41.4. Setting Up Anonymous FTP

Configuring WU-FTPD to accept anonymous logins is slightly more complex than you would expect, due to its use of the ls command to generate directory listings. So that this command (and others used by the server) cannot escape the directory to which anonymous clients are restricted, the server uses the UNIX chroot system call to restrict itself and all programs that it runs to that directory. This means that the root directory must contain all the programs, files, and shared libraries that WU-FTPD and the ls command need to run.

By default, the home directory of the special UNIX user ftp is used as the anonymous FTP root, but different roots can be assigned to different client classes. Whatever directory is chosen, however, must contain a bin subdirectory with the ls, gzip, tar, recompress, cpio, and zcat commands. It must also have a lib subdirectory containing any shared libraries needed by those commands, an etc subdirectory with passwd and group files, and a pub directory in which downloadable files are stored.

As you can imagine, copying all these files into place and making sure that they work is quite tricky. Fortunately, many Linux distributions that include a wu-ftpd package also have a package named anonftp that places all the needed files in the home directory of the ftp user. In most cases, all you need to do is install this package and WU-FTPD will allow clients to log in anonymously.
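One way to check a candidate directory against the layout described above, as an added example that is not from the book. The function names and the `ANON_CMDS` and `LDD` variables are this example's own; the command list is the one given in the text.

```shell
#!/bin/sh
# Added example, not from the book: audit an anonymous FTP root against the
# layout described above. ANON_CMDS defaults to the command list given in the
# text; override it if your anonftp package ships a different set.
ANON_CMDS="${ANON_CMDS:-ls gzip tar recompress cpio zcat}"
LDD="${LDD:-ldd}"   # overridable (assumption); only run ldd on trusted binaries

report() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

# Prints one line per problem, leaves the count in $problems, and returns
# 0 when the root is complete, 1 otherwise.
audit_anon_root() {
    root=$1
    problems=0

    # Subdirectories the chroot must contain.
    for d in bin lib etc pub; do
        [ -d "$root/$d" ] || report "missing directory $root/$d"
    done

    # passwd and group files expected under etc.
    for f in passwd group; do
        [ -f "$root/etc/$f" ] || report "missing file $root/etc/$f"
    done

    for c in $ANON_CMDS; do
        if [ ! -x "$root/bin/$c" ]; then
            report "missing or non-executable $root/bin/$c"
            continue
        fi
        # After chroot, libraries are looked up inside the root, so every
        # absolute path ldd reports must also exist under $root.
        command -v "$LDD" >/dev/null 2>&1 || continue
        for lib in $("$LDD" "$root/bin/$c" 2>/dev/null |
                     awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
            [ -e "$root$lib" ] || report "$c needs $lib, absent under $root"
        done
    done

    [ "$problems" -eq 0 ]
}

# Usage: audit_anon_root ~ftp
```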

Regardless of the permissions on the root directory, WU-FTPD will always prevent anonymous clients uploading, renaming, or deleting files. All they will be able to do is download the files that you place in the pub subdirectory for public distribution.

Anonymous logins can be further configured by following these steps:

1. Click on the Anonymous FTP icon on the module's main page.

2. The Anonymous FTP root directories table allows you to specify different root directories to be used for different classes of client. Any existing directories (apart from the default of ~ftp) are listed in the table for editing, and there will always be one empty row for adding a new one. As soon as an entry is added, it will replace the default, so be sure to explicitly add it if you want it to continue working. If you want to add more than one directory, you will need to save and reopen this page so that a new blank row appears. Each row has two fields:

Directory: In this field you must enter the full path to a valid anonymous FTP directory (one that contains etc, bin, lib, and pub subdirectories and all the needed programs).

For class: From this menu, you must choose a client class that the directory should be used for, assuming that clients in that class log in anonymously. If Any is selected, it will be used for clients not in any other class in this table. See Section 41.5 “Managing User Classes” for details on how to define your own classes.

3. When a user logs in to your FTP server anonymously, they must still supply a password even though it is not used for authentication. Typically this password is the user's email address, which can be used to get a rough idea of what domain clients are coming from. For privacy reasons, however, many modern FTP clients and browsers do not send a real email address anymore, logging in instead with a fake one like [email protected]. You can configure WU-FTPD to check the format of anonymous login passwords to make sure that they look like email addresses using the Anonymous FTP password check field on this page. If Default is selected, no checking will be done. If the second option is chosen, however, the level of checking depends on the choice that you make from its menu:

Allow anything: Any password is allowed, even a blank one (this is the same as the default mode).

Must contain @: The password must contain the @ symbol.

Must be an RFC822 email address: The password must look like a valid email address, with letters and numbers before and after the @.

The second menu determines whether the FTP server just warns clients that violate the check (if Warn only is chosen), or blocks them altogether (if Deny login is selected).

4. To block certain anonymous passwords altogether (even if they are valid), fill in the Anonymous FTP passwords to deny field with a list of complete or partial email addresses. This can be useful for blocking FTP clients that are configured by default to use a fake address. I recommend against using this feature, however, as it will block a lot of people, especially those using web browsers.

5. Hit the Save button at the bottom of the page to activate the new anonymous FTP settings.
