Copyright ©1996, Que Corporation. All rights reserved. No part of this book may be used or reproduced in any form or by any means, or stored in a database or retrieval system without prior written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Making copies of any part of this book for any purpose other than your own personal use is a violation of United States copyright laws. For information, address Que Corporation, 201 West 103^rd Street, Indianapolis, IN 46290 or at support@mcp .com.

Chapter 10 - Installing FTP Server Software

Having an FTP server is an excellent way to make information available to people, regardless of what kind of Internet software they're using. You can also use it to allow people to upload files to your system, either anonymously or through an account with a password. So, whether you want to make information on your company's services available, or allow the people with whom you're working on an important project to upload their work to your system so you can take a look at it, setting up your FTP server is worth the time and effort.

In this chapter, you learn:

• How to compile your FTP server
• How to install your FTP server
• How to make sure your FTP server is secure
• How to verify that your FTP server works

How To Compile Your FTP Server

Slackware comes with an FTP server that you can install automatically, but I've chosen a more feature-rich server for you to install. If you would rather use the simple FTP server that comes with Slackware for now, you can access the man pages for it by typing man tftpd. However, this is a very basic server. Installing the one included in this chapter will give you better site security. It will also give you more features, since the FTP server installed in this chapter supports a number of nonstandard FTP services, including the capability to:

• Log file transfers
• Compress and archive files in the middle of tasks
• Classify users
• Define what each class of users can do
• Set upload permissions for individual directories
• Create restricted guest accounts, so unknown users can only get to a limited number of files

Finding and Uncompressing the Server Source

The FTP server you're going to use is wu-ftpd-2.4, from Washington University (the site of WUArchive). The features it has to offer in addition to the standard FTP protocols make it a worthwhile addition to your site's servers.

To locate and uncompress wuftpd:

1. Locate the file wu-ftpd-2.4.tar.Z on the CD-ROM.
2. Copy it to /usr/src.
3. Type gunzip wu-ftpd-2.4.tar.Z.
4. Type tar -xvf wu-ftpd-2.4.tar.

Editing pathnames.h

Before compiling your FTP server, you need to look at the file that defines where wuftpd's configuration and data files go. To do this, you will edit the file pathnames.h (located in the directory where you have stored your wuftpd files in the src subdirectory) and determine whether the defaults set there fit your needs. If they don't, change them to where you want the files listed to be stored.

You can either choose to have the various configuration files used for wuftpd in various locations, or within one directory. I generally prefer to keep the configuration files for an individual program all in one place. This makes my life easier when I try to locate problems with the server, or make configuration changes later.

Other sysadmins have other ways of handling such configuration files, of course. If you have another structure in mind, or prefer to go with the defaults given, go ahead and use it. There is no one true way to structure your files.

For example, perhaps you prefer to keep all path configuration files for the programs you compile together in one directory. Or maybe you prefer to keep your program configuration files together, but grouped according to program type (e.g., all server configuration files in a single directory, all configuration files for programs for the sysadmin in one place, and so on).

To change a statement to what you want for your own system, just change the path within the quotes. The various path statements stand for:

