M4100 FTP Share

[tconway]

I just picked up an m4100, os 3.4.805, bios 2.4.437

I added some ftp shares but I don't quite understand how the ftp server works with the shares.

I created folder/shares with access from different users
\www\webdata\ftphome1 share (ftphome1)
\www\webdata\ftphome2 share (ftphome2)

I can map drives to both the shares with no problem.

If I ftp to either share, the root is the webdata folder (no access) with one subfolder
that reflects the users rights (ftphome1 or ftphome2) depending on who I am logged in as. Is this normal for a snapserver?

thx

[Phoenix32]

I would be interested in someone posting up a good "SNAP Server FTP How To" as well (and added to the Wiki later).

[blue68f100]

Why Did you use the www (web) port 80?

Make sure you have turned on FTP. If you want outside access setup your router to point to the snap.

Create the share at the root of the main share not under the web. (share1/ftp/User1, Share1/ftp/user2 .....) or If you prefer give each user their won folder at the root level.

You give all users "read access" to the root. Then you give each user full access to their own folder, and make them the owner. Remove (No Access) access from folders you do not want the user into. This is where most mess up.

The snap OS does not have a way to hide files, like the Guardian OS does.

This should get you started. The snap checks security and gives you a warning if there is a problem.

[jontz]

What you are describing sounds normal for a snap server if I am understanding your correctly. What were you expecting it to do?

Honestly, the best way I found to set up an FTP server was to create a second share for FTP use, and then assign the FTP users to my FTP share while not giving them access to my normal share. When the FTP users logged in, they could see the FTP share and all of the folders in it, but they could only access the folders I gave them rights to. The other folders came up as access denied. They could not, however, see my normal share that I use for everyday access inside my network.

I'll work on a snap FTP guide, including the snaps limitaions as a FTP server.

[tconway]

FTP is enabled, I'm testing from within my Lan for the time being.
I'll try to be more clear

I created a user "user1"

as administrator I created folder at root level "webdata"
I created a webdata$ share and assigned RO access to "user1"
I then created "webdata\user1" share and assigned FULL access to "user1"
(the snap server created the "user1" subdirectory)

I ftp to snapserver as user1, enter password
pwd is "\" but I am not in the "user1" folder. I can't write anything.
"user1" is a subfolder which makes no sense, it should be root.
I have to cd "user1" to get full access

thx

[Phoenix32]

Quote:

Originally Posted by jontz

I'll work on a snap FTP guide, including the snaps limitaions as a FTP server.

If you would be so kind, send me a copy of that in e-mail when you complete it please.

[blue68f100]

Are you using IE, FireFTP (FF) or other client FTP Program?

The $ makes it a hidden folder. And is treated as system files.

If you can connect via web interface, use windows finder to create a folder, then drop in some files.

Then go to security file/folder and look to see how it assign access. Then you will under stand what is going on. It took me some time to get it down. I suspect you are missing read access to the root.

Jontz, If you would please send me a copy and I will help proof it. As you know everyone looks a security differntly, more eyes the better. When I get the 4500 on line I will let you know what is different. I know it has a hidden file features. This allows you to send a link to someone, and that is the only file you will see. All other will be hidden, like there is only one file in the folder.

I have my new APC UPS with the Network Management card setup to auto shutdown my Snaps. So I'm getting closer.

[snap-tech]

Snap-Tech stepping in.

I will keep this simple.

1. If you are making a web page place this and all graphic files under the www folder and keep as read only for all users.

2. I would create a root folder called ftp. Under the folder called ftp create your individual user folders -- as follows

ftp\user1
ftp\user2
ftp\user3

Then create a share that points to ftp\user1 anc call the share user1
then create a share that points to ftp\user2 and call the share user2

Now create your users -- lets say user1 user2 user3.

Give user1 full access to the share called user1
give user2 full access to the share called user2
give user3 full access to the share called user3

If you create a share that points to the folder called ftp then give users1 user2 and user3 read only to the share called ftp. this means that they will see the folders called user1 user2 and user3 but will not be able to access the folders other than the one that there share points to. If you don't want the users to know that there are other users folders then don't give any of them access to the share called ftp or just don't create the share called ftp.

I always found it easiest to name the shares the same as the folder they point to. This helps keep things inline and easier to remember what points to what.

If for example you give any user full access to the share called ftp they will have full access for all folders located under the share, even if you deny them access to the share called user1 or user2 or user3.

The snap security is a top-down security.

Also something that helps is when you are testing shares, open up another window and login into the admin page and check the active user tab and see what the ftp user is actually logged in as. They may be in a guest and not the user u think they are in as.

Also remember that share1 does not point to a folder, it points to the root so I would remove all users from share1 other than the snap administrator. Only admins should have any access to share1 which gives them full access to all data on snap no matter what share/folders have been created.

Douglas Snap-Tech

[snap-tech]

sorry but some of my previous post is not correct. I was lying in bed trying to fall asleep, but something kept hunting me about my post. I finally figured it out and below are the corrections.


You want to grant full access to user1 user2 user3 to the share calld ftp. Then you would go into the file and folder security and deny user2 access to user1 folder and same for user3. User1 would have full acess to the share named user1as well as full file and folder security to the share user1. god i hope that makes sense.

