DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Configuring File Transfer Protocol (FTP) servers

Configuring File Transfer Protocol (FTP) servers

The File Transfer Protocol (FTP) server included in the system provides support for an anonymous FTP account. There may be several access points for this account, known as ``FTP virtual domains'' depending on the IP addresses (real and aliased) that are defined on the system.

The FTP Server Manager allows you to perform common configuration and administration tasks on the FTP server, such as:


WARNING: Because of the inherent security problems associated with FTP, you should read the guidelines given in ``FTP server security'' if you want to provide FTP services.

FTP server security

You can use the FTP Server Manager to check on various aspects of FTP server security:

Additionally, if you are setting up a publicly available FTP server, you should consider assigning a dedicated mountable filesystem to the ~ftp/pub/incoming directory. This will protect your system against an attacker who tries to fill your hard disk with large files or many small files (to use up the available inodes). Such an attack could render your system practically unusable until you remove the offending files. It is most convenient to reserve a filesystem for the incoming directory when you install your system or when you add a hard disk (see diskadd(ADM)). Alternatively, if the incoming directory is on a ufs or vxfs filesystem, you can set up hard and soft limit quotas for the disk space and number of inodes that the ftp user is allowed (see quota(ADM) and related manual pages ).

It is also advisable to set up a regular cron job to purge the directory of old or excessively large files, and to report any possible problems with disk usage (see crontab(C)). For example, the following crontab entries for root check hourly for the existence of files bigger than 10MB, and once per day delete files which have not been modified within the last 30 days:

   0 * * * * ksh -c "find ~ftp/pub/incoming -type f -size +10485760c -exec ls -l {} \; >> /var/adm/log/incoming.log"
   0 0 * * * ksh -c "find ~ftp/pub/incoming -type f -mtime +30 -exec rm -f {} \; 2>&1 > /dev/null"
For more on anonymous FTP security, consult the information available from CERT at the URL: ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config.

You can also obtain information about the known abuses of anonymous FTP at the URL: ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses.

The FTP Server Manager interface

You can use the FTP Server Manager to administer local or remote FTP servers. You can start the FTP Server Manager in any of these ways:

For more information about using the \*(sOadmin managers, see ``Administering your system with \*(sOadmin''.

Configuring anonymous FTP

To configure anonymous FTP using the FTP Manager:

  1. Select FTP -> Anonymous -> Configure.

  2. Enter the following information for the anonymous FTP account:

    Anonymous FTP home
    The home directory for anonymous FTP access. The default value is /home/ftp.


    NOTE: For preference, specify a home directory on a local filesystem. If the FTP server system uses NFS to mount the home filesystem from a remote file server, it must have root access to this filesystem for FTP to work correctly (see exportfs(NADM)).

    Click on Suggest if you want the FTP Server Manager to suggest a value for the home directory.

    Click on Select if you want to choose a directory using a file browser.


    User ID
    The user ID of the anonymous FTP account. Click on Suggest if you want the FTP Server Manager to suggest a value for the user ID. The default user ID is 300.

    Allow incoming transfers
    Select this if you want to allow anonymous FTP users to be able to put files in the ~ftp/pub/incoming directory hierarchy in the anonymous FTP area. Deselect this if you want the anonymous FTP account only to allow read access to the ~ftp/pub directory hierarchy. By default, incoming transfers are allowed.


    NOTE: If you allow incoming transfers, anonymous FTP users are permitted to view the contents of the ~ftp/pub/incoming directory by default. If you want to prevent possible abusers from viewing the contents of this directory, change its mode to 1733 using the chmod(C) command. Alternatively, you can prevent unauthorized access to the contents of uploaded files by controlling their owner, group, and mode as described in ``Controlling access to directories''.

    If the host being configured is an NIS client, creation of the anonymous FTP user account will fail if ftp is present in the passwd map for the NIS domain. To create a local anonymous FTP user, stop NIS using the command sh /etc/inid.d/nis stop, configure anonymous FTP, and then restart NIS using the command sh /etc/inid.d/nis start.


