One final topic before leaving the subject of network login services: the FTP service. Like other services, to access the FTP server, a user must provide a username and a password. The sample user kathy could ftp to the local system, and log in. The FTP server would set her default directory to /home/kathy, and she would be able to download and upload files to and from the system based on her normal file read and write permissions.
In addition to its standard service, ftp provides anonymous FTP, which allows anyone to log in to the FTP server with the username anonymous and any password. Traditionally, the password used is your e-mail address. The purpose of anonymous FTP is, of course, to make certain files publicly available. Many of the great Linux files available from the Internet are available through anonymous FTP.
Anonymous FTP is a great service, but it can present a security problem—and a big headache—if it is set up incorrectly. Several steps are involved in doing it right. The steps to create an anonymous FTP server are as follows:
1. Add the user ftp to the /etc/passwd file.
2. Create an ftp home directory owned by user ftp that cannot be written to by anyone.
3. Create a bin directory under the ftp home directory that is owned by root, and that cannot be written to by anyone. The programs needed by FTP should be placed in this directory.
4. Create an etc directory in the ftp home directory that is owned by root, and that cannot be written to by anyone. Create special passwd and group files in this directory, and change the mode of both files to 444 (read-only).
5. Create a pub directory in the ftp home directory that is owned by root and is only writable by root; that is, mode 644. Don't allow remote users to store files on your server unless it is absolutely necessary and your system is on a private, non-connected network. If you must allow users to store files on the server, change the ownership of this directory to ftp and the mode to 666 (read and write). This should be the only directory in which anonymous FTP users can store files.
6. For systems, such as Linux, that use dynamic linking, create a lib directory in the ftp home directory that contains the runtime loader and the library modules needed by FTP.
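The ownership and write-permission rules in steps 2 through 5 can be checked mechanically. The following audit script is an added example, not part of the original text; the function name `audit_ftp_tree` and the `RULES` table are assumptions made for illustration, and it deliberately reports pub if it has been opened for uploads.

```python
import os
import stat
import sys

# (path relative to the ftp home, expected owner, check), from steps 2-5.
# "ftp"/"root" are resolved to numeric uids by the caller.
RULES = [
    (".",          "ftp",  "no_write"),          # step 2
    ("bin",        "root", "no_write"),          # step 3
    ("etc",        "root", "no_write"),          # step 4
    ("etc/passwd", None,   "mode_444"),          # step 4
    ("etc/group",  None,   "mode_444"),          # step 4
    ("pub",        "root", "owner_write_only"),  # step 5
]

def audit_ftp_tree(home, ftp_uid, root_uid=0):
    """Return a list of (relative path, problem) findings for an anonymous FTP home."""
    uids = {"ftp": ftp_uid, "root": root_uid}
    findings = []
    for rel, owner, check in RULES:
        path = os.path.normpath(os.path.join(home, rel))
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink planted in the tree
        except FileNotFoundError:
            findings.append((rel, "missing"))
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "is a symlink"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if owner is not None and st.st_uid != uids[owner]:
            findings.append((rel, f"owner uid {st.st_uid}, expected {owner}"))
        if check == "no_write" and mode & 0o222:
            findings.append((rel, f"mode {mode:o} has a write bit set"))
        elif check == "mode_444" and mode != 0o444:
            findings.append((rel, f"mode {mode:o}, expected 444"))
        elif check == "owner_write_only" and mode & 0o022:
            findings.append((rel, f"mode {mode:o} is group/world-writable"))
    return findings

if __name__ == "__main__":
    import pwd
    # Step 1: getpwnam raises KeyError if the ftp user is not in /etc/passwd.
    home = sys.argv[1] if len(sys.argv) > 1 else "/var/ftp"
    for rel, problem in audit_ftp_tree(home, pwd.getpwnam("ftp").pw_uid):
        print(f"{rel}: {problem}")
```

Run it with the ftp home directory as its argument; no output means every rule passed.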
On Linux, setting up anonymous FTP is simple because the steps described previously have already been done for you. Most Linux systems come with anonymous FTP preconfigured and installed. Simply select the anonymous FTP component during the initial installation, or add it later using a package manager. Figure 3.1 shows the results of a Gnome RPM query for the anonymous FTP package on a Red Hat 7.2 system.
Figure 3.1: The anonymous FTP RPM
Figure 3.1 shows a Red Hat system in which the anonymous FTP package has already been installed. The effects of the installation are visible on the system. Look in the /etc/passwd file; you'll notice that the user account ftp is already there. You'll also find the anonymous FTP home directory, which is /var/ftp on a Red Hat 7.2 system. Finally, test the system with the command ftp localhost, and you should be able to log in as anonymous.
Properly set up, anonymous FTP is less of a security risk than regular FTP. If you don't want to offer an FTP server at all, comment the ftp entry out of the inetd.conf file, or disable it in the xinetd configuration. If you specifically don't want anonymous FTP, don't install it in the first place, or comment the ftp entry out of the /etc/passwd file if it is already installed.
Basic FTP and anonymous FTP are the only FTP services offered on most Linux systems. Basic service is configured by enabling the service through xinetd or inetd, and by creating user accounts. Anonymous FTP is configured by installing the anonymous FTP package. For many Linux systems, this is all there is to FTP configuration. However, Linux systems that use Washington University FTP (WU-FTPD) have additional configuration options.