Anonymous FTP server
This article was written by Kim Scarborough <firstname.lastname@example.org>. Reviewers include Nik Clayton, Crist J. Clark, and Yonatan Bokovza.Although much of the purpose of anonymous FTP has been rendered obsolete by HTTP, it still has one advantage: allowing anonymous uploads. [Ed. note: see also upload files via http.]
Often, people want to give me files too large to send through e-mail, so I’d like them to be able to upload them to my FreeBSD box without having to give them accounts. Anonymous FTP is the natural solution, but setting it up to allow uploads yet still be reasonably secure takes care.
Warning: the method outlined below requires the use of SUIDDIR. This can be a security risk if used carelessly.
I believe that the setup below takes sufficient precautions that it won’t be a problem. But do be aware.
NOTE: FreeBSD’s ftpd now supports the -o option to
create a write-only FTP site. This makes the FTP daemon deny all
downloads, irrespective of the file permissions. To check if your ftpd
includes this option, see
and look for that option. If it does, then we recommend that you use it
as a second layer of defense.
Step 1: Set up a new partitionThe first danger to be considered when setting up anonymous FTP uploads is the possibility of people filling up your drive. CERT advises that the upload directory be on a dedicated drive; I think a dedicated partition will suffice just as well. Either way, this will ensure that the important system partitions will not be filled.
Carve out a separate partition that will just be for uploads. The size is up to you, but I would recommend 750MB, which will leave enough room in case somebody wants to upload an ISO. Don’t worry about mounting it yet; we’ll do that in a minute. Actually creating a partition is beyond the scope of this article. It is recommended that you read Chapter 12 of The FreeBSD Handbook for more information. Either that or you can use quotas to limit the space used by the ftp daemon.
Step 2: Add the FTP userYour FreeBSD system may already contain an entry in the password file for the ftp daemon. Recent versions of FreeBSD include such an entry. If so, you can skip this step. You’ll need to create a user that anonymous FTP uploads and downloads will execute as. If you chose to allow anonymous FTP when you first installed FreeBSD, you’ll already have it; otherwise, you’ll need to create it. In either case, run vipw and make sure the entry looks like this:
ftp:*:14:14:ftp:0:0:Mr. Anonymous FTP:/home/ftp:/nonexistent
man hier indicates that the ftp home directory should be
/var/spool/ftp. This location can be acheived via symlinks which
would allow the physical directory to exist elsewhere. For example, if you set the home
directory via vipw to be
/var/spool/ftp, you could put
the actual files in
/ftp/home (or whatever locationyou choose).
Then you would create a symbolic link with this sequence of commands:
ln -s /path/to/real/files ftp
Let’s go over that vipw entry (also see the man page for
First is the user name; to allow anonymous ftp you have to create a user named ftp.
is customary but it can be whatever you want. Make sure the
password is set to “*”, which ensures no password will work; Setting “*” as the password is a good idea
for all accounts that don’t need passwords. You should create a new group called
ftp too, and choose a unique UID and GID.
The home directory should be set to wherever you’re going to set up the anonymous
FTP file hierarchy;
/home/ftp is generally a good choice. Finally, make sure the shell is set
Never give an account a shell unless it needs it.
Step 3: Set up the directory structureNow we set up the directories people will see when FTP’ing in. Create the directory you set as ftp’s‘s home directory; here we’re using
/home/ftp. Inside that directory, create the following directories:
Here are the commands to set up those directories in the ftp user’s home directory.
# cd ~ftp
# mkdir pub
# mkdir incoming
# mkdir etc
We will deal with directory permissions in Step 5
Step 4: Set up /etc/fstab and recompile the kernelTo keep people from being able to delete other people’s uploaded files, we’ll need SUIDDIR (explained in more detail below). We have to do two things to mount a file system SUIDDIR. First, let’s edit
/etc/fstab. Put in this line:
Substitute the device of the partition you created in step 1. The SUIDDIR option must be specified at mount time for it to work. See the man pages/dev/ad2s2f /home/ftp/incoming ufs rw,SUIDDIR 2 2
mount(8)for more information. Next, we need to enable SUIDDIR in the kernel. Add this option to your kernel configuration file:
Then configure, compile, install, and reboot to a new kernel.
Step 5: Setting permissionsWhen your system comes back up, do this:
[Ed. note: It was recomended by one reviewer that we not usechown -R root:wheel /home/ftp cd /home/ftp chmod 755 etc pub chown nobody incoming chmod 5777 incoming
nobodyas the owner. I have yet to establish if using
ftpas the owner would be secure.
The directories should now look like this:
drwxr-xr-x 4 root wheel 512 Nov 10 00:42 . drwxr-xr-x 14 root wheel 512 Oct 20 14:58 .. drwxr-xr-x 2 root wheel 512 Nov 10 00:44 etc drwsrwxrwt 2 nobody wheel 512 Nov 10 00:45 incoming drwxr-xr-x 2 root wheel 512 Nov 25 00:44 pub
You may have noticed there’s no
/bin. Pre-4.x versions of FreeBSD required a
/bin/ls in the anonymous
chroot for directory listings to work. This is no longer needed, so don’t worry about it if you’re running 4.x.
