FTP server? - HINT

Richard Lightman richard at reika.demon.co.uk
Wed Jan 3 14:49:28 PST 2001


Modifications as requested by Gerard, and added a note about .netrc
and corrected a couple of typos.

TITLE:		proftp server, lukemftp client and wget
LFS VERSION:	<2.4.3>
AUTHOR:		<Richard Lightman> <richard at reika.demon.co.uk>

SYNOPSIS:
	proftp is an ftp server designed with security in mind. I have
	heard nasty things about the (lack of) security in wu-ftp.
	There are about as many ftp clients as there are window
	manglers. I have found lukemftp to be reliable, and it
	uses gnu readline to give tab completion of file names.
	The one thing lukemftp does not do is continue where it
	left off if a download fails. For large downloads, I recommend
	wget.

HINT:

Downloads
=========

There is a draft user guide for proftp at:
http://hamster.wibble.org/proftpd/

There is a good FAQ for proftp at:
http://www.proftpd.net/docs/proftpdfaq-full.html

There is a list of mirrors in the FAQ, so try picking one near you
instead of:
"ftp://ftp.linux.co.uk/mirrors/ftp.proftpd.net/\
pub/proftpd/proftpd-1.2.0pre10.tar.gz"

If you do not have an ftp client, try lukemftp:
ftp://ftp.netbsd.org/pub/NetBSD/misc/lukemftp/lukemftp-1.5.tar.gz

lukemftp uses readline for tab completion:
ftp://ftp.gnu.org/gnu/readline/readline-4.0.tar.gz

wget can continue a download where it left off - very handy for
downloading X with a wobbly ISP:
ftp://ftp.gnu.org/gnu/wget/wget-1.5.3.tar.gz


Installing proftp
=================

First we will need to know two unused system group ids and a system
user id. The third field of /etc/group or /etc/passwd contains the
group or user id.

[root@fire_fly richard]# cat /etc/group
root:x:0:
bin:x:1:
sys:x:2:
kmem:x:3:
tty:x:4:
uucp:x:5:
daemon:x:6:
floppy:x:7:
disk:x:8:
users:x:9:
nofiles:x:10:
qmail:x:11:
dnscache:x:12:
dnslog:x:13:
cvsadmin:x:14:
[root@fire_fly richard]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
richard:x:1000:9::/home/richard:/bin/bash
postgress:x:1:9::/home/postgress:/bin/bash
lp:x:2:9::/home/lp:/bin/bash
alias:x:3:10::/var/qmail/alias:/bin/bash
qmaild:x:4:10::/var/qmail:/bin/bash
qmaill:x:5:10::/var/qmail:/bin/bash
qmailp:x:6:10::/var/qmail:/bin/bash
qmailq:x:7:11::/var/qmail:/bin/bash
qmailr:x:8:11::/var/qmail:/bin/bash
qmails:x:9:11::/var/qmail:/bin/bash
dnscache:x:10:9::/home/dnscache:/bin/bash
dnslog:x:11:9::/home/dnslog:/bin/bash
build:x:12:1::/home/build:/bin/bash
install:x:13:1::/home/install:/bin/bash

On my system the first available system group ids are 15 and 16.
The first available system user id is 14.  Now we need some new groups
which will be used to prevent proftp from reading and writing the
wrong files:

[root@fire_fly richard]# groupadd -g 15 nogroup
[root@fire_fly richard]# groupadd -g 16 ftp
[root@fire_fly richard]# useradd -u 14 -g ftp -s /bin/sh -m ftp
[root@fire_fly richard]# useradd -u 65534 -g nogroup -d /home nobody
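
The lookup of free ids described above can be scripted instead of read off
the listings by eye. This is an added example, not part of the original hint;
the names next_free_ids and sample_group and the default ceiling of 999 for
system ids are assumptions.

```sh
#!/bin/sh
# Added example, not from the original hint.
# next_free_ids FILE COUNT [MAX]
#   Print the COUNT lowest ids in 1..MAX that do not appear in the third
#   colon-separated field of FILE (/etc/passwd or /etc/group; "-" = stdin).
#   MAX defaults to 999, an assumed ceiling for system ids.
#   Exit status is 1 if fewer than COUNT free ids exist below MAX.
next_free_ids() {
    awk -F: -v want="$2" -v max="${3:-999}" '
        $3 ~ /^[0-9]+$/ { used[$3 + 0] = 1 }   # skip comments and malformed lines
        END {
            for (id = 1; id <= max && found < want; id++)
                if (!(id in used))
                    printf "%s%d", (found++ ? " " : ""), id
            if (found) print ""
            exit (found < want)
        }' "$1"
}

# Constructed sample: gids 0 to 14 in use, as in the /etc/group listing above.
sample_group() {
    i=0
    while [ "$i" -le 14 ]; do
        echo "grp$i:x:$i:"
        i=$((i + 1))
    done
}

# sample_group | next_free_ids - 2     prints: 15 16
```

On a live system the calls would be "next_free_ids /etc/group 2" and
"next_free_ids /etc/passwd 1".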

proftpd needs to start running as root - to get access to port 21. Each
time proftpd receives a connection, it will fork off a new process running
as an appropriate user to service the connection. Anonymous connections are
handled by user ftp.

There should be no files accessible by group nogroup, or by user nobody.
Under strange and unlikely circumstances it is possible for a remote user
to get access to a linux box with a user id of 65534. As we have given
this id to an account with no special privileges there should not be anything
for a cracker to play with.


unpack the source, and configure:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var\
            --infodir=/usr/share/info --mandir=/usr/share/man

If you do not like installing as root, change the default owner
and group in the Makefile. User install's default group must be
bin, and lots of system directories must be writable by bin.
Plenty of packages will happily screw this up if you install
them as root.

sed -e "s@^\(INSTALL_USER=\).*@\1install@"\
    -e "s@^\(INSTALL_GROUP=\).*@\1bin@"\
    Makefile >Makefile~
mv  Makefile~ Makefile

compile and install:

make
make install

Put a boot script in /etc/init.d:

#!/bin/bash
#/etc/init.d/proftpd

. /etc/init.d/functions

case "$1" in
  start)
    echo -n "Summoning Pro FTP daemon..."
    loadproc /usr/sbin/proftpd
    print_status
    ;;

  stop)
    echo -n "Exorcising Pro FTP daemon..."
    killproc /usr/sbin/proftpd
    print_status
    ;;

  reload)
    echo -n "Reloading Pro FTP daemon..."
    reloadproc /usr/sbin/proftpd -HUP
    ;;

  restart)
    $0 stop
    sleep 1
    $0 start
    ;;

  status)
    statusproc /usr/sbin/proftpd
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|reload|status}"
    ;;

esac


configuring proftpd
===================

Take a look through /etc/proftpd.conf and fiddle with any settings
you do not like. Make ftp's home directory (/home/ftp), put some files
in there, and make them readable by user ftp. If you think that anonymous
users should be able to modify these files, make them writable by ftp,
but get your head examined first.

Enable proftp on future reboots, and start it now:

chmod 754 /etc/init.d/proftpd
ln -s  ../init.d/proftpd /etc/rc0.d/K40proftpd
ln -s  ../init.d/proftpd /etc/rc1.d/K40proftpd
ln -s  ../init.d/proftpd /etc/rc2.d/K40proftpd
ln -s  ../init.d/proftpd /etc/rc3.d/S60proftpd
ln -s  ../init.d/proftpd /etc/rc4.d/S60proftpd
ln -s  ../init.d/proftpd /etc/rc5.d/S60proftpd
ln -s  ../init.d/proftpd /etc/rc6.d/K40proftpd
/etc/init.d/proftpd start

Try out your new ftp server:
ftp 127.0.0.1


lukemftp
========

Did you forget to install an ftp client? My favourite is lukemftp.
You will need readline so you can have tab completion.

unpack the readline sources, and:

./configure --prefix=/usr --with-curses
make
make shared
make install
cd shlib
make install


unpack the lukemftp source and:

./configure --prefix=/usr --sysconfdir=/etc\
            --sharedstatedir=/var/cache --localstatedir=/var\
            --infodir=/usr/share/info --mandir=/usr/share/man
make
make install

The configure script has a --mandir option, but it does not do anything useful:
cp src/ftp.1 $LFS/usr/share/man/man1/

Many ftp sites want you to use your e-mail address as a password for
anonymous access. If you are too lazy to type it, try:

echo 'default login anonymous password user@site' >~/.netrc
chmod 600 ~/.netrc

You can add all the passwords to your ftp sites to .netrc and wget
will use them too. Any program run with your user id will be able
to read .netrc. Also, will this file get backed up? Are your backups
encrypted?
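
A check for the .netrc exposure described above: it lists which entries hold
a real (non-anonymous) password and fails if the file mode is looser than the
chmod 600 shown. This is an added example, not part of the original hint;
netrc_audit and netrc_sample are hypothetical names and the sample
credentials are constructed.

```sh
#!/bin/sh
# Added example, not from the original hint.
# netrc_audit FILE
#   Print "host login" for each entry that stores a password for a
#   non-anonymous login (the password itself is never printed), then
#   return 1 if the file mode grants anything to group or other.
netrc_audit() {
    f=$1
    [ -f "$f" ] || { echo "netrc_audit: no such file: $f" >&2; return 2; }

    # .netrc is a stream of whitespace-separated tokens: put one per line.
    tr -s ' \t\n' '\n\n\n' < "$f" | awk '
        function emit() {
            if (havepw && login != "anonymous") print host, login
            havepw = 0; login = ""
        }
        $0 == "machine"  { emit(); getline host; next }
        $0 == "default"  { emit(); host = "default"; next }
        $0 == "login"    { getline login; next }
        $0 == "password" { getline pw; havepw = 1; next }
        END { emit() }'

    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "netrc_audit: $f is accessible to group/other ($bits)" >&2
        return 1
    fi
}

# Constructed sample (not real credentials): one anonymous default entry
# and one entry with a stored password.
netrc_sample() {
    printf '%s\n' 'default login anonymous password user@site' \
                  'machine ftp.example.org login alice password s3cret'
}
```

Run it as "netrc_audit ~/.netrc"; every host it prints is a credential that
also lands in any unencrypted backup of your home directory.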


installing wget
===============

unpack the source, and:

./configure --prefix=/usr --sysconfdir=/etc\
            --sharedstatedir=/var/cache --localstatedir=/var\
            --infodir=/usr/share/info --mandir=/usr/share/man
make
make install

This time it is --infodir that needs help:

cp doc/wget.info* /usr/share/info
install-info -e\
       "* wget: (wget).                                Get files from www"\
       /usr/share/info/wget.info /usr/share/info/dir


