FAQ 10: AnonFTP

FAQ 10: AnonFTP

Craig Skinner-3
$HOME of /var/spool/ftp instead of /home/ftp

$SHELL of /sbin/nologin instead of /usr/bin/false

'useradd' instead of 'adduser', which sets a /home prefix

Change the 'Directory Setup' section as the existing article duplicates
what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
mirror.


Index: faq10.html
===================================================================
RCS file: /cvs/www/faq/faq10.html,v
retrieving revision 1.180
diff -u -r1.180 faq10.html
--- faq10.html 1 Nov 2013 14:05:56 -0000 1.180
+++ faq10.html 11 Jan 2014 18:30:45 -0000
@@ -963,115 +963,100 @@
 <h3>Adding the FTP account</h3>
 
 <p>
-To start off, you need to have an <i>ftp</i> account on your system.
+To start off, you need to have an <i>ftp</i> user account on your system.
 This account should not have a usable password. Here we will set the login
-directory to /home/ftp, but you can put it wherever you want.
+directory to the pre-existing <i>/var/spool/ftp</i>, as
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hier&amp;sektion=7">hier(7)</a>
+says: '<i>Commonly ~ftp; the anonymous ftp root directory</i>'
+but you can put it wherever you want, such as another disk partition:
+
+<blockquote><pre>
+$ <b>fgrep ftp /etc/fstab</b>
+/dev/sd3a /var/spool/ftp        ffs rw,nodev,nosuid,softdep,noatime             0 2
+</pre></blockquote>
+
 When using anonymous ftp, the ftp daemon will chroot itself to the home
 directory of the <i>ftp</i> user. To read up more on that, read the
 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&amp;sektion=8">ftpd(8)</a> and
 <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&amp;sektion=2">chroot(2)</a>
 man pages. Here is an example of adding the <i>ftp</i> user. I will do
 this using
-<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=adduser&amp;sektion=8">adduser(8)</a>.
-We also need to add /usr/bin/false to our <i>/etc/shells</i>, this is
-the &quot;shell&quot; that we will be giving to the <i>ftp</i> user.
-This won't allow them to login, even though we will give them an empty
-password. To do this you can simply do
+<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=useradd&amp;sektion=8">useradd(8)</a>.
 
 <blockquote><pre>
-echo /usr/bin/false &gt;&gt; /etc/shells
+$ <b>sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp</b>
+
+$ <b>sudo userinfo ftp</b>
+login   ftp
+passwd  *************
+uid     212121
+groups  ftp
+change  NEVER
+class
+gecos   anonymous ftp
+dir     /var/spool/ftp
+shell   /sbin/nologin
+expire  NEVER
+
+$ <b>grep ^ftp /etc/group</b>
+ftp:*:212121:
 </pre></blockquote>
 
-After this, you are ready to add the <i>ftp</i> user:
+<h3>Directory Setup</h3>
+
+<p>
+From a default OpenBSD install, <i>ftp</i>'s home directory is already
+there, and mostly pre-populated for anonymous ftp duties:
+</p>
 
 <blockquote><pre>
-# <b>adduser</b>
-Use option ``-silent'' if you don't want to see all warnings and questions.
+$ <b>sudo ls -lAR /var/spool/ftp</b>
+total 12
+dr-x--x--x  2 root  wheel  512 Jul 30 18:52 bin
+dr-x--x--x  2 root  wheel  512 Jul 30 18:52 etc
+d--x--x--x  2 root  wheel  512 Jul 30 18:52 hidden
 
-Reading /etc/shells
-Check /etc/master.passwd
-Check /etc/group
-
-Ok, let's go.
-Don't worry about mistakes. There will be a chance later to correct any input.
-Enter username []: <b>ftp</b>
-Enter full name []: <b>anonymous ftp</b>
-Enter shell csh false ksh nologin sh [ksh]: <b>false</b>
-Uid [1002]: <b><i>Enter</i></b>
-Login group ftp [ftp]: <b><i>Enter</i></b>
-Login group is ``ftp''. Invite ftp into other groups: guest no
-[no]: <b>no</b>
-Login class authpf daemon default staff [default]: <b><i>Enter</i></b>
-Enter password []: <b><i>Enter</i></b>
-Set the password so that user cannot logon? (y/n) [n]: <b>y</b>
-
-Name:        ftp
-Password:    ****
-Fullname:    anonymous ftp
-Uid:         1002
-Gid:         1002 (ftp)
-Groups:      ftp
-Login Class: default
-HOME:        /home/ftp
-Shell:       /usr/bin/false
-OK? (y/n) [y]: <b>y</b>
-Added user ``ftp''
-Copy files from /etc/skel to /home/ftp
-Add another user? (y/n) [y]: <b>n</b>
-Goodbye!
-</pre></blockquote>
+/var/spool/ftp/bin:
 
-<h3>Directory Setup</h3>
+/var/spool/ftp/etc:
+
+/var/spool/ftp/hidden:
+
+</pre></blockquote>
 
 <p>
-Along with the user, this created the directory <i>/home/ftp</i>. This
-is what we want, but there are some changes that we will have to make to
-get it ready for anonymous ftp. Again these changes are explained in the
-<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&amp;sektion=8">ftpd(8)</a> man page.
+All we need to do is add the <b>pub</b>lic directory. In this example,
+we'll also set up the directory structure for a local OpenBSD
+ftp mirror, for both i386 &amp; sparc64 machines:
+</p>
+
+<blockquote><pre>
+$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}</b>
+$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}</b>
+$ <b>sudo find /var/spool/ftp</b>
+/var/spool/ftp
+/var/spool/ftp/bin
+/var/spool/ftp/etc
+/var/spool/ftp/hidden
+/var/spool/ftp/pub
+/var/spool/ftp/pub/OpenBSD
+/var/spool/ftp/pub/OpenBSD/5.4
+/var/spool/ftp/pub/OpenBSD/5.4/i386
+/var/spool/ftp/pub/OpenBSD/5.4/sparc64
+/var/spool/ftp/pub/OpenBSD/5.4/packages
+/var/spool/ftp/pub/OpenBSD/5.4/packages/i386
+/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64
+</pre></blockquote>
 
 <p>
-You <b>do not</b> need to make a /home/ftp/usr or /home/ftp/bin
-directory.
-<ul>
-<li><i>/home/ftp</i> - This is the main directory. It should be owned by
-root and have permissions of 555.
-<li><i>/home/ftp/etc</i> - This is entirely optional and not
-recommended, as it only serves to give out information on users which
-exist on your box. If you want your anonymous ftp directory to appear to
-have real users attached to your files, you should copy /etc/pwd.db and
-/etc/group to this directory. This directory should be mode 511, and the
-two files should be mode 444. These are used to give owner names as
-opposed to numbers. There are no passwords stored in pwd.db, they are
-all in spwd.db, so don't copy that over.
-<li><i>/home/ftp/pub</i> - This is a standard directory to place files
-in which you wish to share. This directory should also be mode 555.
-</ul>
-
-<p>
-Note that all these directories should be owned by ''root''. Here is a
-listing of what the directories should look like after their creation.
+Now we'll set the directory permissions so the <i>ftp</i> user can read,
+and the <i>wheel</i> group can write (ftp get base tarballs and packages):
+</p>
 
 <blockquote><pre>
-# pwd
-/home
-# ls -laR ftp
-total 5
-dr-xr-xr-x  5 root  ftp    512 Jul  6 11:33 .
-drwxr-xr-x  7 root  wheel  512 Jul  6 10:58 ..
-dr-x--x--x  2 root  ftp    512 Jul  6 11:34 etc
-dr-xr-xr-x  2 root  ftp    512 Jul  6 11:33 pub
-
-ftp/etc:
-total 43
-dr-x--x--x  2 root  ftp    512 Jul  6 11:34 .
-dr-xr-xr-x  5 root  ftp    512 Jul  6 11:33 ..
--r--r--r--  1 root  ftp    316 Jul  6 11:34 group
--r--r--r--  1 root  ftp  40960 Jul  6 11:34 pwd.db
-
-ftp/pub:
-total 2
-dr-xr-xr-x  2 root  ftp  512 Jul  6 11:33 .
-dr-xr-xr-x  5 root  ftp  512 Jul  6 11:33 ..
+$ <b>sudo chown -R root:wheel /var/spool/ftp/pub</b>
+$ <b>sudo chmod 555 /var/spool/ftp/pub</b>
+$ <b>sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/</b>
 </pre></blockquote>
 
 <h3>Starting up the server and logging</h3>
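Review bot: the closing `chmod -R 575 /var/spool/ftp/pub/OpenBSD/` applies a directory mode to every regular file as well, so each tarball and package ends up group-writable and executable by everyone, and the explanation just above it ("the ftp user can read, and the wheel group can write") does not say that, while the text this hunk deletes said the ftp tree should be root-owned with directories 555 and files 444. Set the modes separately, e.g. `find /var/spool/ftp/pub -type d -exec chmod 555 {} +` and `find /var/spool/ftp/pub -type f -exec chmod 444 {} +` (or `u=rX,g=rwX,o=rX` if wheel really needs write), and say why root-only ownership no longer applies. Secondly, the hunk drops the `echo /usr/bin/false >> /etc/shells` step and the explanation of the optional `etc/` copy of pwd.db and group without giving the reason; one sentence that ftpd(8) does not consult /etc/shells for the anonymous account (the follow-up in this thread shows /sbin/nologin absent from /etc/shells and the guest login succeeding) would keep readers from adding it back, and the warning never to copy spwd.db into the chroot is worth keeping.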

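As an added example that is not part of the FAQ diff or of Craig's post: a small POSIX sh checker for the invariants this section depends on, assuming the policy of the text being replaced (everything in the chroot owned by root, directories 555, regular files 444, nothing world-writable, no executable regular files) and the ten-field /etc/master.passwd line format. The function names, the constructed sample tree and the `demo` mode are mine; run the fix on the pub tree only, since ~ftp/etc and ~ftp/hidden are intentionally execute-only in the default install.

```shell
#!/bin/sh
# Added example (not from the OpenBSD FAQ): audit and normalise an anonymous
# ftp tree. Policy follows the FAQ text being replaced and ftpd(8): entries
# owned by root, directories 555, regular files 444, nothing world-writable
# and no executable regular files inside the chroot.

# audit_ftp_tree DIR [OWNER]
#   Prints one finding per line ("<reason> <path>") and returns 1 if anything
#   was found, 0 if the tree is clean. OWNER defaults to root; pass another
#   name only when trying this on a scratch tree you own.
audit_ftp_tree() {
    dir=$1
    owner=${2:-root}
    findings=$(
        # anything not owned by the expected owner
        find "$dir" ! -user "$owner" -exec printf 'not-owned-by-%s %s\n' "$owner" {} \;
        # world-writable entries (symlinks excluded: their own mode is meaningless)
        find "$dir" ! -type l -perm -002 -exec printf 'world-writable %s\n' {} \;
        # regular files with any execute bit, which is what "chmod -R 575" leaves behind
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
            -exec printf 'executable-file %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# set_ftp_modes DIR
#   Directories 555, regular files 444, applied separately so files never
#   inherit execute bits from a recursive chmod of a directory mode.
set_ftp_modes() {
    find "$1" -type d -exec chmod 555 {} +
    find "$1" -type f -exec chmod 444 {} +
}

# ftp_account_ok LINE
#   LINE is the ftp user's /etc/master.passwd entry (10 colon-separated fields,
#   e.g. from: sudo grep '^ftp:' /etc/master.passwd). Returns 0 only when the
#   password field is locked (one or more '*'), a home directory (the chroot
#   target) is set, and the shell is /sbin/nologin or /usr/bin/false.
ftp_account_ok() {
    printf '%s\n' "$1" | awk -F: '
        NF != 10        { exit 1 }   # not a master.passwd line
        $2 !~ /^\*+$/   { exit 1 }   # empty or usable password hash
        $9 == ""        { exit 1 }   # no chroot directory
        $10 != "/sbin/nologin" && $10 != "/usr/bin/false" { exit 1 }
        { exit 0 }'
}

# make_sample_tree DIR
#   Constructed scratch tree with two deliberate mistakes: a world-writable
#   directory and a file left mode 575 by a recursive chmod.
make_sample_tree() {
    mkdir -p "$1/pub/OpenBSD/5.4/i386"
    printf 'constructed sample file\n' > "$1/pub/OpenBSD/5.4/i386/INSTALL.i386"
    chmod 575 "$1/pub/OpenBSD/5.4/i386/INSTALL.i386"
    chmod 777 "$1/pub/OpenBSD"
}

# Stand-alone use:
#   sh anonftp-check.sh audit   /var/spool/ftp/pub          # report findings
#   sh anonftp-check.sh fix     /var/spool/ftp/pub          # apply 555/444
#   sh anonftp-check.sh account "$(sudo grep '^ftp:' /etc/master.passwd)"
#   sh anonftp-check.sh demo                                # audit -> fix -> audit on a scratch tree
case "${1:-}" in
    audit)   audit_ftp_tree "$2" "${3:-root}" ;;
    fix)     set_ftp_modes "$2" ;;
    account) ftp_account_ok "$2" && echo "ftp account locked down" || echo "ftp account NOT locked down" ;;
    demo)
        d=$(mktemp -d); me=$(id -un)
        make_sample_tree "$d"
        echo "before:"; audit_ftp_tree "$d" "$me" || true
        set_ftp_modes "$d"
        echo "after:";  audit_ftp_tree "$d" "$me" && echo "clean"
        chmod -R u+w "$d"; rm -rf "$d" ;;
esac
```

The audit reports ownership with `! -user`, world-write with `-perm -002`, and execute bits with three ORed `-perm -` tests rather than `-perm /111`, so it runs unchanged under both BSD and GNU find.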
Re: FAQ 10: AnonFTP

Craig Skinner-3
On 2014-01-11 Sat 18:35 PM |, Craig R. Skinner wrote:

> $HOME of /var/spool/ftp instead of /home/ftp
>
> $SHELL of /sbin/nologin instead of /usr/bin/false
>
> 'useradd' instead of 'adduser', which sets a /home prefix
>
> Change the 'Directory Setup' section as the existing article duplicates
> what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> mirror.
>

Whoops, evidence it works:

$ grep ^/ /etc/shells
/bin/sh
/bin/csh
/bin/ksh
/bin/rksh

$ sudo userinfo ftp
Password:
login   ftp
passwd  *************
uid     212121
groups  ftp
change  NEVER
class
gecos   anonymous ftp
dir     /var/spool/ftp
shell   /sbin/nologin
expire  NEVER

$ grep ^ftp /etc/inetd.conf
ftp             stream  tcp     nowait  root    /usr/libexec/ftpd ftpd -4AlUS

$ cd $(mktemp -d)
$ ls

$ ftp -a ftp://localhost/pub/OpenBSD/5.4/ANNOUNCEMENT
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/OpenBSD/5.4/ANNOUNCEMENT
local: ANNOUNCEMENT remote: ANNOUNCEMENT
150 Opening BINARY mode data connection for 'ANNOUNCEMENT' (25686 bytes).
100% |************************************************************************************************| 25686       00:00
226 Transfer complete.
25686 bytes received in 0.03 seconds (867.99 KB/s)
221 Goodbye.

$ ftp -a ftp://localhost/pub/OpenBSD/5.4/ports.tar.gz
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/OpenBSD/5.4/ports.tar.gz
local: ports.tar.gz remote: ports.tar.gz
150 Opening BINARY mode data connection for 'ports.tar.gz' (22457239 bytes).
100% |************************************************************************************************| 21930 KB    00:03
226 Transfer complete.
22457239 bytes received in 3.28 seconds (6.53 MB/s)
221 Goodbye.

$ ftp -a ftp://localhost/pub/OpenBSD/5.4/packages/i386/passwdqc*
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/OpenBSD/5.4/packages/i386/passwdqc*
local: passwdqc-1.3.0.tgz remote: passwdqc-1.3.0.tgz
150 Opening BINARY mode data connection for 'passwdqc-1.3.0.tgz' (37483 bytes).
100% |************************************************************************************************| 37483       00:00
226 Transfer complete.
37483 bytes received in 0.01 seconds (5.89 MB/s)
221 Goodbye.

$ ftp -a ftp://localhost/pub/Sun/patches/1086*
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/Sun/patches/1086*
local: 108620-04.tar.Z remote: 108620-04.tar.Z
150 Opening BINARY mode data connection for '108620-04.tar.Z' (35733 bytes).
100% |************************************************************************************************| 35733       00:00
226 Transfer complete.
35733 bytes received in 0.02 seconds (1.81 MB/s)
local: 108673-02.tar.Z remote: 108673-02.tar.Z
150 Opening BINARY mode data connection for '108673-02.tar.Z' (772029 bytes).
100% |************************************************************************************************| 753 KB    00:00
226 Transfer complete.
772029 bytes received in 0.08 seconds (8.78 MB/s)
221 Goodbye.

$ ls -l
total 45672
-rw-r-----  1 me  wheel     35733 May 11  2009 108620-04.tar.Z
-rw-r-----  1 me  wheel    772029 May 11  2009 108673-02.tar.Z
-rw-r-----  1 me  wheel     25686 Oct 25 19:56 ANNOUNCEMENT
-rw-r-----  1 me  wheel     37483 Nov 28 22:26 passwdqc-1.3.0.tgz
-rw-r-----  1 me  wheel  22457239 Jul 30 00:47 ports.tar.gz

$ tail -n 5 /var/log/ftpd
Mon Jan 13 14:23:27 2014 1 localhost 25686 /pub/OpenBSD/5.4/ANNOUNCEMENT b * o a me@ ftp 0 *
Mon Jan 13 14:23:53 2014 4 localhost 22457239 /pub/OpenBSD/5.4/ports.tar.gz b * o a me@ ftp 0 *
Mon Jan 13 14:28:35 2014 1 localhost 37483 /pub/OpenBSD/5.4/packages/i386/passwdqc-1.3.0.tgz b * o a me@ ftp 0 *
Mon Jan 13 14:31:31 2014 1 localhost 35733 /pub/Sun/patches/108620-04.tar.Z b * o a me@ ftp 0 *
Mon Jan 13 14:31:31 2014 1 localhost 772029 /pub/Sun/patches/108673-02.tar.Z b * o a me@ ftp 0 *

$ last
ftp       ftp      localhost                Mon Jan 13 14:31 - 14:31 (00:00)
ftp       ftp      localhost                Mon Jan 13 14:28 - 14:28 (00:00)
ftp       ftp      localhost                Mon Jan 13 14:23 - 14:23 (00:00)
ftp       ftp      localhost                Mon Jan 13 14:23 - 14:23 (00:00)
...
...


Cheers,
--
Craig Skinner | http://web.hope-church-falkirk.org.uk/
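An added example, not from the thread: the /var/log/ftpd lines above are in the transfer-log layout ftpd(8) writes with -S, and this POSIX sh/awk snippet summarises such a log and flags anonymous uploads, which should never appear on a download-only server. The field positions are read off the lines in the post; the sample log in the block is constructed (the 192.0.2.7 upload is invented to exercise the check), and paths containing whitespace would shift the fields, which this example assumes never happens.

```shell
#!/bin/sh
# Added example (not from the FAQ or the thread): summarise /var/log/ftpd.
# Field layout as seen in the post's log lines (whitespace-separated):
#   $1-$5 date  $6 seconds  $7 remote host  $8 bytes  $9 path  $10 type (a/b)
#   $11 special-action flag  $12 direction (o=download, i=upload)
#   $13 access mode (a=anonymous, r=real user)  $14 username  $15 service
#   $16 authentication method  $17 authenticated user id

# Constructed sample log: the first two lines copy the shape of the post's
# output, the third is an invented anonymous upload to exercise the check.
SAMPLE_LOG='Mon Jan 13 14:23:27 2014 1 localhost 25686 /pub/OpenBSD/5.4/ANNOUNCEMENT b * o a me@ ftp 0 *
Mon Jan 13 14:23:53 2014 4 localhost 22457239 /pub/OpenBSD/5.4/ports.tar.gz b * o a me@ ftp 0 *
Tue Jan 14 09:01:02 2014 2 192.0.2.7 4096 /pub/incoming/dropped.tgz b * i a mozilla@ ftp 0 *'

# xferlog_summary < /var/log/ftpd
#   One line per "direction host": transfer count and total bytes, sorted.
xferlog_summary() {
    awk 'NF >= 17 { k = $12 " " $7; n[k]++; b[k] += $8 }
         END { for (k in n) printf "%s %d %d\n", k, n[k], b[k] }' | sort
}

# xferlog_anon_uploads < /var/log/ftpd
#   Prints every anonymous upload (direction i, access mode a) and returns 1
#   if any were found, 0 otherwise. On the read-only anonymous server this
#   FAQ section sets up, it should print nothing.
xferlog_anon_uploads() {
    awk 'NF >= 17 && $12 == "i" && $13 == "a" { found = 1; print }
         END { exit found ? 1 : 0 }'
}

# Stand-alone use:
#   sh ftpd-log.sh summary < /var/log/ftpd
#   sh ftpd-log.sh uploads < /var/log/ftpd
#   sh ftpd-log.sh demo        (runs both over SAMPLE_LOG)
case "${1:-}" in
    summary) xferlog_summary ;;
    uploads) xferlog_anon_uploads ;;
    demo)
        printf '%s\n' "$SAMPLE_LOG" | xferlog_summary
        printf '%s\n' "$SAMPLE_LOG" | xferlog_anon_uploads || echo "anonymous upload(s) found" ;;
esac
```

Lines with fewer than 17 fields (truncated writes, or a foreign format) are skipped rather than mis-parsed, so the totals only count complete transfer records.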

Re: FAQ 10: AnonFTP

Nick Holland
In reply to this post by Craig Skinner-3
On 01/11/14 13:35, Craig R. Skinner wrote:
> $HOME of /var/spool/ftp instead of /home/ftp

um.  There are a lot of choices for where to put your ftp's home...
/var/spool/ftp is not in my top five.  I see your reasoning in the diff
itself, but the most likely place I'd put an ftp home would be
/var/www/<site> so it could be served both by FTP and HTTP.

/var/spool/ftp is one of those things left over from another date and
time, right now, I have trouble imagining running an FTP server that
isn't also a http server for downloads...and I can't imagine expecting
Joe Average to be able to work an FTP client for uploads anymore, either.

> $SHELL of /sbin/nologin instead of /usr/bin/false

benefit?  to me, "nologin" sounds like the account is disabled, I think
I like /usr/bin/false slightly better philosophically.

> 'useradd' instead of 'adduser', which sets a /home prefix

bah.  I can never remember all the options of useradd, I much prefer
using adduser to get prompted for the options.

> Change the 'Directory Setup' section as the existing article duplicates
> what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> mirror.

which again, would be better served in /var/www/htdocs or something
similar in the httpd chroot.

All in all, I don't think this is an improvement, and certain things
(like /var/spool/ftp) I disagree with strongly.

If developers disagree with me, let me know, but otherwise not-ok.

Nick.

>
> Index: faq10.html
> ===================================================================
> RCS file: /cvs/www/faq/faq10.html,v
> retrieving revision 1.180
> diff -u -r1.180 faq10.html
> --- faq10.html 1 Nov 2013 14:05:56 -0000 1.180
> +++ faq10.html 11 Jan 2014 18:30:45 -0000
> @@ -963,115 +963,100 @@
>  <h3>Adding the FTP account</h3>
>  
>  <p>
> -To start off, you need to have an <i>ftp</i> account on your system.
> +To start off, you need to have an <i>ftp</i> user account on your system.
>  This account should not have a usable password. Here we will set the login
> -directory to /home/ftp, but you can put it wherever you want.
> +directory to the pre-existing <i>/var/spool/ftp</i>, as
> +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hier&amp;sektion=7">hier(7)</a>
> +says: '<i>Commonly ~ftp; the anonymous ftp root directory</i>'
> +but you can put it wherever you want, such as another disk partition:
> +
> +<blockquote><pre>
> +$ <b>fgrep ftp /etc/fstab</b>
> +/dev/sd3a /var/spool/ftp        ffs rw,nodev,nosuid,softdep,noatime             0 2
> +</pre></blockquote>
> +
>  When using anonymous ftp, the ftp daemon will chroot itself to the home
>  directory of the <i>ftp</i> user. To read up more on that, read the
>  <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&amp;sektion=8">ftpd(8)</a> and
>  <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&amp;sektion=2">chroot(2)</a>
>  man pages. Here is an example of adding the <i>ftp</i> user. I will do
>  this using
> -<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=adduser&amp;sektion=8">adduser(8)</a>.
> -We also need to add /usr/bin/false to our <i>/etc/shells</i>, this is
> -the &quot;shell&quot; that we will be giving to the <i>ftp</i> user.
> -This won't allow them to login, even though we will give them an empty
> -password. To do this you can simply do
> +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=useradd&amp;sektion=8">useradd(8)</a>.
>  
>  <blockquote><pre>
> -echo /usr/bin/false &gt;&gt; /etc/shells
> +$ <b>sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp</b>
> +
> +$ <b>sudo userinfo ftp</b>
> +login   ftp
> +passwd  *************
> +uid     212121
> +groups  ftp
> +change  NEVER
> +class
> +gecos   anonymous ftp
> +dir     /var/spool/ftp
> +shell   /sbin/nologin
> +expire  NEVER
> +
> +$ <b>grep ^ftp /etc/group</b>
> +ftp:*:212121:
>  </pre></blockquote>
>  
> -After this, you are ready to add the <i>ftp</i> user:
> +<h3>Directory Setup</h3>
> +
> +<p>
> +From a default OpenBSD install, <i>ftp</i>'s home directory is already
> +there, and mostly pre-populated for anonymous ftp duties:
> +</p>
>  
>  <blockquote><pre>
> -# <b>adduser</b>
> -Use option ``-silent'' if you don't want to see all warnings and questions.
> +$ <b>sudo ls -lAR /var/spool/ftp</b>
> +total 12
> +dr-x--x--x  2 root  wheel  512 Jul 30 18:52 bin
> +dr-x--x--x  2 root  wheel  512 Jul 30 18:52 etc
> +d--x--x--x  2 root  wheel  512 Jul 30 18:52 hidden
>  
> -Reading /etc/shells
> -Check /etc/master.passwd
> -Check /etc/group
> -
> -Ok, let's go.
> -Don't worry about mistakes. There will be a chance later to correct any input.
> -Enter username []: <b>ftp</b>
> -Enter full name []: <b>anonymous ftp</b>
> -Enter shell csh false ksh nologin sh [ksh]: <b>false</b>
> -Uid [1002]: <b><i>Enter</i></b>
> -Login group ftp [ftp]: <b><i>Enter</i></b>
> -Login group is ``ftp''. Invite ftp into other groups: guest no
> -[no]: <b>no</b>
> -Login class authpf daemon default staff [default]: <b><i>Enter</i></b>
> -Enter password []: <b><i>Enter</i></b>
> -Set the password so that user cannot logon? (y/n) [n]: <b>y</b>
> -
> -Name:        ftp
> -Password:    ****
> -Fullname:    anonymous ftp
> -Uid:         1002
> -Gid:         1002 (ftp)
> -Groups:      ftp
> -Login Class: default
> -HOME:        /home/ftp
> -Shell:       /usr/bin/false
> -OK? (y/n) [y]: <b>y</b>
> -Added user ``ftp''
> -Copy files from /etc/skel to /home/ftp
> -Add another user? (y/n) [y]: <b>n</b>
> -Goodbye!
> -</pre></blockquote>
> +/var/spool/ftp/bin:
>  
> -<h3>Directory Setup</h3>
> +/var/spool/ftp/etc:
> +
> +/var/spool/ftp/hidden:
> +
> +</pre></blockquote>
>  
>  <p>
> -Along with the user, this created the directory <i>/home/ftp</i>. This
> -is what we want, but there are some changes that we will have to make to
> -get it ready for anonymous ftp. Again these changes are explained in the
> -<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&amp;sektion=8">ftpd(8)</a> man page.
> +All we need to do is add the <b>pub</b>lic directory. In this example,
> +we'll also set up the directory structure for a local OpenBSD
> +ftp mirror, for both i386 &amp; sparc64 machines:
> +</p>
> +
> +<blockquote><pre>
> +$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}</b>
> +$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}</b>
> +$ <b>sudo find /var/spool/ftp</b>
> +/var/spool/ftp
> +/var/spool/ftp/bin
> +/var/spool/ftp/etc
> +/var/spool/ftp/hidden
> +/var/spool/ftp/pub
> +/var/spool/ftp/pub/OpenBSD
> +/var/spool/ftp/pub/OpenBSD/5.4
> +/var/spool/ftp/pub/OpenBSD/5.4/i386
> +/var/spool/ftp/pub/OpenBSD/5.4/sparc64
> +/var/spool/ftp/pub/OpenBSD/5.4/packages
> +/var/spool/ftp/pub/OpenBSD/5.4/packages/i386
> +/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64
> +</pre></blockquote>
>  
>  <p>
> -You <b>do not</b> need to make a /home/ftp/usr or /home/ftp/bin
> -directory.
> -<ul>
> -<li><i>/home/ftp</i> - This is the main directory. It should be owned by
> -root and have permissions of 555.
> -<li><i>/home/ftp/etc</i> - This is entirely optional and not
> -recommended, as it only serves to give out information on users which
> -exist on your box. If you want your anonymous ftp directory to appear to
> -have real users attached to your files, you should copy /etc/pwd.db and
> -/etc/group to this directory. This directory should be mode 511, and the
> -two files should be mode 444. These are used to give owner names as
> -opposed to numbers. There are no passwords stored in pwd.db, they are
> -all in spwd.db, so don't copy that over.
> -<li><i>/home/ftp/pub</i> - This is a standard directory to place files
> -in which you wish to share. This directory should also be mode 555.
> -</ul>
> -
> -<p>
> -Note that all these directories should be owned by ''root''. Here is a
> -listing of what the directories should look like after their creation.
> +Now we'll set the directory permissions so the <i>ftp</i> user can read,
> +and the <i>wheel</i> group can write (ftp get base tarballs and packages):
> +</p>
>  
>  <blockquote><pre>
> -# pwd
> -/home
> -# ls -laR ftp
> -total 5
> -dr-xr-xr-x  5 root  ftp    512 Jul  6 11:33 .
> -drwxr-xr-x  7 root  wheel  512 Jul  6 10:58 ..
> -dr-x--x--x  2 root  ftp    512 Jul  6 11:34 etc
> -dr-xr-xr-x  2 root  ftp    512 Jul  6 11:33 pub
> -
> -ftp/etc:
> -total 43
> -dr-x--x--x  2 root  ftp    512 Jul  6 11:34 .
> -dr-xr-xr-x  5 root  ftp    512 Jul  6 11:33 ..
> --r--r--r--  1 root  ftp    316 Jul  6 11:34 group
> --r--r--r--  1 root  ftp  40960 Jul  6 11:34 pwd.db
> -
> -ftp/pub:
> -total 2
> -dr-xr-xr-x  2 root  ftp  512 Jul  6 11:33 .
> -dr-xr-xr-x  5 root  ftp  512 Jul  6 11:33 ..
> +$ <b>sudo chown -R root:wheel /var/spool/ftp/pub</b>
> +$ <b>sudo chmod 555 /var/spool/ftp/pub</b>
> +$ <b>sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/</b>
>  </pre></blockquote>
>  
>  <h3>Starting up the server and logging</h3>
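Review bot: the new Directory Setup paragraph says ~ftp is "mostly pre-populated for anonymous ftp duties", but the `ls -lAR /var/spool/ftp` listing in the same hunk shows bin, etc and hidden all empty, and the hunk deletes the paragraph that explained what etc/ is for (optional copies of pwd.db and group, directory 511, files 444, never spwd.db). Either keep that paragraph or add one line saying what bin, etc and hidden are there for and that they may stay empty. The `useradd ... -u 212121 -g =uid` line also presents an arbitrary uid with no comment; say that any unused uid works so readers do not copy 212121 as a required value. The fstab line is a good addition; since the tree only serves downloads, noexec alongside nodev and nosuid is worth suggesting there.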

Re: FAQ 10: AnonFTP

Craig Skinner-3
In reply to this post by Craig Skinner-3
On 2014-01-13 Mon 14:52 PM |, Craig R. Skinner wrote:

> On 2014-01-11 Sat 18:35 PM |, Craig R. Skinner wrote:
> > $HOME of /var/spool/ftp instead of /home/ftp
> >
> > $SHELL of /sbin/nologin instead of /usr/bin/false
> >
> > 'useradd' instead of 'adduser', which sets a /home prefix
> >
> > Change the 'Directory Setup' section as the existing article duplicates
> > what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> > mirror.
> >
>
> Whoops, evidence it works:
>

Anyone else?

Plain text result from the earlier diff:
----------------------------------------


Adding the FTP account

To start off, you need to have an ftp user account on your system. This account should not have a usable password. Here we will set the login directory to the pre-existing /var/spool/ftp, as hier(7) says: 'Commonly ~ftp; the anonymous ftp root directory' but you can put it wherever you want, such as another disk partition:

    $ fgrep ftp /etc/fstab
    /dev/sd3a /var/spool/ftp        ffs rw,nodev,nosuid,softdep,noatime             0 2

When using anonymous ftp, the ftp daemon will chroot itself to the home directory of the ftp user. To read up more on that, read the ftpd(8) and chroot(2) man pages. Here is an example of adding the ftp user. I will do this using useradd(8).

    $ sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp

    $ sudo userinfo ftp
    login   ftp
    passwd  *************
    uid     212121
    groups  ftp
    change  NEVER
    class
    gecos   anonymous ftp
    dir     /var/spool/ftp
    shell   /sbin/nologin
    expire  NEVER

    $ grep ^ftp /etc/group
    ftp:*:212121:

Directory Setup

From a default OpenBSD install, ftp's home directory is already there, and mostly pre-populated for anonymous ftp duties:

    $ sudo ls -lAR /var/spool/ftp
    total 12
    dr-x--x--x  2 root  wheel  512 Jul 30 18:52 bin
    dr-x--x--x  2 root  wheel  512 Jul 30 18:52 etc
    d--x--x--x  2 root  wheel  512 Jul 30 18:52 hidden

    /var/spool/ftp/bin:

    /var/spool/ftp/etc:

    /var/spool/ftp/hidden:

All we need to do is add the public directory. In this example, we'll also set up the directory structure for a local OpenBSD ftp mirror, for both i386 & sparc64 machines:

    $ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}
    $ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}
    $ sudo find /var/spool/ftp
    /var/spool/ftp
    /var/spool/ftp/bin
    /var/spool/ftp/etc
    /var/spool/ftp/hidden
    /var/spool/ftp/pub
    /var/spool/ftp/pub/OpenBSD
    /var/spool/ftp/pub/OpenBSD/5.4
    /var/spool/ftp/pub/OpenBSD/5.4/i386
    /var/spool/ftp/pub/OpenBSD/5.4/sparc64
    /var/spool/ftp/pub/OpenBSD/5.4/packages
    /var/spool/ftp/pub/OpenBSD/5.4/packages/i386
    /var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64

Now we'll set the directory permissions so the ftp user can read, and the wheel group can write (ftp get base tarballs and packages):

    $ sudo chown -R root:wheel /var/spool/ftp/pub
    $ sudo chmod 555 /var/spool/ftp/pub
    $ sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/