  3. Click on OK to accept.
This procedure will set up the anonymous FTP account and home directory hierarchy for the primary domain. If you subsequently want to enable or disable incoming transfers, follow the instructions given in ``Configuring FTP home directories''.

For information on setting up anonymous FTP access to virtual domains and their home directories, see ``Configuring FTP virtual domains'' and ``Configuring FTP home directories''.

Configuring compression and archival commands

Compression, uncompression, and tar archival are implicit operations that you can use with the get command in ftp(TC). When you request a file from an FTP server using get, ftpd attempts to supply a file with the specified name from the current directory. If the server cannot find the file, it will then attempt to generate the requested filename from those listed in the current directory using the conversion rules in /etc/ftpconversions. If ftpd finds an output filename that matches the one specified, it performs the conversion and sends the result to you.

For example, you would enter the ftp command get foo to have the remote FTP server uncompress the file named foo.Z before sending it to you. (If a file named foo also exists in the same directory as foo.Z, the server will send you this instead.) Similarly, the command get bar.Z would cause the server to compress the file named bar before transmitting it. To archive and compress the hierarchy below a directory named src so that it can be sent as one file, you would enter get src.tar.Z.

To control who is allowed to use the compression and archival commands on an FTP server, edit the arguments to the compress and tar keyword lines in /etc/ftpaccess. By default, the following lines in this file allow the class all (consisting of anonymous, guest, and real users) to use the commands:

compress	yes	all
tar		yes	all
If you want to prevent anonymous FTP users from using these commands, create a class anonclass containing anonymous and amend the lines to read:
compress	no	anonclass
compress	yes	all
tar		no	anonclass
tar		yes	all

By default, the FTP Server Manager configures the compress and tar binaries for use on an FTP server. To make additional compression and archival programs available for use:

  1. Edit /etc/ftpconversions to define the rules for automatically compressing, uncompressing, archiving, and unarchiving files based on their file extension. Suitable rules are already given in ftpconversions for the compress, cpio and tar commands.

    Rules are also listed in the ftpconversions file for archival and compression programs such as gzip, zip, and unzip. These programs are not provided, but you can obtain them from the Internet if required.

  2. Each rule in the ftpconversions file show which programs are needed to perform a particular conversion. The pathnames are specified relative to the FTP home directory. If the programs do not already exist in the FTP home area, you must copy them there together with any dynamic linked libraries that they need.

    Copy the binary for each program to the appropriate directory (usually ~ftp/bin) in the FTP home area. Change the mode of each copied binary to 111, and change its owner and group to root and sys:

    chmod 111 filename
    chown root:sys filename


    NOTE: Some commands require other commands to be copied to the FTP area. For example, to be able to archive directory hierarchies, cpio needs to read output piped from find. To perform the piping, cpio also needs the pipeline program which must exist in FTP's ~ftp/etc/inet directory. The FTP Server Manager installs pipeline when the FTP home area is created.

  3. Run the command dump -Lv filename on each binary to find out which dynamic linked libraries it uses. (You can also use the ldd command if this is available on your system.) For example, cpio requires the libraries libc.so.1, libxattr.so, and libthread.so.1 from /usr/lib. Copy each library to the appropriate ~ftp/usr/lib or ~ftp/lib directory in the FTP home area if it is not already present. Change the mode of the copied library to 444, and change its owner and group to root and sys:

    chmod 444 filename
    chown root:sys filename


    NOTE: As an exception, the mode of the library libc.so.1 must be 111. This library should already be present in the FTP area's ~ftp/usr/lib directory.

See also:

Controlling access to anonymous FTP

To disable access to anonymous FTP using the FTP Server Manager, select FTP -> Anonymous -> Disable.

To re-enable access to anonymous FTP using the FTP Server Manager, select FTP -> Anonymous -> Enable.

Removing anonymous FTP

To remove anonymous FTP using the FTP Manager, select FTP -> Anonymous -> Remove. Click on OK when asked to confirm.


