At line 3 changed one line |
In this limited mode, the "Share" storage for TempAccounts and Preview images for thumbnails need to be moved from the default CrushFTP folder location to a location within the user data. Otherwise thumbnails can't be retrieved or generated.\\ |
In this limited mode, the __TempAccounts__ and __Preview__ folders need to be moved from the default CrushFTP folder location to a location within the user data root. Then correct the path settings on Preferences->Preview page "Previews Path", respectively on Server Admin->Shares page, "General Settings" menu "Location of temp account file system" field. Otherwise image/document preview thumbnails or shared files can not be retrieved. If also the __"server.file.strict"__ flag is set to __"true"__, the CrushFTP service won't even start up for it's in violation of it's own access rules.\\ |
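Review bot: the new paragraph names the flag "server.file.strict", while the option list further down calls it file.strict and the JVM argument is -Dcrushftp.server.file.strict. Use one spelling, preferably the full argument, so readers know exactly what to set. The paragraph also lists only TempAccounts and Preview as folders to relocate, whereas the IMPORTANT block at the end of the page adds the SSL keystore; mention it here or point to that block. Minor wording: "for it's in violation of it's own access rules" should read "because it is in violation of its own access rules".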
At line 6 changed one line |
The server install could be: C:\CrushFTP8\ \\ |
The server install could be: /C:/CrushFTP11/ , in __UNIX-style__ path notation, regardless of operating system family \\ |
At line 8 changed one line |
The user data storage could be: D:\UserData\ \\ |
|
The user data storage could be: /D:/UserData/ , same UNIX-style path notation \\ |
At line 12 changed 4 lines |
file.warn = log an error about the violation, mainly useful for debugging why something got blocked (default=true)\\ |
file.log = if a separate audit log should be kept with all the error info (default=false)\\ |
file.strict = if its true, the action is blocked. Otherwise its allowed and just the error info is logged (default=false)\\ |
security.exec = controls if external processes can be launched from the Preview config or not (default=true)\\ |
__file.warn__ = log an error about the violation, mainly useful for debugging why something got blocked (default=true)\\ |
__file.log__ = if a separate audit log should be kept with all the error info (default=false)\\ |
__file.strict__ = if its true, the action is blocked. Otherwise its allowed and just the error info is logged (default=false)\\ |
__security.exec__ = controls if external processes can be launched from the Preview config, Execute task, etc (default=true)\\ |
__security.classloader__ = controls if DB drivers and other classes can be loaded on the fly and not part of the classpath (default=false)\\ |
__security.stop_start__ = controls if server process can be restarted or stopped (default=true)\\ |
__security.tunnels_allowed__ = controls if the server allows users configured with a tunnel to utilize them (default=true)\\ |
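Review bot: the new entry security.tunnels_allowed does not match the argument used in both configuration examples, which is -Dcrushftp.server.tunnels_allowed=false. Every other entry maps file.* to crushftp.server.file.* and security.* to crushftp.security.*, so one of the two spellings is wrong, and a mistyped property may never take effect. Confirm the real property name and make the list and the examples agree. The carried-over "if its true" and "Otherwise its allowed" should be "it's" while this block is being touched.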
At line 17 changed one line |
Edit the wrapper.conf file in the service file and append this to it (note the double backslashes due to config file encoding):\\ |
Edit the CrushFTPServer.ini file in the "service" subdirectory of the CrushFTP installation folder and append this to it (note the double backslashes due to config file encoding):\\ |
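Review bot: the retained parenthetical "note the double backslashes due to config file encoding" no longer matches the replacement vmarg lines, which use forward slashes (C:/CrushFTP11/). Drop the parenthetical or replace it with a note that forward slashes are used in CrushFTPServer.ini.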
At line 19 changed 6 lines |
wrapper.java.additional.2=-Dcrushftp.server.root=C:\\CrushFTP8\\ |
wrapper.java.additional.3=-Dcrushftp.user.root=D:\\UserData\\ |
wrapper.java.additional.4=-Dcrushftp.server.file.warn=true |
wrapper.java.additional.5=-Dcrushftp.server.file.log=false |
wrapper.java.additional.6=-Dcrushftp.server.file.strict=true |
wrapper.java.additional.7=-Dcrushftp.security.exec=true |
vmarg.2=-Dcrushftp.server.root=C:/CrushFTP11/ |
vmarg.3=-Dcrushftp.user.root=C:/ftproot/ |
vmarg.4=-Dcrushftp.server.file.warn=true |
vmarg.5=-Dcrushftp.server.file.log=true |
vmarg.6=-Dcrushftp.security.exec=false |
vmarg.7=-Dcrushftp.security.classloader=false |
vmarg.8=-Dcrushftp.security.stop_start=false |
vmarg.9=-Dcrushftp.server.file.strict=true |
vmarg.10=-Dcrushftp.server.tunnels_allowed=false |
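Review bot: vmarg.2 and vmarg.3 are written as C:/CrushFTP11/ and C:/ftproot/, but the examples earlier in this revision give the roots as /C:/CrushFTP11/ and /D:/UserData/, with a leading slash and a different user data location. The page states that path arguments are case sensitive and readers will copy these lines literally, so make the notation and the example user root agree, or state that both forms are accepted. vmarg.9 (file.strict) is also separated from the other file.* lines by the security.* entries; grouping it with vmarg.4 and vmarg.5 would read better.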
At line 27 changed one line |
Edit the startup launcher (OSX=CrushFTP.command file in the CrushFTP folder, CrushFTP8.app/Contents/MacOS/CrushFTP.command) (Linux=/var/opt/CrushFTP8_PC/crushftp_init.sh)\\ |
Edit the startup launcher (OSX=CrushFTP.command file in the CrushFTP folder) (Linux=/var/opt/CrushFTP11/crushftp_init.sh)\\ |
At line 31 changed one line |
-Dcrushftp.server.root=/var/opt/CrushFTP8_PC/ -Dcrushftp.user.root=/home/UserData/ -Dcrushftp.server.file.warn=true -Dcrushftp.server.file.log=false -Dcrushftp.server.file.strict=true -Dcrushftp.security.exec=true -Xmx......... |
-Dcrushftp.server.root=/var/opt/CrushFTP11/ -Dcrushftp.user.root=/home/UserData/ -Dcrushftp.server.file.warn=true -Dcrushftp.server.file.log=false -Dcrushftp.server.file.strict=true -Dcrushftp.security.exec=true -Dcrushftp.security.classloader=false -Dcrushftp.security.stop_start=true -Dcrushftp.server.tunnels_allowed=false -Xmx......... |
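Review bot: this launcher example keeps -Dcrushftp.security.exec=true, -Dcrushftp.security.stop_start=true and -Dcrushftp.server.file.log=false, while the CrushFTPServer.ini example in the same revision sets exec and stop_start to false and file.log to true. If the difference is not intentional, align the two examples. If it is, add a sentence saying which values are the recommended restrictive settings, since readers on macOS and Linux will otherwise end up with a looser configuration than Windows readers.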
At line 34 changed one line |
''In all cases, matching case is important even if the OS filesystem is not case sensitive.'' |
''Path arguments are __case sensitive__ even if the OS/filesystem is not.'' |
|
Applying the crushftp.server.root and crushftp.user.root JVM runtime parameters at least , will have the equivalent results of UNIX chrooting. |
\\ |
!IMPORTANT\\ |
Before applying the restrictive run time arguments, the __TempAccounts__ and __Preview__ folders need to be moved under the path set for user root. The server __SSL keystore__ file to be moved under the server root. Then the settings updated accordingly.\\ |
Especially in case of setting the __Dcrushftp.server.file.strict__ flag to __true__, for in case of any kind of misconfiguration in this area, the server process will not start.\\ |
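Review bot: the added sentence "Applying the crushftp.server.root and crushftp.user.root JVM runtime parameters at least , will have the equivalent results of UNIX chrooting" conflicts with the option list, where file.strict defaults to false and a violation is then "allowed and just the error info is logged". With only the two root parameters set, nothing is blocked, so the sentence should name file.strict=true as required for the restriction to be enforced. Also remove the stray space before the comma. The last line writes the flag as "Dcrushftp.server.file.strict" without the leading hyphen and is a sentence fragment ("Especially in case of ... the server process will not start"). The sentence "The server SSL keystore file to be moved under the server root" is missing its verb. Finally, this block largely repeats the paragraph added at line 3, so consider keeping the requirement in one place.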