At line 1 removed 2 lines |
Requires CrushFTP version 9.3.1+ |
|
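Review bot: dropping "Requires CrushFTP version 9.3.1+" leaves the page with no minimum version at all, while the later changes introduce security.classloader, security.stop_start and tunnels_allowed and move every path to CrushFTP11. Keep a version line and say from which release each new flag is honoured, so an administrator on an older build does not assume a flag is enforced when it is ignored.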
At line 5 changed one line |
In this limited mode, the TempAccounts and Preview folders need to be moved from the default CrushFTP folder location to a location within the user data root. Then correct the path settings on Preferences->Preview page "Previews Path", respectively on Server Admin->Shares page, "General Settings" menu "Location of temp account file system" field. Otherwise image/document preview thumbnails or shared files can not be retrived. If also the "server.file.strict" flag is set to "true", the CrushFTP service won't even start up for it's in violation of it's own access rules.\\ |
In this limited mode, the __TempAccounts__ and __Preview__ folders need to be moved from the default CrushFTP folder location to a location within the user data root. Then correct the path settings on Preferences->Preview page "Previews Path", respectively on Server Admin->Shares page, "General Settings" menu "Location of temp account file system" field. Otherwise image/document preview thumbnails or shared files can not be retrieved. If also the __"server.file.strict"__ flag is set to __"true"__, the CrushFTP service won't even start up for it's in violation of it's own access rules.\\ |
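Review bot: the revised sentence still reads "for it's in violation of it's own access rules"; both should be "its", and "can not" should be "cannot". The flag is also quoted here as "server.file.strict" while the flag list at line 15 calls it file.strict; use one name throughout, ideally the full -Dcrushftp.server.file.strict form used in the launcher examples.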
At line 8 changed one line |
The server install could be: /C:/CrushFTP9/ , in UNIX-style path notation, regardless of operating system family \\ |
The server install could be: /C:/CrushFTP11/ , in __UNIX-style__ path notation, regardless of operating system family \\ |
At line 15 changed 4 lines |
file.warn = log an error about the violation, mainly useful for debugging why something got blocked (default=true)\\ |
file.log = if a separate audit log should be kept with all the error info (default=false)\\ |
file.strict = if its true, the action is blocked. Otherwise its allowed and just the error info is logged (default=false)\\ |
security.exec = controls if external processes can be launched from the Preview config or not (default=true)\\ |
__file.warn__ = log an error about the violation, mainly useful for debugging why something got blocked (default=true)\\ |
__file.log__ = if a separate audit log should be kept with all the error info (default=false)\\ |
__file.strict__ = if its true, the action is blocked. Otherwise its allowed and just the error info is logged (default=false)\\ |
__security.exec__ = controls if external processes can be launched from the Preview config, Execute task, etc (default=true)\\ |
__security.classloader__ = controls if DB drivers and other classes can be loaded on the fly and not part of the classpath (default=false)\\ |
__security.stop_start__ = controls if server process can be restarted or stopped (default=true)\\ |
__security.tunnels_allowed__ = controls if the server allows users configured with a tunnel to utilize them (default=true)\\ |
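Review bot: the new entry is named security.tunnels_allowed, but both launcher examples on this page set -Dcrushftp.server.tunnels_allowed. One of the two names is wrong; a reader who copies the wrong one may believe tunnels are disabled while the default (true) stays in effect. The file.warn, file.log and file.strict entries likewise omit the server. prefix that the vmarg lines use. Suggest listing every flag by the full property name exactly as it is passed to the JVM.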
At line 22 changed one line |
vmarg.2=-Dcrushftp.server.root=C:/CrushFTP9/ |
vmarg.2=-Dcrushftp.server.root=C:/CrushFTP11/ |
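Review bot: the value on vmarg.2 is C:/CrushFTP11/ with no leading slash, whereas the line 8 text gives the same install as /C:/CrushFTP11/ in UNIX-style notation. Since the page states that path arguments are case sensitive and that a misconfiguration with strict=true prevents startup, say explicitly which form the argument expects, or make the two examples agree.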
At line 25 changed 3 lines |
vmarg.5=-Dcrushftp.server.file.log=false |
vmarg.6=-Dcrushftp.security.exec=true |
vmarg.7=-Dcrushftp.server.file.strict=true |
vmarg.5=-Dcrushftp.server.file.log=true |
vmarg.6=-Dcrushftp.security.exec=false |
vmarg.7=-Dcrushftp.security.classloader=false |
vmarg.8=-Dcrushftp.security.stop_start=false |
vmarg.9=-Dcrushftp.server.file.strict=true |
vmarg.10=-Dcrushftp.server.tunnels_allowed=false |
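Review bot: this Windows example now sets file.log=true, security.exec=false and security.stop_start=false, while the Linux launcher line at line 34 keeps file.log=false, security.exec=true and security.stop_start=true, with no explanation of why the two platforms differ. Either align them or label one as the hardened profile. Also note beside vmarg.6 that security.exec=false stops external processes launched from the Preview config and Execute task, per the flag list, so readers who rely on previews know the trade-off.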
At line 30 changed one line |
Edit the startup launcher (OSX=CrushFTP.command file in the CrushFTP folder, CrushFTP9.app/Contents/MacOS/CrushFTP.command) (Linux=/var/opt/CrushFTP9/crushftp_init.sh)\\ |
Edit the startup launcher (OSX=CrushFTP.command file in the CrushFTP folder) (Linux=/var/opt/CrushFTP11/crushftp_init.sh)\\ |
At line 34 changed one line |
-Dcrushftp.server.root=/var/opt/CrushFTP9/ -Dcrushftp.user.root=/home/UserData/ -Dcrushftp.server.file.warn=true -Dcrushftp.server.file.log=false -Dcrushftp.server.file.strict=true -Dcrushftp.security.exec=true -Xmx......... |
-Dcrushftp.server.root=/var/opt/CrushFTP11/ -Dcrushftp.user.root=/home/UserData/ -Dcrushftp.server.file.warn=true -Dcrushftp.server.file.log=false -Dcrushftp.server.file.strict=true -Dcrushftp.security.exec=true -Dcrushftp.security.classloader=false -Dcrushftp.security.stop_start=true -Dcrushftp.server.tunnels_allowed=false -Xmx......... |
At line 37 changed one line |
''In all cases, matching case is important even if the OS filesystem is not case sensitive.'' |
''Path arguments are __case sensitive__ even if the OS/filesystem is not.'' |
|
Applying the crushftp.server.root and crushftp.user.root JVM runtime parameters at least , will have the equivalent results of UNIX chrooting. |
\\ |
!IMPORTANT\\ |
Before applying the restrictive run time arguments, the __TempAccounts__ and __Preview__ folders need to be moved under the path set for user root. The server __SSL keystore__ file to be moved under the server root. Then the settings updated accordingly.\\ |
Especially in case of setting the __Dcrushftp.server.file.strict__ flag to __true__, for in case of any kind of misconfiguration in this area, the server process will not start.\\ |
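Review bot: the added IMPORTANT block repeats the folder-move requirement from the line 5 paragraph but is the only place that mentions moving the SSL keystore under the server root; merge the two so that all prerequisites sit in one list ahead of the launcher examples. In the last line the flag is written "Dcrushftp.server.file.strict" without the leading hyphen, and the sentence has no main clause ("Especially in case of ..., for in case of ..."). "The server SSL keystore file to be moved" also lacks a verb, and "at least ," has a stray space before the comma.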