Configuring the FTP Server


The FTP service involves a fairly large number of configuration files; some of them exist in /etc, and some are in /var/ftp/etc. The reason for this is that some of the files have to be accessible by anonymous FTP users, and, as you've seen, such users can't see any files outside of /var/ftp. Here are a few of the files in /etc that apply globally to the FTP server as a whole (not all of them exist in the default installation; some must be created manually):

  • /etc/ftpusers A "blacklist" of users who are disallowed FTP access. Add usernames to this file to prevent them from logging in via FTP.

  • /etc/ftpchroot Any users listed in this file will be placed in a chroot "jail," similar to that of anonymous FTP, limiting the user's access solely to his home directory. It's a good idea to put every user in the system into this file, unless there is a reason the user needs full system access; you might even want to modify the adduser script to add new users to this file.

  • /etc/ftphosts Allows you to configure virtual hosts, much like with Apache (as you saw in Chapter 26, "Configuring a Web Server"). You'll learn more about virtual hosting later in this chapter.

  • /etc/ftpwelcome A welcome notice. The contents of this file are displayed to everyone who connects, immediately after the connection is opened, before the login prompt.

  • /etc/ftpmotd A second welcome notice ("message of the day"); this one appears after a regular account user has logged in. You can update this file regularly to present system news or policy changes.

  • /etc/shells You encountered this file in Chapter 9, "Customizing the Shell." Its purpose is to ensure that anybody logging in to the system has a valid shell, thus preventing people from logging in to accounts such as bin, tty, and nobody, which don't have shells listed in this file.
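As an added example (not code from the book), the following POSIX sh script derives candidate entries for /etc/ftpchroot and /etc/ftpusers from a passwd file and a shells file, following the advice above: chroot every real user, and blacklist the system accounts. The file paths are arguments, the sample passwd and shells files are constructed inline, and the UID_MIN cutoff of 1000 separating system accounts from real users is an assumption, not something the book specifies.

```sh
#!/bin/sh
# Added example, not from the book. Derive ftpchroot/ftpusers candidates from
# a passwd file and a shells file. Assumption: UIDs below UID_MIN are system accounts.
UID_MIN=1000

# Users to place in /etc/ftpchroot: real accounts (UID >= UID_MIN) whose
# login shell is listed in the shells file. Usage: chroot_candidates PASSWD SHELLS
chroot_candidates() {
    awk -F: -v min="$UID_MIN" '
        FNR == NR { if ($0 !~ /^#/ && $0 != "") shells[$0] = 1; next }  # shells file
        $3 >= min && ($7 in shells) { print $1 }                          # passwd file
    ' "$2" "$1"
}

# Users to blacklist in /etc/ftpusers: system accounts, plus any account whose
# shell is not a valid login shell. Usage: ftpusers_candidates PASSWD SHELLS
ftpusers_candidates() {
    awk -F: -v min="$UID_MIN" '
        FNR == NR { if ($0 !~ /^#/ && $0 != "") shells[$0] = 1; next }
        $3 < min || !($7 in shells) { print $1 }
    ' "$2" "$1"
}

# Constructed sample files standing in for /etc/passwd and /etc/shells.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/usr/local/bin/bash
carol:*:1003:1003:Carol:/home/carol:/usr/sbin/nologin
EOF
cat > "$WORK/shells" <<'EOF'
# List of acceptable shells (constructed sample)
/bin/sh
/bin/csh
/usr/local/bin/bash
EOF

echo "ftpchroot candidates:"; chroot_candidates "$WORK/passwd" "$WORK/shells"
echo "ftpusers candidates:";  ftpusers_candidates "$WORK/passwd" "$WORK/shells"
```

On a real system you would run the two functions against /etc/passwd and /etc/shells and review the output before appending it to the respective files; the script deliberately prints rather than writes, so nothing changes until you decide it should.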

Beyond the config files in /etc, a number of additional files control anonymous FTP. These aren't just config files, either. If /var/ftp is mapped to / for anonymous users, that means the tools in the system binary directories (such as /bin) are as inaccessible as the files in /etc. The FTP server relies on a few system tools, notably /bin/ls and /bin/date, to generate file listings to send to the client. These tools have to be available to anonymous users, too; that's what the /var/ftp/bin directory is for.

The /var/ftp tree contains the following files and directories. Any anonymous user can see these files, but none of them are inherently "dangerous" for users to see (the /var/ftp/etc files don't contain any passwords, for example):

  • /var/ftp/bin This directory contains ls and date executables. These are provided because they're necessary for the FTP server to be able to generate directory listings, and the system /bin/ls and /bin/date programs are not available if you've configured the server to chroot or have limited the anonymous FTP user's access to within /var/ftp. (This is the default behavior.)

  • /var/ftp/etc/passwd and /var/ftp/etc/group As with the tools in /var/ftp/bin, these are copies of the default (skeleton) /etc/passwd and /etc/group files, whose purpose is to provide file ownership mappings during directory listings. Because anonymous FTP access is limited to what's in /var/ftp, these files must exist in order to show who owns the various files in /var/ftp. Typically, any files in the public FTP area will be owned by root or another system account because they will be put there by you, as the administrator. Other usernames, because they don't exist in /var/ftp/etc/passwd, will not be mapped and will appear to FTP users as raw UIDs for files owned by them.

  • /var/ftp/etc/ftpmotd Operates the same way as /etc/ftpmotd, except that this one is displayed to anonymous FTP users instead of regular login users. From their perspective (with the chroot making /var/ftp appear to be / to them), this is /etc/ftpmotd.

  • /var/ftp/pub Visible to anonymous FTP users as /pub, this is where all downloadable files should go. The hierarchy under /pub is up to you to determine, but convention says at least that /pub should contain everything that's meant to be of interest to the public.

  • /var/ftp/incoming This optional directory has world-writable permissions with the "sticky bit" set (1777). This means that any anonymous user can upload files into this directory. This can be dangerous; having an open upload directory is an invitation for people to use it as a trading point for MP3 files and pirated software. Use this option only if you really need to, and if your situation is one where you can trust people not to abuse the uploading system (such as in a lab environment). Otherwise, you should remove this directory entirely just to be safe.
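The points made about the tree above (ls and date must exist under bin, the etc/passwd copy must carry no password hashes, and incoming, if present at all, must be exactly mode 1777) can be checked mechanically. The script below is an added example, not the book's or FreeBSD's own code; it takes the tree root as an argument (/var/ftp on a real system) and exercises itself on a tree constructed in a temporary directory, with tiny shell scripts standing in for the ls and date binaries.

```sh
#!/bin/sh
# Added example, not from the book: sanity-check an anonymous FTP chroot tree
# laid out as described above. The tree path is an argument (/var/ftp on a real
# system); the sample tree below is constructed in a temporary directory.

# Prints one line per problem and returns the number of problems found.
audit_ftp_tree() {
    root=$1
    problems=0
    # ls and date must be present and executable or listings fail inside the chroot
    for tool in ls date; do
        if [ ! -x "$root/bin/$tool" ]; then
            echo "PROBLEM: $root/bin/$tool missing or not executable"
            problems=$((problems + 1))
        fi
    done
    # etc/passwd exists only for UID-to-name mapping; every password field must be "*"
    if [ -f "$root/etc/passwd" ]; then
        if awk -F: '$2 != "*" { bad = 1 } END { exit !bad }' "$root/etc/passwd"; then
            echo "PROBLEM: $root/etc/passwd carries a password field other than *"
            problems=$((problems + 1))
        fi
    else
        echo "PROBLEM: $root/etc/passwd missing; owners will show as raw UIDs"
        problems=$((problems + 1))
    fi
    # An upload directory is optional; if it exists it must be exactly 1777 (drwxrwxrwt)
    if [ -d "$root/incoming" ]; then
        mode=$(ls -ld "$root/incoming" | cut -c1-10)
        if [ "$mode" != "drwxrwxrwt" ]; then
            echo "PROBLEM: $root/incoming is $mode, expected drwxrwxrwt (1777)"
            problems=$((problems + 1))
        fi
        echo "NOTE: $root/incoming exists, so anonymous uploads are enabled"
    fi
    return "$problems"
}

# Constructed sample tree; on a real system you would point the function at /var/ftp.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/bin" "$DEMO/etc" "$DEMO/pub" "$DEMO/incoming"
# stand-ins for the ls and date binaries (on a real system copy them from /bin)
for tool in ls date; do
    printf '#!/bin/sh\nexit 0\n' > "$DEMO/bin/$tool"
    chmod 755 "$DEMO/bin/$tool"
done
# constructed skeleton passwd: locked entries, no hashes
printf 'root:*:0:0:Charlie &:/root:/bin/csh\nftp:*:14:5:Anonymous FTP Admin:/var/ftp:/usr/sbin/nologin\n' \
    > "$DEMO/etc/passwd"
chmod 1777 "$DEMO/incoming"

if audit_ftp_tree "$DEMO"; then echo "tree OK"; fi
```

The mode check reads the permission string from ls -ld rather than a stat flag because the stat options differ between FreeBSD and other systems; the first ten characters are the same everywhere. The NOTE line for incoming is printed even when the mode is right, since the existence of the directory is itself the decision the text asks you to make deliberately.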

One final configuration file that concerns the FTP server is /etc/inetd.conf. As mentioned earlier, ftpd runs as a subsidiary to the inetd super-server, and as such it won't work if inetd isn't running. First, use ps to check whether the daemon is running, using the w (wide format), a (all users' processes), u (user-oriented fields shown), and x (processes that aren't necessarily attached to terminals) options:

# ps -waux | grep inetd
root    1640  0.0  0.6  1048  780  ??  Ss   Thu08PM   0:00.15 inetd -Ww


If you don't see the inetd process running, it might never have been enabled in /etc/rc.conf, such as during the initial installation of the system in Chapter 2, "Installing FreeBSD," or you might have disabled it. Check that file for the inetd_enable line and make sure it is present and set to YES. Second, open up /etc/inetd.conf and make sure the ftpd service is enabled:

ftp    stream  tcp     nowait   root     /usr/libexec/ftpd   ftpd -l


If this line is commented out, uncomment it, and then start or restart inetd (using the command /etc/rc.d/inetd restart). Check your configuration by trying to connect to the server (ftp localhost). If you are presented with a login prompt, you're in business. If not, look over the preceding steps again; check to make sure the inetd process is running after your modifications.
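The two file checks in the procedure above (inetd_enable in /etc/rc.conf, and an uncommented ftp line in /etc/inetd.conf) are easy to get subtly wrong, for example by uncommenting only the tcp6 entry or leaving inetd_enable="NO" further down the file. The script below is an added example, not the book's own code: it takes the two file paths as arguments, runs against constructed sample files, and checks configuration only; whether inetd is actually running is still the ps check from the text.

```sh
#!/bin/sh
# Added example, not from the book: check the two config files the procedure
# above inspects, /etc/rc.conf (inetd_enable) and /etc/inetd.conf (the ftp
# entry). File paths are arguments; the sample files are constructed below.
# This checks configuration only, not whether inetd is currently running.

# True if the last inetd_enable= line in the rc.conf file says YES.
rc_inetd_enabled() {
    val=$(sed -n 's/^[[:space:]]*inetd_enable=//p' "$1" | tail -n 1 \
          | sed 's/[[:space:]]*#.*$//' | tr -d "\"' ")
    case $val in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# True if inetd.conf has an active (uncommented) ftp entry over tcp or tcp6.
inetd_ftp_enabled() {
    awk '$0 !~ /^[[:space:]]*#/ && $1 == "ftp" && $3 ~ /^tcp/ { found = 1 }
         END { exit !found }' "$1"
}

# Combined check; prints what is wrong and returns 0 only when both pass.
ftpd_via_inetd_ready() {
    ok=0
    rc_inetd_enabled "$1"  || { echo "inetd_enable is not YES in $1"; ok=1; }
    inetd_ftp_enabled "$2" || { echo "no active ftp entry in $2"; ok=1; }
    return "$ok"
}

# Constructed sample files standing in for /etc/rc.conf and /etc/inetd.conf.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/rc.conf" <<'EOF'
hostname="ftp.example.com"
inetd_enable="YES"   # needed for ftpd
EOF
cat > "$WORK/inetd.conf" <<'EOF'
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd   telnetd
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd      ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd      ftpd -l
EOF

ftpd_via_inetd_ready "$WORK/rc.conf" "$WORK/inetd.conf" && echo "ftpd via inetd: configured"
```

Because rc.conf is itself a shell fragment, the last assignment wins, which is why the check reads the last inetd_enable line rather than the first. After the check passes, the remaining steps are as the text says: restart inetd and confirm with ftp localhost that a login prompt appears.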




FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann