SAGE - Sage feature


how-to

Install Anonymous FTP


by Hal Pomeranz

Hal Pomeranz is the Chief Operations Architect for Corio, Inc., an Application Services Provider based in Redwood City, CA.



ANNOUNCING THE SAGE "HOW-TO NOTES" SERIES

With the accompanying first entry by Hal Pomeranz, SAGE is pleased to announce the commencement of the How-To Notes series. Based on an idea floated in last year's <sage-member> survey, this series is a collection of basic information intended to assist sysadmins in quickly getting something running. They will cover such points as where to obtain software, what hardware may be required, and what steps are necessary to get a minimal service configured for "average use." The notes are not designed for advanced configurations, complex installations, or specialized situations. All will eventually be available from the SAGE Web pages. The series editor (not yet selected) will manage new topics and a review cycle.

Questions, comments, and suggestions are always welcome. We hope this series proves valuable to the membership.

This note describes how to configure an anonymous FTP server on a UNIX-like operating system. The steps for configuring the freely available Washington University FTP daemon software (WU FTP) are described, but administrators wishing to use their vendor's anonymous FTP server may do so simply by skipping Section 1, Section 2.7, Section 3.1 (though see Section 3.1.2 for guidelines on how to create an /etc/ftpusers file), and Section 3.3.

The WU FTP software should be used if the administrator wishes to allow file uploads in a secure fashion (Section 2.7). In particular, a good set of requirements for file upload areas includes:

  1. No user may get a directory listing in the upload area or any of its subdirectories (helps prevent disclosure of proprietary information in file or directory names).
  2. Files may only be uploaded into subdirectories of the upload area (helps protect ~ftp/{bin,lib,dev,etc,pub}).
  3. Files that have been uploaded may not be downloaded by any anonymous user (prevents your site from being used as a "warez" site for the dissemination of copyrighted materials).
  4. Files that have been uploaded may not be overwritten (helps prevent confusion and trojan-horse attacks).

    Requirement 1 plays havoc with graphically oriented, "point-and-click" FTP clients that insist on getting directory listings in order to function properly. Most of these clients allow the user to input pathnames from the keyboard, but some amount of user education is likely to be required.

    Requirements 3 and 4 are enforced by configuring the WU FTP daemon to make all uploaded files read-only (mode 400) and owned by root. This implies an administrator or some external process that retrieves files from the upload area and makes them available to internal users.
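One shape that "external process" can take, as an added example that is not part of the SAGE note: a sweep script that moves regular files out of every ~ftp/incoming/<dir> into an internal area, never overwrites, and re-applies the filename rule from the path-filter line of Appendix A. The function names, the internal destination directory and the rejection policy (leave questionable entries in place and report them) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the SAGE note: the "external process" that
# empties ~ftp/incoming/<dir> into an internal area. On a real server
# run it as root, since uploads are root-owned mode 0400 (Appendix A).
# Paths are assumed to contain no whitespace.

name_ok() {
    # same rule as the path-filter line of Appendix A: only
    # [-A-Za-z0-9_.] and no leading '.' or '-'
    case $1 in
        ''|.*|-*)          return 1 ;;
        *[!-A-Za-z0-9_.]*) return 1 ;;
    esac
    return 0
}

SWEEP_MOVED=0   # number of files moved by the last sweep_incoming call

sweep_incoming() {
    ftproot=$1 dest=$2
    SWEEP_MOVED=0
    # entries exactly two levels below incoming/, without descending further
    for f in $(find "$ftproot/incoming" -path "$ftproot/incoming/*/*" -prune -print); do
        area=$(basename "$(dirname "$f")") name=$(basename "$f")
        # symlinks, devices and directories cannot be legitimate uploads
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "REJECT $area/$name: not a regular file"; continue
        fi
        # defence in depth: re-check the name even though ftpd filtered it
        if ! name_ok "$name"; then
            echo "REJECT $area/$name: disallowed name"; continue
        fi
        mkdir -p "$dest/$area"
        # requirement 4: never overwrite, on either side of the move
        if [ -e "$dest/$area/$name" ]; then
            echo "SKIP $area/$name: already retrieved"; continue
        fi
        mv "$f" "$dest/$area/$name" || { echo "FAIL $area/$name"; continue; }
        echo "MOVED $area/$name"
        SWEEP_MOVED=$((SWEEP_MOVED + 1))
    done
}
```

Run it from cron as root with the anonymous FTP root and an internal directory as arguments; anything it reports as REJECT stays in the upload area for a human to look at.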

    1. WU-ftpd

    The Washington University FTP daemon is the de facto standard FTP server for anonymous FTP sites. This is primarily due to the wide variety of features it supports, features that make the code more difficult to audit and therefore more dangerous from a security perspective. If you only need to allow "vanilla" anonymous FTP access (no file uploads, no nonanonymous access), then skip this section and use your OS vendor's ftpd.

    1.1. Download

    1.1.1 Connect to ftp://ftp.academ.com/pub/wu-ftpd/private/

    1.1.2 Download latest beta release (currently wu-ftpd-2.4.2-beta-18.tar.Z)

    1.1.3 Unpack in appropriate source directory

    # mv wu-ftpd-2.4.2-beta-<vers>.tar.Z <srcdir>
    # cd <srcdir>
    # zcat wu-ftpd-2.4.2-beta-<vers>.tar.Z | tar xf -

    where <vers> is the appropriate version number (see previous step) and <srcdir> is some directory on your system where you keep third-party source code.

    1.2. Build Process

    1.2.1 Move to configuration directory.

    # cd wu-ftpd-2.4.2-beta-<vers>/src/config

    1.2.2 Edit the appropriate configuration file for your OS (consult ../../INSTALL for OS type information). If USE_ETC is set, replace it with USE_ETC_FTPD.

    1.2.3 Return to top-level source directory.

    # cd ../..

    1.2.4 Initiate build process.

    # sh build CC=<comp> <target>

    where <comp> is your C compiler (cc by default) and <target> is the appropriate OS identifier.

    1.3. Install

    1.3.1 Edit the top-level Makefile and set BINDIR, ETCDIR, and MANDIR appropriately. WARNING! On most architectures, the default values for these variables will overwrite existing OS binaries and other files. This is probably not what you want.

    1.3.2 Trigger install process.

    # make install

    2. Create anonymous FTP directory

    When a user logs in as anonymous, FTP daemons call chroot() to restrict that user's access to files in your anonymous FTP area only. Make sure that your anonymous FTP area lives in its own partition, and don't make any symbolic links into or out of this area. Also note that the most important and most difficult part of setting up any anonymous FTP installation is getting the directory permissions right. Errors in this step can allow outsiders to modify or overwrite files in your anonymous FTP area and possibly gain shell access to your machine.

    2.1. Create top-level FTP directory

    2.1.1 Make directory.

    # mkdir <path>

    where <path> is where the anonymous FTP area is rooted (e.g., /usr/local/ftp, /export/ftp, etc.).

    NOTE: This step may not be required if the anonymous FTP area is going to be located on an already-mounted partition, or you may have to modify your fstab file and mount the FTP area by hand before proceeding.

    2.1.2 Set ownership and permissions.

    # chmod 755 <path>
    # chown root <path>
    # chgrp root <path>

    2.1.3 Move to new directory.

    # cd <path>

    2.2. Install ls program.

    2.2.1 Make ~ftp/bin directory.

    # mkdir bin

    2.2.2 Copy binary.

    # cp /bin/ls bin

    2.2.3 Set ownership and permissions.

    # chmod 111 bin bin/ls
    # chown root bin bin/ls
    # chgrp root bin bin/ls

    2.3 Install shared libraries.

    NOTE: The commands below are appropriate for Solaris systems. Consult your OS documentation to find out the appropriate libraries for other systems. Skip this step if you can build a statically linked ls program on your machine (ls sources are available from any GNU archive in the fileutils package).

    2.3.1 Make ~ftp/lib directory.

    # mkdir -p usr/lib

    2.3.2 Copy libraries.

    # for lib in ld.so.1 libc.so.1 libdl.so.1 libintl.so.1 \
    > libw.so.1 nss_files.so.1
    > do
    >   cp /usr/lib/$lib usr/lib/$lib
    >   chmod 555 usr/lib/$lib
    > done

    2.3.3 Set ownership and permissions.

    # chmod 111 usr usr/lib
    # chown root usr usr/lib usr/lib/*
    # chgrp root usr usr/lib usr/lib/*

    2.4. Make devices.

    NOTE: The arguments for mknod shown here are for Solaris systems. For other machines, copy the major/minor device numbers, ownership, and permissions from /dev (the ls -l command may be used to show major/minor device numbers).

    2.4.1 Create ~ftp/dev.

    # mkdir dev

    2.4.2 Create device files.

    # mknod dev/tcp c 11 42
    # mknod dev/zero c 13 12

    2.4.3 Set ownership and permissions.

    # chmod 111 dev
    # chmod 666 dev/tcp
    # chmod 444 dev/zero
    # chown root dev dev/tcp dev/zero
    # chgrp sys dev dev/tcp dev/zero

    NOTE: The permissions for dev/tcp shown above are correct.

    2.5. Configure ~ftp/etc directory.

    2.5.1 Create ~ftp/etc directory.

    # mkdir etc

    2.5.2 Create ~ftp/etc/passwd file as follows:

    root:x:0:1:0000-Admin(0000):/:/sbin/sh
    ftp:x:90:1:Anon FTP User:/:/sbin/sh

    WARNING! Do not put actual passwords in the ~ftp/etc/passwd file! Do not create ~ftp/etc/shadow or a similar file!

    2.5.3 Create ~ftp/etc/group file.

    root:*:0:
    other::1:

    2.5.4 Create ~ftp/etc/nsswitch.conf file (not required on non-Solaris machines).

    passwd: files
    group: files

    2.5.5 Create the welcome.msg, msg.toomany, and pathmsg files in ~ftp/etc as documented in Appendices B-D.

    2.5.6 Set ownership and permissions.

    # chmod 444 etc/*
    # chmod 111 etc
    # chown root etc etc/*
    # chgrp root etc etc/*

    2.6. Make download area.

    NOTE: Files in this area will be readable by anonymous users. Make sure that all of the files and subdirectories in this directory are owned by root or somebody other than the anonymous user, ftp, so that there is no chance of the files being overwritten.

    2.6.1 Make ~ftp/pub directory.

    # mkdir pub

    2.6.2 Set ownership and permissions.

    # chmod 555 pub
    # chown root pub
    # chgrp root pub

    2.7. Make upload directories.

    NOTE: Skip this section if you do not wish to allow uploads to your server at all. Do not allow uploads if not using WU FTP.

    2.7.1 Make ~ftp/incoming directory.

    # mkdir incoming

    2.7.2 Set ownership and permissions.

    # chmod 111 incoming
    # chown root incoming
    # chgrp root incoming

    2.7.3 Create one or more individual upload areas (substitute some directory name for <dir> below).

    # mkdir incoming/<dir>
    # chmod 311 incoming/<dir>
    # chown <uid> incoming/<dir>
    # chgrp root incoming/<dir>

    where <uid> is the numeric UID you will use for the ftp user in the system password file.
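Since the note stresses that getting these permissions right is the hardest part, here is an added example (not part of the SAGE note) that builds the non-root portion of the Section 2 skeleton and then audits a tree against the note's rules: exact modes on the entries created above, no symbolic links, nothing group- or world-writable, everything outside incoming/<dir> owned by the expected owner, and no ~ftp/etc/shadow. The function names, the FTP_LAYOUT table and the "drop" upload directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the SAGE note: builds the ~ftp skeleton of
# Section 2 and audits a tree against the note's permission rules.
# Run as root on a real server so that mode-111 directories can be read;
# OWNER is the user that must own everything except incoming/<dir>.
# Paths are assumed to contain no whitespace.

# entries the note creates, as relative-path:exact-mode pairs
FTP_LAYOUT='.:755 bin:111 bin/ls:111 etc:111 pub:555 incoming:111'

make_ftp_skeleton() {
    # mkdir, cp and chmod steps of Sections 2.1-2.7; chown/chgrp and the
    # mknod of Section 2.4 need root and are left out. "drop" stands in
    # for the <dir> of Section 2.7.3.
    root=$1
    mkdir -p "$root/bin" "$root/etc" "$root/pub" "$root/incoming/drop"
    cp "$(command -v ls)" "$root/bin/ls"
    chmod 755 "$root"
    chmod 111 "$root/bin" "$root/bin/ls" "$root/etc" "$root/incoming"
    chmod 555 "$root/pub"
    chmod 311 "$root/incoming/drop"
}

audit_ftp_tree() {
    root=$1 owner=$2 rc=0
    for entry in $FTP_LAYOUT; do
        rel=${entry%:*} mode=${entry#*:}
        if [ ! -e "$root/$rel" ]; then echo "MISSING $rel"; rc=1; continue; fi
        # -prune keeps find on the entry itself; -perm without '-' is exact
        [ -n "$(find "$root/$rel" -prune -perm "$mode")" ] ||
            { echo "BADMODE $rel (want $mode)"; rc=1; }
    done
    # no symbolic links into or out of the area (Section 2)
    for f in $(find "$root" -type l 2>/dev/null); do echo "SYMLINK $f"; rc=1; done
    # nothing group- or world-writable, or ftp could replace ls or a library
    for f in $(find "$root" \( -perm -020 -o -perm -002 \) 2>/dev/null); do
        echo "WRITABLE $f"; rc=1
    done
    # everything outside incoming/<dir> belongs to OWNER (Sections 2.6, 2.7)
    for f in $(find "$root" -path "$root/incoming/*" -prune -o \
                   ! -user "$owner" -print 2>/dev/null); do
        echo "OWNER $f"; rc=1
    done
    # password hashes must never be inside the chroot (Section 2.5.2)
    [ ! -e "$root/etc/shadow" ] || { echo "SHADOW etc/shadow present"; rc=1; }
    return $rc
}
```

On a live server call audit_ftp_tree <path> root after each change to the area; a non-zero exit lists every violation found.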

    3. Other system-configuration tasks

    With the anonymous FTP area successfully configured, the WU FTP software itself must be configured, password entries created, and modifications made to inetd.conf.

    3.1. Create WU FTP configuration files.

    NOTE: Skip this section if not using WU FTP, but do create a file called /etc/ftpusers per Section 3.1.2 (but not /etc/ftpd/ftpusers as documented there).

    3.1.1 Make /etc/ftpd directory

    # mkdir /etc/ftpd
    # chmod 700 /etc/ftpd
    # chown root /etc/ftpd
    # chgrp root /etc/ftpd

    3.1.2 Create /etc/ftpd/ftpusers file. This file contains the list of all users (one per line) not allowed to FTP into the server. It should include root, daemon, bin, nobody, and similar accounts which are not associated with real users.

    3.1.3 Make symlink from traditional /etc/ftpusers location.

    # ln -s /etc/ftpd/ftpusers /etc/ftpusers

    NOTE: If /etc/ftpusers already exists, make sure that /etc/ftpd/ftpusers is a superset of this file, then remove /etc/ftpusers and create the symlink.

    3.1.4 Make empty ftpconversions file.

    # touch /etc/ftpd/ftpconversions

    3.1.5 Create ftpaccess configuration file from Appendix A.

    3.1.6 Set ownership and permissions.

    # chmod 600 /etc/ftpd/ftp*
    # chown root /etc/ftpd/ftp*
    # chgrp root /etc/ftpd/ftp*

    3.2. Make password entry.

    3.2.1 Create entry for the ftp user in /etc/passwd.

    ftp:x:<uid>:<gid>:Anonymous FTP Account:<path>:/dev/null

    <uid> is the numeric user ID used in Section 2.7.3 and <gid> is some unused numeric group ID. <path> is the root of the anonymous FTP area as used in Section 2.1.

    3.2.2 Create the corresponding entry in /etc/shadow or other file as required by your operating system. Do not use a valid DES password string for the ftp user. Instead use a string like *, LOCK, or *NP*. Do not use an empty password field for the ftp user!

    3.3. Make inetd changes.

    NOTE: Skip this section if not using WU FTP.

    3.3.1 Edit /etc/inetd.conf (on some systems, /etc/inet/inetd.conf) and replace the existing entry for ftp with

    ftp stream tcp nowait root <BINDIR>/ftpd ftpd

    where <BINDIR> is the directory chosen for the install of the WU FTP binary in Section 1.3.1.

    3.3.2 Get process ID of running inetd using ps and grep.

    3.3.3 Send SIGHUP to running inetd

    # kill -HUP <pid>

    where <pid> is the process ID determined in the previous step.

    Appendix A. WU FTP ftpaccess Configuration File

    # real users may log in from the 172.16.0.0/16 network -- you
    # probably want to use your internal network address space here
    # instead. Anonymous users may log in from any IP address.
    #
    class users real 172.16.0.0 localhost
    class anon anonymous *

    # Three login attempts are permitted before the user is dropped and
    # a message is logged via syslog.
    #
    loginfails 3

    # Only ten real users are allowed at any time. 100 anonymous users
    # are allowed any Saturday or Sunday, or any weekday between 6pm
    # and 6am local time. At other times, only 60 anonymous users are
    # allowed.
    #
    # Obviously, you'll need to tune these parameters for your server
    # and bandwidth usage limits...
    #
    limit users 10 Any /etc/msg.toomany
    limit anon 100 SaSu|Any1800-0600 /etc/msg.toomany
    limit anon 60 Any /etc/msg.toomany

    # The first two lines cause any files named README* to be printed
    # if the user logs in (in this case the README* files must be in
    # ~ftp) or if the user changes directory into a subdirectory
    # containing a README* file.
    #
    # The next two lines cause the file ~ftp/etc/welcome.msg to be
    # displayed on each login and ".message" files to be displayed if
    # the user "cd"s into a directory containing such a file.
    #
    # "readme" files and "message" files are identical except "message"
    # files are only displayed once per user session, whereas "readme"
    # files are displayed every time the given condition is met.
    #
    readme README* login
    readme README* cwd=*
    message /etc/welcome.msg login
    message .message cwd=*

    # Anonymous users are prompted to enter their email address as a
    # password.
    # "passwd-check" prints a "warn"ing message if the password doesn't
    # look like a standard ("rfc822") email address. If you choose
    # "enforce" rather than "warn" you will end up denying access to
    # many, many people on the Internet who really don't know what
    # their email address is...
    #
    passwd-check rfc822 warn

    # Stop anonymous users from using "interesting" FTP commands.
    # Directory permissions in ~ftp should also stop this behavior,
    # but a little strength in depth never hurts ...
    #
    delete no anonymous
    overwrite no anonymous
    rename no anonymous
    chmod no anonymous
    umask no anonymous

    # NOTE: Insert the correct pathnames for your ~ftp directory
    # here!!! Uploads are generally not allowed in ~ftp, but are
    # allowed in subdirectories of ~ftp/incoming. Files uploaded here
    # will end up being owned by root, mode 0400, so that they cannot
    # be overwritten by other anonymous users.
    #
    upload /local/ftp * no
    upload /local/ftp /incoming/* yes root root 0400

    # Allow anonymous users to specify filenames containing letters,
    # numbers, dash ('-'), underscore ('_'), and period ('.') but not
    # paths which begin with period (e.g., '../../../../../../../etc/passwd',
    # which shouldn't work anyway due to chroot()) or dash (could be
    # trying to play tricks with STDIN/STDOUT).
    #
    path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

    # Log all commands issued by real users as an audit log. Log all
    # transfers to or from this server by real or anonymous users.
    #
    log commands real
    log transfers anonymous,real inbound,outbound

    # Email address used for %E in message files
    #
    email [email protected]

    Appendix B. Welcome Message (~ftp/etc/welcome.msg)

    This is the anonymous FTP server for <insert your company name here>.
    It is primarily for the use of the customers and employees of <your company name>. Please do not abuse this resource. Thank you for your cooperation.
    Note that file transfers to and from this server are now logged. If this bothers you, please log off now.
    If you have any questions about this server, and especially if you have any problems using it, please contact:
    Some Body          [email protected]
    Some Title         +1 (666) 555-5555
    Your Company Name

    If your ftp client has problems with receiving files from this server, send a '-' as the first character of your password (e-mail address).

    Appendix C. Too Many Users Message (~ftp/etc/msg.toomany)

    Sorry, there are too many users on this server at the moment. Please try again in 15 minutes or so.

    If you believe you have received this message in error, please send email to %E.

    Appendix D. Invalid Pathname Message (~ftp/etc/pathmsg)

    Please choose a pathname that does not contain special characters.


Last changed: 22 Mar. 1999 jr