Original request.
>
> Does anyone have any information on how to set up an anonymous ftp on a
> sun3 system running SunOS 4.1.1U1? Are there any recommended patches
> I should be aware of?
>
> If it is in the FM then could that person let me know where?
>
Special thanks to the following people:
>From john@mlb.semi.harris.com Sat Aug 1 03:14:59 1992
>From higgins@math.niu.edu Sat Aug 1 03:57:39 1992
>From daneel@Trantor.DSO.gov.SG Sun Aug 2 20:19:40 1992
>From Roberto@sunsci.cern.ch Mon Aug 3 03:34:39 1992
>From Stephan.Edman@eua.ericsson.se Mon Aug 3 06:36:07 1992
>From halvard@trd.sdata.no Mon Aug 3 10:52:11 1992
>From cagroth@snll-arpagw.llnl.gov Mon Aug 3 11:18:29 1992
>From solomon!kevinc@qiclab.scn.rain.com Tue Aug 4 03:38:42 1992
>From macphed@dvinci.usask.ca Tue Aug 4 10:58:24 1992
The majority of replies were do 'man ftpd'.
cagroth@snll-arpagw.llnl.gov gave this interesting reply:
>The "Unix System Administration Handbook" by Evi Nemeth, Garth Snyder and
>Scott Seebass (ISBN 0-13-933441-6) provides excellent examples on how to
>set up your site as an anonymous ftp site.
All replies were very helpful with the most thorough one going to
higgins@math.niu.edu
Thank you!
-----------------------------------------------------------------------------
>From higgins@math.niu.edu Sat Aug 1 03:57:39 1992
1) Find a free partition about the right size. This makes it easy to
   back the thing up and restore it.
2) I made a directory /ftproot on the machine where it needs to sit, with
   555 permissions.
3) Mount the partition on /ftproot.
4) Make sure you have an ftp user in the /etc/passwd for that machine.
   I run NIS (YP) here, and passwords are network wide, but I only allow
   ftp into one machine. So its /etc/passwd has an ftp user-id, but
   there is none in the master passwd file.
5) Jump over to wuarchive and get
       wuarchive.wustl.edu:/packages/ftpd.wuarchive.shar
6) In /ftproot
       mkdir bin etc dev pub usr usr/lib
   check the ownership and permissions; I set all my top dir to be root.wheel
   except for ftproot/etc which is root.daemon; all have 555 permissions.
   usr/lib is root.daemon and 555 also.
7) cp /usr/bin/ls to /ftproot/usr
   cp /usr/lib/ld.so to /ftproot/usr/lib
   cp /usr/lib/libc.so.1.6 to /ftproot/usr/lib
   make the owner.group and permissions match the originals.
8) ls -l /dev/zero
   in /ftproot/dev mknod zero c major minor
   using the major and minor from the ls.
9) create /ftproot/etc/passwd
   you'll need the usual entries, mine look like this:
       root:*:0:0::/:/dev/null
   ditto for daemon, sys, bin, ftp
10) create /ftproot/etc/group
    again, you really only want the group names and numbers, you
    don't need group members. This is to make listings look pretty.
11) create the ftp entry in /etc/passwd
    mine looks like this
        ftp:*:400:400:Anonymous FTP:/ftproot:/bin/csh
12) At this point in time, if a real user can ftp into the machine,
    anonymous ftp should be working too. If real users can't ftp
    (non-anonymously) into the machine, you'll need to uncomment
    or install the following line in /etc/inetd.conf
        ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd
    and restart inetd. (Use ps to find the pid and kill -HUP pid ).
13) Unshar the ftpd.wuarchive stuff, read thru it and decide if you
    want to install it. Many, many sites are going to it. It essentially
    replaces /usr/etc/in.ftpd, so you'll eventually end up changing some
    of (13) if you use it. Put in the time and install it.
14) Since the stated purpose of our anonymous ftp is to allow our professors
    to 'publish' their papers, in my math.niu.edu:/pub, I put a directory
    for the professors to put their papers in. Each person owns their own
    papers subdirectory. Since we run C2, to protect the user-ids, I
    installed into /ftproot/etc/passwd each user's id with a locked passwd,
    and instead of the username, gave them all the name papers. Since
    the directories are all named Lastname,Firstname, even though we
    identify the person, we give away neither their login name, nor
    their user-id. (This works since you can't do an ls -n) eg:
        papers:*:5001:5000::/:/dev/null
        papers:*:5002:5000::/:/dev/null
    Depending upon what you're using your anon ftp service for, you
    might find this technique useful. It's not really a security
    technique, as much as it is a blankie for the more paranoid of
    our users.
15) Run thru the system and make sure that all 'protected' files are
    non-writable, protected directories are non-writable. You may
    want to consider creating a contrib directory 1777 for people to
    stick stuff in.
16) My ftp machine is olympus.math.niu.edu, but in my nameserver
    I put in an A record for the domain with the address of olympus
    so that ftp math.niu.edu gets you to the right machine, and a
    CNAME record for ftp.math.niu.edu so it takes you to the same
    place.
It's been 6 or 7 months since I set this up, but unless I've forgotten
something you should be happening.
-Gregory Higgins, Systems Manager, higgins@math.niu.edu
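
The permission sweep from step 15, written as a check that can be re-run after every change to the tree (an added example, not part of the original post). It assumes the /ftproot layout, the "*" locked-password marker from step 9 and the ftp uid 400 from step 11; the function name and the finding labels are made up here.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP tree such as the /ftproot built above.
# Usage: audit_ftproot ROOT [FTP_UID]   (FTP_UID defaults to 400, as in step 11)
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_ftproot() {
    root=$1
    ftp_uid=${2:-400}
    [ -d "$root" ] || { echo "ERROR: $root is not a directory" >&2; return 2; }

    report=$(
        # Step 15: nothing may be writable by group or other. The one
        # exception is a sticky drop directory (mode 1777, the "contrib"
        # idea), where users cannot remove each other's files.
        find "$root" ! -type l \( -perm -020 -o -perm -002 \) \
            ! \( -type d -perm -1002 \) -print | sed 's/^/WRITABLE: /'

        # Step 6 hands the tree to root; the account that anonymous
        # sessions run as should not own anything inside it.
        find "$root" -user "$ftp_uid" -print | sed 's/^/FTP-OWNED: /'

        # Steps 9 and 14: the passwd copy inside the tree exists only so
        # that ls can print names, so every password field should be "*".
        if [ -f "$root/etc/passwd" ]; then
            awk -F: 'NF && $2 != "*" { print "UNLOCKED-PASSWD: " $1 }' \
                "$root/etc/passwd"
        fi
    )

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Run as a script:  sh audit_ftproot.sh /ftproot 400
if [ "$#" -gt 0 ]; then
    audit_ftproot "$@"
fi
```

A non-zero exit status makes it easy to run from cron and mail the output only when something has drifted.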