User Tools

Site Tools


howtos:pure-ftpd_upload_script

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

howtos:pure-ftpd_upload_script [d/m/Y H:i] (current)
Line 1: Line 1:
 +====== Enable Upload Script ======
  
 +
 +To enable uploadscript set the paramter "CallUploadScript" to "yes". In Ubuntu this is done by creating a file called "CallUploadScript" with only the word "yes" inside it. Place CallUploadScript into /etc/pure-ftpd/conf.
 +
 +Now edit the file /etc/default/pure-ftpd-common and add/edit the following:
 +
 +<file>
 +UPLOADSCRIPT=/home/pureftpd/uploadscript.sh
 +# if set, pure-uploadscript will spawn $UPLOADSCRIPT running as the
 +# given uid and gid
 +UPLOADUID=1008
 +UPLOADGID=1008
 +</file>
 +
 +This will call the script "/home/pureftpd/uploadscript.sh" after an upload event and run it as the user given by uid=1008/guid=1008. To find the values for a user just run:
 +
 +<code>
 +# id pureftpd
 +uid=1008(pureftpd) gid=1008(pureftpd) groups=1008(pureftpd)
 +</code>
 +
 +====== The Upload Script ======
 +
 +Now to the script.
 +
 +Of course you will have to make sure it has execution permissions:
 +
 +<code>
 +# chmod +x /home/pureftpd/uploadscript.sh
 +</code>
 +
 +===== A Word of Caution =====
 +
 +You will also have to consider **very** carefully what you put into the script. The script will run no matter who or what is uploaded and can become a security breach. As you do not control what is uploaded or what it is called it could inadvertably do bad stuff to your system. 
 +
 +===== The Story =====
 +
 +My need for an uploadscript was to determine if a file was a picture and not some funny Windows malware (Linux has saved a lot of Windows machines LOL). A customer of mine was getting a lot of documents scanned by a bureau with a massive virus infected network (cheap labour does come at a price :-)). To minimize the risk of uploading crapware I was told to find a simple (and cheap) solution. As I knew that the files uploaded only was pictures a simple filter testing for that was an easy choice. You could choose to extend the action and also virusscan the files, that would be a very easy job to do - just add an other if-then test cycle to the script and throw in [[http://www.clamav.net/|Clam AV]] or some other anti-virus vendor. 
 +
 +===== The Script =====
 +
 +I'm simply testing the file with the command "file" and to determine what filetype it is. I rely on the fact that "file" does its job correctly. If you could fool the tool to believe that a file is a picture but instead is a Windows executable there is a very big chance that someone will double click on it and start the menace.
 +Back to the script. If the file is a picture of either GIF or PNG type it will be accepted and moved into /home/pureftpd/upload.
 +If it is of any other type it will be deleted and a mail send to user@spammenot.dk. 
 +
 +<file>
 +#!/bin/bash
 +logger uploadscript
 +FILETYPE=`file "$1" | cut -d: -f2 | cut -c 1-4 | tr -d " "`
 +if [ x$FILETYPE = xGIF -o x$FILETYPE = xPNG ]; then
 +        mv "$1" /home/pureftpd/upload
 +else
 +        rm "$1"
 +        echo "$1 uploaded and deleted again" | /usr/bin/mail -s "New upload : $1" \ user@spammenot.dk
 +fi
 +</file>
howtos/pure-ftpd_upload_script.txt · Last modified: d/m/Y H:i (external edit)