OpenBSD Archive › openbsd user - www

FAQ 10: AnonFTP

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

4 messages Options

Craig Skinner-3

FAQ 10: AnonFTP

$HOME of /var/spool/ftp instead of /home/ftp

$SHELL of /sbin/nologin instead of /usr/bin/false

'useradd' instead of 'adduser', which sets a /home prefix

Change the 'Directory Setup' section as the existing article duplicates
what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
mirror.

Index: faq10.html
===================================================================
RCS file: /cvs/www/faq/faq10.html,v
retrieving revision 1.180
diff -u -r1.180 faq10.html
--- faq10.html 1 Nov 2013 14:05:56 -0000 1.180
+++ faq10.html 11 Jan 2014 18:30:45 -0000
@@ -963,115 +963,100 @@
<h3>Adding the FTP account</h3>


-To start off, you need to have an ftp account on your system.
+To start off, you need to have an ftp user account on your system.
This account should not have a usable password. Here we will set the login
-directory to /home/ftp, but you can put it wherever you want.
+directory to the pre-existing /var/spool/ftp, as
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hier&sektion=7">hier(7)</a>
+says: 'Commonly ~ftp; the anonymous ftp root directory'
+but you can put it wherever you want, such as another disk partition:
+
+<blockquote><pre>
+$ fgrep ftp /etc/fstab
+/dev/sd3a /var/spool/ftp ffs rw,nodev,nosuid,softdep,noatime 0 2
+</pre></blockquote>
+
When using anonymous ftp, the ftp daemon will chroot itself to the home
directory of the ftp user. To read up more on that, read the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&sektion=2">chroot(2)</a>
man pages. Here is an example of adding the ftp user. I will do
this using
-<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=adduser&sektion=8">adduser(8)</a>.
-We also need to add /usr/bin/false to our /etc/shells, this is
-the "shell" that we will be giving to the ftp user.
-This won't allow them to login, even though we will give them an empty
-password. To do this you can simply do
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=useradd&sektion=8">useradd(8)</a>.

<blockquote><pre>
-echo /usr/bin/false >> /etc/shells
+$ sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp
+
+$ sudo userinfo ftp
+login ftp
+passwd *************
+uid 212121
+groups ftp
+change NEVER
+class
+gecos anonymous ftp
+dir /var/spool/ftp
+shell /sbin/nologin
+expire NEVER
+
+$ grep ^ftp /etc/group
+ftp:*:212121:
</pre></blockquote>

-After this, you are ready to add the ftp user:
+<h3>Directory Setup</h3>
+
+
+From a default OpenBSD install, ftp's home directory is already
+there, and mostly pre-populated for anonymous ftp duties:
+

<blockquote><pre>
-# adduser
-Use option ``-silent'' if you don't want to see all warnings and questions.
+$ sudo ls -lAR /var/spool/ftp
+total 12
+dr-x--x--x 2 root wheel 512 Jul 30 18:52 bin
+dr-x--x--x 2 root wheel 512 Jul 30 18:52 etc
+d--x--x--x 2 root wheel 512 Jul 30 18:52 hidden

-Reading /etc/shells
-Check /etc/master.passwd
-Check /etc/group
-
-Ok, let's go.
-Don't worry about mistakes. There will be a chance later to correct any input.
-Enter username []: ftp
-Enter full name []: anonymous ftp
-Enter shell csh false ksh nologin sh [ksh]: false
-Uid [1002]: Enter
-Login group ftp [ftp]: Enter
-Login group is ``ftp''. Invite ftp into other groups: guest no
-[no]: no
-Login class authpf daemon default staff [default]: Enter
-Enter password []: Enter
-Set the password so that user cannot logon? (y/n) [n]: y
-
-Name: ftp
-Password: ****
-Fullname: anonymous ftp
-Uid: 1002
-Gid: 1002 (ftp)
-Groups: ftp
-Login Class: default
-HOME: /home/ftp
-Shell: /usr/bin/false
-OK? (y/n) [y]: y
-Added user ``ftp''
-Copy files from /etc/skel to /home/ftp
-Add another user? (y/n) [y]: n
-Goodbye!
-</pre></blockquote>
+/var/spool/ftp/bin:

