At line 1 added 2 lines |
Requires __CrushFTP__ version __10.5.2__+ |
|
At line 3 changed one line |
In this limited mode, the "Share" storage for TempAccounts and Preview images for thumbnails needs to be moved from the default CrushFTP folder location to a location within the user data. Otherwise thumbnails can't be retrieved or generated.\\ |
In this limited mode, the __TempAccounts__ and __Preview__ folders need to be moved from the default CrushFTP folder location to a location within the user data root. Then correct the path settings on Preferences->Preview page "Previews Path", respectively on Server Admin->Shares page, "General Settings" menu "Location of temp account file system" field. Otherwise image/document preview thumbnails or shared files can not be retrieved. If also the __"server.file.strict"__ flag is set to __"true"__, the CrushFTP service won't even start up for it's in violation of it's own access rules.\\ |
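Review bot: The rewritten paragraph names the flag "server.file.strict", while the flag list further down calls it file.strict and the config examples use -Dcrushftp.server.file.strict; pick one form (preferably the full property as it appears in the config) and use it throughout. In the last sentence, "for it's in violation of it's own access rules" should read "because it violates its own access rules". The sentence with "respectively on" would be clearer as two separate instructions, one for "Previews Path" and one for "Location of temp account file system".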
At line 6 changed one line |
The server install could be: C:\CrushFTP8\ \\ |
The server install could be: /C:/CrushFTP10/ , in __UNIX-style__ path notation, regardless of operating system family \\ |
At line 8 changed one line |
The user data storage could be: D:\UserData\ \\ |
|
The user data storage could be: /D:/UserData/ , same UNIX-style path notation \\ |
At line 12 changed 3 lines |
file.warn = log an error about the violation, mainly useful for debugging why something got blocked (default=true)\\ |
file.log = if a separate audit log should be kept with all the error info (default=false)\\ |
file.strict = if its true, the action is blocked. Otherwise its allowed and just the error info is logged (default=false)\\ |
__file.warn__ = log an error about the violation, mainly useful for debugging why something got blocked (default=true)\\ |
__file.log__ = if a separate audit log should be kept with all the error info (default=false)\\ |
__file.strict__ = if its true, the action is blocked. Otherwise its allowed and just the error info is logged (default=false)\\ |
__security.exec__ = controls if external processes can be launched from the Preview config, Execute task, etc (default=true)\\ |
__security.classloader__ = controls if DB drivers and other classes can be loaded on the fly and not part of the classpath (default=false)\\ |
__security.stop_start__ = controls if server process can be restarted or stopped (default=true)\\ |
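Review bot: The three added security.* entries, like the file.* entries above them, are listed without the prefix that the config needs. The examples use crushftp.server.file.* for the first group and crushftp.security.* for the second, so a reader working from this list cannot tell which prefix applies to which flag. Give the full property name in each entry. The security.exec entry should also state what happens to the Preview config when it is set to false, since the paragraph above depends on preview thumbnails being retrievable.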
At line 16 changed one line |
Edit the wrapper.conf file in the service file and append this to it (note the double backslashes due to config file encoding):\\ |
Edit the CrushFTPServer.ini file in the "service" subdirectory of the CrushFTP installation folder and append this to it (note the double backslashes due to config file encoding):\\ |
At line 18 changed 5 lines |
wrapper.java.additional.2=-Dcrushftp.server.root=C:\\CrushFTP8\\ |
wrapper.java.additional.3=-Dcrushftp.user.root=D:\\UserData\\ |
wrapper.java.additional.4=-Dcrushftp.server.file.warn=true |
wrapper.java.additional.5=-Dcrushftp.server.file.log=false |
wrapper.java.additional.6=-Dcrushftp.server.file.strict=true |
vmarg.2=-Dcrushftp.server.root=C:/CrushFTP10/ |
vmarg.3=-Dcrushftp.user.root=C:/ftproot/ |
vmarg.4=-Dcrushftp.server.file.warn=true |
vmarg.5=-Dcrushftp.server.file.log=true |
vmarg.6=-Dcrushftp.security.exec=false |
vmarg.7=-Dcrushftp.security.classloader=false |
vmarg.8=-Dcrushftp.security.stop_start=false |
vmarg.9=-Dcrushftp.server.file.strict=true |
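Review bot: The vmarg.2 and vmarg.3 paths now use forward slashes, but the sentence introducing the block still tells the reader to "note the double backslashes", which no longer appear anywhere in the new lines; update that sentence. The paths also lack the leading slash of the UNIX-style notation given above (/C:/CrushFTP10/), and the user root is C:/ftproot/ where the prose uses /D:/UserData/. Either align the example with the prose or state that both forms are accepted.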
At line 25 changed one line |
Edit the startup launcher (OSX=CrushFTP.command file in the CrushFTP folder, CrushFTP8.app/Contents/MacOS/CrushFTP.command) (Linux=/var/opt/CrushFTP8_PC/crushftp_init.sh)\\ |
Edit the startup launcher (OSX=CrushFTP.command file in the CrushFTP folder) (Linux=/var/opt/CrushFTP10/crushftp_init.sh)\\ |
At line 29 changed one line |
-Dcrushftp.server.root=/var/opt/CrushFTP8_PC/ -Dcrushftp.user.root=/home/UserData/ -Dcrushftp.server.file.warn=true -Dcrushftp.server.file.log=false -Dcrushftp.server.file.strict=true -Xmx......... |
-Dcrushftp.server.root=/var/opt/CrushFTP10/ -Dcrushftp.user.root=/home/UserData/ -Dcrushftp.server.file.warn=true -Dcrushftp.server.file.log=false -Dcrushftp.server.file.strict=true -Dcrushftp.security.exec=true -Dcrushftp.security.classloader=false -Dcrushftp.security.stop_start=true -Xmx......... |
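Review bot: This launcher example sets security.exec=true, security.stop_start=true and file.log=false, while the CrushFTPServer.ini example above sets security.exec=false, security.stop_start=false and file.log=true, and the page gives no reason for the difference. Use the same values in both examples, or add a sentence explaining why the two platforms differ, so that readers copying the launcher line do not end up with a less restrictive configuration than the one shown for the service.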
At line 32 changed one line |
''In all cases, matching case is important even if the OS filesystem is not case sensitive.'' |
''Path arguments are __case sensitive__ even if the OS/filesystem is not.'' |
|
Applying the crushftp.server.root and crushftp.user.root JVM runtime parameters at least , will have the equivalent results of UNIX chrooting. |
\\ |
!IMPORTANT\\ |
Before applying the restrictive run time arguments, the __TempAccounts__ and __Preview__ folders need to be moved under the path set for user root. The server __SSL keystore__ file to be moved under the server root. Then the settings updated accordingly.\\ |
Especially in case of setting the __Dcrushftp.server.file.strict__ flag to __true__, for in case of any kind of misconfiguration in this area, the server process will not start.\\ |
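Review bot: The IMPORTANT block adds a requirement to move the SSL keystore under the server root, but the earlier paragraph on limited mode lists only TempAccounts and Preview; keep the full list of prerequisites in one place and drop the duplicate. The final sentence ("Especially in case of setting ... the server process will not start") is a fragment and writes the flag as Dcrushftp.server.file.strict, which matches neither the flag list nor the -D form used in the examples. In the chroot sentence, "at least ," leaves it unclear whether the two root parameters alone are sufficient or are the minimum; say which.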