
the accounts have membership within.
I am believing you will find differences between the accounts that
cannot cd out of their ftp accessed folder and those that can.
In general, that capability is totally under control of the NTFS
permissions on the storage that is made a vdir in FTP.
 
K

Karl Levinson, mvp

Steven said:
While setting up an FTP site using IIS 5 i have created folders under the ftp
root\localusers\vendors and also created accounts on the server locally and
assigned each folder the correct permissions for each user. i have also
selected on the user profile the path for the folder that user should access
so when the user logs in using an ftp client the user should only go to that
folder and nowhere else.this works for some of the users and folders but not
all. some users are able to see the listing of the folders (which we do not
want) and some users can only go to their respected folders (which we do
want) has anybody else ran into this situation? if so what is the fix? all
folders are setup the same way as far as security goes so there does not
appear to be a configuration issue in the regard

There are two methods mentioned in the first article below:

http://support.microsoft.com/?kbid=245048

http://www.securityadmin.info/faq.asp#ftpusers

I have to think the permissions must be incorrect or different than you
think. It could be remotely possible that the permissions ACL on the
folders could be corrupt and need to be reset.
 
C

Charlie Tame

Karl, I have not followed this thread because I am hardly an expert but I
find the permissions in NTFS a little - er- ambiguous.

On occasion I have found it necessary to remove inherited permissions and
then start over, although at first look all appears as you would want it. It
is as if allowing inheritance adds new permissions but does not always
remove those "Unselected" as it were, but perhaps this was simply me doing
it wrong :)

Charlie
 
R

Roger Abell [MVP]

Windows 2000 can have "issues" when in the ACL editor one
reduces such as a grant of Full to only some part of the grant.
If you open the Advanced view you can at times see that there
are multiple ACEs, some of which have permissions beyond
what you thought you had left of the initial greater (like Full)
grant, for example the permission to change permissions.
 
C

Charlie Tame

Hehe why thanks Roger, if I understand you correctly that would be what I
thought I was seeing.

I also think some of the wording is kinda "Well, I knew what I meant" and
until one gets used to making changes there are "Implications" that don't
always pan out :)

Charlie
 
R

Roger Abell [MVP]

Advance button in the NTFS permission editor can by your
friend once you become accustomed to seeing how the generic
grants (that show outside of the advanced view) appear in the
advanced view so that you can recognize what else is there
that only, at best, shows in the generic, non-advanced view
as a single "Special" checkmark.
 
C

Charlie Tame

Well thanks to both, I have always found that to be the best way to figure
out who could do or see what, but wasn't sure if my "Observations" had been
correct or whether it was just me misinterpreting things :)

Course when it's not something you do all the time I guess things drift out
of memory.

Good luck in 2006 anyway.

Charlie
 
R

Roger Abell [MVP]

No problem Charlie.
The "issue" that I mentioned about reducing a Full grant to
a lesser grant using the generic view is, AFAIK, a W2k only
issue, but it can lead to some bad mistakes in ACLing.
 
R

Roger Abell [MVP]

Yep - and the xcacls.vbs is more flexible and complete than
the xcacls.exe - plus it make a full set of examples for scripters.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top