LinuxQuestions.org
12-18-2007, 11:47 AM   #1
RedhatLearner
LQ Newbie
 
Registered: Dec 2007
Posts: 1

Rep: Reputation: 0
Automatically set up FTP only accounts for accepting datafeeds


Hello,


I'm trying to create a website that will accept and process datafeeds, but with only a limited knowledge of PHP I have become unstuck rather quickly.

I'm trying to make it that people can register on our site and they will then be set up and sent their ftp log-in details automatically but am a little stuck as to how to do this.

The plan is:

- Each new user request generates a new folder in an uploads directory. The folder name would be that person's unique id from the mysql userid primary key.

- The ftp only account, chrooted into that specific folder, is automatically created on the system (really stuck as to how to do this)

- Login details are automatically sent to the user

- A cron job scans each folder to see if new files have been added and processes the datafeed if a new file has been uploaded.

- At the end of the day another cron job moves all the files into an archive folder


I'm sure there must be a better way of doing this so any help would be much appreciated!
 
12-19-2007, 06:23 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote:
Originally Posted by RedhatLearner
with only a limited knowledge of php I have become stuck rather quickly.
Then I urge you (do not read that as "ask" or "suggest") to search for current, maintained and supported packages that already provide (parts) of what you need. Not only will it save you time but it will also mean you can ask for support and implies it will have better testing and security than you can come up with (with all due respect). See Freshmeat, Sourceforge and Nongnu.

If you still want to go the "home brew" way, good luck, and here are some unsorted questions / comments for you:
- How do you verify any user input doesn't include chars you should exclude?
- How do you react to illegal input? Scrub or deny?
- What's the time between account creation and upload readiness?
- Do you detect "free" email providers and would that be a good thing?
- Do you detect username iterations? Should you?
- Do you intend to allow these services only over SSL? Why not?
- What's the maximum amount of files a user can dump on the system? Per file filesize? How do you check that? How often?
- Vsftpd allows you to create "virtual" users. An FTP-only account doesn't need an account on the system.
- Does processing the datafeed include a validity check? Why not?


I'll leave you with some links (from the LQ FAQ: Security references) that may or may not make for an interesting read:

Apache
Web Security Appliance With Apache and mod_security (SF): http://www.securityfocus.com/infocus/1739
Securing Apache Step-by-Step: http://www.securityfocus.com/infocus/1694
Securing apache2: http://www.securityfocus.com/infocus/1786

Suexec
Apache suEXEC Support: http://httpd.apache.org/docs/1.3/suexec.html
HOWTO Install PHP with SuExec: http://gentoo-wiki.com/HOWTO_Install_PHP_with_SuExec
HOWTO Install PHP as CGI with Apache's suEXEC Feature: http://archiv.debianhowto.de/en/php_cgi/c_php_cgi.html
How to set up suexec to work with virtual hosts and PHP (+PHP +public_html patch): http://alain.knaff.lu/howto/PhpSuexec/

PHP
PHP and the OWASP Top Ten Security Vulnerabilities: http://www.sklar.com/page/article/owasp-top-ten
Top 7 PHP Security Blunders: http://www.sitepoint.com/print/php-security-blunders
PHP Security Guide: http://phpsec.org/projects/guide/ (PHP Security Library: http://phpsec.org/library/)
PHPsec.org Security Guide considered harmful: http://www.hardened-php.net/php_secu...armful.51.html
PHP: Preventing register_global problems: http://www.modsecurity.org/documenta...r-globals.html
Securing PHP Step-by-Step: http://www.securityfocus.com/infocus/1706
PHP Security: http://www.onlamp.com/pub/a/php/2003...undations.html
Security of PHP: http://www.developer.com/lang/article.php/918141 (PHP Foundations: http://www.onlamp.com/pub/ct/29)
Auditing PHP, Part 1: Understanding register_globals: http://www-128.ibm.com/developerworks/library/os-php1/
Hardened PHP: http://www.hardened-php.net
Web application security: http://www.heise-security.co.uk/articles/84511

Checking PHP
Pixy (Check cross-site scripting and SQL injection): http://pixybox.seclab.tuwien.ac.at/pixy/

Exploiting Common Vulnerabilities in PHP Applications
http://www.securereality.com.au/studyinscarlet.txt

Application security testing
Open Web Application Security Project (OWASP): http://www.owasp.org/index.php/OWASP...le_of_Contents
Springenwerk Cross Site Scripting (XSS) security scanner: http://sourceforge.net/projects/springenwerk

BTW: if you think you needn't read those I can only wish you may live in interesting times.
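
The "scrub or deny" and vsftpd virtual-user points from the post above, as an added sketch that is not part of the original thread: a provisioning function that denies any user id that is not a plain numeric key, creates the per-user upload folder, and appends a random password to a virtual-user login list. The function name, the paths passed in, and the login-list layout (a name line followed by a password line) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: provision_feed_user,
# the upload root, and a vsftpd virtual-user login list (name line, then
# password line) that is later converted for pam_userdb.

provision_feed_user() {
    uid=$1 upload_root=$2 login_list=$3

    # Deny instead of scrubbing: accept only a numeric primary key
    # (1-10 digits, no leading zero). Anything else, such as "../etc"
    # or "42 x", is rejected before it reaches a path or the login list.
    case $uid in
        ''|0*|*[!0-9]*) echo "rejected user id" >&2; return 1 ;;
    esac
    [ "${#uid}" -le 10 ] || { echo "rejected user id" >&2; return 1; }

    # Never re-provision: an existing name must not get a second entry.
    if [ -f "$login_list" ] &&
       awk -v u="$uid" 'NR % 2 == 1 && $0 == u { f = 1 } END { exit !f }' \
           "$login_list"; then
        echo "user id already provisioned" >&2; return 2
    fi

    # Per-user upload directory; fails if it already exists.
    mkdir -p "$upload_root" || return 3
    mkdir -m 0750 "$upload_root/$uid" || return 3

    # 128 bits from the kernel CSPRNG, hex-encoded (32 characters).
    pw=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    [ "${#pw}" -eq 32 ] || return 4

    # The login list holds secrets: keep it owner-only.
    ( umask 077; printf '%s\n%s\n' "$uid" "$pw" >> "$login_list" ) || return 5
    chmod 600 "$login_list" || return 5

    printf '%s\n' "$pw"   # caller mails this to the user
}
```

Converting the login list into the database that pam_userdb reads, and the vsftpd.conf settings that map each virtual user to its own chrooted folder, are left out here.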
 
  


All times are GMT -5.