FTP account how safe?


phppete
05-04-2008, 09:08 AM
How safe is it to give someone their own FTP account on my web space to upload files?

I assume the worst they could do is create directories and files? Would I be correct in assuming it would be impossible for them to cause any damage or gain access to any other area? The directory for the user would be /big/dom/domain/user so presumably they can only cause chaos in that directory?

I tried moving into my root as this new user but couldn't execute any commands such as ls, mkdir, etc.

hobbes
05-04-2008, 09:18 AM
Should be safe as long as it's not under the web/cgi roots, and no vulnerabilities exist within those that would permit access to the files.

phppete
05-04-2008, 09:22 AM
Thanks, just wanted to be sure :)

johnfl68
05-04-2008, 10:24 AM
Another option to consider, if they are uploading only and don't need access to the files, is to set the new FTP account as "Write-Only".

John

SteveYoung
05-04-2008, 01:35 PM
We have supported this for our customers to get large files to us for five or so years here on FQ. We use one area we call "Files2image" and provide the password to all our customers that request it. We tried the write only, but they could not see the files after they sent them.

We provide Read-Write; the worst thing is the customers can see and have access to other customers' files. We get comments: "Oh, we did not know you do work for THEM". Kind of like virtual name dropping. :)

Matt
05-05-2008, 02:53 AM
If you are allowing uploads to any path within your web directory, then you must include an .htaccess so that users cannot access the files via the web (put it one directory above the user directory so that users cannot delete it). Otherwise, nothing would prevent a user from uploading a PHP file management script to gain access to all files on your server. Just because a user is FTP-limited does not mean the script is going to obey the same limits.

-Matt
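
A defender-side check for the layout discussed in this thread, as an added example that is not part of the original posts: it classifies an FTP upload directory as outside the web root, protected by a deny-all .htaccess in a directory above it, or exposed. The function name `audit_upload_dir`, the sample directory names and the deny-directive pattern are assumptions made for illustration, and the check assumes Apache is configured to honor .htaccess files (AllowOverride).

```python
import re
import tempfile
from pathlib import Path

# Heuristic: a line that denies all web requests (Apache 2.4 or 2.2 syntax).
# It does not parse <Files>/<Limit> sections or verify AllowOverride.
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$",
                     re.IGNORECASE | re.MULTILINE)

def audit_upload_dir(docroot, upload_dir):
    """Return 'outside-webroot', 'protected' or 'exposed' for one upload dir."""
    docroot = Path(docroot).resolve()
    upload_dir = Path(upload_dir).resolve()
    if upload_dir != docroot and docroot not in upload_dir.parents:
        return "outside-webroot"
    # Only directories above the upload dir count: an .htaccess inside the
    # upload dir itself can be deleted or replaced by the FTP user.
    current = upload_dir.parent
    while current == docroot or docroot in current.parents:
        htaccess = current / ".htaccess"
        if htaccess.is_file() and DENY_RE.search(
                htaccess.read_text(errors="replace")):
            return "protected"
        current = current.parent
    return "exposed"

def demo():
    """Audit three layouts in a constructed sample tree (not real paths)."""
    layouts = {"alice": "www/uploads/alice",   # deny-all one level above
               "bob": "www/open/bob",          # .htaccess only in own dir
               "carol": "ftp/carol"}           # not under the web root
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        docroot = base / "www"
        for rel in layouts.values():
            (base / rel).mkdir(parents=True)
        (docroot / "uploads" / ".htaccess").write_text("Require all denied\n")
        (docroot / "open" / "bob" / ".htaccess").write_text("Deny from all\n")
        return {user: audit_upload_dir(docroot, base / rel)
                for user, rel in layouts.items()}

if __name__ == "__main__":
    for user, verdict in demo().items():
        print(f"{user}: {verdict}")
```
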