$HOME of /var/spool/ftp instead of /home/ftp

$SHELL of /sbin/nologin instead of /usr/bin/false

'useradd' instead of 'adduser', which sets a /home prefix

Change the 'Directory Setup' section as the existing article duplicates
what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
mirror.

Index: faq10.html
===================================================================
RCS file: /cvs/www/faq/faq10.html,v
retrieving revision 1.180
diff -u -r1.180 faq10.html
--- faq10.html	1 Nov 2013 14:05:56 -0000	1.180
+++ faq10.html	11 Jan 2014 18:30:45 -0000
@@ -963,115 +963,100 @@ <h3>Adding the FTP account</h3> <p> -To start off, you need to have an <i>ftp</i> account on your system. +To start off, you need to have an <i>ftp</i> user account on your system. This account should not have a usable password. Here we will set the login -directory to /home/ftp, but you can put it wherever you want. +directory to the pre-existing <i>/var/spool/ftp</i>, as +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hier&sektion=7">hier(7)</a> +says: '<i>Commonly ~ftp; the anonymous ftp root directory</i>' +but you can put it wherever you want, such as another disk partition: + +<blockquote><pre> +$ <b>fgrep ftp /etc/fstab</b> +/dev/sd3a /var/spool/ftp ffs rw,nodev,nosuid,softdep,noatime 0 2 +</pre></blockquote> + When using anonymous ftp, the ftp daemon will chroot itself to the home directory of the <i>ftp</i> user. To read up more on that, read the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&sektion=2">chroot(2)</a> man pages. Here is an example of adding the <i>ftp</i> user. I will do this using -<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=adduser&sektion=8">adduser(8)</a>. -We also need to add /usr/bin/false to our <i>/etc/shells</i>, this is -the "shell" that we will be giving to the <i>ftp</i> user. -This won't allow them to login, even though we will give them an empty -password. To do this you can simply do +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=useradd&sektion=8">useradd(8)</a>. 
<blockquote><pre> -echo /usr/bin/false >> /etc/shells +$ <b>sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp</b> + +$ <b>sudo userinfo ftp</b> +login ftp +passwd ************* +uid 212121 +groups ftp +change NEVER +class +gecos anonymous ftp +dir /var/spool/ftp +shell /sbin/nologin +expire NEVER + +$ <b>grep ^ftp /etc/group</b> +ftp:*:212121: </pre></blockquote> -After this, you are ready to add the <i>ftp</i> user: +<h3>Directory Setup</h3> + +<p> +From a default OpenBSD install, <i>ftp</i>'s home directory is already +there, and mostly pre-populated for anonymous ftp duties: +</p> <blockquote><pre> -# <b>adduser</b> -Use option ``-silent'' if you don't want to see all warnings and questions. +$ <b>sudo ls -lAR /var/spool/ftp</b> +total 12 +dr-x--x--x 2 root wheel 512 Jul 30 18:52 bin +dr-x--x--x 2 root wheel 512 Jul 30 18:52 etc +d--x--x--x 2 root wheel 512 Jul 30 18:52 hidden -Reading /etc/shells -Check /etc/master.passwd -Check /etc/group - -Ok, let's go. -Don't worry about mistakes. There will be a chance later to correct any input. -Enter username []: <b>ftp</b> -Enter full name []: <b>anonymous ftp</b> -Enter shell csh false ksh nologin sh [ksh]: <b>false</b> -Uid [1002]: <b><i>Enter</i></b> -Login group ftp [ftp]: <b><i>Enter</i></b> -Login group is ``ftp''. Invite ftp into other groups: guest no -[no]: <b>no</b> -Login class authpf daemon default staff [default]: <b><i>Enter</i></b> -Enter password []: <b><i>Enter</i></b> -Set the password so that user cannot logon? (y/n) [n]: <b>y</b> - -Name: ftp -Password: **** -Fullname: anonymous ftp -Uid: 1002 -Gid: 1002 (ftp) -Groups: ftp -Login Class: default -HOME: /home/ftp -Shell: /usr/bin/false -OK? (y/n) [y]: <b>y</b> -Added user ``ftp'' -Copy files from /etc/skel to /home/ftp -Add another user? (y/n) [y]: <b>n</b> -Goodbye! 
-</pre></blockquote> +/var/spool/ftp/bin: -<h3>Directory Setup</h3> +/var/spool/ftp/etc: + +/var/spool/ftp/hidden: + +</pre></blockquote> <p> -Along with the user, this created the directory <i>/home/ftp</i>. This -is what we want, but there are some changes that we will have to make to -get it ready for anonymous ftp. Again these changes are explained in the -<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> man page. +All we need to do is add the <b>pub</b>lic directory. In this example, +we'll also set up the directory structure for a local OpenBSD +ftp mirror, for both i386 & sparc64 machines: +</p> + +<blockquote><pre> +$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}</b> +$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}</b> +$ <b>sudo find /var/spool/ftp</b> +/var/spool/ftp +/var/spool/ftp/bin +/var/spool/ftp/etc +/var/spool/ftp/hidden +/var/spool/ftp/pub +/var/spool/ftp/pub/OpenBSD +/var/spool/ftp/pub/OpenBSD/5.4 +/var/spool/ftp/pub/OpenBSD/5.4/i386 +/var/spool/ftp/pub/OpenBSD/5.4/sparc64 +/var/spool/ftp/pub/OpenBSD/5.4/packages +/var/spool/ftp/pub/OpenBSD/5.4/packages/i386 +/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64 +</pre></blockquote> <p> -You <b>do not</b> need to make a /home/ftp/usr or /home/ftp/bin -directory. -<ul> -<li><i>/home/ftp</i> - This is the main directory. It should be owned by -root and have permissions of 555. -<li><i>/home/ftp/etc</i> - This is entirely optional and not -recommended, as it only serves to give out information on users which -exist on your box. If you want your anonymous ftp directory to appear to -have real users attached to your files, you should copy /etc/pwd.db and -/etc/group to this directory. This directory should be mode 511, and the -two files should be mode 444. These are used to give owner names as -opposed to numbers. There are no passwords stored in pwd.db, they are -all in spwd.db, so don't copy that over. 
-<li><i>/home/ftp/pub</i> - This is a standard directory to place files -in which you wish to share. This directory should also be mode 555. -</ul> - -<p> -Note that all these directories should be owned by ''root''. Here is a -listing of what the directories should look like after their creation. +Now we'll set the directory permissions so the <i>ftp</i> user can read, +and the <i>wheel</i> group can write (ftp get base tarballs and packages): +</p> <blockquote><pre> -# pwd -/home -# ls -laR ftp -total 5 -dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 . -drwxr-xr-x 7 root wheel 512 Jul 6 10:58 .. -dr-x--x--x 2 root ftp 512 Jul 6 11:34 etc -dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 pub - -ftp/etc: -total 43 -dr-x--x--x 2 root ftp 512 Jul 6 11:34 . -dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 .. --r--r--r-- 1 root ftp 316 Jul 6 11:34 group --r--r--r-- 1 root ftp 40960 Jul 6 11:34 pwd.db - -ftp/pub: -total 2 -dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 . -dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 .. +$ <b>sudo chown -R root:wheel /var/spool/ftp/pub</b> +$ <b>sudo chmod 555 /var/spool/ftp/pub</b> +$ <b>sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/</b> </pre></blockquote> <h3>Starting up the server and logging</h3> |
On 2014-01-11 Sat 18:35 PM |, Craig R. Skinner wrote:
> $HOME of /var/spool/ftp instead of /home/ftp
>
> $SHELL of /sbin/nologin instead of /usr/bin/false
>
> 'useradd' instead of 'adduser', which sets a /home prefix
>
> Change the 'Directory Setup' section as the existing article duplicates
> what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> mirror.
>

Whoops, evidence it works:

$ grep ^/ /etc/shells
/bin/sh
/bin/csh
/bin/ksh
/bin/rksh

$ sudo userinfo ftp
Password:
login   ftp
passwd  *************
uid     212121
groups  ftp
change  NEVER
class
gecos   anonymous ftp
dir     /var/spool/ftp
shell   /sbin/nologin
expire  NEVER

$ grep ^ftp /etc/inetd.conf
ftp             stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -4AlUS

$ cd $(mktemp -d)
$ ls
$ ftp -a ftp://localhost/pub/OpenBSD/5.4/ANNOUNCEMENT
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/OpenBSD/5.4/ANNOUNCEMENT
local: ANNOUNCEMENT remote: ANNOUNCEMENT
150 Opening BINARY mode data connection for 'ANNOUNCEMENT' (25686 bytes).
100% |************************************************************************************************| 25686       00:00
226 Transfer complete.
25686 bytes received in 0.03 seconds (867.99 KB/s)
221 Goodbye.

$ ftp -a ftp://localhost/pub/OpenBSD/5.4/ports.tar.gz
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/OpenBSD/5.4/ports.tar.gz
local: ports.tar.gz remote: ports.tar.gz
150 Opening BINARY mode data connection for 'ports.tar.gz' (22457239 bytes).
100% |************************************************************************************************| 21930 KB    00:03
226 Transfer complete.
22457239 bytes received in 3.28 seconds (6.53 MB/s)
221 Goodbye.

$ ftp -a ftp://localhost/pub/OpenBSD/5.4/packages/i386/passwdqc*
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/OpenBSD/5.4/packages/i386/passwdqc*
local: passwdqc-1.3.0.tgz remote: passwdqc-1.3.0.tgz
150 Opening BINARY mode data connection for 'passwdqc-1.3.0.tgz' (37483 bytes).
100% |************************************************************************************************| 37483       00:00
226 Transfer complete.
37483 bytes received in 0.01 seconds (5.89 MB/s)
221 Goodbye.

$ ftp -a ftp://localhost/pub/Sun/patches/1086*
Connected to localhost.britvault.co.uk.
220 palm.britvault.co.uk FTP server ready.
331 Guest login ok, send your email address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
250 CWD command successful.
Retrieving pub/Sun/patches/1086*
local: 108620-04.tar.Z remote: 108620-04.tar.Z
150 Opening BINARY mode data connection for '108620-04.tar.Z' (35733 bytes).
100% |************************************************************************************************| 35733       00:00
226 Transfer complete.
35733 bytes received in 0.02 seconds (1.81 MB/s)
local: 108673-02.tar.Z remote: 108673-02.tar.Z
150 Opening BINARY mode data connection for '108673-02.tar.Z' (772029 bytes).
100% |************************************************************************************************|   753 KB    00:00
226 Transfer complete.
772029 bytes received in 0.08 seconds (8.78 MB/s)
221 Goodbye.

$ ls -l
total 45672
-rw-r-----  1 me  wheel     35733 May 11  2009 108620-04.tar.Z
-rw-r-----  1 me  wheel    772029 May 11  2009 108673-02.tar.Z
-rw-r-----  1 me  wheel     25686 Oct 25 19:56 ANNOUNCEMENT
-rw-r-----  1 me  wheel     37483 Nov 28 22:26 passwdqc-1.3.0.tgz
-rw-r-----  1 me  wheel  22457239 Jul 30 00:47 ports.tar.gz

$ tail -n 5 /var/log/ftpd
Mon Jan 13 14:23:27 2014 1 localhost 25686 /pub/OpenBSD/5.4/ANNOUNCEMENT b * o a me@ ftp 0 *
Mon Jan 13 14:23:53 2014 4 localhost 22457239 /pub/OpenBSD/5.4/ports.tar.gz b * o a me@ ftp 0 *
Mon Jan 13 14:28:35 2014 1 localhost 37483 /pub/OpenBSD/5.4/packages/i386/passwdqc-1.3.0.tgz b * o a me@ ftp 0 *
Mon Jan 13 14:31:31 2014 1 localhost 35733 /pub/Sun/patches/108620-04.tar.Z b * o a me@ ftp 0 *
Mon Jan 13 14:31:31 2014 1 localhost 772029 /pub/Sun/patches/108673-02.tar.Z b * o a me@ ftp 0 *

$ last
ftp        ftp      localhost        Mon Jan 13 14:31 - 14:31  (00:00)
ftp        ftp      localhost        Mon Jan 13 14:28 - 14:28  (00:00)
ftp        ftp      localhost        Mon Jan 13 14:23 - 14:23  (00:00)
ftp        ftp      localhost        Mon Jan 13 14:23 - 14:23  (00:00)
...
...

Cheers,
--
Craig Skinner | http://web.hope-church-falkirk.org.uk/
On 01/11/14 13:35, Craig R. Skinner wrote:
> $HOME of /var/spool/ftp instead of /home/ftp

um. There are a lot of choices for where to put your ftp's home...
/var/spool/ftp is not in my top five. I see your reasoning in the diff
itself, but the most likely place I'd put an ftp home would be
/var/www/<site> so it could be served both by FTP and HTTP.
/var/spool/ftp is one of those things left over from another date and
time, right now, I have trouble imagining running an FTP server that
isn't also a http server for downloads...and I can't imagine expecting
Joe Average to be able to work an FTP client for uploads anymore, either.

> $SHELL of /sbin/nologin instead of /usr/bin/false

benefit? to me, "nologin" sounds like the account is disabled, I think I
like /usr/bin/false slightly better philosophically.

> 'useradd' instead of 'adduser', which sets a /home prefix

bah. I can never remember all the options of useradd, I much prefer
using adduser to get prompted for the options.

> Change the 'Directory Setup' section as the existing article duplicates
> what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> mirror.

which again, would be better served in /var/www/htdocs or something
similar in the httpd chroot.

All in all, I don't think this is an improvement, and certain things
(like /var/spool/ftp) I disagree with strongly. If developers disagree
with me, let me know, but otherwise not-ok.

Nick.

>
> Index: faq10.html
> ===================================================================
> RCS file: /cvs/www/faq/faq10.html,v
> retrieving revision 1.180
> diff -u -r1.180 faq10.html
> --- faq10.html	1 Nov 2013 14:05:56 -0000	1.180
> +++ faq10.html	11 Jan 2014 18:30:45 -0000
> @@ -963,115 +963,100 @@ > <h3>Adding the FTP account</h3> > > <p> > -To start off, you need to have an <i>ftp</i> account on your system. > +To start off, you need to have an <i>ftp</i> user account on your system. > This account should not have a usable password. Here we will set the login > -directory to /home/ftp, but you can put it wherever you want. > +directory to the pre-existing <i>/var/spool/ftp</i>, as > +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hier&sektion=7">hier(7)</a> > +says: '<i>Commonly ~ftp; the anonymous ftp root directory</i>' > +but you can put it wherever you want, such as another disk partition: > + > +<blockquote><pre> > +$ <b>fgrep ftp /etc/fstab</b> > +/dev/sd3a /var/spool/ftp ffs rw,nodev,nosuid,softdep,noatime 0 2 > +</pre></blockquote> > + > When using anonymous ftp, the ftp daemon will chroot itself to the home > directory of the <i>ftp</i> user. To read up more on that, read the > <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> and > <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&sektion=2">chroot(2)</a> > man pages. Here is an example of adding the <i>ftp</i> user. I will do > this using > -<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=adduser&sektion=8">adduser(8)</a>. > -We also need to add /usr/bin/false to our <i>/etc/shells</i>, this is > -the "shell" that we will be giving to the <i>ftp</i> user. > -This won't allow them to login, even though we will give them an empty > -password. To do this you can simply do > +<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=useradd&sektion=8">useradd(8)</a>. 
> > <blockquote><pre> > -echo /usr/bin/false >> /etc/shells > +$ <b>sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp</b> > + > +$ <b>sudo userinfo ftp</b> > +login ftp > +passwd ************* > +uid 212121 > +groups ftp > +change NEVER > +class > +gecos anonymous ftp > +dir /var/spool/ftp > +shell /sbin/nologin > +expire NEVER > + > +$ <b>grep ^ftp /etc/group</b> > +ftp:*:212121: > </pre></blockquote> > > -After this, you are ready to add the <i>ftp</i> user: > +<h3>Directory Setup</h3> > + > +<p> > +From a default OpenBSD install, <i>ftp</i>'s home directory is already > +there, and mostly pre-populated for anonymous ftp duties: > +</p> > > <blockquote><pre> > -# <b>adduser</b> > -Use option ``-silent'' if you don't want to see all warnings and questions. > +$ <b>sudo ls -lAR /var/spool/ftp</b> > +total 12 > +dr-x--x--x 2 root wheel 512 Jul 30 18:52 bin > +dr-x--x--x 2 root wheel 512 Jul 30 18:52 etc > +d--x--x--x 2 root wheel 512 Jul 30 18:52 hidden > > -Reading /etc/shells > -Check /etc/master.passwd > -Check /etc/group > - > -Ok, let's go. > -Don't worry about mistakes. There will be a chance later to correct any input. > -Enter username []: <b>ftp</b> > -Enter full name []: <b>anonymous ftp</b> > -Enter shell csh false ksh nologin sh [ksh]: <b>false</b> > -Uid [1002]: <b><i>Enter</i></b> > -Login group ftp [ftp]: <b><i>Enter</i></b> > -Login group is ``ftp''. Invite ftp into other groups: guest no > -[no]: <b>no</b> > -Login class authpf daemon default staff [default]: <b><i>Enter</i></b> > -Enter password []: <b><i>Enter</i></b> > -Set the password so that user cannot logon? (y/n) [n]: <b>y</b> > - > -Name: ftp > -Password: **** > -Fullname: anonymous ftp > -Uid: 1002 > -Gid: 1002 (ftp) > -Groups: ftp > -Login Class: default > -HOME: /home/ftp > -Shell: /usr/bin/false > -OK? (y/n) [y]: <b>y</b> > -Added user ``ftp'' > -Copy files from /etc/skel to /home/ftp > -Add another user? (y/n) [y]: <b>n</b> > -Goodbye! 
> -</pre></blockquote> > +/var/spool/ftp/bin: > > -<h3>Directory Setup</h3> > +/var/spool/ftp/etc: > + > +/var/spool/ftp/hidden: > + > +</pre></blockquote> > > <p> > -Along with the user, this created the directory <i>/home/ftp</i>. This > -is what we want, but there are some changes that we will have to make to > -get it ready for anonymous ftp. Again these changes are explained in the > -<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&sektion=8">ftpd(8)</a> man page. > +All we need to do is add the <b>pub</b>lic directory. In this example, > +we'll also set up the directory structure for a local OpenBSD > +ftp mirror, for both i386 & sparc64 machines: > +</p> > + > +<blockquote><pre> > +$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}</b> > +$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}</b> > +$ <b>sudo find /var/spool/ftp</b> > +/var/spool/ftp > +/var/spool/ftp/bin > +/var/spool/ftp/etc > +/var/spool/ftp/hidden > +/var/spool/ftp/pub > +/var/spool/ftp/pub/OpenBSD > +/var/spool/ftp/pub/OpenBSD/5.4 > +/var/spool/ftp/pub/OpenBSD/5.4/i386 > +/var/spool/ftp/pub/OpenBSD/5.4/sparc64 > +/var/spool/ftp/pub/OpenBSD/5.4/packages > +/var/spool/ftp/pub/OpenBSD/5.4/packages/i386 > +/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64 > +</pre></blockquote> > > <p> > -You <b>do not</b> need to make a /home/ftp/usr or /home/ftp/bin > -directory. > -<ul> > -<li><i>/home/ftp</i> - This is the main directory. It should be owned by > -root and have permissions of 555. > -<li><i>/home/ftp/etc</i> - This is entirely optional and not > -recommended, as it only serves to give out information on users which > -exist on your box. If you want your anonymous ftp directory to appear to > -have real users attached to your files, you should copy /etc/pwd.db and > -/etc/group to this directory. This directory should be mode 511, and the > -two files should be mode 444. These are used to give owner names as > -opposed to numbers. 
There are no passwords stored in pwd.db, they are > -all in spwd.db, so don't copy that over. > -<li><i>/home/ftp/pub</i> - This is a standard directory to place files > -in which you wish to share. This directory should also be mode 555. > -</ul> > - > -<p> > -Note that all these directories should be owned by ''root''. Here is a > -listing of what the directories should look like after their creation. > +Now we'll set the directory permissions so the <i>ftp</i> user can read, > +and the <i>wheel</i> group can write (ftp get base tarballs and packages): > +</p> > > <blockquote><pre> > -# pwd > -/home > -# ls -laR ftp > -total 5 > -dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 . > -drwxr-xr-x 7 root wheel 512 Jul 6 10:58 .. > -dr-x--x--x 2 root ftp 512 Jul 6 11:34 etc > -dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 pub > - > -ftp/etc: > -total 43 > -dr-x--x--x 2 root ftp 512 Jul 6 11:34 . > -dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 .. > --r--r--r-- 1 root ftp 316 Jul 6 11:34 group > --r--r--r-- 1 root ftp 40960 Jul 6 11:34 pwd.db > - > -ftp/pub: > -total 2 > -dr-xr-xr-x 2 root ftp 512 Jul 6 11:33 . > -dr-xr-xr-x 5 root ftp 512 Jul 6 11:33 .. > +$ <b>sudo chown -R root:wheel /var/spool/ftp/pub</b> > +$ <b>sudo chmod 555 /var/spool/ftp/pub</b> > +$ <b>sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/</b> > </pre></blockquote> > > <h3>Starting up the server and logging</h3> |
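Review bot: the hunk deletes the old list item's guidance that only /etc/pwd.db and /etc/group belong in the chroot's etc directory and that spwd.db must never be copied there, but the replacement text leaves the pre-populated /var/spool/ftp/etc (shown empty in the `ls -lAR` output) unexplained, so a reader no longer learns what may and may not go in it; a sentence after "mostly pre-populated for anonymous ftp duties" saying that etc may stay empty, or hold copies of /etc/pwd.db and /etc/group only, would preserve that advice. The new fstab example also deserves a short remark that `nodev,nosuid` are the options that matter on a partition serving as an anonymous chroot root, since the line is otherwise presented only as a way to use another disk.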
On 2014-01-13 Mon 14:52 PM |, Craig R. Skinner wrote:
> On 2014-01-11 Sat 18:35 PM |, Craig R. Skinner wrote:
> > $HOME of /var/spool/ftp instead of /home/ftp
> >
> > $SHELL of /sbin/nologin instead of /usr/bin/false
> >
> > 'useradd' instead of 'adduser', which sets a /home prefix
> >
> > Change the 'Directory Setup' section as the existing article duplicates
> > what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> > mirror.
> >
> Whoops, evidence it works:
>

Anyone else?

Plain text result from the earlier diff:

----------------------------------------

Adding the FTP account

To start off, you need to have an ftp user account on your system. This
account should not have a usable password. Here we will set the login
directory to the pre-existing /var/spool/ftp, as hier(7) says:
'Commonly ~ftp; the anonymous ftp root directory' but you can put it
wherever you want, such as another disk partition:

$ fgrep ftp /etc/fstab
/dev/sd3a /var/spool/ftp ffs rw,nodev,nosuid,softdep,noatime 0 2

When using anonymous ftp, the ftp daemon will chroot itself to the home
directory of the ftp user. To read up more on that, read the ftpd(8) and
chroot(2) man pages. Here is an example of adding the ftp user. I will
do this using useradd(8).

$ sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s /sbin/nologin ftp

$ sudo userinfo ftp
login   ftp
passwd  *************
uid     212121
groups  ftp
change  NEVER
class
gecos   anonymous ftp
dir     /var/spool/ftp
shell   /sbin/nologin
expire  NEVER

$ grep ^ftp /etc/group
ftp:*:212121:

Directory Setup

From a default OpenBSD install, ftp's home directory is already there,
and mostly pre-populated for anonymous ftp duties:

$ sudo ls -lAR /var/spool/ftp
total 12
dr-x--x--x  2 root  wheel  512 Jul 30 18:52 bin
dr-x--x--x  2 root  wheel  512 Jul 30 18:52 etc
d--x--x--x  2 root  wheel  512 Jul 30 18:52 hidden

/var/spool/ftp/bin:

/var/spool/ftp/etc:

/var/spool/ftp/hidden:

All we need to do is add the public directory. In this example, we'll
also set up the directory structure for a local OpenBSD ftp mirror, for
both i386 & sparc64 machines:

$ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}
$ sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}
$ sudo find /var/spool/ftp
/var/spool/ftp
/var/spool/ftp/bin
/var/spool/ftp/etc
/var/spool/ftp/hidden
/var/spool/ftp/pub
/var/spool/ftp/pub/OpenBSD
/var/spool/ftp/pub/OpenBSD/5.4
/var/spool/ftp/pub/OpenBSD/5.4/i386
/var/spool/ftp/pub/OpenBSD/5.4/sparc64
/var/spool/ftp/pub/OpenBSD/5.4/packages
/var/spool/ftp/pub/OpenBSD/5.4/packages/i386
/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64

Now we'll set the directory permissions so the ftp user can read, and
the wheel group can write (ftp get base tarballs and packages):

$ sudo chown -R root:wheel /var/spool/ftp/pub
$ sudo chmod 555 /var/spool/ftp/pub
$ sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/
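An added check, written for this page and not part of the FAQ patch or of any post in the thread: a POSIX sh audit of an anonymous-ftp root after the chown/chmod steps above. Because ftpd chroots to the ftp user's home and the anonymous user is just "other" to the file system, the audit lists anything with the other-write bit, any setuid/setgid file, and, as a warning, regular files that picked up execute bits from a recursive numeric chmod such as `chmod -R 575`. The function names and the throwaway demo tree are my own; only sh, find, chmod and mktemp are used, and the default root is the FAQ's /var/spool/ftp.

```shell
#!/bin/sh
# Added example (not from the FAQ patch or the thread): audit an anonymous-ftp
# root after setting it up. Function names are my own; the default root is the
# FAQ's /var/spool/ftp. Only POSIX sh, find, chmod and mktemp are used.

# _scan ROOT FIND-TESTS...: print entries under ROOT matching the tests.
# Symlinks are skipped: the mode that matters is the target's, and the
# target is scanned as its own entry.
_scan() { top=$1; shift; find "$top" ! -type l "$@" -print 2>/dev/null; }

# Entries writable by "other", i.e. by the anonymous ftp user.
world_writable()   { _scan "$1" -perm -0002; }
# Group-writable entries (the FAQ intends wheel to maintain the mirror).
group_writable()   { _scan "$1" -perm -0020; }
# Regular files with any execute bit: what 'chmod -R 575' does to tarballs.
executable_files() { _scan "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \); }
# setuid/setgid files do not belong in an anonymous ftp tree at all.
setid_files()      { _scan "$1" -type f \( -perm -4000 -o -perm -2000 \); }

# count SCANNER ROOT: number of entries the scanner reports.
count() { "$@" | wc -l | tr -d ' '; }

# audit_ftp_root [ROOT]: print findings; return 0 only if nothing is
# world-writable or set-id. Executable and group-writable entries are
# reported but do not fail the audit.
audit_ftp_root() {
    root=${1:-/var/spool/ftp}
    rc=0
    if [ ! -d "$root" ]; then
        echo "no such directory: $root" >&2
        return 2
    fi
    n=$(count world_writable "$root")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n world-writable entries (anonymous users could write here):"
        world_writable "$root" | sed 's/^/  /'
        rc=1
    fi
    n=$(count setid_files "$root")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n setuid/setgid files:"
        setid_files "$root" | sed 's/^/  /'
        rc=1
    fi
    n=$(count executable_files "$root")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n regular files carry execute bits (recursive chmod on files?)"
    fi
    n=$(count group_writable "$root")
    if [ "$n" -gt 0 ]; then
        echo "INFO: $n entries are group-writable (mirror maintainers' group)"
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: nothing under $root is writable by the anonymous user"
    fi
    return "$rc"
}

# make_demo_tree: a throwaway tree laid out like the FAQ example with the
# FAQ's chmod commands applied, so the audit can run without a real server.
# The two empty files stand in for a release file and a package (constructed).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/pub/OpenBSD/5.4/i386" "$d/pub/OpenBSD/5.4/packages/i386"
    : > "$d/pub/OpenBSD/5.4/ANNOUNCEMENT"
    : > "$d/pub/OpenBSD/5.4/packages/i386/pkg.tgz"
    chmod 555 "$d/pub"
    chmod -R 575 "$d/pub/OpenBSD"   # the FAQ's mode, applied to files too
    echo "$d"
}

# remove_demo_tree DIR: give the owner write bits back, then delete.
remove_demo_tree() { chmod -R u+w "$1" && rm -rf "$1"; }

# Usage: sh ftp_audit.sh /var/spool/ftp   (audit a real root)
#        sh ftp_audit.sh demo             (audit the demo tree, then break it)
case "${1:-}" in
    demo)
        d=$(make_demo_tree)
        audit_ftp_root "$d"
        chmod o+w "$d/pub/OpenBSD/5.4/packages"   # simulate a mistake
        audit_ftp_root "$d" || echo "audit returned $?"
        remove_demo_tree "$d"
        ;;
    "") ;;
    *)  audit_ftp_root "$1" ;;
esac
```

On the FAQ's own layout the audit passes (nothing is other-writable) but warns that the two files are executable, which is the side effect of applying 575 recursively rather than using `chmod -R u=rX,g=rwX,o=rX`. The checks use find's permission bits rather than `test -w`, so the result is the same whether the script is run as root or as an ordinary user.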