Configuring Lukem FTP
Setting up the native FTP service (FreeBSD 5.2)
Posted 07.02.2005 | Updated 23.05.2006 | Contributed by Brad Robinson & Andy Mallett


Lukemftpd is what many users affectionately call the enhanced FTP server in NetBSD. The `lukem' comes from the account name of the NetBSD developer who wrote most of the enhancements, Luke Mewburn (lukem@netbsd.org).

This package is a `port' of the NetBSD FTP server to other systems and comes standard with FreeBSD. Although it's installed automatically, it must be configured before use.

There's no need to install anything separately: the daemon, /usr/libexec/ftpd, is part of the FreeBSD base system even if you didn't select "Anonymous FTP Server" during installation.

To enable the server, edit /etc/inetd.conf (vi will do) and uncomment the following line by removing the leading #:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l


inetd itself is only started at boot if /etc/rc.conf contains inetd_enable="YES". Depending on what you answered during installation the line may already be there (grep inetd_enable /etc/rc.conf); if not, add it. The rc script starts inetd with -wW, which turns on TCP wrappers (hosts.allow) for external and internal services.

Then make inetd re-read its configuration. Don't kill -9 it: send it a SIGHUP with kill -HUP `cat /var/run/inetd.pid`, or use /etc/rc.d/inetd restart. If inetd isn't running yet, /etc/rc.d/inetd start (or inetd -wW by hand) brings it up without a reboot.

Configuration

To set up anonymous access, create a user named ftp with the adduser command. Give it no usable password (a starred-out or random one) and a non-login shell such as /usr/sbin/nologin: nobody should be able to log in to the box with this account. ftpd accepts any password for anonymous sessions and never runs the account's shell, so those two fields exist only to make the entry useless for anything but FTP.

Creating the FTP User

You will find a new directory named ftp in /home. This is the anonymous ftp user's home, and every anonymous session is chrooted ('jailed') into it after login, so anonymous clients can reach nothing outside it. Create public or download directories here (pub, say) as needed, but make the home directory and everything under it owned by root and not writable by the ftp user (mode 555), or anonymous clients may be able to write into your server.
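As an added example (not part of the original article), here are the account creation and the directory layout as a small sh script. The account step uses FreeBSD's pw(8) and needs root; the layout and check functions take a root path and an owner, so they can be rehearsed in a scratch directory as an ordinary user before being run as root against /home/ftp.

```sh
#!/bin/sh
# Added example (not from the original article): anonymous FTP account and
# directory layout for FreeBSD's ftpd.  The account step needs root and pw(8);
# the layout/check functions take a root path and owner so they can be
# rehearsed in a scratch directory as an ordinary user.
set -eu

# Create the 'ftp' account.  pw(8)'s -w no stores '*' in the password field
# (no usable password) and /usr/sbin/nologin refuses interactive logins; ftpd
# ignores both for anonymous sessions, they only keep the entry from being a
# real login.  No -m: the home is created by make_anon_tree below so it gets
# the right ownership and no skeleton dotfiles.
create_anon_user() {
    pw useradd ftp -c 'Anonymous FTP' -d "${1:-/home/ftp}" -s /usr/sbin/nologin -w no
}

# Lay out the home: every directory owned by $2 (root in production) and mode
# 555, so the chrooted anonymous user can list and fetch but never write.
make_anon_tree() {
    root=$1
    owner=${2:-root}
    mkdir -p "$root/pub"
    chown "$owner" "$root" "$root/pub"
    chmod 555 "$root" "$root/pub"
}

# Check: nothing under the anonymous root may be group- or world-writable.
# Returns 0 if the tree is clean, 1 (listing the offenders) otherwise.
anon_tree_ok() {
    bad=$(find "$1" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf 'writable by group/other:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Permission string of a path, e.g. dr-xr-xr-x (taken from ls so it works on
# any BSD or Linux without depending on stat's output format).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Rehearsal in a scratch directory (no root needed).  The real run, as root:
#   create_anon_user /home/ftp && make_anon_tree /home/ftp root && anon_tree_ok /home/ftp
scratch=$(mktemp -d)
make_anon_tree "$scratch/ftp" "$(id -un)"
mode_of "$scratch/ftp"
anon_tree_ok "$scratch/ftp" && echo "anonymous tree is read-only"
chmod -R u+w "$scratch" && rm -rf "$scratch"
```

Run anon_tree_ok again whenever you add a directory under ~ftp; a single group-writable pub/ is all an anonymous client needs to start storing files on your box.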

Real accounts are a different story. Out of the box, any local user with a valid shell (one listed in /etc/shells) who is not named in /etc/ftpusers can log in over FTP and browse whatever parts of the directory tree Unix permissions allow, over a cleartext protocol at that. Bit of a glaring security omission, methinks. To redress this, list such users in /etc/ftpchroot (create the file with vi if it doesn't exist): ftpd will 'jail' (chroot) each listed user into his home directory, or into another directory named on the same line, so users can reach only their own files. From the ftpchroot man page:

The order of records in ftpchroot is important because the first match will be used. Fields on each line are separated by tabs or spaces.

The first field specifies a user or group name. If it is prefixed by an @ sign, it specifies a group name; the line will match each user who is a member of this group. As a special case, a single `@' in this field will match any user. A username is specified otherwise.

The optional second field describes the directory for the user or each member of the group to be locked up in using chroot(2). Be it omitted, the user's login directory will be used. If it is not an absolute pathname, then it will be relative to the user's login directory. If it contains the /./ separator, ftpd(8) will treat its left-hand side as the name of the directory to do chroot(2) to, and its right-hand side to change the current directory to afterwards.

EXAMPLES

These lines in ftpchroot will lock up the user ``webuser'' and each member of the group ``hostee'' in their respective login directories:

webuser
@hostee


And this line will tell ftpd(8) to lock up the user ``joe'' in /var/spool/ftp and then to change the current directory to /joe, which is relative to the session's new root:

joe /var/spool/ftp/./joe

And finally the following line will lock up every user connecting through FTP in his respective ~/public_html, thus lowering possible impact on the system from intrinsic insecurity of FTP:

@   public_html
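To see how these rules combine before relying on them, here is an added sh example (not from the article, and not ftpd's own code) that resolves a user against an ftpchroot file with the same first-match logic: given the file, the user name, the login directory and the user's group names, it prints the directory ftpd would chroot to and the directory it would cd to inside it. Group membership is passed on the command line instead of coming from the group database, and skipping # comment lines is an assumption.

```sh
#!/bin/sh
# Added example (not from the article or from ftpd): resolve a user against an
# ftpchroot(5) file with the first-match rules quoted above.  Group membership
# is passed on the command line instead of read from the group database.
set -eu

# ftpchroot_lookup FILE USER HOMEDIR [GROUP ...]
# Prints "<chroot dir><TAB><initial cwd>" and returns 0 on the first matching
# record; returns 1 if no record matches (ftpd then does not chroot at all).
ftpchroot_lookup() {
    file=$1; user=$2; home=$3; shift 3
    groups=" $* "
    while read -r who dir _; do
        case $who in
            ''|'#'*) continue ;;          # blank or comment line (assumption: skipped)
            '@')     ;;                   # a lone @ matches every user
            '@'*)    case $groups in
                         *" ${who#@} "*) ;;
                         *) continue ;;
                     esac ;;
            *)       [ "$who" = "$user" ] || continue ;;
        esac
        # Second field omitted: lock the user into the login directory.
        [ -n "$dir" ] || dir=$home
        # Not absolute: relative to the login directory.
        case $dir in /*) ;; *) dir="$home/$dir" ;; esac
        # "/./" splits the chroot target from the directory to cd into after it.
        case $dir in
            */./*) printf '%s\t/%s\n' "${dir%%/./*}" "${dir#*/./}" ;;
            *)     printf '%s\t/\n' "$dir" ;;
        esac
        return 0
    done < "$file"
    return 1
}

# Demo on a constructed copy of the man page's examples, plus a comment line.
f=$(mktemp)
printf '# constructed sample\nwebuser\n@hostee\njoe\t/var/spool/ftp/./joe\n@\tpublic_html\n' > "$f"
for who in webuser joe bob; do
    printf '%s -> ' "$who"
    ftpchroot_lookup "$f" "$who" "/home/$who" wheel || echo "no record, not chrooted"
done
# Order matters: a joe who is also in hostee hits the @hostee line first.
printf 'joe (in hostee) -> '; ftpchroot_lookup "$f" joe /home/joe hostee
rm -f "$f"
```

Try it with the same user listed once by name and once through a group, in both orders, to see why the man page warns that the order of records matters.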


To allow only anonymous logins and refuse every real account outright, add the -A switch to the ftpd line in inetd.conf and send inetd a SIGHUP again:

ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -A
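Putting the inetd side of the setup together, here is an added sh example (not from the article) covering the earlier enable step, the rc.conf line and the -A restriction from this section. The functions take the file to edit as an argument and default to the real FreeBSD paths, so they can be tried on copies first; the reload sends SIGHUP using inetd's pid file.

```sh
#!/bin/sh
# Added example (not from the article): enable ftpd in inetd.conf (optionally
# anonymous-only with -A), enable inetd in rc.conf, and make inetd re-read its
# configuration.  Paths default to the real files but can be pointed at copies.
set -eu

# Overwrite a config file from a temp copy, keeping its inode and permissions.
replace_file() {
    cat "$2" > "$1" && rm -f "$2"
}

# enable_ftp_in_inetd [CONF] [FLAG]: uncomment the ftp line(s) and append FLAG
# (e.g. -A) once.  Idempotent: a second run changes nothing.
enable_ftp_in_inetd() {
    conf=${1:-/etc/inetd.conf}
    flag=${2:-}
    tmp=$(mktemp)
    awk -v flag="$flag" '
        /^#?[ \t]*ftp[ \t]/ {
            sub(/^#[ \t]*/, "")                               # drop the comment marker
            if (flag != "" && index(" " $0 " ", " " flag " ") == 0)
                $0 = $0 " " flag                              # add the flag if absent
        }
        { print }
    ' "$conf" > "$tmp"
    replace_file "$conf" "$tmp"
}

# enable_inetd_in_rcconf [RCCONF]: set inetd_enable="YES", replacing an
# existing setting rather than appending a duplicate.
enable_inetd_in_rcconf() {
    rc=${1:-/etc/rc.conf}
    tmp=$(mktemp)
    if grep -q '^inetd_enable=' "$rc"; then
        sed 's/^inetd_enable=.*/inetd_enable="YES"/' "$rc" > "$tmp"
        replace_file "$rc" "$tmp"
    else
        rm -f "$tmp"
        printf 'inetd_enable="YES"\n' >> "$rc"
    fi
}

# Active (uncommented) ftp entries, for checking the result.
active_ftp_lines() {
    grep '^ftp[[:space:]]' "$1" || true
}

# reload_inetd [PIDFILE]: SIGHUP makes inetd re-read inetd.conf; never kill -9 it.
reload_inetd() {
    pidfile=${1:-/var/run/inetd.pid}
    [ -r "$pidfile" ] || { echo "inetd is not running (no $pidfile)" >&2; return 1; }
    kill -HUP "$(cat "$pidfile")"
}

# Dry run on constructed copies of the two files.  On the real box, as root:
#   enable_ftp_in_inetd /etc/inetd.conf -A; enable_inetd_in_rcconf; reload_inetd
work=$(mktemp -d)
printf '#ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n' > "$work/inetd.conf"
printf 'hostname="box.example"\ninetd_enable="NO"\n' > "$work/rc.conf"
enable_ftp_in_inetd "$work/inetd.conf" -A
enable_inetd_in_rcconf "$work/rc.conf"
active_ftp_lines "$work/inetd.conf"
grep inetd_enable "$work/rc.conf"
rm -rf "$work"
```

With -A in place the only accepted logins are ftp and anonymous; without the flag, ftpchroot is what keeps real users contained.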



- B&A.