Configuring File Transfer Protocol (FTP) servers
The File Transfer Protocol (FTP) server included in the system
provides support for an anonymous FTP account. There may be
several access points for this account, known as ``FTP virtual
domains'' depending on the IP addresses (real and aliased)
that are defined on the system.
The
FTP Server Manager
allows you to perform common configuration and
administration tasks on the FTP server, such as:
WARNING:
Because of the inherent security problems associated with
FTP, you should read the guidelines given in
``FTP server security''
if you want to provide FTP services.
FTP server security
You can use the
FTP Server Manager
to check on various aspects of FTP server security:
Additionally, if you are setting up a publicly available FTP server,
you should consider assigning a dedicated mountable filesystem to
the ~ftp/pub/incoming directory. This will protect your system
against an attacker who tries to fill your hard disk with large files or
many small files (to use up the available inodes). Such an attack
could render your system practically unusable
until you remove the offending files.
It is most convenient to reserve a filesystem
for the incoming
directory when you install your system
or when you add a hard disk (see
diskadd(ADM)).
Alternatively, if the incoming
directory is on a ufs or vxfs filesystem,
you can set up hard and soft limit
quotas for the disk space and number of inodes
that the ftp user is allowed (see
quota(ADM)
and related manual pages ).
It is also advisable to set up a regular cron job to purge the
directory of old or excessively large files,
and to report any possible problems with disk usage (see
crontab(C)).
For example, the following crontab entries for
root check hourly for the existence of files bigger than
10MB, and once per day
delete files which have not been modified within the last 30 days:
0 * * * * ksh -c "find ~ftp/pub/incoming -type f -size +10485760c -exec ls -l {} \; >> /var/adm/log/incoming.log"
0 0 * * * ksh -c "find ~ftp/pub/incoming -type f -mtime +30 -exec rm -f {} \; 2>&1 > /dev/null"
For more on anonymous FTP security,
consult the information available from CERT at the
URL:
ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config.
You can also obtain information about the known abuses of anonymous
FTP at the URL:
ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses.
The FTP Server Manager interface
You can use the
FTP Server Manager to administer local or remote
FTP servers.
You can start the FTP Server Manager in any of these ways:
-
Start the \*(sOadmin launcher by entering scoadmin on the command
line, and then select
Networking FTP Server Manager.
-
Enter the command scoadmin FTP Server Manager on the command
line (or abbreviate this to scoadmin FTP).
For more information about using the \*(sOadmin managers, see
``Administering your system with \*(sOadmin''.
Configuring anonymous FTP
To configure anonymous FTP using the FTP
Manager:
-
Select
FTP Anonymous Configure.
-
Enter the following information for the anonymous FTP account:
Anonymous FTP home-
The home directory for anonymous FTP access.
The default value is /home/ftp.
NOTE:
For preference, specify a home directory on a local filesystem.
If the FTP server system uses NFS to mount
the home filesystem from a remote file server,
it must have root access to this filesystem for
FTP to work correctly (see
exportfs(NADM)).
Click on Suggest if you want the
FTP Server Manager
to suggest a value for the home directory.
Click on Select if you want to choose
a directory using a file browser.
User ID-
The user ID of the anonymous FTP account.
Click on Suggest if you want the
FTP Server Manager
to suggest a value for the user ID.
The default user ID is 300.
Allow incoming transfers-
Select this if you want to allow anonymous FTP users to be
able to put files in the ~ftp/pub/incoming directory
hierarchy in the anonymous FTP area. Deselect this
if you want the anonymous FTP account only
to allow read access to the ~ftp/pub directory hierarchy.
By default, incoming transfers are allowed.
NOTE:
If you allow incoming transfers, anonymous FTP users
are permitted to view the contents of the ~ftp/pub/incoming
directory by default.
If you want to prevent possible abusers from viewing the contents
of this directory, change its mode to 1733 using the
chmod(C)
command.
Alternatively,
you can prevent unauthorized access to the contents of uploaded files
by controlling their owner, group, and mode as described in
``Controlling access to directories''.
If the host being configured is an NIS client, creation of
the anonymous FTP user account will fail if ftp
is present in the passwd map for the NIS domain.
