| Groups | Blog | Home |
iis ftp : hierarchical permissions?
-- Stand-Alone Windows Server 2003 Web Edition with one IP -- web admin needs change permissions on entire website directory -- less-privileged user needs read permissions on subdirectory in website -- no anonymous access I basically need a login for uploading content changes to the entire website, and then a separate login that's distributed to users that gives them access to a download folder which is a subdirectory of the website. I can't figure out how to do this! If it's possible, can someone explain to me how to set it up?
Wow that's ton of questions:
a) assumming your website everything is configured and running fine at d:\website\ b) client webroot is at d:\website\c1, c2 .... c) then you setup ftp server - set the root to some dummy d:\dummy\ d) create a virtual directory with the same name that the client login - e.g. clientaccess1 then map it to d:\website\c1\ e) grant read & write permission for user Clientaccess at folder c1 f) repeat d - e for all clients. When client login, it will redirect to their folder automatically, as the username and virtual directory same. the key here is that you must control access via NTFS. side note - ftp upload can do magic :) e.g. user can't upload malicious script etc to do magic stuff when it's executing at server end. -- Regards, Bernard Cheah http://www.iis-resources.com/ http://www.iiswebcastseries.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "geek-y-guy" <noone@nowhere.com> wrote in message news:uialOMMZGHA.3532@TK2MSFTNGP05.phx.gbl... > Hi: Is the following possible with MSFTP? > > -- Stand-Alone Windows Server 2003 Web Edition with one IP > -- web admin needs change permissions on entire website directory > -- less-privileged user needs read permissions on subdirectory in website > -- no anonymous access > > I basically need a login for uploading content changes to the entire > website, and then a separate login that's distributed to users that gives > them access to a download folder which is a subdirectory of the website. > > I can't figure out how to do this! If it's possible, can someone explain > to me how to set it up? > > >
[quoted text, click to view] "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message news:%23F6LwxRZGHA.1196@TK2MSFTNGP03.phx.gbl... > Wow that's ton of questions: > a) assumming your website everything is configured and running fine at > d:\website\ > b) client webroot is at d:\website\c1, c2 .... > c) then you setup ftp server - set the root to some dummy d:\dummy\ > d) create a virtual directory with the same name that the client login - > e.g. clientaccess1 > then map it to d:\website\c1\ > e) grant read & write permission for user Clientaccess at folder c1 > f) repeat d - e for all clients. OK, great...I will try that. [quoted text, click to view] > > When client login, it will redirect to their folder automatically, as the > username and virtual directory same. the key here is that you must control > access via NTFS. > > side note - ftp upload can do magic :) e.g. user can't upload malicious > script etc to do magic stuff when it's executing at server end. > > -- > Regards, > Bernard Cheah > http://www.iis-resources.com/ > http://www.iiswebcastseries.com/ > http://msmvps.com/blogs/bernard/ > > > "geek-y-guy" <noone@nowhere.com> wrote in message > news:uialOMMZGHA.3532@TK2MSFTNGP05.phx.gbl... >> Hi: Is the following possible with MSFTP? >> >> -- Stand-Alone Windows Server 2003 Web Edition with one IP >> -- web admin needs change permissions on entire website directory >> -- less-privileged user needs read permissions on subdirectory in website >> -- no anonymous access >> >> I basically need a login for uploading content changes to the entire >> website, and then a separate login that's distributed to users that gives >> them access to a download folder which is a subdirectory of the website. >> >> I can't figure out how to do this! If it's possible, can someone explain >> to me how to set it up? >> >> >> > >
[quoted text, click to view]
> > "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message > news:%23F6LwxRZGHA.1196@TK2MSFTNGP03.phx.gbl... >> Wow that's ton of questions: >> a) assumming your website everything is configured and running fine at >> d:\website\ >> b) client webroot is at d:\website\c1, c2 .... >> c) then you setup ftp server - set the root to some dummy d:\dummy\ >> d) create a virtual directory with the same name that the client login - >> e.g. clientaccess1 >> then map it to d:\website\c1\ >> e) grant read & write permission for user Clientaccess at folder c1 >> f) repeat d - e for all clients. > > OK, great...I will try that. Sorry, Bernard, but was I supposed to create an FTP site with "user isolation mode"? I did that on my first try, and did the following: -- Created a regular domain user -- Created the FTP site with a dummy "home" directory -- created a virtual directory with the same name as the user (with read/write checked), pointing to the main website directory -- gave the main website directory "change" permissions in NTFS for that user name. When I try to connect using SmartFTP client, I get: 220 Microsoft FTP Service USER TestFTP1 331 Password required for TestFTP1. PASS (hidden) 530 User TestFTP1 cannot log in, home directory inaccessible. I went back and set NTFS "change" on the dummy ftp directory for that user and got the same response. I also checked the properties for the FTP site and it had "allow