Necessary Daemons


As discussed earlier in this chapter, you’ll want to ensure that you are only offering the services you intend to provide. While auditing the services you wish to offer, you may find that now is a good time to upgrade some of the daemons Apple provides with Mac OS X. Apple does you a real favor by including all the software you need to share services with your local network and the Internet, and if you ever need to turn something on quickly, it’s handy to have that service only a preference pane away. However, if you’ve decided to run a service full time from your computer, it’s probably a good idea to replace the basic software supplied with Mac OS X with a more configurable and security-oriented package.

As we see in Chapter 25, many open-source Unix programs build quite simply on Mac OS X. This is true of Internet server programs as well. There are many server programs to choose from, for any service you can imagine wanting to serve from your computer, and most of them build and run quite easily and well on Mac OS X.

There are also commercial alternatives for most of the servers available for Mac OS X. The choice between installing a commercial product and free software is yours; for the most part both options work comparably. Often the commercial products require a bit less work to install, as they are usually .pkg files that install with a simple double-click.

A multitude of servers are available for Mac OS X, but in this section we focus only on replacing the default FTP server. Other servers can be replaced using similar procedures; however, FTP is one of the more exposed services, and it is important to system security to ensure that you are only offering access to the files and folders that you want shared.

Replacing FTPd

The default FTP server is very good for simple needs. One shortcoming of the built-in FTP server is that users must have an account on your system in order to access it. Perhaps you don’t want to give out accounts, manage security for multiple users on your system, or make sure that every new user you create for FTP sharing has shell access revoked. Several replacement servers offer FTP access using a separate users and groups database. Additionally, the default FTP server can only listen on your given IP address or hostname, whereas with ProFTPd you can create several virtual FTP servers, which allows a good bit of flexibility. The configuration file is also very similar to Apache’s, so knowledge of either product carries over to the other.

While there are many very good FTP servers to choose from, I recommend ProFTPd. The main reason for this recommendation is that this server is included in the Fink package database, which means you can use Fink for the installation as well as for updating the software. Please keep in mind that by replacing the Apple-supplied software, you will no longer receive the benefit of Apple Software Update keeping your server software up to date. If you install any third-party server software, I urge you to join the respective mailing lists and keep up with software updates and security updates. As you are opening your computer to the Internet, you must be aware of the risks involved. Security experts (and hackers) constantly find bugs in software, for which the developers release fixes; your system is only protected from these bugs if you keep your software up to date. If you would prefer not to spend the time keeping your software at the latest revision, then I suggest that you do not replace the software that Apple has provided. If you’re still intrigued, read on; we’ve got some work to do!

Installing ProFTPd using fink

Fink supports and builds ProFTPd properly. However, at the current time the software is not included in Fink’s stable build directory. This will probably change in the near future; for now some additional work is required in order to use Fink to install ProFTPd. First we have to copy the package description files to a place where they are available to Fink. Open the Terminal application and type the following commands at a prompt:

sudo cp /sw/fink/dists/unstable/main/finkinfo/net/proftpd* \
    /sw/fink/dists/local/main/finkinfo
sudo cp /sw/fink/10.2/unstable/main/finkinfo/base/ftpfiles* \
    /sw/fink/dists/local/main/finkinfo
fink install proftpd

Fink will give the following output:

fink needs help picking an alternative to satisfy a virtual dependency. The candidates:
(1)   proftpd-pam: Incredibly configurable and secure FTP daemon (Default)
(2)   proftpd-ldap: Incredibly configurable and secure FTP daemon (LDAP)
(3)   proftpd-mysql: Incredibly configurable and secure FTP daemon (MySQL)
(4)   proftpd-pgsql: Incredibly configurable and secure FTP daemon (PostgreSQL)

Enter number 1 to use proftpd-pam.

Fink will then request permission to install three additional packages: anacron, ftpfiles and proftpd-pam. Grant permission by entering Y or pressing Enter.

The following package will be installed or updated:
 proftpd
The following 3 additional packages will be installed:
 anacron ftpfiles proftpd-pam
Do you want to continue? [Y/n]

Fink will then ask for permission to set up anacron. Anacron is used by ProFTPd for log rotation. Grant this permission by entering Y or pressing Enter.

Anacron is not currently set up to be run periodically by cron. Would
you like for anacron to be run automatically? In most cases, you probably
want to say yes to this option. [Y/n]

Skip the following section and continue to Configuring ProFTPd below.

Installing ProFTPd manually

If you wish to install ProFTPd manually, download the source from http://www.proftpd.org/ to a temporary directory. You’ll have to extract the archive, run the configure script, build the software with make, and then install it. This whole process goes very smoothly on Mac OS X. Open the Terminal application and type the following at a shell prompt:

tar -zxvf proftpd-1.2.8p.tar.gz
cd proftpd-1.2.8
./configure
make
sudo make install

Configuring ProFTPd

ProFTPd’s configuration file is installed at /sw/etc/proftpd.conf if ProFTPd was installed using Fink; otherwise the file can be found at /etc/proftpd.conf. Either way the same changes are made to the file. Some changes are necessary to get our server up and running. You’ll notice when looking at the file that there are two kinds of directives. The first kind is a single-line directive such as ServerName and ServerType. The second kind is a container directive such as <Directory> and <Limit>. Container directives are much like HTML tags: a container is opened with <Directive> and closed with </Directive>.

The first section of the file defines how the server will run. There are two choices: stand-alone or inetd. A stand-alone server launches when the machine boots and is always running; if your machine is a dedicated FTP server this is the best choice. The other option is to use inetd, the Internet superserver. Apple ships xinetd, an improved version of the basic inetd server. inetd listens on all configured ports on your computer, and when a request comes in on a port it is listening to, it launches the application configured for that port and hands the connection to that application. This is the best solution for a low-volume, part-time server, as system resources are not tied up by the server program except when it is actually in use. We will configure the server to run under inetd. If you wish to run it stand-alone, you will need to create a StartupItem for the FTP server.

Open the configuration file in your favorite editor and make the following changes:

ServerName          "Your Server’s name goes here"
ServerType          inetd
# Set the user and group under which the server will run.
User                nobody
Group               nobody

Note the change in group to nobody from nogroup.

Uncomment the DefaultRoot ~ line below for security purposes. This makes each user’s home directory appear as the root volume when they connect; in other words, users cannot navigate up past their own home directory. This makes the system far more secure, as users are not allowed to see anything that has not been explicitly given to them. To uncomment the line, remove the # character at the beginning of the line so that it looks like the line below.

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

The configuration file as it is shipped allows anonymous access via a user named ftp. If you truly want to offer anonymous access, you’ll need to create an ftp user on your computer: Apple ships with an ftp group pre-installed, but not an ftp user. To create the user, go into the Accounts preference pane and create a user named ftp. For a more secure server, you’ll want to disable anonymous access by commenting out the following section of the configuration file. Comment out the section by adding # marks at the beginning of each line so that it looks like the lines below:

#<Anonymous ~ftp>
#  User            ftp
#  Group           ftp

Add a # mark to the beginning of every line of the section, from <Anonymous ~ftp> down to the closing </Anonymous> line; the three lines above show the start of the section.

By commenting out the anonymous user, your server will only allow users who have accounts on your computer to connect.

ProFTPd can also use its own password file in lieu of consulting your existing system users. To create the password file for ProFTPd, you’ll use the provided ftpasswd utility, then configure ProFTPd to use that password file for access to the server.

Depending on how you installed ProFTPd, you’ll find ftpasswd in /sw/sbin/ or /usr/local/sbin/. Create a new password file, /etc/ftp_passwd, by opening the Terminal application and typing the following command:

sudo /sw/sbin/ftpasswd --passwd --file /etc/ftp_passwd \
    --name craigz --home /Users/ftp/ --shell /usr/bin/false \
    --uid 1000 --gid 1000 --des
ftpasswd: using alternate file: /etc/ftp_passwd
ftpasswd: creating passwd entry for user craigz
Please be aware that only the first 8 characters of a DES password are relevant.
Use the --md5 option to select MD5 passwords, as they do not have this limitation.
Password:
Re-type password:
ftpasswd: entry created

Repeat the command for each user you wish to add. List the newly created file by typing the following command at a shell prompt:

sudo more /etc/ftp_passwd
craigz:qXkl3YMWB/Zvg:1000:1000::/Users/ftp:/usr/bin/false

There are many more options to ftpasswd. To read about them all please visit the following Web site: http://www.castaglia.org/proftpd/contrib/ftpasswd.html.
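Once the password file holds a few entries, it is worth checking what you have actually created. The following shell script is an added example, not part of ProFTPd or this book: it reads an AuthUserFile in the passwd(5) layout that ftpasswd writes (name:hash:uid:gid:gecos:home:shell) and flags entries that still use a DES hash (the 8-character limit warned about above; recreate them with --md5), entries with uid 0, entries whose shell is anything other than /usr/bin/false, and entries without an absolute home directory. The sample file it writes is constructed for the demonstration; the craigz line is the one shown above, the other hashes are placeholders. Pass /etc/ftp_passwd to audit_ftp_passwd (with sudo) to review your own file.

```shell
#!/bin/sh
# Added example (not from ProFTPd or the book): review an AuthUserFile
# created by ftpasswd. Findings go to stderr; the number of findings is
# printed on stdout so a caller can capture it.

audit_ftp_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                      # skip blank lines
        {
            # ftpasswd --des writes a 13-character traditional crypt hash, which
            # ignores everything after the 8th password character; --md5 hashes
            # start with "$1$" and have no such limit.
            if (substr($2, 1, 3) != "$1$") {
                print $1 ": DES hash, only 8 password characters count; recreate with --md5" > "/dev/stderr"; n++
            }
            # An FTP-only account must never map to uid 0.
            if ($3 + 0 == 0) {
                print $1 ": entry has uid 0" > "/dev/stderr"; n++
            }
            # These users need FTP only, so the shell field must be /usr/bin/false.
            if ($7 != "/usr/bin/false") {
                print $1 ": shell is " $7 ", expected /usr/bin/false" > "/dev/stderr"; n++
            }
            # DefaultRoot ~ jails the user in the home field; it must be absolute.
            if (substr($6, 1, 1) != "/") {
                print $1 ": home directory is not an absolute path" > "/dev/stderr"; n++
            }
        }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample: craigz is the DES entry from the text; dana has an MD5
# hash (placeholder value) but a real login shell; erin is a clean entry.
write_sample_ftp_passwd() {
    cat > "$1" <<'EOF'
craigz:qXkl3YMWB/Zvg:1000:1000::/Users/ftp:/usr/bin/false
dana:$1$QrZ8xH2s$C0nstructedH4shVal.ue0:1001:1001::/Users/ftp:/bin/sh
erin:$1$aB3dE5fG$C0nstructedH4shVal.ue1:1002:1002::/Users/ftp:/usr/bin/false
EOF
}

# Demonstration on the constructed sample (expected: 2 findings).
tmp=$(mktemp)
write_sample_ftp_passwd "$tmp"
echo "$(audit_ftp_passwd "$tmp") finding(s) in sample file"
rm -f "$tmp"
```

Findings are written to stderr so the count on stdout can be used in a script; a non-zero count is your cue to rerun ftpasswd with --md5 for the user, or to fix the shell or home field.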

Next we’ll need to configure our server to use the newly created password file located at /etc/ftp_passwd.

Add the following line to the configuration file proftpd.conf:

AuthUserFile                /etc/ftp_passwd 
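After editing, it is easy to miss one of the changes above, and a still-active <Anonymous> container or a commented-out DefaultRoot line quietly undoes the hardening. The following shell script is an added example, not part of ProFTPd or this book: it audits a proftpd.conf for each change made in this section (ServerType inetd, an active DefaultRoot ~, no active <Anonymous> container, an AuthUserFile directive) and additionally flags a server configured to run as root. The two sample configurations it writes are constructed for the demonstration and only model the directives quoted in this section; pass your real file (/sw/etc/proftpd.conf or /etc/proftpd.conf) to audit_proftpd_conf to check your own setup.

```shell
#!/bin/sh
# Added example (not from ProFTPd or the book): audit a proftpd.conf for the
# hardening changes described in this section. Findings go to stderr; the
# number of findings is printed on stdout so a caller can capture it.

# True when a directive matching the pattern appears on an uncommented line,
# so that "#DefaultRoot ~" (as shipped) is correctly reported as inactive.
active() {
    grep -Eq "^[[:space:]]*$1" "$2"
}

audit_proftpd_conf() {
    conf="$1"
    issues=0

    if ! active 'ServerType[[:space:]]+inetd' "$conf"; then
        echo "ServerType is not inetd" >&2
        issues=$((issues + 1))
    fi
    if ! active 'DefaultRoot[[:space:]]+~' "$conf"; then
        echo "DefaultRoot ~ is commented out; users can leave their home directory" >&2
        issues=$((issues + 1))
    fi
    if active '<Anonymous' "$conf"; then
        echo "an <Anonymous> container is still active (anonymous logins allowed)" >&2
        issues=$((issues + 1))
    fi
    if ! active 'AuthUserFile[[:space:]]+/' "$conf"; then
        echo "AuthUserFile is not set; FTP logins use system accounts" >&2
        issues=$((issues + 1))
    fi
    if active '(User|Group)[[:space:]]+root([[:space:]]|$)' "$conf"; then
        echo "server runs as root; use an unprivileged User and Group" >&2
        issues=$((issues + 1))
    fi

    echo "$issues"
}

# Constructed sample modelled on the as-shipped directives quoted in the text.
write_shipped_sample() {
    cat > "$1" <<'EOF'
ServerName      "ProFTPD Default Installation"
ServerType      standalone
User            nobody
Group           nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
<Anonymous ~ftp>
  User          ftp
  Group         ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
EOF
}

# Constructed sample with every change from this section applied.
write_hardened_sample() {
    cat > "$1" <<'EOF'
ServerName      "Your Server's name goes here"
ServerType      inetd
User            nobody
Group           nobody
DefaultRoot ~
#<Anonymous ~ftp>
#  User          ftp
#  Group         ftp
#</Anonymous>
AuthUserFile    /etc/ftp_passwd
EOF
}

# Demonstration on the two constructed samples (expected counts: 4 and 0).
tmp=$(mktemp)
write_shipped_sample "$tmp";  echo "shipped:  $(audit_proftpd_conf "$tmp") finding(s)"
write_hardened_sample "$tmp"; echo "hardened: $(audit_proftpd_conf "$tmp") finding(s)"
rm -f "$tmp"
```

The checks deliberately ignore commented lines, which is exactly the distinction that matters here: the shipped file contains the DefaultRoot directive, but behind a # it does nothing.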

The final step is to configure xinetd to launch the ProFTPd server when FTP connections are opened. To do this, use sudo to open the file /etc/xinetd.d/ftp in your editor and change the line

server     = /usr/libexec/ftpd

to

server     = /sw/sbin/proftpd

if proftpd was installed by Fink, or

server     = /usr/local/sbin/proftpd

if proftpd was installed by hand.

In order to force xinetd to reread its configuration, we’ll need to send it a hangup signal. Type the following command:

sudo kill -HUP `/bin/cat /var/run/xinetd.pid`
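If you would rather not hand-edit /etc/xinetd.d/ftp as root, the following shell script is an added example, not part of xinetd, ProFTPd or this book, that makes the same change from the command line: it reads the current server line, refuses to proceed unless the new binary actually exists and is executable (a typo here would otherwise leave FTP connections silently failing), rewrites the line through a temporary file so it works with both the BSD sed on Mac OS X and GNU sed, and wraps the HUP command from the text. The stand-in service file it writes is constructed for the demonstration and only approximates Apple’s; run set_xinetd_server with sudo against the real /etc/xinetd.d/ftp and the ProFTPd path for your installation.

```shell
#!/bin/sh
# Added example (not from xinetd, ProFTPd or the book): switch the "server ="
# line of an xinetd service file to a new binary and reload xinetd.
# Arguments: the service file and the new server path.

# Print the server binary currently configured in an xinetd service file.
# "server_args" does not match because "=" must follow "server" directly.
get_xinetd_server() {
    sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1"
}

# Rewrite the server line. Refuses unless the new binary is executable, and
# writes via a temporary file (portable between BSD and GNU sed).
set_xinetd_server() {
    file="$1"; new="$2"
    if [ ! -x "$new" ]; then
        echo "refusing: $new is not an executable file" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    sed "s|^\([[:space:]]*server[[:space:]]*=[[:space:]]*\).*|\1$new|" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Ask xinetd to reread its configuration, as in the text (run as root).
reload_xinetd() {
    kill -HUP "$(cat /var/run/xinetd.pid)"
}

# Constructed stand-in for /etc/xinetd.d/ftp pointing at Apple's ftpd.
write_sample_service() {
    cat > "$1" <<'EOF'
service ftp
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/libexec/ftpd
    server_args = -l
    groups      = yes
    flags       = REUSE
}
EOF
}

# Demonstration against the constructed sample, using a throwaway executable
# in place of /sw/sbin/proftpd so it runs on any machine.
svc=$(mktemp); bin=$(mktemp)
write_sample_service "$svc"
printf '#!/bin/sh\n' > "$bin"; chmod 755 "$bin"
echo "before: $(get_xinetd_server "$svc")"
set_xinetd_server "$svc" "$bin"
echo "after:  $(get_xinetd_server "$svc")"
rm -f "$svc" "$bin"
```

After a real change, get_xinetd_server /etc/xinetd.d/ftp should print the ProFTPd path, and only then should reload_xinetd be run.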

Mac OS X Bible, Panther Edition
ISBN: 0764543997
Year: 2003
Pages: 290