
4. FTP Setup Tips for versions 7.x

4.1 Getting Started

It is recommended that you install with one of the Server installation groups, or use Custom and either select all packages or make sure that wu-ftpd, anonftp and xinetd are installed. Selecting the Anonymous FTP Server group at installation time is the simplest option.

Packages that are installed for the installation groups can be found on the installation CD in the RedHat/base/comps file.

The section for the Anonymous FTP Server contains the following:

  xinetd
  wu-ftpd
  anonftp

The Network Server group includes the following packages:

  openssh-server
  sysstat
  xinetd
  talk-server
  telnet-server
  rusers-server
  rwall-server
  finger-server
  rsh-server
  tftp-server
  ypserv

The packages can be installed by mounting the installation CD-ROM and running the commands:

    cd /mnt/cdrom/RedHat/RPMS
    rpm -Uvh xinetd* wu-ftpd* anonftp*

/var/ftp is the root directory for the FTP server. The anonftp package sets almost everything up. It provides generic copies of the libraries and files needed in /var/ftp/*. For most uses, no further configuration is needed by the administrator.

4.2 Secure it up

The anonftp RPM places some binaries and libraries under the FTP root (/var/ftp, the home directory of the ftp user) to allow FTP users to do things like automatically gunzip files as they are being retrieved, or retrieve whole directories as tar files. A few of the extra files placed by the anonftp RPM will probably never be used, and should be removed in the interest of security.

        # -f keeps rm quiet about files your anonftp version does not ship
        cd ~ftp/bin
        rm -f cpio sh zcat
        cd ../etc
        rm -f ld.so.cache
        cd ../lib
        rm -f ld.so* libtermcap*

Finally, the permissions should be changed on these files to improve security.

        chmod 111 ~ftp/bin/* ~ftp/bin ~ftp/etc ~ftp/lib
        chmod 444 ~ftp/etc/*
        chmod 555 ~ftp ~ftp/lib/*

When you're done, you should have the following (any files you removed above will not be listed):

/var/ftp/bin/:
total 328
d--x--x--x    2 root     root         4096 Dec 19 08:26 .
dr-xr-xr-x    6 root     root         4096 Dec 19 08:26 ..
---x--x--x    1 root     root        16284 Aug 17 10:53 compress
---x--x--x    1 root     root        50140 Aug 17 10:53 cpio
---x--x--x    1 root     root        51804 Aug 17 10:53 gzip
---x--x--x    1 root     root        43612 Aug 17 10:53 ls
---x--x--x    1 root     root       146940 Aug 17 10:53 tar
lrwxrwxrwx    1 root     root            4 Dec 19 08:26 zcat -> gzip

/var/ftp/etc/:
total 20
d--x--x--x    2 root     root         4096 Dec 19 08:26 .
dr-xr-xr-x    6 root     root         4096 Dec 19 08:26 ..
-r--r--r--    1 root     root           53 Aug 17 10:53 group
-r--r--r--    1 root     root          485 Aug 17 10:53 ld.so.cache
-r--r--r--    1 root     root           79 Aug 17 10:53 passwd

/var/ftp/lib/:
total 1444
d--x--x--x    2 root     root         4096 Dec 19 08:26 .
dr-xr-xr-x    6 root     root         4096 Dec 19 08:26 ..
-r-xr-xr-x    1 root     root        90092 Aug 17 10:53 ld-2.1.92.so
lrwxrwxrwx    1 root     root           12 Dec 19 08:26 ld-linux.so.2 -> ld-2.1.92.so
-r-xr-xr-x    1 root     root      1109404 Aug 17 10:53 libc-2.1.92.so
lrwxrwxrwx    1 root     root           14 Dec 19 08:26 libc.so.6 -> libc-2.1.92.so
-r-xr-xr-x    1 root     root        80224 Aug 17 10:53 libnsl-2.1.92.so
lrwxrwxrwx    1 root     root           16 Dec 19 08:26 libnsl.so.1 -> libnsl-2.1.92.so
-r-xr-xr-x    1 root     root        38876 Aug 17 10:53 libnss_files-2.1.92.so
lrwxrwxrwx    1 root     root           22 Dec 19 08:26 libnss_files.so.2 -> libnss_files-2.1.92.so
-r-xr-xr-x    1 root     root        86548 Aug 17 10:53 libpthread-0.8.so
lrwxrwxrwx    1 root     root           17 Dec 19 08:26 libpthread.so.0 -> libpthread-0.8.so
-r-xr-xr-x    1 root     root        25688 Aug 17 10:53 librt-2.1.92.so
lrwxrwxrwx    1 root     root           15 Dec 19 08:26 librt.so.1 -> librt-2.1.92.so
lrwxrwxrwx    1 root     root           19 Dec 19 08:26 libtermcap.so.2 -> libtermcap.so.2.0.8
-r-xr-xr-x    1 root     root        12088 Aug 17 10:53 libtermcap.so.2.0.8

If you're missing any of these files, other than the ones you removed yourself, re-install the anonftp RPM and try again. To see the permissions as shown above, type the command

        ls -al ~ftp/*/

You will get the listings as shown above.

By default, /var/ftp/pub is created with 2755 permissions (set group ID on execution). To tighten that up, use

        chmod 555 ~ftp/pub

Place any files you want to make available via FTP in the /pub/ directory. You can make subdirectories in /pub/ as well.

For security, and to make sure anonymous users can read the files, all files in /pub/ should be set to mode 444, and all directories to mode 555. Do this with:

        chmod 444 (name-of-file)
        chmod 555 (name-of-directory)

Some sites have an "incoming" directory, where users can drop off files to be added to your archive. I do not recommend this unless it's absolutely necessary, since such directories are inevitably abused by pirated-software traders and the like (Note: Under US Federal Law a site is responsible for its content). If you want an incoming directory anyway:

        mkdir ~ftp/incoming
        chmod 333 ~ftp/incoming

The mode 333 means that people will be able to change into the directory, and place files there, but not list any files in the directory. This will deter improper use somewhat, but don't put too much faith in it - again, the best way to make sure an incoming directory isn't abused is not to have one. If you do have an incoming directory, check it daily and clean out anything you don't want around.

You're all set! For security, make sure that nothing below /var/ftp is writeable by anyone:

        chmod -R a-w ~ftp

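(You'll still be able to write to the FTP directories as root. This command also strips the write bits from an incoming directory, so if you keep one, set it back to mode 333 afterwards.)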
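
The permission rules from this section collected into one audit function, as an added example that is not part of the original HOWTO. The names audit_ftp_tree and make_sample_tree are hypothetical, the sample tree is constructed, and an incoming directory is left out of the write-bit check because it is meant to be mode 333.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP tree against the modes in this section.
# Run as root; the mode-111 directories cannot be listed by other users.

# has_mode PATH MODE: succeeds when PATH's permission bits are exactly MODE.
has_mode() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }

# audit_ftp_tree ROOT: print one finding per line; return 1 if there are any.
audit_ftp_tree() {
    root=${1:-/var/ftp}
    findings=$(
        has_mode "$root" 555 || echo "MODE $root (want 555)"
        for d in bin etc lib; do
            [ ! -d "$root/$d" ] || has_mode "$root/$d" 111 ||
                echo "MODE $root/$d (want 111)"
        done
        # An incoming directory, if kept, must be write+search only (333).
        [ ! -d "$root/incoming" ] || has_mode "$root/incoming" 333 ||
            echo "MODE $root/incoming (want 333)"
        # Outside incoming, no write bit for anyone (symlinks are skipped).
        find "$root" -path "$root/incoming" -prune -o ! -type l \
            \( -perm -200 -o -perm -020 -o -perm -002 \) -print 2>/dev/null |
            sed 's/^/WRITABLE /'
        # Under pub: directories 555, files 444.
        if [ -d "$root/pub" ]; then
            find "$root/pub" -type d ! -perm 555 -print 2>/dev/null |
                sed 's/^/MODE /; s/$/ (want 555)/'
            find "$root/pub" -type f ! -perm 444 -print 2>/dev/null |
                sed 's/^/MODE /; s/$/ (want 444)/'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_tree DIR: constructed sample tree carrying the section's modes.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/etc" "$1/lib" "$1/pub/docs"
    : > "$1/bin/ls"; : > "$1/etc/passwd"
    : > "$1/lib/libc.so.6"; : > "$1/pub/docs/README"
    chmod 111 "$1"/bin/*
    chmod 444 "$1"/etc/* "$1/pub/docs/README"
    chmod 555 "$1"/lib/* "$1/pub/docs" "$1/pub" "$1"
    chmod 111 "$1/bin" "$1/etc" "$1/lib"
}

# Stand-alone use: sh audit.sh /var/ftp (with no argument, only define functions).
if [ $# -gt 0 ]; then audit_ftp_tree "$1"; fi
```

Files dropped into incoming are not inspected here; the daily manual check described above still applies.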

