The information in this and the previous section is based on the WU-FTP server package, which must now be loaded from a third-party site such as those described earlier. We ve already described how to enable anonymous user access. In this section, you ll learn about the configuration files associated with WU-FTP and how to apply them to regular users on your system.
Several configuration files are associated with the WU-FTP package, all in the /etc directory: ftpaccess , ftpconversions , ftpgroups , ftphosts , and ftpusers .
Of these files, ftpusers is now obsolete and ftpgroups is rarely used; the functionality of these files is now part of ftpaccess . In this section, we describe the other configuration files in detail.
Alternate examples of each of these configuration files are available in the WU-FTP documentation, in the /usr/share/doc/wu- ftpd - versionnumber /examples directory.
We examined a couple of characteristics of the default /etc/ftpaccess file earlier in this chapter. Now it is time to examine this file line by line. The first lines take the functionality of /etc/ftpusers :
deny-uid %-99 %65534- deny-gid %-99 %65534- allow-uid ftp allow-uid ftp
These lines deny access to User and Group IDs less than 99 and greater than 65534, except user ftp. If you examine your /etc/passwd and /etc/group files, you ll see that these ID numbers are associated with administrative accounts. You can limit access to all users except ftp with a simple change:
deny-uid * deny-gid * allow-uid ftp allow-uid ftp
The following line sets up the chroot jail. All users are classified as guest users, and they re limited to their home directories. For example, if user mj logs in, he is sent to /home/mj :
We discussed the next line in the previous section ; user mj isn t allowed to navigate to the /home or root ( / ) directory unless the following line is activated:
# realuser user1,user2
Remember, the hashmark ( # ) makes Linux ignore the information that follows ; if you remove the # , user1 and user2 gain full user privileges on that FTP server. The following line can be used to limit the users on the realuser list. For example, if the previous line was realuser * , you can add the ftpchroot group to /etc/group . Members of the ftpchroot group would not be allowed to navigate above their respective home directories:
# guestgroup ftpchroot
The management of user and group configuration files such as /etc/passwd and /etc/group is discussed in Chapter 09 .
As described earlier, the first line that follows allows access from real, guest, and anonymous users. The next line, if active, limits access to real users who log in from the 192.168.0.0/24 network. Anonymous access is not allowed; users need to enter their passwords. One obvious drawback is that real user passwords are sent over your LAN in clear text:
class all real,guest,anonymous * # class all real 192.168.0.0/24
If you comment out the previous guestuser * line, you can substitute real for guest :
class all guest 192.168.0.0/24
If you re the administrator for your server, you ll want to substitute your e-mail address here:
The following command limits the number of attempted logins. In this case, after five login attempts this FTP server closes the connection:
In the Linux and Unix worlds , README* files are commonly used for instructions or to supply more information about the packages contained in a specific directory. The following lines return a Please read the file README message whenever a user logs into and changes to a directory with a README file:
readme README* login readme README* cwd=*
As the administrator of the FTP server, you may want to send other messages to your users. The following lines allow you to add a welcome message to the welcome.msg file in the opening directory. You can also add .message files to send additional messages to users who use the cd command to navigate to those directories:
message /welcome.msg login message .message cwd=*
You can see what happens when I added a README file to the /var/ftp directory as well as information to various message files in Figure 27.6.
It s useful to store packages in compressed format on an FTP server. The following commands allow users who access such packages to have them uncompressed or unpackaged automatically, per the commands in /etc/ftpconversions , which is described in a later section, " /etc/ftpconversions ":
compress yes all tar yes all
You ll recognize the following commands from an earlier section. If you keep the guestuser * line, with slight modifications to /etc/ftpaccess (shown in bold), you can prevent all users from using these commands.