To create a local anonymous FTP user, stop NIS
using the command sh /etc/inid.d/nis stop, configure anonymous
FTP, and then restart NIS using the command
sh /etc/inid.d/nis start.
-
Click on OK to accept.
This procedure will set up the anonymous FTP account and
home directory hierarchy for the primary domain.
If you subsequently want to enable or disable incoming transfers,
follow the instructions given in
``Configuring FTP home directories''.
For information on setting up anonymous FTP access
to virtual domains and their home directories, see
``Configuring FTP virtual domains''
and
``Configuring FTP home directories''.
Configuring compression and archival commands
Compression, uncompression, and tar archival are
implicit operations that you can use with the get command in
ftp(TC).
When you request a file from an FTP server using get,
ftpd attempts to supply a file with the specified name
from the current directory.
If the server cannot find the file, it will then attempt to generate the
requested filename from those listed in the current directory using
the conversion rules in /etc/ftpconversions.
If ftpd finds an output filename that matches the one
specified, it performs the conversion and sends the result to you.
For example, you would enter the ftp
command get foo to have the remote
FTP server uncompress the file named
foo.Z before sending it to you. (If a file named
foo also exists in the same directory as foo.Z,
the server will send you this instead.)
Similarly, the command get bar.Z would cause the server
to compress the file named bar before transmitting it.
To archive and compress the hierarchy below a
directory named src so that it can be sent as one file,
you would enter get src.tar.Z.
To control who is allowed to use the compression and archival commands
on an FTP server,
edit the arguments to the compress and tar
keyword lines in /etc/ftpaccess. By default, the
following lines in this file allow the class all (consisting of
anonymous, guest, and real users)
to use the commands:
compress yes all
tar yes all
If you want to prevent anonymous FTP users from using these
commands, create a class anonclass containing anonymous
and amend the lines to read:
compress no anonclass
compress yes all
tar no anonclass
tar yes all
By default, the FTP Server Manager configures the
compress and tar binaries for use on an
FTP server.
To make additional compression and archival
programs available for use:
-
Edit /etc/ftpconversions to define the rules for
automatically compressing, uncompressing, archiving, and unarchiving files
based on their file extension.
Suitable rules are already given in ftpconversions for the
compress, cpio and tar commands.
Rules are also listed in the ftpconversions file
for archival and compression programs such as gzip, zip,
and unzip. These programs are not provided, but
you can obtain them from the Internet if required.
-
Each rule in the ftpconversions file show which programs
are needed to perform a particular conversion. The pathnames are
specified relative to the FTP home directory.
If the programs do not already exist in the FTP home area,
you must copy them there together with any dynamic linked libraries
that they need.
Copy the binary for each program to the appropriate directory
(usually ~ftp/bin) in the FTP home area.
Change the mode of each copied binary
to 111, and change its owner and group to root and sys:
chmod 111 filename
chown root:sys filename
NOTE:
Some commands require other commands to be copied to the FTP area.
For example, to be able to archive directory hierarchies,
cpio needs to read output piped from find.
To perform the piping, cpio also needs the pipeline
program which must exist in FTP's ~ftp/etc/inet directory.
The FTP Server Manager
installs pipeline when the FTP home area is created.
-
Run the command dump -Lv filename on each binary to
find out which dynamic linked libraries it uses. (You can also use the
ldd command if this is available on your system.)
For example, cpio requires the libraries
libc.so.1,
libxattr.so,
and libthread.so.1 from
/usr/lib.
Copy each library to the appropriate ~ftp/usr/lib
or ~ftp/lib directory in the FTP home area
if it is not already present.
Change the mode of the copied library to 444, and change its owner and
group to root and sys:
chmod 444 filename
chown root:sys filename
NOTE:
As an exception, the mode of the library libc.so.1 must be 111.
This library should already be present in the FTP area's
~ftp/usr/lib directory.
See also:
Controlling access to anonymous FTP
To disable access to anonymous
FTP using the FTP Server Manager,
select
FTP Anonymous Disable.
To re-enable access to anonymous
FTP using the FTP Server Manager, select
FTP Anonymous Enable.
