Chapter 18: FTP and World-Wide Web
Anonymous and Restricted FTP

Anonymous FTP

Anonymous FTP is now an accepted method of providing information on the Internet. Logons to it cannot reach any other part of the file structure: they run under what is called 'chroot', which means that the anonymous ftp directory appears to the caller to be root (/), and the command

cd ..

cannot go above this directory. Anonymous ftp requires an entry in the local /etc/passwd file of the workstation which is to act as the server; usually this is a Solaris system. The /etc/passwd entry for the id 'ftp' points to a directory which contains a mini operating system: it has subdirectories etc, bin, usr and lib which contain just enough to allow an ftp login, together with one or more 'pub' directories to hold the material to be accessed. The ftpd daemon recognises this id as an anonymous ftp one, that is, one 'providing guest access'.

We recommend the Washington University public domain FTP server for this, and have set up such servers at many sites. Most have both read-only access (for items to be fetched from the site) and read-write access (for items to be deposited at the site). We generally install this, if possible, with the server on one host and the data areas on another, using the auto.data map to identify them. This allows both data areas to be accessible in write mode within the site, but to be hard-mounted on the server so that the read-only area denies write access from outside. The FTP server code is set up as /nerc/packages/ftp and the /etc/inetd.conf entry for ftpd is set to point to this (or sometimes to /usr/local/ftp, which is a link to it, if the automounter can't be restarted). There is a file called ftpaccess which has a good selection of security options, allowing fine control over who owns which directories and where uploading can take place. It is a good plan to have an owner for the ftp data areas who will manage the space; that person can assign directories to particular projects and, if required, arrange a temporary area which is cleared at regular intervals.

Detailed instructions and scripts for setting up anonymous ftp can be obtained from the iTSS restricted ftp server at Wallingford.

Restricted FTP

Restricted ftp can be provided in the same way, using the same ftp daemon. Like anonymous ftp it requires an entry in the local /etc/passwd file, which has a special form to indicate restricted ftp. The entry

rftpid:x:1234:1234:Rftp:/local/users/rftpid/./pub

indicates that the ftp area is at /local/users/rftpid/pub, and the '/./' marker before pub indicates that this is a 'chroot'ed id, with root at /local/users/rftpid/, rather than an ordinary id. The directory is set up exactly as for anonymous ftp, with a minimal operating system in etc, usr, bin and lib, and the directory pub containing the material to be accessed. The /nerc/packages/ftp/ftpaccess file can also control one or more restricted ftp ids.

World Wide Web Servers

Various versions of WWW servers have been installed by different groups of people on UNIX (and of course at many sites on other architectures as well). The present iTSS offering is the w3c server, on Solaris; this has been provided in kit form by Alan Cox at Swindon and is being implemented where new servers are required or SunOS ones are replaced by Solaris. The server is installed as /nerc/packages/www, with one or more data areas attached for different sets of pages, perhaps with different owners. The data areas should ideally be on the same host as the Web server, but automounted so that their owners can write to them as /data/fredspages, /data/joespages or whatever. Both internet and intranet pages can be served side by side, with suitable security protections. Be warned: popular Web servers can be heavily loaded and should be on dedicated hosts.

Firewalls

On larger sites the external Web server and FTP server will be outside the Firewall.


This page last updated February 18th 1998 by rfcr@itss.nerc.ac.uk