(Dr.R.K.) HOWTO - Anonymous FTP Set Up

This "howto" gives the details on how to set up anonymous ftp on your Un*x machine (the specific details are for Linux, but are generally applicable). The assumption is that ftp is already enabled. If not, check the following files and modify them accordingly:
  • /etc/services - make sure the ftp service exists with a line like:
    ftp             21/tcp
  • /etc/inetd.conf - establish ftp as an inetd service. It should have a line like:
    ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd
    (see the inetd.conf(5), hosts_access(5), & tcpd(8) man pages)
  • /etc/ftpaccess - make sure that it exists and gives the appropriate access to real users as well as anonymous.
    (see the ftpaccess(5) man page)
  • /etc/ftpusers - disallows ftp access for certain privileged users, such as root, uucp, and news. This is done by listing them, one user per line.
    (see the ftpd(8) man page)
  • /etc/ftpconversions - maps how conversions are carried out (e.g. .tar.gz <-> .tar, etc.)
    (see the ftpconversions(5) man page)
Setting up anonymous ftp
  • Add ftp as a user with a home directory, but no shell and no password to disallow any type of shell login. The uid & gid need to follow the usual rules for accounts.
    /etc/passwd:
    ftp:*:400:400::/u/ftp:/bin/false
    /etc/group:
    ftp::400:root,bin,src,rk
  • Change to the ftp home directory (cd ~ftp) and create the directories (etc, bin, pub, lib) with restricted permissions and ownership
    	mkdir etc bin pub lib
    	chmod 755 etc bin pub lib .
    	chown root.root etc bin pub lib .
    
  • Anonymous ftp attempts to make things more secure by using the chroot mechanism, which changes the root to something lower in the directory tree. This requires that some of the system files be copied to this "new" root.
    Copy the system /etc/passwd & /etc/group to ~ftp/etc and edit the copies. Strip them to the bare bones. Remember that any anonymous ftp user can read these.
    ~ftp/etc/passwd:
    root:*:0:0:root:/root:/bin/csh
    bin:*:1:1:bin:/bin:
    adm:*:3:4:adm:/var/adm:
    ftp:*:400:400::/u/ftp:/bin/false
    
    ~ftp/etc/group:
    root::0:root
    bin::1:root,bin,daemon
    daemon::2:root,bin,daemon
    sys::3:root,bin,adm
    adm::4:root,adm,daemon
    mail::12:mail
    news::13:news
    uucp::14:uucp
    man::15:man
    src::16:root,bin,src
    ftp::400:root,bin,src
    
    Once they have been created, give these files only read access with:
    	cd ~ftp/etc
    	chmod 444 *
    
  • ftp uses a single executable, "ls", which is probably dynamically linked to a run-time library. The following assumes some version, which should be modified for your own set-up.
    Discover the dynamically loaded library
    	ldd /bin/ls
    
    Copy over the executable and library
    	umask 022
    	cp /bin/ls ~ftp/bin
    	cp /lib/libc.so.5.3.12 ~ftp/lib
    	cp /lib/ld.so ~ftp/lib
    	cd ~ftp/lib
    	ln -s libc.so.5.3.12 libc.so.5
    
  • Experience has shown that using the dynamically linked "ls" doesn't work in all cases. (It did work for Linux when it used the a.out format of executables. It does not work under the Linux ELF format.) The following section describes the "easiest" path to create a statically linked ls executable.
    1. The first thing to do is to grab the latest GNU file utilities collection. The closest & readily available anonymous ftp site is ftp://ftp.cdrom.com/pub/gnu/fileutils-3.16.tar.gz.
    2. Unzip and un-tar it somewhere:
      	tar -xzvf fileutils-3.16.tar.gz
        
    3. Go into that directory and execute
      	cd fileutils-3.16
      	./configure
        
    4. Go into the library directory and build the library
      	cd lib
      	make
        
    5. Enter into the source directory and build only the ls utility with static linking. (The example assumes the GNU gcc compiler & loader is being used. Substitute the appropriate loader command for your system.)
      	cd ../src
      	make LDFLAGS=-static ls
        
    6. Test it with ldd to make sure it's statically linked and that it executes correctly with ./ls

    If everything works out, ~ftp/lib can be eliminated once the statically linked ls is moved to ~ftp/bin.

  • Add allowed user directories to pub, with the appropriate permissions and ownership
    	cd ~ftp/pub
    	mkdir rk
    	chown rk.owen rk
    	chmod 755 rk
    
If all these steps are successful, you should now have a fully functional anonymous ftp site. User rk will have a directory ~ftp/pub/rk where he can make any file he desires publicly available.
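
To verify the result of the steps above, here is an audit script (an added example, not part of the original howto). The function names, the "FINDING:" output format and the rule that every password field in ~ftp/etc/passwd must be "*" (as in the sample file above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an anonymous-ftp tree laid out as in this howto.
# Usage: audit_anonftp FTPHOME [OWNER_UID]   (OWNER_UID defaults to 0, i.e. root)
# Prints one "FINDING:" line per problem; returns 0 when clean, 1 otherwise.

perm_uid() { ls -ldn "$1" | awk '{print $1, $3}'; }   # -> "mode-string numeric-uid"

audit_anonftp() {
    root=$1; want_uid=${2:-0}; findings=0
    note() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Home directory plus etc/bin/pub/lib: mode 755 and owned by root.
    for d in . etc bin pub lib; do
        p=$root/$d
        if [ ! -d "$p" ]; then
            # lib may be absent once a statically linked ls is in bin
            [ "$d" = lib ] || note "$p is missing"
            continue
        fi
        set -- $(perm_uid "$p")
        case $1 in drwxr-xr-x*) ;; *) note "$p has mode $1, expected drwxr-xr-x" ;; esac
        [ "$2" = "$want_uid" ] || note "$p is owned by uid $2, expected $want_uid"
    done

    # Files under etc must be read-only for everyone (chmod 444).
    for f in "$root"/etc/*; do
        [ -f "$f" ] || continue
        set -- $(perm_uid "$f")
        case $1 in -r--r--r--*) ;; *) note "$f has mode $1, expected -r--r--r--" ;; esac
    done

    # The chroot passwd is world-readable: every password field must be "*".
    if [ -r "$root/etc/passwd" ]; then
        while IFS=: read -r user pw rest; do
            [ "$pw" = "*" ] || note "etc/passwd entry '$user' has a password field other than *"
        done < "$root/etc/passwd"
    fi

    # No directory in the tree should be writable by everyone.
    ww=$(find "$root" -type d -perm -0002 2>/dev/null) || true
    [ -z "$ww" ] || note "world-writable directories: $ww"

    [ "$findings" -eq 0 ]
}
```

Run it as `audit_anonftp ~ftp` after any change to the tree; a non-zero exit status means at least one finding was printed.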

Brought to you by: R.K. Owen,Ph.D.
This page is http://rkowen.owentrek.com/howto/anonftp.html