Using Commands in the ftpaccess File to Configure wu-ftpd


The ftpaccess file contains most of the server configuration. Each line is a directive, with its parameters, that tells the server how it is to operate. The directives fall into the following categories:

  • Access Control Settings that determine who can access the FTP server and how it is accessed

  • Information Settings that determine what information is provided by the server or displayed to a user

  • Logging Settings that determine if logging is enabled and what information is logged

  • Permission Control Settings that control the behavior of users when accessing the server; in other words, what actions users are allowed to perform, such as create a directory, upload a file, delete a file or directory, and so on

TIP

Many more options can be specified for the wu-ftpd FTP server in its ftpaccess file. The most common commands have been covered here. A full list of configuration options can be found in the ftpaccess man page after you install the server.


You can edit the ftpaccess file at the command line to make configuration changes in any of these categories. The following sections describe some configuration changes and how to edit these files to accomplish them.

Configure Access Control

Controlling which users can reach the FTP server, and what they can do once connected, is a critical part of system security. The following ftpaccess directives decide which class a connecting user falls into and what that class or group membership permits.

Limit Access for Anonymous Users

This directive tightens the anonymous user's group membership:

 autogroup <groupname> <class> [<class>] 

If an anonymous user belongs to any of the listed classes, the server switches its effective group ID to groupname for that session. The anonymous user can then read only files that are world-readable or readable by that group, which is a way of opening group-restricted directories to selected classes of anonymous clients without opening them to everyone. The group must exist in /etc/group (or in the group file inside the anonymous FTP tree, /var/ftp/etc/group on Fedora).

Define User Classes

This directive defines a class of users by user type and by the address from which the user connects:

 class <class> <typelist> <addrglob> [<addrglob>] 

A class can have many members, and more than one class line can match a given user. When several apply, the first matching class line in the file is used, so put specific classes before general ones.

The typelist field is a comma-separated list of the keywords anonymous, guest, and real. anonymous applies to the anonymous user; guest applies to guest accounts, as specified by the guestgroup and guestuser directives; real covers users with a valid entry in the /etc/passwd file.

The addrglob field is a shell-style wildcard pattern (not a full regular expression) matched against the client's IP address or its resolved hostname. The entry * matches all hosts.

Block a Host's Access to the Server

Sometimes you need to block entire hosts, or whole blocks of IP addresses, from the server, either to keep known-hostile networks out or to push clients toward other servers. Use this directive:

 deny <addrglob> <message_file> 

deny always refuses access to hosts that match the given address pattern, before any class is considered.

addrglob is a wildcard pattern matched against the client's numeric address or its DNS name. It can also be a file reference containing a list of addresses, one per line; a file reference must be an absolute path, that is, one starting with /. The special pattern !nameserved denies clients whose IP address does not reverse-resolve to a hostname, which matters when your other rules depend on DNS names. Name-based matching relies on a reverse lookup that the remote network controls, so use IP-range patterns for hard blocks and treat name patterns as a convenience.

A sample deny line resembles the following:

 deny *.exodous.net /home/ftp/.message_exodous_deny 

This entry denies access to all clients connecting from the exodous.net domain and displays the contents of /home/ftp/.message_exodous_deny to them.
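To make the class and deny semantics concrete, here is an added example (not code from the page or from wu-ftpd) that reads a constructed ftpaccess fragment and decides what happens to a connection. Python's fnmatch stands in for the server's own glob matching; the fragment, addresses and hostnames are made up; and a client that matches no class is reported as rejected, which is an assumption about wu-ftpd's behaviour rather than something this section states.

```python
"""Resolve a connecting client against wu-ftpd 'class' and 'deny' lines.

Added example, not code from the page or from wu-ftpd itself.  It models the
matching rules described above: addrglob fields are shell-style globs, a
matching 'deny' wins outright, and the first 'class' line whose typelist
includes the user type and whose addrglob matches the client is used.
The ftpaccess fragment, addresses and hostnames are constructed sample data.
"""
from fnmatch import fnmatchcase

FTPACCESS = """\
# constructed sample ftpaccess fragment (not a real server's file)
deny  *.exodous.net                 /home/ftp/.message_exodous_deny
deny  192.168.13.*                  /home/ftp/.message_lab_deny
class staff   real                  10.0.0.* *.home.org
class mirror  anonymous             mirror*.example.org
class all     real,guest,anonymous  *
"""


def parse_ftpaccess(text):
    """Return (deny_rules, class_rules), each in file order."""
    denies, classes = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "deny" and len(fields) >= 3:
            denies.append((fields[1], fields[2]))
        elif fields[0] == "class" and len(fields) >= 4:
            classes.append((fields[1], set(fields[2].split(",")), fields[3:]))
    return denies, classes


def addr_matches(glob, ip, hostname):
    """A pattern matches the dotted IP or, case-insensitively, the resolved name."""
    if fnmatchcase(ip, glob):
        return True
    return hostname is not None and fnmatchcase(hostname.lower(), glob.lower())


def resolve(text, user_type, ip, hostname=None):
    """Return ('deny', message_file), ('class', name) or ('reject', None).

    deny lines are checked first, in file order; then class lines, where the
    first match wins.  A client matching no class is reported as rejected
    (assumption: wu-ftpd refuses logins that fall into no class).
    """
    denies, classes = parse_ftpaccess(text)
    for glob, message_file in denies:
        if addr_matches(glob, ip, hostname):
            return ("deny", message_file)
    for name, types, globs in classes:
        if user_type in types and any(addr_matches(g, ip, hostname) for g in globs):
            return ("class", name)
    return ("reject", None)


if __name__ == "__main__":
    for args in (("anonymous", "203.0.113.7", "ftp.exodous.net"),
                 ("real", "10.0.0.5", None),
                 ("anonymous", "10.0.0.5", None)):
        print(args, "->", resolve(FTPACCESS, *args))
```

Running it shows the ordering rules in action: the exodous.net client is refused by the deny line even though the catch-all class would have accepted it, the real user from 10.0.0.5 lands in staff rather than all because staff appears first, and the anonymous user from the same address falls through to all because staff only admits real users.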

ftpusers File Purpose Now Implemented in ftpaccess

Certain accounts are created during the installation of Linux for the system's own use, to separate tasks with specific permissions. The ftpusers file (/etc/ftpusers) lists accounts that must never log in over FTP, such as root and the other system accounts. The version of wu-ftpd you use with Fedora may have deprecated this file and instead implements the same function in ftpaccess with the deny-uid and deny-gid directives. Check which mechanism your package honors: an account that is neither listed in ftpusers nor denied by UID or GID can log in with its system password over cleartext FTP.


Restrict Permissions Based on Group IDs

The guestgroup directive makes every member of the named group or groups behave like the anonymous user. Here is the directive:

 guestgroup <groupname> [<groupname>] 

Such users are confined (chrooted) to their home directory structure in the same way anonymous users are confined to /var/ftp, and they can reach only files their assigned group has permission to access.

The groupname parameter can be the name of a group or that group's numeric GID (group ID). If you use a GID, put a percent sign (%) in front of it. A range of GIDs can be given in one entry, as in this example:

 guestgroup %500-550 

This entry treats all users whose GID is 500 through 550 as guests rather than as ordinary real users. For guestgroup to work, the users' home directories must be set up with the same layout and permissions as the anonymous FTP tree, because the chroot hides everything outside the home directory.

Limit Permissions Based on Individual ID

The guestuser directive works exactly like guestgroup except that it names individual users rather than a group. Here's the directive:

 guestuser <username> [<username>] 

The named users are confined like guests and can reach only files their own UID and groups have permission for. Because a named user usually belongs to several groups, the set of files a guestuser can see can be broader than what a single guestgroup entry grants, so check the effective permissions inside the chroot rather than assuming the restriction is tighter.

Restrict the Number of Users in a Class

limit restricts the number of concurrent users in a class during given times. The directive takes a class, a user count, a time specification, and the name of a text file containing an appropriate message:

 limit <class> <n> <times> <message_file> 

The check is made at login. If the class already has n users connected during the given time period, the new connection is refused and the user sees the contents of message_file. An n of -1 means no limit. When more than one limit line could apply to a session, the first applicable one in the file is used.

The times parameter is terse. It is a comma-delimited list of entries, each consisting of one or more day codes optionally followed by an hour range in 24-hour hhmm-hhmm form; an entry with no hour range covers the whole day. Valid day codes are Su, Mo, Tu, We, Th, Fr, and Sa, plus Wk for all weekdays and Any for every day. An example is as follows:

 limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class 

This line limits the anonymous class to 10 concurrent connections all day Monday through Friday and on Saturday from midnight to 11:00 p.m. An eleventh anonymous client arriving during those times is refused and shown the contents of /home/ftp/.message_limit_anon_class. Outside those times (Saturday after 11:00 p.m. and all day Sunday) this line imposes no limit at all, so add another limit line if you want a cap then.

Syntax for finer control over limiting user connections can be found in the ftpaccess man page.
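The times grammar is easy to get wrong, so here is an added example (not code from the page or from wu-ftpd) that parses limit lines from a constructed ftpaccess fragment and decides whether a login at a given moment is refused. The first-applicable-line rule, the Wk day code and the meaning of -1 are taken from the wu-ftpd man page rather than from this section; the limit lines and user counts are made up.

```python
"""Evaluate wu-ftpd 'limit' lines against a login attempt.

Added example, not from the page or the wu-ftpd sources.  It implements the
'times' grammar: comma-separated entries, each a run of day codes (Su Mo Tu
We Th Fr Sa, plus Wk for weekdays and Any) optionally followed by an
hhmm-hhmm range in 24-hour time; no range means the whole day.  The
ftpaccess lines and the connection counts are constructed sample data.
"""
from datetime import datetime

DAY_CODES = ["Su", "Mo", "Tu", "We", "Th", "Fr", "Sa"]
WEEKDAYS = set(DAY_CODES[1:6])

FTPACCESS = """\
limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class
limit anonymous 50 Any                    /home/ftp/.message_limit_anon_offpeak
limit staff     5  Wk0900-1700            /home/ftp/.message_limit_staff
"""


def parse_times(spec):
    """Return a list of (set_of_day_codes, start_minute, end_minute) windows."""
    windows = []
    for entry in spec.split(","):
        days, i = set(), 0
        while i < len(entry):
            if entry.startswith("Any", i):
                days.update(DAY_CODES); i += 3
            elif entry.startswith("Wk", i):
                days.update(WEEKDAYS); i += 2
            elif entry[i:i + 2] in DAY_CODES:
                days.add(entry[i:i + 2]); i += 2
            else:
                break                       # remainder is the hour range
        rest = entry[i:]
        if not days:                        # a bare hour range applies every day
            days = set(DAY_CODES)
        if rest:
            start, end = rest.split("-")
            start_min = int(start[:2]) * 60 + int(start[2:])
            end_min = int(end[:2]) * 60 + int(end[2:])
        else:
            start_min, end_min = 0, 24 * 60
        windows.append((days, start_min, end_min))
    return windows


def in_window(windows, when):
    # Python's weekday() is Monday=0; DAY_CODES is indexed Sunday=0.
    day = DAY_CODES[(when.weekday() + 1) % 7]
    minute = when.hour * 60 + when.minute
    return any(day in days and start <= minute < end for days, start, end in windows)


def parse_limits(text):
    limits = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) == 5 and fields[0] == "limit":
            limits.append((fields[1], int(fields[2]), parse_times(fields[3]), fields[4]))
    return limits


def check_limit(text, class_name, current_users, when_iso):
    """Return None if the login may proceed, else the message file to show.

    when_iso is an ISO-8601 timestamp such as "2006-10-16T12:00".  The first
    limit line for the class whose window covers that moment is the one in
    force; later lines are ignored even if they are more generous.
    """
    when = datetime.fromisoformat(when_iso)
    for cls, n, windows, message_file in parse_limits(text):
        if cls == class_name and in_window(windows, when):
            if n < 0 or current_users < n:  # -1 means unlimited
                return None
            return message_file
    return None
```

Note the ordering trap the sample fragment illustrates: the 50-user "Any" line only ever takes effect when the first line's window does not apply (Saturday night and Sunday), because the first applicable line wins. Putting the generous line first would silently disable the weekday cap.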

Limit the Number of Invalid Password Entries

This line allows control over how many times a user can enter an invalid password before the FTP server terminates the session:

 loginfails <number> 

The default for loginfails is 5. After that many failed passwords the server drops the connection, which stops a client from guessing indefinitely over a single session. It does not stop an attacker from simply reconnecting, so pair it with log security and log monitoring rather than relying on it alone.

Configure User Information

Providing users with information about the server and its use is good practice for any administrator of a public FTP server. Adequate user information helps prevent user problems and eliminates support calls, and it is also where you state the restrictions governing the use of your server. The directives in the following sections display messages to users as they log in or as they perform specific actions.

Display a Prelogin Banner

This command is a reference to a file that is displayed before the user receives a login prompt from the FTP server:

 banner <path> 

Generally, this file contains information to identify the server. The path is an absolute pathname, relative to the system root (/), not the base of the anonymous FTP user's home. The entry might look like this:

 banner /etc/rh8ftp.banner 

This example uses the file named rh8ftp.banner under the /etc directory. The file can contain one or more lines of text, such as

 Welcome to Widget, Inc.'s Red Hat Linux FTP server.
 This server is only for use of authorized users.
 Third-party developers should use a mirror site. 

When an FTP user attempts to log in, the banner will be displayed like so:

 $ ftp shuttle2
 Connected to shuttle2.home.org.
 220-Welcome to Widget, Inc.'s Red Hat Linux FTP server.
 220-This server is only for use of authorized users.
 220-Third-party developers should use a mirror site.
 220-
 220-
 220 shuttle2 FTP server (Version wu-2.6.2-8) ready.
 504 AUTH GSSAPI not supported.
 504 AUTH KERBEROS_V4 not supported.
 KERBEROS_V4 rejected as an authentication type
 Name (shuttle2:phudson): 

NOTE

Note that the banner does not replace the greeting text, which, by default, displays the hostname and server information, such as

 220 shuttle2 FTP server (Version wu-2.6.2-8) ready. 

To hide version information, use the greeting command in ftpaccess with a keyword, such as terse, like so:

 greeting terse  

FTP users will then see a short message like this as part of the login text:

 220 FTP server ready. 

Also, not all FTP clients can handle multiline responses from the FTP server, and the banner directive delivers the file contents as a multiline 220- response. A client that cannot interpret multiline responses will not be able to use the server at all, so keep the banner short and test it with the clients you expect. You should also edit the default banner to remove identity and version information; the less a scanner learns from the greeting, the less it has to target.


Display a File

This directive names a text file to be displayed to the user at login or when the user changes directory:

 message <path> {<when> {<class> ...}} 

The optional when clause is either LOGIN or CWD=dir, where dir is the directory being entered (CWD=* matches any directory). The optional class parameter restricts the message to the given class or classes of users.

Using messages is a good way to give information about where things are on your site as well as information that is system dependent, such as alternative sites, general policies regarding available data, server availability times, and so on.

You can use magic cookies to breathe life into your displayed messages. Magic cookies are symbolic constants that are replaced by system information. Table 22.1 lists valid magic cookies for the message command and their representation.

Table 22.1. Magic Cookies and Their Descriptions

 Cookie   Description
 %T       Local time (for example, Thu Nov 15 17:12:42 1990)
 %F       Free space in the partition holding the current directory, in kilobytes (not supported on all systems)
 %C       Current working directory
 %E       The maintainer's email address, as defined by the email directive in ftpaccess
 %R       Remote hostname
 %L       Local hostname
 %u       Username as determined via RFC 931 authentication
 %U       Username given at login time
 %M       Maximum allowed number of users in this class
 %N       Current number of users in this class
 %B       Absolute limit on disk blocks allocated
 %b       Preferred limit on disk blocks
 %Q       Current block count
 %I       Maximum number of allocated inodes (+1)
 %i       Preferred inode limit
 %q       Current number of allocated inodes
 %H       Time limit for excessive disk use
 %h       Time limit for excessive files

 Ratio cookies
 %xu      Uploaded bytes
 %xd      Downloaded bytes
 %xR      Upload/download ratio (1:n)
 %xc      Credit bytes
 %xT      Time limit (minutes)
 %xE      Elapsed time since login (minutes)
 %xL      Time left
 %xU      Upload limit
 %xD      Download limit


To understand how this command works, imagine that you want to display a welcome message to everyone who logs in to the FTP server. An entry of

 message /var/ftp/welcome.msg login 
 message /welcome.msg login 

shows the contents of the welcome.msg file to all real users who log in to the server; for real users the path is absolute. The second entry shows the same message to the anonymous user, for whom the path is relative to the anonymous root (/var/ftp), so both lines refer to the same file.

The welcome.msg file is not created with the installation of the RPM, but you can create it using a text editor. Type the following:

 Welcome to the anonymous ftp service on %L!

 There are %N out of %M users logged in.

 Current system time is %T

 Please send email to %E if there are
 any problems with this service.
 Your current working directory is %C 

Save this file as /var/ftp/welcome.msg. Verify that it works by connecting to the FTP server:

 220 FTP server ready.
 504 AUTH GSSAPI not supported.
 504 AUTH KERBEROS_V4 not supported.
 KERBEROS_V4 rejected as an authentication type
 Name (shuttle:phudson): anonymous
 331 Guest login ok, send your complete e-mail address as password.
 Password:
 230-Welcome to the anonymous ftp service on shuttle.home.org!
 230-
 230-There are 1 out of unlimited users logged in.
 230-
 230-Current system time is Mon Nov  3 10:57:06 2003
 230-
 230-Please send email to root@localhost if there are
 230-any problems with this service.
 230-Your current working directory is / 
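To show how the cookies in the message file turn into the 230- lines above, here is an added example (not code from the page or from wu-ftpd) that performs the substitutions from Table 22.1 for a welcome message and frames the result as the server would. The session values, including the "unlimited" rendering of %M when no limit applies, are constructed for the example, and the cookie set handled is the one in the table.

```python
"""Expand wu-ftpd message-file magic cookies.

Added example, not code from the page or from wu-ftpd: it reproduces the
substitutions from Table 22.1 with session values supplied by a dict, so
the output can be checked offline.  The message text and the session values
are constructed sample data.
"""
import re

WELCOME_MSG = """\
Welcome to the anonymous ftp service on %L!

There are %N out of %M users logged in.

Current system time is %T

Please send email to %E if there are
any problems with this service.
Your current working directory is %C
"""

# Constructed session values.  A 'limit' of -1 means no cap, which the
# server renders as the word "unlimited" for %M.
SESSION = {
    "L": "shuttle.home.org",
    "R": "192.168.2.31",
    "U": "anonymous",
    "E": "root@localhost",
    "C": "/",
    "T": "Mon Nov  3 10:57:06 2003",
    "N": 1,
    "M": -1,
}

# Two-character ratio cookies (%xu, %xR, ...) and the single-letter ones.
COOKIE_RE = re.compile(r"%(x[udRcTELUD]|[TFCERLuUMNBbQIiqHh])")


def expand_cookies(text, session):
    """Replace %X cookies with session values; cookies with no value stay verbatim."""
    def repl(match):
        key = match.group(1)
        if key == "M":
            limit = session.get("M", -1)
            return "unlimited" if limit < 0 else str(limit)
        value = session.get(key)
        return match.group(0) if value is None else str(value)
    return COOKIE_RE.sub(repl, text)


def as_ftp_reply(text, code="230"):
    """Frame expanded text the way the server sends it: 'NNN-' on every line."""
    lines = text.rstrip("\n").split("\n")
    return "\n".join(f"{code}-{line}" for line in lines)


if __name__ == "__main__":
    print(as_ftp_reply(expand_cookies(WELCOME_MSG, SESSION)))
```

The regular expression is deliberately restricted to the cookies the table defines, so a stray percent sign in a message is left alone rather than swallowed; that is the behaviour you want when editing message files by hand, because an unexpected substitution is easy to miss.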

Display Administrator's Email Address

This line sets the email address for the FTP administrator:

 email <name> 

This string is printed whenever the %E magic cookie is specified. This magic cookie is used in the messages line or in the shutdown file. You should display this string to users in the login banner message so that they know how to contact you (the administrator) in case of problems with the FTP server.

CAUTION

Do not put your personal mailbox in the banner. Use a role alias (for example, an ftp-admin address) that routes to the IT group, so that others can handle user mail when you are away and your personal address is not handed to every client that connects.


Notify User of Last Modification Date

The readme directive tells the server to notify the user that a README-style file exists, and when it was last modified, at login or on entering a directory. Here's the directive:

 readme <path> {<when> {<class>}} 

The path parameter is any path valid for the user. The optional when parameter is the same as in the message directive (LOGIN or CWD=dir), and class can be one or more classes defined with class directives. The path is absolute for real users. For the anonymous user it is relative to the anonymous home directory, which is /var/ftp by default.

Configure System Logging

Part of any system administration involves reviewing log files for what the server is doing, who accessed it, what files were transferred, and other pieces of important information. You can use a number of directives within /etc/ftpaccess to control your FTP server's logging.

Redirect Logging Records

This directive lets the administrator choose where transfer records are written:

 log syslog[+xferlog] 

By default, wu-ftpd writes one record per file transfer to /var/log/xferlog. log syslog sends those records through syslog instead (on Fedora they then land in /var/log/messages), and log syslog+xferlog writes them to both. Command logging enabled with log commands (see the next section) always goes through syslog. Because the man pages packaged with some RPMs describe only one of these locations, check your server's settings to confirm where your transfer log actually ends up.

Log All User-Issued Commands

This line enables logging for all commands issued by the user:

 log commands [<typelist>] 

typelist is a comma-separated list of anonymous, guest, and real. If no typelist is given, commands are logged for all users. Some wu-ftpd RPMs already log all file transfers to /var/log/xferlog (see the next section); adding log commands to ftpaccess additionally captures every command a user issues, and those records go to syslog, which on Fedora means /var/log/messages. Here is an example of a sample log:

 Oct  6 12:21:42 shuttle2 ftpd[5229]: USER anonymous
 Oct  6 12:21:51 shuttle2 ftpd[5229]: PASS phudson@widget.com
 Oct  6 12:21:51 shuttle2 ftpd[5229]: ANONYMOUS FTP LOGIN FROM 192.168.2.31 [192.168.2.31], phudson@widget.com
 Oct  6 12:21:51 shuttle2 ftpd[5229]: SYST
 Oct  6 12:21:54 shuttle2 ftpd[5229]: CWD pub
 Oct  6 12:21:57 shuttle2 ftpd[5229]: PASV
 Oct  6 12:21:57 shuttle2 ftpd[5229]: LIST
 Oct  6 12:21:59 shuttle2 ftpd[5229]: QUIT
 Oct  6 12:21:59 shuttle2 ftpd[5229]: FTP session closed 

The example log shows the username and password entries for an anonymous login. Note that the anonymous password (the e-mail address the client supplied) is written to the log in the clear, so the log contains client-supplied data and must be protected and parsed with the same care as any untrusted input. The CWD entry shows that a cd command was used to move into the pub directory. The commands shown are the FTP protocol commands the server received, not the syntax the user typed; for example, the LIST entry is the client's ls command.
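Command logs are only useful if something reads them. Here is an added example (not code from the page or from wu-ftpd) that reassembles sessions from log lines in the format shown above, keyed by the ftpd process ID, and flags anonymous sessions that attempted to modify the server's filesystem. The log lines are constructed: the first session mirrors the one above, and the second is invented to show an anonymous upload followed by a SITE CHMOD. The session fields and the write-command check are an operator's assumptions about what is worth flagging, not wu-ftpd features.

```python
"""Rebuild FTP sessions from 'log commands' output and flag risky ones.

Added example, not code from the page or from wu-ftpd.  The log lines are
constructed in the format shown above (syslog prefix, ftpd[pid], raw FTP
command); the session summary and the write-command check are assumptions
about what an operator would want, not wu-ftpd features.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
Oct  6 12:21:42 shuttle2 ftpd[5229]: USER anonymous
Oct  6 12:21:51 shuttle2 ftpd[5229]: PASS phudson@widget.com
Oct  6 12:21:51 shuttle2 ftpd[5229]: ANONYMOUS FTP LOGIN FROM 192.168.2.31 [192.168.2.31], phudson@widget.com
Oct  6 12:21:51 shuttle2 ftpd[5229]: SYST
Oct  6 12:21:54 shuttle2 ftpd[5229]: CWD pub
Oct  6 12:21:57 shuttle2 ftpd[5229]: PASV
Oct  6 12:21:57 shuttle2 ftpd[5229]: LIST
Oct  6 12:21:59 shuttle2 ftpd[5229]: QUIT
Oct  6 12:21:59 shuttle2 ftpd[5229]: FTP session closed
Oct  6 12:30:02 shuttle2 ftpd[5301]: USER anonymous
Oct  6 12:30:03 shuttle2 ftpd[5301]: PASS mozilla@
Oct  6 12:30:03 shuttle2 ftpd[5301]: ANONYMOUS FTP LOGIN FROM 203.0.113.9 [203.0.113.9], mozilla@
Oct  6 12:30:05 shuttle2 ftpd[5301]: CWD incoming
Oct  6 12:30:06 shuttle2 ftpd[5301]: STOR warez.tgz
Oct  6 12:30:09 shuttle2 ftpd[5301]: SITE CHMOD 777 warez.tgz
Oct  6 12:30:10 shuttle2 ftpd[5301]: QUIT
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ftpd\[(\d+)\]: (.*)$")
LOGIN_RE = re.compile(r"^ANONYMOUS FTP LOGIN FROM \S+ \[([\d.]+)\], (.*)$")
# Commands that change the server's filesystem; anonymous use deserves a look.
WRITE_CMDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD", "SITE"}


def parse_sessions(text):
    """Group log lines by ftpd pid; return pid -> session dict in first-seen order."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not an ftpd line; ignore
        stamp, _host, pid, msg = m.groups()
        s = sessions.setdefault(pid, {"start": stamp, "user": None, "anonymous": False,
                                      "remote": None, "password": None, "commands": []})
        login = LOGIN_RE.match(msg)
        if login:
            s["anonymous"], s["remote"], s["password"] = True, login.group(1), login.group(2)
        elif msg.startswith("USER "):
            s["user"] = msg[5:]
        elif msg and msg.split()[0].isupper() and not msg.startswith("FTP "):
            s["commands"].append(msg.split()[0])   # keep the verb only, not its argument
    return sessions


def anonymous_writes(sessions):
    """Return (pid, remote, [write commands]) for anonymous sessions that tried to write."""
    hits = []
    for pid, s in sessions.items():
        writes = [c for c in s["commands"] if c in WRITE_CMDS]
        if s["anonymous"] and writes:
            hits.append((pid, s["remote"], writes))
    return hits


if __name__ == "__main__":
    for pid, remote, writes in anonymous_writes(parse_sessions(SAMPLE_LOG)):
        print(f"anonymous session {pid} from {remote} issued {' '.join(writes)}")
```

Only the command verb is kept, which avoids carrying the client-supplied PASS argument and filenames into the summary; if you need the arguments for an investigation, go back to the raw line for that pid rather than trusting a parsed copy.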

Log Security Violations and File Transfers

Two other logging commands are useful in the /etc/ftpaccess configuration file. This line enables the logging of security violations:

 log security [<typelist>] 

Violations are logged for anonymous, guest, and real users, as specified in the typelist the same as other log commands. If you do not specify a typelist, security violations for all users will be logged.

This line writes a log of all files transferred to and from the server:

 log transfers [<typelist> [<directions>]] 

typelist is the same as seen in log commands and log security lines. directions is a comma-separated list of the keywords inbound for uploaded files and outbound for downloaded files. If no directions are given, both uploaded and downloaded files will be logged. Inbound and outbound logging is turned on by default.

Configure Permission Control

Controlling user activity is an important component of securing your system's server. The ftpaccess file includes a number of commands that enable you to determine what users can and cannot execute during an FTP session. You can use these permission controls to allow users to change file permissions, delete or overwrite files, rename files, and to create new files with default permissions. You learn how to use all these ftpaccess file command lines in the following sections.

NOTE

The stock Fedora ftpaccess sets the directives below to no for anonymous users and leaves them enabled for real users. With no directive at all, wu-ftpd's built-in default is to allow these actions for everyone, so do not remove those lines when trimming the file.


Allow Users to Change File Permissions

The chmod directive determines whether a user may change a file's permissions on the server with the SITE CHMOD command. Here is the directive:

 chmod <yes|no> <typelist> 

The yes|no parameter says whether the command may be executed. typelist is a comma-delimited string of the keywords anonymous, guest, and real; if you omit it, the setting applies to all users. Letting anonymous or guest users run SITE CHMOD lets them make uploaded files world-writable or executable, so leave it at no for those types. An exhaustive description of its purpose and parameters can be found in the man page.

Assign Users File-Delete Permission

The delete directive determines whether the user can delete files on the server (the FTP DELE command, which the standard ftp client sends for its delete command). Here's the directive:

 delete <yes|no> <typelist> 

The yes|no parameter is used to turn this permission on or off, and typelist is the same as the chmod command.

Assign Users File-Overwrite Permission

This command line of the ftpaccess file allows or denies users the ability to overwrite an existing file. Here's the command line:

 overwrite <yes|no> <typelist> 

The FTP client determines whether users can overwrite files on their own local machines; this line specifically controls overwrite permissions for uploads to the server. The yes|no parameter toggles the permission on or off, and typelist is the same as seen in the chmod line.

Allow Users to Rename Files

You can enable or prevent a user from renaming files using this command line:

 rename <yes|no> <typelist> 

The yes|no parameter toggles the permission on or off, and typelist is the same comma-delimited string as seen in chmod.

Allow Users to Compress Files

This line determines whether the user will be able to use the compress command on files:

 compress <yes|no> [<classglob>] 

The yes|no parameter toggles the permission on or off, and classglob is a wildcard pattern naming one or more defined classes of users. The conversions this enables are specified in the ftpconversions file, which says what compression or extraction command is run for a file with a given extension, such as .Z for the compress command, .gz for the gunzip command, and so on. See the section "Configure FTP Server File-Conversion Actions" later in this chapter.

Assign or Deny Permission to Use tar

This line determines whether the user will be able to use the tar (tape archive) command on files:

 tar <yes|no> [<classglob> ...] 

The yes|no parameter toggles the permission on or off, and classglob is a wildcard pattern naming one or more defined classes of users. Again, the conversions that result from the use of this command are specified in the ftpconversions file.

Determine What Permissions Can Apply to User-Created Upload Files

This directive is a bit different from the others in the permission control section. umask controls whether a user may change the umask that determines the permissions of files created on upload (via the SITE UMASK command). Here it is:

 umask <yes|no> <typelist> 

The yes|no parameter determines whether the user may alter the umask, and with it the default permissions of the files he uploads. Like the overwrite directive you read about earlier in this section, this one is specific to uploaded files, because the client machine decides how files are created on download.

Configure Commands Directed Toward the cdpath

This alias command allows the administrator to provide another name for a directory other than its standard name:

 alias <string> <dir> 

The alias line only applies to the cd command. This line is particularly useful if a popular directory is buried deep within the anonymous FTP user's directory tree. A sample entry is the following:

 alias linux-386 /pub/redhat/7.3/en/i386/ 

This line would allow the user to type cd linux-386 and be automatically taken to the /pub/redhat/7.3/en/i386 directory.

The cdpath <dir> directive specifies where the cd command looks for a name the user enters that is neither an alias nor a directory under the current one. Search paths are tried in the order in which the cdpath lines appear in the ftpaccess file.

For example, if the following cdpath entries are in the ftpaccess file,

 cdpath /pub/redhat/ 
 cdpath /pub/linux/ 

and the user types cd i386, the server first checks the defined aliases for i386, then tries /pub/redhat/i386 and finally /pub/linux/i386. If a large number of aliases would be needed, create symbolic links to the directories instead; that reduces the work done by the FTP server and the wait for the user.

Structure of the shutdown File

The shutdown directive tells the server where to look for the shutdown file, which is created by the ftpshut command or written by hand. It takes the pathname of that file, such as

 shutdown /etc/rh8ftpshutdown 

If this file exists, the server reads it to learn when it should shut down. The syntax of the file is as follows:

 <year> <month> <day> <hour> <minute> <deny_offset> <disc_offset> <text> 

year can be any year after 1970 (the epoch); month is 0 to 11, with 0 meaning January; day is 1 to 31; hour is 0 to 23; minute is 0 to 59; deny_offset is the number of minutes before shutdown at which the server stops accepting new connections; disc_offset is the number of minutes before shutdown at which connected users are disconnected; and text is a message displayed to users at login. In addition to the magic cookies defined in the messages section, those listed in Table 22.2 are also available.

Table 22.2. Magic Cookies for the Shutdown File

 Cookie   Description
 %s       The time the system will be shut down
 %r       The time new connections will be denied
 %d       The time current connections will be dropped
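The 0-based month and the two offsets are the fields people get wrong when writing a shutdown file by hand, so here is an added example (not code from the page or from wu-ftpd) that parses one line in the layout above, computes the deny and disconnect moments, expands %s, %r and %d, and reports which phase the server is in at a given time. The file contents are constructed; the time format used for the expanded cookies is the same shape as the %T cookie's local time, chosen here for readability rather than taken from the server.

```python
"""Parse a wu-ftpd shutdown file and expand its %s/%r/%d cookies.

Added example; not code from the page or from wu-ftpd.  It applies the field
layout given above (year month day hour minute deny_offset disc_offset text),
including the 0-based month, and computes the moments new connections are
refused and existing ones dropped.  The shutdown file content is constructed.
"""
from datetime import datetime, timedelta

# Constructed: 15 October 2006 22:30, refuse logins 30 min before, drop 5 min before.
SHUTDOWN_FILE = ("2006 9 15 22 30 30 5 System going down at %s; "
                 "new logins refused at %r, connections dropped at %d.")


def parse_shutdown(text):
    """Return (shutdown_at, deny_at, disconnect_at, message) from one shutdown line."""
    fields = text.split(None, 7)
    if len(fields) < 8:
        raise ValueError("shutdown file needs seven numeric fields plus text")
    year, month, day, hour, minute, deny_off, disc_off = (int(f) for f in fields[:7])
    if not 0 <= month <= 11:
        raise ValueError("month is 0-11 in a shutdown file (0 = January)")
    shutdown_at = datetime(year, month + 1, day, hour, minute)
    deny_at = shutdown_at - timedelta(minutes=deny_off)
    disconnect_at = shutdown_at - timedelta(minutes=disc_off)
    return shutdown_at, deny_at, disconnect_at, fields[7]


def expand_shutdown_cookies(message, shutdown_at, deny_at, disconnect_at):
    """Substitute the three shutdown-file cookies with human-readable times."""
    fmt = "%a %b %d %H:%M:%S %Y"   # same shape as the %T cookie's local time
    return (message.replace("%s", shutdown_at.strftime(fmt))
                   .replace("%r", deny_at.strftime(fmt))
                   .replace("%d", disconnect_at.strftime(fmt)))


def phase(now, deny_at, disconnect_at):
    """State of the server at 'now': open, denying new logins, or disconnecting."""
    if now < deny_at:
        return "open"
    if now < disconnect_at:
        return "denying"
    return "disconnecting"


if __name__ == "__main__":
    s, r, d, msg = parse_shutdown(SHUTDOWN_FILE)
    print(expand_shutdown_cookies(msg, s, r, d))
    print("phase at 22:10:", phase(r.replace(minute=10), r, d))
```

A month field of 10 in the sample would move the shutdown to November, a mistake that is invisible in the file and only shows up as a server that keeps running past the announced time; the range check at least catches a 1-based value of 12.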


Source: Red Hat Fedora 4 Unleashed (ISBN 0672327929, 2006).