====== Enable Upload Script ======
To enable the upload script, set the parameter "CallUploadScript" to "yes". On Ubuntu this is done by creating a file called "CallUploadScript" that contains only the word "yes" and placing it in /etc/pure-ftpd/conf.
Now edit the file /etc/default/pure-ftpd-common and add/edit the following:
  UPLOADSCRIPT=/home/pureftpd/uploadscript.sh
  # if set, pure-uploadscript will spawn $UPLOADSCRIPT running as the
  # given uid and gid
  UPLOADUID=1008
  UPLOADGID=1008
This will call the script "/home/pureftpd/uploadscript.sh" after an upload event and run it as the user given by uid=1008/gid=1008. To find the values for a user just run:
  # id pureftpd
  uid=1008(pureftpd) gid=1008(pureftpd) groups=1008(pureftpd)
====== The Upload Script ======
Now to the script.
Of course you will have to make sure it has execution permissions:
  # chmod +x /home/pureftpd/uploadscript.sh
===== A Word of Caution =====
You will also have to consider **very** carefully what you put into the script. The script will run no matter who uploads or what is uploaded, and it can become a security hole. As you do not control what is uploaded or what it is called, it could inadvertently do bad stuff to your system.
===== The Story =====
My need for an uploadscript was to determine if a file was a picture and not some funny Windows malware (Linux has saved a lot of Windows machines LOL). A customer of mine was getting a lot of documents scanned by a bureau with a massive virus-infected network (cheap labour does come at a price :-)). To minimize the risk of uploading crapware I was told to find a simple (and cheap) solution. As I knew that the uploaded files were only pictures, a simple filter testing for that was an easy choice. You could choose to extend the action and also virus-scan the files, that would be a very easy job to do - just add another if-then test cycle to the script and throw in [[http://www.clamav.net/|Clam AV]] or some other anti-virus vendor.
===== The Script =====
I'm simply testing the file with the command "file" to determine what filetype it is. I rely on the fact that "file" does its job correctly. If you could fool the tool into believing that a file is a picture when it is instead a Windows executable, there is a very big chance that someone will double click on it and start the menace.
Back to the script. If the file is a picture of either GIF or PNG type it will be accepted and moved into /home/pureftpd/upload.
If it is of any other type it will be deleted and a mail is sent to user@spammenot.dk.
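  #!/bin/bash
  # pure-uploadscript passes the path of the uploaded file as $1
  logger uploadscript
  # -b (brief) keeps the file name out of the output, so only the content decides
  FILETYPE=$(file -b -- "$1" | cut -c 1-4 | tr -d " ")
  if [ "$FILETYPE" = "GIF" ] || [ "$FILETYPE" = "PNG" ]; then
      # accepted: move the picture to the upload area
      mv -- "$1" /home/pureftpd/upload
  else
      # anything else is deleted and reported by mail
      rm -- "$1"
      echo "$1 uploaded and deleted again" | /usr/bin/mail -s "New upload : $1" user@spammenot.dk
  fi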
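
Because the script above relies entirely on "file", and because the uploader also chooses the file name, the following added example (not part of the original page) shows a second, independent check on the PNG/GIF signature bytes plus a stored name whose extension always matches the detected type. The function names sniff_image_type, safe_name and handle_upload are hypothetical, and the destination directory is supplied by the caller.

```bash
#!/bin/sh
# Added example, not the original page's script. Function names are
# hypothetical; the destination directory is passed in by the caller.

# Print "png", "gif" or "other" based only on the file's leading signature bytes.
# ( ) bodies keep variables local while staying POSIX sh compatible.
sniff_image_type() (
    sig=$(head -c 8 < "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        89504e470d0a1a0a)            echo png ;;    # \x89 P N G \r \n \x1a \n
        474946383761*|474946383961*) echo gif ;;    # "GIF87a" or "GIF89a"
        *)                           echo other ;;
    esac
)

# Build the stored name: drop directories and every extension the uploader
# chose, keep only [A-Za-z0-9_-], then append the extension of the detected type.
safe_name() (
    base=${1##*/}
    base=${base%%.*}
    base=$(printf '%s' "$base" | LC_ALL=C tr -c 'A-Za-z0-9_-' '_')
    printf '%s.%s\n' "${base:-upload}" "$2"
)

# handle_upload FILE DESTDIR
# Accepted image: moved to DESTDIR, stored path printed.
# Not an image: deleted, "rejected" printed, status 1.
# Target name already taken: upload left in place, "exists" printed, status 1.
handle_upload() (
    kind=$(sniff_image_type "$1")
    if [ "$kind" = other ]; then
        rm -f -- "$1"
        echo rejected
        return 1
    fi
    dest="$2/$(safe_name "$1" "$kind")"
    if [ -e "$dest" ]; then        # never overwrite an earlier upload
        echo exists
        return 1
    fi
    mv -- "$1" "$dest" && echo "$dest"
)
```

In the upload script this would be called as handle_upload "$1" /home/pureftpd/upload, with the mail notification sent when it returns a non-zero status.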