To allow anonymous FTP access to your system, you must have a user account named ftp. Most distributions already create this account for you; if your system does not have one, you will have to create it. You then place restrictions on the ftp account so that remote FTP users cannot reach any other part of your system, and you make sure its entry in /etc/passwd does not permit a normal login. The following is the entry you find in /etc/passwd on Red Hat systems for the anonymous FTP account:
ftp:x:14:50:FTP User:/var/ftp:
The x in the password field means that the account's password hash is kept in /etc/shadow rather than in this file. On Red Hat the ftp line in /etc/shadow holds a locked password (*) instead of a hash, which is what prevents anyone from logging in as ftp and thereby taking control of its files or reaching other parts of your system. An empty shell field, as in the entry above, adds no protection on its own, because login treats it as /bin/sh; current Red Hat releases therefore give the account /sbin/nologin as its shell. The user ID, 14, is unique to this account. The comment field is FTP User. The login directory is /var/ftp; when anonymous FTP users log in, they are placed in this directory. If the home directory has not been set up, create it and make sure it is owned by root, not by the ftp user, using the chown command as shown later in this section.
The group ID is the ID of the ftp group, which is set up only for anonymous FTP users. You can set up restrictions on the ftp group, thereby restricting any anonymous FTP users. Here is the entry for the ftp group you find in the /etc/group file. If your system does not have one, you should add it:
ftp::50:
If you are creating virtual FTP hosts, you will need to create an FTP user for each one, along with its directories. For example, to create an FTP server for a host1-ftp host, you would create a host1-ftp user with its own directory.
useradd -M -d /var/host1-ftp -g ftp -c "FTP User" -s /sbin/nologin host1-ftp
This creates an entry like the following. The UID (shown here as 1001) is whichever free one useradd assigns, and useradd leaves the new account's password locked in /etc/shadow, so it cannot be used for normal logins. The -M option tells useradd not to create the home directory, because you create it by hand with root ownership in the next step:
host1-ftp:x:1001:50:FTP User:/var/host1-ftp:/sbin/nologin
You would also need to create the corresponding home directory, /var/host1-ftp in this example, and set its permissions to give users restricted access.
mkdir /var/host1-ftp
chmod 755 /var/host1-ftp
You also need to make sure that the root user owns the directory, not the new FTP users. This gives control of the directory only to the root user, not to any user that logs in.
chown root:root /var/host1-ftp
As previously noted, on Red Hat the FTP home directory is /var/ftp, and anonymous users are placed there when they log in. The daemon confines (chroots) anonymous sessions to this directory, so an important part of protecting your system is ensuring that nothing outside it, in particular no commands or programs, is reachable from inside. For example, an anonymous user cannot run your ls to list filenames, because ls lives in /bin, outside the confined directory; at the same time, you want FTP users to be able to list filenames. Newer FTP daemons such as vsftpd and ProFTPD solve this problem by implementing directory listings and the other operations they need internally, so no system commands, files or libraries have to be made available inside the FTP tree, and remote users stay restricted to the FTP site's directories. In any event, make sure the FTP home directory is owned by root, not by the ftp user, and carries no group or other write permission (mode 755 or 555); otherwise the account the daemon runs anonymous sessions as could add or replace files at the top of the tree. Use ls -ld to check the ownership and permissions of the directory itself (without -d, ls would list its contents instead):
ls -ld /var/ftp
To change a directory's ownership you use the chown command, as shown in this example:
chown root:root /var/ftp
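As an added check (example code, not from the original page), the following script verifies that an FTP account meets the conditions described above: its password is locked in /etc/shadow, its shell refuses interactive logins, and its home directory is owned by root with no group or other write permission. The PASSWD and SHADOW variables and the function names are assumptions; the same checks apply to the virtual-host accounts created with useradd.

```shell
#!/bin/sh
# Added example, not from the original page: verifies that an FTP account is
# set up as the text describes. PASSWD and SHADOW default to the system files
# and can be overridden to run the checks against copies (assumed layout:
# standard seven-field passwd and nine-field shadow lines). Requires GNU stat.
PASSWD=${PASSWD:-/etc/passwd}
SHADOW=${SHADOW:-/etc/shadow}

# Print the passwd line for user $1, failing if there is none.
passwd_entry() {
    grep "^$1:" "$PASSWD"
}

# 0 if the account's password is locked: field 2 of passwd is x (the hash is
# kept in shadow) and the shadow field starts with * or !, which no password
# can ever match. A real hash, or an empty field, means the account can log in.
account_locked() {
    entry=$(passwd_entry "$1") || return 1
    [ "$(printf '%s\n' "$entry" | cut -d: -f2)" = x ] || return 1
    hash=$(grep "^$1:" "$SHADOW" | cut -d: -f2)
    case "$hash" in
        '*'*|'!'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# 0 if the login shell refuses interactive logins. An empty shell field is
# NOT safe: login treats it as /bin/sh.
shell_is_nologin() {
    entry=$(passwd_entry "$1") || return 1
    case "$(printf '%s\n' "$entry" | cut -d: -f7)" in
        */nologin|*/false) return 0 ;;
        *)                 return 1 ;;
    esac
}

# 0 if directory $1 is owned by root and has no group or other write bit,
# so the ftp user cannot add or replace files in it.
home_dir_safe() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %U "$1")" = root ] || return 1
    case "$(stat -c %a "$1")" in
        *[2367]?|*[2367]) return 1 ;;   # group (2nd last) or other (last) digit has the write bit
    esac
    return 0
}

# Run all three checks for user $1, reporting each failure; usage:
#   check_ftp_account ftp
check_ftp_account() {
    entry=$(passwd_entry "$1") || { echo "$1: no passwd entry"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    rc=0
    account_locked "$1"   || { echo "$1: password is not locked in $SHADOW"; rc=1; }
    shell_is_nologin "$1" || { echo "$1: shell permits interactive login"; rc=1; }
    home_dir_safe "$home" || { echo "$home: not root-owned, or group/other writable"; rc=1; }
    return $rc
}
```

Running check_ftp_account ftp as root (reading /etc/shadow requires it) prints one line per failed condition and exits non-zero, so it can be dropped into a post-install or audit script. Note that the check deliberately rejects an empty shell field, since that is not a lock.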
Another, more traditional, solution is to copy the few system directories and files remote users need into the ftp directory, where the confinement makes them reachable. A bin directory is created inside the ftp directory, and remote users are restricted to it instead of the system's /bin: whenever they run ls, they get the copy in ftp/bin, not the one in /bin.
If, for some reason, you set up the anonymous FTP directories yourself, use chmod to set the permissions so that remote users cannot modify them or reach the rest of your system. Create the ftp directory and give it mode 555 to turn off write access: chmod 555 ftp. Next, make a bin directory inside it and copy the ls command into ftp/bin; do the same for any other commands you want to make available to FTP users. Then create ftp/etc to hold copies of your passwd and group files, which ls needs to map numeric IDs to names; the idea is that FTP users never touch the originals in /etc. Edit ftp/etc/passwd to remove the entries for the regular users on your system, and set the password field of every remaining entry to x (never copy real password hashes into the tree). For the group file, remove all user groups and set all password fields to x. Finally, create ftp/lib and copy in the shared libraries the commands in ftp/bin need; ldd shows which ones (statically linked binaries need none).
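The following script, added here and not part of the original page, carries out the traditional procedure above end to end: it creates the bin, etc, lib and pub tree, copies ls together with the shared libraries ldd reports for it, writes sanitized passwd and group copies, and applies the 555 modes and root ownership. The UID/GID cut-off used to recognize regular users, the function names and the use of ldd are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: builds the self-contained FTP
# tree described above (bin, etc, lib, pub) with sanitized passwd and group
# copies. The UID/GID cut-off for "regular users" and the use of ldd to find
# shared libraries are assumptions; run as root to get root ownership.

# Regular accounts start at 1000 on current Red Hat systems (older releases
# used 500); match UID_MIN/GID_MIN in /etc/login.defs.
REGULAR_ID_MIN=${REGULAR_ID_MIN:-1000}

# Create the directory layout under $1.
ftp_chroot_skeleton() {
    mkdir -p "$1/bin" "$1/etc" "$1/lib" "$1/pub"
}

# passwd and group share the layout name:password:numeric-id:..., so one
# filter serves both: keep only entries below the cut-off (system accounts
# and groups, which includes ftp at UID 14 / GID 50) and replace every
# password field with x so no hash is ever copied into the tree.
sanitize_id_file() {
    awk -F: -v min="$REGULAR_ID_MIN" 'BEGIN { OFS = ":" }
        ($3 + 0) < min { $2 = "x"; print }' "$1"
}

# Copy command $2 into $1/bin together with the shared libraries ldd reports,
# each placed at its original path below $1 (e.g. $1/lib64/ld-linux-x86-64.so.2)
# because that is where the dynamic loader looks for it inside the chroot.
install_with_libs() {
    cp -p "$2" "$1/bin/"
    ldd "$2" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                    $1 ~ /^\// { print $1 }' |
    while read -r lib; do
        mkdir -p "$1$(dirname "$lib")"
        cp -p "$lib" "$1$lib"
    done
}

# Apply the read-only modes from the text (555 for the tree, 755 for pub,
# which root populates) and, when running as root, give everything to root
# so the ftp user owns nothing inside the tree.
ftp_chroot_lockdown() {
    chmod 555 "$1" "$1/bin" "$1/etc" "$1/lib"
    chmod 755 "$1/pub"
    [ "$(id -u)" -eq 0 ] && chown -R root:root "$1"
    return 0
}

# The whole procedure; usage (as root): build_anon_ftp /var/ftp
build_anon_ftp() {
    ftp_chroot_skeleton "$1"
    install_with_libs "$1" /bin/ls
    sanitize_id_file /etc/passwd > "$1/etc/passwd"
    sanitize_id_file /etc/group  > "$1/etc/group"
    ftp_chroot_lockdown "$1"
}
```

Run build_anon_ftp /var/ftp as root on the server; the individual functions can be exercised against a scratch directory first. With vsftpd or ProFTPD none of this is needed, since those daemons produce listings themselves rather than running an external ls for anonymous users.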
A directory named pub, located in the FTP home directory, usually holds the files you are making available for downloading by remote FTP users. When FTP users log in, they are placed in the FTP home directory (/var/ftp on Red Hat), and they can then change to the pub directory to start accessing those files (/var/ftp/pub on Red Hat). Within the pub directory, you can add as many files and directories as you want. You can even designate some directories as upload directories, enabling FTP users to transfer files to your system.
In each subdirectory set up under the pub directory to hold FTP files, you should create a README file and an INDEX file as a courtesy to FTP users. The README file contains a brief description of the kind of files held in this directory. The INDEX file contains a listing of the files and a description of what each one holds.