Project 94. Configure the FTP Service

"How do I configure my FTP server?"

This project shows you how to enable and configure the FTP (File Transfer Protocol) server that is part of a standard Mac OS X install. It describes how to enable the server, open the necessary firewall ports, and configure it to be a little more secure. It assumes that you are familiar with the concept of FTP and can use an FTP client. Bear in mind that FTP itself provides no encryption: user names, passwords, and file contents all travel over the network in clear text, so the hardening in this project limits what an authenticated user can reach, not what an eavesdropper can see.

Enable FTP

Mac OS X provides both an FTP server and an FTP client. FTP is not a service most people need to run, so the server is disabled by default. It is easily enabled; once enabled, the FTP server is launched on demand when a client connects.

It's easy to start the FTP server from System Preferences: select the Sharing pane, click the Services tab, and check FTP Access. This enables the FTP server and opens port 21 in the firewall. (In systems before Mac OS X 10.4 [Tiger], other ports are opened too.) Unfortunately, Apple's firewall rules don't open all the ports necessary for the FTP server to support passive FTP (discussed in "Active and Passive FTP" later in this project), so we must open those ports manually. After enabling FTP Access, click the Firewall tab and then the New button. In the resulting drop-down sheet, choose Other from the Port Name menu, enter 1024-65535 in the TCP Port Number(s) box, and add a description such as FTP Passive. The new rule is checked automatically, meaning that our newly enabled server can accept connections from an FTP client in passive mode. No ports need be opened on the client.

Test the server by connecting to it from another machine. Use the hostname or IP address of the server, and type a command such as

    $ ftp myhostname

You must have a Unix account on the server to connect to the FTP server. System Preferences doesn't provide a mechanism to configure the FTP server. That's unfortunate, because the server can be configured in many ways, not least to increase security.
However, as you might have guessed, we can configure FTP from the Unix command line.
Active and Passive FTP

To run an FTP server, we must open port 21. A client connects to this port to send control information (commands such as ls and get). We can choose to support active connections, passive connections, or both. Active and passive modes use different ports for transferring data (such as the file fetched by a get command or the listing produced by an ls command). To support passive mode, we must open additional ports in the server's firewall.

Active mode operates as follows. Data is sent over a connection established by the server: it moves from port 20 on the server to a high-numbered port (1024 or above) on the client. The client must therefore open ports 1024 through 65535, accepting only connections that originate from port 20.

Passive mode is preferred because it does not involve opening ports on the client. It operates as follows. Data is sent over a connection established by the client: it moves between a high-numbered port on the client and a high-numbered port on the server. The server must open ports 1024 through 65535 (or the narrower range chosen under "Reduce Open Ports" later in this project), accepting connections from any high-numbered client port.

Summary of open ports necessary for Active mode:

    Server: TCP port 21, inbound (control connection).
    Client: TCP ports 1024-65535, inbound, from source port 20 only (data connection).

Summary of open ports necessary for Passive mode:

    Server: TCP port 21, inbound (control connection); TCP ports 1024-65535, inbound, from any client port (data connection).
    Client: none.
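The port arithmetic behind the two modes is easy to get wrong, so here is an added example (not code from the book) that works through both sides of the data-channel negotiation. It decodes the server's 227 reply in passive mode, builds the client's PORT command in active mode, and encodes the firewall rules described above as predicates you can test. Two things are assumptions of the example rather than statements from the book: the passive reply follows the RFC 959 form "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", and the server is taken to advertise the range 40000-40999 that the "Reduce Open Ports" section settles on. The extra check that the advertised address equals the address of the control connection is the example's own; it rejects a server that tries to point the client at a third host.

```python
"""Added example: FTP data-channel negotiation in active and passive mode.

Not part of the book. The PASV reply format is the RFC 959 one; the
passive port range is assumed to be 40000-40999 (see 'portrange' later).
"""
import re
from ipaddress import ip_address

# Passive-mode range the example server is assumed to advertise.
PASV_PORT_RANGE = (40000, 40999)
EPHEMERAL_MIN = 1024          # lowest port either side uses for data
ACTIVE_DATA_SRC_PORT = 20     # server's source port in active mode
CONTROL_PORT = 21             # port every client connects to first

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> tuple:
    """Decode a 227 reply into (host, port); the port is p1 * 256 + p2."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv_target(reply: str, control_host: str,
                      allowed=PASV_PORT_RANGE) -> tuple:
    """Client-side checks before opening the passive data connection.

    1. The advertised address must be the one the control connection
       went to; otherwise the server is steering us at another host.
    2. The advertised port must fall inside the range the server's
       firewall was opened for, or the connection will simply hang.
    """
    host, port = parse_pasv_reply(reply)
    if ip_address(host) != ip_address(control_host):
        raise ValueError("PASV address %s differs from control address %s"
                         % (host, control_host))
    lo, hi = allowed
    if not lo <= port <= hi:
        raise ValueError("PASV port %d outside firewall range %d-%d"
                         % (port, lo, hi))
    return host, port


def build_port_command(client_ip: str, client_port: int) -> str:
    """Active mode: the client listens on client_port and tells the
    server where to connect, in the same h1,h2,h3,h4,p1,p2 encoding."""
    if not EPHEMERAL_MIN <= client_port <= 65535:
        raise ValueError("active-mode data port must be 1024-65535")
    octets = str(ip_address(client_ip)).split(".")
    return "PORT " + ",".join(octets + [str(client_port // 256),
                                        str(client_port % 256)])


def client_active_rule_allows(src_port: int, dst_port: int) -> bool:
    """Inbound rule needed on the CLIENT for active mode: accept data
    connections to 1024-65535 only when they come from server port 20."""
    return (src_port == ACTIVE_DATA_SRC_PORT
            and EPHEMERAL_MIN <= dst_port <= 65535)


def server_passive_rule_allows(dst_port: int,
                               allowed=PASV_PORT_RANGE) -> bool:
    """Inbound rule needed on the SERVER for passive mode: the control
    port plus the advertised data range, from any client port."""
    lo, hi = allowed
    return dst_port == CONTROL_PORT or lo <= dst_port <= hi


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,10,156,64)"   # constructed
    print(check_pasv_target(reply, "192.168.1.10"))
    print(build_port_command("192.168.1.20", 50000))
```

Run against a real server, the same checks belong in any FTP client or proxy: a passive reply naming a port outside 40000-40999 means the firewall rule and the portrange directive have drifted apart, and a reply naming a foreign address should never be followed.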
Enable FTP from Unix

Let's enable FTP and add the necessary firewall rules to allow clients to connect to our server in passive mode. What we'll do is the command-line equivalent of checking FTP Access in System Preferences and adding the new firewall rule; therefore, reverse the steps we took earlier in the project so that we start from a clean sheet.
Enabling and configuring FTP, and configuring the firewall, require root permissions. For the remainder of this project, we'll assume the status of the root user by issuing the command

    $ sudo -s
    Password:
    #
The FTP server itself is launched on demand by Apple's launchd. To enable a service, we use the launchctl command, specifying the subcommand load to load the configuration file for that service and the option -w to remove the Disabled key and write the altered configuration file back to disk.
Type the following command.

    # launchctl load -w /System/Library/LaunchDaemons/ftp.plist

launchd was introduced in Mac OS X 10.4 (Tiger). For versions before Tiger, you must enable FTP by changing the configuration of xinetd. Edit the file /etc/xinetd.d/ftp, and change the line

    disable = yes

to

    disable = no

Restart xinetd so that it rereads the changed configuration by typing

    # kill -HUP $(cat /var/run/xinetd.pid)

Next, we'll configure the firewall by adding rules to open the ports described in "Active and Passive FTP" earlier in this project.

Note: It's better to configure the firewall from System Preferences, because after you've tampered with its settings from the command line, System Preferences disowns the firewall, and you'll have to maintain it by hand (until you reboot). If you still want to configure the firewall from the command line, type the following.

    # ipfw add 3000 allow tcp from any to any dst-port 21 in
    # ipfw add 3010 allow tcp from any to any dst-port 1024-65535 in
    # ipfw show

The rule numbers (3000 and 3010) shown here must not clash with any already in use; check the output of ipfw show first. Be aware that the second rule admits inbound connections to every high-numbered port, so any other service listening above port 1023 becomes reachable as well; "Reduce Open Ports" later in this project narrows it. To delete a rule such as 3000, type

    # ipfw delete 3000
Test the FTP server from another machine, which need not have any ports open and which should connect using the default passive mode. Specify the hostname or IP address of the server, and type a command such as

    $ ftp myhostname

Configure FTP

Let's look at an example FTP configuration. First, display the file /etc/ftpusers. As installed by default on Mac OS X, this file lists the users who are not allowed to connect via FTP. We can improve on this blacklist policy with a white-list policy in which we list all users who are allowed to connect via FTP and then deny all others. Here's our new white-list ftpusers.

    # cat /etc/ftpusers
    # all admin users are set to class 'free'
    *:admin allow free
    # other accounts that can ftp are set to class 'restricted'
    loraine allow restricted
    jan allow restricted
    # all other users are denied ftp access
    * deny
Lines that start with a hash (#) symbol are comments and are ignored by the FTP server. The first (proper) line says to allow all (represented by *) administrator users (those belonging to the group admin) to connect. The next lines allow the users loraine and jan (who are not administrators) to connect. The last line denies all users not otherwise mentioned; it must come after the allow entries, not before them.

You'll notice the free and restricted tags attached to user entries. They are classes, used by the FTP server to define the capabilities and restrictions applied to the associated users. By using classes, we avoid repeating ourselves for every user. We define classes (among other things) in the file /etc/ftpd.conf. Let's create such a file to define the two classes we have just assumed. It should look like this.

    # cat /etc/ftpd.conf
    # users of class 'free' (see /etc/ftpusers) chroot to /
    # with their ftp home directory set to their login home
    chroot free /
    homedir free %d
    # users of class 'restricted' chroot to their home directory
    # with their ftp home directory set to their new root
    # (ie their login home)
    chroot restricted %d
    homedir restricted /

The first two configuration commands specify that members of the class free have access to the entire file system, from the root directory down (chroot free /), and that their FTP home directory is the same as their Unix account home directory (homedir free %d). This setup is no different from the usual (and unrestricted) configuration any FTP connection would enjoy. (The FTP home directory is the directory in which a user is placed when she connects; it need not be the same as her Unix account home directory.)

We'd like to give nonadministrative users a little less freedom by restricting their view of the file system to their Unix account home directory. We do this with the configuration line chroot restricted %d. Such users cannot move outside their home directory; consequently, the FTP command

    ftp> cd /
takes them to their home directory. The next configuration line, homedir restricted /, sets these users' FTP home directory to be the file-system root as those users now see it: their Unix account home directory.

Finally, we must specify that all users be subject to chrooting (be jailed) according to the chroot configuration applied to their class. To do this, we must list all users in the file /etc/ftpchroot or, better, use star (*) to mean all users.

    # cat /etc/ftpchroot
    # all users are chrooted (see /etc/ftpd.conf)
    # according to their class (see /etc/ftpusers)
    *

Reduce Open Ports

When we configured the firewall, it was necessary to open all high-numbered ports on the server. In passive FTP, the server tells the client which port to connect to when opening the data channel. The server normally chooses a port in the range 1024 to 65535, but by limiting this range we also limit the number of ports that must be open in the firewall. Add the following lines to the file ftpd.conf.

    # set port range for passive for all classes
    portrange all 40000 40999

Now we need open only ports 40000 to 40999, which we do by deleting the original firewall rule and reissuing it with the reduced port range.

    # ipfw delete 3010
    # ipfw add 3010 allow tcp from any to any dst-port 40000-40999 in
Change the Default umask

If you find the permissions of FTP-created files too restrictive, and different from those you would normally expect to see, set FTP's umask to match the permissions a normal Unix account gets. Add the following lines to the file ftpd.conf.

    # change the umask from the FTP default 027 for all users
    umask all 022

Note the trade-off: with the default 027, files uploaded via FTP are not readable by users outside the owner's group; with 022 they become world-readable, so relax the umask only if that is what you want.
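To see what the three files together actually grant a given account, here is an added example (not code from the book) that evaluates the /etc/ftpusers, /etc/ftpd.conf and /etc/ftpchroot contents shown in this project, including the portrange and umask directives, and reports the class, jail, starting directory, passive range and resulting file mode for a user. The book does not spell out the matching rules, so the example assumes the following, which you should confirm against your server's ftpusers(5) and ftpd.conf(5) manual pages: entries in ftpusers are consulted from the top and the first match decides; a "userglob:groupglob" entry matches when the user name matches the first glob and any of the user's groups matches the second; in ftpd.conf a directive for a named class overrides the same directive for all, and a later line overrides an earlier one; and %d expands to the account's home directory. The accounts (alice, jan, bob, their groups and home directories) are made up for the example.

```python
"""Added example: what the ftpusers / ftpd.conf / ftpchroot files from
this project grant a given account. Not part of the book; the matching
rules listed in the docstrings are assumptions to verify against the
manual pages of your FTP server.
"""
from fnmatch import fnmatchcase

# The files as written in this project (comments kept for fidelity).
FTPUSERS = """\
# all admin users are set to class 'free'
*:admin allow free
# other accounts that can ftp are set to class 'restricted'
loraine allow restricted
jan allow restricted
# all other users are denied ftp access
* deny
"""

FTPD_CONF = """\
chroot free /
homedir free %d
chroot restricted %d
homedir restricted /
# set port range for passive for all classes
portrange all 40000 40999
# change the umask from the FTP default 027 for all users
umask all 022
"""

FTPCHROOT = "*\n"


def _lines(text):
    """Yield the fields of each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def lookup_ftpusers(user, groups, text=FTPUSERS):
    """First matching entry wins (assumption). Returns (allowed, class)."""
    for fields in _lines(text):
        pattern = fields[0]
        action = fields[1] if len(fields) > 1 else "allow"
        cls = fields[2] if len(fields) > 2 else None
        userglob, _, groupglob = pattern.partition(":")
        if not fnmatchcase(user, userglob):
            continue
        if groupglob and not any(fnmatchcase(g, groupglob) for g in groups):
            continue
        return action == "allow", cls
    # Nothing matched. Treated as denied here; the file above always ends
    # in '* deny', so this branch is not reached with it.
    return False, None


def class_settings(cls, home, text=FTPD_CONF):
    """Collect the directives for a class. 'all' is read first so that a
    class-specific line overrides it (assumption); %d becomes home."""
    settings = {"chroot": None, "homedir": None,
                "portrange": None, "umask": None}
    for target in ("all", cls):
        for fields in _lines(text):
            directive, scope, args = fields[0], fields[1], fields[2:]
            if scope != target:
                continue
            if directive in ("chroot", "homedir"):
                settings[directive] = args[0].replace("%d", home)
            elif directive == "portrange":
                settings["portrange"] = (int(args[0]), int(args[1]))
            elif directive == "umask":
                settings["umask"] = int(args[0], 8)
    return settings


def is_chrooted(user, text=FTPCHROOT):
    """A user is jailed if any glob in ftpchroot matches the name."""
    return any(fnmatchcase(user, fields[0]) for fields in _lines(text))


def ftp_access(user, groups, home):
    """Summarise what the server grants this account."""
    allowed, cls = lookup_ftpusers(user, groups)
    if not allowed:
        return {"allowed": False}
    s = class_settings(cls, home)
    umask = s["umask"]
    return {
        "allowed": True,
        "class": cls,
        "chroot": s["chroot"] if is_chrooted(user) else None,
        "homedir": s["homedir"],
        "portrange": s["portrange"],
        "umask": umask,
        # mode of a newly uploaded file: 0666 with the umask bits cleared
        "file_mode": (0o666 & ~umask & 0o777) if umask is not None else None,
    }


if __name__ == "__main__":
    # Made-up accounts for the example.
    for user, groups, home in (("alice", ["staff", "admin"], "/Users/alice"),
                               ("jan", ["staff"], "/Users/jan"),
                               ("bob", ["staff"], "/Users/bob")):
        print(user, ftp_access(user, groups, home))
```

Running it shows the intended split: alice (an admin) is class free, jailed to / and started in /Users/alice; jan is class restricted, jailed to /Users/jan and started at / of that jail; bob matches only the final "* deny" and cannot log in at all. The file_mode value is the octal 644 that the umask section above produces.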
Check the Log Files

The FTP daemon writes information to a log file. This information is useful for monitoring who has connected to your server, and who has tried and failed. You'll find the log entries in the file /var/log/ftp.log. View them as they arrive with the tail command by typing

    $ tail -f /var/log/ftp.log
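Watching the log scroll by is fine for a quick look, but a small script turns it into a check you can run regularly. The following is an added example (not from the book) that reads log lines, tallies failed logins per source, and flags sources that either fail repeatedly or cycle through several account names. The sample lines are constructed for the example, modelled on the "FTP LOGIN FROM host as user" and "FTP LOGIN FAILED FROM host, user" messages that the BSD-derived ftpd emits; the exact wording in your /var/log/ftp.log may differ (the server may also log hostnames rather than addresses), so compare a few real lines with the two regular expressions and adjust them before relying on the output.

```python
"""Added example: summarise FTP login activity from ftp.log lines.

Not part of the book. The log format below is an assumption modelled on
BSD ftpd's syslog messages; the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/ftp.log (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:02 mymac ftpd[512]: FTP LOGIN FROM 192.168.1.20 as jan
Mar  3 10:16:40 mymac ftpd[518]: FTP LOGIN FAILED FROM 203.0.113.7, root
Mar  3 10:16:42 mymac ftpd[519]: FTP LOGIN FAILED FROM 203.0.113.7, admin
Mar  3 10:16:44 mymac ftpd[520]: FTP LOGIN FAILED FROM 203.0.113.7, jan
Mar  3 10:16:47 mymac ftpd[521]: FTP LOGIN FAILED FROM 203.0.113.7, loraine
Mar  3 10:20:05 mymac ftpd[530]: FTP LOGIN FROM 192.168.1.21 as loraine
Mar  3 10:21:11 mymac ftpd[533]: FTP LOGIN FAILED FROM 192.168.1.22, jan
"""

# Assumed message formats; \S+ accepts either an address or a hostname.
_FAILED = re.compile(r"FTP LOGIN FAILED FROM (\S+), (\S+)$")
_OK = re.compile(r"FTP LOGIN FROM (\S+) as (\S+)$")


def summarise(lines):
    """Return (failures per host, user names tried per host, logins)."""
    failures = Counter()
    tried = defaultdict(set)
    logins = []
    for line in lines:
        line = line.rstrip()
        m = _FAILED.search(line)
        if m:
            host, user = m.groups()
            failures[host] += 1
            tried[host].add(user)
            continue
        m = _OK.search(line)
        if m:
            host, user = m.groups()
            logins.append((user, host))
    return failures, tried, logins


def suspicious_sources(failures, tried, threshold=3):
    """Hosts that failed at least `threshold` times, or that tried more
    than one account name (a single typo does not look like that)."""
    return sorted(host for host, n in failures.items()
                  if n >= threshold or len(tried[host]) > 1)


def scan(text, threshold=3):
    """Convenience wrapper: one dict for a whole log text."""
    failures, tried, logins = summarise(text.splitlines())
    return {
        "failures": dict(failures),
        "suspicious": suspicious_sources(failures, tried, threshold),
        "logins": logins,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = scan(text)
    for user, host in report["logins"]:
        print("login  %-10s from %s" % (user, host))
    for host in report["suspicious"]:
        print("ALERT  %s: %d failed logins" % (host, report["failures"][host]))
```

Pass the real log as the first argument (python3 ftplog.py /var/log/ftp.log, as root if the file is not world-readable). In the sample, 203.0.113.7 is flagged for four failures across four names, while the single failure from 192.168.1.22 is left alone; an attempt against root is worth noticing even when it fails, since the default ftpusers denies that account outright.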