[plug] ftpd query

Matt Kemner zombie at networx.net.au
Wed Jun 9 08:32:45 WST 1999


On Wed, 9 Jun 1999, David Campbell wrote:

> This could create more holes since the anonymous ftp account runs in 
> a "chroot" (eg: limited view only the account directory). There is a 
> list of things that need to be done for setting up an anonymous ftp 
> account properly - more than I can remember.

> Anonymous FTP should be more secure than 
> standard FTP since you use chroot to put the blinkers on

You can do one better and create a "guest" FTP account.
Guest FTP accounts are just like anonymous accounts in that they are
chroot'd, but they also need a password to access the information.

Setting up a guest account is a little trickier, and depends on which ftpd
you are running. For wu-ftpd you need to create a new group in /etc/group
(e.g. I added the line "ftponly::999").
Then you need to edit your ftpaccess (usually either /etc/ftpaccess or
/etc/ftpd/ftpaccess) and add a line that says
"guestgroup ftponly"

Then you can add guest FTP accounts by adding accounts such as:
virsigs:x:1020:999:Virus Signatures:/home/virsigs/./sigs:/bin/ftponly

Make sure the fourth field is set to the group number you created above
(in my case 999).
The /home/virsigs/./sigs needs to be specified like that, and it tells
ftpd to chroot to /home/virsigs, and dump the client in the
/home/virsigs/sigs directory on connect.

Then you need to symlink /bin/false to /bin/ftponly and add /bin/ftponly
to /etc/shells.

Finally you need to copy all the files (libraries etc) for the chroot
environment - assuming you have anonymous ftp set up somewhere you can:

cd ~ftp && cp -a bin etc lib /home/virsigs

If you don't want people to be able to get directory listings, delete the
ls command from /home/virsigs/bin.

You should now have a working guest FTP account.

 - Matt
P.S. I believe proftpd is a LOT easier to set up for anonymous/guest
accounts, but have never played with it.
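
Added example, not part of the original message: a shell check that one guest account is consistent with the steps above (field 4 is the GID of a group named on a guestgroup line, the home field carries the /./ marker, and the shell is listed in the shells file). The function names and file arguments are assumptions, and the sample files are constructed from the values quoted in the message.

```shell
#!/bin/sh
# Audit one wu-ftpd guest account against the setup steps in the message above.
# check_guest USER PASSWD GROUP FTPACCESS SHELLS -> returns the number of problems.
check_guest() {
    user=$1; passwd=$2; group=$3; ftpaccess=$4; shells=$5
    problems=0
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "FAIL: no passwd entry for $user"; return 1
    fi
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # Field 4 must be the GID of a group named on a "guestgroup" line.
    gname=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    if [ -z "$gname" ] || ! awk -v n="$gname" \
        '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == n) ok = 1 }
         END { exit !ok }' "$ftpaccess"; then
        echo "FAIL: gid $gid is not a guestgroup in ftpaccess"
        problems=$((problems + 1))
    fi

    # The home field needs the /./ marker that splits chroot root from start dir.
    case $home in
        */./*) echo "chroot root: ${home%%/./*}  start dir: /${home#*/./}" ;;
        *) echo "FAIL: home '$home' has no /./ marker"; problems=$((problems + 1)) ;;
    esac

    # The login shell must be listed in the shells file.
    if ! grep -qxF -- "$shell" "$shells"; then
        echo "FAIL: shell $shell is not in shells file"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files (values taken from the message) written to directory $1.
make_sample() {
    mkdir -p "$1"
    echo 'virsigs:x:1020:999:Virus Signatures:/home/virsigs/./sigs:/bin/ftponly' > "$1/passwd"
    echo 'ftponly::999' > "$1/group"
    echo 'guestgroup ftponly' > "$1/ftpaccess"
    printf '/bin/sh\n/bin/ftponly\n' > "$1/shells"
}

demo=$(mktemp -d); make_sample "$demo"
check_guest virsigs "$demo/passwd" "$demo/group" "$demo/ftpaccess" "$demo/shells"
rm -rf "$demo"
```

On a real host the four file arguments would be /etc/passwd, /etc/group, the ftpaccess file and /etc/shells.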


