<HTML>
<HEAD>
<TITLE>Linux Unleashed, Third Edition:Setting Up an FTP and Anonymous FTP Site</TITLE>
<SCRIPT>
<!--
function displayWindow(url, width, height) {
var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>
<!--ISBN=0672313723//-->
<!--TITLE=Linux Unleashed, Third Edition//-->
<!--AUTHOR=Tim Parker//-->
<!--PUBLISHER=Macmillan Computer Publishing//-->
<!--IMPRINT=Sams//-->
<!--CHAPTER=48//-->
<!--PAGES=791-793//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<H4 ALIGN="LEFT"><A NAME="Heading8"></A><FONT COLOR="#000077">Setting Up the Directories</FONT></H4>
<P>As you will see in the next section, “Setting Permissions,” you can try to make the entire anonymous FTP subdirectory structure a file system unto itself, with no allowance for the anonymous user to get anywhere other than <TT>/usr/ftp</TT> (or whatever directory you use for anonymous access). For this reason, you need to create a mini-file system just for the anonymous FTP access which holds the usual directory names and basic files anyone logging in will need.</P>
<P>The process for setting up the directories that your anonymous FTP login will need is simple, requiring you to create a number of directories and copy files into them. Here’s the basic procedure:</P>
<DL>
<DD><B>1.</B> Create the <TT>bin</TT> directory (<TT>/usr/ftp/bin</TT>, for example) and copy the directory listing command <TT>ls</TT> that users will need to view directory and file details.
<DD><B>2.</B> Create the <TT>etc</TT> directory (<TT>/usr/ftp/etc</TT>, for example) and copy your <TT>passwd</TT> file (<TT>/etc/passwd</TT>) and group file (<TT>/etc/group</TT>) into it. We’ll edit these files in a moment.
<DD><B>3.</B> Create the <TT>lib</TT> directory (<TT>/usr/ftp/lib</TT>, for example) and copy the files <TT>/lib/ld.so</TT> and <TT>/lib/libc.so.<I>X</I></TT> (where <I>X</I> is the version number of the <TT>libc</TT> file) into it. These files are used by <TT>ls</TT>. Do this step only if your <TT>ls</TT> command requires these files; most versions of Linux do not have this dependency.
<DD><B>4.</B> Create the <TT>pub</TT> directory (<TT>/usr/ftp/pub</TT>, for example) to hold your accessible files. We’ll look at this directory in more detail in a moment.
<DD><B>5.</B> Create the <TT>dev</TT> directory (<TT>/usr/ftp/dev</TT>, for example) and use the <TT>mknod</TT> command to copy the <TT>/dev/zero</TT> file. You need to retain the same major and minor device numbers as the <TT>/dev/zero</TT> file in <TT>/dev</TT>. This device file is used by <TT>ld.so</TT> (and hence <TT>ls</TT>). Do this step only if <TT>ls</TT> requires the <TT>/lib</TT> directory files mentioned earlier.
</DL>
<P>Copies of the <TT>/etc/passwd</TT> and <TT>/etc/group</TT> files now sit in the <TT>~ftp/etc</TT> directory. You should edit these copies to remove all passwords and replace them with an asterisk. Remove all entries in both copies, except those used by the anonymous FTP login (usually just <TT>anonymous</TT> and <TT>bin</TT>); leave the originals in <TT>/etc</TT> untouched.</P>
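<P>The directory steps and the <TT>passwd</TT>/<TT>group</TT> cleanup described above, as an added shell example that is not from the book. It builds the tree in a scratch directory from constructed sample files; the function names, sample accounts and placeholder hashes are assumptions.</P>

```shell
#!/bin/sh
# Added example: build the anonymous-FTP mini file system in a scratch root.
# Function names, sample accounts and paths are assumptions, not the book's.

# Copy a passwd- or group-style file, keeping only the named entries and
# replacing the password field (field 2) with an asterisk.
sanitize_db() {
    src=$1; dst=$2; shift 2
    awk -F: -v OFS=: -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        ($1 in want) { $2 = "*"; print }' "$src" > "$dst"
}

# Number of entries whose password field is anything other than "*".
count_exposed() { awk -F: '$2 != "*" { n++ } END { print n + 0 }' "$1"; }

build_ftp_tree() {
    root=$1; passwd_src=$2; group_src=$3
    mkdir -p "$root/bin" "$root/etc" "$root/pub"      # steps 1, 2 and 4
    cp "$(command -v ls)" "$root/bin/ls"
    sanitize_db "$passwd_src" "$root/etc/passwd" anonymous bin
    sanitize_db "$group_src"  "$root/etc/group"  anonymous bin
    # Steps 3 and 5 (lib/ and dev/zero) apply only when ls needs ld.so;
    # mknod also requires root, so they are left out of this scratch build.
}

demo_build() {
    work=$(mktemp -d)
    # Constructed sample files; the hashes are placeholders, not real ones.
    printf '%s\n' 'root:PLACEHOLDERHASH:0:0:root:/root:/bin/sh' \
        'bin:*:1:1:bin:/bin:' \
        'alice:PLACEHOLDERHASH:500:100:Alice:/home/alice:/bin/sh' \
        'anonymous:PLACEHOLDERHASH:404:50:Anonymous FTP:/usr/ftp:/bin/false' \
        > "$work/passwd"
    printf '%s\n' 'root::0:root' 'bin::1:root,bin' 'users::100:alice' \
        'anonymous::50:' > "$work/group"
    build_ftp_tree "$work/ftp" "$work/passwd" "$work/group"
    cat "$work/ftp/etc/passwd" "$work/ftp/etc/group"
    echo "exposed: $(count_exposed "$work/ftp/etc/passwd")"
    rm -rf "$work"
}
demo_build
```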
<P>The <TT>~ftp/pub</TT> directory structure can be used to store the files you want to allow anonymous users to access. Copy them into this directory. You can create subdirectories as you need them for organizational purposes. It may be useful to create an upload directory somewhere in the <TT>~ftp/pub</TT> directory structure that has write permission, so that users can upload files to you only into this upload area.</P>
<BLOCKQUOTE>
<P><FONT SIZE="-1"><HR><B>Note: </B><BR>If you allow remote users to access your system, you may want to protect yourself legally by issuing a warning that their activities on your system may be recorded or logged. Unfortunately, in today’s world you have to take all steps necessary to prevent getting sued!<HR></FONT>
</BLOCKQUOTE>
<H4 ALIGN="LEFT"><A NAME="Heading9"></A><FONT COLOR="#000077">Setting Permissions</FONT></H4>
<P>You can use the <TT>chroot</TT> command to help protect your system. The <TT>chroot</TT> command makes the <TT>root</TT> directory appear to be something other than <TT>/</TT> on a file system. For example, since <TT>chroot</TT> is always set for the anonymous FTP login, any time anonymous users type a <TT>cd</TT> command, it can always be relative to their home directory. In other words, when they type <TT>cd /bin</TT>, they will really be changing to <TT>/usr/ftp/bin</TT> if the root has been set to <TT>/usr/ftp</TT>. This helps prevent access to any other areas of the file system than the FTP directory structure.</P>
<P>If you do create an upload area, you may want to set the permissions to allow execute and write, but not read (to prevent another user downloading the files someone else has uploaded).</P>
<P>Set all permissions for directories under <TT>~ftp/</TT> to prevent write access by user, group, or other. Make sure the directories and files under <TT>~ftp</TT> are set to allow the anonymous login to read them (set their ownership and group permissions to the <TT>root</TT> login and group ID), and set only read permission. The directories will need execute and read permission to enable the anonymous users to enter them and obtain directory listings. This provides pretty good security. All directories in the <TT>~ftp</TT> directory structure should have the permissions set with the command:</P>
<!-- CODE SNIP //-->
<PRE>
chmod 555 dir_name
</PRE>
<!-- END CODE SNIP //-->
<P>which sets read-execute permission only. The exception is the upload directory, which can have write permission as noted earlier.
</P>
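<P>One way to check a tree against these permission rules, as an added shell example that is not from the book. It runs on a constructed scratch tree containing two deliberate faults; <TT>audit_ftp_tree</TT>, <TT>demo_audit</TT> and the location of the upload directory are assumptions.</P>

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP tree against the permission rules above.
# audit_ftp_tree, demo_audit and the scratch layout are assumptions.

# Print one line per violation. The upload directory is pruned from the main
# walk (it is meant to be unreadable) and checked on its own.
audit_ftp_tree() {
    root=$1; upload=$2
    find "$root" -path "$upload" -prune -o \
        -type d ! -perm 555 -exec echo DIR-NOT-555 {} \; -o \
        -type f \( -perm -200 -o -perm -020 -o -perm -002 \) \
        -exec echo FILE-WRITABLE {} \;
    # Upload area: write and execute allowed, but no read bit for anyone.
    [ -d "$upload" ] || return 0
    find "$upload" -prune \( -perm -400 -o -perm -040 -o -perm -004 \) \
        -exec echo UPLOAD-READABLE {} \;
}

demo_audit() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/etc" "$t/pub/upload" "$t/pub/tools"
    : > "$t/etc/passwd"; : > "$t/pub/README"
    chmod 444 "$t/etc/passwd"
    chmod 664 "$t/pub/README"      # constructed fault: writable file
    chmod 755 "$t/pub/tools"       # constructed fault: writable directory
    chmod 333 "$t/pub/upload"      # write + execute, no read
    chmod 555 "$t/bin" "$t/etc" "$t/pub" "$t"
    audit_ftp_tree "$t" "$t/pub/upload"
    chmod -R u+rwx "$t"; rm -rf "$t"   # restore write access so cleanup works
}
demo_audit
```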
<H4 ALIGN="LEFT"><A NAME="Heading10"></A><FONT COLOR="#000077">Test the System</FONT></H4>
<P>Before you let anyone else onto your Linux FTP system, log into it yourself and try to access files you shouldn’t be able to, move into directories out of the <TT>~ftp</TT> structure, and write files where you shouldn’t be able to. This will provide a useful test of the permissions and directory structure. Spend a few minutes trying to read and write files. Make sure your system is buttoned up: If you don’t, someone else will find the holes and exploit them.</P>
<P>It is a useful idea to set up a mailbox for the FTP administrator so users on other systems who need help or information can send mail to you. Create a mail alias such as <TT>ftp-admin</TT> in the file <TT>/etc/aliases</TT> (and run <TT>newaliases</TT> to make it effective).</P>
<P>Because this is a system administration book, we won’t go into much detail about how to organize your directory structure, but a few useful tips may help you. To begin, decide what you want to store in your FTP directories and organize the structure logically. For example, if you are making available programs you have written, set up separate directories for each. A <TT>README</TT> file in each directory will help show browsers what it contains. A master <TT>README</TT> or <TT>INSTRUCTIONS</TT> file in the <TT>~ftp</TT> directory can help explain how your site is set up and what its contents are.</P><P><BR></P>
</td>
</tr>
</table>
<!-- begin footer information -->
</body></html>