"Red Hat Tips" are documentation meant to help Red Hat users with specific tasks. Some of these documents are for new users, some are for advanced users. Hopefully each document will also be of help for both new and advanced users. If you have contributions to make, please send them to firstname.lastname@example.org. If you have changes that need to be made to individual Tips, send them to the author of that document or the email@example.com address if one is not specified.
Guest FTP access is a useful way of allowing users to have file transfer access to specific areas of a site (the root directory of their web site, for example). Some of the steps are similar to virtual FTP setup but the focus of this document is just the guest user setup.
First of all, make certain that both the wu-ftpd package and the anonftp packages are installed on the system. The versions installed should at minimum match those below:
Checking to see if they are installed can be done with the following command:
rpm -qa | egrep '(wu-ftpd|anonftp)'
If the packages are not installed, they can be installed from the Red Hat Linux installation CD, as the root user:
mount /mnt/cdrom
cd /mnt/cdrom/RedHat/RPMS/
rpm -ivh wu-ftpd* anonftp*
cd
umount /mnt/cdrom
Create the guest user account. The account is created like a normal user would be.
Set up the password for the guest user:
/usr/bin/passwd theguest
theguest
theguest
Stop telnet access
Edit /etc/shells and add "/bin/true" to the end if it is not already there. Then:
When prompted, enter:
Now edit /etc/passwd and add "/./" to the user's home directory entry. So if /etc/passwd contains:
change it to:
This step can be skipped by using the -d option to useradd to specify the user's home directory. This can also be useful if the ftp root is in another location. Likewise, using chsh can also be skipped by using the -s option.
/usr/sbin/useradd -d /var/ftp/virtual/mrfrog/./ -s /bin/true theguest
Copy the anonftp files to the guest user's home dir.
cp -a ~ftp/lib ~theguest
cp -a ~ftp/bin ~theguest
cp -a ~ftp/etc ~theguest
tar cvf - * | ( cd ~theguest ; tar xvf -)
will do it too.
Update the theguest/etc/passwd and theguest/etc/group files
Edit the theguest/etc/passwd file and remove the line for the FTP user. Append the exact password line for "theguest" from /etc/passwd, but remove theguest's password and replace it with a "*" to make it invalid. For example:
will be changed and appended to theguest/etc/passwd as:
Now modify theguest/etc/group file and add the theguest line found in /etc/group. Delete the ftp group from theguest/etc/group as well.
chown theguest's home directory and chmod the directories and files according to the following examples:
chown theguest.theguest ~theguest
chmod 750 ~theguest
chown -R root.root ~theguest/etc ~theguest/bin ~theguest/lib
cd ~theguest
chmod -R 555 *
cd etc
chmod 444 *
Add the following to the end of /etc/ftpaccess
Whether or not theguest can delete, overwrite, or rename files will depend on the settings in /etc/ftpaccess. The default settings are:
chmod no guest,anonymous
delete no guest,anonymous
overwrite no guest,anonymous
rename no guest,anonymous
which prohibit the guest accounts from performing chmod, delete, overwrite or rename operations. To allow these operations, the "guest" will have to be removed from the default typelist, like so:
chmod no anonymous
delete no anonymous
overwrite no anonymous
rename no anonymous
To Anon or Not to Anon:
Finally, if anon FTP access isn't desired, the anonftp package can be uninstalled. The guest access will still be present and the guest user's lib, etc. and bin directories will be preserved.
rpm -e anonftp
By removing the anonftp package, anyone that expects to ftp into the system will need to be either a regular user or an ftp guest user.
Symlinked directories or files:
A common oops with guest ftp accounts is to try and allow access to other areas of the system with symlinks. Anonymous ftp operates in a chroot environment where a particular directory becomes the root or / directory (in the example here, /var/ftp/domains/mrfrog is now the root directory for theguest), so there is no access to filesystems outside of the anonymous ftp area, and a symlink that points outside it cannot be followed. This is why there is a copy of various libraries in ftp/lib and binaries such as ls in the ftp/bin directory.
You might have to copy your files to somewhere under ftp, set up another account, or not use the chrooted environment for the users that need access to files elsewhere.
ftpaccess has many more options that can be used to control ftp user access. Read the man page for more information.
Location of the ftp root:
In Red Hat 7, the location for the ftp root was changed from /home/ftp to /var/ftp.
Killing directory listings:
By chmod'ing the /lib and /bin directories to 111 the users will not be able to see any files that are in the directories. This may be useful for some secured systems.
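The ownership and mode step, the passwd/group edits and the symlink note above can be verified after setup with a short audit script. This is an added example, not part of the original Tip or of the wu-ftpd package: the function names check_guest_entry and check_guest_chroot and the finding labels are made up for illustration, and it assumes readlink is available.

```sh
#!/bin/sh
# Added example (not from the original Tip): audit a guest FTP account and its
# chroot tree against the steps described above. Function names are hypothetical.

# Prefix each stdin line with a label; succeeds only if there was a finding.
report() { sed "s|^|$1: |" | grep .; }

# check_guest_entry USER [PASSWD_FILE]: home needs "/./", shell must be /bin/true
check_guest_entry() {
    awk -F: -v u="$1" '$1 == u { seen = 1
        if ($6 !~ /\/\.\//)    print u " home lacks /./ marker"
        if ($7 != "/bin/true") print u " shell is " $7 }
        END { if (!seen) print u " not found" }' "${2:-/etc/passwd}" |
        report ENTRY && return 1
    return 0
}

# check_guest_chroot HOME [OWNER]: OWNER defaults to root (chown -R root.root)
check_guest_chroot() {
    home=$1 owner=${2:-root} rc=0
    for d in etc bin lib; do
        [ -d "$home/$d" ] || { echo "MISSING: $home/$d"; rc=1; continue; }
        # chmod -R 555 and chmod 444 leave no write bit in these trees
        # (symlinks are skipped: their own mode bits are not meaningful)
        find "$home/$d" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) \
            -print | report WRITABLE && rc=1
        find "$home/$d" ! -user "$owner" -print | report OWNER && rc=1
    done
    for f in "$home/etc/passwd" "$home/etc/group"; do
        [ -f "$f" ] || continue
        # the ftp user and group are supposed to be removed from the copies
        awk -F: -v f="$f" '$1 == "ftp" { print f }' "$f" |
            report FTP_ENTRY && rc=1
    done
    # every password field in the chroot copy must be the invalid "*"
    [ -f "$home/etc/passwd" ] &&
        awk -F: '$2 != "*" { print $1 }' "$home/etc/passwd" |
            report PASSWORD && rc=1
    # absolute symlink targets resolve against the chroot root, not the real /
    find "$home" -type l -exec sh -c \
        'case $(readlink "$1") in /*) echo "$1";; esac' sh {} \; |
        report ABS_SYMLINK && rc=1
    return $rc
}
```

Run the functions as root, for example check_guest_entry theguest followed by check_guest_chroot ~theguest, so that find can read the whole tree even when bin and lib are set to mode 111.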