UNIX System Administration Handbook - Evi Nemeth [413]
To test Squid, configure your desktop web browser to use the Squid server as a proxy. This option is usually found in the browser’s preferences panel.
22.6 ANONYMOUS FTP SERVER SETUP
FTP is one of the oldest and most basic services on the Internet, yet it continues to be widely used today. Although FTP has a variety of internal uses at a site, the most common use on the Internet is “anonymous FTP,” which lets users that do not have accounts at your site download files you have made available.
FTP is useful for distributing bug fixes, software, document drafts, and the like. Its main advantage over HTTP (for this purpose) is that it allows users to inspect the tree of available materials for themselves and to see the sizes and modification dates of files. You don’t need to write any HTML to point to new files—just drop them into the target zone and you’re done.
To enable anonymous FTP, you create an account for the fake user “ftp”, configure its home directory, and set up the FTP server daemon, ftpd. Because of the public nature of anonymous FTP, it is important to configure it correctly so that sensitive files are not accidentally made available to the whole world.
ftpd is managed by inetd and therefore must have an entry in the /etc/inetd.conf and /etc/services files. When an FTP user logs in anonymously, ftpd executes a chroot system call to make files outside of the ~ftp directory invisible and inaccessible. The enhanced security provided by this precaution is important because ftpd must run setuid to root to manipulate privileged socket ports.
See page 823 for more information about inetd.
To allow anonymous ftp from your site, take the following steps:
• Add the user “ftp” to your regular password file.
• Create subdirectories bin, etc, and pub beneath ~ftp.
• Copy the ls program to the ~ftp/bin directory.
• Copy /etc/passwd and /etc/group to ~ftp/etc.
• Edit the passwd and group files as described below.
• Replace all passwords in ~ftp/etc/passwd with stars.
• Run mkpasswd or pwd_mkdb if your system requires a hashed version of the password database.
• Set the proper permissions on files and directories under ~ftp.
No one needs to log in to the ftp account, so use a star as ftp’s password. It’s also a good idea to specify /bin/false as ftp’s login shell.
Since an anonymous ftp session runs chrooted to ~ftp, the subdirectories bin and etc must provide a copy of all the commands and configuration information needed by ftpd. After the chroot, ~ftp/bin and ~ftp/etc will masquerade as /bin and /etc.
In most cases, ftpd uses only the ls command and skeletal copies of /etc/passwd and /etc/group from ~ftp/etc.
The passwd file under ~ftp should only contain the users root, daemon, and ftp. You must replace the passwords with stars, since this copy of the passwd file will be available to people who use your ftp server. Even if the passwords are encrypted, there is still a risk involved in allowing other people to discover them.⁴
See page 655 for more information about password security.
For added security, make ~ftp/bin/ls execute-only by setting its mode to 111. This tweak prevents clients from copying away the binary and studying it for weaknesses.
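The setup steps listed above, together with the rules for the ~ftp/etc copies and the execute-only ls, as an added Python example (not code from the book): it builds the skeletal passwd and group files from the system copies and audits the modes under ~ftp. The 111 mode for ls comes from the text; the rule that nothing under ~ftp may be world-writable is an assumption standing in for Table 22.4, which is not reproduced here.

```python
#!/usr/bin/env python3
"""Build the skeletal ~ftp/etc files and audit modes under ~ftp.
Assumes the chroot layout from the text (bin, etc, pub under ~ftp) and,
as an assumption in place of Table 22.4, that nothing under ~ftp may be
world-writable."""
import os
import stat

KEEP_USERS = ("root", "daemon", "ftp")   # the only entries ~ftp/etc/passwd needs


def skeletal_passwd(passwd_text, keep=KEEP_USERS):
    """Keep only the entries in `keep` and replace every password field with a star."""
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in keep:
            fields[1] = "*"
            out.append(":".join(fields))
    return "\n".join(out) + "\n"


def skeletal_group(group_text, passwd_text):
    """Keep only the primary groups of the kept users, with starred passwords."""
    gids = {l.split(":")[3] for l in skeletal_passwd(passwd_text).splitlines()}
    out = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[2] in gids:
            fields[1] = "*"
            out.append(":".join(fields))
    return "\n".join(out) + "\n"


def audit_modes(modes):
    """modes: {path relative to ~ftp: mode bits}. Returns a list of problems."""
    problems = []
    for path, mode in sorted(modes.items()):
        perm = stat.S_IMODE(mode)
        if path == "bin/ls" and perm != 0o111:
            problems.append(f"{path}: mode {perm:o}, want 111 (execute-only)")
        if perm & stat.S_IWOTH:           # assumption: no world-writable entries
            problems.append(f"{path}: world-writable ({perm:o})")
    if "bin/ls" not in modes:
        problems.append("bin/ls missing: anonymous clients cannot list directories")
    return problems


def audit_tree(ftp_home):
    """Walk a real ~ftp (read access is enough) and audit what it finds."""
    modes = {}
    for dirpath, dirnames, filenames in os.walk(ftp_home):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            modes[os.path.relpath(full, ftp_home)] = os.lstat(full).st_mode
    return audit_modes(modes)
```

Run audit_tree("/home/ftp") after the copying steps; an empty list means the ls mode and the no-world-writable rule both hold.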
Put the files you want to make available in ~ftp/pub.
If your system uses shared libraries and your ls command is not statically linked, you may need to copy or hard-link extra files into ~ftp to provide a proper execution environment, since the files that contain the shared libraries aren’t normally accessible after a chroot.
Permissions on the various files and directories are quite important. We recommend that permissions be set as shown in Table 22.4.
Table 22.4 Recommended permissions under ~ftp
Solaris requires ls to be put in ~ftp/usr/bin; ~ftp/bin should be a symbolic link to usr/bin (not a symbolic link to ~ftp/usr/bin because the path will be unresolvable after a chroot has occurred). Solaris is a shared library system, and many