Chinaunix首页 | 论坛 | 博客
  • 博客访问: 2534650
  • 博文数量: 609
  • 博客积分: 10061
  • 博客等级: 上将
  • 技术积分: 5920
  • 用 户 组: 普通用户
  • 注册时间: 2008-06-25 08:30
文章分类

全部博文(609)

文章存档

2010年(13)

2009年(39)

2008年(558)

我的朋友

分类:

2008-09-14 11:19:33

Document
ProFTPD Server Configuration
Author
Mark



What Is It

ProFTPD is a freeware FTP daemon distributed under the GNU Public License. It provides a large number of features that have resulted in it being chosen as the default FTP server on the machines I administer..

The installation of the ProFTPD is controlled by the package subsystem, thus it is quite easy to install and upgrade when new versions become available.

The main web site for the software is .



Installation Of The Software

Remeber to back up your original proftpd.conf file if upgrading!!!

the package and install it with:

    # umask 0
    # gunzip -c proftpd.1.2.0.p10.SPARC.Solaris.2.6.pkg.tgz | /usr/bin/tar -xvvf -
    # pkgadd -d. proftpd
    # rm -rf proftpd
    # cp /bin/true /bin/ftponly
    # chmod 755 /bin/ftponly
    # /bin/chown root:root /bin/ftponly
    # echo "/bin/ftponly" >> /etc/shells
If necessary, create the user ftp with its home directory on a sufficiently big file system, owned by ftp, group ftp, mode 0755. The ftp user should have /bin/ftponly as its shell.

Install this line in /etc/inetd.conf:

ftp   stream tcp   nowait root   /usr/local/etc/in.proftpd   in.proftpd



Configuration Of The Daemon

Below is an annotated copy of a proftpd.conf file which achieves several outcomes useful to me.

Firstly, the global server configuration:

###########################################
#
# Server Configuration
#
###########################################

ServerName                   "This is a FTP Server"
ServerType                   inetd
DefaultServer                on
Port                         21
Umask                        022
MaxInstances                 100
User                         nobody
Group                        nobody

   AllowOverwrite            on


The above defines the connection message, server mode, (inetd or standalone), port to listen on, default umask value and the user id and group id to run as. It also allows people to write/read/list their files by default.

###########################################
#
# FTP only home directories
#
###########################################


   User                    foo
   Group                   bar
   UserAlias               applic-ftp foo
   AnonRequirePassword     on
   DirFakeUser             on applicuser
   DirFakeGroup            on applicgrp
   DirFakeMode             0644
   
      AllowAll
   



The above enables a user to log in as applic-ftp and be placed directly into the /opt/applic/spool directory, with the user id of foo and group id of bar. They login is applic-ftp but they are required to enter the password for foo to be authenticated.

The second part of the section shows how to have all files displayed as owned by applicuser user id and applicgrp group id, with file permissions appearing as always being 0644, irrespective of what they really are. These options may be used for security reasons, but care must be taken to not trust the ftp output if problems arise with the real file permissions. If the file modes appear as 0644 but the real modes are 0600 then strange errors may be encountered. For this and other reasons we wouldn't generally use the attribute faking commands.


   User                    joe
   Group                   prod
   UserPassword            joe afwhf%2gf9gfh
   AnonRequirePassword     on
   
       AllowAll
   



This section shows how to have FTP only accounts for users who require them in addition to their normal application usage. If you include a UserPassword line with any user id and a password encrypted with crypt(3) then the username will be validated with the encrypted password specified. We need to do this since the user may not have a password in the unix /etc/shadowfile, but we want to have them be validated. This might be the case where the shell they run handles the authentication. There is an issue in that an admin has to manually paste in the crypted password.

In the above example the user is locked into the /usr/local/spool/applic/joe directory with full access to his/her files. They are unable to wander the rest of the system.

To summarize, if you have accounts that have no passwords so users can run an application but you have, for instance, a maintainer of the application files then you can give the maintainer the password and only he or she can use the FTP access.

If you simply had straight out FTP only accounts then it's even simpler, have /bin/ftponly as their shell and have a slightly modified version of the above, (no UserPassword line), and they can log into the directory and not go anywhere else. The documentation has examples of other setups. It's worth perservering. (Now what do I mean by that :)

###########################################
#
# Anonymous FTP
#
###########################################


   User                      ftp
   Group                     ftp
   UserAlias                 anonymous ftp
   MaxClients                100
   DisplayLogin              welcome.msg
   DisplayFirstChdir         .message
   # Limit WRITE everywhere in the anonymous chroot
   
       DenyAll
   



This is the anonymous FTP section. It includes directives that tell the FTP server to accept anonymous as a valid alternative to the ftp username. None of the usernames require a valid password to be entered. Writing anywhere in the ftp directory structure is explicitly denied, although this could be overwritten for specific directories with a sub-section.



Email To
Send email to proftpd@proftpd.net

Solaris Issues
Each proftpd package requires installation on the Solaris release it was built on. Only install the correct version for your system.

Click to read about the 32 bit and 64 bit Solaris 7 and 8 packages.

Source Code
You can download the source code from

Special Issues
See the main packages for installation information.
阅读(1126) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~