upload.configuration.howto

wu-ftpd类unix下的ftp服务器,可用于嵌入式系统

 
  Copyright (c) 1999,2000 WU-FTPD Development Group.  
  All rights reserved.
  
  Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994
    The Regents of the University of California.
  Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
  Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
  Portions Copyright (c) 1989 Massachusetts Institute of Technology.
  Portions Copyright (c) 1998 Sendmail, Inc.
  Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P.  Allman.
  Portions Copyright (c) 1997 Stan Barber.
  Portions Copyright (c) 1997 Kent Landfield.
  Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997
    Free Software Foundation, Inc.  
 
  Use and distribution of this software and its source code are governed 
  by the terms and conditions of the WU-FTPD Software License ("LICENSE").
 
  If you did not receive a copy of the license, it may be obtained online
  at http://www.wu-ftpd.org/license.html.
 
  $Id: upload.configuration.HOWTO,v 1.2 2000/07/01 18:49:32 wuftpd Exp $
 


                           Upload Configuration
                                  HOW-TO

This document is available on-line at:
  ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO

One of the more powerfull, yet most often misused, features of WU-FTPD is
the upload clause.  Historically, the problems with the upload clause stem
from unclear documentation and poor implementation.  This document is an
attempt to address these issues.  The features discussed in this document
apply to WU-FTPD Version 2.6.0.  If you are not running 2.6.0, you are
strongly encouraged to upgrade; it includes a number of corrections, new
features and security enhancements not available with earlier versions of
WU-FTPD.



Upload restrictions for anonymous FTP users
-------------------------------------------
For this example, we'll assume your system /etc/passwd file contains an
entry for the anonymous FTP user as follows:

ftp:*:95:95::/home/ftp:

If your /etc/passwd file does not contain an entry for the user 'ftp' your
site will not allow anonymous FTP.  In addition, if the usernames 'ftp' or
'anonymous' appear in the /etc/ftpusers file, anonymous FTP will not be
allowed.

In /etc/ftpaccess, we need a class which allows anonymous access.  The
following allows anonymous FTP from anywhere:

class anonftp anonymous *

To prevent anonymous FTP users attempting a Denial of Service (DoS) attack
against your system, you should create a special filesystem to receive
their uploads.  This separate filesystem protects your server by limiting
the total size of all uploaded files while preventing those files from
consuming all available space on the server.  For this example, mount the
filesystem on /home/ftp/incoming

By default, the server will not allow uploads from anonymous FTP users.
Just to be safe, and so we don't forget, let's add a clause saying that:

upload /home/ftp * no

What this says is, "For any user whose home directory is the anonymous FTP
area, /home/ftp, do not allow any uploads."  As I said, this is the
default, but put it in anyway so you don't forget.

Now, we want to allow uploads into the incoming filesystem.  We MUST add a
clause granting that privilege to anonymous users.  Right now we don't want
to let anonymous users create directories.  (I recommend NEVER allowing them
to do it, but I'll show you how in a bit.)  We want to ensure, however,
the server is safe and cannot be used as a way-point for software pirates
(warez traders).  So we'll set the directory permissions for the incoming
area to prevent anyone seeing what's there and make the area write-only for
anonymous users.

First, we need an FTP site administrator, someone who owns the files, but
isn't the root user or the anonymous user.  Something like the following
/etc/passwd entry will do:

ftpadmin:*:96:96::/home/ftp:

Set the incoming area permissions and ownership to safe values.  I
recommend the following:

chown ftpadmin /home/ftp/incoming
chgrp ftpadmin /home/ftp/incoming
chmod 3773 /home/ftp/incoming

Actually, ftpadmin should own more of the site, but I'm only talking about
uploads right now.

Finally, before we get into allowing uploads, one last thing.  Whether you
allow on-the-fly tar'ing of directories or not, you should make sure an
end-run cannot be made and the incoming area downloaded using tar.  To do
so, create the special file '.notar' in both the FTP directory and the
incoming area:

touch /home/ftp/.notar
chmod 0 /home/ftp/.notar
touch /home/ftp/incoming/.notar
chmod 0 /home/ftp/incoming/.notar

The zero-length .notar file can confuse some web clients and FTP proxies,
so let's mark it unretrievable.

noretrieve .notar

Time to allow uploads, put the following in /etc/ftpaccess:

upload /home/ftp /incoming yes ftpadmin ftpadmin 0440 nodirs

Notice the target directory for the uploads is relative to the view the
user will have during the FTP session.