• _PATH_FTPUSERS
• Points to the file that lists the userids that are not allowed to FTP in. For example, most services don't allow access by anyone using root or "services" accounts (nobody, ftp, etc.) If you prefer to keep such files centralized in one particular directory to make them easier to locate later, change this item. The default location is /etc/ftpusers.
• _PATH_FTPACCESS
• Points to the server's configuration file. If you prefer to keep your server configuration files together or all of your FTP server files together, change this item to the same as _PATH_FTPUSERS. The default location is /etc/ftpaccess.
• _PATH_EXECPATH
• Points to the directory that contains the binary files used with the SITE EXEC command. This directory is relative to the FTP home directory (~ftp). If you prefer to keep all of your FTP files together, change this item to the same location as the others. The default location is /bin/ftp-exec.
• _PATH_PIDNAMES
• Points to the file template that handles which classes get which PIDs (process id's). The percent sign (%) in the file name refers to a specific class. The server will automatically choose the proper pid file for each class (as long as that file exists). If you prefer to keep all of your FTP files in one place, change this item to match the others. The default location is /usr/adm/ftpd/ftp.pids-%s.
• _PATH_CVT
• Points to the file that contains the configuration for converting a file to a UNIX compressed (.Z) file. If you would rather keep this file somewhere else or want to keep it with your other FTP files, change this item. The default location is /etc/ftpconversions.
• _PATH_XFERLOG
• Points to the file where your FTP logs will be kept. If you prefer to keep all of your FTP or log files in one place, change this item. The default location is /usr/adm/ftpd/xferlog.
• _PATH_PRIVATE
• Points to the file that contains the group password file for the SITE GROUP and SITE GPASS commands. If you prefer to keep your FTP files together, change this item. The default location is /etc/ftpgroups.
• _PATH_UTMP
• Points to your utmp file, one of the files used to record the details of access to your services. If you keep your utmp file somewhere other than the default, change the appropriate pointer. There should be only one utmp file on your system. The default location is /etc/utmp.
• _PATH_WTMP
• Points to your wtmp file, one of the files used to record the details of access to your services. If you keep your wtmp file somewhere other than the default, change the appropriate pointer. There should be only one wtmp file on your system. The default location is /usr/adm/wtmp.
• _PATH_LASTLOG
• Points to your lastlog file, which is used to show the last X logins by various people. There should be only one lastlog file on your system, so if the default does not point to your lastlog file, change it to the appropriate path. The default location is /usr/adm/lastlog.
• _PATH_BSHELL
• Points to where your bourne shell (sh) is. If this item is not accurate, change it to the appropriate path. The default location is /bin/sh.
• _PATH_DEVNULL
• Points to where to send things that are trashed instead of stored. This one is pretty standard. If you use something other than /dev/null to mean "dump it," change this to the appropriate path. The default location is /dev/null.
• _PATH_FTPHOSTS
• Points to the configuration file that handles individual user access. If you would rather keep this file in a central place with your other FTP files, change this item appropriately. The default location is /etc/ftphosts.

Compiling wuftpd

To compile wuftpd, do the following:

1. Log in as root.
2. Change to the directory in which your wuftpd pre-compilation files are stored.
3. Type build lnx to build the Linux version of the daemon. This is a script that comes with wuftpd that handles compiling (which you would otherwise do with make) and installation (which you would otherwise usually do with make install).
4. Watch the compilation progress. Keep in mind that just because it looks like it finished, it didn't necessarily compile correctly. So, if you find that you try to move on to the installation and nothing is happening, check over your compilation and make sure it completed properly.

If you aren't sure the compilation finished correctly, and want to make sure that you didn't miss any error messages, use the following syntax when telling it to compile:

build lnx > blort 2>&1

The first > redirects the output from the command build lnx to the file blort. The second instance, using 2>&1 tells your system to send any error messages to the file blort as well. Therefore, when you're done compiling, you'll have a file containing all the messages the compiler gave, both standard and error.

You won't see any of the compiler messages on your screen because of this. The redirecting tells your system to send them to the file blort instead of to your screen.

1. Fix any problems that surface. Return to step 3.

If the compile ends before it should, listing as its problems strunames, typenames, modenames or other such items being undefined, go to the directory /usr/include/arpa and make a backup of the file ftp.h. Then, go back to the directory in which you have your FTP files for compilation, change to the support directory, and copy the file ftp.h from there to /usr/include/arpa. That should fix the problem.

If the compiler ends before it should listing problems ith pid_t, go to the directory in which you have your FTP files for compilation, go to the src directory, and edit the config.h file. Add the line:

Installing and Starting Your FTP Server

Installing your FTP server will take a while because you need to make sure there are no tricky little security holes! So, just take your time and follow along carefully.

Basic wuftpd Installation

To complete the basic wuftpd installation, do the following:

1. Log in as root.
2. Change to the directory in which your wuftpd files are stored.
3. Type build install to install your server.
4. Go to the directory in which your pre-compilation FTP server files are stored.
5. Copy /bin/compress to ~ftp/bin/compress. When I refer to any directory with a tilde (~) at the beginning, I'm talking about /home/directory_name (e.g. ~ftp is the same as saying /home/ftp). Just like ~fred would be the same as /home/fred.

Often, you would use a soft link to handle this instead of copying the program. However, when wuftpd starts up, it changes its definition of "root directory" to ~ftp. Once it does this, it can't see outside of ~ftp, and so a soft link pointing to /bin/compress would be pointing to somewhere that wouldn't exist to wuftpd. Wuftpd would try to find it in ~ftp/bin/compress, which is where you're putting it, not where it's coming from.