anonymous" checked and just "read" permissions checked. I un-checked allow anonymous and still can't get in. I also tried connecting from IE6, and I'm given the login prompt, but it doesn't accept the username and password. I'll try setting it up without user isolation enabled and let you know. [quoted text, click to view] > >> >> When client login, it will redirect to their folder automatically, as the >> username and virtual directory same. the key here is that you must >> control access via NTFS. >> >> side note - ftp upload can do magic :) e.g. user can't upload malicious >> script etc to do magic stuff when it's executing at server end. >> >> -- >> Regards, >> Bernard Cheah >> http://www.iis-resources.com/ >> http://www.iiswebcastseries.com/ >> http://msmvps.com/blogs/bernard/ >> >> >> "geek-y-guy" <noone@nowhere.com> wrote in message >> news:uialOMMZGHA.3532@TK2MSFTNGP05.phx.gbl... >>> Hi: Is the following possible with MSFTP? >>> >>> -- Stand-Alone Windows Server 2003 Web Edition with one IP >>> -- web admin needs change permissions on entire website directory >>> -- less-privileged user needs read permissions on subdirectory in >>> website >>> -- no anonymous access >>> >>> I basically need a login for uploading content changes to the entire >>> website, and then a separate login that's distributed to users that >>> gives them access to a download folder which is a subdirectory of the >>> website. >>> >>> I can't figure out how to do this! If it's possible, can someone explain >>> to me how to set it up? >>> >>> >>> >> >> > >
If you use 'user isolation' then you can follow this:
How To Set Up Isolated Ftp Site http://support.microsoft.com/?id=555018 In this case.... you might need to changed your web folder structure to mapped it back to the ftp designed folder structure. it's been a while I tested this. you can try the virtual directory trick to see if it redirect. as for the error msgs. if permission is set correctly, you can get filemon from sysinternals.com to track what's going on and where IIS FTP redirect the user to.... I'm guessing folder structure not correctly setup. -- Regards, Bernard Cheah http://www.iis-resources.com/ http://www.iiswebcastseries.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "geek-y-guy" <noone@nowhere.org> wrote in message news:eMnwPrYZGHA.4752@TK2MSFTNGP02.phx.gbl... > > >> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message >> news:%23F6LwxRZGHA.1196@TK2MSFTNGP03.phx.gbl... >>> Wow that's ton of questions: >>> a) assumming your website everything is configured and running fine at >>> d:\website\ >>> b) client webroot is at d:\website\c1, c2 .... >>> c) then you setup ftp server - set the root to some dummy d:\dummy\ >>> d) create a virtual directory with the same name that the client login - >>> e.g. clientaccess1 >>> then map it to d:\website\c1\ >>> e) grant read & write permission for user Clientaccess at folder c1 >>> f) repeat d - e for all clients. >> >> OK, great...I will try that. > > Sorry, Bernard, but was I supposed to create an FTP site with "user > isolation mode"? > > I did that on my first try, and did the following: > > -- Created a regular domain user > -- Created the FTP site with a dummy "home" directory > -- created a virtual directory with the same name as the user (with > read/write checked), pointing to the main website directory > -- gave the main website directory "change" permissions in NTFS for that > user name. > > When I try to connect using SmartFTP client, I get: > > 220 Microsoft FTP Service > > USER TestFTP1 > > 331 Password required for TestFTP1. > > PASS (hidden) > > 530 User TestFTP1 cannot log in, home directory inaccessible. > > I went back and set NTFS "change" on the dummy ftp directory for that user > and got the same response. > > I also checked the properties for the FTP site and it had "allow > anonymous" checked and just "read" permissions checked. > > I un-checked allow anonymous and still can't get in. > > I also tried connecting from IE6, and I'm given the login prompt, but it > doesn't accept the username and password. > > I'll try setting it up without user isolation enabled and let you know. > > >> >>> >>> When client login, it will redirect to their folder automatically, as >>> the username and virtual directory same. the key here is that you must >>> control access via NTFS. >>> >>> side note - ftp upload can do magic :) e.g. user can't upload malicious >>> script etc to do magic stuff when it's executing at server end. >>> >>> -- >>> Regards, >>> Bernard Cheah >>> http://www.iis-resources.com/ >>> http://www.iiswebcastseries.com/ >>> http://msmvps.com/blogs/bernard/ >>> >>> >>> "geek-y-guy" <noone@nowhere.com> wrote in message >>> news:uialOMMZGHA.3532@TK2MSFTNGP05.phx.gbl... >>>> Hi: Is the following possible with MSFTP? >>>> >>>> -- Stand-Alone Windows Server 2003 Web Edition with one IP >>>> -- web admin needs change permissions on entire website directory >>>> -- less-privileged user needs read permissions on subdirectory in >>>> website >>>> -- no anonymous access >>>> >>>> I basically need a login for uploading content changes to the entire >>>> website, and then a separate login that's distributed to users that >>>> gives them access to a download folder which is a subdirectory of the >>>> website. >>>> >>>> I can't figure out how to do this! If it's possible, can someone >>>> explain to me how to set it up? >>>> >>>> >>>> >>> >>> >> >> > >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |