Setting Up Anonymous FTP

As you've seen, setting up the FTP server to allow real users to have FTP access is not difficult. Unfortunately, it suffers from the basic design vulnerability of transmitting the user's information in clear text. In some instances, you can reduce this risk by setting up an anonymous FTP server instead. Anonymous FTP servers allow users to connect, upload, and (potentially) download files without the use of a real-user user ID and password. Of course, this brings the risk that you will not know who is logging in to your system via the anonymous FTP service, and preventing unauthorized users from accessing the system is difficult if everyone is known only as "anonymous." But if anonymous users can't do anything damaging or see any data that's private while so connected, this might be a good trade-off for the security of not allowing real user connections and the problems this brings.

Anonymous FTP servers also are useful for enabling users with no account on your machine to acquire or provide information, such as to download product literature, or upload suggestions or possible modifications to a project on which you're working. In other words, anonymous FTP servers provide an easy cross-platform way to conveniently distribute or receive files.
Setting up the FTP server to allow anonymous FTP takes some work, however. Be warned that setting up anonymous FTP makes your machine vulnerable to more attacks. We recommend that you do not enable anonymous FTP unless you need it. However, we more strongly recommend against enabling unprotected FTP for real users.

Setting up anonymous FTP involves making an ftp user, whose home directory is where anonymous FTP users connect. Additionally, you copy the necessary system components to ftp's account so that users can run ls properly. When a user requests a list of files via the FTP ls command, the command that is actually executed is a server-side binary program kept in a special directory for the FTP server's use, the home directory of the ftp user. When the FTP server is chrooted, it can't access /bin/ls; therefore, placing a copy of ls and any other system components that the FTP server needs in its special directory is normally an important step.

However, starting with the Mac OS X 10.2 release, the system components don't seem to help for running ls. This isn't a problem with the default ftpd in 10.3 or 10.4. Because it's difficult to predict how a new release of either system software or FTP server software will change things, we include the steps for the system components to install in case Apple modifies Mac OS X so that it is not using an FTP server with its own ls. Steps 4 through 10 listed in the following pages include the instructions for copying the appropriate system components and can be skipped with the current default ftpd available.

To set up an anonymous FTP site, do the following:
If you decide to allow anonymous FTP, make sure that you regularly check the anonymous FTP area and your logs for any unusual activity. In addition, regularly check Apple's website for any updates to Mac OS X that include ftp updates. Security holes are regularly found in ftpd and regularly fixed.

For your convenience, here's a listing of our ftp user's home directory:

brezup:sage Users $ ls -lRaF ftp
total 0
dr-xr-xr-x 7 root admin 238 Jan 23 21:46 ./
drwxrwxr-t 9 root admin 306 Dec 28 17:36 ../
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 System/
dr-xr-xr-x 3 root admin 102 Dec 28 17:47 bin/
drwxr-x-wx 2 root admin 68 Dec 28 17:52 incoming/
drwxr-xr-x 3 root admin 102 Dec 28 18:03 pub/
dr-xr-xr-x 3 root admin 102 Dec 28 17:48 usr/

ftp/System:
total 0
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ./
dr-xr-xr-x 7 root admin 238 Dec 28 17:51 ../
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 Library/

ftp/System/Library:
total 0
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ./
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ../
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 Frameworks/

ftp/System/Library/Frameworks:
total 0
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ./
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ../
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 System.framework/

ftp/System/Library/Frameworks/System.framework:
total 0
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ./
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ../
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 Versions/

ftp/System/Library/Frameworks/System.framework/Versions:
total 0
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ./
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ../
dr-xr-xr-x 3 root admin 102 Dec 28 17:52 B/

ftp/System/Library/Frameworks/System.framework/Versions/B:
total 10312
dr-xr-xr-x 3 root admin 102 Dec 28 17:52 ./
dr-xr-xr-x 3 root admin 102 Dec 28 17:51 ../
-r-xr-xr-x 1 root admin 5278668 Dec 28 17:52 System*

ftp/bin:
total 72
dr-xr-xr-x 3 root admin 102 Dec 28 17:47 ./
dr-xr-xr-x 7 root admin 238 Dec 28 17:47 ../
-r-xr-xr-x 1 root admin 33112 Dec 28 17:47 ls*

ftp/incoming:
total 0
drwxr-x-wx 2 root admin 68 Dec 28 17:52 ./
dr-xr-xr-x 7 root admin 238 Dec 28 17:52 ../

ftp/pub:
total 8
drwxr-xr-x 3 root admin 102 Dec 28 18:03 ./
dr-xr-xr-x 7 root admin 238 Dec 28 18:03 ../

ftp/usr:
total 0
dr-xr-xr-x 3 root admin 102 Dec 28 17:48 ./
dr-xr-xr-x 7 root admin 238 Dec 28 17:48 ../
dr-xr-xr-x 4 root admin 136 Dec 28 17:50 lib/

ftp/usr/lib:
total 13072
dr-xr-xr-x 4 root admin 136 Dec 28 17:50 ./
dr-xr-xr-x 3 root admin 102 Dec 28 17:48 ../
-r-xr-xr-x 1 root admin 1412900 Dec 28 17:49 dyld*
-r-xr-xr-x 1 root admin 5278668 Dec 28 17:50 libSystem.B.dylib*

For additional thoughts on anonymous FTP configuration, you might want to check these websites:
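
The ownership and modes in the directory listing above can be re-checked mechanically as part of the regular review of the anonymous FTP area. The script below is an added example, not part of the original text: the function names and messages are its own, and the only values it relies on are the owner (root) and the mode strings for the ftp home, incoming and pub shown in the listing.

```shell
#!/bin/sh
# Audit an anonymous FTP home against the modes shown in the listing above.
# Usage: audit_anon_ftp FTP_HOME [OWNER]   (OWNER defaults to root)
# Function names and messages are this example's own, not from the book.

# Report a directory whose ls mode string differs from the expected one.
check_mode() {
    if [ ! -d "$1" ]; then
        echo "missing directory: $1"
        return
    fi
    # cut drops the ACL/xattr marker some systems append after the mode.
    actual=$(ls -ld "$1" | cut -c1-10)
    [ "$actual" = "$2" ] || echo "mode $actual, expected $2: $1"
}

# Print one finding per line; return 1 if there is any finding.
audit_anon_ftp() {
    root=${1%/}
    owner=${2:-root}
    findings=$(
        # Everything in the listing belongs to root, nothing to the ftp user,
        # so the account anonymous sessions run as owns none of the tree.
        find "$root" ! -user "$owner" -print | sed 's/^/wrong owner: /'

        # Modes of the three directories the listing treats specially.
        check_mode "$root" dr-xr-xr-x            # home: read-only
        check_mode "$root/incoming" drwxr-x-wx   # drop box: write, no listing
        check_mode "$root/pub" drwxr-xr-x        # downloads: root-writable only

        # Outside incoming, nothing may be writable by group or other.
        find "$root" -path "$root/incoming" -prune -o ! -type l \
            \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/writable by group or other: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Run the audit when the script is given a directory on the command line.
if [ $# -gt 0 ]; then
    audit_anon_ftp "$@"
fi
```

Files uploaded into incoming are not inspected by the last rule, so the drop box still needs the manual review the text recommends.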