NOTE: This procedure removes the anonymous user account as well as its home directory hierarchy. If you want to re-use the anonymous user's ID, you may not be able to do so until the time period defined by the variable UIDAGE in /etc/default/userdel has elapsed. The default time period is 12 months.

Scheduling the shutdown of the FTP server

To schedule when the FTP server will be shut down using the FTP Server Manager:

  1. If you have not already configured a shutdown file, select Options -> General, then enter the pathname of the file that the FTP server should use. Click on OK to accept.

  2. Select FTP -> Server -> Disable.

  3. Enter the date and time at which you want to shut down the FTP server.

  4. Enter the number of hours and minutes before shutdown when new connections will be denied. The default value is 30 minutes.

  5. Enter the number of hours and minutes before shutdown when existing connections will be closed. The default value is 10 minutes.

  6. If required, you can edit the message that will warn users of the impending shutdown. See ftpshut(ADMN) for the magic cookies, such as ``%s'' for the shutdown time, that you can use in this message.

  7. Click on OK to accept.
To re-enable the server, select FTP -> Server -> Enable.

Configuring user classes

A user class defines a set of users according to the account type they are accessing and their IP address or domain name. You can then limit access by classes as described in ``Setting class limits''.


NOTE: The special class anon is predefined for anonymous FTP users accessing the FTP server from any IP address. If you remove this class, an anonymous user will not be able to log into the FTP server unless the anonymous user is defined as a member of another class whose address matches that of their system.

To configure a class using the FTP Server Manager:

  1. Select View -> Classes.

  2. To define a new class, select Edit -> Add.

    To modify an existing class, click on the group from those displayed, then select Edit -> Modify.

  3. Enter the following information for the class:

    Class name
    A unique name for the class.

    User types
    The types of user who will be included in this class. Select one or more of:

    Anon
    corresponds to ftp or anonymous

    Guest
    members of a guest group

    Real
    real users defined on the system

    Addresses
    One or more IP addresses or domain names which define where you expect users in this class to be coming from. You can use the character ``*'' to replace any element of an address. For example, ``*'' would match all addresses, ``*.mynet.com'' would match both rivers.mynet.com and seas.mynet.com, and ``200.25.*.*'' would match any IP address that begins 200.25.

    For each address you enter, click on Add to add it to the list.


    Anon group
    The name of the group to which an anonymous user in this class will be set. This allows you to set up directories and files that only certain classes of anonymous users can access.

  4. Click on OK to accept.

Setting class limits

To configure limits for a class using the FTP Server Manager:

  1. Select View -> Class limits.

  2. To define new limits for a class, select Edit -> Add.

    To modify existing limits for a class, click on the class from those displayed, then select Edit -> Modify.

  3. Enter the following information for the class:

    Class
    The name of the class to which the limit will be applied.

    Max users
    The maximum number of users in this class who can gain access at the same time. Enter the value -1 or select Unlimited if you do not want to restrict the number.

    Times
    The days and times at which the limit will be applied. To edit these, click on Select. Enter the time range and day, then click on Add to add it to the list of access times. Repeat this for each access time range you require, then click on OK to accept.

    Message file
    (Optional) The pathname of a message file that will be displayed to a user if they are denied access. Click on Select to choose the file using a file browser.

  4. Click on OK to accept.


NOTE: If you define more than one limit for a class, the FTP server will use the first limit listed that is applicable to the time at which a user attempts to access the system. To change the position of a limit, select it from those listed and use View -> Raise and View -> Lower to move it up or down the list.

Controlling access to directories

To control access permissions to directories into which users can put files:

  1. In the FTP Server Manager, select View -> Directory access.

  2. To define new directory access permissions, select Edit -> Add.

    To modify existing directory access permissions, click on the directory from those displayed, then select Edit -> Modify.

  3. Enter the following information for the directory:

    Home directory
    The name of the home directory used for FTP access. You can select from a list of all home directories known to the system.

    Directory pattern
    The directory below the home directory to which access permissions will apply. You can use the character ``*'' to replace any element of a directory's pathname. For example, ``*'' would match all directories, ``/incoming/*'' would match all directories below /incoming.

