Debian Lenny ftp setup 

% aptitude install wu-ftpd
The following NEW packages will be installed:
  wu-ftpd
Need to get 281kB of archives. After unpacking 803kB will be used.
Setting up wu-ftpd (2.6.2-28) ...
The anonymous FTP user has been successfully removed.
Its home directory, /home/ftp, has been left intact.
Starting FTP server: wu-ftpd.

setup for Debian anonymous login 

Subject: Re: Debian FTP server setup questions
Newsgroups: gmane.linux.debian.user
Date: 2008-03-01

http://article.gmane.org/gmane.linux.debian.user/317784

> Do I need special setup for anonymous login to work?

yes, via addftpuser/rmftpuser:

% addftpuser --group tong
Adding system user `ftp' (UID 102) ...
Adding new group `ftp' (GID 104) ...
Adding new user `ftp' (UID 102) with group `ftp' ...
Not creating home directory `/home/ftp'.
The anonymous FTP user has been successfully set up.

Without addftpuser, you will get:

$ ftp localhost
Connected to my.host.org.
220 my.host.org FTP server (Version wu-2.6.2(1) Fri Jul 27 12:19:39 UTC 2007) ready.
Name (localhost:tong): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
530 Login incorrect.
Login failed.
ftp> 221 Goodbye.

After enabling anonymous login:

$ ftp localhost
Connected to my.host.org.
220 my.host.org FTP server (Version wu-2.6.2(1) Fri Jul 27 12:19:39 UTC 2007) ready.
Name (localhost:tong): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user anonymous@my.host.org !
230-
230-The local time is: Sat Mar  1 04:07:04 2008
230-
230-This is an experimental FTP server.  If have any unusual problems,
230-please report them via e-mail to <root@my.host.org>.
230-
230-
230 Guest login ok, access restrictions apply.

Files created under /home/ftp:

$ cd /home/ftp
$ find .
.
./bin
./bin/ls
./bin/tar
./bin/zip
./bin/gzip
./dev
./dev/null
./etc
./etc/group
./etc/passwd
./etc/pathmsg
./lib
./lib/libacl.so.1
./lib/libattr.so.1
./lib/libselinux.so.1
./lib/libsepol.so.1
./lib/ld-linux.so.2
./lib/libdl.so.2
./lib/libpthread.so.0
./lib/libc.so.6
./lib/librt.so.1
./pub
./welcome.msg

documented on: 2008-02-29

Debian Lenny anonymous ftp upload setup 

Example: File ftpaccess
# Debian default wu-ftpd `ftpaccess' configuration file, derived from
# the `ftpaccess.heavy' example in wu-ftpd sources.
# For more options/commands see ftpaccess(5) and /usr/share/doc/wu-ftpd/*.

# E-mail address of the FTP admin, can be accessed via the %E in messages.
#email ftpadmin@misconfigured.host

# == Loggings & Messages

# Which UIDs and GIDs may, and which may not use the FTP service.
#deny-uid %-99
#deny-gid %-99
#allow-uid ftp ftpadmin
#allow-gid ftp ftpadmin

# Password verification for the anonymous FTP user.
#               <none|trivial|rfc822>  [<enforce|warn>]
passwd-check    rfc822  enforce

# Maximum number of retries after login failures, before disconnecting.
#loginfails 5

# Can users see anything else but their home directory
#restricted-uid lamer
#unrestricted-gid ftpadmin

# Allow use of private file for SITE GROUP and SITE GPASS?
#private        no

# What kind of greeting to give. Default: full
#greeting <full|brief|terse|text somemessage>

# The file wu-ftpd will check to see if the server is going to be shut down.
# If shutmsg exists, don't allow logins
# (use ftpshut to generate it)
shutdown /etc/wu-ftpd/shutmsg

# Maximum connection time in minutes
#limit-time anonymous 30

# Banner to show immediately on connect.
#banner /etc/wu-ftpd/welcome.msg

# Deny access to specified hosts, with message.
#deny   *.microsoft.com                 /etc/wu-ftpd/msg.deny
#deny   /etc/wu-ftpd/denied.hosts       /etc/wu-ftpd/msg.deny
# !nameserved means hosts that can't be resolved.
#deny   !nameserved     /etc/wu-ftpd/msg.nodns

# Various DNS related options.
#dns refuse_mismatch <filename> [override]
#dns refuse_no_reverse <filename> [override]
#dns resolveroptions [options]

# == Account setup

# Class name    typelist                addresses
#class  local   real,guest,anonymous    *.my.domain 192.168.0.0
#class  remote  real,guest,anonymous    *
#class   all    real,guest,anonymous    *

# Only allow anonymous users -- no other classes defined
class   anonftp anonymous               *

# Limit who     how many        date/time       message file
#limit  local   20      Any                     /etc/wu-ftpd/msg.toomany
#limit  remote  100     SaSu|Any1800-0600       /etc/wu-ftpd/msg.toomany
#limit   all    10      Any                     /etc/wu-ftpd/msg.toomany

limit   anonftp 2       Any                     /etc/wu-ftpd/msg.toomany
#file-limit      total   8

# The files that wu-ftpd will recognize as must-be-read, and display them.
message /welcome.msg            login
message .message                cwd=*

# The files that wu-ftpd will recognize as should-be-read, and warn about them.
readme  README*    login
readme  README*    cwd=*

# == Download control

# Whether to use compression.
compress        yes             local remote all
tar             yes             local remote all

# Logging of actions.
#log commands  anonymous,guest,real
#log security
#log syslog
log transfers anonymous,guest,real inbound,outbound

# These files are marked unretrievable
noretrieve relative /etc
noretrieve core

# The directory to which anonymous FTP user will chroot to.
# Note: if you change this {add,rm}ftpuser may stop functioning.
#anonymous-root /home/ftp

# Some permissions for the anonymous FTP user.
# All the following default to "yes" for everybody
rename          no      anonymous               # rename permission?
delete          no      anonymous               # delete permission?
overwrite       no      anonymous               # overwrite permission?
chmod           no      anonymous               # chmod permission?
umask           no      anonymous               # umask permission?

# What can a filename contain (this /etc is under the anonymous-FTP root)
path-filter     anonymous       /etc/pathmsg  ^[-+A-Za-z0-9_.]*$  ^\.  ^-

# Shortcuts for anonymous FTP incoming (note: the ':' isn't obligatory)
alias   drop:           /dropbox
cdpath  /pub

# == Upload control

# Anonymous uploading is only meant for users from the 'crew' group
#
# - use a nonstandard upload directory name and location to curb ftp spam.
# - each 'crew' member already has their own directory created under dropbox
# - the ftp client can only create directories under the designated areas above.
# - all uploaded files are accessible only to the 'crew' group
# - uploaded files/directories cannot be downloaded via ftp
# - 'crew' members should move the uploaded files out after they log in

# Anonymous FTP directories upload settings
#       anon-ftp-root   path            allow?  owner   group   mode    dirs?   <d_mode>
upload  /home/ftp       *               no
upload  /home/ftp       /dropbox        yes     ftp     crew    0660    nodirs
upload  /home/ftp       /dropbox/*      yes     ftp     crew    0660    dirs    0770
upload  /home/ftp       /dropbox/*/*    yes     ftp     crew    0660    dirs    0770
upload  /home/ftp       /dropbox/*/*/*  yes     ftp     crew    0660    dirs    0770
noretrieve relative     /dropbox
noretrieve .notar

defumask        0660    anonftp

test 

cd /tmp
ncftpput -d -v localhost /dropbox /export/archives/docs/samples/file.sample.bin
ncftpget -v localhost . /dropbox/file.sample.bin
dir /home/ftp/dropbox/file.sample.bin
rm -v /home/ftp/dropbox/file.sample.bin

documented on: 2008-03-01

Debian Lenny ftp daemon port numbers configuration 

# change the connection ftp data/ctrl port to 62020/62021
echo 'WU_OPTIONS="$WU_OPTIONS -p 62021"' > /etc/default/wu-ftpd
/etc/init.d/wu-ftpd restart
$ ps -ef | grep 'ftpd:'
root     10022     1  0 21:47 ?        00:00:00 ftpd: accepting connections on port 62021
$ ftp localhost 62021
Connected to my.host.org.
220 my.host.org FTP server (Version wu-2.6.2(1) Fri Jul 27 12:19:39 UTC 2007) ready.

documented on: 2008-03-03

svrs:ftp configuration 

invocation 

If the -l option is specified, each ftp session is logged in the syslog.

If the -a option is specified, the use of the ftpaccess(5) configuration file is enabled.

If the -i option is specified, files received by the ftpd(8) server will be logged to the xferlog(5). The -i option is overridden by the use of the ftpaccess(5) file.

Port 

Taken from:

Testing on a different port number than ftp:21 http://www.wu-ftpd.org/wu-ftpd-faq.html#IDX38

This can be done from the command line or with a special definition in /etc/services / /etc/inetd.conf. For command-line, look up -P and -p in the ftpaccess(5) manpage.

To set up with special definitions, add 2 ports with consecutive numbers in /etc/services, and then start WU-FTPD on these ports. Add to /etc/services something like :

ftptest         4021/tcp        #command port
ftptest-data    4020/tcp        #data port

Then start WU-FTPD from /etc/inetd.conf like :

ftptest stream tcp nowait root /usr/etc/in.ftpd in.ftpd

The key is the name 'ftptest' which associates the port assignment in the /etc/services file to that in the inetd.conf file.

Make certain the choice of ports in /etc/services (4021 and 4020 above) is from the local use list and doesn't conflict with other port assignments (see RFC1700, ASSIGNED NUMBERS). One important subtlety. The data port is not really derived from the data port declaration in the /etc/services file. The FTP specification (RFC765) states the data port is defined as one less than the command port. However, including the data port declaration in the /etc/services file prevents it from being accidentally assigned to something else.

anonymous ftp 

http://www.wu-ftpd.org/HOWTO/upload.configuration.HOWTO

If your /etc/passwd file does not contain an entry for the user 'ftp' your site will not allow anonymous FTP. In addition, if the usernames 'ftp' or 'anonymous' appear in the /etc/ftpusers file, anonymous FTP will not be allowed.

Messages 

Message files like

message                /etc/welcome.msg        login

are resolved from the root of the ftp directory (the anonymous chroot), not from the root of the file system!

cd /etc
ln -s /home/ftp/etc ftp

But a banner is resolved from the root of the file system, not from the root of the ftp directory!

banner         /home/ftp/msg/banner.msg

login greeting 

Symptom 

The greeting message no longer shows.

Conclusion 

Anonymous users have different banners, etc. http://www.wu-ftpd.org/wu-ftpd-faq.html#IDX45

When the anonymous user is logged in, bannerfiles are opened relative to the root of the anonymous user. Keep this in mind. It can be useful to have 2 sets of banners or use links.

% dir /etc/ftpaccess
lrwxrwxrwx    1 root     root           23 Aug 10 03:01 /etc/ftpaccess -> /home/ftp/msg/ftpaccess
% cd /home/ftp/msg
% dir
-rw-------    1 ftp      ftp            72 Aug 10 01:31 banner.msg
-rw-------    1 ftp      ftp          1787 Aug 10 03:06 ftpaccess
-rw-------    1 ftp      ftp            23 Aug  9 23:44 path.msg
-rw-------    1 ftp      ftp            47 Mar 14 14:50 shutdown.msg
-rw-------    1 ftp      ftp            44 Oct 31  2000 toomany.msg
-rw-------    1 ftp      ftp           203 Aug 10 02:28 welcome.msg

These have to be owned by ftp; chown to bin:bin won't work any more.

Analysis / Reason 

( echo user anonymous y@e.ca; echo cd win; echo cd inc:; echo cd tong; echo put file.sample.bin; echo bye; ) | ftp -vin localhost
message                /etc/ftp/welcome.msg    login
$ fpv /etc/ftp/welcome.msg
-rw-r--r--    1 ftp      ftp           202 Mar 14 17:57 /etc/ftp/welcome.msg
lrwxrwxrwx    1 root     root           15 Aug 10 00:07 /etc/ftp -> ../home/ftp/etc/
drwxr-xr-x   36 root     root         4096 Aug 10 01:41 /etc/
% dirdir /home/ftp/etc/
d--x--x--x    2 ftp      ftp          4096 Aug 10 01:31 ../home/ftp/etc//
% chmod 755 /home/ftp/etc/
% dirdir /home/ftp/etc/
drwxr-xr-x    2 ftp      ftp          4096 Aug 10 01:31 ../home/ftp/etc//
ln -s /home/ftp/etc ftp
ln -s /export/home/ftp/etc ftp

Same result either way.

Move all messages back to /etc/ftp.

cp /etc/ftp/welcome.msg /etc

and then

message                /etc/welcome.msg        login
#message               /etc/ftp/welcome.msg    login
message                /etc/welcome.msg        login
message                .message                cwd=*
message                /etc/ftp/welcome.msg    cwd=*

None of the above makes it show up.

Reason: the message path is resolved relative to the root of the ftp directory, so the file must be placed under the ftp root.
Tip !!
$ ftp -vin
ftp> open localhost
Connected to localhost.
220-    *******************
220-    * Tong's FTP site *
220-    *******************
220-
220 sunny FTP server (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.
ftp> user anonymous a@b.ca
331 Guest login ok, send your complete e-mail address as password.
230-
230-Hi, anonymous from localhost, Welcome to Tong's FTP site.
230-You are now in sunny/ at local time Fri Aug 10 03:18:50 2001
230-There are currently 1 of maximum 4 user logged on to this site.
230-Enjoy yourself here and feel free to contact me at root@sunny.
230-
230 Guest login ok, access restrictions apply.
ftp> cd inc:
250-                         *** GO AWAY ***
250- ...
250 CWD command successful.
ftp> bye
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 894 bytes in 0 transfers.
221-Thank you for using the FTP service on sunny.
221 Goodbye.

shutdown can be at both places 

shutdown /msg/shutdown.msg 
% grep '/msg/' /tmp/strace.out
8278  stat("/msg/shutdown.msg", 0xbfffd8c8) = -1 ENOENT (No such file or directory)
8278  open("/home/ftp/msg/banner.msg", O_RDONLY) = 5
8278  stat("/msg/shutdown.msg", 0xbfffc398) = -1 ENOENT (No such file or directory)
8278  stat("/msg/shutdown.msg", 0xbfffc398) = -1 ENOENT (No such file or directory)
8278  stat("/msg/shutdown.msg", 0xbfffc398) = -1 ENOENT (No such file or directory)
8278  open("/msg/welcome.msg", O_RDONLY) = 9
8278  stat("/msg/shutdown.msg", {st_mode=S_IFREG|0644, st_size=47, ...}) = 0
8278  open("/msg/shutdown.msg", O_RDONLY) = 9
8278  stat("/msg/shutdown.msg", {st_mode=S_IFREG|0644, st_size=47, ...}) = 0
8278  stat("/msg/shutdown.msg", {st_mode=S_IFREG|0644, st_size=47, ...}) = 0
shutdown /home/ftp/msg/shutdown.msg 
% grep '/msg/' /tmp/strace.out
8284  stat("/home/ftp/msg/shutdown.msg", {st_mode=S_IFREG|0644, st_size=47, ...}) = 0
8284  open("/home/ftp/msg/shutdown.msg", O_RDONLY) = 5
8284  open("/home/ftp/msg/banner.msg", O_RDONLY) = 5
8284  stat("/home/ftp/msg/shutdown.msg", {st_mode=S_IFREG|0644, st_size=47, ...}) = 0
8284  stat("/home/ftp/msg/shutdown.msg", {st_mode=S_IFREG|0644, st_size=47, ...}) = 0
8284  stat("/home/ftp/msg/shutdown.msg", {st_mode=S_IFREG|0644, st_size=47, ...}) = 0
8284  open("/msg/welcome.msg", O_RDONLY) = 9
8284  stat("/home/ftp/msg/shutdown.msg", 0xbfffbf74) = -1 ENOENT (No such file or directory)
8284  stat("/home/ftp/msg/shutdown.msg", 0xbfffc398) = -1 ENOENT (No such file or directory)
8284  stat("/home/ftp/msg/shutdown.msg", 0xbfffc398) = -1 ENOENT (No such file or directory)

So a shutdown path given relative to the ftp root is only found after the chroot, i.e. later in the session, which is the better choice.
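
As an added example (not from these notes or from wu-ftpd), the path rules worked out in the Messages, login greeting and shutdown sections above, plus the anonymous path-filter from the Debian ftpaccess, written up as a small audit script: it reports where each message/banner/shutdown file must actually live on disk for an anonymous session, and checks which upload names the path-filter would accept. The sample ftpaccess fragment is constructed, `<cwd>` is a placeholder for the user's current directory, and Python's re module stands in for wu-ftpd's own regex engine.

```python
import re

ANON_ROOT = "/home/ftp"   # anonymous-root: the chroot for anonymous sessions

# Constructed sample: directives from the Debian default ftpaccess quoted above,
# with banner and shutdown uncommented so that every case is exercised.
SAMPLE_FTPACCESS = r"""
message  /welcome.msg   login
message  .message       cwd=*
readme   README*        login
banner   /etc/wu-ftpd/welcome.msg
shutdown /etc/wu-ftpd/shutmsg
path-filter  anonymous  /etc/pathmsg  ^[-+A-Za-z0-9_.]*$  ^\.  ^-
"""


def parse_ftpaccess(text):
    """Split an ftpaccess file into [keyword, arg, ...] lists, dropping comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # whitespace-separated, no quoting
        if fields:
            rules.append(fields)
    return rules


def file_locations(rules, anon_root=ANON_ROOT):
    """Real path(s) wu-ftpd opens for each message-file directive in an anonymous session."""
    where = {}
    for r in rules:
        kw, path = r[0], r[1]
        if kw in ("message", "readme"):
            # opened after the chroot: '/x' means <anon_root>/x, a bare name means
            # the directory the user is currently in (shown here as <cwd>)
            where[(kw, path)] = ([anon_root + path] if path.startswith("/")
                                 else [anon_root + "/<cwd>/" + path])
        elif kw == "banner":
            where[(kw, path)] = [path]                     # sent before login: real fs path
        elif kw == "shutdown":
            where[(kw, path)] = [path, anon_root + path]   # stat'ed before AND after chroot
    return where


def upload_name_allowed(rules, name):
    """Anonymous path-filter: full match on the allowed charset, no match on any disallowed regex."""
    for r in rules:
        if r[0] == "path-filter" and "anonymous" in r[1].split(","):
            allowed, disallowed = re.compile(r[3]), [re.compile(x) for x in r[4:]]
            return bool(allowed.fullmatch(name)) and not any(d.search(name) for d in disallowed)
    return True   # no path-filter for anonymous users: no restriction on names


if __name__ == "__main__":
    rules = parse_ftpaccess(SAMPLE_FTPACCESS)
    for (kw, path), real in file_locations(rules).items():
        print(f"{kw:9} {path:26} -> {' or '.join(real)}")
    for n in ("file.sample.bin", ".message", ".notar", "-rf", "a b", "x~"):
        print(f"{n!r:20} {'allowed' if upload_name_allowed(rules, n) else 'rejected'}")
```

Run it against your own /etc/wu-ftpd/ftpaccess to see why a `.message` or `.notar` planted by an anonymous uploader is refused by the default filter, and where each message file has to be copied.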

upload control 

Actions 

Settings 

upload    /home/ftp    /incoming       yes ftp crew 0660
upload    /home/ftp    /incoming/*     yes ftp crew 0660 nodirs
noretrieve /home/ftp/incoming

or

upload    relative /incoming *         yes ftp
noretrieve     relative        /incoming

Help sources 

man ftpaccess
/usr/doc/wu-ftpd-2.6.0/HOWTO/upload.configuration.HOWTO
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO

Help Info 

Finally, before we get into allowing uploads, one last thing. Whether you allow on-the-fly tar'ing of directories or not, you should make sure an end-run cannot be made and the incoming area downloaded using tar. To do so, create the special file '.notar' in both the FTP directory and the incoming area:

touch /home/ftp/.notar
chmod 0 /home/ftp/.notar
touch /home/ftp/incoming/.notar
chmod 0 /home/ftp/incoming/.notar

The zero-length .notar file can confuse some web clients and FTP proxies, so let's mark it unretrievable.

noretrieve .notar

upload [absolute|relative] [class=<classname>]... [-] <root-dir> <dirglob> <yes|no> <owner> <group> <mode> ["dirs"|"nodirs"] [<d_mode>]

Some FTP sites like to live dangerously and allow anonymous users to create directories. I don't recommend this; it cannot be done with absolute safety. If you insist, however, you can at least limit it to a single directory level. For example, replace the upload clause just added with the following:

upload /home/ftp /incoming   yes ftpadmin ftpadmin 0440 dirs 3773
upload /home/ftp /incoming/* yes ftpadmin ftpadmin 0440 nodirs

Directory creation is allowed by default for the upload command. To turn it off by default, you must specify a user, group and mode followed by the "nodirs" keyword as the first line where the upload command is used in this file.

Notice one of the problems with allowing directory creation is there is no way to automatically create a '.notar' in the new directory, so a crafty user may be able to make an end-run and download it anyway using on-the-fly tar'ing.

For example, we can deny all uploads for remote guests except to their personal tmp directories:

upload class=remote /home/users/* *      no
upload class=remote /home/users/* /*/tmp yes nodirs

umask 

umask no  anonymous
umask yes real,guest

If, for example, you wanted to disable these commands for guests accessing the server from outside the local network, you could add the following:

chmod no  class=remote
umask no  class=remote

Private dirs 

We'll allow anonymous uploads into all private incoming areas:

upload /home/ftp            /private/*/incoming          yes * * 0640 dirs

The assumption here is Unix shell users have private areas in the anonymous site. Those areas are owned by the appropriate user, and incoming files are to be owned by that user. The wildcard match on directory allows anonymous uploading to any private incoming directory. The wildcard for owning user and group instructs the daemon to set the file's ownership to that of the directory receiving it.

passwd & group for ftp 

Newsgroups: comp.unix.admin
>What's the usage of the files passwd & group in etc under the ftp
>root dir? I haven't found any man pages on that yet.

They're used by the ls command in anonymous FTP to translate numeric uids and groupids to names.

>- Is it the same format as those in /etc?

Yes.

>- Is there any security risk to symlink those in /etc?

It won't work. Anonymous FTP runs in a chroot environment and can't access anything outside of ~ftp.

If you're using shadow passwords you can simply make a copy of /etc/passwd. But if you're not using shadow passwords, you should first take all the encrypted passwords out of the file. Otherwise, someone could download the file and then run a password cracker over the passwords.

Barry Margolin

passwd & group for ftp 

> > permissions probably aren't a=r.
>
> you mean passwd & group? hmm, yes they are:

In that case the ls you have, in the chroot jail or in the ftpd, doesn't bother performing user or group name lookup.

permission problems 

> but i will still get the "wrong" permission setting when uploading via
> ftp.

You need to convince the ftp daemon on the server to use a different umask, and the ftp daemon does not read your .profile or .login file (since it's not a shell and does not know how to parse shell scripts).

Read the documentation for the ftp daemon. See if you can change the umask, either with an entry in a configuration file or with some special "site" command sent from the ftp client, such as:

site umask 022

or perhaps a chmod command to fix the permissions after an upload:

site chmod o+r file

Ken Pizzini

The default umask used when a real user uploads a file is wrong 

http://www.wu-ftpd.org/wu-ftpd-faq.html#IDX71

The default umask is inherited from inetd. This can be a wrong one. There is a command line parameter -u. Edit the line in inetd.conf to something like ftpd -A -L -l -u077.

ftp times out :-( 

Newsgroups: comp.unix.questions
>My ftp session times out after 15 min. as it is supposed to do.
>So I want to increase that time out period to 2-3 hours - typing:
>in.ftpd -t 9000
>And get the error msg on the console :
>  **Oct 18 16:08:50 september ftpd[4818]:  getpeername
>  (/usr/sbin/in.ftpd):
>  **Socket operation on non-socket
>I'm still timed out after 15 mins
>Any idea what I'm doing wrong?

You need to edit /etc/inetd.conf and change the "in.ftpd" line.

Then "kill -HUP <pid-of-inetd>" and you're all set.

Casper

documented on: 2000.11.03 Fri 11:06:27