Administering TCP/IP

Setting up anonymous ftp

The ftp server included in the system provides support for an anonymous ftp account. Because of the inherent security problems with such a facility, you should read this section carefully if you want to provide such a service.

When a client accesses the anonymous ftp account, a chroot(ADM) system call is performed by the server to restrict the client from moving outside that part of the filesystem where the ftp home directory is located. Because a chroot call is used, certain programs and files used by the server process must be placed in the ftp home directory as shown in the following procedure:

  1. Create a user called ftp with the Account Manager. Do not set a password for the account. Most importantly, set the login shell to the restricted shell, rsh(C) (not the remote shell command), so that the account cannot be used to reach the rest of the system.

  2. Run the following to set up directories below ftp's home directory:

    cd ~ftp
    chmod 755 .; chown root .; chgrp root .
    mkdir bin dev etc lib pub usr usr/lib
    chown root bin etc dev lib usr usr/lib
    chmod 555 bin etc dev lib usr usr/lib
    chown ftp pub
    chmod 777 pub
    cd bin
    cp /bin/ls .
    chmod 111 ls
    cd ../etc
    cp /etc/passwd .
    cp /etc/group .
    chmod 444 passwd group
    cd ../lib
    cp /lib/ .
    chmod 555 lib*
    chown bin lib*
    cd ../usr/lib
    cp /usr/lib/ .
    cp /usr/lib/ .
    cp /usr/lib/ .
    cp /usr/lib/ .
    cp /usr/lib/ .
    cp /usr/lib/ .
    chmod 555 lib*
    chown bin lib*
    cd ../..
    find /dev/socksys -print | cpio -dumpv ~ftp
    find /dev/zero -print | cpio -dumpv ~ftp
    ln -s ~ftp /usr/internet/ip/

Files put in the anonymous area by local users must be placed in a subdirectory. In the setup described here, the directory ~ftp/pub is used.

WARNING: Another issue to consider is the copy of /etc/passwd placed in ~ftp/etc/passwd. Anonymous ftp does not use the encrypted password field of this copy, so edit the copied file to leave that field blank in every entry; otherwise anonymous users can download the file and obtain the encrypted passwords for every account on the system.

For example, you could edit the following line in ~ftp/etc/passwd:

to read:

The ftp server provides a security loophole if certain user accounts are allowed to log in over ftp. To prevent this, the file /etc/ftpusers is checked on each connection. If the requested user name is listed in the file, the request for service is denied. This file should be owned by root in the sys group, have permissions set to 444, and contain at least the following names:

Accounts with nonstandard shells should be listed in this file. Accounts without passwords need not be listed in this file; the ftp server does not service these users.
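The following audit script is an added example written for this page; it is not a script that ships with SCO OpenServer. Given a tree laid out as in step 2 above, it checks the points this section makes: the modes and owners of the chroot directories and copied files, that ~ftp/etc/passwd has its encrypted-password field blanked as the WARNING requires, that nothing outside pub is world-writable, and that /etc/ftpusers is root:sys mode 444 and lists the names you require (the page's list of names is not reproduced here, so the names are passed as arguments). The function names are this example's own, and the expected owners are parameters rather than fixed to root and ftp only so the checks can be exercised on a scratch copy by an unprivileged user; on the real system pass root and ftp.

```sh
#!/bin/sh
# Audit helpers for the anonymous ftp chroot tree built by the procedure above.
# Added example for this page, not a script shipped with SCO OpenServer. The
# function names are this example's own, and the expected owners are passed as
# arguments rather than hard-coded to root and ftp so the checks can be tried
# on a scratch tree by an unprivileged user.

# ok_mode_owner PATH MODE OWNER
# True if PATH exists, its mode is exactly MODE (octal) and it is owned by OWNER.
# find -prune -perm -user is POSIX, so it works where stat(1) flags differ.
ok_mode_owner() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm "$2" -user "$3" -print 2>/dev/null)" ]
}

# sanitize_passwd SRC DST
# Write a copy of SRC with the encrypted-password field (field 2) blanked,
# as the WARNING above requires, and make it read-only. SRC is not modified.
sanitize_passwd() {
    awk -F: 'BEGIN { OFS = ":" } { $2 = ""; print }' "$1" > "$2" && chmod 444 "$2"
}

# passwd_leaks_hashes FILE
# True if any entry in FILE still carries a non-empty password field.
passwd_leaks_hashes() {
    awk -F: '$2 != "" { found = 1 } END { exit !found }' "$1"
}

# audit_ftp_tree FTPHOME ROOTOWNER PUBOWNER
# Check the modes and owners the procedure sets (ROOTOWNER is normally root,
# PUBOWNER normally ftp). Prints each problem found; returns 1 if there were any.
audit_ftp_tree() {
    home=$1 rootowner=$2 pubowner=$3 bad=0
    ok_mode_owner "$home" 755 "$rootowner" \
        || { echo "BAD: $home should be 755 owned by $rootowner"; bad=1; }
    for d in bin etc dev lib usr usr/lib; do
        ok_mode_owner "$home/$d" 555 "$rootowner" \
            || { echo "BAD: $home/$d should be 555 owned by $rootowner"; bad=1; }
    done
    ok_mode_owner "$home/pub" 777 "$pubowner" \
        || { echo "BAD: $home/pub should be 777 owned by $pubowner"; bad=1; }
    ok_mode_owner "$home/bin/ls" 111 "$rootowner" \
        || { echo "BAD: $home/bin/ls should be 111 owned by $rootowner"; bad=1; }
    for f in passwd group; do
        ok_mode_owner "$home/etc/$f" 444 "$rootowner" \
            || { echo "BAD: $home/etc/$f should be 444 owned by $rootowner"; bad=1; }
    done
    # The copied passwd must not hand out password hashes to anonymous clients.
    if passwd_leaks_hashes "$home/etc/passwd" 2>/dev/null; then
        echo "BAD: $home/etc/passwd still contains encrypted passwords"; bad=1
    fi
    # Anything world-writable outside pub lets an anonymous client plant files
    # inside the chroot (a replacement bin/ls, for instance).
    ww=$(find "$home" -path "$home/pub" -prune -o -perm -002 -print)
    [ -z "$ww" ] || { echo "BAD: world-writable outside pub:"; echo "$ww"; bad=1; }
    return $bad
}

# check_ftpusers FILE OWNER GROUP NAME...
# /etc/ftpusers must be mode 444, owned by OWNER:GROUP (root:sys on this page)
# and list every NAME given, one per line. Returns 1 on any failure.
check_ftpusers() {
    f=$1 owner=$2 group=$3; shift 3; bad=0
    [ -n "$(find "$f" -prune -perm 444 -user "$owner" -group "$group" -print 2>/dev/null)" ] \
        || { echo "BAD: $f should be 444 owned by $owner:$group"; bad=1; }
    for n in "$@"; do
        grep -qx "$n" "$f" || { echo "BAD: $f does not list $n"; bad=1; }
    done
    return $bad
}
```

After completing the procedure, source the file (saved under any name, say ftpaudit.sh) and run `audit_ftp_tree ~ftp root ftp` and `check_ftpusers /etc/ftpusers root sys root` followed by the other names you require; a non-zero return from either function means something the procedure set has drifted, and the BAD lines say what. Rerunning the audit after a system update is worthwhile, because a reinstalled ls or passwd copy is easy to overlook.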


© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003