Removing anonymous FTP
To remove anonymous FTP using the FTP
Manager, select
FTP Anonymous Remove.
Click on OK when asked to confirm.
NOTE:
This procedure removes the anonymous user account as well as its
home directory hierarchy. If you want to re-use the anonymous user's
ID, you may not be able to do so until the time period defined by
the variable UIDAGE in /etc/default/userdel
has elapsed. The default time period is 12 months.
Scheduling the shutdown of the FTP server
To schedule when the FTP server will be shut down
using the FTP Server Manager:
-
If you have not already configured a shutdown file, select
Options General,
then enter the pathname of the file that the FTP server should use.
Click on OK to accept.
-
Select
FTP Server Disable.
-
Enter the date and time at which you want to
shut down the FTP server.
-
Enter the number of hours and minutes before shutdown when new connections
will be denied. The default value is 30 minutes.
-
Enter the number of hours and minutes before shutdown when existing
connections will be closed. The default value is 10 minutes.
-
If required, you can edit the message that will warn users of the
impending shutdown. See
ftpshut(ADMN)
for the magic cookies, such as ``%s'' for the shutdown time,
that you can use in this message.
-
Click on OK to accept.
To re-enable the server, select
FTP Server Enable.
Configuring user classes
A user class defines a set of users according to the account
type they are accessing and their IP address or domain name.
You can then limit access by classes as described in
``Setting class limits''.
NOTE:
The special class anon is predefined for anonymous FTP
users accessing the FTP server from any IP address.
If you remove this class, an anonymous user will not be able to log into the
FTP server unless the anonymous user is defined as a member
of another class whose address matches that of their system.
To configure a class using the FTP Server Manager:
-
Select
View Classes.
-
To define a new class, select
Edit Add.
To modify an existing class, click on the group from those displayed, then
select
Edit Modify.
-
Enter the following information for the class:
Class name-
A unique name for the class.
User types-
The types of user who will be included in this class.
Select one or more of:
Anon-
corresponds to ftp or anonymous
Guest-
members of a guest group
Real-
real users defined on the system
Addresses-
One or more IP addresses or domain names which define where
you expect users in this class to be coming from. You can use the
character ``'' to replace any element of an address. For example,
``'' would match all addresses, ``.mynet.com'' would match both
rivers.mynet.com and seas.mynet.com, and
``200.25..'' would match any IP address that begins 200.25.
For each address you enter, click on Add to add it to the list.
Anon group-
The name of the group to which an anonymous user in this class will be set.
This allows you to set up directories and files that only certain classes
of anonymous users can access.
-
Click on OK to accept.
Setting class limits
To configure limits for a class using the
FTP Server Manager:
-
Select
View Class limits.
-
To define new limits for a class, select
Edit Add.
To modify existing limits for a class,
click on the class from those displayed, then select
Edit Modify.
-
Enter the following information for the class:
Class-
The name of the class to which the limit will be applied.
Max users-
The maximum number of users in this class who can gain access at the same
time. Enter the value -1 or select Unlimited if you do not want to
restrict the number.
Times-
The days and times at which the limit will be applied.
To edit these, click on Select.
Enter the time range and day, then click on Add
to add it to the list of access times. Repeat this for each access time
range you require, then click on OK to accept.
Message file-
(Optional)
The pathname of a message file that will be displayed to a user if they
are denied access. Click on Select to choose the file
using a file browser.
-
Click on OK to accept.
NOTE:
If you define more than one limit for a class, the FTP
server will use the first limit listed that is applicable to the time
at which a user attempts to access the system.
To change the position of a limit, select it from those listed and use
View Raise
and
View Lower
to move it up or down the list.
Controlling access to directories
To control access permissions to directories into
which users can put files:
-
In the FTP Server Manager, select
View Directory access.
-
To define new directory access permissions, select
Edit Add.
To modify existing directory access permissions,
click on the directory from those displayed, then select
Edit Modify.
-
Enter the following information for the directory:
Home directory-
The name of the home directory used for FTP access.
You can select from a list of all home directories known to the system.
Directory pattern-
The directory below the home directory to which access permissions will apply.