Here’s why we did it that way. First, it’s a bad idea to make anything owned by ftp; that would mean that the anonymous
user would essentially own all those files/directories and might possibly be able to change things around. The man page
ftpd(8) says that
/pub should be owned by ftp, but I disagree
(and so does CERT).
/pub need to be readable by everybody and
writable only by root, for obvious reasons. The interesting case is
/incoming. We want everyone to be able to write to it, and we also want them to be able to list
the contents of the
directory (so they can ensure that their files uploaded). We don’t want them to be able to delete files that other
people have uploaded in there, however. To prevent this, we’ve done two things:
- We’ve made the directory SUIDDIR and owned by nobody. Normally, files uploaded to the incoming directory will be owned by ftp, regardless of the ownership of the directory. This means that anybody who comes along later can delete the files, since they are also the user ftp. Making the directory SUIDDIR will ensure that the files are owned by the directory owner, in this case nobody.
We’ve set the “sticky bit”, which prevents users from deleting
other users’ files in a directory, even if everyone has write permission
to the directory. In this case, the sticky bit prevents user ftp from
deleting the files which are now owned by user nobody. See also
We set the above items using
chmod. Here’s how we determined the mode:
- 4000 for SUIDDIR
- 1000 for sticky bit
- 777 to set the directory +rwx for everyone
Add those values up and you get 5777.
Read the man page for
chmod(1) for more information.
/incoming is not owned by root.
You never want to make a SUIDDIR owned by root because then anyone
can create root-owned files, which is a Bad Thing (actually, FreeBSD won’t let you do this anyway, but it’s bad practice
to depend on the OS to protect you from poor decisions).
We might want to put a couple of files in
/etc. These are not mandatory; in fact,
/etc directory itself is not
required. But it will make things look a little nicer if you add them.
ftpmotdis a banner that will be displayed after login. I have some ASCII art in mine from Joan Stark’s site. It looks nice in a browser.
You also might want to generate a
pwd.dbfile from a password file. The only purpose of this is to make directory listings show usernames rather than UIDs. Similarly, you may want to create a
groupfile to substitute group names for GIDs.
Do not use the system
Here’s the password file I created:
As you can see, the user names in our little password file don’t have to have anything to do with what user names really correspond with those UIDs. In my case, I made it so root-owned files will appear as being owned by default and files owned by nobody will show up with an owner of ftp (just to keep it confusing). To convert this input file into a
pwd.dbfile, run this command:
pwd_mkdb -d /home/ftp/etc passwd
This will delete
/home/ftp/etc. You can delete everything except
pwd.db. Now, just create a
Again, name the group whatever you like.
Step 6: Edit /etc/login.confOne extremely crucial thing I haven’t discussed before about anonymous FTP uploads: it is imperative that the anonymous user not be allowed to download files from
/incoming. Otherwise, your site will be used as a warez drop. And it will be found. Warez kiddies have scripts scanning thousands of IPs looking for FTP sites, and then checking if they can upload and download anonymously when they find one. If your site allows this, it will be announced on IRC when it is discovered and your bandwidth will skyrocket until you figure out what’s going on and fix it.
The permissions of a newly-created file are set by the user’s umask. The default umask for users under FreeBSD is 022, which means that files will be created 644 and directories 755. We want the files that the anonymous FTP user creates to be 640, so that once they’re uploaded, they can’t be downloaded (since the SUIDDIR changes the ownership). So the umask for ftp needs to be 027.
This is why we gave the ftp user its own login class in step 2. We can now change the umask for just that user.
Add this line to
Run the command:
to rebuild it, and we’re set. Now the uploaded files will be mode 640 (directories will be created mode 750, which makes them rather useless, but that’s a small downside to this setup). Since they won’t belong to ftp, they can’t be read, but they will show up in directory listings. This will stop the warez kiddies from using your site as a dropbox, since there’s no point in uploading giant files if they can’t subsequently be downloaded. You will still get occasional files that their scripts upload for testing, but these will be fairly small. Just keep an eye on it so you can clear these out.cap_mkdb /etc/login.conf
Step 7: Restart ftpdNow all we have to do is restart ftpd with logging enabled. The line in
/etc/inetd.confshould look like this:
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -lS
WARNING: If your ftpd includes the
you should include the
-o option above.
That’s the same as the default except for the “S” at the end, which will log anonymous transfers to
You may also wish to include the A option to restrict FTP to only anonymous users if you don’t want
regular users using ftp (I force mine to use sftp instead).
Now send a HUP single to (
inetd by issuing the command
killall -HUP inetd), and you should be done.