-<h3>Directory Setup</h3>
+/var/spool/ftp/etc:
+
+/var/spool/ftp/hidden:
+
+</pre></blockquote>


-Along with the user, this created the directory /home/ftp. This
-is what we want, but there are some changes that we will have to make to
-get it ready for anonymous ftp. Again these changes are explained in the
-<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> man page.
+All we need to do is add the public directory. In this example,
+we'll also set up the directory structure for a local OpenBSD
+ftp mirror, for both i386 & sparc64 machines:
+
+
+<blockquote><pre>
+$ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}
+$ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}
+$ sudo find /var/spool/ftp
+/var/spool/ftp
+/var/spool/ftp/bin
+/var/spool/ftp/etc
+/var/spool/ftp/hidden
+/var/spool/ftp/pub
+/var/spool/ftp/pub/OpenBSD
+/var/spool/ftp/pub/OpenBSD/5.4
+/var/spool/ftp/pub/OpenBSD/5.4/i386
+/var/spool/ftp/pub/OpenBSD/5.4/sparc64
+/var/spool/ftp/pub/OpenBSD/5.4/packages
+/var/spool/ftp/pub/OpenBSD/5.4/packages/i386
+/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64
+</pre></blockquote>


-You do not need to make a /home/ftp/usr or /home/ftp/bin
-directory.
-<ul>
-<li>/home/ftp - This is the main directory. It should be owned by
-root and have permissions of 555.
-<li>/home/ftp/etc - This is entirely optional and not
-recommended, as it only serves to give out information on users which
-exist on your box. If you want your anonymous ftp directory to appear to
-have real users attached to your files, you should copy /etc/pwd.db and
-/etc/group to this directory. This directory should be mode 511, and the
-two files should be mode 444. These are used to give owner names as
-opposed to numbers. There are no passwords stored in pwd.db, they are
-all in spwd.db, so don't copy that over.
-<li>/home/ftp/pub - This is a standard directory to place files
-in which you wish to share. This directory should also be mode 555.
-</ul>
-
-
-Note that all these directories should be owned by ''root''. Here is a
-listing of what the directories should look like after their creation.
+Now we'll set the directory permissions so the ftp user can read,
+and the wheel group can write (ftp get base tarballs and packages):
+

<blockquote><pre>
-# pwd
-/home
-# ls -laR ftp
-total 5
-dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 .
-drwxr-xr-x 7 root wheel 512 Jul 6 10:58 ..
-dr-x--x--x 2 root ftp 512 Jul 6 11:34 etc
-dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 pub
-
-ftp/etc:
-total 43
-dr-x--x--x 2 root ftp 512 Jul 6 11:34 .
-dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 ..
--r--r--r-- 1 root ftp 316 Jul 6 11:34 group
--r--r--r-- 1 root ftp 40960 Jul 6 11:34 pwd.db
-
-ftp/pub:
-total 2
-dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 .
-dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 ..
+$ sudo chown -R root:wheel /var/spool/ftp/pub
+$ sudo chmod 555 /var/spool/ftp/pub
+$ sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/
</pre></blockquote>

<h3>Starting up the server and logging</h3>

Craig Skinner-3

Re: FAQ 10: AnonFTP

On 2014-01-11 Sat 18:35 PM |, Craig R. Skinner wrote:

> $HOME of /var/spool/ftp instead of /home/ftp
>
> $SHELL of /sbin/nologin instead of /usr/bin/false
>
> 'useradd' instead of 'adduser', which sets a /home prefix
>
> Change the 'Directory Setup' section as the existing article duplicates
> what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> mirror.
>

Whoops, evidence it works:

$ grep ^/ /etc/shells
/bin/sh
/bin/csh
/bin/ksh
/bin/rksh

$ sudo userinfo ftp
Password:
login ftp
passwd *************
uid 212121
groups ftp
change NEVER
class
gecos anonymous ftp
dir /var/spool/ftp
shell /sbin/nologin
expire NEVER

$ grep ^ftp /etc/inetd.conf
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -4AlUS

$ cd $(mktemp -d)
$ ls

$ ftp -a ftp://localhost/pub/OpenBSD/5.4/ANNOUNCEMENT
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/OpenBSD/5.4/ANNOUNCEMENT
local: ANNOUNCEMENT remote: ANNOUNCEMENT
150 Opening BINARY mode data connection for 'ANNOUNCEMENT' (25686 bytes).
100% |************************************************************************************************| 25686 00:00
226 Transfer complete.
25686 bytes received in 0.03 seconds (867.99 KB/s)
221 Goodbye.

