2008-05-09 20:14:16

Setting Up an Anonymous FTP Account
 
  An anonymous FTP account is a way for you to make information on your system available to anybody, while still restricting access to your system. An anonymous FTP account lets anybody log in to your system as the "anonymous" or "ftp" user. The FTP daemon does a chroot to the FTP home directory (~ftp) for anonymous FTP users, which effectively prevents them from accessing parts of the system that are not subdirectories of ~ftp.  The following procedure is designed to help you set up a network-accessible anonymous FTP account.
 
  1. Create the anonymous FTP user entry in /etc/passwd. The username should be ftp. Put an asterisk (*) in the password field, and assign user and group IDs, a home directory, and a login shell. The following is an example of a typical entry in /etc/passwd for the anonymous FTP account:
    ftp:*:997:995:Anonymous FTP Account:/disk2/ftp:/dev/null

    The login shell /dev/null is recommended but not required, and the home directory can be anywhere, with reservations as explained in the next step.

    Tip: For public servers, Silicon Graphics recommends that you create a shadow password file. Run the pwconv command from the /etc directory:

    # pwconv

    This command updates the contents of /etc/passwd and moves encrypted passwords to /etc/shadow, which is then inaccessible to non-privileged users.

  2. Create an FTP home directory. This may be wherever you like but, especially if you are going to allow writes to it, it should probably be on a separate partition from / or /usr. That way, if the partition fills up, it will not disable basic system operations. In this example procedure, /disk2/ftp is the name of the anonymous FTP directory. First, make the directory:
    # mkdir /disk2/ftp

    Then, if it is a separate disk or disk partition, you can mount the device on it. The anonymous FTP home directory you make must be the same one you specify in the /etc/passwd file.

  3. Change directory to the ftp home directory and create the subdirectories used for FTP access:
    # cd /disk2/ftp
    # mkdir bin dev etc lib lib32 pub incoming

    In addition to the standard bin, dev, etc, lib, and pub directories, you may wish to create an incoming directory for incoming files.

  4. Copy the ls command from /sbin to ~ftp/bin:
    # cp /sbin/ls bin

    Note: In order for the ls command to work with an IRIX 6.5.x system, perform the following steps:

    # cp /lib32/libc.so.1 /disk2/ftp/lib32
    # cp /lib32/rld /disk2/ftp/lib32
    # chmod -R 555 /disk2/ftp/lib32
  5. Copy /etc/passwd and /etc/group to ~ftp/etc and edit them to an acceptable minimum:
    # cp /etc/passwd /etc/group etc

    A good choice for the contents of ~ftp/etc/passwd might be the following (the ftp entry must match the one you created in /etc/passwd in step 1, including the user and group IDs):

    root:*:0:0:Super-User:/:/dev/null
    bin:*:2:2:System Tools Owner:/bin:/dev/null
    sys:*:4:0:System Activity Owner:/var/adm:/dev/null
    ftp:*:997:995:Anonymous FTP Account:/disk2/ftp:/dev/null

    A good choice for the contents of ~ftp/etc/group might be

    sys:*:0:
    other::995:
    guest:*:998:
  6. Add appropriate device and library files for anonymous FTP as follows:
    # /sbin/mknod dev/zero c 37 0
    # cp /lib/libc.so.1 /lib/rld lib

    The runtime linker rld uses dev/zero to obtain zero-filled memory pages when it loads shared libraries, so a dynamically linked ~ftp/bin/ls will not run inside the chroot without it; ~ftp/bin/ls also requires the library files. (On IRIX 6.5.x, ls needs the lib32 copies from the note in step 4 instead.)

  7. Set restrictive permissions on ~ftp/etc/passwd, ~ftp/etc/group and ~ftp/dev/zero:
    # chmod 444 etc/* dev/*
  8. Make sure the bin, dev, etc, lib and ~ftp directories are owned by root, with group being sys, having restricted write permission:
    # chown root.sys bin dev etc lib .
    # chmod 511 bin dev etc lib .

    In the chown command, the dot separates owner and group.

  9. For the pub directory, set the owner to root, the group to sys, and global read and access permission:
    # chown root.sys pub
    # chmod 755 pub
  10. If you created an incoming directory, set the permissions to allow anybody to write there but not to read its contents:
    # chown ftp.other incoming
    # chmod 333 incoming

    Any FTP user can now get or put files in the incoming directory, but they must know the name of the file beforehand, because they cannot list directory contents.

    Caution: By allowing write permission, you make it possible for anonymous FTP users to fill the entire disk partition, and anything they upload can be retrieved by anyone who knows the file name, so review and purge the incoming directory regularly.

  11. As a security precaution, add the following entry to the /etc/aliases file to cause mail sent to the user ftp to be intercepted by the postmaster:
    ftp: postmaster

    Run the command newaliases to make this take effect.

  12. Note that if you use one -l argument with ftpd, you record only successful and failed FTP login attempts. With two (-ll), you also record the retrieve (get), store (put), append, delete, make directory, remove directory, and rename operations (and their filename arguments) performed during FTP login sessions. With three (-lll), the report also includes the number of bytes transferred in get and put operations.

    For example, the following entry in /etc/inetd.conf means FTP sessions and get or put operations (excluding byte count) are logged in /var/adm/SYSLOG:

    ftp     stream  tcp     nowait  root    /usr/etc/ftpd   ftpd -ll
  13. Once you have edited /etc/inetd.conf, restart inetd with the following command:
    # /etc/killall -HUP inetd

    Note: Although FTP logging records in /var/adm/SYSLOG show any passwords entered by users logging in, no password checking is done for anonymous FTP. The convention is for anonymous users to enter their e-mail addresses for passwords, but they could just as easily enter another user's address or anything at all.

  14. Do not loosen the mode of the FTP home directory afterwards. Running chmod 777 /disk2/ftp would undo step 8 and let anonymous users create files in the root of the chroot; keep ~ftp owned by root with mode 511 and confine anonymous writes to the incoming directory set up in step 10.

That's all, enjoy it. :-)

More help is available in the IRIX infosearch documentation.
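The procedure above as a single script, added here as an example and not part of the SGI documentation or the original post: build_ftp_tree creates the tree from steps 3 and 5-10 (device nodes, ls and the libraries are system specific and are left out), and audit_ftp_tree checks every directory and file against the mode the steps prescribe, so a later chmod 777 on ~ftp, which would undo step 8, shows up as a FAIL. The modes, directory names and the trimmed passwd/group contents are taken from the text and the 555 on lib32 follows the IRIX 6.5 note; the owner:group spelling for chown, the warning when the ftp account is missing, and the ability to dry-run the functions unprivileged in a scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the SGI/IRIX procedure above): build the anonymous
# FTP tree from steps 3 and 5-10 and audit it against the prescribed modes.
# Assumed: 511/755/333/444 modes and the sample passwd/group from the text,
# 555 on lib32 from the IRIX 6.5 note; chown uses owner:group spelling.

# mode_of PATH -> the 10-character mode string from ls -ld, e.g. dr-x--x--x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# build_ftp_tree ROOT -- create the layout and apply the prescribed modes.
# Ownership changes need root and are skipped when run unprivileged, so the
# function can be tried in a scratch directory first.
build_ftp_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/dev" "$root/etc" "$root/lib" "$root/lib32" \
             "$root/pub" "$root/incoming"
    # Step 5: trimmed passwd/group with '*' in every password field.
    printf '%s\n' 'root:*:0:0:Super-User:/:/dev/null' \
        'ftp:*:997:995:Anonymous FTP Account:/disk2/ftp:/dev/null' > "$root/etc/passwd"
    printf '%s\n' 'sys:*:0:' 'other::995:' > "$root/etc/group"
    # Step 7: the chroot copies are read-only.
    chmod 444 "$root"/etc/*
    # Steps 8-10, ownership part (root only; warn instead of aborting).
    if [ "$(id -u)" -eq 0 ]; then
        chown root:sys "$root" "$root/bin" "$root/dev" "$root/etc" "$root/lib" \
                       "$root/lib32" "$root/pub" \
            || echo "warning: could not chown root:sys" >&2
        chown ftp:other "$root/incoming" \
            || echo "warning: no ftp user/other group; do step 1 first" >&2
    fi
    # Steps 8-10, mode part: system dirs and ~ftp neither writable nor
    # listable, pub world-readable, incoming a write-only drop box.
    chmod 511 "$root" "$root/bin" "$root/dev" "$root/etc" "$root/lib"
    chmod 555 "$root/lib32"
    chmod 755 "$root/pub"
    chmod 333 "$root/incoming"
}

# audit_ftp_tree ROOT -- print one line per check; return 0 only if all pass.
# A world-writable ~ftp (e.g. after chmod 777) fails the very first check.
audit_ftp_tree() {
    root=$1
    rc=0
    # path / expected-mode pairs from steps 7-10 and the lib32 note
    set -- . dr-x--x--x bin dr-x--x--x dev dr-x--x--x etc dr-x--x--x \
           lib dr-x--x--x lib32 dr-xr-xr-x pub drwxr-xr-x incoming d-wx-wx-wx \
           etc/passwd -r--r--r-- etc/group -r--r--r--
    while [ $# -ge 2 ]; do
        path=$1 want=$2
        shift 2
        got=$(mode_of "$root/$path")
        if [ "$got" = "$want" ]; then
            echo "OK   $path $got"
        else
            echo "FAIL $path is $got, expected $want"
            rc=1
        fi
    done
    # No password hash may leak into the chroot copy of passwd: field 2 must be '*'.
    if awk -F: 'BEGIN { bad = 0 } $2 != "*" { bad = 1 } END { exit bad }' "$root/etc/passwd"; then
        echo "OK   etc/passwd carries no password hashes"
    else
        echo "FAIL etc/passwd has a password field other than '*'"
        rc=1
    fi
    return $rc
}

# Usage (as root, so the chown steps run): sh ftp-tree.sh /disk2/ftp
if [ $# -eq 1 ]; then
    build_ftp_tree "$1"
    audit_ftp_tree "$1"
fi
```

Ownership is applied only when running as root and is not part of the audit; after building the real tree, still add the dev/zero node, ls and the libraries from steps 4 and 6 by hand.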
