FTP Guest User Setup for Red Hat Linux

FAQ Maintainer, Red Hat, Inc.


This document shows the basic steps needed to configure guest user ftp for Red Hat Linux 6.x and 7.x systems.

1. Configuring Guest FTP Access

1.1 Preface

"Red Hat Tips" are documentation meant to help Red Hat users with specific tasks. Some of these documents are for new users, some are for advanced users. Hopefully each document will also be of help for both new and advanced users. If you have contributions to make, please send them to faq-maintainer@redhat.com. If you have changes that need to be made to individual Tips, send them to the author of that document or the faq-maintainer@redhat.com address if one is not specified.

1.2 Introduction

Guest FTP access is a useful way of allowing users to have file transfer access to specific areas of a site (the root directory of their web site, for example). Some of the steps are similar to virtual FTP setup but the focus of this document is just the guest user setup.

1.3 Software Installation

First of all, make certain that both the wu-ftpd package and the anonftp packages are installed on the system. The versions installed should at minimum match those below:

wu-ftpd-2.5.0-5.6.0
anonftp-2.8-1

Checking to see if they are installed can be done with the following command:

rpm -qa | egrep '(wu-ftpd|anonftp)'

If the packages are not installed, they can be installed from the Red Hat Linux installation CD, as the root user:

mount /mnt/cdrom
cd /mnt/cdrom/RedHat/RPMS/
rpm -ivh wu-ftpd* anonftp*
cd
umount /mnt/cdrom

1.4 Create the guest user account

Create the guest user account the same way a normal user account would be created:

/usr/sbin/useradd theguest

Set up the password for the guest user:

/usr/bin/passwd theguest

When prompted, enter the new password twice:

theguest
theguest

1.5 Stop telnet access

To keep the guest account from logging in interactively (by telnet, for example), give it /bin/true as its shell. Edit /etc/shells and add "/bin/true" to the end if it is not already there. Then:

/usr/bin/chsh theguest

When prompted, enter:

/bin/true

Now edit /etc/passwd and add "/./" to the user's home directory entry. So if /etc/passwd contains:

theguest:x:2855:2857::/home/mrfrog:/bin/true

change it to:

theguest:x:2855:2857::/home/mrfrog/./:/bin/true

This step can be skipped by using the -d option to useradd to specify the user's home directory. This can also be useful if the ftp root is in another location. Likewise, using chsh can also be skipped by using the -s option.

/usr/sbin/useradd -d /var/ftp/virtual/mrfrog/./ -s /bin/true theguest

1.6 Setting up the guest user's home directory

Copy the anonftp files to the guest user's home dir.

cp -a ~ftp/lib ~theguest
cp -a ~ftp/bin ~theguest
cp -a ~ftp/etc ~theguest

or, reading from the ~ftp directory,

( cd ~ftp ; tar cvf - * ) | ( cd ~theguest ; tar xvf - )

will do it too.

1.7 Editing the user-specific passwd and group files

Update the ~theguest/etc/passwd and ~theguest/etc/group files.

Edit the ~theguest/etc/passwd file and remove the line for the FTP user. Append the exact password line for "theguest" from /etc/passwd. But remove theguest's password and replace it with a "*" to make it invalid. For example:

theguest:x:2855:2857::/home/mrfrog/./:/bin/true

will be changed and appended to ~theguest/etc/passwd as:

theguest:*:2855:2857::/home/mrfrog/./:/bin/true

Now modify the ~theguest/etc/group file and add the theguest line found in /etc/group. Delete the ftp group from ~theguest/etc/group as well.

1.8 Setting directory and file permission

chown theguest's home directory and chmod the directories and files according to the following examples:

chown theguest.theguest ~theguest

chmod 750 ~theguest

chown -R root.root ~theguest/etc ~theguest/bin ~theguest/lib

cd ~theguest
chmod -R 555 *

cd etc
chmod 444 *

1.9 Edit /etc/ftpaccess for guest user permissions

Add the following to the end of /etc/ftpaccess

guestgroup theguest

Whether or not theguest can delete, overwrite, or rename files will depend on the settings in /etc/ftpaccess. The default settings are:

chmod           no              guest,anonymous
delete          no              guest,anonymous
overwrite       no              guest,anonymous
rename          no              guest,anonymous

which prohibit the guest accounts from performing chmod, delete, overwrite or rename operations. To allow these operations, the "guest" will have to be removed from the default typelist, like so:

chmod           no              anonymous
delete          no              anonymous
overwrite       no              anonymous
rename          no              anonymous
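
The checks implied by sections 1.5 through 1.9 can be collected into one audit function. This is an added example, not part of the original tip; the name audit_guest and its ROOT prefix argument are assumptions made here so the checks can also run against a copied or test tree.

```shell
#!/bin/sh
# Added example (not from the original tip): audit one guest account against
# steps 1.5-1.9. ROOT is a filesystem prefix; pass "" to check the live system.
# Prints findings and returns how many checks failed.
audit_guest() {
    root=$1 user=$2 bad=0
    entry=$(grep "^$user:" "$root/etc/passwd") || { echo "no passwd entry for $user"; return 1; }
    gid=$(echo "$entry" | cut -d: -f4)
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)
    group=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$root/etc/group")

    # 1.5: the home field needs the "/./" marker; the part before it is the chroot.
    case $home in
        */./*) jail=$root${home%%/./*} ;;
        *) echo "home '$home' has no /./ marker"; bad=$((bad + 1)); jail=$root$home ;;
    esac
    # 1.5: the replacement shell has to be listed in /etc/shells.
    grep -qxF "$shell" "$root/etc/shells" || { echo "shell $shell not in /etc/shells"; bad=$((bad + 1)); }
    # 1.7: the copy inside the chroot carries "*" in the password field.
    pw=$(grep "^$user:" "$jail/etc/passwd" 2>/dev/null | cut -d: -f2)
    [ "$pw" = "*" ] || { echo "chroot etc/passwd: password field is '$pw', not '*'"; bad=$((bad + 1)); }
    # 1.8: nothing under etc, bin or lib carries a write bit.
    for d in etc bin lib; do
        w=$(find "$jail/$d" \( -perm -200 -o -perm -020 -o -perm -002 \) 2>/dev/null | head -n 1)
        [ -z "$w" ] || { echo "writable: $w"; bad=$((bad + 1)); }
    done
    # 1.9: the account's group is named on a guestgroup line.
    awk -v g="$group" '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
        END { exit !ok }' "$root/etc/ftpaccess" ||
        { echo "group '$group' not on a guestgroup line"; bad=$((bad + 1)); }
    # 1.9: list operations with no "no ... guest" line (informational, not counted).
    for op in chmod delete overwrite rename; do
        awk -v op="$op" '$1 == op && $2 == "no" && $3 ~ /(^|,)guest(,|$)/ { ok = 1 }
            END { exit !ok }' "$root/etc/ftpaccess" || echo "note: guests may $op"
    done
    return "$bad"
}
```

Run it as root on the live system with: audit_guest "" theguest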

1.10 Further notes

To Anon or Not to Anon:

Finally, if anon FTP access isn't desired, the anonftp package can be uninstalled. The guest access will still be present and the guest user's lib, etc. and bin directories will be preserved.

rpm -e anonftp

By removing the anonftp package, anyone that expects to ftp into the system will need to be either a regular user or an ftp guest user.

Symlinked directories or files:

A common oops with guest ftp accounts is to try to allow access to other areas of the system with symlinks. But because anonymous ftp operates in a chroot environment where a particular directory becomes the root or / directory (in the example here, /var/ftp/domains/mrfrog is now the root directory for theguest), there is no access to filesystems outside of the anonymous ftp area. This is why there is a copy of various libraries in ~ftp/lib and binaries such as ls in the ~ftp/bin directory.

You might have to copy your files to somewhere under ~ftp, set up another account, or not use the chrooted environment for the users that need access to files elsewhere.

/etc/ftpaccess:

ftpaccess has many more options that can be used to control ftp user access. Read the man page for more information.

Location of the ftp root:

In Red Hat 7, the location for the ftp root was changed from /home/ftp to /var/ftp.

Killing directory listings:

By chmod'ing the ~/lib and ~/bin directories to 111 the users will not be able to see any files that are in the directories. This may be useful for some secured systems.

1.11 Other Resources