$ ftp -a ftp://localhost/pub/OpenBSD/5.4/ports.tar.gz
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/OpenBSD/5.4/ports.tar.gz
local: ports.tar.gz remote: ports.tar.gz
150 Opening BINARY mode data connection for 'ports.tar.gz' (22457239 bytes).
100% |************************************************************************************************| 21930 KB 00:03
226 Transfer complete.
22457239 bytes received in 3.28 seconds (6.53 MB/s)
221 Goodbye.

$ ftp -a ftp://localhost/pub/OpenBSD/5.4/packages/i386/passwdqc*
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/OpenBSD/5.4/packages/i386/passwdqc*
local: passwdqc-1.3.0.tgz remote: passwdqc-1.3.0.tgz
150 Opening BINARY mode data connection for 'passwdqc-1.3.0.tgz' (37483 bytes).
100% |************************************************************************************************| 37483 00:00
226 Transfer complete.
37483 bytes received in 0.01 seconds (5.89 MB/s)
221 Goodbye.

$ ftp -a ftp://localhost/pub/Sun/patches/1086*
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/Sun/patches/1086*
local: 108620-04.tar.Z remote: 108620-04.tar.Z
150 Opening BINARY mode data connection for '108620-04.tar.Z' (35733 bytes).
100% |************************************************************************************************| 35733 00:00
226 Transfer complete.
35733 bytes received in 0.02 seconds (1.81 MB/s)
local: 108673-02.tar.Z remote: 108673-02.tar.Z
150 Opening BINARY mode data connection for '108673-02.tar.Z' (772029 bytes).
100% |************************************************************************************************| 753 KB 00:00
226 Transfer complete.
772029 bytes received in 0.08 seconds (8.78 MB/s)
221 Goodbye.

$ ls -l
total 45672
-rw-r----- 1 me wheel 35733 May 11 2009 108620-04.tar.Z
-rw-r----- 1 me wheel 772029 May 11 2009 108673-02.tar.Z
-rw-r----- 1 me wheel 25686 Oct 25 19:56 ANNOUNCEMENT
-rw-r----- 1 me wheel 37483 Nov 28 22:26 passwdqc-1.3.0.tgz
-rw-r----- 1 me wheel 22457239 Jul 30 00:47 ports.tar.gz

$ tail -n 5 /var/log/ftpd
Mon Jan 13 14:23:27 2014 1 localhost 25686 /pub/OpenBSD/5.4/ANNOUNCEMENT b * o a me@ ftp 0 *
Mon Jan 13 14:23:53 2014 4 localhost 22457239 /pub/OpenBSD/5.4/ports.tar.gz b * o a me@ ftp 0 *
Mon Jan 13 14:28:35 2014 1 localhost 37483 /pub/OpenBSD/5.4/packages/i386/passwdqc-1.3.0.tgz b * o a me@ ftp 0 *
Mon Jan 13 14:31:31 2014 1 localhost 35733 /pub/Sun/patches/108620-04.tar.Z b * o a me@ ftp 0 *
Mon Jan 13 14:31:31 2014 1 localhost 772029 /pub/Sun/patches/108673-02.tar.Z b * o a me@ ftp 0 *

$ last
ftp ftp localhost Mon Jan 13 14:31 - 14:31 (00:00)
ftp ftp localhost Mon Jan 13 14:28 - 14:28 (00:00)
ftp ftp localhost Mon Jan 13 14:23 - 14:23 (00:00)
ftp ftp localhost Mon Jan 13 14:23 - 14:23 (00:00)
...
...

