Professional File Transfer with proFTPD - Giving Back (
Page 7 of 11 )
By default, only users with real accounts on
the system are allowed to upload files to the FTP server - and even they are
limited to uploads in their home area. Anonymous users, as demonstrated on the
previous page, do not have the ability to upload files to the server. This is a
fairly reasonable safety precaution if your server is exposed to the public
Internet, because you never know what malicious files might be uploaded to your
server; however, if your FTP server is running on a closed network, you might
want to enable file upload for anonymous users also (perhaps to enable file
sharing between users at different locations).
In order to do this, you
should update the <Anonymous>...</Anonymous> block to look like
this:
# set root directory for anonymous users to /home/ftp
<Anonymous/home/ftp>
# set the user and group for the server process
User ftp
Group ftp
# alias "anonymous" login to "ftp"
UserAlias anonymous ftp
# restrict "anonymous" users from writing data
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
# allow writes to the /home/ftp/incoming directory
# but do not allow reads
<Directory incoming>
<Limit READ WRITE>
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
</Anonymous>
In case you haven't yet figured it out, the <Limit>...</Limit>
block places restrictions on the commands that can be executed by a user, with
the AllowAll and DenyAll directives specifying whether all clients can or cannot
use those commands. For finer-grained control, proFTPD also provides the Allow
and Deny directives, which permit you to set allow/deny rules on the basis of
host or network name, rather than globally for all clients.
Now, create a
directory in "/home/ftp" named "incoming", restart the server and try uploading
a file anonymously into that directory:
$ ftp localhost
Connected to localhost(192.168.3.1).
220 ProFTPD 1.2.8 Server (ProFTPD) [olympus.melonfire.com] Name
(localhost:joe): ftp 331 Anonymous login ok, send your complete email
address as your password.
Password: *******
230 Anonymous access granted, restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,3,1,4,239).
150 Opening ASCII mode data connection for file list
drwxr-xr-x 2 ftp ftp 4096 May 7 08:41 incoming
drwxr-xr-x 3 ftp ftp 4096 Apr 28 06:45 pub
226 Transfer complete.
ftp> cd incoming
250 CWD command successful.
ftp> ls -l
227 Entering Passive Mode (192,168,3,1,4,227).
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp> put mbox
local: mbox remote: mbox
227 Entering Passive Mode (192,168,3,1,4,231).
150 Opening BINARY mode data connection for mbox
226 Transfer complete.
9144 bytes sent in 0.00124 secs (7.2e+03 Kbytes/sec)
ftp> ls
227 Entering Passive Mode (192,168,3,1,4,235).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 9144 May 7 08:41 mbox
226 Transfer complete.
ftp> put mbox
local: mbox remote: mbox
227 Entering Passive Mode (192,168,3,1,4,237).
550 mbox: Overwrite permission denied
ftp> cd /
250 CWD command successful.
ftp> put mbox
local: mbox remote: mbox
227 Entering Passive Mode (192,168,3,1,4,233).
550 mbox: Permission denied
ftp> bye
221 Goodbye.
As you can see, proFTPD now permits uploads, but only into the
"incoming" directory; uploads to any location elsewhere in the anonymous FTP
area will fail. Additionally, anonymous users cannot download files from the
"incoming" directory.
In case you'd like a slightly greater level of
security for your anonymous FTP server, you can force anonymous users to provide
an actual password to gain entry, rather than the default anything-goes email
address. In order to enable this, simply add the
AnonRequirePassword on
line inside the <Anonymous>...</Anonymous> block of your
configuration file, and proFTPD will only allow anonymous access to users who
enter the system password for the "ftp" user.