Some Initial Security Measures

Now, you're going to set up some necessary directories and files, according to smart security precautions. To accomplish this, do the following:

1. Change to the ~ftp directory.
2. Make sure this new directory has the following ownerships and permissions to ensure that it's secure:
3. chmod 111 bin
4. Using 111 sets the permissions so that everyone can execute what's in this directory, but no one can read or write to it. This makes it hard for people to snoop around in this directory.
5. Change to the bin directory.
6. Copy /bin/ls into ~/ftp/bin. For the same reasons as with compress, you can't use a soft link for this.
7. Change the ownerships and permissions of ls, once again, to root.wheel and 111.
8. Change to ~ftp/etc.
9. Create the files passwd and group, just as you find in /etc.
10. Make these files mode 444. Using 444 sets the files as readable by everyone. This might seem to be lax security, but keep in mind that even your standard /etc/passwd and /etc/group files have these permissions-though the passwords in these files are encrypted. For some, this is a good enough reason to use shadow passwords (discussed in Chapter 12).
11. If you want user and group names to show when doing an ls -l while someone is in your FTP server, do the following:

• Edit ~ftp/etc/passwd. You want the following users in this file: root, daemon, uucp, and ftp. You can also add users for people who you want to show as owning various files. An example of an entry is:
• ftpadmin:*:350:4:FTP Administrator::
• This entry tells your FTP server that you want user number 350 to show in an ls -l as username ftpadmin. Group number 4, as a general rule, would be the group ftp.
• Edit ~ftp/etc/group. You only want one group in this file, ftp. In the case of the example above, the entry would be:
• ftp:*:4:root,daemon,uucp,ftpadmin

1. No one can actually log in using the items you have set in the ~ftp/etc passwd and group files. This is simply a way of mapping user and group numbers to words within the FTP server.
2. You do not need to create these files if you don't want to do so. If you don't do this, all the users and groups will show as UID and GID numbers instead of being mapped to names.
3. 10. Return to the ~ftp directory.
4. 11. Create the directory pub. This is where the files you want to offer to the public are stored. Now, set its ownership to the account that will be used to maintain the FTP server and root (i.e. ftpadmin.root). Set the permissions to 2555. Mode 555 sets the item so that everyone can read and execute it. The 2 in the front (set-group-id) sets the directory so that every file created inside it will also be of the group assigned to the directory (in this case, group ftp).

Some additional simple things you can do to ensure that no one can take advantage of the user ftp existing on your system are the following:

1. Log in as root.
2. Change to the directory ~ftp.
3. Create the file .rhosts, but leave it empty.

If you want to create an empty file, you can use the command touch.

1. Create the empty file .forward.
2. Change the permissions of the two new empty files to 400. This makes the files readable by their owners (root, in this case), and not accessible at all by anyone else. This precaution makes sure that if someone does get logged in as FTP somehow, he can't change the .rhosts file to allow himself to log in to FTP again remotely later. It also makes sure that he can't change the .forward file to sneak mail through your system.

Creating Data Files

There are a few files you need to create now for server security. The examples shown in this section can be found by going to the directory where you stored your pre-compilation FTP server files, and then changing to the doc/examples directory.

The ftpconversions File

You might not need to change the ftpconversions file, as its purpose is to handle file compression and uncompression. The contents are as follows:

:.Z: :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
 :   : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
 :.gz: :  :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
 :   : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP
 :   : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 :   : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
 :   : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP

If the paths above are not correct, you need to change them to the appropriate value.

Now, copy this file to the location you assigned in pathnames.h.

The ftpusers File

First, take a look at the example file for ftpusers:

root
bin
boot
daemon
digital
field
gateway
guest
nobody
operator
ris
sccs
sys
uucp

These are usernames that cannot log into your FTP server. You can remove or add to this list as you wish, but keep in mind that the defaults were chosen because of the possible security holes they cause.

When finished with this file, copy it to the location you assigned in pathnames.h.

The ftpgroups File

The ftpgroups file is meant to allow you to create a group of predefined people who are allowed to FTP into your system. The contents of the example of the ftpgroups file is as follows:

test:ENCRYPTED PASSWORD HERE:archive

The items in the example above stand for:

• test This is the access group name. You can make this name up out of letters, numbers, and punctuation.
• ENCRYPTED PASSWORD HERE This is the password for the group, encrypted via crypt (which is also the program that encrypts the passwords for /etc/passwd).
• archive This is the group name from the /etc/group file with which this entry is associated.

One way to create this password is to create a dummy user, give that user a password, and then copy that password straight from /etc/passwd to where you need it. Then, just delete the dummy user.

For a user to take advantage of this feature, he would log in to your FTP server through the standard anon procedure. Then, he would execute the commands SITE GROUP and SITE GPASS to gain the additional group privileges assigned to the /etc/group item to which he assigned himself.

