Project 94. Configure the FTP Service

"How do I configure my FTP server?"

This project shows you how to enable and configure the FTP (File Transfer Protocol) server that is part of a standard Mac OS X install. It describes how to enable the server, open the necessary ports, and configure it to be a little more secure. This project assumes that you are familiar with the concept of FTP and are able to use an FTP client.

Enable FTP

Mac OS X provides both an FTP server and an FTP client. FTP is not a service most people need to run, so the server is disabled by default. It's easily enabled, which causes the FTP server to be launched on demand when a client connects.

It's easy to start the FTP server from System Preferences: Select the Sharing pane, click the Services tab, and check FTP Access. This enables the FTP server and opens port 21 in the firewall. (In systems before Mac OS X 10.4 [Tiger], other ports are opened, too.)

Unfortunately, Apple's firewall rules don't open all the ports necessary for the FTP server to support passive FTP (discussed later in this project). We must open those ports manually. After enabling FTP access, click the Firewall tab and then the New button. In the resulting drop-down sheet, select Port Name Other, enter 1024-65535 in the TCP Port Number(s) box, and add a description such as FTP Passive. The new rule will automatically be checked, meaning that our newly enabled server is able to accept connections from an FTP client in Passive mode. No ports need be opened on the client.

Test the server by connecting to it from another machine. Use the hostname or IP address of the server, and type a command such as

$ ftp myhostname


You must have a Unix account to connect to the FTP server.

System Preferences doesn't provide a mechanism to configure the FTP server. That's unfortunate, because the server can be configured in many ways, not the least of which is to increase security. However, and as you might have guessed, we can configure FTP from the Unix command line.

Tip

To test your server configuration, use the command-line FTP tool, appropriately called ftp. Alternatively, many graphical clients are available, such as Transmit from Panic (http://panic.com/).


Active and Passive FTP

To run an FTP server, we must open port 21. A client connects to this port to send control information (commands such as ls and get). We can choose to support active connections, or passive connections. Active and Passive modes use different ports for transferring data (such as files from the get command or the results of issuing the ls command). To use passive mode, we must open additional ports in the firewall.

Active mode operates as follows. Data is sent over a connection established by the server. It moves from port 20 on the server to a high-numbered port (>=1024) on the client. The client must open ports 1024 through 65535 but accept connections originating only from port 20.

Passive mode is preferred because it does not involve opening ports on the client. It operates as follows. Data is sent over a connection established by the client; it moves between a high-numbered port on the client and a high-numbered port on the server. The server must open ports 1024 through 65535, accepting connections originating from all high-numbered ports.

Summary of open ports necessary for Active mode:

  • Server: Port 21

  • Client: Ports 1024 through 65535 from 20

Summary of open ports necessary for Passive mode:

  • Server: Port 21, Ports 1024 through 65535

  • Client: None

Enable FTP from Unix

Let's enable FTP and add the necessary firewall rules to allow clients to connect to our server in Passive mode. What we'll do is the command-line equivalent of checking FTP Access in System Preferences and adding the new firewall rule; therefore, reverse the steps we took earlier in the project so that we start from a clean sheet.

Learn More

Refer to "How to Become the Root User" in Project 2 for more information on the sudo command.


Enabling and configuring FTP, and configuring the firewall, require root permissions. For the remainder of this project, we'll assume the status of the root user by issuing the command

$ sudo -s
Password:
#


Learn More

Project 72 covers Apple's Launch Daemon and shows how you might add your own tasks to its configuration.


The FTP server itself is launched on demand by Apple's Launch Daemon. To enable a service, we use the launchctl command, specifying subcommand load to load the configuration file for that service and option -w to remove the disabled key and write the altered configuration file back to disk.

Tip

To disable FTP, issue the same launchd command as you did to enable it, except specify the subcommand unload instead of load.


Type the following command.

# launchctl load -w /System/Library/LaunchDaemons/ftp.plist


Apple's Launch Daemon was introduced in Mac OS X 10.4 (Tiger). For versions before Tiger, you must enable FTP by changing the configuration of xinetd. Edit the file /etc/xinetd.d/ftp, and change the line disable = yes to be disable = no. Restart xinetd to make it reread the changed configuration by typing

# kill -HUP $(cat /var/run/xinetd.pid)


Next, we'll configure the firewall by adding rules to open the ports described in "Active and Passive FTP" earlier in this project. Note: It's better that you configure the firewall from System Preferences, because after you've tampered with its settings, System Preferences disowns the firewall, and you'll have to maintain it by hand (until you reboot). If you still want to configure the firewall from the command line, type the following.

# ipfw add 3000 allow tcp from any to any dst-port 21 in
# ipfw add 3010 allow tcp from any to any dst-port 1024-65535 in
# ipfw show


The rule numbers (3000 and 3010) shown here should not clash with any of those already used. To delete a rule such as 3000, type

# ipfw delete 3000


Tip

If you use the ipfw command to configure the firewall by hand, System Preferences will disable its own firewall configuration. To change back to using System Preferences, you must flush all firewall rules by typing

# ipfw flush


You might have to close and reopen System Preferences for it to resume responsibility for the firewall. This trick averts rebooting.


Test the FTP server from another machine, which need not have any ports open and which should connect by using the default Passive mode. Specify the hostname or IP address of the server, and type a command such as

$ ftp myhostname


Configure FTP

Let's look at an example FTP configuration. First, display the file /etc/ftpusers. This file gives the default setup for a Mac OS X installation, and you'll see that it lists users who are not allowed to connect via FTP. We can improve on this blacklist policy with a white-list policy in which we list all users who are allowed to connect via FTP and then disallow all others. Here's our new white-list ftpusers.

# cat /etc/ftpusers
# all admin users are set to class 'free'
*:admin allow free
# other accounts that can ftp are set to class 'restricted'
loraine allow restricted
jan allow restricted
# all other users are denied ftp access
* deny


Learn More

Project 73 covers firewall configuration in a little more detail.


Lines that start with a hash (#) symbol are comments and ignored by the FTP server. The first (proper) line says to allow all (represented by *) administrator users (those belonging to the group admin) to connect. The next lines allow the users loraine and jan (who are not administrators) to connect. The last line denies all users not otherwise mentioned.

You'll notice the free and restricted tags attached to user entries. They are classes used by FTP to define the capabilities and restrictions applied to the associated users. By using classes, we avoid the necessity to repeat ourselves for every user.

We define classes (among other things) in the file /etc/ftpd.conf. Let's create such a file to define the two classes we previously assumed. It should look like this.

# cat /etc/ftpd.conf
# users of class 'free' (see /etc/ftpusers) chroot to /
#  with their ftp home directory set to their login home
chroot free /
homedir free %d
# users of class 'restricted' chroot to their home directory
#  with their ftp home directory set to their new root
#  (ie their login home)
chroot restricted %d
homedir restricted /


The first two configuration commands specify that members of the class free have access to the entire file system, from the root directory down (chroot free /), and that their FTP home directory is the same as their Unix account home directory (homedir free %d). This setup is actually no different from the usual (and unrestricted) configuration any FTP connection would enjoy. (The FTP home directory is the directory in which a user is placed when she connects; it need not be the same as her Unix account home directory.)

We'd like to give nonadministrative users a little less freedom by restricting their view of the file system to their Unix account home directory. We do this by writing the configuration line chroot restricted %d. Such users cannot move outside their home directory; consequently, the FTP command

$ cd /


takes them to their home directory.

Learn More

Refer to the projects in Chapter 4 if you are not familiar with using any of the Unix text editors.


The next configuration line, homedir restricted /, sets these users' FTP home directory to be the file system root as the users now see it: their Unix account home directory.

Finally, we must specify that all users be subject to chrooting (or be jailed) according to the chroot configuration applied to their class. To do this, we must mention all users in the file /etc/ftpchroot or, better, use star (*) to mean all users.

# cat /etc/ftpchroot
# all users are chrooted (see /etc/ftpd.conf)
# according to their class (see /etc/ftpusers)
*


Reduce Open Ports

When we configured the firewall, it was necessary to open all high-numbered ports on the server. In passive FTP, the server tells the client which port the client should connect to when opening the data channel. The server normally chooses a port within the range 1024 to 65535, but by limiting this range, we also limit the number of ports that must be open in the firewall. Add the following lines to the file ftpd.conf.

# set port range for passive for all classes
portrange all 40000 40999


Now we need open only ports 40000 to 40999, which we do by deleting the original firewall rule and reissuing it with the reduced port range.

# ipfw delete 3010
# ipfw add 3010 allow tcp from any to any dst-port 40000-40999 in
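The firewall rule and the server's portrange setting only help if the port the server actually advertises falls inside the range the rule permits; when it doesn't, the control connection works but every ls or get hangs. The following check is an added example, not code from the book or from Apple's ftpd. It decodes the six-octet address-and-port field that RFC 959 defines both for the server's reply to PASV ("227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2) and for the client's PORT command in Active mode, and tests the decoded port against the dst-port argument of an ipfw rule like rule 3010 above. The replies and commands in it are constructed samples.

```python
"""Check FTP data-connection endpoints against the firewall rule.

Added example; not from the book or from the FTP server's sources.
Both the 227 reply to PASV and the PORT command of Active mode encode
an address and port as six decimal octets (RFC 959), port = p1*256 + p2.
"""
import re
from typing import Tuple

# six comma-separated decimal octets: inside parentheses in a 227 reply,
# after the keyword in a PORT command
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# dst-port argument of an ipfw rule: a single port or a lo-hi range
IPFW_RE = re.compile(r"\bdst-port\s+(\d+)(?:-(\d+))?\b")

# the reduced rule from this project (rule body only, without the number)
RULE_3010 = "allow tcp from any to any dst-port 40000-40999 in"


def decode_hostport(text: str) -> Tuple[str, int]:
    """Return (ip, port) from a 227 reply or a PORT command."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rule_port_range(rule: str) -> Tuple[int, int]:
    """Return (lo, hi) for the dst-port argument of an ipfw rule."""
    m = IPFW_RE.search(rule)
    if not m:
        raise ValueError(f"no dst-port in rule {rule!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return lo, hi


def passive_port_allowed(pasv_reply: str, rule: str = RULE_3010) -> bool:
    """True if the port the server chose for Passive mode passes the rule."""
    if not pasv_reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got {pasv_reply!r}")
    _, port = decode_hostport(pasv_reply)
    lo, hi = rule_port_range(rule)
    return lo <= port <= hi


def active_client_port_ok(port_command: str) -> bool:
    """True if a PORT command names a high-numbered client port, the range
    (1024 through 65535) the client must open for Active mode."""
    if not port_command.upper().startswith("PORT "):
        raise ValueError(f"expected a PORT command, got {port_command!r}")
    _, port = decode_hostport(port_command)
    return 1024 <= port <= 65535


if __name__ == "__main__":
    # constructed samples: one port inside the reduced range, one outside
    for reply in ("227 Entering Passive Mode (192,168,1,10,156,64)",
                  "227 Entering Passive Mode (192,168,1,10,4,21)"):
        ip, port = decode_hostport(reply)
        verdict = "passes rule 3010" if passive_port_allowed(reply) else "BLOCKED by rule 3010"
        print(f"{ip}:{port} {verdict}")
```

The first sample decodes to port 40000 (156*256 + 64) and passes; the second decodes to 1045 and would be dropped by the reduced rule, which is exactly what happens if the portrange line is missing from ftpd.conf while rule 3010 has already been narrowed.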


Learn More

Project 8 covers Unix permissions and the umask.


Change the Default umask

If you find the permissions of FTP-created files to be too restrictive, and find that they differ from those you would normally expect to see, set FTP's umask to reflect the permissions enjoyed by a normal Unix account. Add the following lines to the file ftpd.conf.

# change the umask from the FTP default 027 for all users
umask all 022
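To see how the pieces of this configuration combine for a given account, here is an added example that models the lookup; it is neither the book's code nor the FTP server's own parser. It applies the ftpusers white-list built in "Configure FTP" (the first matching line decides; a line with no allow or deny counts as deny, which is how the stock blacklist file works; an account matching no line falls through as allowed with no class; all of this is assumed from ftpusers(5)) and the ftpd.conf directives for chroot, homedir, portrange and umask (a directive naming the user's class overriding the one for all, a later line overriding an earlier one for the same class, also assumed), then reports what a user in each class would see. The files are the ones built in this project; the user names, groups and home directories are constructed.

```python
"""Model the white-list and class configuration built in this project.

Added example; not the book's code and not the FTP server's parser.
Assumptions: ftpusers is first-match-wins, a missing directive means
deny, an unmatched user is allowed with no class; in ftpd.conf a
class-specific directive overrides 'all' and later lines override earlier.
"""
import fnmatch
import os
from typing import Dict, List, Optional, Tuple

FTPUSERS = """\
# all admin users are set to class 'free'
*:admin allow free
# other accounts that can ftp are set to class 'restricted'
loraine allow restricted
jan allow restricted
# all other users are denied ftp access
* deny
"""

FTPD_CONF = """\
chroot free /
homedir free %d
chroot restricted %d
homedir restricted /
portrange all 40000 40999
umask all 022
"""

FTP_DEFAULT_UMASK = 0o027   # the server default quoted in this project


def lookup_access(ftpusers: str, user: str, groups: List[str]) -> Tuple[bool, Optional[str]]:
    """Return (allowed, class) for user; the first matching line decides."""
    for raw in ftpusers.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        userglob, _, groupglob = fields[0].partition(":")
        directive = fields[1] if len(fields) > 1 else "deny"   # assumed default
        cls = fields[2] if len(fields) > 2 else None
        if not fnmatch.fnmatchcase(user, userglob):
            continue
        if groupglob and not any(fnmatch.fnmatchcase(g, groupglob) for g in groups):
            continue
        return directive == "allow", cls
    return True, None   # nothing matched; cannot happen with a trailing '* deny'


def parse_ftpd_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map directive -> class -> arguments; a later line for the same
    directive and class replaces an earlier one."""
    conf: Dict[str, Dict[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, cls, *args = line.split()
        conf.setdefault(directive, {})[cls] = args
    return conf


def setting(conf: Dict[str, Dict[str, List[str]]], directive: str,
            cls: Optional[str]) -> Optional[List[str]]:
    """Class-specific value if present, otherwise the value for 'all'."""
    table = conf.get(directive, {})
    return table.get(cls, table.get("all"))


def effective_view(user: str, groups: List[str], home: str) -> Optional[dict]:
    """What the server grants user: None if denied, otherwise the class,
    the chroot and FTP home directory, the real directory the session
    starts in, the passive port range and the mode an uploaded file gets."""
    allowed, cls = lookup_access(FTPUSERS, user, groups)
    if not allowed:
        return None
    conf = parse_ftpd_conf(FTPD_CONF)

    def expand(arg: str) -> str:      # %d stands for the account's home directory
        return arg.replace("%d", home)

    chroot = expand((setting(conf, "chroot", cls) or ["/"])[0])
    homedir = expand((setting(conf, "homedir", cls) or ["/"])[0])
    lo, hi = (int(p) for p in (setting(conf, "portrange", cls) or ["1024", "65535"]))
    umask_arg = setting(conf, "umask", cls)
    umask = int(umask_arg[0], 8) if umask_arg else FTP_DEFAULT_UMASK
    return {
        "class": cls,
        "chroot": chroot,
        "homedir": homedir,                    # the path as the user sees it
        "real_start_dir": os.path.normpath(os.path.join(chroot, homedir.lstrip("/"))),
        "portrange": (lo, hi),
        "upload_mode": 0o666 & ~umask,         # 0o644 with umask 022, 0o640 with 027
    }


if __name__ == "__main__":
    # constructed accounts: an administrator, a restricted user, an outsider
    for user, groups in (("adrian", ["staff", "admin"]), ("jan", ["staff"]), ("mallory", ["staff"])):
        print(user, effective_view(user, groups, f"/Users/{user}"))
```

Both allowed users start in their own Unix home directory, but the restricted user sees it as / and cannot leave it, while the free user sees it under its real path and can move anywhere.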


Tip

To learn more about FTP configuration, consult the following Unix man pages:

$ man ftpusers
$ man ftpd.conf



Check the Log Files

The FTP daemon writes information to a log file. This information is useful for monitoring who has connected to your server. You'll find the log entries in the file /var/log/ftp.log.

View them with the tail command by typing

$ tail -f /var/log/ftp.log
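Watching the log scroll by tells you who is connecting right now; the question the log is really there to answer is who connected and which hosts keep failing to log in. The script below is an added example, not code from the book. Its sample lines are constructed in syslog style and modelled on the messages the BSD-derived ftpd writes for a successful login ("FTP LOGIN FROM host as user") and a failed one ("FTP LOGIN FAILED FROM host"); the exact wording on a given release is an assumption, so compare the patterns with a real /var/log/ftp.log before relying on them.

```python
"""Tally FTP log lines by remote host.

Added example; not from the book. The log lines are constructed and the
message wording is assumed from the BSD ftpd; check it against the real
/var/log/ftp.log.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

SAMPLE_LOG = """\
Mar  3 09:12:01 mymac ftpd[412]: connection from 192.168.1.20
Mar  3 09:12:03 mymac ftpd[412]: FTP LOGIN FROM 192.168.1.20 as jan
Mar  3 09:15:44 mymac ftpd[430]: connection from 10.0.0.7
Mar  3 09:15:46 mymac ftpd[430]: FTP LOGIN FAILED FROM 10.0.0.7
Mar  3 09:15:49 mymac ftpd[430]: FTP LOGIN FAILED FROM 10.0.0.7
Mar  3 09:15:52 mymac ftpd[430]: FTP LOGIN FAILED FROM 10.0.0.7
Mar  3 09:20:10 mymac ftpd[455]: FTP LOGIN FROM 192.168.1.20 as loraine
"""

LOGIN_RE = re.compile(r"FTP LOGIN FROM (\S+) as (\S+)")     # assumed message
FAILED_RE = re.compile(r"FTP LOGIN FAILED FROM (\S+)")      # assumed message


def tally(lines: Iterable[str]) -> Dict[str, dict]:
    """Per remote host: the users who logged in and the failed attempts.
    Lines that are neither a login nor a failure are ignored."""
    stats: Dict[str, dict] = defaultdict(lambda: {"logins": [], "failures": 0})
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            stats[m.group(1)]["logins"].append(m.group(2))
            continue
        m = FAILED_RE.search(line)
        if m:
            stats[m.group(1)]["failures"] += 1
    return dict(stats)


def hosts_with_failures(stats: Dict[str, dict], threshold: int = 3) -> List[str]:
    """Hosts whose failed logins reached the threshold, for a closer look."""
    return sorted(host for host, s in stats.items() if s["failures"] >= threshold)


if __name__ == "__main__":
    # on a real server: tally(open("/var/log/ftp.log"))
    stats = tally(SAMPLE_LOG.splitlines())
    for host, s in stats.items():
        print(f"{host}: logins={s['logins']} failures={s['failures']}")
    print("hosts to look at:", hosts_with_failures(stats))
```

Running it over the sample gives two logins from 192.168.1.20 and three failures from 10.0.0.7, so the second host is the one to look at; with a white-list ftpusers in place, repeated failures from one host are usually guesses at accounts the file does not allow at all.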


Learn More

Project 21 explores the tail command.





Mac OS X UNIX 101 Byte-Sized Projects
ISBN: 0321374118
Year: 2003
Pages: 153
Authors: Adrian Mayo