    Uploads
    Whether a user can put files onto the server.

    Owner
    The user who will own uploaded files.

    Group
    The group who will own uploaded files.

    Mode
    The octal mode for uploaded files. Click on Select to change the read, write, and execute permissions for the owner, group, and other users.

    Create subdirs
    Whether a user can create new subdirectories of the directory.

  4. Click on OK to accept.

Denying access to hosts

To deny access to users from certain host addresses:

  1. In the FTP Server Manager, select View -> Denied hosts.

  2. To define new denied hosts, select Edit -> Add.

    To modify existing denied hosts, click on the address pattern from those displayed, then select Edit -> Modify.

  3. Enter the following information for the denied host address:

    Address
    An IP address or domain name which defines the host(s) that are to be denied access. You can use the character ``*'' to replace any element of an address. For example, ``*'' would match all addresses, ``*.mynet.com'' would deny access to any host in the domain mynet.com, and ``200.25.*.*'' would deny access to any host having an IP address that begins 200.25.

    Deny unresolvable address
    Deny access to users from any host whose IP address cannot be resolved into a domain name.

    Message file
    (Optional) The pathname of a message file that will be displayed to a user if they are denied access. Click on Select to choose the file using a file browser.

  4. Click on OK to accept.

Denying access to users

To deny access to a user:

  1. In the FTP Server Manager, select View -> Denied users.

  2. To define a user to be denied access, select Edit -> Add.

  3. Choose the name of the user from the pull-down list.

  4. Click on OK to accept.


WARNING: To maintain system security, we recommend that you always deny access to root. We also recommend that you deny access to accounts which do not use one of the standard shells listed in /etc/shells. If you choose to enable access by root, uncomment the /sbin/sh line in /etc/shells.

You do not need to deny access to accounts which do not have passwords. The FTP server will not service these users.


Configuring FTP virtual domains

Virtual domains allow you to create alternative access points for anonymous FTP on the same FTP server. Each virtual domain name may be associated with the IP address of a real networking interface, or with an IP address that is an alias of a real IP address. You can use virtual domains to set up FTP areas that are specific to anonymous FTP users for different departments, organizations or companies.

The primary FTP domain is defined as the domain name with which you initially configured a server. If required, you can set up an FTP virtual domain with the same IP address and domain name as the primary domain. Anonymous FTP users will be directed to this virtual domain instead of to the primary domain. Guest and real users will continue to use the primary domain. See ``Virtual domains'' for more information.

To configure a virtual domain using the FTP Server Manager:

  1. Select View -> FTP virtual domains.

  2. To define a new virtual domain, select Edit -> Add.

    To modify an existing virtual domain, click on the domain from those displayed, then select Edit -> Modify.

  3. Enter the following information for the virtual domain:

    IP Address
    The IP address of the virtual domain. Click on Select to select an IP address from those configured on the server. You cannot select default values for the other fields until you have entered an IP address in this field.

    Anonymous FTP home
    The pathname of the root directory for anonymous FTP to this virtual domain. Click on Select to choose a directory using a file browser, or click on Default to use the default location under /var/internet/ip/IP_address/ftp/ftp.

    Banner file
    The pathname of the file containing the message that is displayed to users before they enter their user name and password. Click on Select to choose a file using a file browser, or click on Default to use the default pathname for this virtual domain.

    Log file
    The pathname of the file used to log FTP file transfers. Click on Select to choose a file using a file browser, or click on Default to use the default pathname for this virtual domain. Alternatively, select Use primary log file to use the same log file as that used by the primary domain (/var/adm/xferlog).

  4. Click on OK to accept.
You must now set up the home directories for each virtual domain as described in ``Configuring FTP home directories''.

Configuring guest groups

If a real user accessing the FTP server is a member of a guest group defined in /etc/group, they will be permitted access to a different FTP home directory from that available to anonymous FTP users. All users in the same guest group share an FTP home directory for access to the FTP server.

