howto accept only one filetype with vsftpd

Latest response

Hi,

I have deployed vsftpd and want client to be able to upload only zip files. I found deny_file directive but that works the other way. It has, however, a under documented and restricted regexp functionality. Is it possible to use deny_file's regexp to negate zip (denyfile != .zip)?

Fred

fv
Log in to join the conversation

Responses

David Powles's picture Red Hat Guru 25394 points
29 April 2013 9:50 AM

Hi Fred,

No answer yet, but I think we should be able to help out. Let me chase this one up.

BM Red Hat Expert 1221 points
30 April 2013 5:33 PM

Hi Fred,

An entry in vstfpd.conf like "deny_file != .zip" won't work, but I believe that I may have created a value for deny_file that would be a step in the right direction:

deny_file={*.[a-y]*,*.z[a-hj-z]*,*.zi[a-oq-z]*}

It seems like the value of deny_file isn't actually a regexp, but more like a shell file glob.  I've tested this deny_file expression on my system, and vsftpd does allow me to upload "file.zip" and "file.ZiP", but it won't allow me to upload the following files:

  • file.txt
  • file.zap
  • file.zit
  • file.zzz

It does, however, allow me to upload the file "file.zipped", so the expression isn't perfect.  As the documentation for vsftp states, deny_file isn't really intended for serious access control.

fv Community Member 50 points
14 May 2013 6:30 AM

Thanks! I will try this!

fv Community Member 50 points
14 May 2013 6:30 AM

[Duplicate comment removed -Admin]

Mv Newbie 15 points
14 May 2013 1:41 PM

What about this one:

deny_file={*.[a-y]*,*.z[a-hj-z]*,*.zi[a-oq-z]*,*.zip[a-z0-9]*}

I guess you'd need to add 0-9 to the other entries as well.

BM Red Hat Expert 1221 points
15 May 2013 6:53 PM

Good catch!  Yes, of course you should really include all characters that are acceptable as part of a file name in your locale in the character class.