no previous pagepage up: Anonymous FTP FAQ
next page: 2. Setting up a chrooted Secure Anonymous ftp server.

1. General Description of Setting up an "anonymous" ftp server.


This article is from the Anonymous FTP FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by others.

1. General Description of Setting up an "anonymous" ftp server.

1. Create the user ftp in /etc/passwd. Use a misc group. The user's home directory will be ~ftp where ~ftp is the root you wish anonymous users to see. Creating this user turns on anonymous ftp.

Use an invalid password and user shell for better security. The entry in the passwd file should look something like:

ftp:*:400:400:Anonymous FTP:/home/ftp:/bin/true

2. Create the home directory ~ftp. Make the directory owned by root (NOT ftp) with the same group as ftp. Thus, owner permissions are for root and group permissions are for the anonymous users. Set the permissions for ~ftp to 555 (read, nowrite, execute).

Warning: Some MAN pages recommend making the ~ftp directory owned by ftp. This is a big NO-NO, if you want any type of security on your system.

3. Create the directory ~ftp/bin. This directory is owned by root (group e.g. wheel) with permissions 111 (noread, nowrite, execute).

4. Copy the program ls into ~ftp/bin. ls is owned by root with permissions 111 (noread, nowrite, execute). Any other commands you put in ~ftp/bin should have the same permissions as well.

5. Make the directory ~ftp/etc. This directory is owned by root with permissions 111.

6. Create from scratch the files /etc/passwd and /etc/group in ~ftp/etc. These files should be mode 444. The passwd file should only contain root, daemon, uucp, and ftp. The group file must contain ftp's group. Use your /etc/passwd and /etc/group files as a template for creating passwd and group files going to ~ftp/etc. You may even change the user names in this file, they are used only for 'ls' command. So for example if all files in your ~ftp/pub/linux hierarchy will be maintained by a real user 'balon' with uid=156 you may put

linux:*:156:120:Kazik Balon::

in the ~ftp/etc/passwd file (regardless of his real username). Leave only these users who will own files under ftp hierarchy (e.g. root, daemon, ftp...) and definitely remove *ALL* passwords by replacing them with '*' so the entry looks like:

root:*:0:0:Ftp maintainer::
ftp:*:400:400: Anonymous ftp::

For more security, you can just remove ~ftp/etc/passwd and ~ftp/etc/group (the effect is that ls -l will not show the directories' group names). Wuarchive ftp daemon (and some others) have some extensions based on the contents of the group/passwd files, so read the appropriate documentation.

7. Make the directory ~ftp/pub. This directory is owned by you and has the same group as ftp with permissions 555. On most systems (like SunOS) you may want to make this directory 2555, ie. set-group-id, in order to create new files with the same group ownership.

Files are left here for public distribution. All folders inside ~ftp/pub should have the same permissions as 555.

Warning: Neither the home directory (~ftp) nor any directory below it should be owned by ftp! No files should be owned by ftp either. Modern ftp daemons support all kinds of useful commands, such as chmod, that allow outsiders to undo your careful permission settings. They also have configuration options like the following (WuFTP) to disable them:

      # all the following default to "yes" for everybody
      delete          no      guest,anonymous         # delete permission?
      overwrite       no      guest,anonymous         # overwrite permission?
      rename          no      guest,anonymous         # rename permission?
      chmod           no      anonymous               # chmod permission?
      umask           no      anonymous               # umask permission?