Cheers,
--
Craig Skinner | http://web.hope-church-falkirk.org.uk/

Nick Holland

Re: FAQ 10: AnonFTP

In reply to this post by Craig Skinner-3

On 01/11/14 13:35, Craig R. Skinner wrote:
> $HOME of /var/spool/ftp instead of /home/ftp

um. There are a lot of choices for where to put your ftp's home...
/var/spool/ftp is not in my top five. I see your reasoning in the diff
itself, but the most likely place I'd put an ftp home would be
/var/www/<site> so it could be served both by FTP and HTTP.

/var/spool/ftp is one of those things left over from another date and
time, right now, I have trouble imagining running an FTP server that
isn't also a http server for downloads...and I can't imagine expecting
Joe Average to be able to work an FTP client for uploads anymore, either.

> $SHELL of /sbin/nologin instead of /usr/bin/false

benefit? to me, "nologin" sounds like the account is disabled, I think
I like /usr/bin/false slightly better philosophically.

> 'useradd' instead of 'adduser', which sets a /home prefix

bah. I can never remember all the options of useradd, I much prefer
using adduser to get prompted for the options.

> Change the 'Directory Setup' section as the existing article duplicates
> what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> mirror.

which again, would be better served in /var/www/htdocs or something
similar in the httpd chroot.

All in all, I don't think this is an improvement, and certain things
(like /var/spool/ftp) I disagree with strongly.

If developers disagree with me, let me know, but otherwise not-ok.

Nick.

