Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
PrevChapter 32. Linux FTP ServerNext

32.10. The special file .notar

Whether you allow on-the-fly tarring of directories or not, you should make sure an end-run cannot be made using tar command in all areas where the upload parameter is not permit. To do so, create the special file .notar in each directory and in the FTP directory. 


      [root@deep ] /# touch /home/ftp/.notar
      [root@deep ] /# touch /home/ftp/etc/.notar
      [root@deep ] /# touch /home/ftp/dev/.notar
      [root@deep ] /# touch /home/ftp/bin/.notar   (1)
      [root@deep ] /# touch /home/ftp/lib/.notar   (2)
      [root@deep ] /# chmod 0 /home/ftp/.notar
      [root@deep ] /# chmod 0 /home/ftp/etc/.notar
      [root@deep ] /# chmod 0 /home/ftp/dev/.notar
      [root@deep ] /# chmod 0 /home/ftp/bin/.notar (3)
      [root@deep ] /# chmod 0 /home/ftp/lib/.notar (4)
(1)
Require only if you are not using the --enable-ls option.
(2)
Require only if you are not using the --enable-ls option.
(3)
Require only if you are not using the --enable-ls option.
(4)
Require only if you are not using the --enable-ls option.

The zero-length .notar file can confuse some web clients and FTP proxies, so let's mark it irretrievable to solve the problem. Add the following lines to your /etc/ftpaccess file. 

        noretrieve .notar

The noretrieve command. The noretrieve parameter of Wu-ftpd server allow you to deny transfer of the sectected directories or files. It is also a good idea to prevent downloads of those subdirectories bin, etc, dev, and lib in the /home/ftp directory with the command noretrieve in your /etc/ftpaccess file. 

        # We'll prevent downloads with noretrieve.
        noretrieve /home/ftp/etc
        noretrieve /home/ftp/dev
        noretrieve /home/ftp/bin  (1)
        noretrieve /home/ftp/lib  (2)

(1)
Require only if you are not using the --enable-ls option.
(2)
Require only if you are not using the --enable-ls option.

PrevHomeNext
Securing FTPUpInstalled files