Advanced Linux Networking

One popular use for FTP servers is to provide anonymous FTP access. As noted earlier in this chapter, anonymous FTP servers partially overlap in function with Web servers, so you might prefer to use only a Web server. On the other hand, using only an anonymous FTP server, or even using both, might be worthwhile in some situations. For instance, you might want both anonymous file retrieval and username/password login file transfer on one system, but have no need for HTTP. Running both might make sense as a convenience to your users, some of whom might prefer or have readier access to just one type of client program.

Before setting up an anonymous FTP server, you should be aware of the special needs and security concerns that come with these servers. Indeed, these issues may be critical in your decision of whether to run an anonymous FTP server. Once you've made the decision, you'll need to dig into your FTP server's configuration files to set up the appropriate options to allow anonymous FTP access. You may also need to modify additional options on your system, such as directory permissions.

Special Needs of Anonymous Servers

The usual purpose of an anonymous FTP server is to deliver files from the server to the client. You might set up such a server to hold software, documentation files, and so on that you want to be publicly available. You can link to these files by specifying a URL in a Web page that begins with ftp://, such as ftp://ftp.threeroomco.com/pub/manual.pdf. A couple of points in this description deserve special emphasis:

  • The files on an anonymous FTP site are generally transferred from the server to the client, much as in a typical Web server configuration. For this reason, anonymous FTP configurations usually disallow file uploads. There are exceptions to this rule, but these are generally accompanied by configurations that immediately hide the uploaded files from callers, to prevent the site from becoming a trading post for illicit materials. If you need to receive files from others, you may want to set up a regular FTP server and give a username and password to the individual from whom you need to receive files. You might also consider exchanging documents via e-mail.

  • The files on an anonymous FTP site are publicly available. This means you should never place confidential material on such a server. In order to protect the server's own OS files and the files of any regular users, anonymous FTP servers restrict the anonymous access to a special directory tree; everything outside of that tree is off limits. Most FTP servers use the chroot() system call to create a chroot jail, as described in Chapter 23, to accomplish this goal.

WARNING

Although a chroot jail can be a useful security tool, it's not foolproof. The best practice is to keep sensitive data off of the anonymous FTP server so that it won't fall into the wrong hands should a miscreant break out of the chroot jail.

Because the FTP server runs in a chroot jail, you may need to copy some system configuration files into the chroot jail directory. Many FTP server packages for Linux already include appropriate copies of the critical system files. Some servers, including ProFTPd, are able to read some of their configuration files before locking themselves in the chroot jail, so the number of files that must be copied is minimal.

Some configurations, such as those generally used with ProFTPd, work best with a chroot jail if the server is run from a SysV startup script. Other configurations, such as those generally used with WU-FTPD, permit anonymous server configurations even when the server is run from a super server. The trick is that the chroot() system call can only be used by a program that's run as root. If your super server configuration for the FTP server calls the FTP server as anything but root, it won't be able to set up the chroot jail. (The username-setting options in FTP server configuration files generally operate after the chroot() call; until that time, a server run from a SysV or local startup script runs as root.)

Anonymous FTP servers require that certain files reside in particular directories. These are described in the upcoming section, "Setting Up an Anonymous Directory Tree."

Security Concerns of Anonymous Servers

Anonymous FTP servers, because they are normally accessible to the outside world, are a potential security threat. In theory, this threat need not be any greater than the threat from, say, Web or mail servers. In practice, though, anonymous FTP's risk may be somewhat greater. Part of the reason for this is that FTP servers, and WU-FTPD in particular, have a less than stellar security history. A further part of the problem is that FTP was designed for two-way file transfer, so a security flaw that allows a user to break out of the chroot jail may allow the user to overwrite critical system files, or at least arbitrary user files. A mail server, by contrast, gives an attacker less leverage, because the mail is processed in certain specified ways. (To be sure, bugs in mail servers have been discovered that can be used to acquire more power.)

On the plus side, a server that functions only as an anonymous FTP server doesn't pose a risk due to the transfer of usernames and passwords, as is a concern for a non-anonymous FTP server. The anonymous FTP server accepts all comers and any password, so there are no sensitive passwords to be compromised. Thus, in some respects, an anonymous server can be more secure than a non-anonymous server.

Because a single FTP server can be configured to perform both anonymous and non-anonymous operations, you run the risk of getting the worst of both worlds if you run both types of FTP server configurations on one system. Your best bet when running an anonymous FTP server is to configure it to accept only anonymous access, at least from the outside world. Minimize the number of user accounts on the system, and don't run unnecessary servers or store any sensitive data on the computer. These steps can help minimize the damage should your anonymous FTP server be compromised.

Setting Anonymous Options

Most FTP packages that ship with Linux distributions include operational or almost-operational anonymous FTP configurations. You may need to fine-tune these configurations to get the system truly working, though. This section describes the options in WU-FTPD and ProFTPd that accomplish this task, beginning with the creation of the directory tree that's common to both servers and moving on to server-specific configuration options.

Setting Up an Anonymous Directory Tree

The first step to creating an anonymous FTP site is creating an appropriate directory tree. A common choice for this tree's location is /home/ftp, but you can place it somewhere else if you prefer. In most cases, this tree should be owned by root or a user who is to maintain the FTP site, and have 755 (rwxr-xr-x) permissions. This allows the administrator to edit files in the directory, but it gives nobody else write access. In particular, the ftp user (or whatever username you use for anonymous access) can't write to the anonymous FTP directory. Subdirectories and files should follow the same pattern, although most files will lack the execute permission bit.

A typical anonymous FTP directory contains subdirectories as follows:

  • pub: This is the traditional location for the files that users will access. You can structure it in whatever way you feel is appropriate and populate it with whatever files you like. Be sure that all files are world readable, or at least readable by the ftp user.

  • bin: The FTP server may call other programs to perform some functions. These programs must be accessible in the /bin directory (relative to the root created by chroot()). Most commonly, ls is required. You may also need tar, gzip, and zcat (this being a symbolic link to gzip). In FTP packages, the directory of this name may include executables that are larger than the ones in the main computer's /bin directory, because the FTP directory's executables are built statically linked, so as to obviate the need for separate library files, as described next. Be sure that your executable programs in this directory have their execute bits set.

  • lib: This directory contains dynamic library files that are used by the binary files in /bin. If you copy binary files from your regular /bin directory, you can use the ldd command to determine what library files you must copy to the FTP tree's lib directory to match. For instance, you can type ldd /bin/ls to learn what libraries ls requires.

  • etc: The FTP server may rely upon two files from the /etc directory to do its work: passwd and group. You don't need to (and should probably not) copy your entire regular passwd and group files. The most critical entry is the one for ftp, or whatever username you use for anonymous access.

Once you've set up these directories and files, the basic directory structure should be adequate. You may need to add a few more files, or modify existing files, for particular purposes. For instance, if you add the ability to compress files using a tool other than gzip, you'll need to copy an appropriate executable to the FTP server's /bin directory.
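The steps above can be collected into one script. The following is an added example, not part of the original text: the function name, the ftp UID and GID, and the passwd entry are assumed values. It also goes slightly beyond the text by copying each library to the same absolute path that ldd reports (under the jail root) rather than into a flat lib directory, which is what dynamically linked binaries on current distributions need.

```shell
#!/bin/sh
# Added example: create the anonymous FTP tree described above.
# Usage: build_anon_tree /home/ftp
# Assumed values (not from the text): the account name, UID and GID below.
FTP_USER=${FTP_USER:-ftp}; FTP_UID=${FTP_UID:-14}; FTP_GID=${FTP_GID:-50}

build_anon_tree() {
    root=$1
    [ -n "$root" ] || { echo "usage: build_anon_tree DIR" >&2; return 2; }
    umask 022    # nothing created below is group- or world-writable
    mkdir -p "$root/pub" "$root/bin" "$root/lib" "$root/etc" || return 1
    chmod 755 "$root" "$root/pub" "$root/bin" "$root/lib" "$root/etc"

    # Jail-local passwd and group: only the anonymous account, with a locked
    # password field, so no real hashes are exposed inside the jail.
    printf '%s:*:%s:%s:Anonymous FTP:/:/sbin/nologin\n' \
        "$FTP_USER" "$FTP_UID" "$FTP_GID" > "$root/etc/passwd"
    printf '%s:*:%s:\n' "$FTP_USER" "$FTP_GID" > "$root/etc/group"
    chmod 644 "$root/etc/passwd" "$root/etc/group"

    # ls is the helper most servers need; copy it with its execute bits set.
    ls_bin=/bin/ls
    [ -x "$ls_bin" ] || ls_bin=$(command -v ls)
    cp "$ls_bin" "$root/bin/ls" && chmod 755 "$root/bin/ls" || return 1

    # ldd prints each library's absolute path; copy it to the same path
    # inside the jail so the dynamic loader finds it after chroot().
    ldd "$ls_bin" 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
    while read -r lib; do
        mkdir -p "$root$(dirname "$lib")" &&
            cp "$lib" "$root$lib" || echo "could not copy $lib" >&2
    done

    # Root owns the tree when we have the privilege to set that.
    if [ "$(id -u)" -eq 0 ]; then chown -R 0:0 "$root"; fi
}
```

Populate pub afterward with world-readable files; a statically linked ls needs no libraries, in which case the ldd step copies nothing.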

WU-FTPD Anonymous Options

The most important anonymous FTP server configuration options for WU-FTPD appear in the /etc/ftpaccess file. Specifically, you may need to set or adjust the following options:

  • class: You must create a class that includes anonymous access. This class may be the same as a class for other types of access.

  • compress, tar, chmod, delete, overwrite, and rename: These options, described earlier, allow you to specify who may issue commands that involve specific types of options. You may want to exclude anonymous users from the last four of these to prevent them from changing files on the server. This setting may be redundant with filesystem controls, but redundancy can be useful in the event one type of control malfunctions or is misconfigured.

  • anonymous-root: Set this option to the root directory for the chroot jail in which WU-FTPD will run itself.

Most WU-FTPD configurations run from a super server with root privileges. When such a system receives an anonymous login, it spawns a subprocess as ftp, so WU-FTPD can run an anonymous server even from a super server.

ProFTPd Anonymous Options

The main ProFTPd options for configuring an anonymous FTP server appear in the proftpd.conf file, along with the other major server options. A simple but workable anonymous FTP configuration in this file might resemble the following:

<Anonymous /home/ftp>
  User ftp
  Group ftp
  # We want clients to be able to login with "anonymous" as well as
  # "ftp"
  UserAlias anonymous ftp
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

Some key points about this configuration include the following:

  • The <Anonymous> directive grouping is the key to the ProFTPd anonymous access configuration. When this directive is present, ProFTPd knows to handle matching logins somewhat differently than normal: namely, to create a chroot jail in the specified directory (/home/ftp in this example).

  • The User and Group directives tell ProFTPd which username and group name to use for the anonymous server configuration. ProFTPd launches itself and then spawns a subprocess under the appropriate username and group. You should be sure that your FTP directory configuration is accessible to the username and group you choose.

  • The UserAlias directive tells ProFTPd to admit users who type anonymous as the username as anonymous users.

  • The <Limit WRITE> grouping tells ProFTPd to deny write access to all users. If you set up your permissions appropriately in the anonymous FTP directory tree, this setting should be redundant. Redundant security measures are a good precaution, though; in case one setting is in error or subject to a bug, the other should provide protection.

  • If you wanted to create a pseudo-anonymous server that takes an anonymous username but requires a password, you could use the AnonRequiresPassword on directive. You would then also need to set an appropriate password in /etc/passwd or /etc/shadow. (ProFTPd will authenticate the user before locking itself in its chroot jail, so use your system's password file, not the matching file in the chroot jail directory.)

If you want the server to function only as an anonymous FTP server, you should take steps to limit or eliminate FTP access to ordinary users. If possible, run the FTP server on a computer that supports just the bare minimum of administrative users, and deny them access by entering their usernames in the /etc/ftpusers file.
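Because the server's write restrictions are meant to be redundant with filesystem permissions, it is worth checking the filesystem half on its own. The following audit is an added example, not part of the original text: the function name and finding labels are hypothetical, and treating root as the only acceptable extra account in the jail's passwd file is an assumption.

```shell
#!/bin/sh
# Added example: audit an anonymous FTP tree against the layout in this
# chapter. Prints one finding per line and returns 1 if anything was found.
# Usage: audit_anon_tree /home/ftp [anonymous-username]
audit_anon_tree() {
    root=$1 user=${2:-ftp}
    findings=$(
        # Anything group- or world-writable can be changed by the ftp user.
        find "$root" ! -type l \( -perm -020 -o -perm -002 \) |
            sed 's/^/WRITABLE /'
        # Files owned by the anonymous account can be written or chmod-ed by
        # it. The UID is read from the jail's own passwd file.
        uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' \
            "$root/etc/passwd" 2>/dev/null)
        if [ -n "$uid" ]; then
            find "$root" -user "$uid" | sed 's/^/OWNED-BY-ANON /'
        fi
        # pub must be world readable; helpers in bin need their execute bit.
        find "$root/pub" -type f ! -perm -004 | sed 's/^/UNREADABLE /'
        find "$root/bin" -type f ! -perm -001 | sed 's/^/NOT-EXECUTABLE /'
        # The jail's passwd should hold no usable password fields and no
        # accounts beyond the anonymous user (root is tolerated here).
        awk -F: -v u="$user" '
            $2 !~ /^[*x!]+$/       { print "PASSWD-FIELD " $1 }
            $1 != u && $1 != "root" { print "EXTRA-ACCOUNT " $1 }
        ' "$root/etc/passwd" 2>/dev/null
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it from cron or after each content update; any output means the directory tree no longer backs up the <Limit WRITE> or ftpaccess restrictions.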
