Administering TCP/IP

Setting up anonymous ftp

The ftp server included in the system provides support for an anonymous ftp account. Because of the inherent security problems with such a facility, you should read this section carefully if you want to provide such a service.

When a client accesses the anonymous ftp account, a chroot(ADM) system call is performed by the server to restrict the client from moving outside that part of the filesystem where the ftp home directory is located. Because a chroot call is used, certain programs and files used by the server process must be placed in the ftp home directory.

It is recommended that you use the FTP Manager to setup anonymous FTP, as shown in the procedure below, since it will install these files for you under the FTP home directory.

Start up the FTP Manager by entering:
```
   scoadmin ftp
```
from a shell prompt, or by selecting System Administration->Networks->ftp from the Desktop.
Select FTP->Anonymous->Configure. The FTP Configuration window is displayed.
Use the Suggest and Choose buttons to select the home directory and user ID for anonymous FTP. Uncheck the Allow Incoming Tranfers check box if you don't want to allow remote users to transfer files onto your system. Select OK when you are finished. A message is displayed indicating that the anonymous ftp user has been successfully created. Select OK.
Select Home->Anonymous FTP->Install to copy all the required files into the FTP home directory. The Anonymous FTP Home Directory window is displayed. Uncheck the Allow Incoming Transfers check box if you don't want to allow remote users to transfer files onto your system. Select OK when you are finished. A report window is displayed showing the results of copying the files into the FTP home directory. Check the output (note that it may contain error messages for uninstalled components that can be ignored). Select OK when you are finshed.
Select Home->Exit to close the FTP Manager.

You should now be able to use the ftp command from other systems to reach your system's FTP server and log into the system. Similary, remote browsers should be able to list the FTP home directory using the URL ftp://servername where servername is the network name or IP address of your system.

Files put in the anonymous FTP home directory by local users should be placed in a subdirectory. In the setup described here, the directory ~ftp/pub is used.

WARNING: Another issue to consider is the /etc/passwd file placed in ~/ftp/etc/passwd. Because anonymous ftp does not actually use the password stored in the encrypted password field, you should edit the copied file to contain blanks in this field such that anonymous users cannot obtain the encrypted passwords.

For example, you could edit the following line in ~/ftp/etc/passwd:

   root:UDOkW7PLd1/ZQ,..EI:0:3:Superuser:/:

to read:

   root::0:3:Superuser:/:

The ftp server provides a security loophole if certain user accounts are allowed. To prevent this, the file /etc/ftpusers is checked on each connection. If the requested user name is located in the file, the request for service is denied. This file should be owned by root in the sys group, have permissions set to 444, and contain at least the following names:

   uucp
   root

Accounts with nonstandard shells should be listed in this file. Accounts without passwords need not be listed in this file; the ftp server does not service these users.