To define a guest group using the FTP Server Manager:

  1. Select View -> Guest groups.

  2. Select Edit -> Add.

  3. Choose the name of the group from the pull-down list.

  4. Click on OK to accept.
You must now set up the home directories for each guest group as described in ``Configuring FTP home directories''.

See Administering users and groups for information on how to set up user accounts and groups.

Viewing FTP logs

To view the FTP logs using the FTP Server Manager, select View -> Log.

By default, the FTP Server Manager displays log entries for the primary FTP domain and all configured virtual domains. To restrict the domains for which entries are displayed:

  1. Select Edit -> Modify.

  2. To hide the log entries for a domain, select it from the list of visible domains, then click on Hide to move it to the list of hidden domains.

    To reveal the log entries for a domain, select it from the list of hidden domains, then click on Reveal to move it to the list of visible domains.

  3. Click on OK to accept the changes.
To change the level of detail shown for log entries, use View -> Expand and View -> Collapse.

The FTP Server Manager will update the displayed log entries at regular intervals. To change the time interval between autorefreshes, select View -> Set Auto Refresh, enter the interval period in minutes, then click on OK.

To turn off autorefreshing, select View -> Set Auto Refresh, then select Off.

To turn on autorefreshing, select View -> Set Auto Refresh, then select On.

To refresh the view yourself, select View -> Refresh now.

See ``Setting FTP server options'' for information on how to control the types of events that are logged.

Configuring login and change directory messages

To configure the messages that are configured to be displayed when a user logs in using FTP, or when a user changes directory:

  1. In the FTP Server Manager, select View -> Messages.

  2. If a suitable message does not already exist, select Edit -> Add.

    If a message does already exist, select Edit -> Modify.

  3. Select the type of message:

    Login message
    Display a message file to users when they log in. Enter the pathname of the file containing the message, or click on Select to select a file using a file browser.

    Login README
    Tell users about a README file when they log in. Enter the pathname of the file containing the message, or click on Select to select a file using a file browser.

    See ``Magic cookies'' for details of the text insertion macros that you can insert in this file.


    Directory message
    Display a message file to users when they change to the specified directory. Enter the pathname of the file containing the message, or click on Select to select a file using a file browser.

    Directory README
    Tell users about a README file when they change to the specified directory. Enter the pathname of the file containing the message, or click on Select to select a file using a file browser.

    See ``Magic cookies'' for details of the text insertion macros that you can insert in this file.

    You can specify the classes to which the server will display messages. If no classes are specified, all FTP users will see the messages.

    You can use the character ``*'' to replace any element of a change directory path or the pathname of a README file. For example, specifying ``*'' for a change directory path would cause the associated message to be displayed whenever the user changes directory. A README file path specified as ``README*'' would match any file with this pattern such as README or READMENOW in the root directory of the FTP user.


    NOTE: For anonymous FTP users, pathnames are assumed to be relative to the anonymous FTP home directory.

  4. Click on OK to accept the changes.

Configuring FTP home directories

You can use the FTP Server Manager to manage the home directories of the anonymous FTP user in the primary domain, of anonymous FTP users in virtual domains, and of guest groups:

  1. Select one of Anonymous FTP, FTP virtual domains, or Guest groups from the Home menu, then select the operation that you want to perform on their home directories:

    Install
    Set up the home directories, and populate them with the files needed for FTP operation. You can also control whether users are allowed to put files on the server in the ~ftp/pub/incoming directory using the Allow incoming transfers option. Deselect this if you want to allow read access only to the ~ftp/pub directory hierarchy. By default, incoming transfers are allowed.


    NOTE: Even if you allow incoming transfers, users are not permitted to view the contents of the ~ftp/pub/incoming directory by default. If you want to permit this, change the permissions on the ~ftp/pub/incoming directory to 1777 using the chmod(C) command. The default permissions on this directory are 1733.


    Modify
    Enable or disable incoming file transfers after the home directories have already been set up.

    Verify
    Check the sizes, permissions and ownerships of files in the home directories. Discrepancies are reported but not corrected.


