Anonymous FTP Server

Setting up an anonymous FTP server is relatively easy, but you must do it correctly because you are potentially giving access to your system to everybody on the network. To set up anonymous FTP, you must create a special account with the name ftp. For example:

ftp:*:400:40:Anonymous FTP:/var/spool/ftp:/bin/false

Files that are available by anonymous FTP will be placed in the ftp home directory. You should therefore put the home directory in a special place, such as /var/spool/ftp.

When it is used for anonymous FTP, ftpd uses the chroot() function call to change the root directory of the perceived filesystem to the home directory of the ftp account. For this reason, you must set up that account's home directory as a mini-filesystem. Three directories go into this mini-filesystem:

bin: This directory holds a copy of the /bin/ls program, which ftpd uses to list files. If your system uses dynamic linking and shared libraries, you must either install programs that are statically linked or install the dynamic libraries in the appropriate directory, e.g. /var/spool/ftp/lib.

etc: This directory holds a version of the /etc/passwd and optionally /etc/group files, which are put there so that /bin/ls will print usernames and groupnames when it lists files. Replace the encrypted passwords in these files with asterisks. Some security-conscious sites may wish to delete some or all account names from the passwd file. The only account name that needs to be present is ftp. Actually, if neither file exists, most FTP servers will still work normally.

pub: This directory, short for "public", holds the files that are actually made available for anonymous FTP transfer. You can have as many subdirectories as you wish in the pub directory.

Be sure to place copies of the actual files, or hard links to them, in the mini-filesystem rather than using symbolic links pointing to other places on your system. Because the ftpd program uses the chroot() system call, symbolic links may not behave properly with anonymous FTP. In general, symbolic links that point to locations inside your chroot area will work, and they are commonly used on anonymous FTP sites. However, any symbolic link that points outside the chroot area, or that is an absolute link, will not work.

To create an anonymous FTP site, the following actions need to occur:

1. Create the ftp user id

2. Set up ~ftp/bin

3. Set up ~ftp/etc

4. Set up ~ftp/pub

5. Secure the ~ftp directory

Many ftp servers work fine if the only entries in the passwd file are for root and ftp, and the only entry in the group file is for group ftp. The only side effect is that files left in the ftp directories will show numeric owners and groups when clients do a directory listing. The advantage to having a trimmed file is that even if outsiders do obtain a copy of the file, they will not be able to gain any clues as to your system's usernames. The disadvantage is that the dir command will not show symbolic usernames.
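The five steps above, carried out by a script. This is an added example and not code from the book: it builds the bin, etc and pub directories under a given root, writes trimmed passwd and group files with the password fields replaced by asterisks, and then checks the tree for symbolic links that would stop working once ftpd has called chroot(). It assumes ls is at /bin/ls and that the system files are /etc/passwd and /etc/group; all three can be overridden so the functions can be exercised against constructed copies. Creating the ftp account itself (step 1) is left to your system's account tools.

```shell
#!/bin/sh
# Added example, not taken from the book: build the ~ftp mini-filesystem
# (bin, etc, pub) and check it for symbolic links that break under chroot().
# Assumptions: ls lives at /bin/ls, and the system passwd/group files are
# /etc/passwd and /etc/group (all overridable by argument).

# Copy a passwd- or group-format file, keeping only the named accounts and
# replacing every encrypted password field with "*".
#   trim_passwd SRC DST NAME...
trim_passwd() {
    src=$1; dst=$2; shift 2
    keep=$(IFS=,; printf '%s' "$*")
    awk -F: -v OFS=: -v keep="$keep" '
        BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { $2 = "*"; print }' "$src" > "$dst"
}

# Create ROOT/bin, ROOT/etc and ROOT/pub and populate them.
#   make_ftp_root ROOT [PASSWD] [GROUP] [LS]
make_ftp_root() {
    root=$1; passwd=${2:-/etc/passwd}; group=${3:-/etc/group}; ls_bin=${4:-/bin/ls}
    mkdir -p "$root/bin" "$root/etc" "$root/pub"
    # bin: ls for directory listings. On a dynamically linked system either
    # use a static ls or also copy its shared libraries under ROOT/lib.
    cp "$ls_bin" "$root/bin/ls"
    # etc: trimmed passwd and group, passwords replaced by asterisks, so that
    # ls can show names for root and ftp but leaks no other account names.
    trim_passwd "$passwd" "$root/etc/passwd" root ftp
    trim_passwd "$group" "$root/etc/group" ftp
    # Nothing here may be writable by the ftp user. (Run as root, you would
    # also chown root the directories and chown ftp only the files under pub.)
    chmod 555 "$root" "$root/bin" "$root/etc" "$root/pub"
    chmod 111 "$root/bin/ls"
    chmod 444 "$root/etc/passwd" "$root/etc/group"
}

# Succeed (exit 0) when symbolic link LINK, which lives under ROOT, points
# outside the chroot area: an absolute target, or a relative target that
# climbs above ROOT with "..". Such links stop working once ftpd chroots.
#   link_escapes ROOT LINK
link_escapes() {
    root=$1; link=$2
    target=$(readlink "$link")
    case $target in
        /*) return 0 ;;     # absolute: resolved against the new root, so wrong
    esac
    # Depth of the link's own directory below ROOT.
    rel=${link#"$root"/}
    dir=$(dirname "$rel")
    depth=0
    if [ "$dir" != . ]; then
        depth=$(printf '%s\n' "$dir" | awk -F/ '{ print NF }')
    fi
    # Walk the target's components, tracking how deep we are.
    old_ifs=$IFS; IFS=/
    for comp in $target; do
        case $comp in
            ..) depth=$((depth - 1))
                if [ "$depth" -lt 0 ]; then IFS=$old_ifs; return 0; fi ;;
            .|'') ;;
            *)  depth=$((depth + 1)) ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Print every offending link under ROOT, one per line, as "LINK -> TARGET".
#   bad_links ROOT
bad_links() {
    find "$1" -type l | while read -r l; do
        if link_escapes "$1" "$l"; then
            echo "$l -> $(readlink "$l")"
        fi
    done
}
```

On a real system you would run make_ftp_root /var/spool/ftp as root after creating the ftp account, and re-run bad_links /var/spool/ftp whenever the public area changes, since a link that is fine in the administrator's view of the filesystem is not necessarily fine in ftpd's.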

Allowing Only FTP Access

Sometimes, you may wish to give people permission to FTP files to and from your system, but you may not want to give them permission to actually log in. One simple way to accomplish this goal is to set up the person’s account with a special shell, such as /bin/ftponly. The following will allow for this situation:

1. Create a shell script /bin/ftponly, which prints a polite message if the user attempts to log into her account. An example is:

#!/bin/sh
/bin/cat << XX

You may use FTP to put files on this system, but you may not
use this account to login.

--The Management

XX
/usr/bin/sleep 20

2. Create your user account with /bin/ftponly as its shell.

grossman:Mqu310QJ4akf/E:400:40:Harold Grossman:/export/home/grossman:/bin/ftponly

3. Finally, add the file /bin/ftponly to the file /etc/shells:

# List of acceptable shells for chsh and passwd -s
# Ftpd will not allow users to connect who do not have one of these shells
#
/bin/sh
/bin/csh
/bin/ftponly
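Step 3 matters because ftpd consults /etc/shells before accepting a password login: an account whose shell is /bin/ftponly is refused until that path is listed. The following is an added example, not code from the book, that reproduces this check so you can verify an account's setup before handing it over. The passwd and shells files are passed as arguments so the functions can be run against constructed copies; on a live system they are /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example, not taken from the book: reproduce the test ftpd applies
# before it lets an account in by FTP, namely that the account's login shell
# is listed in /etc/shells. File paths are arguments so the functions can be
# exercised against constructed copies of /etc/passwd and /etc/shells.

# Print the login shell of account USER from PASSWD (nothing if absent).
#   login_shell USER PASSWD
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2"
}

# Succeed when SHELL appears as a whole line in SHELLS. Comment lines and
# blank lines are skipped, as they are in /etc/shells.
#   shell_listed SHELL SHELLS
shell_listed() {
    grep -v '^[[:space:]]*#' "$2" | grep -qxF "$1"
}

# Succeed when USER would get past ftpd's shell check: the account exists,
# has a shell, and that shell is listed in SHELLS. A /bin/ftponly account
# therefore works only once /bin/ftponly has been added to /etc/shells.
#   ftp_login_allowed USER PASSWD SHELLS
ftp_login_allowed() {
    login=$(login_shell "$1" "$2")
    [ -n "$login" ] || return 1
    shell_listed "$login" "$3"
}

# Audit helper: print "USER SHELL" for every account in PASSWD whose shell is
# not in SHELLS. Accounts whose shell is not listed, such as one set to
# /bin/false, cannot log in by FTP with their own password.
#   unlisted_shells PASSWD SHELLS
unlisted_shells() {
    awk -F: '{ print $1, $7 }' "$1" | while read -r user login; do
        shell_listed "$login" "$2" || echo "$user $login"
    done
}
```

A quick check after creating the account from step 2 is ftp_login_allowed grossman /etc/passwd /etc/shells; if it fails, the /etc/shells entry from step 3 is missing. Running unlisted_shells /etc/passwd /etc/shells lists every account that ftpd would turn away, which is also a useful way to spot accounts that were meant to be FTP-only but were given a shell that is not in the list.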