Configuring WU-FTP with Real Users

The information in this and the previous section is based on the WU-FTP server package, which must now be loaded from a third-party site such as those described earlier. We ve already described how to enable anonymous user access. In this section, you ll learn about the configuration files associated with WU-FTP and how to apply them to regular users on your system.

Configuration Files

Several configuration files are associated with the WU-FTP package, all in the /etc directory: ftpaccess , ftpconversions , ftpgroups , ftphosts , and ftpusers .

Of these files, ftpusers is now obsolete and ftpgroups is rarely used; the functionality of these files is now part of ftpaccess . In this section, we describe the other configuration files in detail.

Alternate examples of each of these configuration files are available in the WU-FTP documentation, in the /usr/share/doc/wu- ftpd - versionnumber /examples directory.

/etc/ftpaccess

We examined a couple of characteristics of the default /etc/ftpaccess file earlier in this chapter. Now it is time to examine this file line by line. The first lines take the functionality of /etc/ftpusers :

 deny-uid %-99 %65534- deny-gid %-99 %65534- allow-uid ftp allow-uid ftp 

These lines deny access to User and Group IDs less than 99 and greater than 65534, except user ftp. If you examine your /etc/passwd and /etc/group files, you ll see that these ID numbers are associated with administrative accounts. You can limit access to all users except ftp with a simple change:

 deny-uid * deny-gid * allow-uid ftp allow-uid ftp 

The following line sets up the chroot jail. All users are classified as guest users, and they re limited to their home directories. For example, if user mj logs in, he is sent to /home/mj :

 guestuser * 

We discussed the next line in the previous section ; user mj isn t allowed to navigate to the /home or root ( / ) directory unless the following line is activated:

 # realuser user1,user2 

Remember, the hashmark ( # ) makes Linux ignore the information that follows ; if you remove the # , user1 and user2 gain full user privileges on that FTP server. The following line can be used to limit the users on the realuser list. For example, if the previous line was realuser * , you can add the ftpchroot group to /etc/group . Members of the ftpchroot group would not be allowed to navigate above their respective home directories:

 # guestgroup ftpchroot 
Note  

The management of user and group configuration files such as /etc/passwd and /etc/group is discussed in Chapter 09 .

As described earlier, the first line that follows allows access from real, guest, and anonymous users. The next line, if active, limits access to real users who log in from the 192.168.0.0/24 network. Anonymous access is not allowed; users need to enter their passwords. One obvious drawback is that real user passwords are sent over your LAN in clear text:

 class    all    real,guest,anonymous    * # class    all    real    192.168.0.0/24 

If you comment out the previous guestuser * line, you can substitute real for guest :

 class    all    guest   192.168.0.0/24 

If you re the administrator for your server, you ll want to substitute your e-mail address here:

 email root@localhost 

The following command limits the number of attempted logins. In this case, after five login attempts this FTP server closes the connection:

 loginfails 5 

In the Linux and Unix worlds , README* files are commonly used for instructions or to supply more information about the packages contained in a specific directory. The following lines return a Please read the file README message whenever a user logs into and changes to a directory with a README file:

 readme    README*    login readme    README*    cwd=* 

As the administrator of the FTP server, you may want to send other messages to your users. The following lines allow you to add a welcome message to the welcome.msg file in the opening directory. You can also add .message files to send additional messages to users who use the cd command to navigate to those directories:

 message    /welcome.msg    login message    .message        cwd=* 

You can see what happens when I added a README file to the /var/ftp directory as well as information to various message files in Figure 27.6.

click to expand
Figure 27.6: FTP login messages

It s useful to store packages in compressed format on an FTP server. The following commands allow users who access such packages to have them uncompressed or unpackaged automatically, per the commands in /etc/ftpconversions , which is described in a later section, " /etc/ftpconversions ":

 compress    yes     all tar         yes     all 

You ll recognize the following commands from an earlier section. If you keep the guestuser * line, with slight modifications to /etc/ftpaccess (shown in bold), you can prevent all users from using these commands.

 chmod      no    guest,anonymous delete     no  guest,  anonymous overwrite  no  guest,  anonymous rename     no  guest,  anonymous 

While logins to the FTP server are normally stored in /var/log/messages , file transfers to and from the server are logged to /var/log/xferlog :

 log transfers anonymous,guest,real inbound,outbound 

If you run the ftpshut command, it creates a temporary /etc/shutmsg file. This command refuses additional logins if a shutdown of the FTP server is imminent:

 shutdown /etc/shutmsg 

Anonymous users are supposed to enter their e-mail address as the password. If they do, you can see their password in /var/log/messages . The following command sends a warning to users who connect to the FTP server without entering an e-mail address in proper format. As configured, users are still logged onto the server even with an invalid e-mail address.

