FTP login types 

From Guest HOWTO http://www.wu-ftpd.org/HOWTO/guest.HOWTO

There are three kinds of FTP logins that wu-ftpd provides:

  1. anonymous FTP

  2. real FTP

  3. guest FTP

Anonymous FTP is well known; one logs in with the username 'anonymous' and an email type password.

Real FTP is when someone logs in with a real username and password and has access to the entire disk structure. This form of access can be extremely dangerous to system security and should be avoided unless absolutely necessary and well controlled.

Guest FTP is a form of real FTP; one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. This is much safer, and it is a useful way for remote clients to maintain their Web accounts.

RH7.2 anonymous ftp upload setup 

init 

cd /
ln -s /var/ftp
cd /ftp
mkdir -p incoming/tong
chown ftp:crew -R incoming
cd /opt
md conf/ftp

Steps 

cd /opt/conf/ftp
cat ftpaccess* > /etc/ftpaccess
cp welcome.msg /ftp/etc/
chown ftp /ftp/etc/welcome.msg
Tip !! 
ncftpput -d -v localhost /incoming ~/s/docs/file.sample.bin
ncftpput -d -v localhost /incoming/tong ~/s/docs/file.sample.bin

Trying history 

Use abs dir 

$ ll /ftp
/ftp -> /var/ftp

in ftpaccess:

upload  /ftp    /incoming       yes
upload  /var/ftp    /incoming       yes

Upload will only work if the 2nd line is added.

ftpaccess 

This is the finial text version of ftpaccess. I'll use the kwuftpd to configure it from now on.

Note that kwuftpd 0.2.0 has some obvious bugs:

# This file controls the behavior of the wu-ftpd
# ftp server.
#
# If you're looking for a graphical frontend to
# editing it, try kwuftpd from the kdeadmin
# package.

# == Account setup

#only allow anonymous users -- no other classes defined
class anonftp anonymous *
autogroup crew anonftp

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp

#anonymous-root /var/ftp
defumask        0644
defumask        0660    anonftp

# The ftpchroot group doesn't exist by default, this
# entry is just supplied as an example.
# To chroot a user, modify the line below or create
# the ftpchroot group and add the user to it.
#
# You will need to setup the required applications
# and libraries in the root directory (set using
# guest-root).
#
# Look at the anonftp package for the files you'll need.
guestgroup ftpchroot


# == Messages & loggings

greeting        full
banner          /opt/conf/ftp/banner.msg

# Messages displayed to the user upon login/cd
message         /opt/conf/ftp/welcome.msg       login
message         .message                cwd=*

# Notify the users of README files at login and when
# changing to a different directory
readme  README*    login
readme  README*    cwd=*

# Turn on logging to /var/log/xferlog
log     transfers       anonymous,guest,real    inbound,outbound
log     security        anonymous,real

# == Settings

email   root@sunny

#fast cd and aliasing for the same reason
alias   inc:    /incoming
cdpath  /pub/installs
cdpath  /pub
cdpath  /incoming
cdpath  /

# == file transmission

# Allow on-the-fly compression and tarring
compress        yes             all
tar             yes             all

# file operations control
# Prevent anonymous users (and partially guest users)
# from executing dangerous commands
chmod           no              guest,anonymous
umask           no              anonymous,guest
delete          no              anonymous
overwrite       no              anonymous
rename          no              anonymous

# == Limitations

# If /etc/shutmsg exists, don't allow logins
# see ftpshut man page
shutdown        /opt/conf/ftp/shutdown.msg

# Ask users to use their email address as anonymous password
passwd-check    rfc822  enforce
#loginfails 3  # no need for anonymous users

#what is allowed in paths
#path-filter    anonymous       /opt/conf/ftp/path.msg  ^[-A-Za-z0-9_\./ ]*$    ^\.     ^-

noretrieve .notar

#number of users restriction with message shown when too many
limit   anonftp 4       Any     /opt/conf/ftp/toomany.msg
limit           5       Any     /opt/conf/ftp/toomany.msg

file-limit      total   8
private         no

# == upload control
upload  /var/ftp        *               no
upload  /var/ftp    /incoming       yes     ftp     crew    0664    nodirs
upload  /var/ftp    incoming/*      yes     ftp     crew    0664    dirs    0750
upload  /var/ftp    incoming/*/*    yes     ftp     crew    0664    nodirs

upload  /var/ftp        /private/*/incoming     yes * crew 0640 dirs    0750

#prevent anon users to GET files from incoming, a good idea to prevent some
#people from using your ftp server to store their own stuff, pics, warez etc.
#ideas from <ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO>[]

noretrieve /var/ftp/incoming

help 

shutdown 

Running command ftpshut will create a file that the server will use to determine when to shutdown. Once the shutdown has occured, the server will continue to refuse connections until this file is removed. The location of this file is specified by the shutdown stanza in the ftpaccess file.

RH8.0 anonymous ftp upload setup 

anonymous access off 

echo ftp >> /etc/ftpusers

anonymous access on 

Remove the last line just added.

