Tips & techniques for Users of Sunsoft Solaris

May 1995

Setting up an anonymous ftp site

If you spend a lot of time exploring the Internet, you quickly discover that one of the most prevalent resources on the Internet is anonymous ftp sites; that is, ftp sites that allow you to log in as the user anonymous. This type of ftp site is very useful for organizations that want to make files available to anyone who wants them but that want to maintain a secure computing environment.

In this article, we'll walk through the steps necessary to set up an anonymous ftp site on a PC or Sparc workstation running Solaris 2.4. First, we'll create a dedicated group and user that can be used by the anonymous ftp process; then, we'll build a special subdirectory hierarchy to which users will be confined when making an anonymous ftp connection to the system. Finally, we'll test the anonymous ftp site and show you what users will see when they access it.

Editing the group and user databases

To start the process, log on as root to the system that will contain the anonymous ftp site. Then, start OpenWindows, open a Command Tool window, and type

admintool &

to run Administration Tool. You'll use this utility to define a new ftp group and ftp user.

Creating the ftp group

In the Administration Tool window, click the Database Manager icon. When you do, you'll see the Load Database window, shown in Figure A.

In this window, first click the button in the Naming Service section that corresponds to the type of naming service your network uses. Next, in the Databases list box, click the Group entry. Then, click Load to view the Group database. At this point, you'll see the Database Manager - Group Database window, shown in Figure B, which displays all currently defined groups.

To add an ftp group, click Edit and select Add Entry... from the resulting button menu. Then, enter the information for the new group in the Database Manager: Add Entry window, shown in Figure C. Type ftp in the Group Name field and 99 in the Group ID field. After you've entered these values, click Add to add the ftp group to the Group database.

Incidentally, our choice of the number 99 for the ftp group's ID is completely arbitrary. You can choose a different number. However, the group ID you choose shouldn't be assigned to any other group in the Group database.

When you've defined the new group, click the pushpin to close the current window. Then, quit Database Manager and return to the main Administration Tool window.

Creating the ftp user

Once you've created the ftp group, you must create an ftp user. Start by clicking the User Account Manager icon in the Administration Tool window. When you do, you'll see the User Account Manager window, shown in Figure D.

In this window, click Edit and then select Add User... from the resulting button menu. At this point, you'll see the User Account Manager: Add User window, shown in Figure E.

You must enter into the fields in this window specific information defining the special ftp user. First, type ftp in the User Name field and 99 in the User ID field. (Again, we chose the number 99 arbitrarily. You should choose a user ID that hasn't already been assigned to another user.) Next, type ftp in the Primary Group field to make the user a member of the group you defined in the previous section. Then, move to the Comment field and type Anonymous ftp user.

Next, for security reasons, you must make two unusual changes to the ftp user's settings. For the first change, open the Login Shell button menu and select Other from the menu. Then, type /nosuchshell in the Login Shell field. For the second change, open the Password button menu and select the option No passwd -- setuid only. These two changes prevent anyone from logging on to the system by using the ftp account.

At this point, move the cursor to the Path field in the HOME DIRECTORY section of the window. You must now decide where you're going to place all the files associated with the anonymous ftp site. Be sure to select a location that has sufficient disk space. On our machine, we'll use the directory /export/ftp as the home directory for the anonymous ftp site.

Type the full path name of the anonymous ftp site's home directory into the Path field. If you're following our example, you'd type /export/ftp in this field. Then, in the Server field, type the host name of the machine on which the home directory resides. (In most cases, it's the host name of the machine upon which you're currently working.) For our example, we'll type the host name widget2 in the Server field.

When you've entered all the information in the window, click Add to create an entry for the new user in the /etc/passwd and /etc/shadow files. Then, click the pushpin to close the current window. Finally, quit User Account Manager and Administration Tool.

Creating the ftp directory hierarchy

The key to setting up an anonymous ftp site is building a miniature UNIX file system with its own /bin, /usr, /usr/lib, /etc, /dev, and /pub directories. When anonymous ftp users connect to your system, this miniature file system is all that they'll have access to. Furthermore, you define file and directory permissions so the only directory in this file system they have read or write access to is /pub.

The process of creating the ftp file system consists of two basic steps: creating the directory hierarchy and copying or creating critical system files within the directory hierarchy. Let's examine these steps one at a time.

Creating ftp file system hierarchy

In our example, we place the ftp file system in the /export directory. Therefore, you first use the cd command to change directories to /export and then create the directories in the ftp file system. Here are the commands you use to perform this step:

cd /export

mkdir ftp

cd ftp

mkdir usr

mkdir usr/lib

mkdir usr/bin

mkdir etc

mkdir dev

mkdir pub

ln -s usr/bin bin

Next, you need to assign permissions to these directories. From a security standpoint, this is undeniably the most important step in the entire process. The permissions on these directories prevent hackers from altering your ftp site and gaining access to your system. Therefore, it's critical that you set permissions that will protect all but the pub directory from unauthorized tampering. Use the following commands to assign permissions to the directories in the ftp file system.

cd /export

chmod ugo+rx-w ftp

chown ftp ftp

chgrp ftp ftp

cd ftp

chmod 111 bin

chmod 111 usr

chmod 111 usr/lib

chmod 111 usr/bin

chmod 000 etc

chmod 111 dev

chmod 555 pub

Notice that the final command gives only read and execute permissions to the pub directory for anonymous ftp users. This is the setting you'll want to use if you don't want anonymous ftp users to be able to put new files in the pub directory. On the other hand, if you do want anonymous ftp users to be able to put files in the pub directory, you should use the command

chmod 777 pub

to set permissions for the directory.

Creating and copying system files

After creating the directories and setting the permissions, you must copy a few system files to some of these directories so anonymous ftp users will have a required minimum of functionality while attached to the system. Specifically, you need to copy the executable file for the ls command to the bin directory and the shared object libraries that ls needs to the usr/lib directory. Here are the commands you use to copy the necessary files:

cd /export/ftp

cp /usr/ucb/ls bin

chmod 111 bin/ls

cp /usr/lib/ld.so* usr/lib

cp /usr/lib/libc.so* usr/lib

cp /usr/lib/libdl.so* usr/lib

cp /usr/lib/libintl.so* usr/lib

cp /usr/lib/libnsl.so* usr/lib

cp /usr/lib/libsocket.so* usr/lib

cp /usr/lib/nss_nis.so* usr/lib

cp /usr/lib/nss_nisplus.so* usr/lib

cp /usr/lib/nss_dns.so* usr/lib

cp /usr/lib/nss_files.so* usr/lib

cp /usr/lib/straddr.so* usr/lib

Next, you must place special group, passwd, and netconfig files in the /export/ftp/etc directory. You can create these files using the following commands:

cd /export/ftp

cp /etc/netconfig etc

echo "ftp:*:99:" > etc/group

echo "ftp:*:99:99:Anon ftp:/export/ftp:" > etc/passwd

chmod 444 etc/*

Finally, you need to create four devices (zero, tcp, udp, and ticotsord) in the dev directory. These are just four of the many devices found in the /dev directory of a typical Solaris workstation. Because the anonymous ftp site allows only a minuscule subset of standard UNIX operations, these are the only devices needed to implement the site. You create these devices by using the commands

cd /export/ftp

mknod dev/zero c 13 12

mknod dev/tcp c 11 42

mknod dev/udp c 11 41

mknod dev/ticotsord c 99 1

chmod 444 dev/*

At this point, you're done creating the ftp file system's directory hierarchy, except for one important step. You need to copy some sample files to the /export/ftp/pub directory so you'll have something to download when you test the ftp site in the next section.
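The permission rules above are easy to get wrong and easy to regress later (one cp or chmod in the wrong directory undoes them), so here is an audit script you can run as root against the finished tree. It is an added example, not part of the original article or of Solaris; the script name ftpchk.sh and the build_demo_tree stand-in (which mimics the article's layout with 555 directories so the check can be tried without root) are assumptions of this example.

```shell
#!/bin/sh
# Added audit script, not from the original article. Run as root:
#   sh ftpchk.sh /export/ftp        (exit 0 = clean, 1 = findings printed)
# Rules checked, taken from the article: nothing outside pub may be writable
# by anyone (the ftp user owns the tree, so the owner bit counts too), nothing
# may be setuid/setgid, and the chroot's etc/passwd must hold no real hash.

check_ftp_tree() {
    root=$1
    findings=0
    # 1. Write bits outside pub. pub is pruned because it may be 777 on
    #    purpose; symlinks (bin -> usr/bin) are skipped, their mode is meaningless.
    writable=$(find "$root" -name pub -prune -o ! -type l \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$writable" ]; then
        echo "writable outside pub:"; echo "$writable"; findings=1
    fi

    # 2. Setuid/setgid files inside the chroot (the copied ls must be 111).
    suid=$(find "$root" \( -perm -4000 -o -perm -2000 \) -print)
    if [ -n "$suid" ]; then
        echo "setuid/setgid files:"; echo "$suid"; findings=1
    fi

    # 3. Stub passwd: every password field must be exactly "*".
    if ! [ -f "$root/etc/passwd" ] ||
       ! awk -F: 'BEGIN{bad=0} $2!="*"{bad=1} END{exit bad}' "$root/etc/passwd"; then
        echo "etc/passwd missing or has a usable password field"; findings=1
    fi

    return $findings
}

# Constructed stand-in for /export/ftp so the check can be tried without root:
# same layout and file modes as the article, but directories are 555 instead of
# 111/000 (an unprivileged find cannot descend those) and the device nodes are
# plain files.
build_demo_tree() {
    d=$1
    mkdir -p "$d/usr/lib" "$d/usr/bin" "$d/etc" "$d/dev" "$d/pub"
    ln -s usr/bin "$d/bin"
    : > "$d/usr/bin/ls"; chmod 111 "$d/usr/bin/ls"
    for dev in zero tcp udp ticotsord; do : > "$d/dev/$dev"; done
    echo "ftp:*:99:" > "$d/etc/group"
    echo "ftp:*:99:99:Anon ftp:/export/ftp:" > "$d/etc/passwd"
    chmod 444 "$d"/dev/* "$d"/etc/*
    chmod 555 "$d" "$d/usr" "$d/usr/lib" "$d/usr/bin" "$d/etc" "$d/dev" "$d/pub"
}

if [ $# -gt 0 ]; then check_ftp_tree "$1"; fi
```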

Testing the ftp site

You can test the anonymous ftp site from another machine on the network or from the same machine that contains the site. In either case, you establish a connection to the ftp site by opening a Command Tool window and typing

ftp ftphost

where ftphost is the host name of the machine containing the ftp file system you just created. For example, we'd use the command ftp widget2, since widget2 is the host where we created our ftp site.

If the physical connection between the machines is working, the first prompt you see will look something like the one shown in Figure F.

At the Name prompt, type anonymous and press [Enter]. The ftp site will respond with the prompt

331 Guest login ok, send ident as password.

Password:

The accepted convention is that you should enter your E-mail address as the password. After you do, you'll see the message

230 Guest login ok, access restrictions apply.

followed by the prompt

ftp>

At this point, you're connected to the ftp site as an anonymous user. If you issue the command ls -al, you'll see the root directory of the ftp site, as shown in Figure G.

Then, you can use the cd /pub command to move to the /pub directory and issue the ls -al command again to view that directory's contents. For instance, when we did this on our system, we saw the response shown in Figure H. As you can see, we populated our /pub directory with four files. Because this directory listing shows you the files' sizes, you can see which files might take a long time to download before you actually use the get command to retrieve them.

If you see a file that you want to download, first type bin and press [Enter] to switch to binary mode. Then, type get filename and press [Enter], where filename is the name of the file.

The ftp program will copy the file to the current directory on your machine. To change the current directory on your machine, use the lcd (local change directory) command.

Conclusion

Many organizations have established anonymous ftp sites on the Internet. In this article, we showed how you can create your own anonymous ftp site. However, we would be remiss if we didn't leave you with this warning: There's no guarantee that any anonymous ftp site is ever 100-percent safe from hackers.

If you make an anonymous ftp site publicly available, you may want to take additional safety precautions. For example, you might want to completely isolate the machine containing the ftp site from the rest of your network. That way, the worst a hacker can do is corrupt or delete files on that one machine. As long as you keep good backups and periodically verify the machine's files, you can quickly recover from such intrusions, should they ever occur.


Copyright (c) 1995 The Cobb Group, a division of Ziff-Davis Publishing Company. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff-Davis Publishing Company is prohibited. The Cobb Group and The Cobb Group logo are trademarks of Ziff-Davis Publishing Company.

Inside Solaris is a publication of The Cobb Group.
1-800-223-8720