>
> Index: faq10.html
> ===================================================================
> RCS file: /cvs/www/faq/faq10.html,v
> retrieving revision 1.180
> diff -u -r1.180 faq10.html
> --- faq10.html 1 Nov 2013 14:05:56 -0000 1.180
> +++ faq10.html 11 Jan 2014 18:30:45 -0000
> @@ -963,115 +963,100 @@
> <h3>Adding the FTP account</h3>
>
> 
> -To start off, you need to have an ftp account on your system.
> +To start off, you need to have an ftp user account on your system.
> This account should not have a usable password. Here we will set the login
> -directory to /home/ftp, but you can put it wherever you want.
> +directory to the pre-existing /var/spool/ftp, as
> +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hier&sektion=7">hier(7)</a>
> +says: 'Commonly ~ftp; the anonymous ftp root directory'
> +but you can put it wherever you want, such as another disk partition:
> +
> +<blockquote><pre>
> +$ fgrep ftp /etc/fstab
> +/dev/sd3a /var/spool/ftp ffs rw,nodev,nosuid,softdep,noatime 0 2
> +</pre></blockquote>
> +
> When using anonymous ftp, the ftp daemon will chroot itself to the home
> directory of the ftp user. To read up more on that, read the
> <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> and
> <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&sektion=2">chroot(2)</a>
> man pages. Here is an example of adding the ftp user. I will do
> this using
> -<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=adduser&sektion=8">adduser(8)</a>.
> -We also need to add /usr/bin/false to our /etc/shells, this is
> -the "shell" that we will be giving to the ftp user.
> -This won't allow them to login, even though we will give them an empty
> -password. To do this you can simply do
> +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=useradd&sektion=8">useradd(8)</a>.
>
> <blockquote><pre>
> -echo /usr/bin/false >> /etc/shells
> +$ sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp
> +
> +$ sudo userinfo ftp
> +login ftp
> +passwd *************
> +uid 212121
> +groups ftp
> +change NEVER
> +class
> +gecos anonymous ftp
> +dir /var/spool/ftp
> +shell /sbin/nologin
> +expire NEVER
> +
> +$ grep ^ftp /etc/group
> +ftp:*:212121:
> </pre></blockquote>
>
> -After this, you are ready to add the ftp user:
> +<h3>Directory Setup</h3>
> +
> +
> +From a default OpenBSD install, ftp's home directory is already
> +there, and mostly pre-populated for anonymous ftp duties:
> +
>
> <blockquote><pre>
> -# adduser
> -Use option ``-silent'' if you don't want to see all warnings and questions.
> +$ sudo ls -lAR /var/spool/ftp
> +total 12
> +dr-x--x--x 2 root wheel 512 Jul 30 18:52 bin
> +dr-x--x--x 2 root wheel 512 Jul 30 18:52 etc
> +d--x--x--x 2 root wheel 512 Jul 30 18:52 hidden
>
> -Reading /etc/shells
> -Check /etc/master.passwd
> -Check /etc/group
> -
> -Ok, let's go.
> -Don't worry about mistakes. There will be a chance later to correct any input.
> -Enter username []: ftp
> -Enter full name []: anonymous ftp
> -Enter shell csh false ksh nologin sh [ksh]: false
> -Uid [1002]: Enter
> -Login group ftp [ftp]: Enter
> -Login group is ``ftp''. Invite ftp into other groups: guest no
> -[no]: no
> -Login class authpf daemon default staff [default]: Enter
> -Enter password []: Enter
> -Set the password so that user cannot logon? (y/n) [n]: y
> -
> -Name: ftp
> -Password: ****
> -Fullname: anonymous ftp
> -Uid: 1002
> -Gid: 1002 (ftp)
> -Groups: ftp
> -Login Class: default
> -HOME: /home/ftp
> -Shell: /usr/bin/false
> -OK? (y/n) [y]: y
> -Added user ``ftp''
> -Copy files from /etc/skel to /home/ftp
> -Add another user? (y/n) [y]: n
> -Goodbye!
> -</pre></blockquote>
> +/var/spool/ftp/bin:
>
> -<h3>Directory Setup</h3>
> +/var/spool/ftp/etc:
> +
> +/var/spool/ftp/hidden:
> +
> +</pre></blockquote>
>
> 
> -Along with the user, this created the directory /home/ftp. This
> -is what we want, but there are some changes that we will have to make to
> -get it ready for anonymous ftp. Again these changes are explained in the
> -<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> man page.
> +All we need to do is add the public directory. In this example,
> +we'll also set up the directory structure for a local OpenBSD
> +ftp mirror, for both i386 & sparc64 machines:
> +
> +
> +<blockquote><pre>
> +$ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}
> +$ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}
> +$ sudo find /var/spool/ftp
> +/var/spool/ftp
> +/var/spool/ftp/bin
> +/var/spool/ftp/etc
> +/var/spool/ftp/hidden
> +/var/spool/ftp/pub
> +/var/spool/ftp/pub/OpenBSD
> +/var/spool/ftp/pub/OpenBSD/5.4
> +/var/spool/ftp/pub/OpenBSD/5.4/i386
> +/var/spool/ftp/pub/OpenBSD/5.4/sparc64
> +/var/spool/ftp/pub/OpenBSD/5.4/packages
> +/var/spool/ftp/pub/OpenBSD/5.4/packages/i386
> +/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64
> +</pre></blockquote>
>
> 
> -You do not need to make a /home/ftp/usr or /home/ftp/bin
> -directory.
> -<ul>
> -<li>/home/ftp - This is the main directory. It should be owned by
> -root and have permissions of 555.
> -<li>/home/ftp/etc - This is entirely optional and not
> -recommended, as it only serves to give out information on users which
> -exist on your box. If you want your anonymous ftp directory to appear to
> -have real users attached to your files, you should copy /etc/pwd.db and
> -/etc/group to this directory. This directory should be mode 511, and the
> -two files should be mode 444. These are used to give owner names as
> -opposed to numbers. There are no passwords stored in pwd.db, they are
> -all in spwd.db, so don't copy that over.
> -<li>/home/ftp/pub - This is a standard directory to place files
> -in which you wish to share. This directory should also be mode 555.
> -</ul>
> -
> -
> -Note that all these directories should be owned by ''root''. Here is a
> -listing of what the directories should look like after their creation.
> +Now we'll set the directory permissions so the ftp user can read,
> +and the wheel group can write (ftp get base tarballs and packages):
> +
>
> <blockquote><pre>
> -# pwd
> -/home
> -# ls -laR ftp
> -total 5
> -dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 .
> -drwxr-xr-x 7 root wheel 512 Jul 6 10:58 ..
> -dr-x--x--x 2 root ftp 512 Jul 6 11:34 etc
> -dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 pub
> -
> -ftp/etc:
> -total 43
> -dr-x--x--x 2 root ftp 512 Jul 6 11:34 .
> -dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 ..
> --r--r--r-- 1 root ftp 316 Jul 6 11:34 group
> --r--r--r-- 1 root ftp 40960 Jul 6 11:34 pwd.db
> -
> -ftp/pub:
> -total 2
> -dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 .
> -dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 ..
> +$ sudo chown -R root:wheel /var/spool/ftp/pub
> +$ sudo chmod 555 /var/spool/ftp/pub
> +$ sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/
> </pre></blockquote>
>
> <h3>Starting up the server and logging</h3>

