

for each user in the <TT>/etc/passwd</TT> file. If you are not allowing anonymous



FTP access, do not create a generic login that anyone can use.</P>



<P>To set up an anonymous FTP server, you must create a login for the anonymous user



ID (if one doesn't already exist; many versions of Linux have the entry already completed



upon installation). This is done in the normal process of adding a user to the <TT>/etc/passwd</TT>



file. The login name is whatever you want people to use when they access your system,



such as <TT>anonymous</TT> or <TT>ftp</TT>. You need to select a login directory



for the anonymous users that can be protected from the rest of the file system. A



typical <TT>/etc/passwd</TT> entry looks like this:



<PRE><FONT COLOR="#0066FF">ftp:*:400:51:Anonymous FTP access:/usr/ftp:/bin/false



</FONT></PRE>



<P>This sets up the anonymous user with a login of <TT>ftp</TT>. The asterisk password



prevents anyone gaining access to the account. The user ID number (400) is, of course,



unique to the entire system. For better security, it is a good idea to create a separate



group just for the anonymous FTP access (edit the <TT>/etc/group</TT> file to add



a new group), and then set the <TT>ftp</TT> user to that group. Only the anonymous



FTP user should belong to that group because it can be used to set file permissions



to restrict access and make your system more secure. The login directory in the preceding



example is <TT>/usr/ftp</TT>, although you could choose any directory as long as



it belongs to root (for security reasons, again). The startup program shown in the



preceding example is <TT>/bin/false</TT>, which helps protect your system from access



to accounts and utilities that do not have strong password protection.</P>



<CENTER>



<H4><A NAME="Heading9"></A><FONT COLOR="#000077">Setting Up the Directories</FONT></H4>



</CENTER>



<P>As you will see in the next section, &quot;Setting Permissions,&quot; you can



try to make the entire anonymous FTP subdirectory structure a file system unto itself,



with no allowance for the anonymous user to get anywhere other than <TT>/usr/ftp</TT>



(or whatever directory you use for anonymous access). For this reason, you need to



create a mini-file system just for the anonymous FTP access which holds the usual



directory names and basic files that anyone logging in will need.</P>



<P>The process for setting up the directories that your anonymous FTP login will



need is simple, requiring you to create a number of directories and to copy files



into them. Here's the basic procedure:







<DL>



	<DD><B>1.</B> Create the <TT>bin</TT> directory (<TT>/usr/ftp/bin</TT>, for example)



	and copy the directory listing command <TT>ls</TT> that users will need to view directory



	and file details.<BR>



	<BR>



	<B>2.</B> Create the <TT>etc</TT> directory (<TT>/usr/ftp/etc</TT>, for example) and



	copy your <TT>passwd</TT> file (<TT>/etc/passwd</TT>) and group file (<TT>/etc/group</TT>)



	into it. We'll edit these files in a moment.<BR>



	<BR>



	<B>3.</B> Create the <TT>lib</TT> directory (<TT>/usr/ftp/lib</TT>, for example)



	and copy the files <TT>/lib/ld.so</TT> and <TT>/lib/libc.so.X</TT> (where X is the



	version number of the <TT>libc</TT> file) into it. These files are used by <TT>ls</TT>.



	Do this step only if your <TT>ls</TT> command requires these files; most versions



	of Linux do not have this dependency.<BR>



	<BR>



	<B>4. </B>Create the <TT>pub</TT> directory (<TT>/usr/ftp/pub</TT>, for example)



	to hold your accessible files. We'll look at this directory in more detail in a moment.<BR>



	<BR>



	<B>5.</B> Create the <TT>dev</TT> directory (<TT>/usr/ftp/dev</TT>, for example)



	and use the <TT>mknod</TT> command to re-create the <TT>/dev/zero</TT> device node there. You need



	to retain the same major and minor device numbers as the <TT>/dev/zero</TT> file



	in <TT>/dev</TT>. This device file is used by <TT>ld.so</TT> (and hence <TT>ls</TT>).



	Do this step only if <TT>ls</TT> requires the <TT>/lib</TT> directory files mentioned



	earlier.



</DL>







<P>The copies of the <TT>/etc/passwd</TT> and <TT>/etc/group</TT> files that you placed



in the <TT>~ftp/etc</TT> directory must be edited before anyone logs in. In these copies



(not the system files), replace every password with an asterisk, and remove every entry



except those used by the anonymous FTP login (usually just



<TT>anonymous</TT> and <TT>bin</TT>).</P>



<P>The <TT>~ftp/pub</TT> directory structure can be used to store the files you want



to allow anonymous users to access. Copy them into this directory. You can create



subdirectories as you need them for organizational purposes. It may be useful to



create an upload directory somewhere in the <TT>~ftp/pub</TT> directory structure



which has write permission, so that users can upload files to you only in this area.



<CENTER>



<H4><A NAME="Heading10"></A><FONT COLOR="#000077">Setting Permissions</FONT></H4>



</CENTER>



<P>You can use the <TT>chroot</TT> command to help protect your system. The <TT>chroot</TT>



command makes the <TT>root</TT> directory appear to be something other than <TT>/</TT>



on a file system. For example, because the anonymous FTP login always runs under <TT>chroot</TT>,



any <TT>cd</TT> command an anonymous user types is always



relative to the FTP home directory. In other words, when they type <TT>cd /bin</TT>



they will really be changing to <TT>/usr/ftp/bin</TT> if the root has been set to



<TT>/usr/ftp</TT>. This helps prevent access to any other areas of the file system



than the FTP directory structure.</P>



<P>If you do create an upload area, you may want to set the permissions to allow



execute and write, but not read (to prevent another user downloading the files someone



else has uploaded).</P>



<P>Set all permissions for directories under <TT>~ftp/</TT> to prevent write access



by user, group, or other. Make sure the directories and files under <TT>~ftp</TT>



are set to allow the anonymous login to read them (set their ownership and group



permissions to the root login and group ID), and set only read permission. The directories



will need execute and read permission to enable the anonymous users to enter them



and obtain directory listings. This provides pretty good security. All directories



in the <TT>~ftp</TT> directory structure should have the permissions set with the



command:



<PRE><FONT COLOR="#0066FF">chmod 555 dir_name



</FONT></PRE>



<P>which sets read-execute permission only. The exception is the <TT>upload</TT>



directory, which can have write permission as noted earlier.



<CENTER>



<H4><A NAME="Heading11"></A><FONT COLOR="#000077">Test the System</FONT></H4>



</CENTER>



<P>Before you let anyone else onto your Linux FTP system, log into it yourself and



try to access files you shouldn't be able to access, move into directories out of



the <TT>~ftp</TT> structure, and write files where you shouldn't be able to. This



will provide a useful test of the permissions and directory structure. Spend a few



minutes trying to read and write files. Make sure your system is buttoned up--if



you don't, someone else will find the holes and exploit them.</P>



<P>It is a useful idea to set up a mailbox for yourself as FTP administrator so that



users on other systems who need help or information can send mail to you. Create



a mail alias such as <TT>ftp-admin</TT> in the file <TT>/etc/aliases</TT> (and run



<TT>newaliases</TT> to make it effective).</P>



<P>We won't go into much detail about how to organize your directory structure, but



a few useful tips may help you. To begin, decide what you want to store in your FTP



directories and organize the structure logically. For example, if you are making



available programs you have written, set up separate directories for each. A <TT>README</TT>



file in each directory will help show browsers what it contains. A master <TT>README</TT>



or <TT>INSTRUCTIONS</TT> file in the <TT>~ftp</TT> directory can help explain how



your site is set up and what its contents are.



<CENTER>



<H3><A NAME="Heading12"></A><FONT COLOR="#000077">A More Secure FTP</FONT></H3>



</CENTER>



<P>The FTP system discussed in the preceding sections, which is the basic one supplied



with practically every Linux distribution, requires a bit of work to make it secure.



However, it is still vulnerable to very experienced crackers. There's a better alternative



if you are paranoid about your system's security: WU FTP. Developed at Washington



University, WU FTP adds some extra features to the standard FTP system:







<UL>



	<LI>Better control of user and group IDs



	<P>



	<LI>Better tracking of uploads and downloads



	<P>



	<LI>Automatic shutdown



	<P>



	<LI>Automatic compression and decompression of files



</UL>







<P>If these features sound useful, you can obtain a copy of the source code of WU



FTP from several sites, although the primary site is <TT>wuarchive.wustl.edu</TT>.



Check for the file <TT>/packages/wuarchive-ftpd/wu-ftpd-2.4.tar.Z</TT>. You will



get the source code which needs to be compiled on your Linux system.</P>



<P>WU FTP uses a number of environment variables to control the service, and the



accompanying documentation helps you set it up properly. Setting up WU FTP is much



more complex than standard FTP, and the extra security, while useful, may be unnecessary



for many FTP site machines that you may set up at home or work (unless you have sensitive



information).



<CENTER>



<H4><A NAME="Heading13"></A><FONT COLOR="#000077">Checklist: Protecting an Anonymous FTP System</FONT></H4>



</CENTER>



<P>Anonymous FTP is fast, relatively easy to use, and a huge security problem if



you don't carefully set up your system. The following list summarizes a few simple



steps to setting up a better anonymous FTP site:







<DL>



	<DD><B>1. </B>Create a user account called <TT>ftp</TT>. Edit the <TT>/etc/passwd</TT>



	file manually and replace the password with an asterisk in the second field. This



	prevents anyone from gaining access through the <TT>ftp</TT> account.<BR>



	<BR>



	<B>2. </B>If a home directory wasn't created for the <TT>ftp</TT> user when you created



	the account, set up a home directory for the <TT>ftp</TT> user's sole use (such as



	<TT>/home/ftp</TT>).<BR>



	<BR>



	<B>3. </B>Set the <TT>ftp</TT> home directory so that the <TT>root</TT> user is the



	owner:<FONT COLOR="#0066FF"><BR>



	<BR>



	chown root /usr/ftp</FONT>



</DL>














<DL>



	<DD><B>4.</B> Make the <TT>ftp</TT> home directory unwritable to anyone with the



	following command:<FONT COLOR="#0066FF"><BR>



	<BR>



	chmod ugo-w /usr/ftp</FONT>



</DL>














<DL>



	<DD><B>5. </B>Create a <TT>bin</TT> directory under the <TT>ftp</TT> home directory:<BR>



	<FONT COLOR="#0066FF"><BR>



	mkdir ~ftp/bin</FONT>



</DL>














<DL>



	<DD><B>6. </B>Make the <TT>~ftp/bin</TT> directory owned by <TT>root</TT> and unwritable



	to anyone else:<BR>



	<FONT COLOR="#0066FF"><BR>



	chown root ~ftp/bin<BR>



	chmod ugo-w ~ftp/bin<BR>



	</FONT>







	<P><B>7. </B>Place a copy of the listing commands (and any others that you want anonymous



	FTP users to use) in the <TT>bin</TT> directory:<BR>



	<FONT COLOR="#0066FF"><BR>



	cp /bin/ls ~ftp/bin<BR>



	</FONT>







	<P><B>8. </B>Create an <TT>etc</TT> directory under the <TT>ftp</TT> home directory



	and make it owned by <TT>root</TT> and unwritable:<BR>



	<FONT COLOR="#0066FF"><BR>



	mkdir ~ftp/etc<BR>



	chown root ~ftp/etc<BR>



	chmod ugo-w ~ftp/etc<BR>



	</FONT>







	<P><B>9. </B>Copy the <TT>/etc/passwd</TT> and <TT>/etc/group</TT> files into the



	<TT>~ftp/etc</TT> directory. Edit both files to remove all user accounts except <TT>ftp</TT>



	(and <TT>ftp</TT>'s group). (At the very least, remove all passwords for other accounts



	by placing asterisks in the password field.)<BR>



	<BR>



	<B>10. </B>Create the directory <TT>~ftp/pub/incoming</TT>, and make it owned by



	<TT>root</TT>. Then, make the directory writable by anyone:<BR>



	<FONT COLOR="#0066FF"><BR>



	mkdir ~ftp/pub/incoming<BR>



	chown root ~ftp/pub/incoming<BR>



	chmod ugo+w ~ftp/pub/incoming<BR>



	</FONT>







	<P><B>11. </B>Place any files you want accessible by anonymous FTP into the <TT>~ftp/pub</TT>



	directory. Users logging in through anonymous FTP will be able to transfer the files



	out. Allowing users to write files into the directory may not be desirable, so change



	the permissions or check the files frequently.



</DL>







<P>By following these steps (modified for your own particular needs), you can create



a secure site that lets you breathe a little easier.
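<P>The directory layout and the <TT>chmod 555</TT> / upload-area permissions from &quot;Setting Up the Directories&quot;, &quot;Setting Permissions&quot; and the checklist above, as one added shell example that is not the book's own code; it also performs the &quot;Test the System&quot; check by reading the modes back. <TT>FTP_ROOT</TT> is an assumed name pointing at a scratch directory, and the sticky bit on the upload directory goes beyond the text.</P>

```shell
#!/bin/sh
# Added example, not the book's own code: build the anonymous FTP tree
# (bin, etc, lib, dev, pub, pub/incoming) under one root, apply the modes
# the text prescribes, then check them as "Test the System" asks.
# FTP_ROOT is an assumed name; rehearse in a scratch directory first.
# The mknod and library copies are left out (they need root and depend on
# the ls binary in use); chown to root is attempted only when run as root.

# build_ftp_tree ROOT -> creates the directories with the book's modes.
build_ftp_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/etc" "$root/lib" "$root/dev" "$root/pub/incoming"
    # chmod 555: read and execute only, no write for user, group or other.
    chmod 555 "$root" "$root/bin" "$root/etc" "$root/lib" "$root/dev" "$root/pub"
    # Upload area: write and execute but no read for group and other, so one
    # anonymous user cannot list or fetch another's uploads. The sticky bit
    # goes beyond the text: it stops uploaders deleting each other's files.
    chmod 1733 "$root/pub/incoming"
    [ "$(id -u)" -eq 0 ] && chown -R root "$root"
    return 0
}

# mode_of PATH -> the ten-character mode string from ls -ld, e.g. dr-xr-xr-x
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# check_ftp_tree ROOT -> prints each directory whose mode is wrong and fails
# if any is. Nothing outside pub/incoming may be writable, and pub/incoming
# must be writable but unreadable to group and other.
check_ftp_tree() {
    root=$1; bad=0
    for d in "$root" "$root/bin" "$root/etc" "$root/lib" "$root/dev" "$root/pub"; do
        case $(mode_of "$d") in
            dr-xr-xr-x) ;;
            *) echo "wrong mode on $d: $(mode_of "$d")"; bad=1 ;;
        esac
    done
    case $(mode_of "$root/pub/incoming") in
        d?wx-wx-w?) ;;
        *) echo "wrong mode on $root/pub/incoming: $(mode_of "$root/pub/incoming")"; bad=1 ;;
    esac
    return $bad
}

# Rehearsal in a constructed scratch directory, not the live ~ftp.
FTP_ROOT=${TMPDIR:-/tmp}/ftp-root.$$
build_ftp_tree "$FTP_ROOT"
check_ftp_tree "$FTP_ROOT" && echo "ok: $FTP_ROOT is locked down"
```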



<CENTER>



<H3><A NAME="Heading14"></A><FONT COLOR="#000077">Summary</FONT></H3>



</CENTER>



<P>The information in this chapter enables you to set up your system as a full anonymous



FTP site or just a site for the users you want to gain access. Although the process



is simple, you have to take care to ensure the file permissions are properly set.



Once your FTP site is up, you can let others on the Internet or your local area network



know that you are running, as well as the type of material you store on your system.



Then sit back and share!



















</td>
</tr>
</table>

<!-- begin footer information -->



</body></html>
