Purpose

Last but not least, please feel free to duplicate this information in any way, shape or form you choose as long as credit is given where credit is due.

Table of Contents

• Additional Reading
• Compiling wu-ftpd
• Recommended
• Procedure
• Installation
• Configuring wu-ftpd
• General
• Logging
• Anonymous User Setup
• Guestgroup User Setup
• Tips and Tricks (not completed)
• Tracing the libs needed by dynamic "ls"
• Building a static version of "ls"
• Allowing guestgroup users to change their password
• Reporting Tools (not completed)
• Acknowledgements
• Main Page

Additional Reading

• WU-FTPD Resource Center
• Official wu-ftpd FAQ
• Solaris FAQ
• Guestgroup How-To Document.
• wu-ftpd Mailing List Archives

---

Compiling wu-ftpd

Recommended:

• gcc v.2.7.2 or greater (ftp://opcom.sun.ca/pub/freeware/)
• wu-ftpd v.2.4.2 beta 17 or newer (ftp://ftp.academ.com/pub/wu-ftpd/private/)

Procedure:

#define SPT_TYPE  SPT_NONE

If you do not have the Sun "cc" compiler installed (that is, you have gcc or something else installed), you will need to either munge the two Makefile.sol files that come with the distribution OR set up /usr/bin/ccs/cc to point to your gcc binary.

Makefile.sol Files Workaround

CC = cc

(or combine steps 1 and 2 and make CC = gcc in the Makefile.sol files)

3. Make sure gcc is in your $PATH

Symbolical Link Workaround

ln -s /<where the gcc is>/gcc /<where you want the link>/cc

   ln -s /opt/GCC2721/gcc /usr/ccs/bin/cc

3. Avoid having /usr/ucb in your $PATH (if that's where the cc script is which tries to run the non-present BSD compatible C compiler).

[Thanks to: "Stig Isaksson" <Stig.Isaksson@dal.lu.se> (5/27/98)]

At this point, you're ready to build the distribution. From the top level of the source directory created (ie, /usr/local/src/wu-ftpd-2.4.2-beta-17) run:

./build sol

The build output should look something like this:

make args are : 
make opts are : 

Linking Makefiles. 

Making support library. 
gcc -g -DDEBUG -c fnmatch.c 
gcc -g -DDEBUG -c strcasestr.c 
gcc -g -DDEBUG -c strsep.c 
gcc -g -DDEBUG -c authuser.c 
gcc -g -DDEBUG -c vsnprintf.c 
rm -f libsupport.a 
ar cq libsupport.a fnmatch.o strcasestr.o strsep.o authuser.o vsnprintf.o 
touch libsupport.a 

Making ftpd. 
gcc -g -DDEBUG -I.. -I../support -L../support -c ftpd.c 
yacc ftpcmd.y 
mv y.tab.c ftpcmd.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c ftpcmd.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c glob.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c logwtmp.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c popen.c 
sh newvers.sh 
gcc -g -DDEBUG -I.. -I../support -L../support -c vers.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c access.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c extensions.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c realpath.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c acl.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c private.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c authenticate.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c conversions.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c hostacc.c 
gcc -g -DDEBUG -I.. -I../support -L../support -c sigfix.c 
gcc -g -DDEBUG -I.. -I../support -L../support -o ftpd ftpd.o ftpcmd.o glob.o log 
wtmp.o popen.o vers.o access.o extensions.o realpath.o acl.o private.o authenti 
cate.o conversions.o hostacc.o sigfix.o -lsupport -lsocket -lnsl -lgen 

Making ftpcount. 
gcc -g -DDEBUG -I.. -I../support -L../support -o ftpcount ftpcount.c vers.o -lsu 
pport -lsocket -lnsl -lgen 

Making ftpshut. 
gcc -g -DDEBUG -I.. -I../support -L../support -o ftpshut ftpshut.c vers.o -lsupp 
ort -lsocket -lnsl -lgen 

Making ckconfig. 
gcc -g -DDEBUG -I.. -I../support -L../support -o ckconfig ckconfig.c 

Links to executables are in bin directory: 
bin/ftpd: 137354 + 9600 + 19684 = 166638 
bin/ftpcount: 7674 + 720 + 864 = 9258 
bin/ftpshut: 6532 + 568 + 344 = 7444 
bin/ftpwho: 7674 + 720 + 864 = 9258 
bin/ckconfig: 3984 + 316 + 332 = 4632 
Done

