$HOME of /var/spool/ftp instead of /home/ftp
$SHELL of /sbin/nologin instead of /usr/bin/false
'useradd' instead of 'adduser', which sets a /home prefix
Change the 'Directory Setup' section as the existing article duplicates
what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
mirror.
Index: faq10.html
===================================================================
RCS file: /cvs/www/faq/faq10.html,v
retrieving revision 1.180
diff -u -r1.180 faq10.html
--- faq10.html 1 Nov 2013 14:05:56 -0000 1.180
+++ faq10.html 11 Jan 2014 18:30:45 -0000
@@ -963,115 +963,100 @@
<h3>Adding the FTP account</h3>
<p>
-To start off, you need to have an <i>ftp</i> account on your system.
+To start off, you need to have an <i>ftp</i> user account on your system.
This account should not have a usable password. Here we will set the login
-directory to /home/ftp, but you can put it wherever you want.
+directory to the pre-existing <i>/var/spool/ftp</i>, as
+<a href="
http://www.openbsd.org/cgi-bin/man.cgi?query=hier&sektion=7">hier(7)</a>
+says: '<i>Commonly ~ftp; the anonymous ftp root directory</i>'
+but you can put it wherever you want, such as another disk partition:
+
+<blockquote><pre>
+$ <b>fgrep ftp /etc/fstab</b>
+/dev/sd3a /var/spool/ftp ffs rw,nodev,nosuid,softdep,noatime 0 2
+</pre></blockquote>
+
When using anonymous ftp, the ftp daemon will chroot itself to the home
directory of the <i>ftp</i> user. To read up more on that, read the
<a href="
http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> and
<a href="
http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&sektion=2">chroot(2)</a>
man pages. Here is an example of adding the <i>ftp</i> user. I will do
this using
-<a href="
http://www.openbsd.org/cgi-bin/man.cgi?query=adduser&sektion=8">adduser(8)</a>.
-We also need to add /usr/bin/false to our <i>/etc/shells</i>, this is
-the "shell" that we will be giving to the <i>ftp</i> user.
-This won't allow them to login, even though we will give them an empty
-password. To do this you can simply do
+<a href="
http://www.openbsd.org/cgi-bin/man.cgi?query=useradd&sektion=8">useradd(8)</a>.
<blockquote><pre>
-echo /usr/bin/false >> /etc/shells
+$ <b>sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp</b>
+
+$ <b>sudo userinfo ftp</b>
+login ftp
+passwd *************
+uid 212121
+groups ftp
+change NEVER
+class
+gecos anonymous ftp
+dir /var/spool/ftp
+shell /sbin/nologin
+expire NEVER
+
+$ <b>grep ^ftp /etc/group</b>
+ftp:*:212121:
</pre></blockquote>
-After this, you are ready to add the <i>ftp</i> user:
+<h3>Directory Setup</h3>
+
+<p>
+From a default OpenBSD install, <i>ftp</i>'s home directory is already
+there, and mostly pre-populated for anonymous ftp duties:
+</p>
<blockquote><pre>
-# <b>adduser</b>
-Use option ``-silent'' if you don't want to see all warnings and questions.
+$ <b>sudo ls -lAR /var/spool/ftp</b>
+total 12
+dr-x--x--x 2 root wheel 512 Jul 30 18:52 bin
+dr-x--x--x 2 root wheel 512 Jul 30 18:52 etc
+d--x--x--x 2 root wheel 512 Jul 30 18:52 hidden
-Reading /etc/shells
-Check /etc/master.passwd
-Check /etc/group
-
-Ok, let's go.
-Don't worry about mistakes. There will be a chance later to correct any input.