What this says is, "For any user whose home directory is the anonymous FTP
area, /home/ftp, allow uploads into the directory /incoming but do not
allow the creation of new directories.  Make all files uploaded owned by
the FTP administrator, mark them read-only so we don't allow them to be
downloaded."  If uploaded files are to be made available for downloading,
the safest thing to do is to tell the FTP administrator to move them into a
public area and modify the permissions after validating and approving them.
I know this seems draconian but, in the long run, it's best.

Some FTP sites like to live dangerously and allow anonymous users to create
directories.  I don't recommend this; it cannot be done with absolute
safety.  If you insist, however, you can at least limit it to a single
directory level.  For example, replace the upload clause just added with
the following:

upload /home/ftp /incoming   yes ftpadmin ftpadmin 0440 dirs 3773
upload /home/ftp /incoming/* yes ftpadmin ftpadmin 0440 nodirs

The first line allows directories to be created in the incoming area and
enforces the use of safe permissions on them.  The second prevents creation
of deeper sub-directories.  Notice one of the problems with allowing
directory creation is there is no way to automatically create a '.notar' in
the new directory, so a crafty user may be able to make an end-run and
download it anyway using on-the-fly tar'ing.

One last thing: since the incoming area shouldn't allow downloads, and
since it's a file system, there will be a lost+found area; you will want to
add the following clause to make SURE no downloads occur:

noretrieve /home/ftp/incoming

or, at least, add the following to prevent downloading of the lost+found
files:

noretrieve /home/ftp/incoming/lost+found



Upload restrictions for guest users
-----------------------------------
Setting up the FTP server for guest users is covered in the Guest HOWTO.
It is not my purpose here to cover how to set up for guest access.  If you
have not yet done so, review the information in that document at:

  ftp://ftp.fni.com/pub/wu-ftpd/guest-howto

For this example, I'll assume you have entries similar to the following in
your system /etc/passwd file:

dick:*:1010:1010::/home/users/./dick:/bin/sh
jane:*:1011:1011::/home/users/./jane:/bin/sh

By default, the WU-FTPD server will grant upload privileges to all guest
users.  The example users are chroot'd to /home/users and cannot access any
area of the filesystem outside that directory structure.  What we're
interested in, then, is simply protecting the areas in the chroot directory
structure we want to keep the users out of.

In a minimal installation, there will be bin, etc and dev, subdirectories
in the /home/users directory.  Other files and subdirectories may exist
depending upon the requirements of your operating system.  We don't want
users being able to upload into these areas.  In case something happens to
the permissions on them (you did set the permissions to safe values, didn't
you?), you should deny upload privileges in your ftpaccess file.  In our
case, we'll say the following:

upload /home/users/* /    no
upload /home/users/* /bin no
upload /home/users/* /etc no
upload /home/users/* /dev no

While we're at it, we'll prevent downloads with noretrieve.  Don't forget
to prevent end-runs by also creating .notar files in each directory.

noretrieve /home/users/bin
noretrieve /home/users/etc
noretrieve /home/users/dev



Upload restrictions for real users
----------------------------------
First off, let me say you shouldn't have any real users in your FTP site.
Or, being more realistic, the only real user should be the site
administrator.  That being said, real users should be restricted to
uploading only into specific areas.  Let's start with a real user in
/etc/passwd:

ftpadmin:*:109:109::/home/users/ftpadmin:/bin/sh

Again, by default, the server will grant upload privileges everywhere, so
we have to start by revoking them and only allowing what we want to:

upload /home/users/ftpadmin *                      no
upload /home/users/ftpadmin /tmp                   yes nodirs
upload /home/users/ftpadmin /home/users/ftpadmin   yes
upload /home/users/ftpadmin /home/users/ftpadmin/* yes
upload /home/users/ftpadmin /home/ftp/incoming     yes ftpadmin ftpadmin 0440 nodirs



About matching rules
--------------------
Use extreme care when forming wildcard matching rules.  It may be tempting
to say, for instance:

upload /home/users/ftpadmin /home/users/ftpadmin* yes