8. If you wish to have a place for anonymous users to leave files, create the directory ~ftp/pub/incoming. This directory is owned by root with permissions 733. Do a 'chmod +t ~ftp/pub/incoming'. The ftp daemon will normally not allow an anonymous user to overwrite an existing file, but a normal user of the system would be able to delete anything. By setting the mode to '1733' you prevent this from happening. In wuftpd you may configure the daemon to create new files with permissions '600' owned by root or any other user. Many times, incoming directories are abused by exchanging pirated and pornographic material. Abusers often create hidden directories there for this purpose. Making the incoming directory unreadable by anonymous ftp helps to some extent. With ordinary ftp severs there is no way to prevent directories being created in incoming. The WUarchive ftp server can limit uploads to certain directories and can restrict characters used in file names like this:

      # specify the upload directory information
      upload  /var/spool/ftp  *       no
      upload  /var/spool/ftp  /incoming       yes     ftp     staff   0600    nodirs
      # path filters                                                                                  # path-filter...
      path-filter  anonymous  /etc/msgs/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
      path-filter  guest      /etc/msgs/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-

Suggestion: Create an extra file-system for your ftp-area (or at least for your incoming-area) to prevent a denial-of-service attack by filling your disk with garbage (inside your incoming directory).

If you have wuftpd you may want to add some ftp extensions like compression/decompression 'on the fly' or creation of tar files for the directory hierarchies. Get the appropriate sources (gzip, gnutar, compress), compile them and link statically, put in the ~ftp/bin directory and edit the appropriate file containing the definitions of the allowed conversions. /usr/bin/tar is already statically-linked. You may wish to use gnu tar anyway.

Gary Mills wrote a small program to support the following:

To do tar and compress, he wrote a tiny program called `pipe', and statically-linked it. His /etc/ftpconversions file looks like this:

      #strip prefix:strip postfix:addon prefix:addon postfix:external command:
      :.Z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
      :-z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
      :  :  :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
      :  :  :.tar:/bin/tar cf - %s:T_REG|T_DIR:O_TAR:TAR
      :  :  :.tar.Z:/bin/pipe /bin/tar cf - %s | /bin/compress -c:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
      :  :  :.tar:/bin/gtar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
      :  :  :.tar.Z:/bin/gtar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
      :  :  :.tar.gz:/bin/gtar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP

Here it is:

      /* pipe.c: exec two commands in a pipe */
      #define NULL (char *)0
      #define MAXA 16
      main(argc, argv) int argc; char *argv[]; {
      char *av1[MAXA], *av2[MAXA];
      int i, n, p[2], cpid;                                                       
      i = 0; n = 0;
      while ( ++i < argc && n < MAXA ) {
      if ( *argv[i] == '|' && *(argv[i]+1) == '\0' ) break;
      av1[n++] = argv[i];
      if ( n == 0 ) uexit();
      av1[n] = NULL;
      n = 0;
      while ( ++i < argc && n < MAXA )
      av2[n++] = argv[i];
      if ( n == 0 ) uexit();
      av2[n] = NULL;
      if ( pipe(p) != 0 ) exit(1);
      if ( ( cpid = fork() ) == (-1) ) exit(1);
      else if ( cpid == 0 ) {
      (void)execv(av1[0], av1);
      else {
      (void)execv(av2[0], av2);
      uexit() {
      (void)write(2, "Usage: pipe  | \n", 34);
      -------- CUT HERE ------------

9. Other things to do:

as root:

touch ~ftp/.rhosts
touch ~ftp/.forward
chmod 400 ~ftp/.rhosts
chmod 400 ~ftp/.forward

ie. make these files zero-length and owned by root.

Due to the last /bin/mail bugs in SunOS:

touch /usr/spool/mail/ftp; chmod 400 /usr/spool/mail/ftp

Consider an email-alias for the ftp-admin(s) to provide an email-address for problems-reports.

If you are mounting some disks from other machines (or even your own) to the ~ftp hierarchy, mount it read-only. The correct entry for the /etc/fstab (on the host with ftpd) is something like:

other:/u1/linux /home/ftp/pub/linux nfs ro,noquota,nosuid,intr,bg 1 0

This mounts under /home/ftp/pub/linux the disk from host 'other' with no quota, no 'suid' programs (just in case), interruptible (in case 'other' goes down) and 'bg' - so if 'other' is down when you reboot it will not stop you trying to mount /home/ftp/pub/linux all over again.


Continue to:

no previous pagepage up: Anonymous FTP FAQ
next page: 2. Setting up a chrooted Secure Anonymous ftp server.