-Enter username []: <b>ftp</b>
-Enter full name []: <b>anonymous ftp</b>
-Enter shell csh false ksh nologin sh [ksh]: <b>false</b>
-Uid [1002]: <b><i>Enter</i></b>
-Login group ftp [ftp]: <b><i>Enter</i></b>
-Login group is ``ftp''. Invite ftp into other groups: guest no
-[no]: <b>no</b>
-Login class authpf daemon default staff [default]: <b><i>Enter</i></b>
-Enter password []: <b><i>Enter</i></b>
-Set the password so that user cannot logon? (y/n) [n]: <b>y</b>
-
-Name: ftp
-Password: ****
-Fullname: anonymous ftp
-Uid: 1002
-Gid: 1002 (ftp)
-Groups: ftp
-Login Class: default
-HOME: /home/ftp
-Shell: /usr/bin/false
-OK? (y/n) [y]: <b>y</b>
-Added user ``ftp''
-Copy files from /etc/skel to /home/ftp
-Add another user? (y/n) [y]: <b>n</b>
-Goodbye!
-</pre></blockquote>
+/var/spool/ftp/bin:
-<h3>Directory Setup</h3>
+/var/spool/ftp/etc:
+
+/var/spool/ftp/hidden:
+
+</pre></blockquote>
<p>
-Along with the user, this created the directory <i>/home/ftp</i>. This
-is what we want, but there are some changes that we will have to make to
-get it ready for anonymous ftp. Again these changes are explained in the
-<a href="
http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> man page.
+All we need to do is add the <b>pub</b>lic directory. In this example,
+we'll also set up the directory structure for a local OpenBSD
+ftp mirror, for both i386 & sparc64 machines:
+</p>
+
+<blockquote><pre>
+$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}</b>
+$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}</b>
+$ <b>sudo find /var/spool/ftp</b>
+/var/spool/ftp
+/var/spool/ftp/bin
+/var/spool/ftp/etc
+/var/spool/ftp/hidden
+/var/spool/ftp/pub
+/var/spool/ftp/pub/OpenBSD
+/var/spool/ftp/pub/OpenBSD/5.4
+/var/spool/ftp/pub/OpenBSD/5.4/i386
+/var/spool/ftp/pub/OpenBSD/5.4/sparc64
+/var/spool/ftp/pub/OpenBSD/5.4/packages
+/var/spool/ftp/pub/OpenBSD/5.4/packages/i386
+/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64
+</pre></blockquote>
<p>
-You <b>do not</b> need to make a /home/ftp/usr or /home/ftp/bin
-directory.
-<ul>
-<li><i>/home/ftp</i> - This is the main directory. It should be owned by
-root and have permissions of 555.
-<li><i>/home/ftp/etc</i> - This is entirely optional and not
-recommended, as it only serves to give out information on users which
-exist on your box. If you want your anonymous ftp directory to appear to
-have real users attached to your files, you should copy /etc/pwd.db and
-/etc/group to this directory. This directory should be mode 511, and the
-two files should be mode 444. These are used to give owner names as
-opposed to numbers. There are no passwords stored in pwd.db, they are
-all in spwd.db, so don't copy that over.
-<li><i>/home/ftp/pub</i> - This is a standard directory to place files
-in which you wish to share. This directory should also be mode 555.
-</ul>
-
-<p>
-Note that all these directories should be owned by ''root''. Here is a
-listing of what the directories should look like after their creation.
+Now we'll set the directory permissions so the <i>ftp</i> user can read,
+and the <i>wheel</i> group can write (ftp get base tarballs and packages):
+</p>
<blockquote><pre>
-# pwd
-/home
-# ls -laR ftp
-total 5
-dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 .
-drwxr-xr-x 7 root wheel 512 Jul 6 10:58 ..
-dr-x--x--x 2 root ftp 512 Jul 6 11:34 etc
-dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 pub
-
-ftp/etc:
-total 43
-dr-x--x--x 2 root ftp 512 Jul 6 11:34 .
-dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 ..
--r--r--r-- 1 root ftp 316 Jul 6 11:34 group
--r--r--r-- 1 root ftp 40960 Jul 6 11:34 pwd.db
-
-ftp/pub:
-total 2
-dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 .
-dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 ..
+$ <b>sudo chown -R root:wheel /var/spool/ftp/pub</b>
+$ <b>sudo chmod 555 /var/spool/ftp/pub</b>
+$ <b>sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/</b>
</pre></blockquote>
<h3>Starting up the server and logging</h3>
Locked