You can use the character ``'' to replace any element
of a directory's pathname. For example,
``'' would match all directories, ``/incoming/'' would match all
directories below /incoming.
Uploads-
Whether a user can put files onto the server.
Owner-
The user who will own uploaded files.
Group-
The group who will own uploaded files.
Mode-
The octal mode for uploaded files. Click on Select to change the
read, write, and execute permissions for the owner, group, and other users.
Create subdirs-
Whether a user can create new subdirectories of the directory.
-
Click on OK to accept.
Denying access to hosts
To deny access to users from certain host addresses:
-
In the FTP Server Manager,
select
View Denied hosts.
-
To define new denied hosts, select
Edit Add.
To modify existing denied hosts,
click on the address pattern from those displayed, then select
Edit Modify.
-
Enter the following information for the denied host address:
Address-
An IP address or domain name which defines the host(s)
that are to be denied access.
You can use the character ``'' to replace any element
of an address. For example, ``'' would match all addresses,
``.mynet.com'' would deny access to any host in the domain
mynet.com, and
``200.25..'' would deny access to any host having an IP
address that begins 200.25.
Deny unresolvable address-
Deny access to users from any host whose IP address cannot be
resolved into a domain name.
Message file-
(Optional)
The pathname of a message file that will be displayed to a user if they
are denied access. Click on Select to choose the file
using a file browser.
-
Click on OK to accept.
Denying access to users
To deny access to a user:
-
In the FTP Server Manager,
select
View Denied users.
-
To define a user to be denied access, select
Edit Add.
-
Choose the name of the user from the pull-down list.
-
Click on OK to accept.
WARNING:
To maintain system security, we recommend that you always
deny access to root.
We also recommend that you deny access to accounts which do not use
one of the standard shells listed in /etc/shells.
If you choose to enable access by root,
uncomment the /sbin/sh line in /etc/shells.
You do not need to deny access to accounts which do not have passwords.
The FTP server will not service these users.
Configuring FTP virtual domains
Virtual domains allow you to create alternative access points for
anonymous FTP on the same FTP server.
Each virtual domain name may be
associated with the IP address of a real networking interface,
or with an IP address that is an alias of a real IP
address. You can use virtual domains to set up FTP areas
that are specific to anonymous FTP users for different departments,
organizations or companies.
The primary FTP domain is defined as the
domain name with which you initially configured a server.
If required, you can set up an FTP virtual domain
with the same IP address and domain name as the primary domain.
Anonymous FTP users will be directed to this virtual domain
instead of to the primary domain. Guest and real users will continue to use
the primary domain.
See
``Virtual domains''
for more information.
To configure a virtual domain using the FTP Server Manager:
-
Select
View FTP virtual domains.
-
To define a new virtual domain, select
Edit Add.
To modify an existing virtual domain,
click on the domain from those displayed, then
select
Edit Modify.
-
Enter the following information for the virtual domain:
IP Address-
The IP address of the virtual domain. Click on Select
to select an IP address from those configured on the server.
You cannot select default values for the other fields until you have
entered an IP address in this field.
Anonymous FTP home-
The pathname of the root directory for anonymous FTP
to this virtual domain. Click on Select to choose a directory
using a file browser, or click on Default to use the default
location under
/var/internet/ip/IP_address/ftp/ftp.
Banner file-
The pathname of the file containing the message that is displayed to users
before they enter their user name and password. Click on Select
to choose a file using a file browser, or click on Default to use
the default pathname for this virtual domain.
Log file-
The pathname of the file used to log FTP file transfers.
Click on Select
to choose a file using a file browser, or click on Default to use
the default pathname for this virtual domain.
Alternatively, select Use primary log file to use the
same log file as that used by the primary domain (/var/adm/xferlog).
-
Click on OK to accept.
You must now set up the home directories for each virtual domain as
described in
``Configuring FTP home directories''.
Configuring guest groups
If a real user accessing the FTP server
is a member of a guest group defined in /etc/group,
they will be permitted
access to a different FTP home directory from that
available to anonymous FTP users. All users in the same guest group
share an FTP home directory for access to the FTP server.
To define a guest group using the FTP Server Manager:
-
Select
View Guest groups.