Once you finish editing this file (if you want to use it at all; I didn't), copy it to the directory to which it's assigned in your pathnames.h file.

The ftphosts File

If you want some control over where various users can FTP in from (allowing and disallowing certain hosts), you can use the ftphosts file to allow or deny access. This is useful if you only want people to be able to FTP in from particular locations, or if you find someone is using your site in a way you want to prevent from particular locations (e.g., uploading files you don't allow, such as copyrighted material). The contents of the ftphosts file are:

# Example host access file
#
# Everything after a '#' is treated as comment,
# empty lines are ignored

    allow   bartm   somehost.domain
    deny    fred    otherhost.domain 131.211.32.*

Note that the syntax is in three columns:

• allow or deny
• Username of the account whose access you want to allow or restrict
• List of full domain names or IP address(es) from which the person is allowed or forbidden to log in, including the name of the specific host (or an * if you are referring to all hosts at that site). Only a space is required between names/IPs.

If you use allows, only people coming from the hosts you explicitly listed can FTP in as the specified username.

Setting Up SITE EXEC Programs

If you want to allow anonymous users to run executables on your FTP server, put these programs into the directory assigned in pathnames.h.

Be extra careful what you put in this directory; you do not want to create a security hole for yourself!

Final Installation Steps

There are just a few more things you need to do to install your FTP server:

1. Log in as root.
2. Go to the directory in which you stored your FTP pre-compilation files.
3. Change to the bin directory.
4. Run the file ckconfig to double-check that you've installed the extra files properly. This program will tell you if all of the extra configuration files were put where they need to be. You may want to redirect the output to a file (I'll use blort again here) so you can catch any mistakes, by typing instead:
5. ckconfig > blort

Starting Your FTP Server

Starting your FTP server now is easy! Just do the following:

1. Find the process ID for inetd.
2. Type kill -HUP process ID # (i.e. kill -HUP 345) to kill and restart your server.

Verifying That Your FTP Server Works

After all of this work, it will feel good to be able to use your FTP server! Let's put a file into your FTP site to look at, install a better FTP client, and test the server to make sure it works.

Storing Files in Your FTP Server

If you want to know what people will see when they log in to your FTP server, take a look in the directory ~ftp. This is the directory in which they start. From there, you can structure your server's filesystem as you wish. As a general rule, the ~ftp/pub directory you already created is where the files you want to make available to the public are placed.

Another standard is the ~ftp/incoming directory, from which people can upload materials to your site. If you do create this directory, be sure the permissions are set so that people can write to it!

Only create an incoming directory if you're certain you want to allow people to FTP materials onto your site. You may find that you have problems with people using this directory to upload any number of illegal items so their friends can pick them up before you see and remove them, such as pirated software and child pornography.

If you do use an incoming directory, be sure to check it on a regular basis and look over the files it contains beyond just looking at the file name.

If you are seriously concerned with determining what kinds of files are illegal, etc., you'll need to contact a local lawyer. You can also contact the EFF (Electronic Freedom Foundation). The URL for their home pages is given in chapter 9, "Installing UseNet Server Software."

Also, check all MS-DOS and Macintosh System files that appear in your incoming directory for viruses, especially if you're not sure who uploaded them!

If you have any files you want to make available, go ahead and start arranging them in your FTP server! Be sure that the permissions on your directories and files are as you want them.

Alternative FTP Client

Even though you already have an FTP client, another alternative is NcFTP. This is a more flexible and "fancy" client that allows you to do extra things, such as view files without downloading them and resumes file transfers that died for one reason or another.

Finding and Uncompressing the Client Source

The FTP client you're going to install here is ncftp-2.1.0.

To locate and uncompress NcFTP:

1. Locate the file ncftp-2.1.0.tgz on the CD-ROM.
2. Copy it to /tmp or /incoming.
3. Type gunzip ncftp-2.1.0.tgz.
4. Type tar -xvf wu ncftp-2.1.0.tar.

Compiling and Installing NcFTP

NcFTP is set up to configure fairly painlessly. To install this client, do the following:

1. Log in as root.
2. Change to the directory in which your NcFTP files are stored.
3. You need to have ncurses installed to compile this client. Keep in mind that it might not work so well, but if it doesn't, you can always recompile NcFTP to not use it (I'm choosing not to use it; if I want windows, I'll use X-Windows). This comes with Slackware, but if you didn't choose to install it during the installation process, just type install, install a package, and choose the D series of disks.
4. Type configure to run the configuration script. By doing this, you can avoid the usual file editing you have to do before compiling most packages (tweaking configuration files, etc.). This script actually builds your configuration files and Makefile for you. All you have to do while running it is watch text scroll by as the script determines the locations of the files needed to compile your FTP server and client.
5. Type make to compile your new FTP client. As usual, keep an eye out for errors that may kill your compilation.
6. Type make install to install NcFTP.

