Originally posted by: SystemAdmin
AIX provides a sample script to configure (minimally) the RISC as an anonymous FTP server. The script is /usr/lpp/tcpip/samples/anon.ftp (AIX 3.2.5) or /usr/samples/tcpip/anon.ftp (AIX 4.1). To configure the RISC as an anonymous FTP server, do the following:
Execute the anon.ftp script. This script will create the ftp and anonymous users. They will have different UIDs but the same home directory. In addition, the script will create five (5) subdirectories (etc, pub, bin, lib, and usr) under the ftp user's home directory, each of which is owned by root (to prevent anonymous ftp users from making any changes). The etc, bin, lib, and usr directories are designed for ftpd's use, and so have world-readable (r) and world-searchable (x) permission only. The pub directory also has world-writeable (w) permission to allow file uploads.
Executing this script is sufficient to provide a minimal FTP server. Now, when a user ftps to the RISC and specifies the anonymous or ftp user name, the ftpd daemon automatically accepts any password. However, the ftp daemon also automatically executes the chroot command on the ftp user's home directory, which restricts an anonymous ftp user to the ftp user's home directory structure. Thus, anonymous ftp users can only access (i.e. cd and ls) a limited directory structure, not the entire directory structure of the machine.
Although the anon.ftp script provides a minimal setup, you may wish to perform some additional configuration.
Remove the ~ftp/.profile that the system created for the ftp user.
Create a passwd and group file in the ftp user's etc directory. This will allow anonymous ftp users to see names instead of numbers for file permissions. The passwd file should look like this (assuming 302 is the ftp user's UID):
ftp:*:302:1:anonymous ftp user:/u/ftp:/bin/false
root:*:0:0::/:/bin/false
The group file should look like this:
system:*:0:
staff:*:1:
Then, execute the chmod 400 * command (assuming you're in the ~ftp/etc directory).
Enable logging on the ftpd daemon. This will enable you to record the hostname and e-mail address (anonymous password) of anonymous FTP users, as well as which files they upload and download. To enable logging, do the following:
Execute the smit inetdconf command.
Select Change / Show Characteristics of an inetd Subserver.
Select ftp.
Change the Service Program Command Line ARGUMENTS field to read ftpd -l, and then press Enter.
Edit the /etc/syslog.conf file and add the line
daemon.info /tmp/ftp.log
Execute the command touch /tmp/ftp.log
Execute the command kill -1 , where is the PID of the syslogd daemon. This will cause the syslogd daemon to re-read its configuration file.
Create a separate directory for uploads. Execute the following commands (as the root user):
cd ~ftp
mkdir incoming
chmod 777 incoming (to allow uploads)
chmod 555 pub (to protect your outgoing repository from uploads)
For more information on administering an anonymous FTP server, see Managing Internet Information Services by O'Reilly & Associates (ISBN 1-56592-051-1).
Anonymous FTP Configuration with Sublogins
Problem
What is the procedure to set up anonymous ftp with a sublogin account?
Solution
The key is that all the necessary authentication and database files need to reside in /home/ftp/etc or the appropriate subdirectory. If they are anywhere else you will need to either mount them over the appropriate mount point or move them into the appropriate directories. It is no problem to set up a separate filesystem for your sublogin accounts under the anonymous ftp user, but it will not work by just manipulating the /etc/passwd file.
Steps for creating anonymous ftp with secure user
Log in as root
cd /usr/samples/tcpip
./anon.ftp
cd /home/ftp
mkdir home
chmod 755 home
cd /home/ftp/etc
touch passwd
chmod 644 passwd
chown root:security passwd
mkdir objrepos
chmod 775 objrepos
chown root:system objrepos
mkdir security
chmod 750 security
chown root:security security
cd security
touch passwd
chmod 600 passwd
chown root:security passwd
smitty mkuser
User NAME                        test
User ID                          []
ADMINISTRATIVE USER?             true
Primary GROUP                    staff
Group SET                        staff
ADMINISTRATIVE GROUPS            []
Another user can SU TO USER?     true
SU GROUPS                        []
HOME directory                   [/home/test]
passwd test
-> enter new password
cd /home/ftp/etc
vi passwd
-> copy input below from /etc/passwd (note: your UID and GID may be different on your machine)
ftp:*:226:1::/home/ftp:/usr/bin/ksh
root:!:0:0::/:/bin/ksh
test:!:228:1::/home/test:/usr/bin/ksh
The UIDs above are 226,0,228 and the GIDs above are 1,0,1
vi ./security/passwd
-> copy input from /etc/security/passwd for the "test" user. Do not copy "ADMCHG" from the Flags line.
vi group
-> add the following two lines:
system:*:0:
staff:*:1:test
mkdir objrepos
cp /etc/objrepos/CuAt ./objrepos
cp /etc/objrepos/CuAt.vc ./objrepos
cp /etc/objrepos/CuDep ./objrepos
cp /etc/objrepos/CuDv ./objrepos
cp /etc/objrepos/CuDvDr ./objrepos
cp /etc/objrepos/CuVPD ./objrepos
cp /etc/objrepos/Pd* ./objrepos
cd ../home
mkdir test
(This will be subuser's new home directory)
chown test:staff test
You should now have ftp sublogin set up on your machine. You can test this by logging in as anonymous. Once logged in, you can log in as the newly created user by typing in user username. Additionally, if you want the home directories to physically reside in a separate filesystem from /home, you can create the appropriate directories in another JFS filesystem. Then make sure the ownership and permissions are the same for the new filesystems as for /home/ftp/home/ and mount the new file system over the appropriate mount point.
-
Shame on customer for still running AIX 5.1
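An audit of the chroot tree the post builds, as an added example that is not part of the original post or of AIX: it reports a leftover .profile, any world-writable directory other than incoming, and any entry in the chroot's etc/passwd whose password field is not the `*` or `!` placeholder used in the post's samples. The function names, the temporary sample tree and the fake hash string are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): audit an anonymous-FTP chroot tree.
# Prints one finding per line; prints nothing when the tree is clean.
audit_ftp_tree() {
    root=$1

    # The post says to remove the .profile created for the ftp user.
    if [ -e "$root/.profile" ]; then
        echo "PROFILE: $root/.profile"
    fi

    # Only the upload directory (incoming) may be world-writable.
    find "$root" -type d -perm -0002 ! -path "$root/incoming" |
        sed 's/^/WRITABLE: /'

    # Field 2 of the chroot's etc/passwd must be a placeholder (* or !),
    # as in the post's samples, never a password hash.
    if [ -f "$root/etc/passwd" ]; then
        awk -F: '$2 != "*" && $2 != "!" { print "HASH: " $1 }' \
            "$root/etc/passwd"
    fi
    return 0
}

# Constructed sample tree: pub still world-writable (as anon.ftp leaves it),
# .profile still present, and one passwd entry carrying a fake hash.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/etc" "$t/bin" "$t/lib" "$t/usr" "$t/pub" "$t/incoming"
    chmod 555 "$t/bin" "$t/lib" "$t/usr"
    chmod 755 "$t/etc"
    chmod 777 "$t/pub" "$t/incoming"
    : > "$t/.profile"
    cat > "$t/etc/passwd" <<'EOF'
ftp:*:302:1:anonymous ftp user:/u/ftp:/bin/false
root:*:0:0::/:/bin/false
test:CONSTRUCTED-HASH:228:1::/home/test:/usr/bin/ksh
EOF
    echo "$t"
}

demo=$(make_sample_tree)
audit_ftp_tree "$demo"
rm -rf "$demo"
```

On a server configured as in the post, the call would be `audit_ftp_tree /home/ftp`; an empty result means none of the three conditions was found.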