-
Select
Edit Add.
-
Choose the name of the group from the pull-down list.
-
Click on OK to accept.
You must now set up the home directories for each guest group as
described in
``Configuring FTP home directories''.
See
Administering users and groups
for information on how to set up user accounts and groups.
Viewing FTP logs
To view the FTP logs using the FTP Server Manager,
select
View Log.
By default, the FTP Server Manager displays log
entries for the primary FTP domain and all configured
virtual domains.
To restrict the domains for which entries are displayed:
-
Select
Edit Modify.
-
To hide the log entries for a domain, select it from the list of visible
domains, then click on Hide to move it to the
list of hidden domains.
To reveal the log entries for a domain, select it from the list of hidden
domains, then click on Reveal to move it to the
list of visible domains.
-
Click on OK to accept the changes.
To change the level of detail shown for log entries, use
View Expand
and
View Collapse.
The FTP Server Manager will update the displayed log entries
at regular intervals.
To change the time interval between autorefreshes, select
View Set Auto Refresh,
enter the interval period in minutes, then click on OK.
To turn off autorefreshing, select
View Set Auto Refresh,
then select Off.
To turn on autorefreshing, select
View Set Auto Refresh,
then select On.
To refresh the view yourself, select
View Refresh now.
See
``Setting FTP server options''
for information on how to control the types of events that are logged.
Configuring login and change directory messages
To configure the messages that are configured to be displayed when a
user logs in using FTP, or when a user changes directory:
-
In the FTP Server Manager, select
View Messages.
-
If a suitable message does not already exist, select
Edit Add.
If a message does already exist, select
Edit Modify.
-
Select the type of message:
Login message-
Display a message file to users when they log in.
Enter the pathname of the file containing the message, or click on
Select to select a file using a file browser.
Login README-
Tell users about a README file when they log in.
Enter the pathname of the file containing the message, or click on
Select to select a file using a file browser.
See
``Magic cookies''
for details of the text insertion macros that you can insert in this file.
Directory message-
Display a message file to users
when they change to the specified directory.
Enter the pathname of the file containing the message, or
click on Select to select a file using a file browser.
Directory README-
Tell users about a README file
when they change to the specified directory.
Enter the pathname of the file containing the message, or
click on Select to select a file using a file browser.
See
``Magic cookies''
for details of the text insertion macros that you can insert in this file.
You can specify the classes to which the server will display messages.
If no classes are specified, all FTP users will see the messages.
You can use the character ``'' to replace
any element of a change directory path or the pathname of a
README file.
For example, specifying ``'' for a change directory path would cause
the associated message to be displayed whenever the user changes directory.
A README file path specified as ``README''
would match any file with this pattern such as README or
READMENOW in the root directory of the FTP user.
NOTE:
For anonymous FTP users, pathnames are assumed to be relative
to the anonymous FTP home directory.
-
Click on OK to accept the changes.
Configuring FTP home directories
You can use the FTP Server Manager to manage the home
directories of the anonymous FTP user in the
primary domain, of anonymous FTP users in virtual domains,
and of guest groups:
-
Select one of Anonymous FTP, FTP virtual
domains, or Guest groups from the Home menu, then
select the operation that you want to perform on their home directories:
Install-
Set up the home directories, and populate them with the
files needed for FTP operation. You can also control whether users
are allowed to put files on the server in the ~ftp/pub/incoming
directory using the Allow incoming transfers option.
Deselect this if you want
to allow read access only to the ~ftp/pub directory hierarchy.
By default, incoming transfers are allowed.
NOTE:
Even if you allow incoming transfers, users
are not permitted to view the contents of the ~ftp/pub/incoming
directory by default.
If you want to permit this, change the permissions
on the ~ftp/pub/incoming directory to 1777 using the
chmod(C)
command.
The default permissions on this directory are 1733.
Modify-
Enable or disable incoming file transfers after the home
directories have already been set up.
Verify-
Check the sizes, permissions and ownerships of files in the home directories.
Discrepancies are reported but not corrected.
NOTE:
You may see warnings about possible discrepancies in the passwd and
group files that have been copied to an FTP home area.
This is intended to remind you to check these files for entries
that could compromise your system's security.
