$HOME of /var/spool/ftp instead of /home/ftp

$SHELL of /sbin/nologin instead of /usr/bin/false

'useradd' instead of 'adduser', which sets a /home prefix

Change the 'Directory Setup' section as the existing article duplicates
what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
mirror.


Index: faq10.html
===================================================================
RCS file: /cvs/www/faq/faq10.html,v
retrieving revision 1.180
diff -u -r1.180 faq10.html
--- faq10.html  1 Nov 2013 14:05:56 -0000       1.180
+++ faq10.html  11 Jan 2014 18:30:45 -0000
@@ -963,115 +963,100 @@
 <h3>Adding the FTP account</h3>
 
 <p>
-To start off, you need to have an <i>ftp</i> account on your system.
+To start off, you need to have an <i>ftp</i> user account on your system.
 This account should not have a usable password. Here we will set the login
-directory to /home/ftp, but you can put it wherever you want.
+directory to the pre-existing <i>/var/spool/ftp</i>, as
+<a 
href="http://www.openbsd.org/cgi-bin/man.cgi?query=hier&amp;sektion=7";>hier(7)</a>
+says: '<i>Commonly ~ftp; the anonymous ftp root directory</i>'
+but you can put it wherever you want, such as another disk partition:
+
+<blockquote><pre>
+$ <b>fgrep ftp /etc/fstab</b>
+/dev/sd3a /var/spool/ftp        ffs rw,nodev,nosuid,softdep,noatime            
 0 2
+</pre></blockquote>
+
 When using anonymous ftp, the ftp daemon will chroot itself to the home
 directory of the <i>ftp</i> user. To read up more on that, read the
 <a 
href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&amp;sektion=8";>ftpd(8)</a>
 and 
 <a 
href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&amp;sektion=2";>chroot(2)</a>
 man pages. Here is an example of adding the <i>ftp</i> user. I will do
 this using
-<a 
href="http://www.openbsd.org/cgi-bin/man.cgi?query=adduser&amp;sektion=8";>adduser(8)</a>.
-We also need to add /usr/bin/false to our <i>/etc/shells</i>, this is
-the &quot;shell&quot; that we will be giving to the <i>ftp</i> user.
-This won't allow them to login, even though we will give them an empty
-password. To do this you can simply do
+<a 
href="http://www.openbsd.org/cgi-bin/man.cgi?query=useradd&amp;sektion=8";>useradd(8)</a>.
 
 <blockquote><pre>
-echo /usr/bin/false &gt;&gt; /etc/shells
+$ <b>sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid -s 
/sbin/nologin ftp</b>
+
+$ <b>sudo userinfo ftp</b>
+login   ftp
+passwd  *************
+uid     212121
+groups  ftp
+change  NEVER
+class
+gecos   anonymous ftp
+dir     /var/spool/ftp
+shell   /sbin/nologin
+expire  NEVER
+
+$ <b>grep ^ftp /etc/group</b>
+ftp:*:212121:
 </pre></blockquote>
 
-After this, you are ready to add the <i>ftp</i> user:
+<h3>Directory Setup</h3>
+
+<p>
+From a default OpenBSD install, <i>ftp</i>'s home directory is already
+there, and mostly pre-populated for anonymous ftp duties:
+</p>
 
 <blockquote><pre>
-# <b>adduser</b>
-Use option ``-silent'' if you don't want to see all warnings and questions.
+$ <b>sudo ls -lAR /var/spool/ftp</b>
+total 12
+dr-x--x--x  2 root  wheel  512 Jul 30 18:52 bin
+dr-x--x--x  2 root  wheel  512 Jul 30 18:52 etc
+d--x--x--x  2 root  wheel  512 Jul 30 18:52 hidden
 
-Reading /etc/shells
-Check /etc/master.passwd
-Check /etc/group
-
-Ok, let's go.
-Don't worry about mistakes. There will be a chance later to correct any input.
-Enter username []: <b>ftp</b>
-Enter full name []: <b>anonymous ftp</b>
-Enter shell csh false ksh nologin sh [ksh]: <b>false</b>
-Uid [1002]: <b><i>Enter</i></b>
-Login group ftp [ftp]: <b><i>Enter</i></b>
-Login group is ``ftp''. Invite ftp into other groups: guest no 
-[no]: <b>no</b>
-Login class authpf daemon default staff [default]: <b><i>Enter</i></b>
-Enter password []: <b><i>Enter</i></b>
-Set the password so that user cannot logon? (y/n) [n]: <b>y</b>
-
-Name:        ftp
-Password:    ****
-Fullname:    anonymous ftp
-Uid:         1002
-Gid:         1002 (ftp)
-Groups:      ftp
-Login Class: default
-HOME:        /home/ftp
-Shell:       /usr/bin/false
-OK? (y/n) [y]: <b>y</b>
-Added user ``ftp''
-Copy files from /etc/skel to /home/ftp
-Add another user? (y/n) [y]: <b>n</b>
-Goodbye!
-</pre></blockquote>
+/var/spool/ftp/bin:
 
-<h3>Directory Setup</h3>
+/var/spool/ftp/etc:
+
+/var/spool/ftp/hidden:
+
+</pre></blockquote>
 
 <p>
-Along with the user, this created the directory <i>/home/ftp</i>. This
-is what we want, but there are some changes that we will have to make to
-get it ready for anonymous ftp. Again these changes are explained in the
-<a 
href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&amp;sektion=8";>ftpd(8)</a>
 man page.
+All we need to do is add the <b>pub</b>lic directory. In this example,
+we'll also set up the directory structure for a local OpenBSD
+ftp mirror, for both i386 &amp; sparc64 machines:
+</p>
+
+<blockquote><pre>
+$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}</b>
+$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}</b>
+$ <b>sudo find /var/spool/ftp</b>
+/var/spool/ftp
+/var/spool/ftp/bin
+/var/spool/ftp/etc
+/var/spool/ftp/hidden
+/var/spool/ftp/pub
+/var/spool/ftp/pub/OpenBSD
+/var/spool/ftp/pub/OpenBSD/5.4
+/var/spool/ftp/pub/OpenBSD/5.4/i386
+/var/spool/ftp/pub/OpenBSD/5.4/sparc64
+/var/spool/ftp/pub/OpenBSD/5.4/packages
+/var/spool/ftp/pub/OpenBSD/5.4/packages/i386
+/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64
+</pre></blockquote>
 
 <p>
-You <b>do not</b> need to make a /home/ftp/usr or /home/ftp/bin
-directory.
-<ul>
-<li><i>/home/ftp</i> - This is the main directory. It should be owned by
-root and have permissions of 555.
-<li><i>/home/ftp/etc</i> - This is entirely optional and not
-recommended, as it only serves to give out information on users which
-exist on your box. If you want your anonymous ftp directory to appear to
-have real users attached to your files, you should copy /etc/pwd.db and
-/etc/group to this directory. This directory should be mode 511, and the
-two files should be mode 444. These are used to give owner names as
-opposed to numbers. There are no passwords stored in pwd.db, they are
-all in spwd.db, so don't copy that over.
-<li><i>/home/ftp/pub</i> - This is a standard directory to place files
-in which you wish to share. This directory should also be mode 555.
-</ul>
-
-<p> 
-Note that all these directories should be owned by ''root''. Here is a
-listing of what the directories should look like after their creation.
+Now we'll set the directory permissions so the <i>ftp</i> user can read,
+and the <i>wheel</i> group can write (ftp get base tarballs and packages):
+</p>
 
 <blockquote><pre>
-# pwd
-/home
-# ls -laR ftp
-total 5
-dr-xr-xr-x  5 root  ftp    512 Jul  6 11:33 .
-drwxr-xr-x  7 root  wheel  512 Jul  6 10:58 ..
-dr-x--x--x  2 root  ftp    512 Jul  6 11:34 etc
-dr-xr-xr-x  2 root  ftp    512 Jul  6 11:33 pub
-
-ftp/etc:
-total 43
-dr-x--x--x  2 root  ftp    512 Jul  6 11:34 .
-dr-xr-xr-x  5 root  ftp    512 Jul  6 11:33 ..
--r--r--r--  1 root  ftp    316 Jul  6 11:34 group
--r--r--r--  1 root  ftp  40960 Jul  6 11:34 pwd.db
-
-ftp/pub:
-total 2
-dr-xr-xr-x  2 root  ftp  512 Jul  6 11:33 .
-dr-xr-xr-x  5 root  ftp  512 Jul  6 11:33 ..
+$ <b>sudo chown -R root:wheel /var/spool/ftp/pub</b>
+$ <b>sudo chmod 555 /var/spool/ftp/pub</b>
+$ <b>sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/</b>
 </pre></blockquote>
 
 <h3>Starting up the server and logging</h3>
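Review bot: The closing `chmod -R 575 /var/spool/ftp/pub/OpenBSD/` in the new Directory Setup section is recursive, so if it is rerun after the mirror is populated it also marks every tarball and package group-writable and executable, and it leaves every directory under pub/OpenBSD writable by wheel inside the anonymous chroot, where the text being removed asked for root-owned directories at mode 555. Suggest restricting the mode change to directories (for example `find /var/spool/ftp/pub/OpenBSD -type d -exec chmod 575 {} +`) or keeping 555 and populating the mirror as root, and stating in the preceding paragraph why group write is wanted. Separately, the new `ls -lAR` listing does not show the owner and mode of /var/spool/ftp itself, which the removed list item spelled out (root, 555); adding an `ls -ld /var/spool/ftp` line would keep that check in the article.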
