MultiDeveloper

Reputation: 11

How can I prevent a user from uploading PHP files with FTP?

I have installed Webmin on Ubuntu Desktop and created a user with shell /bin/rbash so the user can upload files to the server with FTP. Now I want to be able to prevent the user from uploading PHP files to the server. I have tried to create a .htaccess file, and I have tested many different .htaccess snippets, but it's not working... Can somebody give me a hint on how to solve the problem?

Thanks

Upvotes: 0

Views: 1707

Answers (2)

MultiDeveloper

Reputation: 11

I managed to solve my problem by entering PathDenyFilter "(\\.php)$" in the proftpd.conf file.

Upvotes: 1

Pilskalns

Reputation: 350

As a direct answer to the question, there could be 2 approaches:

  1. You want to allow the user to submit / download files through FTP only. Then you should put the FTP folder outside the webroot. Then no script of any kind could be executed.
  2. You want to allow the user to submit files through FTP and allow them to be viewed through the web (it sounds like that's your current case). Then, to disable PHP execution, put a .htaccess file with the following code in the FTP upload directory:

         # Turn the PHP engine off when mod_php5 is loaded
         <IfModule mod_php5.c>
         php_flag engine 0
         </IfModule>

         # Map script extensions to the CGI handler, then forbid CGI execution in this directory
         AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
         Options -ExecCGI

I took this code from the Wordfence WordPress plugin's upload directory .htaccess, and I am assuming that you have Apache, since you mention htaccess. Or do you have nginx? You chose Ubuntu Desktop; would this machine be available on the public internet?

IMHO, I would not suggest allowing users to upload files inside the webroot, because they can upload anything without validation. It takes only 1 malicious execution of a script to create a dangerous backdoor to your server. Instead of that, I would suggest a PHP upload, where you can check that it is a true image (not a PHP file with an image-like extension), check the size, etc.

If you need to allow uploading large files (through FTP) and show them as existing, choose my 1st option and then scan that directory with PHP and list them out. You can do it with RecursiveDirectoryIterator.

Upvotes: 0
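
Option 1 combined with the directory scan from the last paragraph of the answer above, as an added example that is not part of the original answer: the FTP directory stays outside the web root, and a PHP script lists its files and serves them only as downloads. `FTP_ROOT`, the `f` query parameter and the helper function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);
const FTP_ROOT = '/srv/ftp/uploads'; // assumption: FTP directory outside the DocumentRoot
/** True when the resolved path $real lies below the resolved directory $base. */
function insideBase(string $real, string $base): bool
{
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}
/** Relative names of all regular files under $root (symlinks leading outside are skipped). */
function listUploads(string $root): array
{
    $base = realpath($root);
    if ($base === false) { return []; }
    $found = [];
    $dir = new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS);
    foreach (new RecursiveIteratorIterator($dir) as $file) {
        $real = $file->getRealPath();
        // isFile() follows symlinks, so test the resolved path, not the name
        if ($real !== false && $file->isFile() && insideBase($real, $base)) {
            $found[] = substr($real, strlen($base) + 1);
        }
    }
    sort($found);
    return $found;
}
/** Map a requested relative name to a real file inside $root, or null (blocks ../ traversal). */
function resolveUpload(string $root, string $relative): ?string
{
    if (strpos($relative, "\0") !== false) { return null; }
    $base = realpath($root);
    $real = realpath($root . DIRECTORY_SEPARATOR . $relative);
    $ok = $base !== false && $real !== false && is_file($real) && insideBase($real, $base);
    return $ok ? $real : null;
}

if (isset($_GET['f']) && is_string($_GET['f'])) { // "f" is an assumed parameter name
    $path = resolveUpload(FTP_ROOT, $_GET['f']);
    if ($path === null) { http_response_code(404); exit; }
    // Serve as an opaque attachment so nothing uploaded is rendered or executed
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safe . '"');
    readfile($path);
    exit;
}
foreach (listUploads(FTP_ROOT) as $name) {
    echo '<a href="?f=', rawurlencode($name), '">', htmlspecialchars($name, ENT_QUOTES), "</a><br>\n";
}
```

Because the script reads uploaded files with `readfile()` and never includes them, an uploaded `.php` file is delivered as bytes rather than run.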