Correct-
Check the sizes, permissions and ownerships of files in the home
directories. Any discrepancies are automatically reported and corrected.
Remove-
Remove the entire home directory hierarchy for the user.
-
Click on OK to accept the changes.
Setting FTP server options
To set FTP server options using the FTP Server Manager:
-
Select the type of options you want to configure from the
Options menu:
-
Enter the new settings for the options, then click on OK to
accept.
General options
You can set the following general options:
Max number of failed logins-
The maximum number of times that a user may attempt to log in and fail
before the connection will be terminated.
The default value is 5 attempts.
Session timeout (seconds)-
The period of time in seconds that must elapse before
an inactive connection will be terminated.
The default value is 900 seconds.
Max session timeout (seconds)-
The maximum inactive period in seconds that an FTP client can request.
The default value is 7200 seconds (2 hours).
Shutdown file-
The pathname of the file that the FTP server checks to see if and
when it is going to be shut down, and the message that should be displayed
to users. This file is created by the shutdown procedure described in
``Scheduling the shutdown of the FTP server''.
See
ftpshut(ADMN)
for the format of this file
including details of the ``magic cookies''
(text insertion macros) that you can use.
Click on Select to change the
shutdown file using a file browser.
Banner file-
The pathname of the file that contains the message that is displayed to
users when they connect to the FTP server. Click on
Select to change the banner file using a file browser.
See
``Magic cookies''
for details of the text insertion macros that you can insert in this file.
Email address-
The e-mail address of the FTP server administrator.
Logging options
You can set the following event logging options:
Commands-
Select whether to log commands issued by anonymous, guest, and real users.
Uploads-
Select whether to log transfers of files to the server
by anonymous, guest, and real users.
Downloads-
Select whether to log transfers of files from the server
by anonymous, guest, and real users.
Permission options
You can set the following command permission options:
chmod-
Select whether anonymous, guest, and real users are allowed to change
file permissions.
delete-
Select whether anonymous, guest, and real users are allowed to delete
files.
overwrite-
Select whether anonymous, guest, and real users are allowed to overwrite
files.
Security options
You can set the following security options for anonymous FTP
access:
Level of password checking-
Select how strict anonymous user passwords are checked.
If Trivial is selected,
the password must contain an ``@'' character.
If Strict is selected, the password is checked to see if
it complies with RFC 822.
Enforcement-
If Warning is selected, an anonymous user
who gives an invalid password is warned and then allowed to log in.
If Logout is selected, an anonymous user who gives an invalid
password is warned and their connection is terminated.
For more about FTP
For more information about FTP, see the following manual pages:
Manual page
|
Information provided
|
ftp(TC)
|
File transfer program
|
ftp(SLIB)
|
FTP API functions
|
ftpaccess(SFF)
|
FTP server configuration file
|
ftpconversions(SFF)
|
FTP server conversions database
|
ftpcount(ADMN)
|
Show current number of FTP users for each class
|
ftpd(ADMN)
|
DARPA Internet File Transfer Protocol server
|
ftpgroups(SFF)
|
FTP group access file
|
ftphosts(SFF)
|
Allow or deny access to individual FTP users from various hosts
|
ftpshut(ADMN)
|
Close down the FTP servers at a given time
|
ftpusers(SFF)
|
Deny access to individual FTP users
|
ftpwho(ADMN)
|
Show current process information for each FTP user
|
xferlog(SFF)
|
Format of FTP server logfile
|
More information about FTP may be obtained by consulting the
following
RFCs:
RFC
|
Title
|
959
|
File Transfer Protocol (FTP)
|
1123
|
Requirements for Internet Hosts -- Application and Support
|
1127
|
Perspective on the Host Requirements RFCs
|
1579
|
Firewall-Friendly FTP
|
For more on anonymous FTP security,
consult the information available from CERT at the
URL:
ftp://info.cert.org/pub/tech_tips/security_info.
You can also obtain information about the known abuses of anonymous
FTP at the URL:
ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses.
© 2007 The Santa Cruz Operation, Inc. All rights reserved
OpenServer 6 and UnixWare (SVR5) HDK - 05 June 2007