You give full acess to shares and limit or deny access through file and folder security. If you do not want user to be able to do more than read data within a specific share then you can give read only access to the share. But if they are going to have write access to data within a share then give full access to the share and limit there access to specific folders/files that you don't want them to be able to change within the same share.

I hope this makes sense.

I have to get up in 2 hours to go to seattle. At least I will be able to get to sleep now I hope.

Douglas Snap-tech

[snap-tech]

snap security can be a pain in the ass to get it down.

[snap-tech]

one other thing

there is no difference between and ftp share and a network or lanmanager share. a share is a share on a snap.

[tconway]

blue68f100
I'm using a client FTP Program. Actually to test, I'm using ftp from windows command line. I understand $ makes a hidden folder, just trying options

Snap-Tech
If I understand correctly, I create
ftp\user1
ftp\user2
ftp\user3

Then create "ftp" share and grant full access to all 3 users
Then through folder security, deny access on user1 to user2, user3... same for the ither users.

Following these steps, if I ftp from the command line as user1 will I be in the user1 folder or the ftp folder? If I end up in the ftp folder this is very problematic having to leave the changing of directory to the user.

-Tom

[blue68f100]

Create the shares first then user. You have and option when you create a share users to config access rights.

Depending on your router (firewall) and ISP's some ftp client does not work. In most cases IE does.

Security will drive you nuts, when you you start testing it.

[snap-tech]

In that case don't create the share ftp or don't give any users acess to it.

Just create the shares that point to user1 folder, user2 folder and user3 folder and give the correct user full access to the correct share.

Douglas Snap-Tech

[Phoenix32]

Ya know, there has been just enough good info here (and it was good info), spread out through enough messages, from enough people, and a few corrections, to muddy up the water and make it all confusing.

So let's try this...

We have a SNAP Server. We want to use it for FTP and for internal LAN use.

For the FTP we want two sections, one private and one not so private. Both require a username and password, but FTPuser1 only get's access to XX while FTPuser2 gets access to XX and YY. Either user can upload, but only to a specified upload directory within their accessable shares.

Lastly, there is also a share that is for normal file access (not FTP) for LAN use only, but any user on the LAN can access it.


This should be a common setup, so how does one set this up on a SNAP? Step by step? Thank you...

[tconway]

Based upon my experimentation the ftp share is the same as the normal share.
The snaps ftp server however does not work like convention ftp servers. There seems to be an odd concept of root

Create share ftp\user1 and give access to user1
user1 ftp's and gets this
\
\user1
I would anticipate only \ bing the user1 folder

Create anther share for root ftp and user1 sees this
\
\ftp
\user1
I would anticipate \ with a subdirectory of user1

Strange and dangerous behavior. With the only option under the ftp server being "allow anonymous ftp".... I'm not using it.

[blue68f100]

Not to through another twist in the works but firewall cause major havic with ftp servers. Phoenix32 and jonts will confirm. Even ISP handle the trafic differently. Only IE seam to get through Verizon with a Netgear router, Comcast is not near as picky. So if you are setting this up for outside access be warned.

If on your other folder and share at the same level, Add NO Access for unwanted snoops. It will prevent them from browsing. Have you private share nested under 1 folder/dir.

[jontz]

Quote:

Originally Posted by tconway

blue68f100
I'm using a client FTP Program. Actually to test, I'm using ftp from windows command line. I understand $ makes a hidden folder, just trying options

Snap-Tech
If I understand correctly, I create
ftp\user1
ftp\user2
ftp\user3

Then create "ftp" share and grant full access to all 3 users
Then through folder security, deny access on user1 to user2, user3... same for the ither users.

Following these steps, if I ftp from the command line as user1 will I be in the user1 folder or the ftp folder? If I end up in the ftp folder this is very problematic having to leave the changing of directory to the user.

-Tom

So, pretty much what I said originally...

Blue and Phoenix, I will be sending you my brief "essay" on my snap FTP experience sometime this weekend now that Thanksgiving is over with...

[Phoenix32]

Thank you.

[jontz]

...or I could boil it down for you right now....the snap SUCKS as a FTP server

I'll be more in depth than that though...

[Morpheus256]

I'm very interested in reading the ftp book for the snap mine should be here next week so i'll finally be able to play with it.

[re3dyb0y]

A book with 1 sentence

"Don't use the snap as a FTP server"


Or Maybe 2

"A work around, is to map shares to a desktop pc, or some other better NAS device, and FTP from there"

[blue68f100]

Maybe, but I'm not convenced it's not mfg interpentation of ftp through firewalls. My brother was trying to access mine and had no luck. He moved to a different location, NOT Behind a FIREWALL and it worked fine. Then another case is when I moved from Comcast Cable to Verizon FIOS. The only thing that's works now is IE. All internal testing works fine, even with FTP clinet software.

The solution may be a DMZ, but I don't like that solution.

[Morpheus256]

it sounds like it could be a problem with the ftp daemon and PASV connections then if nat devices mess with it.

[blue68f100]

NAT & Firewalls play havic on FTP. The only clean way is in a DMZ.

WarFTP even had problems working through NAT & Firewalls.

All worked flawlessly behind the firewall with FTP clinet software.