Tip !! 
ncftpput -d -v -p a@b.ca localhost /pub/dropbox ~/s/docs/file.sample.bin
ncftpput -d -v -p a@b.ca localhost /pub/dropbox/tong ~/s/docs/file.sample.bin
!!

Notes 

Test log 

manual confirm 
$ touch abc

$ ftp localhost
Connected to localhost (127.0.0.1).
220-
220-    *******************
220-    * Tong's FTP site *
220-    *******************
220-
220 xpt FTP server (Version wu-2.6.2-8) ready.
Name (localhost:tong): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
530-The response '' is not valid
530-Please use your e-mail address as your password
530-   for example: joe@localhost.localdomain
530 Login incorrect.
Login failed.

Password:
230-
230- Hi, ftp from xpt, Welcome to Tong's FTP site.
230- You are now in xpt/ at local time Thu Dec 12 02:00:35 2002
230- There are currently 1 of maximum 2 user logged on to this site.
230- Enjoy yourself here and feel free to contact me at root@sunny.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> put abc
local: abc remote: abc
227 Entering Passive Mode (127,0,0,1,246,90)
553 abc: Permission denied on server. (Upload)

ftp> cd pub
250 CWD command successful.
ftp> put abc
local: abc remote: abc
227 Entering Passive Mode (127,0,0,1,85,167)
553 abc: Permission denied on server. (Upload)
ftp> mkdir ttt
550 ttt: Permission denied on server. (Upload dirs)

ftp> cd dropbox
250 CWD command successful.
ftp> mkdir ttt
550 ttt: Permission denied on server. (Upload dirs)
ftp> put abc
local: abc remote: abc
227 Entering Passive Mode (127,0,0,1,128,160)
150 Opening BINARY mode data connection for abc.
226 Transfer complete.

ftp> cd tong
250 CWD command successful.
ftp> put abc
local: abc remote: abc
227 Entering Passive Mode (127,0,0,1,131,91)
150 Opening BINARY mode data connection for abc.
226 Transfer complete.
ftp> mkdir ttt
257 "/pub/dropbox/tong/ttt" new directory created.
ftp> cd ttt
250 CWD command successful.
ftp> mkdir ttt
257 "/pub/dropbox/tong/ttt/ttt" new directory created.
ftp> mkdir ttt
521 "/pub/dropbox/tong/ttt/ttt" directory exists
ftp> put abc
local: abc remote: abc
227 Entering Passive Mode (127,0,0,1,138,151)
150 Opening BINARY mode data connection for abc.
226 Transfer complete.

ftp> cd ttt
250 CWD command successful.
ftp> put abc
local: abc remote: abc
227 Entering Passive Mode (127,0,0,1,13,55)
150 Opening BINARY mode data connection for abc.
226 Transfer complete.
ftp> mkdir ttt
550 ttt: Permission denied on server. (Upload dirs)

ftp> 221-You have transferred 0 bytes in 4 files.
221-Total traffic for this session was 1895 bytes in 4 transfers.
221-Thank you for using the FTP service on xpt.
221 Goodbye.
ncftpput 
$ ncftpput -d -v -p a@b.com localhost /pub/dropbox ~/s/docs/file.sample.bin
LibNcFTP 3.1.3 (March 4, 2002) compiled for linux-x86
Uname: Linux|xpt|2.4.18-14|#1 Wed Sep 4 12:13:11 EDT 2002|i686
 Glibc: 2.2.93 (development)
220:     *******************
         * Tong's FTP site *
         *******************

     xpt FTP server (Version wu-2.6.2-8) ready.
Connected to localhost.
 Cmd: USER anonymous
331: Guest login ok, send your complete e-mail address as password.
 Cmd: PASS a@b.com
230:
     Hi, anonymous from xpt, Welcome to Tong's FTP site.
     You are now in xpt/ at local time Thu Dec 12 01:50:55 2002
     There are currently 1 of maximum 2 user logged on to this site.
     Enjoy yourself here and feel free to contact me at root@sunny.

     Guest login ok, access restrictions apply.
 Cmd: PWD
257: "/" is current directory.
Logged in to localhost as anonymous.
 Cmd: FEAT
500: 'FEAT': command not understood.
 Cmd: HELP SITE
214: The following SITE commands are implemented.
        UMASK           HELP            GROUPS
        IDLE            ALIAS           CHECKMETHOD
        CHMOD           CDPATH          CHECKSUM
     Direct comments to root@sunny.
 Cmd: CLNT NcFTPPut 3.1.3 linux-x86
500: 'CLNT NcFTPPut 3.1.3 linux-x86': command not understood.
 Cmd: CWD /pub/dropbox
250: CWD command successful.
 Cmd: TYPE I
200: Type set to I.
 Cmd: SIZE file.sample.bin
550: file.sample.bin: not a plain file.
 Cmd: EPSV
229: Entering Extended Passive Mode (|||57141|)
 Cmd: STOR file.sample.bin
150: Opening BINARY mode data connection for file.sample.bin.
.../tong/s/docs/file.sample.bin:   ETA:   0:00  512.00/512.00 B   452.90 kB/s  226: Transfer complete.
/home/tong/s/docs/file.sample.bin:                     512.00 B    17.94 kB/s
 Cmd: MDTM 20000122192224 file.sample.bin
550: 20000122192224 file.sample.bin: No such file or directory.
 Cmd: QUIT
221: You have transferred 512 bytes in 1 files.
     Total traffic for this session was 1870 bytes in 1 transfers.
     Thank you for using the FTP service on xpt.
     Goodbye.
limit 
$ ftp localhost
Connected to localhost (127.0.0.1).
220-
220-    *******************
220-    * Tong's FTP site *
220-    *******************
220-
220 xpt FTP server (Version wu-2.6.2-8) ready.
Name (localhost:tong): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
530- Sorry, too many ftp connetions.
530- There are already 2 of maximum 2 user logged on to this site.
530- Please try again later.
530 Login incorrect.
Login failed.
ftp> 221 Goodbye.