Craig Skinner-3

Re: FAQ 10: AnonFTP

In reply to this post by Craig Skinner-3

On 2014-01-13 Mon 14:52 PM |, Craig R. Skinner wrote:

> On 2014-01-11 Sat 18:35 PM |, Craig R. Skinner wrote:
> > $HOME of /var/spool/ftp instead of /home/ftp
> >
> > $SHELL of /sbin/nologin instead of /usr/bin/false
> >
> > 'useradd' instead of 'adduser', which sets a /home prefix
> >
> > Change the 'Directory Setup' section as the existing article duplicates
> > what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> > mirror.
> >
>
> Whoops, evidence it works:
>

Anyone else?

Plain text result from the earlier diff:
----------------------------------------

Adding the FTP account

To start off, you need to have an ftp user account on your system. This account should not have a usable password. Here we will set the login directory to the pre-existing /var/spool/ftp, as hier(7) says: 'Commonly ~ftp; the anonymous ftp root directory' but you can put it wherever you want, such as another disk partition:

$ fgrep ftp /etc/fstab
/dev/sd3a /var/spool/ftp ffs rw,nodev,nosuid,softdep,noatime 0 2

When using anonymous ftp, the ftp daemon will chroot itself to the home directory of the ftp user. To read up more on that, read the ftpd(8) and chroot(2) man pages. Here is an example of adding the ftp user. I will do this using useradd(8).

$ sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp

$ sudo userinfo ftp
login ftp
passwd *************
uid 212121
groups ftp
change NEVER
class
gecos anonymous ftp
dir /var/spool/ftp
shell /sbin/nologin
expire NEVER

$ grep ^ftp /etc/group
ftp:*:212121:

Directory Setup

From a default OpenBSD install, ftp's home directory is already there, and mostly pre-populated for anonymous ftp duties:

$ sudo ls -lAR /var/spool/ftp
total 12
dr-x--x--x 2 root wheel 512 Jul 30 18:52 bin
dr-x--x--x 2 root wheel 512 Jul 30 18:52 etc
d--x--x--x 2 root wheel 512 Jul 30 18:52 hidden

/var/spool/ftp/bin:

/var/spool/ftp/etc:

/var/spool/ftp/hidden:

All we need to do is add the public directory. In this example, we'll also set up the directory structure for a local OpenBSD ftp mirror, for both i386 & sparc64 machines:

$ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}
$ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}
$ sudo find /var/spool/ftp
/var/spool/ftp
/var/spool/ftp/bin
/var/spool/ftp/etc
/var/spool/ftp/hidden
/var/spool/ftp/pub
/var/spool/ftp/pub/OpenBSD
/var/spool/ftp/pub/OpenBSD/5.4
/var/spool/ftp/pub/OpenBSD/5.4/i386
/var/spool/ftp/pub/OpenBSD/5.4/sparc64
/var/spool/ftp/pub/OpenBSD/5.4/packages
/var/spool/ftp/pub/OpenBSD/5.4/packages/i386
/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64

Now we'll set the directory permissions so the ftp user can read, and the wheel group can write (ftp get base tarballs and packages):

$ sudo chown -R root:wheel /var/spool/ftp/pub
$ sudo chmod 555 /var/spool/ftp/pub
$ sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/