Installation

./build install

-mv -f ${BINDIR}/in.ftpd ${BINDIR}/in.ftpd-old
${INSTALL} -c -o bin -g bin -m 755 bin/ftpd ${BINDIR}/in.ftpd
${INSTALL} -c -o bin -g bin -m 755 doc/ftpd.8 ${MANDIR}/man1m/in.ftpd.1m

---

Configuring wu-ftpd

General

If you wish to replace the existing ftpd service on port 21, edit the existing ftp entry in the /etc/inetd.conf file to reference the wuftpd executable installed. For example:

ftp  stream  tcp  nowait  root  /usr/sbin/ftpd  ftpd -laio

wuftp      4001/tcp      # command port to test wu-ftpd

wuftp-data 4000/tcp      # data port to test wu-ftpd

Next, add the appropriate entry to the /etc/inetd.conf file, the key part being to reference the same service name as is in the /etc/services file:

wuftp  stream  tcp  nowait  root  /usr/sbin/ftpd  ftpd -laio

Since in this example the -a option is being used, an ftpaccess file must be placed in /etc. A good working sample is provided with the wu-ftpd distribution in doc/examples. This file can be copied right into /etc or wherever specified in src/pathnames.h. See the man page for ftpacces for complete details.

At this point in the set up, you should be able to ftp to the host as a real user. Run bin/ckconfig from the distribution to verify your set up at this point.

Logging

daemon.info      /var/adm/messages 
daemon.notice    /var/adm/messages 
daemon.debug     /var/adm/messages

[Thanks to: "Roger A. Hanke" <rah@lynxhub.ho.att.com> (2/3/97)]

Anonymous User Setup

1. ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config
2. ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_abuses
3. ftp://sunsite.unc.edu/pub/sun-info/sun-faq/FAQs/SettingUpSecureFTP.faq

• Create a user account "ftp"; this account should not have a real shell login and the home directory should use the correct syntax for "chroot". For example:

ftp:x:30000:30000:Anonymous FTP:/home/ftp/./:/bin/false

• Make sure to use a non-shell program for the shell, ie, "/bin/false" so the ftp account does not have shell access to the host.
  
  
• Create the /etc/shells file to have the following entries plus whatever you used above:
• /usr/bin/sh
• /usr/bin/csh
• /usr/bin/ksh
• /usr/bin/jsh
• /bin/sh
• /bin/csh
• /bin/ksh
• /bin/jsh
• /sbin/sh
• /sbin/jsh
• /usr/local/bin/bash
• /bin/false
  
  
• Set up the directories in the root ftp diretory , ~ftp (or /home/ftp in this example):

    dr-xr-xr-x  7 root system 512 Mar  1 15:17 ./ 
    drwxr-xr-x 25 root system 512 Jan  4 11:30 ../ 
    d--x--x--x  2 root system 512 Dec 20 15:43 bin/ 
    d--x--x--x  2 root system 512 Dec 20 15:43 dev/ 
    d--x--x--x  2 root system 512 Mar 12 16:23 etc/
    drwx-wx-wt 10 root system 512 Jun  5 10:54 incoming/
    drwxr-xr-x 10 root system 512 Jun  5 10:54 pub/
    d--x--x--x 10 root system 512 Jun  5 10:54 usr/

• In the ~ftp/bin directory:

---x--x--x   1 root     other      13612 Feb  5 15:26 ls*

Note: if you use the dynamically linked version of ls (from /usr/bin/ls) you will need to make sure that ~ftp/usr/lib has all the necessary libraries for "dir" to work correctly. See below for complete details on ~ftp/usr/lib or the section on how to build a static version of "ls". 


• In the ~ftp/etc directory:

-r-xr-xr-x  1 root     system       462 Feb  5 15:33 TIMEZONE* 
-r--r--r--  1 root     system       471 Feb  4 16:30 group 
-r--r--r--  1 root     system      1064 Jan 28 17:14 netconfig 
-r--r--r--  1 root     system      1748 Feb 10 15:44 passwd

• Note: the files ~ftp/etc/passwd and ~ftp/etc/group should contain minimal information. These files are only provided for use by the "dir" command so that the proper user and group names show up instead of the uid and gid numbers. These files should not contain any "real user" information in them. The TIMEZONE and netconf files are also necessary for the "dir" command to output the correct date/time stamp of the files.
  
  
• In the ~ftp/dev directory:

crw-rw-rw-   1 root     other     13,  2 Jan 29 15:01 null 
crw-rw-rw-   1 root     other     11, 42 Jan 28 17:17 tcp 
crw-rw-rw-   1 root     other    105,  1 Jan 28 17:17 ticotsord 
crw-rw-rw-   1 root     other     11, 41 Jan 28 17:18 udp 
crw-rw-rw-   1 root     other     13, 12 Jan 28 17:18 zero

Note: you can perform an "ls -lL" in /dev to verify the correct major and minor numbers for your system and then use "mknod" to create these files in ~ftp/dev. (It may not be necessary to include /dev/null).