chmod no guest,anonymous delete no guest, anonymous overwrite no guest, anonymous rename no guest, anonymous
While logins to the FTP server are normally stored in /var/log/messages , file transfers to and from the server are logged to /var/log/xferlog :
log transfers anonymous,guest,real inbound,outbound
If you run the ftpshut command, it creates a temporary /etc/shutmsg file. This command refuses additional logins if a shutdown of the FTP server is imminent:
Anonymous users are supposed to enter their e-mail address as the password. If they do, you can see their password in /var/log/messages . The following command sends a warning to users who connect to the FTP server without entering an e-mail address in proper format. As configured, users are still logged onto the server even with an invalid e-mail address.
passwd-check rfc822 warn
If you re running an FTP server on the Internet, you may want to limit the number of simultaneous users connected to your server. This can help ration the speed at which your users can download their files. One simple way to create a limit in /etc/ftpacess is with the limit command. For example, the following command prevents more than 20 users from signing on to your FTP server at any one time. The warning.msg file is sent to users who try to log in when the limit is reached:
limit all 20 Any warning.msg
Perhaps you just want to limit access to users during the day (8 a.m. “5 p.m. ), when your server may be busy with other tasks :
limit all 20 Wk0800-1700 warning.msg
The syntax of time in this command is based on the UUCP remote host description file. The easiest way to find this file is by searching for l.sys in your favorite search engine.
I like to search the newsgroups for answers to common Linux problems. Remember, Linux is under constant development by a worldwide community of users and developers; they often discuss their Linux issues through newsgroups and many other forums. It s easy to search through the newsgroups via groups.google.com .
You can also limit the amount of data that a user can download from your FTP server. For example, the following command limits the amount of downloadable files to 100MB:
byte-limit out 100000000 all
Alternatives to out (downloads) are in (uploads) and total (both directions).
The /etc/ftpconversions file, shown in Figure 27.7, allows you to run selected commands during the upload or download process. For example, if you have a compressed file of pictures named pictures.gz on your FTP server, the third line in /etc/ftpconversions lets you download and uncompress the pictures directly with the following command at the ftp > prompt:
ftp> get pictures
Note how the .gz is left out of the request. The FTP server automatically refers to /etc/ ftpconversions for the needed command.
The /etc/ftphosts file looks conceptually similar to the /etc/ hosts .allow and /etc/hosts.deny files associated with xinetd services (see Chapter 23 ). You can allow and deny access to the FTP server from specific users. However, the functionality isn t quite what you might expect.
For example, the following line allows FTP access only from user hdean from the computer with the given IP address. No other users and no other computers are allowed access to this FTP server. You can substitute the FQDN for the IP address.
allow hdean 192.168.0.32
Alternatively, the following line denies access to user glocke only from the noted computer:
deny glocke linux.example.com
FTP server commands let you regulate when FTP servers are active, and allow you to view a list of currently connected users. For example, the following command warns users at their next command that the FTP server will shut down in 15 minutes, or at 3:30 p.m. :
ftpshut +15 "The FTP Server will close in 15 minutes" ftpshut 1530 "The FTP server will stop at 3:30 PM"
You can set this up as a cron script, as discussed in Chapter 13 . This allows you to shut down the FTP server on a regular basis. Other FTP server “ related commands are listed in Table 27.4.
Lists connected users and origin IP addresses
Lists number of connections
Allows you to shut down an FTP server now or at a specified time
Stops and restarts an FTP server
By default, anonymous users aren t allowed to write to any of the /var/ftp directories. In some cases, you may want to allow users to supply their files in a directory such as /var/ftp/pub .
To allow uploads, you ll need to modify the /etc/ftpaccess file and the permissions on the appropriate directory. For example, the following line allows uploads to the /var/ftp/letter directory:
upload /var/ftp /letter yes cindy ywow 0660
On the FTP server, these files are owned by user cindy, group ywow, with 660 permissions that allow the user cindy and members of the ywow group to read and write to uploaded files.
You ll also need proper permissions on the upload directory. To write a file to a directory, you need at least write and execute permissions. In this case, the chmod 733 /var/ftp/letter command would meet these minimum requirements. Of course, if you want regular users on the server to read the files in that directory, you can provide less restrictive permissions with a command such as chmod 733 /var/ftp/letter . For more information on permissions, see Chapter 06 .