One popular use for FTP servers is to provide anonymous FTP access. As noted earlier in this chapter, anonymous FTP servers partially overlap in function with Web servers, so you might prefer to use only a Web server. On the other hand, using only an anonymous FTP server, or even using both, might be worthwhile in some situations. For instance, you might want both anonymous file retrieval and username/password login file transfer on one system, but have no need for HTTP. Running both might make sense as a convenience to your users, some of whom might prefer or have readier access to just one type of client program.
Before setting up an anonymous FTP server, you should be aware of the special needs and security concerns that come with these servers. Indeed, these issues may be critical in your decision of whether to run an anonymous FTP server. Once you've made the decision, you'll need to dig into your FTP server's configuration files to set up the appropriate options to allow anonymous FTP access. You may also need to modify additional options on your system, such as directory permissions.
Special Needs of Anonymous Servers
The usual purpose of an anonymous FTP server is to deliver files from the server to the client. You might set up such a server to hold software, documentation files, and so on that you want to be publicly available. You can link to these files by specifying a URL in a Web page that begins with ftp:// , such as ftp://ftp.threeroomco.com/pub/manual.pdf . A couple of points in this description deserve special emphasis:
Because the FTP server runs in a chroot jail, you may need to copy some system configuration files into the chroot jail directory. Many FTP server packages for Linux already include appropriate copies of the critical system files. Some servers, including ProFTPd, are able to read some of their configuration files before locking themselves in the chroot jail, so the number of files that must be copied is minimal.
Some configurations, such as those generally used with ProFTPd, work best with a chroot jail if the server is run from a SysV startup script. Other configurations, such as those generally used with WU- FTPD , permit anonymous server configurations even when the server is run from a super server. The trick is that the chroot() system call can only be used by a program that's run as root . If your super server configuration for the FTP server calls the FTP server as anything but root , it won't be able to set up the chroot jail. (The username-setting options in FTP server configuration files generally operate after the chroot() call; until that time, a server run from a SysV or local startup script runs as root .)
Anonymous FTP servers require that certain files reside in particular directories. These are described in the upcoming section, "Setting Up an Anonymous Directory Tree."
Security Concerns of Anonymous Servers
Anonymous FTP servers, because they are normally accessible to the outside world, are a potential security threat. In theory, this threat need not be any greater than the threat from, say, Web or mail servers. In practice, though, anonymous FTP's risk may be somewhat greater. Part of the reason for this is that FTP servers, and WU-FTPD in particular, have a less than stellar security history. A further part of the problem is that FTP was designed for two-way file transfer, so a security flaw that allows a user to break out of the chroot jail may allow the user to overwrite critical system files, or at least arbitrary user files. A mail server, by contrast, gives an attacker less leverage, because the mail is processed in certain specified ways. (To be sure, bugs in mail servers have been discovered that can be used to acquire more power.)
On the plus side, a server that functions only as an anonymous FTP server doesn't pose a risk due to the transfer of usernames and passwords, as is a concern for a non-anonymous FTP server. The anonymous FTP server accepts all comers and any password, so there are no sensitive passwords to be compromised. Thus, in some respects, an anonymous server can be more secure than a non-anonymous server.
Because a single FTP server can be configured to perform both anonymous and non-anonymous operations, you run the risk of getting the worst of both worlds if you run both types of FTP server configurations on one system. Your best bet when running an anonymous FTP server is to configure it to accept only anonymous access, at least from the outside world. Minimize the number of user accounts on the system, and don't run unnecessary servers or store any sensitive data on the computer. These steps can help minimize the damage should your anonymous FTP server be compromised.
Setting Anonymous Options
Most FTP packages that ship with Linux distributions include operational or almost-operational anonymous FTP configurations. You may need to fine-tune these configurations to get the system truly working, though. This section describes the options in WU-FTPD and ProFTPd that accomplish this task, beginning with the creation of the directory tree that's common to both servers and moving on to server-specific configuration options.
Setting Up an Anonymous Directory Tree
The first step to creating an anonymous FTP site is creating an appropriate directory tree. A common choice for this tree's location is /home/ftp , but you can place it somewhere else if you prefer. In most cases, this tree should be owned by root or a user who is to maintain the FTP site, and have 755 ( rwxr-xr-x ) permissions. This allows the administrator to edit files in the directory, but it gives nobody else write access. In particular, the ftp user (or whatever username you use for anonymous access) can't write to the anonymous FTP directory. Subdirectories and files should follow the same pattern, although most files will lack the execute permission bit.
A typical anonymous FTP directory contains subdirectories as follows :
Once you've set up these directories and files, the basic directory structure should be adequate. You may need to add a few more files, or modify existing files, for particular purposes. For instance, if you add the ability to compress files using a tool other than gzip , you'll need to copy an appropriate executable to the FTP server's /bin directory.
WU-FTPD Anonymous Options
The most important anonymous FTP server configuration options for WU-FTPD appear in the /etc/ftpaccess file. Specifically, you may need to set or adjust the following options:
Most WU-FTPD configurations run from a super server with root privileges. When such a system receives an anonymous login, it spawns a subprocess as ftp , so WU-FTPD can run an anonymous server even from a super server.
ProFTPd Anonymous Options
The main ProFTPd options for configuring an anonymous FTP server appear in the proftpd.conf file, along with the other major server options. A simple but workable anonymous FTP configuration in this file might resemble the following:
<Anonymous /home/ftp> User ftp Group ftp # We want clients to be able to login with "anonymous" as well as #"ftp" UserAlias anonymous ftp # Limit WRITE everywhere in the anonymous chroot <Limit WRITE> DenyAll </Limit> </Anonymous>
Some key points about this configuration include the following:
If you want the server to function only as an anonymous FTP server, you should take steps to limit or eliminate FTP access to ordinary users. If possible, run the FTP server on a computer that supports just the bare minimum of administrative users, and deny them access by entering their usernames in the /etc/ftpusers file.