This time it was a pretty interesting task. We needed a generic FTP account for all the public users to upload their stuff to our FTP server. However, the requirement was to prevent them from downloading other users’ files from this FTP server. Write-only access, if you will.
I spent some time figuring out how to do this. First I thought that FTP authorization rules could help.
It is a pretty obvious idea that if I keep only the Write permission, I’ll have what I need. No, it does not work; without Read the server cannot find a user’s home directory.
Then I started playing around with NTFS permissions on the user’s home folder, without much success, until I found the “Creating a Blind Drop FTP Server” article by Steve Schofield. I’ve slightly modified the settings he recommended to get what I needed. So, here’s the answer:
On the user’s home folder ACL you need to:
- Stop inheritance and copy all permissions
- Delete USERS
- Delete CREATOR OWNER
Then, in the Advanced Settings, add two different sets of permissions for the user account.
One is to allow Read and Write (not Modify!) for This folder and subfolders.
It gives the user the ability to browse the folder structure and create files and folders. Since CREATOR OWNER is deleted, the user will not have Full Control on any objects he/she created.
Another set is List folder/read data and Read permissions for Files only.
Now the user cannot do anything with the files; however, they will still be visible to the user.
Done. And I’m happy with this.
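
The ACL steps above as a PowerShell script, added here as an example that is not part of the original post. The folder path and account name are placeholders, and the second entry is assumed to be a Deny entry, which the post does not state (an Allow entry for List folder/read data on files would let the account read them).

```powershell
# Added example, not from the original post. Run in an elevated session.
$HomeDir = 'D:\FtpRoot\LocalUser\ftpupload'   # placeholder: the account's home folder
$Account = 'SERVER01\ftpupload'               # placeholder: the generic FTP account
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'

# Stop inheritance and copy the inherited entries as explicit ones.
$acl = Get-Acl -Path $HomeDir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $HomeDir -AclObject $acl

# Re-read so the copied entries are explicit, then delete USERS and CREATOR OWNER.
# Well-known SIDs are used so the script does not depend on the OS language.
$acl = Get-Acl -Path $HomeDir
foreach ($sid in 'S-1-5-32-545', 'S-1-3-0') {   # BUILTIN\Users, CREATOR OWNER
    $acl.PurgeAccessRules((New-Object System.Security.Principal.SecurityIdentifier $sid))
}

# Entry 1: Allow Read and Write (not Modify) on "This folder and subfolders".
$rule1 = New-Object $ruleType -ArgumentList $Account, 'Read, Write', 'ContainerInherit', 'None', 'Allow'

# Entry 2: List folder/read data and Read permissions on "Files only".
# Assumption: Deny. The post does not say whether this entry is Allow or Deny.
$rule2 = New-Object $ruleType -ArgumentList $Account, 'ReadData, ReadPermissions', 'ObjectInherit', 'InheritOnly', 'Deny'

$acl.AddAccessRule($rule1)
$acl.AddAccessRule($rule2)
Set-Acl -Path $HomeDir -AclObject $acl

# Check: list the entries the account ended up with, and confirm that
# USERS and CREATOR OWNER no longer appear anywhere in the ACL.
$final = (Get-Acl -Path $HomeDir).Access
$final | Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags, PropagationFlags
$final | Where-Object { $_.IdentityReference.Value -match 'CREATOR OWNER|\\Users$' } |
    ForEach-Object { Write-Warning "Unexpected entry remains: $($_.IdentityReference)" }
```

The final check matches on English account names, so on a localized system compare against the translated SIDs instead.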