This ``howto'' gives the details on how to set up anonymous ftp for your Un*x machine (specific details are for Linux, but are generally applicable). The assumption is that ftp is already enabled. If not, check the following files and modify them accordingly:
- /etc/services - make sure the ftp service exists with a line like:
ftp 21/tcp
- /etc/inetd.conf - establish ftp as an inetd service. It should have a line like:
ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd
(see the inetd.conf(5), hosts_access(5), & tcpd(8) man pages)
- /etc/ftpaccess - make sure that it exists and gives the appropriate access to real users as well as anonymous ones.
(see the ftpaccess(5) man page)
- /etc/ftpusers - disallows ftp access for certain privileged users, such as root, uucp, and news. This is done by listing them, one user per line.
(see the ftpd(8) man page)
- /etc/ftpconversions - maps how conversions are carried out (e.g. .tar.gz <-> .tar, etc.)
(see the ftpconversions(5) man page)
Setting up anonymous ftp
If all of the following steps are successful, you should have a fully functional anonymous ftp site. User rk will have a directory ~ftp/pub/rk where he can make any file he desires publicly available.
- Add ftp as a user with a home directory, but no shell and no password, to disallow any type of shell login. The uid & gid need to follow the usual rules for accounts.
- Change to the ftp home directory (cd ~ftp) and create the directories (etc, bin, pub, lib) with restricted permissions and ownership:
mkdir etc bin pub lib
chmod 755 etc bin pub lib .
chown root.root etc bin pub lib .
- Anonymous ftp attempts to make things more secure by using the chroot mechanism, which changes the root to something lower in the directory tree. This requires some of the system files to be copied to this ``new'' root.
Copy the system /etc/passwd & /etc/group to ~ftp/etc and edit them. Strip them to the bare bones. Remember that any anonymous ftp user can read these.
~ftp/etc/passwd:
root:*:0:0:root:/root:/bin/csh
bin:*:1:1:bin:/bin:
adm:*:3:4:adm:/var/adm:
ftp:*:400:400::/u/ftp:/bin/false
~ftp/etc/group:
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
mail::12:mail
news::13:news
uucp::14:uucp
man::15:man
src::16:root,bin,src
ftp::400:root,bin,src
Once they have been created, give these files only read access with:
cd ~ftp/etc
chmod 444 *
- ftp uses a single executable, ``ls'', which is probably dynamically linked to a run-time library. The following assumes a particular library version, which should be modified for your own set-up.
Discover the dynamically loaded library:
ldd /bin/ls
Copy over the executable and library:
umask 022
cp /bin/ls ~ftp/bin
cp /lib/libc.so.5.3.12 ~ftp/lib
cp /lib/ld.so ~ftp/lib
cd ~ftp/lib
ln -s libc.so.5.3.12 libc.so.5
- Experience has shown that using the dynamically linked ``ls'' doesn't work in all cases. (It did work for Linux when it used the a.out format of executables. It does not work under the Linux ELF format.) The following section describes the ``easiest'' path to create a statically linked ls executable.
- The first thing to do is to grab the latest GNU file utilities collection. The closest & readily available anonymous ftp site is ftp://ftp.cdrom.com/pub/gnu/fileutils-3.16.tar.gz.
- Unzip & un-tar it somewhere:
tar -xzvf fileutils-3.16.tar.gz
- Go into that directory and execute:
cd fileutils-3.16
./configure
- Go into the library directory and build the library:
cd lib
make
- Enter the source directory and build only the ls utility with static linking. (The example assumes the GNU gcc compiler & loader is being used. Substitute the appropriate loader command for your system.)
cd ../src
make LDFLAGS=-static ls
- Test it with ldd to make sure it's statically linked and that it executes correctly with ./ls
If everything works out, the ~ftp/lib can be eliminated once the statically linked ls is moved to ~ftp/bin.
- Add allowed user directories to pub, with the appropriate permissions and ownership:
cd ~ftp/pub
mkdir rk
chown rk.owen rk
chmod 755 rk
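The ownership and permission settings from the steps above can be checked after the fact. The script below is an added example, not part of the original howto: the function names, finding labels and the constructed sample tree are assumptions, and it reports where a ~ftp tree departs from the layout described here.

```sh
#!/bin/sh
# audit_ftp_root ROOT [OWNER] (hypothetical helper): print one line per
# finding and return the number of findings. OWNER defaults to root.
audit_ftp_root() {
    root=$1 owner=${2:-root}
    findings=$(
        for d in . etc bin pub lib; do
            if [ ! -d "$root/$d" ]; then
                # lib may be removed once a statically linked ls is in bin
                [ "$d" = lib ] || echo "MISSING $root/$d"
                continue
            fi
            # howto: chown root.root etc bin pub lib .
            find "$root/$d" -prune ! -user "$owner" -exec echo BAD-OWNER {} \;
        done
        # howto: chmod 444 on everything in ~ftp/etc
        if [ -d "$root/etc" ]; then
            find "$root/etc" -type f ! -perm 444 -exec echo NOT-444 {} \;
        fi
        # anonymous users can read etc/passwd, so field 2 must be "*"
        if [ -f "$root/etc/passwd" ]; then
            awk -F: '$2 != "*" { print "PASSWD-FIELD " $1 }' "$root/etc/passwd"
        fi
        # howto uses mode 755 throughout: nothing group- or world-writable
        find "$root" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec echo WRITABLE {} \;
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return $(( $(printf '%s\n' "$findings" | wc -l) ))
}

# Constructed sample tree in the howto's layout (not a real site).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/etc" "$t/bin" "$t/pub" "$t/pub/rk"
    chmod 755 "$t" "$t/etc" "$t/bin" "$t/pub" "$t/pub/rk"
    printf '%s\n' 'root:*:0:0:root:/root:/bin/csh' \
        'ftp:*:400:400::/u/ftp:/bin/false' > "$t/etc/passwd"
    printf '%s\n' 'root::0:root' 'ftp::400:root,bin,src' > "$t/etc/group"
    chmod 444 "$t/etc/passwd" "$t/etc/group"
    echo "$t"
}

# Usage: sh audit.sh ~ftp        (exit status = number of findings)
if [ $# -gt 0 ]; then
    audit_ftp_root "$@"
fi
```

The PASSWD-FIELD finding prints only the account name, never the contents of the password field.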
Last Modified: 1997/02/26 10:53:46
Brought to you by: R.K. Owen,Ph.D.
This page is http://owen.sj.ca.us/rkowen/howto/anonftp.html