This "howto" gives the details of how to set up anonymous ftp for your Un*x machine (specific details are for Linux, but are generally applicable). The assumption is that ftp is already enabled. If not then check the following files and modify them accordingly:
Setting up anonymous ftp
- Add ftp as a user with a home directory, but no shell and no password, to disallow any type of shell login. The uid & gid need to follow the usual rules for accounts.
/etc/passwd:
ftp:*:400:400::/u/ftp:/bin/false
/etc/group:
ftp::400:root,bin,src,rk
- Change to the ftp home directory (cd ~ftp) and create the directories (etc, bin, pub, lib) with restricted permissions and ownership:
mkdir etc bin pub lib
chmod 755 etc bin pub lib .
chown root.root etc bin pub lib .
- Anonymous ftp attempts to make things more secure by using the chroot mechanism, which changes the root to something lower in the directory tree. This requires that some of the system files be copied to this "new" root.
Copy & edit the system /etc/passwd & /etc/group to ~ftp/etc. Strip them to the bare-bones. Remember that any anonymous ftp user can read these, which is why the password fields below hold only "*".
~ftp/etc/passwd:
root:*:0:0:root:/root:/bin/csh
bin:*:1:1:bin:/bin:
adm:*:3:4:adm:/var/adm:
ftp:*:400:400::/u/ftp:/bin/false
~ftp/etc/group:
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
mail::12:mail
news::13:news
uucp::14:uucp
man::15:man
src::16:root,bin,src
ftp::400:root,bin,src
Once they have been created, give these files only read access with:
cd ~ftp/etc
chmod 444 *
- ftp uses a single executable, "ls", which is probably dynamically linked to a run-time library. The following assumes a particular library version (libc.so.5.3.12); substitute whatever ldd reports on your own system.
Discover the dynamically loaded library
ldd /bin/ls
Copy over the executable and library
umask 022
cp /bin/ls ~ftp/bin
cp /lib/libc.so.5.3.12 ~ftp/lib
cp /lib/ld.so ~ftp/lib
cd ~ftp/lib
ln -s libc.so.5.3.12 libc.so.5
- Experience has shown that using the dynamically linked "ls" doesn't work in all cases. (It did work for Linux when it used the a.out format of executables. It does not work under the Linux ELF format.) The following section describes the "easiest" path to create a statically linked ls executable.
- The first thing to do is to grab the latest GNU file utilities collection. The closest & readily available anonymous ftp site is ftp://ftp.cdrom.com/pub/gnu/fileutils-3.16.tar.gz.
- Unzip it and un-tar it somewhere:
tar -xzvf fileutils-3.16.tar.gz
- Go into that directory and execute
cd fileutils-3.16
./configure
- Go into the library directory and build the library
cd lib
make
- Enter the source directory and build only the ls utility with static linking. (The example assumes the GNU gcc compiler & loader is being used. Substitute the appropriate loader command for your system.)
cd ../src
make LDFLAGS=-static ls
- Test it with ldd to make sure it's statically linked, and check that it executes correctly with ./ls
If everything works out, ~ftp/lib can be eliminated once the statically linked ls is moved to ~ftp/bin.
- Add allowed user directories to pub, with the appropriate permissions and ownership:
cd ~ftp/pub
mkdir rk
chown rk.owen rk
chmod 755 rk
If all these steps are successful, you should now have a fully functional anonymous ftp site. User rk will have a directory ~ftp/pub/rk where he can make any file he desires publicly available.
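
The ownership, mode and password-field rules from the steps above can be checked mechanically after the tree is built. The script below is an added example, not part of the original howto; it assumes GNU stat and awk on Linux, and the function name audit_ftp_root and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original howto): audit an anonymous-ftp tree.
# Assumes GNU stat and awk on Linux; audit_ftp_root is an illustrative name.
# usage: audit_ftp_root <ftp-home> [expected-owner]   (owner defaults to root)
# Prints one line per finding; returns 0 when the tree is clean, 1 otherwise.
audit_ftp_root() {
    a_root=$1; a_owner=${2:-root}; a_bad=0
    # Top of the chroot and its system directories: mode 755 and owned by
    # root, so the ftp account cannot replace ls or the passwd/group copies.
    for a_p in "$a_root" "$a_root/etc" "$a_root/bin" "$a_root/pub" "$a_root/lib"; do
        if [ ! -d "$a_p" ]; then
            # lib is optional once a statically linked ls is installed
            [ "$a_p" = "$a_root/lib" ] || { echo "MISSING $a_p"; a_bad=1; }
            continue
        fi
        a_mode=$(stat -c %a "$a_p"); a_own=$(stat -c %U "$a_p")
        [ "$a_mode" = 755 ] || { echo "MODE $a_p is $a_mode, want 755"; a_bad=1; }
        [ "$a_own" = "$a_owner" ] || { echo "OWNER $a_p is $a_own, want $a_owner"; a_bad=1; }
    done
    # Files under etc are world-readable copies and must be read-only (444).
    for a_f in "$a_root"/etc/*; do
        [ -f "$a_f" ] || continue
        a_mode=$(stat -c %a "$a_f")
        [ "$a_mode" = 444 ] || { echo "MODE $a_f is $a_mode, want 444"; a_bad=1; }
    done
    # Any anonymous user can download etc/passwd, so every password field
    # must be the locked marker "*" used in the howto, never a real hash.
    if [ -f "$a_root/etc/passwd" ]; then
        a_names=$(awk -F: '$2 != "*" { printf "%s ", $1 }' "$a_root/etc/passwd")
        [ -z "$a_names" ] || { echo "PASSWD field not \"*\" for: $a_names"; a_bad=1; }
    fi
    return "$a_bad"
}

# Run against a real tree when a path is given, e.g.: sh audit.sh /u/ftp
[ "$#" -eq 0 ] || audit_ftp_root "$@"
```

User directories such as ~ftp/pub/rk are deliberately not checked, since they belong to their own users.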