• In the ~ftp/usr directory:

lrwxrwxrwx  1 root    system        6 Feb  5 15:49 bin -> ../bin/ 
dr-xr-xr-x  4 root    system     1024 Feb  5 15:38 lib/ 
dr-xr-xr-x  3 root    system      512 Feb  5 15:38 share/

• In the ~ftp/usr/lib directory:

-r-xr-xr-x   1 root     system      24576 Jan 30 13:48 ld.so* 
-r-xr-xr-x   1 root     system     137160 Jan 30 13:48 ld.so.1* 
-r-xr-xr-x   1 root     system     662764 Jan 30 13:48 libc.so* 
-r-xr-xr-x   1 root     system     662764 Jan 30 13:48 libc.so.1* 
-r-xr-xr-x   1 root     system       2564 Jan 30 13:48 libdl.so* 
-r-xr-xr-x   1 root     system       2564 Jan 30 13:48 libdl.so.1* 
-r-xr-xr-x   1 root     system      15720 Jan 30 13:48 libintl.so* 
-r-xr-xr-x   1 root     system      15720 Jan 30 13:48 libintl.so.1* 
-r-xr-xr-x   1 root     system      15720 Jan 31 08:50 libmp.so* 
-r-xr-xr-x   1 root     system      15720 Jan 31 08:50 libmp.so.1* 
-r-xr-xr-x   1 root     system     566700 Jan 30 13:48 libnsl.so* 
-r-xr-xr-x   1 root     system     566700 Jan 30 13:48 libnsl.so.1* 
-r-xr-xr-x   1 root     system      68780 Jan 30 13:48 libsocket.so* 
-r-xr-xr-x   1 root     system      68780 Jan 30 13:48 libsocket.so.1* 
-r-xr-xr-x   1 root     system      39932 Jan 30 13:48 libw.so* 
-r-xr-xr-x   1 root     system      39932 Jan 30 13:48 libw.so.1* 
-r-xr-xr-x   1 root     system      10804 Jan 30 13:49 nss_dns.so.1* 
-r-xr-xr-x   1 root     system      21144 Jan 30 13:49 nss_files.so.1* 
-r-xr-xr-x   1 root     system      24404 Jan 30 13:49 nss_nis.so.1* 
-r-xr-xr-x   1 root     system      28844 Jan 30 13:49 nss_nisplus.so.1* 
-r-xr-xr-x   1 root     system       9312 Jan 30 13:49 straddr.so* 
-r-xr-xr-x   1 root     system       9312 Jan 30 13:49 straddr.so.2*

Note: except for ld.so and ld.so.1, the .so version of a library is just a hard link to the .so.1
 

Note: for Solaris 2.6, libmp.so.2 is used instead of libmp.so.1.

Note: there may be changes in the above list between releases of Solaris; in 2.5, libmp.so.1 was not needed but became required in 2.5.1 in order for the command "dir" to properly resolve user and group names. One way to track down any additional library dependencies in future releases is to use "ldd" on all the above files and add any missing libraries to this directory as needed. 



• In the ~ftp/usr/share/lib/zoneinfo directory:

-r--r--r--   1 root     other         57 Feb  5 15:35 GMT-8 
dr-xr-xr-x   2 root     other        512 Feb  5 15:32 US/

and ~ftp/usr/share/lib/zoneinfo/US contains:

-r--r--r--   1 root     other        817 Feb  5 15:32 Pacific

Note: the above is for US/Pacific. If you don't know exactly what needs to be copied over from /usr/share/lib/zoneinfo and you have disk space to spare, you can copy over the entire tree. If you don't have the space to spare, there's always trial and error (copy what you think you need, connect via anonymous ftp and see if the timestamps look correct).


• In the ~ftp/pub directory:

drwxr-sr-x 10 dchap   system      512 Jun  5 10:54 pub/

and this directory is owned by you and have the same group as ftp with permissions 555. You may want to make this directory 2755, ie. set-group-id, so that new files and directories are created with the same group ownership.