 passwd-check rfc822 warn 

Limits in /etc/ftpaccess

If you re running an FTP server on the Internet, you may want to limit the number of simultaneous users connected to your server. This can help ration the speed at which your users can download their files. One simple way to create a limit in /etc/ftpacess is with the limit command. For example, the following command prevents more than 20 users from signing on to your FTP server at any one time. The warning.msg file is sent to users who try to log in when the limit is reached:

 limit    all    20    Any     warning.msg 

Perhaps you just want to limit access to users during the day (8 a.m. “5 p.m. ), when your server may be busy with other tasks :

 limit    all    20    Wk0800-1700    warning.msg 

The syntax of time in this command is based on the UUCP remote host description file. The easiest way to find this file is by searching for l.sys in your favorite search engine.

Tip  

I like to search the newsgroups for answers to common Linux problems. Remember, Linux is under constant development by a worldwide community of users and developers; they often discuss their Linux issues through newsgroups and many other forums. It s easy to search through the newsgroups via groups.google.com .

You can also limit the amount of data that a user can download from your FTP server. For example, the following command limits the amount of downloadable files to 100MB:

 byte-limit    out    100000000    all 

Alternatives to out (downloads) are in (uploads) and total (both directions).

/etc/ftpconversions

The /etc/ftpconversions file, shown in Figure 27.7, allows you to run selected commands during the upload or download process. For example, if you have a compressed file of pictures named pictures.gz on your FTP server, the third line in /etc/ftpconversions lets you download and uncompress the pictures directly with the following command at the ftp > prompt:

 ftp> get pictures 
click to expand
Figure 27.7: /etc/ ftpconversions      

Note how the .gz is left out of the request. The FTP server automatically refers to /etc/ ftpconversions for the needed command.

/etc/ftphosts

The /etc/ftphosts file looks conceptually similar to the /etc/ hosts .allow and /etc/hosts.deny files associated with xinetd services (see Chapter 23 ). You can allow and deny access to the FTP server from specific users. However, the functionality isn t quite what you might expect.

For example, the following line allows FTP access only from user hdean from the computer with the given IP address. No other users and no other computers are allowed access to this FTP server. You can substitute the FQDN for the IP address.

 allow    hdean     192.168.0.32 

Alternatively, the following line denies access to user glocke only from the noted computer:

 deny    glocke     linux.example.com 

Commands

FTP server commands let you regulate when FTP servers are active, and allow you to view a list of currently connected users. For example, the following command warns users at their next command that the FTP server will shut down in 15 minutes, or at 3:30 p.m. :

 ftpshut +15 "The FTP Server will close in 15 minutes" ftpshut 1530 "The FTP server will stop at 3:30 PM" 

You can set this up as a cron script, as discussed in Chapter 13 . This allows you to shut down the FTP server on a regular basis. Other FTP server “ related commands are listed in Table 27.4.

Table 27.4: FTP Server Commands

Command

Description

ftpwho

Lists connected users and origin IP addresses

ftpcount

Lists number of connections

ftpshut

Allows you to shut down an FTP server now or at a specified time

ftprestart

Stops and restarts an FTP server

Anonymous Uploads

By default, anonymous users aren t allowed to write to any of the /var/ftp directories. In some cases, you may want to allow users to supply their files in a directory such as /var/ftp/pub .

To allow uploads, you ll need to modify the /etc/ftpaccess file and the permissions on the appropriate directory. For example, the following line allows uploads to the /var/ftp/letter directory:

 upload    /var/ftp    /letter   yes   cindy   ywow    0660 

On the FTP server, these files are owned by user cindy, group ywow, with 660 permissions that allow the user cindy and members of the ywow group to read and write to uploaded files.

You ll also need proper permissions on the upload directory. To write a file to a directory, you need at least write and execute permissions. In this case, the chmod 733 /var/ftp/letter command would meet these minimum requirements. Of course, if you want regular users on the server to read the files in that directory, you can provide less restrictive permissions with a command such as chmod 733 /var/ftp/letter . For more information on permissions, see Chapter 06 .

 


Mastering Red Hat Linux 9
Building Tablet PC Applications (Pro-Developer)
ISBN: 078214179X
EAN: 2147483647
Year: 2005
Pages: 220

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net