How to setup WU-FTPD Guest Accounts

By Michael Brennen

This document was originally published by Michael Brennen on Fri, 15 Sep 1995 and contributed to the WU-FTPD Development Group on Fri, 28 Jul 2000.


Table of Contents

  • OS DEPENDENCIES / QUIRKS
  • Additionally

    Introduction

    There are three kinds of FTP logins that wu-ftpd provides:

    1. anonymous FTP
    2. real FTP
    3. guest FTP

    Anonymous FTP is well known; one logs in with the username 'anonymous' and an email type password.

    Real FTP is when someone logs in with a real username and password and has access to the entire disk structure. This form of access can be extremely dangerous to system security and should be avoided unless absolutely necessary and well controlled.

    Guest FTP is a form of real FTP; one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. This is much safer, and it is a useful way for remote clients to maintain their Web accounts.

    If you want to learn more about 'chroot', the following two commands should help, as should any good Unix text.

    man chroot

    There may be different man pages in sections 1, 2 and 8 (or others, perhaps) depending on your operating system. ('man # chroot')

    This howto will describe in detail the steps necessary to set up a guest FTP account. It does not describe anonymous or real FTP setup, though the procedures for setting up an operational 'ls' command will apply equally to anonymous FTP because of the chroot'ed nature of anonymous FTP.


    Working Example

    The working example here will be as if it were a directory under a Web tree, /home/web. The Web account will be maintained remotely by FTP. The remote user is Mortimer. Mortimer's account name is "mort", group "client".

    (Yes, there is some droll humor here for the French speakers...)

    1. Do the /etc hacks

    Create Mort's entry in /etc/passwd and /etc/group. Do so manually, or use adduser or whatever your Unix supports. If you use adduser, you will probably have to make manual modifications to get the /./ information in the home path.

    There are also entries to make in /etc/ftpaccess.

    /etc/passwd:

    mort:*:403:400:Mortimer Snerd:/home/web/mort/./:/etc/ftponly
                                                ^^^
    

    The /./ sequence determines where the chroot() is done to. If you want the chroot() done to the web directory and a chdir() to mort, it would look like this:

    mort:*:403:400:Mortimer Snerd:/home/web/./mort/:/etc/ftponly
                                           ^^^
    

    --------> (make sure "/etc/ftponly" is in /etc/shells.)

    /etc/group:

    client::400:mort

    Set Mort's password as you wish, or better yet use S/KEY.

    The current releases of wu-ftpd come with /etc/ftpaccess enabled by default. If your version does not do this for some reason, you must do one of two things to properly use /etc/ftpaccess:

    1. compile the source to use /etc/ftpaccess by default; modify the source to set use_accessfile = 1;

      OR

    2. run the daemon with the -a option.

    /etc/ftpaccess:
    class   local   real,guest,anonymous ......
    ...                  ^^^^^
    ...                    +----------- define 'guest' in the proper classes;
    ...                                 this is site dependent.
    ...
    ...
    delete     no   anonymous,guest               # delete permission?
    overwrite  no   anonymous,guest               # overwrite permission?
    rename     no   anonymous,guest               # rename permission?
    chmod      no   anonymous,guest               # chmod permission?
    umask      no   anonymous,guest               # umask permission?
    ...                       ^^^^^
    ...                         +------ decide if guest should be in this 
    ...                                 permission list; this is site dependent.
    ...
    ...
    path-filter  guest      /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
    ...
    guestgroup client
    ...
    

    2. Create Mort's home directory and set its ownership and protections


    3. Build the directory structure under Mort's account.

    Create the /etc, /lib, and any other directory you need in the directory that the chroot() is done into.


    4. Build the contents of the ~/bin directory.

    NOTE WELL: if you cannot see the directory contents after you log in as the guest user, the 'ls' program that you installed is not working. If you use an 'ls' linked for dynamic libraries, and you do not have the required libraries and/or devices installed properly in the guest tree, 'ls' will not work and you will not see the contents of the guest directory.

    This is the single most frequently asked question on the wu-ftpd list. Repeating: if you cannot see the contents of the directory, your installed 'ls' is not working. The proper installation procedures for 'ls' vary by operating system. There are some OS specific notes at the bottom of this howto that may be of help.

    Another problem that has been reported is that the chroot() directory given in your /etc/passwd entry for the guest account must be the directory under which your ~/bin directory is located. That is, if your chroot directory is /u01/ftp/ftptest/ and your /etc/passwd entry is

    yourftp:x:42:42:guest ftp account:/u01/ftp/./ftptest:/etc/ftponly

    it will not work: the chroot() is done to /u01/ftp, so the ~/bin directory is not under the chroot()ed directory. It must be set as follows.

    yourftp:x:42:42:guest ftp account:/u01/ftp/ftptest/./:/etc/ftponly

    There are additional resources to help if you still cannot see files after an FTP login. See the FAQ and Resource Center and http://www.wuftpd.org/ for more information.
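    To check the points above (the /./ marker from step 1, the login shell listed in /etc/shells, and the chroot() root actually holding bin/ls), here is a small POSIX sh checker added as an example; it is not part of the original HOWTO. It takes copies of the passwd and shells files as arguments, and the make_demo_tree helper, constructed for illustration, builds a throwaway tree with the good and bad yourftp entries from the paragraph above.

```shell
#!/bin/sh
# Sanity check for a wu-ftpd guest account, added here as an example; it is
# not part of the original HOWTO. It verifies what this page requires: the
# home field carries the /./ marker, the login shell is listed in the
# shells file, and bin/ls, etc/ and lib/ exist under the directory the
# chroot() lands in (everything before /./).

# Print the chroot() root of a passwd home field such as /home/web/mort/./
chroot_root_of() {
    case "$1" in
        */./*) printf '%s\n' "${1%%/./*}" ;;
        *)     return 1 ;;
    esac
}

# check_guest_account USER PASSWD_FILE SHELLS_FILE
# Returns 0 when the entry looks usable, 1 with a reason on stderr otherwise.
# Taking the files as arguments lets it run against copies, not live /etc.
check_guest_account() {
    user=$1 passwd=$2 shells=$3
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd")
    [ -n "$entry" ] || { echo "$user: no entry in $passwd" >&2; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    root=$(chroot_root_of "$home") ||
        { echo "$user: home '$home' has no /./ marker" >&2; return 1; }
    grep -qxF "$shell" "$shells" ||
        { echo "$user: shell '$shell' not in $shells" >&2; return 1; }
    for d in bin etc lib; do
        [ -d "$root/$d" ] ||
            { echo "$user: $root/$d missing under chroot root" >&2; return 1; }
    done
    [ -f "$root/bin/ls" ] ||
        { echo "$user: $root/bin/ls missing, listings will fail" >&2; return 1; }
}

# Constructed demo tree mirroring the yourftp example: one guest tree under
# /u01/ftp/ftptest and two passwd entries, /./ placed correctly (good) and
# one level too high (bad). Prints the temporary directory it built.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/u01/ftp/ftptest/bin" "$t/u01/ftp/ftptest/etc" "$t/u01/ftp/ftptest/lib"
    printf '#!/bin/sh\n' > "$t/u01/ftp/ftptest/bin/ls"
    chmod 555 "$t/u01/ftp/ftptest/bin/ls"
    printf '%s\n' "good:x:42:42:guest ftp account:$t/u01/ftp/ftptest/./:/etc/ftponly" \
        "bad:x:43:42:guest ftp account:$t/u01/ftp/./ftptest:/etc/ftponly" > "$t/passwd"
    printf '%s\n' /bin/sh /etc/ftponly > "$t/shells"
    printf '%s\n' "$t"
}
```

    Run it as `t=$(make_demo_tree); check_guest_account good "$t/passwd" "$t/shells"`; against a live system, pass /etc/passwd and /etc/shells and the real account name.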

    USE STATIC LINKED COPIES OF ALL UTILITIES IF POSSIBLE.

    You may get the source to build your own static 'ls' by downloading the GNU fileutils source package from .

    Optional for on the fly compression and tar:

    If the utilities are not static, create the necessary devices in ~/dev and copy the necessary libraries into ~/lib. Check the man page for ftpd that comes with your system; it may be of help.

    REGARDING HARD AND SOFT/SYMBOLIC LINKS:

    Because of the chroot(), symbolic links from the guest tree to the system copies of the utilities will not resolve (they are looked up relative to the new root), so soft links cannot be used here. It is possible, however, to make the entries in ~/bin hard links back to the master copies of the utilities rather than separate copies. This can save some disk space if that is a concern; note that hard links only work when the guest tree and the master copies are on the same filesystem.


    5. Build the contents of the ~/etc directory.


    6. Add some extra security touches

    You should now be the proud owner of a working guest group FTP login. Connect to the machine via FTP and log in as "mort". You should end up in Mort's account with a current directory of "/".

    If not, go over it carefully again, as there is a lot of detail here. If you still can't get it to work, yell for help on [email protected].


    OS DEPENDENCIES / QUIRKS

    LINUX:

    Linux does not need a ~/dev dir. It does need the ~/lib dir if the utilities in ~/bin are dynamically linked.

    Use the 'ldd' command to find out what libraries are necessary for a given dynamically linked utility.
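    As an added example (not from the HOWTO), the following sh functions automate the 'ldd' step: they parse ldd's output and copy each reported library to the same absolute path under the guest root, which is where the dynamic loader will look for it once chroot()ed. The function names are my own; the ldd output format assumed is the usual "name => /path (0x...)" and bare "/path (0x...)" lines.

```shell
#!/bin/sh
# Added example (not from the HOWTO): fill a guest tree with the shared
# libraries its dynamically linked ~/bin utilities need, as reported by ldd.
# Each library is copied to the same absolute path under the guest root,
# since that is where the loader will look for it after the chroot().

# Read ldd output on stdin; print one absolute library path per line.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld-linux.so.2 (0x...)"; skips vdso and "statically linked".
ldd_paths() {
    awk '/=>/      { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# copy_libs_into ROOT  -- copy each path read from stdin to ROOT/<path>,
# keeping directories and permissions; prints the number of files copied.
copy_libs_into() {
    root=$1 n=0
    while IFS= read -r lib; do
        [ -f "$lib" ] || { echo "skip: $lib not found" >&2; continue; }
        mkdir -p "$root$(dirname "$lib")"
        cp -p "$lib" "$root$lib" && n=$((n + 1))
    done
    echo "$n"
}

# copy_guest_libs ROOT  -- run ldd over ROOT/bin/* and copy what it reports.
# Statically linked utilities yield no paths and are simply skipped.
copy_guest_libs() {
    root=$1
    for bin in "$root"/bin/*; do
        [ -f "$bin" ] || continue
        ldd "$bin" 2>/dev/null | ldd_paths
    done | sort -u | copy_libs_into "$root"
}
```

    Run `copy_guest_libs /home/web/mort` as root after populating ~/bin, then re-run it whenever a utility in ~/bin is replaced, since a library the new binary needs may be missing.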

    LINUX REDHAT 6.1: (reported by Steven Schramm <[email protected]>)

    I found the following steps for the lib directory critical to my success:

    SOLARIS:

    Solaris can't handle SETPROCTITLE, so turn the compile time option off.

    (The following was culled from a post by Tom Leach to the wu-ftpd list.)

    >For people who are having problems with ls -al and dir on solaris 2.x
    >systems, you might try the following to find out what's missing...

    >truss -f chroot ~ftp /bin/ls

    >This will run the ls command in the same chroot'd environment that
    >anonymous FTP runs in. The truss will show you what
    >files/libraries/devices are accessed and where the ls is looking for them.

    >Tom Leach
    >[email protected]

    SUN 4.1.x:

    Create a ~/dev/zero and ~/dev/tcp device for the FTP directory as follows. Run the following 'ls' command, then create the devices in the ~/dev directory with the 'mknod' command, using the major and minor numbers from the 'ls' results (thanks to Jim Davis <[email protected]>).

    ls -lL /dev/zero /dev/tcp

    cd dev
    mknod zero c <major> <minor>
    mknod tcp c <major> <minor>
    cd ..
    chmod 555 dev

    You may also wish to use the following method to create the device, per Ian Willis <[email protected]>; repeat this command for each device (zero, tcp, etc.).

    find /dev/zero -print | cpio -pd ~ftp

    Also, you probably need the following shared libraries:

    BSDI:

    Set 555 protections on the ~ftp/shlib and its contents if shared libraries are used.

    From Darci Chapman ([email protected]):

    The following directories and files need to be created in whatever directory/ies are being chrooted to (~ftp for anon ftp or for whatever directory guest users are chrooted):

    dr-xr-xr-x root/wheel        0 Nov  3 01:43 1995 bin/
    -r-xr-xr-x root/wheel    12288 Nov  3 01:43 1995 bin/compress
    -r-xr-xr-x root/wheel    45056 Nov  3 01:43 1995 bin/gzip
    -r-xr-xr-x root/wheel    12288 Nov  3 01:43 1995 bin/ls
    -r-xr-xr-x root/wheel    65536 Nov  3 01:43 1995 bin/pax
    dr-xr-xr-x root/wheel        0 Nov  3 01:43 1995 etc/
    -r--r--r-- root/wheel      793 Nov  3 01:43 1995 etc/group
    -r--r--r-- root/wheel      817 Nov  3 01:43 1995 etc/localtime
    -r--r--r-- root/wheel    40960 Nov  3 01:43 1995 etc/pwd.db
    dr-xr-xr-x root/wheel        0 Feb  3 12:34 1995 pub/
    dr-xr-xr-x root/wheel        0 Nov  3 01:43 1995 shlib/
    -r-xr-xr-x root/wheel   298407 Nov  3 01:43 1995 shlib/libc_s.2.0
    

    IRIX (5.3, 6.x):

    From Frans Stekelenburg <[email protected]>:

    (as in SUN 4.1.x, but without /dev/tcp)

    Create a ~/dev/zero device for the FTP directory as follows. (tip: search on 'dev/zero' in your IRIX systems' Online Books.) Run the following 'ls' command, then create the device in the ~/dev directory with the 'mknod' command, using the major and minor numbers from the 'ls' results (thanks to Jim Davis <[email protected]>).

    ls -lL /dev/zero

    cd dev
    mknod zero c <major> <minor>
    cd ..
    chmod 555 dev

    You may also wish to use the following method to create the device, per Ian Willis <[email protected]>; repeat this command for each device (zero, etc.).

    find /dev/zero -print | cpio -pd ~ftp

    Also, you probably need the following shared libraries:

    Also read the manpages on FTPD, or look in the IRIX Insight Library (Online Books) in the book/chapter "IRIX Admin: Networking and Mail" for the paragraph 'How to Set Up a Proper Anonymous FTP Account' (search helps:-)) on your IRIX system.

    AIX:

    Per Chuque Berry <[email protected]> and Joseph Matusiewicz <[email protected]>, AIX needs the following files for the external ls to work:

    You may also need:


    Additionally:

    For tips on security of anonymous FTP see CERT documents:

    Also, check out Christopher Klaus's older Anonymous FTP FAQ.


  • If you run across some special trick required to get guest access to run on your OS, or some security cleanup, please let me know and I will update the master of this document.

  • Don't contact me individually for help. Go through the wu-ftpd list for that and I will see the post there.

    Michael Brennen
    [email protected]