User Tools

Site Tools


howtos:pure-ftpd_upload_script

Enable Upload Script

To enable uploadscript set the paramter “CallUploadScript” to “yes”. In Ubuntu this is done by creating a file called “CallUploadScript” with only the word “yes” inside it. Place CallUploadScript into /etc/pure-ftpd/conf.

Now edit the file /etc/default/pure-ftpd-common and add/edit the following:

UPLOADSCRIPT=/home/pureftpd/uploadscript.sh
# if set, pure-uploadscript will spawn $UPLOADSCRIPT running as the
# given uid and gid
UPLOADUID=1008
UPLOADGID=1008

This will call the script “/home/pureftpd/uploadscript.sh” after an upload event and run it as the user given by uid=1008/guid=1008. To find the values for a user just run:

# id pureftpd
uid=1008(pureftpd) gid=1008(pureftpd) groups=1008(pureftpd)

The Upload Script

Now to the script.

Of course you will have to make sure it has execution permissions:

# chmod +x /home/pureftpd/uploadscript.sh

A Word of Caution

You will also have to consider very carefully what you put into the script. The script will run no matter who or what is uploaded and can become a security breach. As you do not control what is uploaded or what it is called it could inadvertably do bad stuff to your system.

The Story

My need for an uploadscript was to determine if a file was a picture and not some funny Windows malware (Linux has saved a lot of Windows machines LOL). A customer of mine was getting a lot of documents scanned by a bureau with a massive virus infected network (cheap labour does come at a price :-)). To minimize the risk of uploading crapware I was told to find a simple (and cheap) solution. As I knew that the files uploaded only was pictures a simple filter testing for that was an easy choice. You could choose to extend the action and also virusscan the files, that would be a very easy job to do - just add an other if-then test cycle to the script and throw in Clam AV or some other anti-virus vendor.

The Script

I'm simply testing the file with the command “file” and to determine what filetype it is. I rely on the fact that “file” does its job correctly. If you could fool the tool to believe that a file is a picture but instead is a Windows executable there is a very big chance that someone will double click on it and start the menace. Back to the script. If the file is a picture of either GIF or PNG type it will be accepted and moved into /home/pureftpd/upload. If it is of any other type it will be deleted and a mail send to user@spammenot.dk.

#!/bin/bash
logger uploadscript
FILETYPE=`file "$1" | cut -d: -f2 | cut -c 1-4 | tr -d " "`
if [ x$FILETYPE = xGIF -o x$FILETYPE = xPNG ]; then
        mv "$1" /home/pureftpd/upload
else
        rm "$1"
        echo "$1 uploaded and deleted again" | /usr/bin/mail -s "New upload : $1" \ user@spammenot.dk
fi
howtos/pure-ftpd_upload_script.txt · Last modified: 02/12/2018 20:34 by 127.0.0.1