On 01/11/14 13:35, Craig R. Skinner wrote:
> $HOME of /var/spool/ftp instead of /home/ftp

um.  There are a lot of choices for where to put your ftp's home...
/var/spool/ftp is not in my top five.  I see your reasoning in the diff
itself, but the most likely place I'd put an ftp home would be
/var/www/<site> so it could be served both by FTP and HTTP.

/var/spool/ftp is one of those things left over from another date and
time, right now, I have trouble imagining running an FTP server that
isn't also a http server for downloads...and I can't imagine expecting
Joe Average to be able to work an FTP client for uploads anymore, either.

> $SHELL of /sbin/nologin instead of /usr/bin/false

benefit?  to me, "nologin" sounds like the account is disabled, I think
I like /usr/bin/false slightly better philosophically.

> 'useradd' instead of 'adduser', which sets a /home prefix

bah.  I can never remember all the options of useradd, I much prefer
using adduser to get prompted for the options.

> Change the 'Directory Setup' section as the existing article duplicates
> what's in the default /var/spool/ftp/, and set up a local OpenBSD ftp
> mirror.

which again, would be better served in /var/www/htdocs or something
similar in the httpd chroot.

All in all, I don't think this is an improvement, and certain things
(like /var/spool/ftp) I disagree with strongly.

If developers disagree with me, let me know, but otherwise not-ok.

Nick.

> 
> Index: faq10.html
> ===================================================================
> RCS file: /cvs/www/faq/faq10.html,v
> retrieving revision 1.180
> diff -u -r1.180 faq10.html
> --- faq10.html        1 Nov 2013 14:05:56 -0000       1.180
> +++ faq10.html        11 Jan 2014 18:30:45 -0000
> @@ -963,115 +963,100 @@
>  <h3>Adding the FTP account</h3>
>  
>  <p>
> -To start off, you need to have an <i>ftp</i> account on your system.
> +To start off, you need to have an <i>ftp</i> user account on your system.
>  This account should not have a usable password. Here we will set the login
> -directory to /home/ftp, but you can put it wherever you want.
> +directory to the pre-existing <i>/var/spool/ftp</i>, as
> +<a 
> href="http://www.openbsd.org/cgi-bin/man.cgi?query=hier&amp;sektion=7";>hier(7)</a>
> +says: '<i>Commonly ~ftp; the anonymous ftp root directory</i>'
> +but you can put it wherever you want, such as another disk partition:
> +
> +<blockquote><pre>
> +$ <b>fgrep ftp /etc/fstab</b>
> +/dev/sd3a /var/spool/ftp        ffs rw,nodev,nosuid,softdep,noatime          
>    0 2
> +</pre></blockquote>
> +
>  When using anonymous ftp, the ftp daemon will chroot itself to the home
>  directory of the <i>ftp</i> user. To read up more on that, read the
>  <a 
> href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&amp;sektion=8";>ftpd(8)</a>
>  and 
>  <a 
> href="http://www.openbsd.org/cgi-bin/man.cgi?query=chroot&amp;sektion=2";>chroot(2)</a>
>  man pages. Here is an example of adding the <i>ftp</i> user. I will do
>  this using
> -<a 
> href="http://www.openbsd.org/cgi-bin/man.cgi?query=adduser&amp;sektion=8";>adduser(8)</a>.
> -We also need to add /usr/bin/false to our <i>/etc/shells</i>, this is
> -the &quot;shell&quot; that we will be giving to the <i>ftp</i> user.
> -This won't allow them to login, even though we will give them an empty
> -password. To do this you can simply do
> +<a 
> href="http://www.openbsd.org/cgi-bin/man.cgi?query=useradd&amp;sektion=8";>useradd(8)</a>.
>  
>  <blockquote><pre>
> -echo /usr/bin/false &gt;&gt; /etc/shells
> +$ <b>sudo useradd -v -c 'anonymous ftp' -d /var/spool/ftp -u 212121 -g =uid 
> -s /sbin/nologin ftp</b>
> +
> +$ <b>sudo userinfo ftp</b>
> +login   ftp
> +passwd  *************
> +uid     212121
> +groups  ftp
> +change  NEVER
> +class
> +gecos   anonymous ftp
> +dir     /var/spool/ftp
> +shell   /sbin/nologin
> +expire  NEVER
> +
> +$ <b>grep ^ftp /etc/group</b>
> +ftp:*:212121:
>  </pre></blockquote>
>  
> -After this, you are ready to add the <i>ftp</i> user:
> +<h3>Directory Setup</h3>
> +
> +<p>
> +From a default OpenBSD install, <i>ftp</i>'s home directory is already
> +there, and mostly pre-populated for anonymous ftp duties:
> +</p>
>  
>  <blockquote><pre>
> -# <b>adduser</b>
> -Use option ``-silent'' if you don't want to see all warnings and questions.
> +$ <b>sudo ls -lAR /var/spool/ftp</b>
> +total 12
> +dr-x--x--x  2 root  wheel  512 Jul 30 18:52 bin
> +dr-x--x--x  2 root  wheel  512 Jul 30 18:52 etc
> +d--x--x--x  2 root  wheel  512 Jul 30 18:52 hidden
>  
> -Reading /etc/shells
> -Check /etc/master.passwd
> -Check /etc/group
> -
> -Ok, let's go.
> -Don't worry about mistakes. There will be a chance later to correct any 
> input.
> -Enter username []: <b>ftp</b>
> -Enter full name []: <b>anonymous ftp</b>
> -Enter shell csh false ksh nologin sh [ksh]: <b>false</b>
> -Uid [1002]: <b><i>Enter</i></b>
> -Login group ftp [ftp]: <b><i>Enter</i></b>
> -Login group is ``ftp''. Invite ftp into other groups: guest no 
> -[no]: <b>no</b>
> -Login class authpf daemon default staff [default]: <b><i>Enter</i></b>
> -Enter password []: <b><i>Enter</i></b>
> -Set the password so that user cannot logon? (y/n) [n]: <b>y</b>
> -
> -Name:        ftp
> -Password:    ****
> -Fullname:    anonymous ftp
> -Uid:         1002
> -Gid:         1002 (ftp)
> -Groups:      ftp
> -Login Class: default
> -HOME:        /home/ftp
> -Shell:       /usr/bin/false
> -OK? (y/n) [y]: <b>y</b>
> -Added user ``ftp''
> -Copy files from /etc/skel to /home/ftp
> -Add another user? (y/n) [y]: <b>n</b>
> -Goodbye!
> -</pre></blockquote>
> +/var/spool/ftp/bin:
>  
> -<h3>Directory Setup</h3>
> +/var/spool/ftp/etc:
> +
> +/var/spool/ftp/hidden:
> +
> +</pre></blockquote>
>  
>  <p>
> -Along with the user, this created the directory <i>/home/ftp</i>. This
> -is what we want, but there are some changes that we will have to make to
> -get it ready for anonymous ftp. Again these changes are explained in the
> -<a 
> href="http://www.openbsd.org/cgi-bin/man.cgi?query=ftpd&amp;sektion=8";>ftpd(8)</a>
>  man page.
> +All we need to do is add the <b>pub</b>lic directory. In this example,
> +we'll also set up the directory structure for a local OpenBSD
> +ftp mirror, for both i386 &amp; sparc64 machines:
> +</p>
> +
> +<blockquote><pre>
> +$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/{i386,sparc64,packages}</b>
> +$ <b>sudo mkdir -p /var/spool/ftp/pub/OpenBSD/5.4/packages/{i386,sparc64}</b>
> +$ <b>sudo find /var/spool/ftp</b>
> +/var/spool/ftp
> +/var/spool/ftp/bin
> +/var/spool/ftp/etc
> +/var/spool/ftp/hidden
> +/var/spool/ftp/pub
> +/var/spool/ftp/pub/OpenBSD
> +/var/spool/ftp/pub/OpenBSD/5.4
> +/var/spool/ftp/pub/OpenBSD/5.4/i386
> +/var/spool/ftp/pub/OpenBSD/5.4/sparc64
> +/var/spool/ftp/pub/OpenBSD/5.4/packages
> +/var/spool/ftp/pub/OpenBSD/5.4/packages/i386
> +/var/spool/ftp/pub/OpenBSD/5.4/packages/sparc64
> +</pre></blockquote>
>  
>  <p>
> -You <b>do not</b> need to make a /home/ftp/usr or /home/ftp/bin
> -directory.
> -<ul>
> -<li><i>/home/ftp</i> - This is the main directory. It should be owned by
> -root and have permissions of 555.
> -<li><i>/home/ftp/etc</i> - This is entirely optional and not
> -recommended, as it only serves to give out information on users which
> -exist on your box. If you want your anonymous ftp directory to appear to
> -have real users attached to your files, you should copy /etc/pwd.db and
> -/etc/group to this directory. This directory should be mode 511, and the
> -two files should be mode 444. These are used to give owner names as
> -opposed to numbers. There are no passwords stored in pwd.db, they are
> -all in spwd.db, so don't copy that over.
> -<li><i>/home/ftp/pub</i> - This is a standard directory to place files
> -in which you wish to share. This directory should also be mode 555.
> -</ul>
> -
> -<p> 
> -Note that all these directories should be owned by ''root''. Here is a
> -listing of what the directories should look like after their creation.
> +Now we'll set the directory permissions so the <i>ftp</i> user can read,
> +and the <i>wheel</i> group can write (ftp get base tarballs and packages):
> +</p>
>  
>  <blockquote><pre>
> -# pwd
> -/home
> -# ls -laR ftp
> -total 5
> -dr-xr-xr-x  5 root  ftp    512 Jul  6 11:33 .
> -drwxr-xr-x  7 root  wheel  512 Jul  6 10:58 ..
> -dr-x--x--x  2 root  ftp    512 Jul  6 11:34 etc
> -dr-xr-xr-x  2 root  ftp    512 Jul  6 11:33 pub
> -
> -ftp/etc:
> -total 43
> -dr-x--x--x  2 root  ftp    512 Jul  6 11:34 .
> -dr-xr-xr-x  5 root  ftp    512 Jul  6 11:33 ..
> --r--r--r--  1 root  ftp    316 Jul  6 11:34 group
> --r--r--r--  1 root  ftp  40960 Jul  6 11:34 pwd.db
> -
> -ftp/pub:
> -total 2
> -dr-xr-xr-x  2 root  ftp  512 Jul  6 11:33 .
> -dr-xr-xr-x  5 root  ftp  512 Jul  6 11:33 ..
> +$ <b>sudo chown -R root:wheel /var/spool/ftp/pub</b>
> +$ <b>sudo chmod 555 /var/spool/ftp/pub</b>
> +$ <b>sudo chmod -R 575 /var/spool/ftp/pub/OpenBSD/</b>
>  </pre></blockquote>
>  
>  <h3>Starting up the server and logging</h3>
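Review bot: the removed `<ul>` block explained why everything under the ftp root must be owned by root and read-only (the chroot tree, the optional `etc/` copy of `pwd.db` and `group`, and the warning not to copy `spwd.db`), but the replacement text carries none of that over; keep at least one sentence stating that ftpd(8) chroots to this directory and that nothing in it should be writable by the <i>ftp</i> user or by any group it belongs to. The new `chmod -R 575 /var/spool/ftp/pub/OpenBSD/` grants group write to wheel with only the parenthetical "(ftp get base tarballs and packages)" as rationale; say explicitly who is expected to write there, and note that re-running a recursive 575 after the mirror is populated would also set the execute bit on every file, so restrict it to directories or run it only before populating. Also, the patch as quoted has been wrapped by the mailer (the fstab line breaks before `0 2`, and the `useradd ... -g =uid` line breaks before `-s /sbin/nologin ftp`), so it will not apply cleanly as pasted; resend it as an attachment or with wrapping disabled.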
