Using Commands in the ftpaccess File to Configure wu-ftpd

The ftpaccess file contains most of the server configuration details. Each line contains a definition or parameter that is passed to the server to specify how the server is to operate. The directives can be broken down into the following categories, including
Tip: Many more options can be specified for the wu-ftpd FTP server in its ftpaccess file. The most common commands have been covered here. A full list of configuration options can be found in the ftpaccess man page after you install the server.

You can edit the ftpaccess file at the command line to make configuration changes in any of these categories. The following sections describe some configuration changes and how to edit these files to accomplish them.

Configure Access Control

Controlling which users can access the FTP server and how they can do so are critical parts of system security. Use the following entries in the ftpaccess file to specify to which group the user accessing the server is assigned.

Limit Access for Anonymous Users

This command imposes increased security on the anonymous user:

    autogroup <groupname> <class> [<class>]

If the anonymous user is a member of a group, he is allowed access to only files and directories owned by him or his group. The group must be a valid group from /etc/groups or /var/ftp/etc/groups.

Define User Classes

This command defines a class of users by the address from which the user connects:

    class <class> <typelist> <addrglob> [<addrglob>]

There might be multiple members for a class of users, and multiple classes might apply to individual members. When multiple classes apply to one user, the first class that applies is used. The typelist field is a comma-separated list of the keywords anonymous, guest, and real. anonymous applies to the anonymous user, and guest applies to the guest access account, as specified in the guestgroup directive. real defines those users who have a valid entry in the /etc/passwd file. The addrglob field is a regular expression that specifies the addresses to which the class is to be applied. The (*) entry specifies all hosts.

Block a Host's Access to the Server

Sometimes it is necessary to block entire hosts from accessing the server.
This can be useful to protect the system from individual hosts or entire blocks of IP addresses, or to force the use of other servers. Use this command to do so:

    deny <addrglob> <message_file>

deny always denies access to hosts that match a given address. addrglob is a regular expression field that contains a list of addresses, either numeric or a DNS name. This field can also be a file reference that contains a listing of addresses. If the address is a file reference, it must be an absolute file reference; that is, starting with a /. To ensure that IP addresses can be mapped to a valid domain name, use the !nameserver parameter. A sample deny line resembles the following:

    deny *.exodous.net /home/ftp/.message_exodous_deny

This entry denies access to the FTP server from all users who are coming from the exodous.net domain, and displays the message contained in the .message_exodous_deny file in the /home/ftp directory.
Restrict Permissions Based on Group IDs

The guestgroup line assigns a given group name or group names to behave exactly like the anonymous user. Here is the command:

    guestgroup <groupname> [<groupname>]

This command confines the users to a specific directory structure in the same way anonymous users are confined to /var/ftp. This command also limits these users to accessing files for which their assigned group has permissions. The groupname parameter can be the name of a group or that group's corresponding group ID (GID). If you use a GID as the groupname parameter, put a percentage symbol (%) in front of it. You can use this command to assign permissions to a range of group IDs, as in this example:

    guestgroup %500-550

This entry restricts all users with the group IDs 500-550 to being treated as a guest group, rather than as individual users. For guestgroup to work, you must set up the users' home directories with the correct permissions, exactly like the anonymous FTP user.

Limit Permissions Based on Individual ID

The guestuser line works exactly like the guestgroup command you just read about, except it specifies a user ID (UID) instead of a group ID. Here's the command:

    guestuser <username> [<username>]

This command limits the guest user to files for which the user has privileges. Generally, a user has more privileges than a group, so this type of assignment can be less restrictive than the guestgroup line.

Restrict the Number of Users in a Class

The limit line restricts the number of users in a class during given times. Here is the command, which contains fields for specifying a class, a number of users, a time range, and the name of a text file that contains an appropriate message:

    limit <class> <n> <times> <message_file>

If the specified number of users from the listed class is exceeded during the given time period, the user sees the contents of the file given in the message_file parameter. The times parameter is somewhat terse.
Its format is a comma-delimited string in the form of days,hours. Valid day strings are Su, Mo, Tu, We, Th, Fr, Sa, and Any. The hours string is formatted in a 24-hour format. An example is as follows:

    limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class

This line limits the anonymous class to 10 concurrent connections on Monday through Friday, and on Saturday from midnight to 11:00 p.m. For example, if the number of concurrent connections is exceeded at 11:00 p.m. on Saturday, the users will see the contents of the file /home/ftp/.message_limit_anon_class. Syntax for finer control over limiting user connections can be found in the ftpaccess man page.

Limit the Number of Invalid Password Entries

This line allows control over how many times a user can enter an invalid password before the FTP server terminates the session:

    loginfails <number>

The default for loginfails is set to 5. This command prevents users without valid passwords from experimenting until they get it right.

Configure User Information

Providing users with information about the server and its use is a good practice for any administrator of a public FTP server. Adequate user information can help prevent user problems and eliminate tech support calls. You also can use this information to inform users of restrictions governing the use of your FTP server. User information gives you an excellent way to document how your FTP server should be used. You can use the commands detailed in the following sections to display messages to users as they log in to the server and as they perform specific actions.

Display a Prelogin Banner

This command is a reference to a file that is displayed before the user receives a login prompt from the FTP server:

    banner <path>

This file generally contains information to identify the server.
The path is an absolute pathname relative to the system root (/), not the base of the anonymous FTP user's home. The entry might look like this:

    banner /etc/rh8ftp.banner

This example uses the file named rh8ftp.banner under the /etc directory. The file can contain one or more lines of text, such as

    Welcome to Widget, Inc.'s Red Hat Linux FTP server.
    This server is only for use of authorized users.
    Third-party developers should use a mirror site.

When an FTP user attempts to log in, the banner is displayed like so:

    $ ftp shuttle2
    Connected to shuttle2.home.org.
    220-Welcome to Widget, Inc.'s Red Hat Linux FTP server.
    220-This server is only for use of authorized users.
    220-Third-party developers should use a mirror site.
    220-
    220-
    220 shuttle2 FTP server (Version wu-2.6.2-8) ready.
    504 AUTH GSSAPI not supported.
    504 AUTH KERBEROS_V4 not supported.
    KERBEROS_V4 rejected as an authentication type
    Name (shuttle2:phudson):

Note: The banner does not replace the greeting text that, by default, displays the hostname and server information, such as

    220 shuttle2 FTP server (Version wu-2.6.2-8) ready.

To hide version information, use the greeting command in ftpaccess with a keyword, such as terse, like so:

    greeting terse

FTP users will then see a short message like this as part of the login text:

    220 FTP server ready.

Also, not all FTP clients can handle multiline responses from the FTP server. The banner <path> command is how the banner line passes the file contents to the client. If a client cannot interpret multiline responses, the FTP server is useless to them. You should also edit the default banner to remove identity and version information.

Display a File

This line specifies a text file to be displayed to the user during login and when the user issues the cd command:

    message <path> {<when> {<class> ...}}

The optional when clause can be LOGIN or CWD=(dir), where dir is the name of the directory that becomes the current directory.
The optional class parameter enables messages to be shown to only a given class or classes of users. Using messages is a good way to give information about where things are on your site as well as information that is system dependent, such as alternative sites, general policies regarding available data, server availability times, and so on. You can use magic cookies to breathe life into your displayed messages. Magic cookies are symbolic constants that are replaced by system information. Table 24.1 lists the message command's valid magic cookies and their representations.
To understand how this command works, imagine that you want to display a welcome message to everyone who logs in to the FTP server. The entries

    message /home/ftp/welcome.msg login
    message /welcome.msg login

show the contents of the welcome.msg file to all real users who log in to the server (first entry) and to the anonymous user (second entry). The welcome.msg file is not created with the installation of the RPM, but you can create it using a text editor. Type the following:

    Welcome to the anonymous ftp service on %L!

    There are %N out of %M users logged in.

    Current system time is %T

    Please send email to %E if there are
    any problems with this service.
    Your current working directory is %C

Save this file as /var/ftp/welcome.msg. Verify that it works by connecting to the FTP server:

    220 FTP server ready.
    504 AUTH GSSAPI not supported.
    504 AUTH KERBEROS_V4 not supported.
    KERBEROS_V4 rejected as an authentication type
    Name (shuttle:phudson): anonymous
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    230-Welcome to the anonymous ftp service on shuttle.home.org!
    230-
    230-There are 1 out of unlimited users logged in.
    230-
    230-Current system time is Mon Nov 3 10:57:06 2003
    230-
    230-Please send email to root@localhost if there are
    230-any problems with this service.
    230-Your current working directory is /

Display Administrator's Email Address

This line sets the email address for the FTP administrator:

    email <name>

This string is printed whenever the %E magic cookie is specified. This magic cookie is used in the message line or in the shutdown file. You should display this string to users in the login banner message so that they know how to contact you (the administrator) in case of problems with the FTP server.

Caution: Do not use your live email address in the display banner; you want others to be able to access user emails as necessary.
Instead, use an alias address that routes the messages to the appropriate IT department or other address.

Notify User of Last Modification Date

The readme line tells the server if a notification should be displayed to the user when a specific file was last modified. Here's the command:

    readme <path> {<when> {<class>}}

The path parameter is any valid path for the user. The optional when parameter is exactly as seen in the message line. class can be one or more classes as defined in the class file. The path is absolute for real users. For the anonymous user, the path is relative to the anonymous home directory, which is /var/ftp by default.

Configure System Logging

Part of system administration involves reviewing log files for what the server is doing, who accessed it, what files were transferred, and other pieces of important information. You can use a number of commands within /etc/ftpaccess to control your FTP server's logging actions.

Redirect Logging Records

This line allows the administrator to redirect where logging information from the FTP server is recorded:

    log <syslog>{+<xferlog>}

By default, the information for commands is stored in /var/log/messages, although the man pages packaged in some RPMs state that this information is written to /var/log/xferlog. Check your server's settings for information regarding the location of your file transfer logs.

Log All User-Issued Commands

This line enables logging for all commands issued by the user:

    log commands [<typelist>]

typelist is a comma-separated list of anonymous, guest, and real. If no typelist is given, commands are logged for all users. Some wu-ftpd RPMs set the logging of all file transfers to /var/log/xferlog (see the next section). However, you can add the log command to ftpaccess with the commands keyword to capture user actions. Logging is then turned on and user actions are captured in /var/log/messages. Here is a sample log file:
The sample log shows the username and password entries for an anonymous login. The CWD entry shows that a cd command is used to navigate to the pub directory. Note that the commands shown do not necessarily reflect the syntax the user typed, but instead list the corresponding protocol commands the FTP server received. For example, the LIST entry is actually the ls command.

Log Security Violations and File Transfers

Two other logging commands are useful in the /etc/ftpaccess configuration file. This line enables the logging of security violations:

    log security [<typelist>]

Violations are logged for anonymous, guest, and real users, as specified in the typelist, the same as for the other log commands. If you do not specify a typelist, security violations for all users will be logged. This line writes a log of all files transferred to and from the server:

    log transfers [<typelist> [<directions>]]

typelist is the same as in the log commands and log security lines. directions is a comma-separated list of the keywords inbound for uploaded files and outbound for downloaded files. If no directions list is given, both uploaded and downloaded files will be logged. Inbound and outbound logging is turned on by default.

Configure Permission Control

Controlling user activity is an important component of securing your system's server. The ftpaccess file includes a number of commands that enable you to determine what users can and cannot execute during an FTP session. You can use these permission controls to allow users to change file permissions, delete and overwrite files, rename files, and create new files with default permissions. You learn how to use all these ftpaccess file command lines in the following sections.

Note: By default, all the ftpaccess file command lines prohibit anonymous users from executing actions and enable authorized users to do so.

Allow Users to Change File Permissions

The chmod line determines whether a user has the ability to change a file's permissions.
Here is the command line:

    chmod <yes|no> <typelist>

This command acts the same as the standard chmod command. The yes|no parameter designates whether the command can be executed. typelist is a comma-delimited string of the keywords anonymous, guest, and real. If you do not specify a typelist string, the command will be applied to all users. An exhaustive description of its purpose and parameters can be found in the man page.

Assign Users File-Delete Permission

The delete line determines whether the user can delete files with the rm command. Here's the command line:

    delete <yes|no> <typelist>

The yes|no parameter is used to turn this permission on or off, and typelist is the same as in the chmod command.

Assign Users File-Overwrite Permission

This command line of the ftpaccess file allows or denies users the ability to overwrite an existing file. Here's the command line:

    overwrite <yes|no> <typelist>

The FTP client determines whether users can overwrite files on their own local machines; this line specifically controls overwrite permissions for uploads to the server. The yes|no parameter toggles the permission on or off, and typelist is the same as in the chmod line.

Allow Users to Rename Files

You can enable or prevent a user from renaming files using this command line:

    rename <yes|no> <typelist>

The yes|no parameter toggles the permission on or off, and typelist is the same comma-delimited string as in chmod.

Allow Users to Compress Files

This line determines whether the user is able to use the compress command on files:

    compress <yes|no> [<classglob>]

The yes|no parameter toggles the permission on or off, and classglob is a regular expression string that specifies one or more defined classes of users.
The conversions that result from the use of this command are specified in the ftpconversions file, which contains directions on what compression or extraction command is to be used on a file with a specific extension, such as .Z for the compress command, .gz for the gunzip command, and so on. See the section "Configure FTP Server File-Conversion Actions" later in this chapter.

Assign or Deny Permission to Use tar

This line determines whether the user is able to use the tar (tape archive) command on files:

    tar <yes|no> [<classglob> ...]

The yes|no parameter toggles the permission on or off, and classglob is a regular expression string that specifies one or more defined classes of users. Again, the conversions that result from the use of this command are specified in the ftpconversions file.

Determine What Permissions Can Apply to User-Created Upload Files

This line is a bit different from the other commands in the permission control section. The umask command determines with what permissions a user can create new files; here it is:

    umask <yes|no> <typelist>

The yes|no parameter toggles whether a user is allowed to create a file with his default permissions when uploading a file. Like the overwrite command you read about earlier in this section, this command line is specific to uploaded files because the client machine determines how new files are created from a download.

Configure Commands Directed Toward the cdpath

This alias command allows the administrator to provide another name for a directory other than its standard name:

    alias <string> <dir>

The alias line applies to only the cd command. This line is particularly useful if a popular directory is buried deep within the anonymous FTP user's directory tree. The following is a sample entry:

    alias linux-386 /pub/redhat/7.3/en/i386/

This line would allow the user to type cd linux-386 and be automatically taken to the /pub/redhat/7.3/en/i386 directory.
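An added example, not code from the book or from wu-ftpd, that audits an ftpaccess file for the settings the sections above discuss: permission lines (chmod, delete, overwrite, rename, umask) left open to anonymous users, a greeting that is not terse, a loginfails value above the default of 5, relative banner or deny message paths, and missing log commands / log security lines. The sample file, the finding texts and the line parser are assumptions of this example; wu-ftpd's own parser accepts syntax this simple one does not.

```python
# Added example; not code from the book or from wu-ftpd. Audits an ftpaccess
# file for the weak settings the chapter warns about. Assumptions: '#' begins
# a comment; a permission line with no typelist applies to all users (as the
# chapter states); the checks encode the chapter's advice (greeting terse,
# loginfails default 5, absolute paths, log commands/security present).
PERMISSION_KEYWORDS = {"chmod", "delete", "overwrite", "rename", "umask"}
ALL_TYPES = {"anonymous", "guest", "real"}

SAMPLE_FTPACCESS = """\
# constructed sample, not taken from a real server
class   all   real,guest,anonymous  *
loginfails 8
banner  /etc/rh8ftp.banner
deny    *.exodous.net  /home/ftp/.message_exodous_deny
chmod     no   guest,anonymous
delete    no   anonymous
overwrite yes  anonymous
umask     yes
log transfers anonymous,real inbound,outbound
"""

def parse_ftpaccess(text):
    """Yield (line_number, keyword, args) for every non-comment directive."""
    for num, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield num, parts[0], parts[1:]

def audit_ftpaccess(text):
    """Return [(line_number, finding), ...]; line 0 marks a file-wide finding."""
    findings, seen = [], set()
    for num, keyword, args in parse_ftpaccess(text):
        # remember "log commands"/"log security" as a unit, other keywords alone
        seen.add(" ".join([keyword] + args[:1]) if keyword == "log" else keyword)
        if keyword in PERMISSION_KEYWORDS and args[:1] == ["yes"]:
            types = set(args[1].split(",")) if len(args) > 1 else ALL_TYPES
            if "anonymous" in types:
                findings.append((num, f"{keyword} allowed for anonymous users"))
        elif keyword == "loginfails" and args and int(args[0]) > 5:
            findings.append((num, f"loginfails {args[0]} is above the default of 5"))
        elif keyword == "greeting" and args[:1] != ["terse"]:
            findings.append((num, "greeting is not terse; the server version is shown"))
        elif keyword in ("deny", "banner") and args:
            path = args[-1]                      # banner <path> / deny <addrglob> <file>
            if not path.startswith("/"):
                findings.append((num, f"{keyword} file {path!r} is not an absolute path"))
    if "greeting" not in seen:
        findings.append((0, "no greeting line; default greeting reveals the server version"))
    if "loginfails" not in seen:
        findings.append((0, "no loginfails line; the default of 5 applies"))
    for wanted in ("log commands", "log security"):
        if wanted not in seen:
            findings.append((0, f"no '{wanted}' line; those events are not logged"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit_ftpaccess(SAMPLE_FTPACCESS):
        print(f"line {line_no or '-'}: {finding}")
```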
The cdpath <dir> line specifies the order in which the cd command looks for a given user-entered string. The search is performed in the order in which the cdpath lines are entered in the ftpaccess file. For example, if the following cdpath entries are in the ftpaccess file,

    cdpath /pub/redhat/
    cdpath /pub/linux/

and the user types cd i386, the server searches for an entry in any defined aliases first, then in the /pub/redhat directory, and then in the /pub/linux directory. If a large number of aliases are defined, it is recommended that symbolic links to the directories be created instead of aliases. Doing so reduces the amount of work on the FTP server and decreases the wait time for the user.

Structure of the shutdown File

The shutdown command tells the server where to look for the shutdown message generated by the ftpshut command or by the user. The shutdown command is used with a pathname to a shutdown file, such as

    shutdown /etc/rh8ftpshutdown

If this file exists, the server checks the file to see when the server should shut down. The syntax of this file is as follows:

    <year> <month> <day> <hour> <minute> <deny_offset> <disc_offset> <text>

year can be any year after 1970 (called the epoch), month is from 0-11, hour is 0-23, and minute is 0-59. deny_offset is the number of minutes before shutdown in which the server disallows new connections. disc_offset is the number of minutes before connected users are disconnected, and text is the message displayed to the users at login. In addition to the valid magic cookies defined in the messages section, those listed in Table 24.2 are also available.
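The two time-based controls in this chapter, the <times> field of a limit line (described under "Restrict the Number of Users in a Class") and the shutdown file layout just given, as an added example that is not code from the book or from wu-ftpd. It assumes an HHMM range end is inclusive (so 2300 still matches 11:00 p.m., as in the chapter's limit example), that the shutdown offsets are plain minutes as the chapter says, and that moments are passed as ISO 8601 strings; the sample limit line is the chapter's, the sample shutdown file is constructed.

```python
# Added example; not code from the book or from wu-ftpd itself. Evaluates the
# two time-based controls in ftpaccess: the <times> field of a limit line
# ("MoTuWeThFr,Sa0000-2300") and the shutdown file ("<year> <month> <day>
# <hour> <minute> <deny_offset> <disc_offset> <text>"). Assumptions: an HHMM
# range end is inclusive (2300 still matches 11:00 p.m., as in the chapter's
# example); shutdown offsets are plain minutes and month is 0-11, as the
# chapter states. Moments are passed as ISO 8601 strings.
from datetime import datetime, timedelta

DAY_CODES = {"Su": 6, "Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5}  # datetime.weekday()

def parse_times(spec):
    """'MoTuWeThFr,Sa0000-2300' -> [(weekdays, start_hhmm, end_hhmm), ...]"""
    rules = []
    for item in spec.split(","):
        days, i = set(), 0
        if item.startswith("Any"):
            days, i = set(range(7)), 3
        while item[i:i + 2] in DAY_CODES:          # consume two-letter day codes
            days.add(DAY_CODES[item[i:i + 2]])
            i += 2
        if not days:
            raise ValueError(f"no day codes in {item!r}")
        # no hour range means the whole day
        start, end = (0, 2359) if i == len(item) else map(int, item[i:].split("-"))
        if not 0 <= start <= end <= 2359:
            raise ValueError(f"bad hour range in {item!r}")
        rules.append((days, start, end))
    return rules

def in_limit_window(spec, when_iso):
    """True if the limit line's <times> field covers the given moment."""
    when = datetime.fromisoformat(when_iso)
    hhmm = when.hour * 100 + when.minute
    return any(when.weekday() in d and s <= hhmm <= e for d, s, e in parse_times(spec))

def limit_refuses(limit_line, current_users, when_iso):
    """Message file to show if one more user would exceed the limit now, else None."""
    _kw, _cls, n, times, message_file = limit_line.split()
    if in_limit_window(times, when_iso) and current_users >= int(n):
        return message_file
    return None

def parse_shutdown(text):
    """Shutdown file -> (shutdown_at, deny_new_from, disconnect_from, message)."""
    fields = text.strip().split(None, 7)            # 7 numbers, then free text
    year, month, day, hour, minute, deny_off, disc_off = map(int, fields[:7])
    if year < 1970 or not 0 <= month <= 11:
        raise ValueError("year must be >= 1970 and month 0-11")
    at = datetime(year, month + 1, day, hour, minute)
    return (at, at - timedelta(minutes=deny_off), at - timedelta(minutes=disc_off),
            fields[7] if len(fields) > 7 else "")

def shutdown_state(text, when_iso):
    """'open', 'refusing_new', 'disconnecting' or 'down' at the given moment."""
    at, deny_from, disc_from, _ = parse_shutdown(text)
    now = datetime.fromisoformat(when_iso)
    return ("down" if now >= at else "disconnecting" if now >= disc_from
            else "refusing_new" if now >= deny_from else "open")

# Constructed samples: the chapter's limit line, and a shutdown at 22:00 on
# 3 Nov 2003 (month field 10 = November) refusing new logins 30 min ahead.
LIMIT_LINE = "limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class"
SHUTDOWN_FILE = "2003 10 3 22 00 30 10 Server going down for maintenance at 22:00.\n"
```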