



<CENTER>







<FONT SIZE=4 COLOR="#FF0000"><B>Setting Up ftpd</B></FONT></CENTER></H4>







<BR>







<P>The FTP daemon, ftpd, must be started on the FTP server (some Linux distributions ship wu-ftpd as the server instead). The daemon is usually handled by inetd rather than by the rc startup files, so ftpd runs only while someone is actually connected. This approach is best for all but the most heavily loaded FTP sites. When ftpd is started by inetd, inetd itself listens on the FTP command port (TCP port 21); when a connection request arrives it accepts the connection and spawns a fresh ftpd to handle that session.







<BR>







<P>Make sure that inetd can start the ftpd daemon by checking the inetd configuration file (usually /etc/inetd.conf) for a line that looks like the following:







<BR>







<BR>







<PRE>







<FONT COLOR="#000080">ftp stream tcp nowait root /usr/etc/ftpd ftpd -l</FONT></PRE>







<P>If the line doesn't exist, add it to the file. On most Linux systems the line is already there, although it may be commented out; remove the leading # if so. The fields tell inetd that ftp is a stream service over TCP, that it should not wait for one server to finish before accepting the next connection (nowait), that the server is to run as root, and which program to execute (followed by its argument list, starting with the program name) every time a new connection arrives on the FTP port. In the preceding example, ftpd is started with the -l option, which enables logging. You can omit it, but logging costs little and is usually the only record you will have of who connected and what they tried to do.







<BR>







<P>There are several ftpd options that you can add to the /etc/inetd.conf line to control ftpd's behavior. The most commonly used options are as follows:







<BR>















<TABLE  BORDERCOLOR=#000040 BORDER=1 CELLSPACING=2 WIDTH="100%" CELLPADDING=2 >







<TR>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







-d







</FONT>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







This option adds debugging information to the syslog.</FONT>







<TR>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







-l







</FONT>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







This option activates logging of sessions (only failed and successful logins, not debug information). If the -l option is specified twice, all commands are logged, too. If specified three times, the sizes of all get and put transfers are logged as well.</FONT>







<TR>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







-t







</FONT>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







This option sets the inactivity timeout: ftpd closes a session that has been idle for this long. The value, in seconds, follows the -t option; the default is 15 minutes (900 seconds).</FONT>







<TR>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







-T







</FONT>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







This option sets the maximum timeout period (in seconds) that a client may ask for; a client can request a longer idle timeout than the -t default with the FTP SITE IDLE command, but never more than this limit. The default is two hours.</FONT>







<TR>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







-u







</FONT>







<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>







This option sets the umask value for files uploaded to the local system. The default umask is 022. Clients can request a different umask value.</FONT>







</TABLE><BR>
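<P>The following script is an added example for this chapter, not code from the book or from inetd. It parses the fields of an inetd.conf entry as described above, interprets the ftpd options from the table (including repeated -l and clustered forms such as -ll), and runs the checks an administrator would want after editing the file: is the ftp line present and uncommented, is it stream/tcp/nowait/root, is logging on, and is the umask sane. The inetd.conf content embedded in it is constructed, modelled on the line quoted earlier.

```python
"""Check how the ftp service is wired into inetd.conf.

Added example for this chapter, not code from the book or from inetd.
"""

# Constructed sample, modelled on the line quoted in the chapter. The first
# ftp line is the commented-out form many distributions ship with.
SAMPLE_INETD_CONF = """\
# service socket proto wait/nowait user server-path args
#ftp    stream  tcp     nowait  root    /usr/etc/ftpd    ftpd -l
ftp     stream  tcp     nowait  root    /usr/etc/ftpd    ftpd -l -l -t 600 -T 3600 -u 022
telnet  stream  tcp     nowait  root    /usr/etc/telnetd telnetd
"""

FIELDS = ("service", "socket", "proto", "wait", "user", "server")


def find_service(text, service="ftp"):
    """Return the entry for `service` as a dict, preferring an active line
    over a commented-out one; None if the service does not appear at all.
    argv is the server's argument list, argv[0] being the program name."""
    disabled = None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.lstrip("# ").split()
        if len(parts) < 6 or parts[0] != service:
            continue
        entry = dict(zip(FIELDS, parts[:6]), argv=parts[6:],
                     enabled=not line.startswith("#"))
        if entry["enabled"]:
            return entry
        disabled = entry
    return disabled


def ftpd_options(argv):
    """Interpret ftpd's argv. Defaults are the ones the table quotes:
    15-minute idle timeout, 2-hour maximum client timeout, umask 022."""
    opts = {"debug": False, "log_level": 0, "timeout": 900,
            "max_timeout": 7200, "umask": 0o022, "other": []}
    args = list(argv[1:])
    while args:
        arg = args.pop(0)
        if not arg.startswith("-") or arg == "-":
            opts["other"].append(arg)
            continue
        flags = arg[1:]
        while flags:                      # clustered flags such as -ll
            flag, flags = flags[0], flags[1:]
            if flag == "d":
                opts["debug"] = True
            elif flag == "l":             # 1: logins, 2: +commands, 3: +transfer sizes
                opts["log_level"] = min(opts["log_level"] + 1, 3)
            elif flag in "tTu":           # value attached (-t600) or separate (-t 600)
                value = flags or (args.pop(0) if args else None)
                if value is None:
                    raise ValueError(f"-{flag} requires a value")
                flags = ""
                if flag == "t":
                    opts["timeout"] = int(value)
                elif flag == "T":
                    opts["max_timeout"] = int(value)
                else:
                    opts["umask"] = int(value, 8)
            else:
                opts["other"].append("-" + flag)
    return opts


def review_ftp_entry(text):
    """Checks to run after editing inetd.conf. Returns a list of findings,
    empty when the ftp line is enabled and sensibly configured."""
    entry = find_service(text)
    if entry is None:
        return ["no ftp entry: inetd will never spawn ftpd"]
    findings = []
    if not entry["enabled"]:
        findings.append("ftp entry is commented out; remove the leading '#'")
    if (entry["socket"], entry["proto"]) != ("stream", "tcp"):
        findings.append("socket type and protocol should be stream and tcp")
    if entry["wait"] != "nowait":
        findings.append("use nowait so each connection gets its own ftpd")
    if entry["user"] != "root":
        findings.append("ftpd must start as root to chroot() and switch to the login user")
    opts = ftpd_options(entry["argv"])
    if opts["log_level"] == 0:
        findings.append("no -l: logins will not be logged")
    if (opts["umask"] & 0o022) != 0o022:
        findings.append(f"umask {opts['umask']:03o} leaves uploads group- or world-writable")
    if opts["timeout"] > opts["max_timeout"]:
        findings.append("-t idle timeout exceeds the -T maximum a client may request")
    return findings


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INETD_CONF
    print(find_service(conf))
    print(review_ftp_entry(conf) or ["ftp entry looks fine"])
```

Run it as <CODE>python3 check_inetd.py /etc/inetd.conf</CODE> on the real file; with no argument it checks the constructed sample. The umask check is the one most often got wrong: a umask is a set of bits to clear, so 022 is the safe value and 000 is the dangerous one.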







<A NAME="E69E247"></A>







<H4 ALIGN=CENTER>







<CENTER>







<FONT SIZE=4 COLOR="#FF0000"><B>FTP Logins</B></FONT></CENTER></H4>







<BR>







<P>If you are going to set up a user-based FTP service, where each person accessing your system has a valid login name and password, then you must create an account for each user in the /etc/passwd file. If you are not allowing anonymous FTP access, do not create a generic login that anyone can use. Bear in mind that FTP sends the login name and password in clear text, so a user-based service exposes every user's real system password to anyone who can watch the network between client and server.







<BR>







<P>To set up an anonymous FTP server, you must create a login for the anonymous user ID. This is done in the normal process of adding a user to the /etc/passwd file. The login name is whatever you want people to use when they access your system, such as &quot;anonymous&quot; or &quot;ftp&quot;. You need to select a login directory for the anonymous users that can be protected from the rest of the filesystem. A typical /etc/passwd entry looks like the following:







<BR>







<BR>







<PRE>







<FONT COLOR="#000080">ftp:*:400:51:Anonymous FTP access:/usr/ftp:/bin/false</FONT></PRE>







<P>This entry sets up the anonymous user with a login name of ftp. The asterisk in the password field matches no possible password, so nobody can log in to the account through the normal login process; ftpd handles the anonymous login itself and accepts any password (by convention, the user's e-mail address). The user ID number (400) must be unique on the system. For better security, create a separate group just for anonymous FTP access (add a line to the /etc/group file) and make the ftp user its only member; you can then use group permissions to restrict what that account can reach. The login directory in the example is /usr/ftp, although you could choose any directory as long as it is owned by root and not writable by the ftp user (the permissions are set in &quot;Setting Permissions,&quot; below; if the ftp user owned its own home directory it could create or replace files there). The login shell shown in the example is /bin/false, a program that simply exits, so even someone who manages to authenticate as ftp through some other service gets no shell to work from.







<BR>







<BR>







<A NAME="E69E248"></A>







<H4 ALIGN=CENTER>







<CENTER>







<FONT SIZE=4 COLOR="#FF0000"><B>Setting Up the Directories</B></FONT></CENTER></H4>







<BR>







<P>As you will see in the next section, &quot;Setting Permissions,&quot; the aim is to make the anonymous FTP subdirectory a filesystem unto itself, with no way for the anonymous user to get anywhere other than /usr/ftp (or whatever directory you use for anonymous access). For this reason, you need to create a mini-filesystem just for anonymous FTP, holding the usual directory names and the few files anyone logging in needs: once ftpd has changed its root to this directory it can no longer reach the real /bin, /etc, or /lib. Part of the procedure is summarized in a checklist at the end of this chapter.







<BR>







<P>The process for setting up the directories your anonymous FTP login needs is simple, requiring you to create a number of directories and copy files into them. Here are the basic procedures:







<BR>







<UL>







<LI>Create the bin directory (/usr/ftp/bin, for example) and copy in the directory listing command (ls, and any variant such as l) that users need to view directory and file details. You can also copy utilities such as more and less if you want, but keep the set minimal: every program you place inside the anonymous tree is one more program an intruder can run from it, so copy only what anonymous users genuinely need.







<BR>







<BR>







<LI>Create the etc directory (/usr/ftp/etc, for example) and copy your passwd file (/etc/passwd) and group file (/etc/group) into it. You'll edit these copies in a moment; do not leave them as verbatim copies, because anyone who logs in anonymously can download them.







<BR>







<BR>







<LI>Create the lib directory (/usr/ftp/lib, for example) and copy the files /lib/rld and /lib/libc.so.1 into it. These files are used by ls. Do this step only if your ls command requires these files: not all versions of Linux have this dependency, so check first (ldd /bin/ls lists the shared libraries a binary needs) to prevent unnecessary work.







<BR>







<BR>







<LI>Create the pub directory (/usr/ftp/pub, for example) to hold your accessible files. You'll look at this directory in more detail in a moment.







<BR>







<BR>







<LI>Create the dev directory (/usr/ftp/dev, for example) and use the mknod command to recreate the /dev/zero device node there, with the same major and minor device numbers as /dev/zero (ls -l /dev/zero shows them). This device is used by rld (and hence by ls). Do this step only if ls requires the /lib files mentioned earlier.







<BR>







<BR>







</UL>







<P>The copies of /etc/passwd and /etc/group in ~ftp/etc stand in for the real files once ftpd has changed its root; ls uses them only to turn numeric user and group IDs into names. Edit the copies: replace every password field with an asterisk, and delete every entry that belongs to a real user or group on your system, along with most of the others, leaving only the entries the anonymous service needs (usually just the ftp or anonymous login and bin). Never leave a password hash in ~ftp/etc/passwd: anyone who logs in anonymously can download the file and run a password cracker against it at leisure.
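<P>The following is an added example for this chapter, not code from the book. It produces the stripped copies of passwd and group described above from the real files: only the accounts you name survive, every password field becomes an asterisk, and group entries are kept only for the primary groups of those accounts, with their member lists pruned to match. The sample passwd and group contents embedded in it are constructed and the hashes in them are invented; the point of the example is that none of them reach the copy. find_hashes is the check to run on ~ftp/etc/passwd before opening the site.

```python
"""Produce the stripped copies of passwd and group that go into ~ftp/etc.

Added example for this chapter, not code from the book. The sample files
are constructed and the hashes in them are made up.
"""

SAMPLE_PASSWD = """\
root:Xk2.fAkEhAsH9:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/bin/false
daemon:*:2:2:daemon:/sbin:/bin/false
alice:Ab9.nOtReAl1x:500:100:Alice:/home/alice:/bin/bash
ftp:*:400:51:Anonymous FTP access:/usr/ftp:/bin/false
"""

SAMPLE_GROUP = """\
root::0:root
bin::1:root,bin,daemon
users:x:100:alice
ftp::51:
"""


def sanitize(passwd_text, group_text, keep=("ftp", "bin")):
    """Return (passwd, group) texts for ~ftp/etc: only the accounts in `keep`
    survive, every password field becomes '*', and a group entry is kept
    only if it is the primary group of a kept account (members pruned)."""
    kept_users, kept_gids, passwd_out = set(), set(), []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        if fields[0] not in keep:
            continue
        fields[1] = "*"                 # no hash means nothing to crack
        kept_users.add(fields[0])
        kept_gids.add(fields[3])
        passwd_out.append(":".join(fields))

    group_out = []
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, _, gid, members = fields
        if gid not in kept_gids:
            continue
        members = ",".join(m for m in members.split(",") if m in kept_users)
        group_out.append(f"{name}:*:{gid}:{members}")

    return ("".join(l + "\n" for l in passwd_out),
            "".join(l + "\n" for l in group_out))


def find_hashes(passwd_text):
    """Names of accounts whose password field is anything but '*'. Run this
    against ~ftp/etc/passwd: the result must be empty before anyone logs in."""
    bad = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7 and fields[1] != "*":
            bad.append(fields[0])
    return bad


if __name__ == "__main__":
    pw, gr = sanitize(SAMPLE_PASSWD, SAMPLE_GROUP)
    print("hashes in the original:", find_hashes(SAMPLE_PASSWD))
    print("hashes in the copy:", find_hashes(pw))
    print(pw + gr, end="")
```

In real use, read /etc/passwd and /etc/group, write the two results to ~ftp/etc/passwd and ~ftp/etc/group, and then set their ownership and 444 permissions as described in the next sections. If your anonymous login is called anonymous rather than ftp, pass that name in <CODE>keep</CODE>.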







<BR>







<P>You can use the ~ftp/pub directory structure to store the files you want to allow anonymous users to access. Copy them into this directory. You can create subdirectories as you need them for organizational purposes. It may be useful to create an upload directory somewhere in the ~ftp/pub directory structure that has write permission, so that users can upload files to you only into this upload area.







<BR>







<BR>







<A NAME="E69E249"></A>







<H4 ALIGN=CENTER>







<CENTER>







<FONT SIZE=4 COLOR="#FF0000"><B>Setting Permissions</B></FONT></CENTER></H4>







<BR>







<P>ftpd protects the rest of your system with chroot. The chroot system call (the chroot command is a wrapper around it) makes a chosen directory appear to be the root of the filesystem, /, for one process and everything that process starts. When an anonymous user logs in, ftpd calls chroot to the anonymous account's home directory before doing anything on that user's behalf, so every path the user supplies is resolved inside that directory: when they type cd /bin, they really change to /usr/ftp/bin if the root has been set to /usr/ftp, and there is no path they can type that reaches outside it. This is why the mini-filesystem of the previous section is needed: once its root has moved, ftpd can no longer see the real /bin/ls or /etc/passwd, only the copies under ~ftp. The change applies only to the ftpd process handling that session; the real root stays in place for everyone else. chroot is not a complete sandbox, however: a process that gains root privileges inside the changed root can get back out, so keep the anonymous tree free of setuid programs and of writable directories other than the upload area.







<BR>







<P>If you do create an upload area, set its permissions to allow write and execute (search) but not read, mode 733 for example, so that anonymous users can deposit files but cannot list the directory to find and download what others have uploaded.







<BR>







<P>To set the permissions for files and directories used by your anonymous FTP users, follow this procedure. If the directories or files do not already exist, copy or create them as necessary:







<BR>







<OL>







<LI>Set the ~ftp directory to have root as owner and access permissions of 555.







<BR>







<BR>







<LI>Set the ~ftp/bin directory to have root as owner and access permissions of 555.







<BR>







<BR>







<LI>Set the file ~ftp/bin/ls to have root as owner and access permissions of 111.







<BR>







<BR>







<LI>Set the ~ftp/etc directory to have root as owner and access permissions of 555.







<BR>







<BR>







<LI>Set the ~ftp/etc/passwd and ~ftp/etc/group files to have root as owner and access permissions of 444.







<BR>







<BR>







<LI>If used, set the ~ftp/lib directory to have root as owner and access permissions of 555.







<BR>







<BR>







<LI>If used, set the files ~ftp/lib/rld and ~ftp/lib/libc.so.1 to have root as owner and access permissions of 444.







<BR>







<BR>







<LI>If used, set the ~ftp/dev directory to have root as owner and access permissions of 555.







<BR>







<BR>







<LI>If required, use the mknod command to create ~ftp/dev/zero with the same major and minor node numbers as /dev/zero.







<BR>







<BR>







</OL>







<P>In general, you should have your FTP directories set so that all permissions for directories under ~ftp prevent write access by user, group, and other. Make sure the directories and files under ~ftp are set to allow the anonymous login to read them. (The directories need execute permission to allow the anonymous users to enter them and obtain directory listings.) This set of permissions provides pretty good security.







<BR>







<P>You can set the ownership of files and directories with the chown command. This command







<BR>







<BR>







<PRE>







<FONT COLOR="#000080">chown root ~ftp/dev</FONT></PRE>







<P>sets the owner of ~ftp/dev to root, for example. All directories in the ~ftp directory structure should have the permissions set with the chmod command. This command







<BR>







<BR>







<PRE>







<FONT COLOR="#000080">chmod 555 dir_name</FONT></PRE>







<P>sets read-execute permission only for the directory, for example. The exception to this rule is the upload directory, which can have write permission, as noted earlier.
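<P>The following script is an added example for this chapter, not code from the book. It encodes the ownership and mode checklist above as a table, creates the directories, applies the modes (and changes ownership to root when it is run as root, since chown needs that), and then audits the whole tree: every entry on the checklist must have the expected type, mode and owner, and nothing anywhere under ~ftp may be writable by group or other or carry a setuid or setgid bit. The upload directory name pub/incoming is an assumption, as is the 733 mode, which follows the write-and-search-but-no-read advice given earlier. Files such as ls, passwd and group are copied in by hand; the script only checks them.

```python
"""Create and audit the ~ftp tree with the ownership and modes from the
procedure above.

Added example for this chapter, not code from the book. The pub/incoming
upload directory and its 733 mode are assumptions; the rest is the checklist.
"""
import os
import stat

# (type, mode): 'd' directory, 'f' regular file, 'c' character device.
LAYOUT = {
    ".":            ("d", 0o555),
    "bin":          ("d", 0o555),
    "bin/ls":       ("f", 0o111),
    "etc":          ("d", 0o555),
    "etc/passwd":   ("f", 0o444),
    "etc/group":    ("f", 0o444),
    "lib":          ("d", 0o555),
    "dev":          ("d", 0o555),
    "pub":          ("d", 0o555),
    "pub/incoming": ("d", 0o733),   # assumed upload area: write+search, no read
}
# Needed only when ls depends on them; checked only if present. None = any mode.
OPTIONAL = {
    "lib/rld":       ("f", 0o444),
    "lib/libc.so.1": ("f", 0o444),
    "dev/zero":      ("c", None),
}


def make_dirs(root):
    """Create the directories of LAYOUT (files are copied in by hand)."""
    for rel, (kind, _) in LAYOUT.items():
        if kind == "d":
            os.makedirs(os.path.join(root, rel), exist_ok=True)


def apply_modes(root):
    """chmod every checklist entry that exists; chown to root when we are root."""
    for rel, (_, mode) in {**OPTIONAL, **LAYOUT}.items():
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            continue
        if mode is not None:
            os.chmod(path, mode)
        if os.geteuid() == 0:
            os.chown(path, 0, -1)       # owner root, group unchanged


def _kind(st_mode):
    if stat.S_ISDIR(st_mode):
        return "d"
    if stat.S_ISREG(st_mode):
        return "f"
    if stat.S_ISCHR(st_mode):
        return "c"
    return "?"


def audit(root, owner_uid=0):
    """Return a list of problems, empty when the tree matches the checklist.
    owner_uid is 0 for a real install; a test may pass its own uid."""
    problems = []
    expected = dict(LAYOUT)
    expected.update({k: v for k, v in OPTIONAL.items()
                     if os.path.lexists(os.path.join(root, k))})
    for rel, (kind, mode) in expected.items():
        try:
            st = os.lstat(os.path.join(root, rel))
        except FileNotFoundError:
            problems.append(f"{rel}: missing")
            continue
        if _kind(st.st_mode) != kind:
            problems.append(f"{rel}: expected type {kind!r}, found {_kind(st.st_mode)!r}")
        if mode is not None and stat.S_IMODE(st.st_mode) != mode:
            problems.append(f"{rel}: mode {stat.S_IMODE(st.st_mode):04o}, expected {mode:04o}")
        if st.st_uid != owner_uid:
            problems.append(f"{rel}: owned by uid {st.st_uid}, expected {owner_uid}")
    # Everything else under ~ftp (content in pub, stray files): no group/other
    # write bit, and never a setuid/setgid program inside the chroot.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if rel in expected or stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append(f"{rel}: writable by group or other")
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append(f"{rel}: setuid/setgid bit set")
    return problems


if __name__ == "__main__":
    import sys
    for problem in audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/ftp"):
        print(problem)
```

Run <CODE>python3 ftp_tree.py /usr/ftp</CODE> as root after copying in ls, passwd and group; silence means the tree matches the checklist. Note that the sweep cannot look inside pub/incoming when run as an ordinary user, because that directory deliberately has no read permission; run the audit as root to cover uploaded files too.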







<BR>







<BR>







<A NAME="E69E250"></A>







<H4 ALIGN=CENTER>







<CENTER>







<FONT SIZE=4 COLOR="#FF0000"><B>Testing the System</B></FONT></CENTER></H4>







<BR>







<P>Before you let anyone else onto your Linux FTP system, log in to it yourself as the anonymous user and try to access files you shouldn't be able to, try to move into directories outside the ~ftp structure, and try to write files where you shouldn't be able to. This provides a useful test of the permissions and directory structure. Spend an hour or so trying to read, write, copy, and move files, then try logging in over FTP as other accounts (root, or a valid system user) to confirm that only the logins you intend to permit are accepted. Make sure your system is buttoned up: if you don't, someone else will find the holes and exploit them.







<BR>







<P>It is a useful idea to set up a mailbox for the FTP administrator so that users on other systems who need help or information can send mail to you. Create a user and mailbox for a login such as ftp-admin and alias the mailbox to yourself or another person (or just log in as ftp-admin occasionally to check the mail).







<BR>







<P>Because this book covers system administration, it won't go into much detail about how to organize your directory structure, but a few useful tips may help you. To begin, decide what you want to store on your FTP directories and organize the structure logically. For example, if you are making available programs you have written, set up separate directories for each. A README file in each directory will help show browsers what is contained therein. A master README or INSTRUCTIONS file in the ~ftp directory can help explain how your site is set up and its contents (the uppercase letters draw a user's attention to the files immediately).







<BR>







<BR>







<A NAME="E68E230"></A>







<H3 ALIGN=CENTER>







<CENTER>







<FONT SIZE=5 COLOR="#FF0000"><B> Securing FTP</B></FONT></CENTER></H3>







<BR>







<P>The FTP system discussed earlier, supplied with practically every Linux distribution, requires a bit of work to make it secure. Even then, it is still vulnerable to very experienced hackers. A better alternative is available if you are paranoid about your system's security: WU FTP. Developed at Washington University, WU FTP adds some extra features to the standard FTP system:







<BR>







<UL>







<LI>Better control of user and group ID







<BR>







<BR>







<LI>Better tracking of uploads and downloads







<BR>







<BR>







<LI>Automatic shutdown







<BR>







<BR>







<LI>Automatic compression and decompression of files







<BR>







<BR>







</UL>







<P>If these features sound useful, you can obtain a copy of the source code of WU FTP from several sites, although the primary site is <A HREF="ftp://wuarchive.wustl.edu">wuarchive.wustl.edu</A>. Check for the file /packages/wuarchive-ftpd/wu-ftpd-X.X.tar.Z (where X.X is the latest version number). You will get the source code, which needs to be compiled on your Linux system.







<BR>







<P>WU FTP is controlled by a set of configuration files (ftpaccess, ftpconversions and ftphosts, normally kept in /etc) rather than by options on the inetd line, and the accompanying documentation helps you set it up properly. Setting up WU FTP is more complex than standard FTP, and the extra control, which is useful, may be unnecessary for many FTP site machines you set up at home or at work (unless you have sensitive information).







<BR>







<BR>







<A NAME="E68E231"></A>







<H3 ALIGN=CENTER>







<CENTER>







<FONT SIZE=5 COLOR="#FF0000"><B>Summary</B></FONT></CENTER></H3>







<BR>







<P>The information in this chapter enables you to set your system up as a full anonymous FTP site, or just for users you want to gain access. The process is simple, although you have to take care to ensure that the file permissions are properly set. Once your FTP site is up, you can let others on the Internet or your local area network know you are running, and the type of material you store on your system. Then sit back and share!<A NAME="I2"></A>







<P ALIGN=LEFT>























































</td>
</tr>
</table>

<!-- begin footer information -->



</body></html>
