NWFTPD.NLM and SFTP-SVR.NLM require different NetWare file system rights to restrict users from replacing files over FTP/SFTP

  • 3090499
  • 19-Feb-2008
  • 26-Apr-2012

Environment

Novell NetWare 6.5 Support Pack 7
NetWare FTP Server (NWFTPD.NLM version 5.08.07)
OpenSSH sftp-server (SFTP-SVR.NLM version 3.71.05)

Situation

Restricted access to the NetWare file system over FTP/SFTP may be required for security reasons. For most FTP operations the NetWare FTP Server (NWFTPD.NLM) and the OpenSSH sftp-server (SFTP-SVR.NLM) behave similarly and require the same file system rights for the operating user. However, NWFTPD.NLM and SFTP-SVR.NLM work differently when replacing an existing file and require different access rights for that operation.
This document describes this difference and explains how a NetWare administrator can allow users to upload (PUT) new files and download (GET) existing files, but restrict them from replacing and deleting existing files on a NetWare 6.5 server over FTP and SFTP.

Resolution

DIFFERENT BEHAVIOUR OF NWFTPD.NLM AND SFTP-SVR.NLM REGARDING REPLACING ALREADY EXISTING FILES:
When you PUT a source file over an already existing target file with the same name over FTP, NWFTPD.NLM deletes the already existing target file and then creates the new target file with the same name. In this scenario, the resulting target file has a new creation time and a new modification time.
When you PUT a source file over an already existing file with the same name over SFTP, SFTP-SVR.NLM opens the already existing target file and replaces its data with the data from the source file. In this scenario, the creation time of the already existing target file does not change, but the modification time is updated.
FILE SYSTEM RIGHTS THAT ALLOW USERS TO UPLOAD/PUT NEW FILES AND DOWNLOAD/GET EXISTING FILES, BUT RESTRICT THEM FROM REPLACING AND DELETING EXISTING FILES ON A NW 6.5 SERVER OVER FTP AND SFTP:
The ERASE and CREATE rights are needed to replace an already existing file over FTP (NWFTPD.NLM); the ERASE right should be revoked to deny that FTP operation.
Only the WRITE right is needed to replace an already existing file over SFTP (SFTP-SVR.NLM); the WRITE right should be revoked to deny that SFTP operation.
Hence, in order to allow users to upload new files and download already existing files, but prohibit them from replacing and deleting already existing files, you need to grant users the following effective file system rights:
FTP (NWFTPD.NLM):
- Read
- Write (only needed if you also want to allow FTP users to APPEND data to already existing files)
- Create
- File Scan
SFTP (SFTP-SVR.NLM):
- Read
- Create
- File Scan
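The following Python model is an added example, not part of this TID or of Novell's software: it encodes the rights each FTP/SFTP operation needs as described above and checks which operations a given effective rights set permits. The requirement table follows the TID; that deleting a file needs Erase and downloading needs Read plus File Scan is standard NetWare rights semantics. It also shows a caveat for users who reach the same volume over both protocols: the Write right granted for FTP APPEND is exactly the right SFTP-SVR.NLM needs to overwrite an existing file.

```python
# Added example (not from the TID): model the NetWare file-system rights each
# FTP/SFTP operation needs on this NetWare 6.5 setup and evaluate a rights set.
from itertools import combinations

RIGHTS = ("Read", "Write", "Create", "Erase", "File Scan")

# (protocol, operation) -> rights the operating user must hold.
# Replace semantics per the TID; delete/get per standard NetWare rights.
REQUIRED = {
    ("FTP",  "put_new"):     {"Create"},
    ("FTP",  "put_replace"): {"Erase", "Create"},   # NWFTPD.NLM deletes, then creates
    ("FTP",  "append"):      {"Write"},
    ("FTP",  "get"):         {"Read", "File Scan"},
    ("FTP",  "delete"):      {"Erase"},
    ("SFTP", "put_new"):     {"Create"},
    ("SFTP", "put_replace"): {"Write"},             # SFTP-SVR.NLM opens and overwrites
    ("SFTP", "get"):         {"Read", "File Scan"},
    ("SFTP", "delete"):      {"Erase"},
}

def allowed(rights):
    """Return the set of (protocol, operation) pairs permitted by `rights`."""
    held = set(rights)
    return {op for op, need in REQUIRED.items() if need <= held}

def minimal_rights(must_allow, must_deny):
    """Smallest rights sets permitting every op in must_allow and none in must_deny."""
    for size in range(len(RIGHTS) + 1):
        hits = []
        for combo in combinations(RIGHTS, size):
            ok = allowed(combo)
            if must_allow <= ok and not (must_deny & ok):
                hits.append(set(combo))
        if hits:
            return hits   # stop at the first (smallest) size that satisfies the policy
    return []

if __name__ == "__main__":
    ftp_set = {"Read", "Write", "Create", "File Scan"}   # the TID's FTP recommendation
    # Caveat: with Write present, the same user can overwrite files over SFTP.
    print(sorted(allowed(ftp_set)))
    both = {(p, o) for p in ("FTP", "SFTP") for o in ("put_new", "get")}
    deny = {(p, o) for p in ("FTP", "SFTP") for o in ("put_replace", "delete")}
    print(minimal_rights(both, deny))   # Write and Erase cannot be granted
```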