Anonymous FTP is mentioned throughout this book as a technique for retrieving publicly available files and programs from the many FTP servers around the Internet. Anonymous FTP is simply an ftp session in which you log into the remote server using the username anonymous and, by convention, your email address as the password. [1] The anonymous FTP example below should make this simple process clear:
[1] Some FTP servers request your real username as a password.
% ftp ftp.ncsa.edu
Connected to ftp.ncsa.uiuc.edu.
220 FTP server Wed May 21 1997 ready.
Name (ftp.ncsa.edu:kathy): anonymous
331 Guest login ok, use email address as password.
Password:
ftp> cd /Web/Mosaic/Unix/binaries/2.6
250 CWD command successful.
ftp> binary
200 Type set to I.
ftp> get Mosaic-hp-2.6.Z Mosaic.Z
200 PORT command successful.
150 Opening BINARY mode data connection for Mosaic-hp-2.6.Z.
226 Transfer complete.
local: Mosaic.Z remote: Mosaic-hp-2.6.Z
809343 bytes received in 3.5 seconds (2.3e+02 Kbytes/s)
ftp> quit
221 Goodbye.
In this example, the user logs into the server ftp.ncsa.edu using the username anonymous and the password [email protected], which is her email address. With anonymous FTP, she can log in even though she doesn't have an account on ftp.ncsa.edu. Of course what she can do is restricted, but she can retrieve certain files from the system, and that's just what she does. She changes to the /Web/Mosaic/Unix/binaries/2.6 directory and gets the compressed file Mosaic-hp-2.6.Z. The file is retrieved in binary mode.
Using the anonymous FTP service offered by a remote server is very simple. However, setting up an anonymous FTP service on your own system is a little more complicated. Here are the steps to set up an anonymous FTP server:
1. Add user ftp to the /etc/passwd file.
2. Create an ftp home directory owned by user ftp that cannot be written to by anyone.
3. Create a bin directory under the ftp home directory that is owned by root, and that cannot be written to by anyone. The ls program should be placed in this directory and changed to mode 111 (execute-only).
4. Create an etc directory in the ftp home directory that is owned by root, and that cannot be written to by anyone. Create special passwd and group files in this directory, and change the mode of both files to 444 (read-only).
5. Create a pub directory in the ftp home directory that is owned by root and is only writable by root, i.e., mode 644. Don't allow remote users to store files on your server, unless it is absolutely necessary and your system is on a private, non-connected network. If you must allow users to store files on the server, change the ownership of this directory to ftp and the mode to 666 (read and write). This should be the only directory where anonymous FTP users can store files.
The following examples show each of these steps. First, create the ftp home directory and the required subdirectories. In our example, we create the ftp directory under the /usr directory.
# mkdir /usr/ftp
# cd /usr/ftp
# mkdir bin
# mkdir etc
# mkdir pub
Then copy ls to /usr/ftp/bin, and set the correct permissions.
# cp /bin/ls /usr/ftp/bin
# chmod 111 /usr/ftp/bin/ls
Create a group that will be used only by anonymous FTP, a group that has no other members. In our example we create a group called anonymous. An entry for this new group is added to the /etc/group file, and a file named /usr/ftp/etc/group is created that contains only this single entry.
anonymous:*:15:
Create a user named ftp by placing an entry for that user in the file /etc/passwd. Also create a file named /usr/ftp/etc/passwd that contains only the ftp entry. Here's the entry we used in both files:
ftp:*:15:15:Anonymous ftp:/usr/ftp:
These examples use a GID of 15 and a UID of 15. These are only examples; pick a UID and GID that aren't used for anything else on your system.
A cat of the newly created /usr/ftp/etc/passwd and /usr/ftp/etc/group files shows the following:
% cat /usr/ftp/etc/passwd
ftp:*:15:15:Anonymous ftp:/usr/ftp:
% cat /usr/ftp/etc/group
anonymous:*:15:
After the edits are complete, set both files to mode 444:
# chmod 444 /usr/ftp/etc/passwd
# chmod 444 /usr/ftp/etc/group
Set the correct ownership and mode for each of the directories. The ownership of /usr/ftp/pub, /usr/ftp/bin, and /usr/ftp/etc does not need to be changed because the directories were created by root.
# cd /usr/ftp
# chmod 644 pub
# chmod 555 bin
# chmod 555 etc
# cd ..
# chown ftp ftp
# chmod 555 ftp
If you must allow users to write their own files in the pub directory, make the following changes: [2]
[2] This opens a large security hole. Allow users to write their own files to the anonymous FTP server only if you must.
# chown ftp pub
# chmod 666 pub
For most UNIX systems, the installation is complete. But if you have a SunOS 4.x system, a few more steps are necessary. The dynamic linking used by SunOS requires that the ftp home directory contain:
The runtime loader
The shared C library
/dev/zero
These Sun-specific steps are shown in the following examples. First, create the directory /usr/ftp/usr/lib, then copy the files ld.so and libc.so.* into the new directory, and set the file permissions:
# cd /usr/ftp
# mkdir usr
# mkdir usr/lib
# cp /usr/lib/ld.so usr/lib
# cp /usr/lib/libc.so.* usr/lib
# chmod 555 usr/lib/ld.so usr/lib/libc.so.*
# chmod 555 usr/lib
# chmod 555 usr
Next, create the ftp/dev directory, and run mknod to create dev/zero:
# cd /usr/ftp
# mkdir dev
# cd dev
# mknod zero c 3 12
# cd ..
# chmod 555 dev
Now you can copy the files you wish to make publicly available into /usr/ftp/pub . To prevent these files from being overwritten by remote users, set the mode to 644 and make sure the files are not owned by user ftp .
Once you complete the configuration steps necessary for your system, test it thoroughly before announcing the service. Make sure that your server provides the anonymous FTP service you want, without providing additional "services" that you don't want (such as allowing anonymous users access to files outside of the ftp home directory). Anonymous FTP is a potential security risk. If you offer this service at all, limit the number of systems at your site that provide it (one is usually enough), and take care to ensure that the installation is done properly.
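As an added example (not from the book), the following POSIX shell script audits an installed tree against the modes and files described above: the ftp home, bin, etc, pub, the execute-only ls, the read-only passwd and group files, and the two pub variants. The script and the FTP_ROOT and PUB_WRITABLE variable names are assumptions; it uses GNU stat with a BSD stat fallback.

```shell
#!/bin/sh
# Added example (not from the book): audit an anonymous FTP tree against the
# layout described above. ROOT is the ftp home (the book uses /usr/ftp); a
# second argument of "yes" means pub is intended to be ftp-owned and mode 666.

# check_mode PATH EXPECTED: report and return 1 if PATH is missing or its
# octal mode differs from EXPECTED (GNU stat, with a BSD stat fallback).
check_mode() {
    path=$1; want=$2
    [ -e "$path" ] || { echo "MISSING   $path"; return 1; }
    have=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    [ "$have" = "$want" ] || { echo "BAD MODE  $path is $have, want $want"; return 1; }
}

# audit_ftp_tree ROOT [yes]: returns 0 only if every check passes.
audit_ftp_tree() {
    root=$1; writable=${2:-no}; rc=0
    check_mode "$root"            555 || rc=1
    check_mode "$root/bin"        555 || rc=1
    check_mode "$root/bin/ls"     111 || rc=1
    check_mode "$root/etc"        555 || rc=1
    check_mode "$root/etc/passwd" 444 || rc=1
    check_mode "$root/etc/group"  444 || rc=1
    if [ "$writable" = yes ]; then
        check_mode "$root/pub" 666 || rc=1
    else
        check_mode "$root/pub" 644 || rc=1
    fi
    # The chroot passwd exists only so ls can map UIDs to names; it must never
    # carry real password hashes, so the second field of every line is "*".
    if [ -r "$root/etc/passwd" ] &&
       ! awk -F: '$2 != "*" { bad=1 } END { exit bad+0 }' "$root/etc/passwd"; then
        echo "HASHES    $root/etc/passwd has a password field other than *"; rc=1
    fi
    # Nothing under bin or etc may be world-writable.
    ww=$(find "$root/bin" "$root/etc" -perm -002 2>/dev/null)
    [ -z "$ww" ] || { echo "WRITABLE  $ww"; rc=1; }
    # Files in pub owned by user ftp can be replaced by any anonymous user.
    if id ftp >/dev/null 2>&1; then
        owned=$(find "$root/pub" -type f -user ftp 2>/dev/null)
        [ -z "$owned" ] || { echo "FTP-OWNED $owned"; rc=1; }
    fi
    return $rc
}
# Run directly as: FTP_ROOT=/usr/ftp PUB_WRITABLE=no sh audit-ftp.sh
if [ -n "${FTP_ROOT:-}" ]; then
    audit_ftp_tree "$FTP_ROOT" "${PUB_WRITABLE:-no}" && echo "OK: $FTP_ROOT"
fi
```

Ownership of the ftp home and the root-owned directories cannot be checked without knowing the local UIDs, so confirm those with ls -ld by hand.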