If you would rather be able to type ftp instead of ncftp, you can create a symbolic link to redirect it (you can also use an alias, but you would have to set this alias on every computer). Change to /usr/local/bin, which is the directory to which ncftp was installed. Now, type ln -sf ncftp ftp (keep in mind that if you have an ftp file in this directory, it will be overwritten; so if you want to err on the side of caution, you might want to move it to ftp.old).

Now, type which ftp to see which program will be run if you type ftp. If it is not the one in /usr/local/bin, you need to edit the path in your /etc/profile or /etc/login file so /usr/local/bin comes before /usr/bin. If you have to do this, type which ftp again afterwards to ensure that you are now using the proper FTP client.

Testing Your FTP Server

Now let's see if everything works! There are a number of access avenues and features that need to be tested.

FTPing into Your Site

Test both the ability to FTP in anonymously, and FTP into a user account.

For example, I'll FTP anonymously into ftp.renaissoft.com. From my personal account, I'll just type ftp ftp.renaissoft.com. NcFTP is smart enough to figure out your e-mail address for itself, so you don't have to type it in as your anon password. Then, I get the welcome message to the machine and am given a prompt (see fig. 10.1).

Fig. 10.1 FTPing anonymously into ftp.renaissoft.com.

A handy feature of NcFTP is that it remembers site names. Next time I wanted to go to ftp.renaissoft.com anonymously, I could just type ftp renaissoft.

As you noticed, you didn't even have to type in anonymous as a userid. This is because NcFTP assumes you want to do an anon FTP by default. I'll do another example here of a non-anonymous FTP. This time, I want to go to the same machine, but to my own account. I'll type ftp -u ftp.renaissoft.com. Then, I'll enter my userid at the prompt (dee), and my password at the password prompt. From there, I go straight to a prompt in my own home directory (see fig. 10.2).

Fig. 10.2 FTPing into a machine as a non-anonymous user.

Access

Test the following directory and file access concerns:

• Getting into directories people should be able to access. Following from the anonymous login example, I'll get a directory listing using the command dir (see fig. 10.3).

Fig. 10.3 Getting a directory listing in an FTP server

• Now, I'll choose a directory to enter. Generally, the /pub directory will be your first step, so I'll go there using cd pub (see fig. 10.4).

Fig. 10.4 Changing into a directory on an FTP server, and looking to see what's there.

• Fetching files people should be able to access. Backing up to ftp.renaissoft.com's main directory (using cd ..), I'll get the site's welcome.msg. Such files tend to give information about the FTP site and its policies. I'll get the file with the command get welcome.msg. I'm given both a progress bar and a countdown of the projected time left in the transfer. When the file transfer is complete, I'm told how many bytes were received how quickly (see fig. 10.5).

Fig. 10.5 Getting a file from an FTP server.

With some servers, if you want to get a number of files, you can use the command mget. For example, if you wanted to get file1 and file2, you could type mget file1 file2. However, this command doesn't work with all servers.

NcFTP remembers the directory you were in the last time you left a particular server and takes you back to it when you return.

• Putting files into the incoming directory. Log into the FTP site (I'm going in as anon), then change to the incoming directory. Now, set the directory you want to be in on the machine you FTP'd in from by using the lcd (local change directory) command. For example, I want to take a file from /home/dee, so I'll type in lcd /home/dee. The lcd is confirmed. Then, I can put the file into the directory if I have permission to do so. To put the file example.txt into /incoming, I need to type put example.txt (see figure 10.6).

Fig. 10.6 Putting a file into /incoming on an FTP site.

Just as some servers support mget, some also support mput for putting multiple files.

• Making sure people cannot put files into directories other than incoming. As a simple example of the difference in permissions between an /incoming directory and another directory, take a look at the two file listings in figure 10.7.

Fig. 10.7 The difference between the permissions for an /incoming directory and any other FTP directory

If you have problems with one or more of these items, check the permissions and ownerships carefully.

Special Configuration Options

If you used any of the special items from the pathnames.h file, such as user groups, test these as well. If you're having problems with these and cannot figure them out, keep in mind that because you installed the server, you have access to the manual pages.

There is an X-Windows FTP client called xftp. You can find it through a Web search using Netscape. It should be available at sunsite.unc.edu and its mirrors.