• In the ~ftp/incoming directory:

d-wx-wx-wt  5 dchap   staff      1536 Feb 11 22:43 incoming/

• Some final security touches:
• cd ~ftp
• touch .rhosts .forward
• chown root .rhosts .forward
• chgrp system .rhosts .forward
• chmod 400 .rhosts .forward

Guestgroup User Setup

For each guest group user, perform the following steps:

• Create a user account with the following type of entry in the system /etc/passwd file:

author:x:54321:100:Author:/home/web/author/./:/etc/ftp-only

The /home/web/htdocs/author/./ entry for the home directory has the user "author" chroot'ed to /home/web/author when "author" connects via ftp. This means that "author" cannot "cd" or otherwise see any files or directories outside of /home/web/author.

If it is desirable to to have the user cd'ed to another directory after they are connected, the home directory should be specified as:

/home/web/author/./somedir

Note: For each chroot'ed directory, a set of the ~/bin, ~/dev, ~/etc, and ~/usr directories will need to be set up. Use of hard links can alleviate this to some extent. See Anonymous FTP Setup and the rest of this section for complete details.

Note: Alternatively, mutliple users can be chroot'ed to a single directory (ie, /home/web/htdocs) and then Unix file permissions can be used to allow file uploads and directory creation according to those file permissions. In this case, only a single set of directories (~/bin, ~/dev, ~/etc, and ~/usr) would need to be set up. This is not necessarily recommend, just an alternative worth mentioning.



• Create the appropriate group entry in the system /etc/group file:
webauth::100


• Set the password for "author".
  
  
• Set up the ftpaccess file; see doc/exmaples/ftpaccess.heavy for a good example of an ftpaccess file full of configuration options. See the man page for ftpaccess.5 for a complete explanation. Items that you should specifically configure are:
• Add "guest" in the appropriate "class" (site dependent):
class local real,guest,anonymous
• Define the following permissions for "guest" (site dependent); removing "guest" from any of the below entries will give all "guests" that privilege.

    delete    no anonymous,guest # delete permission? 
    overwrite no anonymous,guest # overwrite permission? 
    rename    no anonymous,guest # rename permission? 
    chmod     no anonymous,guest # chmod permission? 
    umask     no anonymous,guest # umask permission?

• Add "webauth" to the guestgroup entry:
guestgroup webauth
Additional guestgroups can be added to the "guestgroup" line, delimited by white space.
• Make sure that the permissions for /home/web/author are set to 755 (or for multiple user access, only group writable by those you want able to upload to the document root directory).
  
  
• Setup the following directories in /home/web/author:
• bin/
• dev/
• etc/
• usr/
  
  
Follow the directions as outlined in the Anonymous User Setup section of this document. Keep these points in mind:
• The author/etc/passwd file should contain only the necessary entries to make the "dir" command output look reasonable (and even that isn't absolutely necessary). The same goes for the author/etc/group file.
• Don't use "real user" groups as entries on the guestgroup line of the /etc/ftpaccess file or real users will have real problems when they connect via ftp.
  
  
• Some final security touches:
• cd /home/web/author
• touch .rhosts .forward
• chown root .rhosts .forward
• chgrp system .rhosts .forward
• chmod 400 .rhosts .forward

Default Permissions of Uploaded Files

Default Permissions of Created Directories

Tips and Tricks

Tracing libraries used by "ls" under anonymous ftp

to see which libraries are being used by "ls" and by "dir"; you may also have to use "ldd" on the libraries accessed by "ls" to ferret out additional dependencies.

Compiling a static version of "ls"

• Get a hold of Emil Isberg's patch; save it (for example) in /usr/local/src as fileutils-3.13_static-ls.patch
• Get a hold of the gnu file utilities (version 3.13 only) and place it (for example) in /usr/local/src
• From /usr/local/src: gunzip fileutils-3.13.tar.gz
• tar xf fileutils-3.13.tar
• cd fileutils-3.13
• ./configure
• cd ..
• patch <fileutils-3.13_static-ls.patch
• cd fileutils-3.13
• make ls
• Copy "ls" to your~ftp/bin directory and there you have it!

Ownership/permissions of directories created by a guestgroup user

Allowing guestgroup users to change their password

---

Reporting Tools

Acknowledgements

• Koos van den Hout (koos@pizza.hvu.nl) keeper of the Official wu-ftpd FAQ.
• Michael Brennan (mbrennen@fni.com) keeper of the Guestgroup How-To document.
• Casper Dik (Casper.Dik@Holland.Sun.COM) keeper of the Solaris FAQ.
• Kent Landfield (kent@landfield.com) for mainting the WWW archive of the wu-ftpd mailing list.
• All wu-ftpd list subscribers (wu-ftpd@wugate.wustl.edu) whose help was invaluable. In particular: Mark Galbraith, Jim Showalter, Jon (no h) S. Stevens, Emil Isberg, Roger A. Hanke, Debra Bartling, and Alvaro Martinez Echevarria.