How to Set Up a Proper Anonymous FTP Account

An anonymous FTP account is a way for you to make information on your system available to anybody, while still restricting access to your system. An anonymous FTP account lets anybody log in to your system as user "anonymous" or "ftp." Any such login causes the FTP server to chroot to the FTP home directory (~ftp), so the anonymous FTP user cannot reach any part of your directory structure that is not a subdirectory of ~ftp (see chroot(1M)). Everything the anonymous user needs, including the ls program and the files it depends on, must therefore be copied into that tree.

The following procedure is designed to help you set up a network-accessible anonymous FTP account. As usual, understanding the various steps and continually monitoring how the account is used are necessary to protect your system security.

  1. Create the anonymous FTP user entry in /etc/passwd. The user name should be "ftp." Put an asterisk (*) in the password field, and assign user and group IDs, a home directory, and a login shell. The following is an example of a typical entry in /etc/passwd for an anonymous FTP account:

    ftp:*:997:999:anonymous FTP account:/usr/people/ftp:/dev/null

    The login shell /dev/null is recommended but not required, and the home directory can be anywhere, with reservations as explained in the next step.

  2. Create an anonymous FTP directory. This may be wherever you like but, especially if you are going to allow writes to it, it should be on a separate partition from / or /usr. That way, if anonymous users fill the partition, they do not disable basic system operations.

    In this example procedure, /usr/people/ftp is the name of the anonymous FTP directory. First, make the directory:

    # mkdir /usr/people/ftp

    and then, if it is a separate disk or disk partition, you can mount the device on it (see mount(1M)). The anonymous FTP home directory you make must be the same one you specify in the /etc/passwd file.

  3. Set read and execute (search) permission for everyone on the anonymous FTP directory, with no write permission for anyone, and change the owner to "ftp" and the group to "other". Mode 555 leaves no write bit for the owner either, so the ftp user itself cannot create or remove files at the top level of the tree:

    # chmod 555 /usr/people/ftp

    # chown ftp.other /usr/people/ftp

  4. Change directory to the ftp home directory and create the subdirectories used for FTP access:

    # cd /usr/people/ftp

    # mkdir bin etc pub private

    In addition to the standard bin, etc, and pub directories, you may wish to make a private directory for private transmissions, as explained below.

  5. For the bin and etc directories, set the owner to "root," the group to "sys," and read and execute permission for everyone, with no write permission. These directories hold the programs and files the anonymous user runs against, so they must not be modifiable by the ftp user:

    # chmod 555 bin etc

    # chown root.sys bin etc

  6. For the pub directory, set the owner to "ftp," the group to "other," and read, write, and execute permission for everyone:

    # chown ftp.other pub

    # chmod 777 pub

    Caution: By allowing write permission, you make it possible for anonymous FTP users to fill the disk partition, and to use the directory as an exchange point for files you never intended to host. Check its contents regularly, and leave write permission off unless you need it.

  7. If you created a private directory, set the permissions so that anybody can write to it but nobody can list its contents. The directory must not be owned by "ftp": anonymous sessions run as user ftp, and the owner's permission bits would let them read the directory regardless of what the "other" bits say. Own it by root instead, and note that the second command is chmod, not chown:

    # chown root.guest private

    # chmod 773 private

    Anybody logging in can now place or retrieve files in the private directory, but they must be told the name of the file beforehand, because they cannot list the directory contents. Nothing in these permissions stops a later anonymous user from overwriting or deleting a file that an earlier one uploaded, so move uploads out of private promptly.

    Caution: By allowing write permission, you make it possible for anonymous FTP users to fill the disk partition.

  8. Copy the ls command from /bin to ~ftp/bin (you are still in ~ftp):

    # cp /bin/ls bin

  9. Copy /etc/passwd and /etc/group to ~ftp/etc and cut the copies down to the minimum. They exist only so that ls inside the chroot can translate user and group IDs to names; they must never carry real password hashes, which is why every password field below is an asterisk:

    # cp /etc/passwd etc

    # cp /etc/group etc

    A good choice for the contents of passwd might be

    root:*:0:0:super-user:/:/dev/null

    bin:*:2:2:system tools owner:/bin:/dev/null

    sys:*:4:0:system activity owner:/usr/adm:/dev/null

    ftp:*:997:999:anonymous FTP account:/usr/people/ftp:/dev/null

    A good choice for the contents of group might be

    other::995:

    guest:*:998:

    ftp:*:999:

  10. Set restrictive permissions on ~ftp/etc/passwd and ~ftp/etc/group:

    # chmod 444 etc/*

  11. Add the device and library files that ls needs inside the chroot, as follows. The device numbers and library names are for IRIX; confirm them against ls -l /dev/zero and the libraries /bin/ls depends on, and repeat the copies after an operating-system upgrade, because the copies in ~ftp are not updated with the rest of the system:

    # mkdir dev

    # /sbin/mknod /usr/people/ftp/dev/zero c 37 0

    # mkdir lib

    # cp /lib/libc.so.1 lib

    # cp /lib/rld lib

  12. Add the following entry to the file /etc/aliases to cause mail sent to the user ftp to go to the postmaster:

    ftp: postmaster

    Run the command newaliases to make this take effect. (This assumes you have an alias of postmaster in /etc/aliases. See aliases(4) and newaliases(1M).)

  13. Enable FTP logging as described in "Limiting inetd Services" in Chapter 5 in IRIX Admin: Backup, Security, and Accounting . Note that if you use one -l argument with ftpd, you record only successful and unsuccessful FTP login attempts. If you use two "l"s, you also record actions on files and directories performed during ftp login sessions, and three "l"s cause the report to include the number of bytes transferred in get and put operations.

    For example, the following entry in /etc/inetd.conf means all logging information but the byte count is sent to /var/adm/SYSLOG:

    ftp stream tcp nowait root /usr/etc/ftpd ftpd -ll

  14. Once you have edited /etc/inetd.conf, restart inetd with the following command:

    # /etc/killall -HUP inetd

    Note: Although the FTP logging records in /var/adm/SYSLOG now show any passwords entered by users logging in, no password checking is done for anonymous FTP. The convention is for anonymous users to enter their e-mail addresses as passwords, but they can just as easily enter another user's address or anything at all, so treat the logged value as unverified. Because these records can contain password strings, keep /var/adm/SYSLOG readable by root only.
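The following script is an added example and is not part of the IRIX manual or of any SGI tool. It builds the ~ftp tree from steps 2 through 10 in a directory you name, and then audits the result for the mistakes the procedure warns about: a write bit on the top level, bin, etc, dev or lib; a private directory whose "other" bits allow listing; and a passwd or group copy that carries something other than "*" in a password field. The function names, the FTPHOME argument and the audit checks are this example's own; the directory layout, modes, file contents, ownerships, device numbers and library paths are the ones given in the procedure. The tree-building and audit functions run as an ordinary user on any POSIX system, so you can rehearse them in a scratch directory; the IRIX-specific finishing steps (chown, copying ls and its runtime, creating /dev/zero) are kept in a separate function that must be run as root on the target host.

```shell
#!/bin/sh
# Added example, not from the IRIX manual: build the anonymous FTP tree from
# the procedure above in a scratch location and audit it afterwards.
# Function names, the FTPHOME argument and the checks are this example's own.

# Create the tree with the modes from steps 2 through 10.  Safe to rehearse as
# an ordinary user: no chown, no binaries copied, no device nodes created.
make_anon_ftp_tree() {
    ftphome=$1
    mkdir -p "$ftphome/bin" "$ftphome/etc" "$ftphome/pub" \
             "$ftphome/private" "$ftphome/dev" "$ftphome/lib"
    # Stripped passwd/group copies: ls needs them only to map IDs to names,
    # and every password field is "*" so no real hash leaves /etc.
    cat > "$ftphome/etc/passwd" <<'EOF'
root:*:0:0:super-user:/:/dev/null
bin:*:2:2:system tools owner:/bin:/dev/null
sys:*:4:0:system activity owner:/usr/adm:/dev/null
ftp:*:997:999:anonymous FTP account:/usr/people/ftp:/dev/null
EOF
    cat > "$ftphome/etc/group" <<'EOF'
other::995:
guest:*:998:
ftp:*:999:
EOF
    chmod 444 "$ftphome/etc/passwd" "$ftphome/etc/group"
    chmod 555 "$ftphome/bin" "$ftphome/etc" "$ftphome/dev" "$ftphome/lib"
    chmod 777 "$ftphome/pub"       # world-writable drop area (step 6 caution)
    chmod 773 "$ftphome/private"   # others may create and fetch by name, not list
    chmod 555 "$ftphome"           # last: nobody may create files at the top level
}

# IRIX-only finishing steps: ownership, ls and its runtime, /dev/zero.
# Run as root on the IRIX host; paths and device numbers are the manual's.
install_irix_pieces() {
    ftphome=$1
    chown ftp.other "$ftphome" "$ftphome/pub"
    chown root.sys "$ftphome/bin" "$ftphome/etc"
    chown root.guest "$ftphome/private"   # root, not ftp: anonymous sessions run as ftp
    cp /bin/ls "$ftphome/bin/ls"
    cp /lib/libc.so.1 /lib/rld "$ftphome/lib"
    /sbin/mknod "$ftphome/dev/zero" c 37 0
}

# Permission string from ls -ld, e.g. "dr-xr-xr-x" (portable where stat(1) is not).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Re-check the tree; prints each problem and returns non-zero if any was found.
audit_anon_ftp() {
    ftphome=$1
    rc=0
    for d in "$ftphome" "$ftphome/bin" "$ftphome/etc" "$ftphome/dev" "$ftphome/lib"; do
        case "$(mode_of "$d")" in
            ??-??-??-?) ;;    # no write bit for owner, group or other
            *) echo "audit: $d is writable (mode $(mode_of "$d")), expected 555" >&2; rc=1 ;;
        esac
    done
    case "$(mode_of "$ftphome/private")" in
        ???????-wx) ;;        # others: write and search, but no read (no listing)
        *) echo "audit: $ftphome/private should be mode 773" >&2; rc=1 ;;
    esac
    for f in "$ftphome/etc/passwd" "$ftphome/etc/group"; do
        # a second field that is neither "*" nor empty could be a real hash
        if ! awk -F: '$2 != "*" && $2 != "" { bad = 1 } END { exit bad }' "$f"; then
            echo "audit: $f carries a password field that is not *" >&2; rc=1
        fi
    done
    return $rc
}
```

On the IRIX host, run make_anon_ftp_tree /usr/people/ftp followed by install_irix_pieces /usr/people/ftp as root, then audit_anon_ftp /usr/people/ftp; the audit is cheap enough to run from root's crontab so that a permission drifting back to writable is noticed rather than discovered from the contents of pub.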

If you place any text in the file /etc/issue, it is displayed when a user connects to your system, before the login prompt is displayed. You might want to include information here about the kind of services your FTP site offers, and whom to contact in case of problems. In addition, any text in the file ~ftp/README is displayed after the anonymous FTP user logs in.

Refer to crontab(1), syslogd(1M), and the file /var/spool/cron/crontabs/root for information on changing the frequency or nature of system log file maintenance--you may, for example, want to increase the length of time you keep log files. To help you keep track of the demands made on your public FTP server, see Chapter 6 of IRIX Admin: Backup, Security, and Accounting for information on auditing system resource usage, and Chapter 7 of IRIX Admin: Backup, Security, and Accounting for general system accounting information.