    NOTE: You may see warnings about possible discrepancies in the passwd and group files that have been copied to an FTP home area. This is intended to remind you to check these files for entries that could compromise your system's security.


    Correct
    Check the sizes, permissions and ownerships of files in the home directories. Any discrepancies are automatically reported and corrected.

    Remove
    Remove the entire home directory hierarchy for the user.

  2. Click on OK to accept the changes.

Setting FTP server options

To set FTP server options using the FTP Server Manager:

  1. Select the type of options you want to configure from the Options menu:

  2. Enter the new settings for the options, then click on OK to accept.

General options

You can set the following general options:


Max number of failed logins
The maximum number of times that a user may attempt to log in and fail before the connection will be terminated. The default value is 5 attempts.

Session timeout (seconds)
The period of time in seconds that must elapse before an inactive connection will be terminated. The default value is 900 seconds.

Max session timeout (seconds)
The maximum inactive period in seconds that an FTP client can request. The default value is 7200 seconds (2 hours).

Shutdown file
The pathname of the file that the FTP server checks to see if and when it is going to be shut down, and the message that should be displayed to users. This file is created by the shutdown procedure described in ``Scheduling the shutdown of the FTP server''. See ftpshut(ADMN) for the format of this file including details of the ``magic cookies'' (text insertion macros) that you can use. Click on Select to change the shutdown file using a file browser.

Banner file
The pathname of the file that contains the message that is displayed to users when they connect to the FTP server. Click on Select to change the banner file using a file browser. See ``Magic cookies'' for details of the text insertion macros that you can insert in this file.

Email address
The e-mail address of the FTP server administrator.

Logging options

You can set the following event logging options:


Commands
Select whether to log commands issued by anonymous, guest, and real users.

Uploads
Select whether to log transfers of files to the server by anonymous, guest, and real users.

Downloads
Select whether to log transfers of files from the server by anonymous, guest, and real users.

Permission options

You can set the following command permission options:


chmod
Select whether anonymous, guest, and real users are allowed to change file permissions.

delete
Select whether anonymous, guest, and real users are allowed to delete files.

overwrite
Select whether anonymous, guest, and real users are allowed to overwrite files.

Security options

You can set the following security options for anonymous FTP access:


Level of password checking
Select how strict anonymous user passwords are checked. If Trivial is selected, the password must contain an ``@'' character. If Strict is selected, the password is checked to see if it complies with RFC 822.

Enforcement
If Warning is selected, an anonymous user who gives an invalid password is warned and then allowed to log in. If Logout is selected, an anonymous user who gives an invalid password is warned and their connection is terminated.

For more about FTP

For more information about FTP, see the following manual pages:

Manual page Information provided
ftp(TC) File transfer program
ftp(SLIB) FTP API functions
ftpaccess(SFF) FTP server configuration file
ftpconversions(SFF) FTP server conversions database
ftpcount(ADMN) Show current number of FTP users for each class
ftpd(ADMN) DARPA Internet File Transfer Protocol server
ftpgroups(SFF) FTP group access file
ftphosts(SFF) Allow or deny access to individual FTP users from various hosts
ftpshut(ADMN) Close down the FTP servers at a given time
ftpusers(SFF) Deny access to individual FTP users
ftpwho(ADMN) Show current process information for each FTP user
xferlog(SFF) Format of FTP server logfile
More information about FTP may be obtained by consulting the following RFCs:

RFC Title
959 File Transfer Protocol (FTP)
1123 Requirements for Internet Hosts -- Application and Support
1127 Perspective on the Host Requirements RFCs
1579 Firewall-Friendly FTP
For more on anonymous FTP security, consult the information available from CERT at the URL: ftp://info.cert.org/pub/tech_tips/security_info.

You can also obtain information about the known abuses of anonymous FTP at the URL: ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses.


© 2007 The Santa Cruz Operation, Inc. All rights reserved
OpenServer 6 and UnixWare (SVR5) HDK - 05 June 2007