Re: [twsocket] TFtpServ that uses FTP user's Windows account security context
Hello,

Seems like cool stuff. In order for me to test it more, we will first adapt the changes to our FTPSrvMT.pas. This can take a week.

Regards,

SZ

- Original Message -
From: Arno Garrels [EMAIL PROTECTED]
To: ICS support mailing twsocket@elists.org
Sent: Friday, May 18, 2007 4:32 PM
Subject: Re: [twsocket] TFtpServ that uses FTP user's Windows account security context

Now the source code is included: http://www.duodata.de/misc/delphi/OverbyteIcsFtpSrv-20070516.zip

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

Arno Garrels wrote:

Fastream Technologies wrote:

Not yet. Having personal problems these days.. :((

I uploaded a new version with some common improvements and fixes. There's a new option to hide the physical path, see Menu | Options.
http://www.duodata.de/misc/delphi/OverbyteIcsFtpServ.zip

HomeDir is hardcoded C:\TEMP. In order to test Windows security try the following:

1) Create a new user Group FTP-Users
2) Right-click Drive C: | Properties | Security-Settings
3) Add group FTP-Users deny Full Access
4) Go to C:\Temp, Properties | Security-Settings
   Set proper NTFS rights to Group FTP-Users (break inheritance, copy inherited rights)
5) Create a new user, make her a member of Group FTP-Users only.

Make sure the server process runs in an account with sufficient permissions. Since the FtpSrv demo is not Vista-compatible please try on a different NT-OS or turn off virtualization as well as UAC or try to run the demo As Administrator.

BTW: Even disk quotas work (I tested in XP).

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

On 5/11/07, Arno Garrels [EMAIL PROTECTED] wrote:

Fastream Technologies wrote:

Hello Arno,

I use Windows Vista Business. I went to the control panel and created what's called a limited user. Now that user can go into C:\Windows and list file/folder listings when logged in with your server demo. Is this normal?

SZ,

Any progress in testing?

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

Regards,

SZ

On 5/10/07, Arno Garrels [EMAIL PROTECTED] wrote:

Perhaps you can code the NTLM into ICS FTP Server demo? Believe me there is DEMAND for it! Fastream offers you $200 for the task to be completed in 10 days plus we can help you test. I know $200 is not much for a German company but this code could be used by many people so it's well spent effort (remember we will donate the demo).

OK, some money is always welcome :-)

I uploaded the result for testing (binary only):
http://www.duodata.de/misc/delphi/OverbyteIcsFtpServ.zip

It might be slower than the original v6 demo since security context is switched very frequently, please check whether it's too slow.

Note that currently CWD works for directory names with length = 3 as well as with current HomeDir (Angus can you tell us why?). PWD also always succeeds. It's possible to upload a zero-size file even if the user has only read access (file is not written).

My solution impersonates user's Windows security context upon filesystem access, all events however are triggered in the context of server's process, it may be useful to switch to user's context in some events as well, but that was fine tuning and should be discussed here.

BTW: I changed/fixed the STOU command, can somebody please test?

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

-- To unsubscribe or change your settings for TWSocket mailing list please goto http://www.elists.org/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

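The per-access impersonation discussed in this thread, as an added Delphi example that is not part of the original messages and is not ICS code: the thread switches to the FTP user's token only around the file-system call, refuses to touch the file if the switch fails, and always reverts afterwards. The helper `OpenAsUser`, the account `ftptest`, its password and the file name are hypothetical placeholders.

```delphi
program ImpersonatedOpen;
{$APPTYPE CONSOLE}
uses Windows, SysUtils;

const // constructed placeholder values, not taken from the thread
  UserName: string = 'ftptest';
  Domain:   string = '.';   // "." selects the local account database
  Password: string = 'placeholder-password';

// Hypothetical helper (not ICS code). Opens FileName for reading while the
// thread impersonates UserToken, so NTFS ACLs are checked against that user.
// Returns ERROR_SUCCESS or the Win32 error code of the failing call.
function OpenAsUser(UserToken: THandle; const FileName: string;
  out FileHandle: THandle): DWORD;
begin
  Result := ERROR_SUCCESS;
  FileHandle := INVALID_HANDLE_VALUE;
  // Fail closed: without this check the open below would run with the
  // server account's rights.
  if not ImpersonateLoggedOnUser(UserToken) then
  begin
    Result := GetLastError;
    Exit;
  end;
  try
    FileHandle := CreateFile(PChar(FileName), GENERIC_READ, FILE_SHARE_READ,
      nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if FileHandle = INVALID_HANDLE_VALUE then
      Result := GetLastError;   // e.g. ERROR_ACCESS_DENIED (5)
  finally
    // Always return to the server's own context, even on an exception.
    if not RevertToSelf then
      RaiseLastOSError;
  end;
end;

var
  Token, H: THandle; Err: DWORD;
begin
  if not LogonUser(PChar(UserName), PChar(Domain), PChar(Password),
    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, Token) then
    RaiseLastOSError;
  try
    Err := OpenAsUser(Token, 'C:\TEMP\readme.txt', H); // constructed file name
    if Err = ERROR_SUCCESS then CloseHandle(H);
    Writeln('open as ', UserName, ': ', SysErrorMessage(Err));
  finally
    CloseHandle(Token);
  end;
end.
```
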
Re: [twsocket] TFtpServ that uses FTP user's Windows account security context
Fastream Technologies wrote:

Hello Arno,

I use Windows Vista Business. I went to the control panel and created what's called a limited user. Now that user can go into C:\Windows and list file/folder listings when logged in with your server demo. Is this normal?

SZ,

Any progress in testing?

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

Regards,

SZ

On 5/10/07, Arno Garrels [EMAIL PROTECTED] wrote:

Perhaps you can code the NTLM into ICS FTP Server demo? Believe me there is DEMAND for it! Fastream offers you $200 for the task to be completed in 10 days plus we can help you test. I know $200 is not much for a German company but this code could be used by many people so it's well spent effort (remember we will donate the demo).

OK, some money is always welcome :-)

I uploaded the result for testing (binary only):
http://www.duodata.de/misc/delphi/OverbyteIcsFtpServ.zip

It might be slower than the original v6 demo since security context is switched very frequently, please check whether it's too slow.

Note that currently CWD works for directory names with length = 3 as well as with current HomeDir (Angus can you tell us why?). PWD also always succeeds. It's possible to upload a zero-size file even if the user has only read access (file is not written).

My solution impersonates user's Windows security context upon filesystem access, all events however are triggered in the context of server's process, it may be useful to switch to user's context in some events as well, but that was fine tuning and should be discussed here.

BTW: I changed/fixed the STOU command, can somebody please test?

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

Re: [twsocket] TFtpServ that uses FTP user's Windows account security context
Not yet. Having personal problems these days.. :((

On 5/11/07, Arno Garrels [EMAIL PROTECTED] wrote:

Fastream Technologies wrote:

Hello Arno,

I use Windows Vista Business. I went to the control panel and created what's called a limited user. Now that user can go into C:\Windows and list file/folder listings when logged in with your server demo. Is this normal?

SZ,

Any progress in testing?

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

Regards,

SZ

On 5/10/07, Arno Garrels [EMAIL PROTECTED] wrote:

Perhaps you can code the NTLM into ICS FTP Server demo? Believe me there is DEMAND for it! Fastream offers you $200 for the task to be completed in 10 days plus we can help you test. I know $200 is not much for a German company but this code could be used by many people so it's well spent effort (remember we will donate the demo).

OK, some money is always welcome :-)

I uploaded the result for testing (binary only):
http://www.duodata.de/misc/delphi/OverbyteIcsFtpServ.zip

It might be slower than the original v6 demo since security context is switched very frequently, please check whether it's too slow.

Note that currently CWD works for directory names with length = 3 as well as with current HomeDir (Angus can you tell us why?). PWD also always succeeds. It's possible to upload a zero-size file even if the user has only read access (file is not written).

My solution impersonates user's Windows security context upon filesystem access, all events however are triggered in the context of server's process, it may be useful to switch to user's context in some events as well, but that was fine tuning and should be discussed here.

BTW: I changed/fixed the STOU command, can somebody please test?

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

Re: [twsocket] TFtpServ that uses FTP user's Windows account security context
Is this normal?

I think so, since a newly created user is a member of group Everyone by default which has read-permission to most files. I tested with a newly created group FTP-Users to which I denied certain NTFS-rights for testing purposes (there's probably a smarter way).

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html

Fastream Technologies wrote:

Hello Arno,

I use Windows Vista Business. I went to the control panel and created what's called a limited user. Now that user can go into C:\Windows and list file/folder listings when logged in with your server demo. Is this normal?

Regards,

SZ

On 5/10/07, Arno Garrels [EMAIL PROTECTED] wrote:

Perhaps you can code the NTLM into ICS FTP Server demo? Believe me there is DEMAND for it! Fastream offers you $200 for the task to be completed in 10 days plus we can help you test. I know $200 is not much for a German company but this code could be used by many people so it's well spent effort (remember we will donate the demo).

OK, some money is always welcome :-)

I uploaded the result for testing (binary only):
http://www.duodata.de/misc/delphi/OverbyteIcsFtpServ.zip

It might be slower than the original v6 demo since security context is switched very frequently, please check whether it's too slow.

Note that currently CWD works for directory names with length = 3 as well as with current HomeDir (Angus can you tell us why?). PWD also always succeeds. It's possible to upload a zero-size file even if the user has only read access (file is not written).

My solution impersonates user's Windows security context upon filesystem access, all events however are triggered in the context of server's process, it may be useful to switch to user's context in some events as well, but that was fine tuning and should be discussed here.

BTW: I changed/fixed the STOU command, can somebody please test?

-- Arno Garrels [TeamICS]
http://www.overbyte.be/eng/overbyte/teamics.html