History 1 

init 

cd /
ln -s /var/ftp
mkdir -p /ftp/pub/dropbox/tong
chown ftp:crew -R /ftp/pub/dropbox

Steps 

cd ~/histories/sys/ftp
cat ftpaccess* > /etc/ftpaccess
 dir !$
mkdir /ftp/etc
rsync -vua *.msg /ftp/etc
 dir !$
chown ftp !$/*.msg
chmod 400 !$
 dir !$
chown ftp /ftp/pub/dropbox

upload dir control 

Solution 

Enable write access to /ftp/incoming to allow user create directories. I.e., directory creation is allowed/done in shell but not in ftp.

Test 

mkdir /tmp/ttt
echo aaa > /tmp/ttt/aa
ncftpput -v localhost /incoming ~/s/docs/file.sample.bin
ncftpput -v localhost /incoming/tmp/ ~/s/docs/file.sample.bin
ncftpput -v localhost /incoming/tong/ ~/s/docs/file.sample.bin
ncftpput -d -v -R localhost /incoming/tong /tmp/ttt
ncftpput -d -v -R localhost /incoming /tmp/ttt
ncftpget ftp://localhost/incoming/aaa
Tip !! 
cd /ftp/incoming
md tmp
..
chown :crew tmp
/ftp/incoming$ dir
total 16
-rw-r--r--    1 root     root            7 Mar 12 14:45 aaa
-rw-rw-r--    1 ftp      crew          512 Mar 12 15:06 file.sample.bin
drwxrwx--x    2 tong     crew         4096 Mar 12 15:09 tmp/
drwxr-xr-x    4 ftp      crew         4096 Mar 12 15:05 tong/
ncftpput -d -v -R localhost /incoming/tmp /tmp/ttt/
Cmd: CWD incoming
250: CWD command successful.
Cmd: CWD tmp
250: CWD command successful.
[...]
Cmd: STOR aa
150: Opening BINARY mode data connection for aa.
/tmp/ttt//aa:                      ETA:   0:00    4.00/  4.00 B     3.73 kB/s  226: Transfer complete.
/tmp/ttt//aa:                                            4.00 B   107.28 B/s

conf file 

in ftpaccess:

upload  /var/ftp    *           no
upload  /var/ftp    /incoming       yes     ftp     crew    0664    nodirs
upload  /var/ftp    /incoming/*     yes     ftp     crew    0664    dirs    0770
upload  /var/ftp    /incoming/*/*   yes     ftp     crew    0664    nodirs
upload  /var/ftp    /private/*/incoming yes * crew 0640 dirs    0750

Meaning: user can create directories in and only in their own directories, one level only.

/incoming 
Cmd: PWD
257: "/incoming" is current directory.
Cmd: CWD ttt
550: ttt: No such file or directory.
Cmd: MKD ttt
550: ttt: Permission denied on server. (Upload dirs)
/incoming/tong 
Cmd: PWD
257: "/incoming/tong" is current directory.
Cmd: CWD ttt
550: ttt: No such file or directory.
Cmd: MKD ttt
257: "/incoming/tong/ttt" new directory created.
Cmd: STOR ttt/aa
553: ttt/aa: Permission denied.

The created directory 

"ncftpput -d -v -R localhost /incoming/tong /tmp/ttt" will yield:

Cmd: MKD ttt
257: "/incoming/tong/ttt" new directory created.
$ ftp localhost
ftp> PWD
257: "/incoming/tong" is current directory.
ftp> mkdir test
257 "/incoming/tong/test" new directory created.
ftp> dir
227 Entering Passive Mode (127,0,0,1,59,49)
150 Opening ASCII mode data connection for directory listing.
total 24
-rw-rw-r--   1 14       600             4 Mar 12 07:20 aa
drwxrwx---   2 root     root         4096 Mar 12 07:22 test
drwxrwx---   2 4095     root         4096 Mar 12 07:21 ttt

Notes:

FTP upload problems!! 

Newsgroups: comp.os.linux.security
> We have a little lan with a Redhat 6.2 server.
> We configured a little firewall.

You will need to setup firewall rules for ports 20 & 21 to get it working properly.

http://www.linux-firewall-tools.com is your friend. This site has a design tool that will build the necessary rules for you.

Luke