new FTP Server: BetaFTPD

Stuff that has yet to be sorted into a category.
Nathan F
Posts: 1764
Joined: Wed 08 Jun 2005, 14:45
Location: Wadsworth, OH (occasionally home)

#21 Post by Nathan F »

Papaschtroumpf-meant no offense. I know it works "as-is" as an unleashed. I only meant it would be great to include in the "official" unleashed package and to have it appear in the menu when you open the pupget installer.

One final (hopefully) word of caution to anyone who does use this on a computer connected to the internet. If you do make a new user and give them access to their own home directory, you are essentially creating another user for your computer. In other words, unless you take other security precautions they will be able to view and download any file on your computer, although they will not have permission to alter anything outside of their own home directory. Still, think long and hard before you give anyone this kind of access to your data.

That said, this program opens up many possibilities for file transfer on a network, making it easier to communicate with Windows boxes and many other possibilities. I will be using it quite happily.

Nathan F
Posts: 1764
Joined: Wed 08 Jun 2005, 14:45
Location: Wadsworth, OH (occasionally home)

#22 Post by Nathan F »

Ok. Sorry about the sheer number of posts. In reference to my last post, if you open the root directory and change permissions of each directory to PRIVATE, OWNER ACCESS ONLY you can successfully keep any new users that you add out of the rest of your filesystem. You also have to do the same after going up one more level past root. Just don't do it to /root/ itself, or they won't be able to access their own directory. Don't forget all of the hidden files and directories. At least it works so far for me, anyhow. Since you are already running Puppy as root, this should not affect how your system runs. I'm still relatively green, however, so please someone correct me if I've given any bad advice here.

Nathan

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#23 Post by papaschtroumpf »

This is actually not normal, I'm not sure why the designers of betaftpd made it that way. It seems that root_dir is set to "/" for any passworded user. It should be possible to limit each user to his/her own directory (I think that's already done for the anonymous user), I'll take a look at the code again.

You do bring a good point about the fact that we created a real user, not just an FTP user though: if you were to allow SSH access for example, that user could log in using SSH.
Admittedly you should somewhat trust a user to create an account for them on your computer, but you shouldn't have to trust them that much.

I think a possible solution for that would be to change their shell to either a "sorry no shell" or at least a restricted shell (see http://www.opensource.apple.com/darwins ... bash/RBASH for a description of a restricted shell). I don't know if ash has a restricted shell but bash does, so you could make a script called /bin/rbash:

#!/bin/sh
# start bash in restricted mode
bash --restricted

and specify the shell when you create your user or manually edit the last field for that user in /etc/passwd from "/bin/sh" to "/bin/rbash"

and the user would be able to log in but not to get outside of his home directory. Unfortunately that doesn't seem to extend the protection to betaftpd, probably because it has got its own mechanism to change directories and the server runs as root, not as the user so it has access to everything.

I'll think about it and see what I can do. I don't want to modify betaftpd too much from its original state, but I do want something that is not too insecure.
Mandriva LE 2005 user and puppy newbie
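
The shell-field check suggested in post #23, as an added example that is not part of the thread and not BetaFTPD code: it flags passwd entries whose home is under a given prefix and whose shell is not on an accepted list. The `/root/` prefix, the accepted-shell list (`/bin/rbash` from the post, `/usr/bin/deny_sh` from the help text later in the thread, `/bin/false` assumed) and the sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Shells accepted for FTP-only accounts (an assumed policy list). */
static const char *const OK_SHELLS[] = { "/bin/rbash", "/usr/bin/deny_sh", "/bin/false" };

/* Check one passwd(5) line "name:pw:uid:gid:gecos:home:shell".
 * Returns 1 and copies the name if home is under home_prefix and the shell
 * is not in OK_SHELLS, 0 if the line is fine, -1 if it is malformed. */
int check_passwd_line(const char *line, const char *home_prefix,
                      char *name_out, size_t name_sz)
{
    char buf[512];
    char *f[7];
    int n = 0;

    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';

    /* Split by hand: strtok() would skip the empty fields passwd allows. */
    f[n++] = buf;
    for (char *p = buf; *p; p++) {
        if (*p != ':') continue;
        if (n == 7) return -1;
        *p = '\0';
        f[n++] = p + 1;
    }
    if (n != 7) return -1;

    if (strncmp(f[5], home_prefix, strlen(home_prefix)) != 0) return 0;
    /* An empty shell field falls back to /bin/sh, so it is flagged too. */
    for (size_t i = 0; i < sizeof OK_SHELLS / sizeof OK_SHELLS[0]; i++)
        if (strcmp(f[6], OK_SHELLS[i]) == 0) return 0;
    snprintf(name_out, name_sz, "%s", f[0]);
    return 1;
}

/* Constructed sample entries, not taken from a real system. */
static const char *const SAMPLE[] = {
    "root:x:0:0:root:/root:/bin/sh",
    "ftp:x:100:100:ftp:/root/ftp:/usr/bin/deny_sh",
    "friend:x:501:501::/root/friend:/bin/sh",
    "bob:x:502:502::/root/bob:/bin/rbash",
    "alice:x:503:503::/root/alice:",
};

/* Count sample accounts under home_prefix that keep an interactive shell. */
int count_flagged(const char *home_prefix)
{
    char name[64];
    int flagged = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (check_passwd_line(SAMPLE[i], home_prefix, name, sizeof name) == 1) {
            printf("%s has an interactive shell\n", name);
            flagged++;
        }
    return flagged;
}

int main(void) { return count_flagged("/root/") == 2 ? 0 : 1; }
```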

Nathan F
Posts: 1764
Joined: Wed 08 Jun 2005, 14:45
Location: Wadsworth, OH (occasionally home)

#24 Post by Nathan F »

Papaschtroumpf-No issues with anonymous so far. Seems that yes, it does limit anonymous users to their own directory. I don't think you should do too much more to it, either. I just wanted people to be aware of the possible limitations of what can or can't be done with the program. I'm pretty sure this has gone further than you expected already, and I guess you could say I've been a bit of a nag. I feel pretty secure with what you have now, though.

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#25 Post by papaschtroumpf »

I hate the idea of letting users have access to the entire machine. Some FTP servers run "chrooted" for that very reason.

Try the attached betaftpd (put it in /usr/sbin and overwrite the old one there) and let me know what you think. All users should now behave just like the "ftp" user, so user "bob" only has access to /root/bob/ and below.

I would still recommend to have users created for ftp only to be assigned a restricted shell like I describe above, even though it doesn't impact FTP behavior.

Hopefully this is the last build, I'll be leaving for vacation in a few days and won't be back before August. If it works, I'll make yet another PupGet (we're up to rev 4!)

Edit: had to create a tarball for the forum to let me upload it.
Attachments
betaftpd.tar.gz
users contained within their home directory with this build. this is just the ftpd file, place it in /usr/sbin. release candidate for version 4
(17.3 KiB) Downloaded 1023 times
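
The kind of per-user containment described in post #25, as an added example that is not part of the thread and not BetaFTPD's actual code: client paths are treated as virtual paths where "/" is the user's home, normalized lexically, and refused if they climb above it. The function names, the virtual-path model and the sample requests are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Lexically normalize a client path against the session's virtual cwd.
 * "/" is the user's home as the client sees it. Returns 0 and writes the
 * virtual path to out, or -1 if the request climbs above "/" or is too long.
 * Purely lexical: a symlink inside the home can still point elsewhere,
 * which is why some servers chroot() instead. */
int normalize_virtual(const char *cwd, const char *req, char *out, size_t outsz)
{
    char joined[1024];
    size_t len = 1;
    int n;

    if (outsz < 2) return -1;
    /* Absolute requests replace cwd; relative ones are appended to it. */
    if (req[0] == '/') n = snprintf(joined, sizeof joined, "%s", req);
    else n = snprintf(joined, sizeof joined, "%s/%s", cwd, req);
    if (n < 0 || (size_t)n >= sizeof joined) return -1;

    out[0] = '/';
    out[1] = '\0';
    for (char *seg = strtok(joined, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (len == 1) return -1;                 /* would leave home */
            while (len > 1 && out[len - 1] != '/') len--;
            if (len > 1) len--;                      /* drop separator */
            out[len] = '\0';
            continue;
        }
        size_t sl = strlen(seg);
        if (len + (len > 1) + sl + 1 > outsz) return -1;
        if (len > 1) out[len++] = '/';
        memcpy(out + len, seg, sl);
        len += sl;
        out[len] = '\0';
    }
    return 0;
}

/* Map the checked virtual path onto the real filesystem under home. */
int real_path(const char *home, const char *cwd, const char *req,
              char *out, size_t outsz)
{
    char virt[1024];
    int n;

    if (normalize_virtual(cwd, req, virt, sizeof virt) != 0) return -1;
    n = snprintf(out, outsz, "%s%s", home, strcmp(virt, "/") == 0 ? "" : virt);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed requests for a hypothetical user "bob" in /root/bob. */
    const char *reqs[] = { "pub/file.txt", "../../etc/passwd", "/a/./b//c/.." };
    char out[256];
    for (size_t i = 0; i < 3; i++) {
        if (real_path("/root/bob", "/", reqs[i], out, sizeof out) == 0)
            printf("%-18s -> %s\n", reqs[i], out);
        else
            printf("%-18s -> refused\n", reqs[i]);
    }
    return 0;
}
```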

Nathan F
Posts: 1764
Joined: Wed 08 Jun 2005, 14:45
Location: Wadsworth, OH (occasionally home)

#26 Post by Nathan F »

Just tried it, and it seems to be a go. My test user can still go up to the next directory levels, but can't peer inside anything. I don't think there are any adverse effects. Will let you know more if I find anything else, but I don't expect to.

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#27 Post by papaschtroumpf »

Nathan F wrote: Just tried it, and it seems to be a go. My test user can still go up to the next directory levels, but can't peer inside anything.
I'm not sure what that means? How do you go to the next directory levels and what happens if you can't peer inside it?
How did you test it? I get a "no such directory" or something like that when I try to CD out of the home directory with the cygwin FTP client and I get back to the previous browser page when I try to go up using Internet Explorer.
Mandriva LE 2005 user and puppy newbie

Nathan F
Posts: 1764
Joined: Wed 08 Jun 2005, 14:45
Location: Wadsworth, OH (occasionally home)

#28 Post by Nathan F »

To tell you the truth, I think it was user error on my part. I think I did something wrong when I went to overwrite the file the first time. I just deleted the old one and replaced it with the new one and now I'm getting the same results you mentioned. Simple, dumb mistake on my part. It was still keeping me out of those directories because of the permissions changes that I had made earlier. Now it won't let me out of the home directory at all, which is exactly what we want. Sorry about the confusion.

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#29 Post by papaschtroumpf »

I'll make the new behavior a command line option so that betaftpd behaves exactly like a "stock" one when called without options, and package it up.
That's probably all I'll do to it for a while. I don't want to spend much more time on it and it does what I want it to do. (or close enough given its small size)
Mandriva LE 2005 user and puppy newbie

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#30 Post by Flash »

Let me know if and when you think it's ready for the index. (It would be nice if someone who understands the program would write an overview describing what the program might be used for, and, briefly, how to go about installing and configuring it.)

Thanks, guys, for all your hard work. :)

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#31 Post by papaschtroumpf »

Here's the current betaftpd.txt file that shows up as a "man page".
I added a section that shows how it can be used.
If someone wants to take it and make an HTML version, with a couple of screenshots (you could reuse the one on the top of this thread) I would be grateful, but I don't want to deal with it now.

I don't have a spellchecker installed on puppy yet, and I'm a poor typist, so I'd appreciate it if you guys can proof the text below so that I can correct it before I make what I hope is the final release.


	     **** BetaFTPD 0.0.pre17-pup-4 for puppy linux ****
 
Overview:
=========

BetaFTPD is a single-threaded FTP daemon.

The single-threadedness makes it faster than most other FTP daemons (contrary
to common belief), and makes it extremely light on memory. Although it lacks
a few functions (which you probably won't miss).
Version 0.0.18pre17 is more stable than the latest official release (0.0.7)

Homepage: http://betaftpd.sourceforge.net/
Original by Steinar H. Gunderson <sgunderson@bigfoot.com>
Port to puppy linux, download-only mode and Control Center by papaschtroumpf.

Use of *any* FTP Server can present a security risk if your computer is
open to the Internet. Use at your own risk.



Usage:
======

(if you are new to FTP, you may want to scroll down to the "Why an FTP Server?"
tutorial section below)

The original BetaFTPD has no command line options. To keep the program small, all 
options were built-in at compile time. This modified version has one optional 
command line argument to restrict anonymous ftp to download only, and one to
restrict FTP access to each users' home directory.

In its simplest form, just run the betaftpd executable to start the server. It
will run as a daemon and run in the background.

puppy linux includes a BetaFTPD Control Center available in the menu for most
Window Managers (under Networking). You can also start the control center
manually by running the betaftpd-cc script.

The BetaFTPD Control Center allows you to:
- see the current server status
- start / stop the server
- enable / disable Anonymous FTP access
- change full or download-only Anonymous access
- enable / disable logging of file transfers
- view this help file

You can access the shared directories with any FTP client or most modern
browsers (Windows Explorer, Firefox, ...), most of them through drag and drop.

The file transfer log is in /var/log/xferlog and is in the following format:
date xfer_time peer_address xfer_size filename b _ iN/oUT a owner ftp 0 *



Shared directories:
===================

All users can have access to their own home directory by logging in with their
puppy linux username and password. Note the following limitations however:
- for security reasons root cannot log in as an FTP user
- for security reasons users with a blank password cannot log in
- for security reasons the special user "ftp" does not have shell access

If you create a user for FTP access only, it is recommended that you don't
grant that user shell access for improved security. This can be done by
passing the -s /usr/bin/deny_sh option to add user as follows:

     adduser -h /root/ftphomes/user -r /usr/bin/deny_sh user

In addition to user directories, the home directory of special user "ftp" 
is shared to all anonymous users. That "ftp" user can be activated through
the Control Center.

Upload is allowed in all shared directories, allowing two way transfer of files.
However the Control Center has an option to disallow upload/delete for
anonymous users.
For added security, users only have FTP access to their own home directory.

Note that betaftpd supports a "non-root" mode, and you may find references to it
if you look for it on the Internet. Support for it is somewhat experimental
and has been disabled in the puppy build. The Control Center requires that the 
FTP server be run by the root user.



Why an FTP server?
==================

FTP is one of the oldest and most common ways of transferring files over the
Internet. An FTP client connects to a server and can request and sometimes 
upload files to the server. There are many kinds of FTP clients. Some are
command line based, requiring you to know shell-like FTP commands, others have
a nice graphical interface, others are "transparent": you drag and drop files
between a browser and a local folder without knowing that you are actually 
doing an FTP transfer. Internet Explorer in Windows and Konqueror on linux 
have very good drag and drop FTP implementations.
You need a user and password to log into an FTP server, however some servers
have a "special" user called "anonymous" that doesn't have a password. The 
server will prompt you for a password but you can enter anything, although 
net etiquette often dictates that you should enter your email address.

BetaFTPD can be used in a variety of ways:

1) User specific access:
For example you want to share files with a friend halfway across the world,
but those files are too big to email: you can create an account for your friend
on your puppy machine as follows:
   adduser -h /root/friend friend
you will be prompted for a password for user "friend" (you could call him Bob,
Mom or Fido), and when the process completes, you will have a /root/friend 
directory. Put the files that you intend to share with him in that directory.
Start BetaFTPD (or more precisely the Control Center) from the start menu and
click "Start FTP server". If you don't want anonymous access (see below) make
sure that you click on the "Disable Anon" button.
Your friend can then type "ftp://xxx.xxx.xxx.xxx" in his browser or his 
favorite FTP client, where xxx.xxx.xxx.xxx is the Internet address of your
computer and log in with the user name "friend" and the password you assigned
to it. (If you are behind a broadband router you will need to configure it to
allow port 21 and possibly forward it to the puppy machine. How to do this is
outside of the scope of this document).
Note that your friend can also upload files to /root/friend.
Unless you want your friend to have shell access also, it is recommended that
you create the account with the -r /usr/sbin.deny_sh (see "Shared Directories")

2) Access for everyone
Let's say that you're a budding music composer, or artist or programmer and 
want to share the fruit of your labor with the rest of the world: you can't
create a user account for every person in the world! What you need to do is
allow anonymous access to your server: simply click "Enable Anon".
A new window appears prompting you for the password for the anonymous (or 
"ftp") user. Once the user is created, the files in /root/ftp will be shared
to anyone that cares to look! The BetaFTPD offers to open a rox window to
let you see the contents of that folder, just in case you want to check.

Pay close attention to the status of the anonymous access shown in the Control 
Center: if it says "FULL Anonymous FTP access is available for /root/ftp" it
means that not only anyone can log in and download your files, but anyone can
also log in and upload whatever they feel like. This is dangerous! You could
end up unknowingly hosting pornographic or copyrighted material placed there
by one of the anonymous users for other anonymous users to retrieve.
What you want to do to prevent this (believe me, you do) is change anonymous
access to only allow downloading by pressing the "Download-only" button.

You may even want to press the "Enable Log" button to get a log of each transfer
in and out of your machine. Press the "View Xfer log" button to see the log. The
first line shows you what its format is (or see "Usage" above).

3) LAN file transfer
The examples above assume that you can and are willing to share part of your
computer over the Internet. There is one safer application that is quite useful:
Since just about every operating system has an FTP client, you can use FTP to
transfer files between multiple computers with different operating systems on 
your home network. This is when allowing "full access" for anonymous users is
OK: some clients can be configured to automatically attempt anonymous access and
you won't be prompted for a user name or password (the "transparent" clients like
Konqueror and Windows Explorer work that way). You can then drag and drop files
in and out of the "repository" in /root/ftp on your puppy machine.

If the other machines on your network are mostly windows machines, you may want
to look at using Samba, the windows "network neighbourhood" protocol, for example
using LinNeighbourhood which is also available for puppy.

 


Under the hood:
===============
For puppy linux, BetaFTPD was compiled with the following options:

--enable-upload so that you can upload files to the server

--enable-xferlog to provide a log of all transfers. If the log file doesn't
exist when the program is started, it will not log anything. That's what
is used in the Control Center to enable and disable logging.

--enable-fork the server runs silently in the background, "daemon-style"

--enable-shadow to support user passwords

In addition the code was modified to add the -restrict option to disallow
anonymous uploads/deletes. Another option, -contain, was added to restrict 
user navigation to their home directories instead of full machine access as
in the original server.

These commands are believed to be fully compliant with RFC959 and RFC1123:
PORT, PASV, USER, PASS, CWD, CDUP, QUIT, DELE*, PWD, SYST, NOOP, STOR*, APPE*,
ABOR, RNFR*, RNTO*, MKD*, RMD*, ALLO*, REIN, ACCT, HELP, STAT and MODE.
The * denotes a command that is disabled when -restrict is used.

These commands are not implemented at all: SMNT, STOU and SITE.

Mandriva LE 2005 user and puppy newbie

Nathan F
Posts: 1764
Joined: Wed 08 Jun 2005, 14:45
Location: Wadsworth, OH (occasionally home)

#32 Post by Nathan F »

I'd be glad to write it up as html. Will put a couple screenshots with it and have it for you sometime tomorrow. Least I can do.

Nathan

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#33 Post by papaschtroumpf »

cool. Either post here or PM me and I'll include it in the tarball with the proper links to bring it up from "man"
Mandriva LE 2005 user and puppy newbie

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#34 Post by BarryK »

papaschtroumpf,
Thanks very much for the work you have put into this, it is greatly appreciated, not just by me but by all the other guys on this forum. Just wanted to let you know that.
Have a great holiday!

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#35 Post by Flash »

Nathan F wrote: I'd be glad to write it up as html. Will put a couple screenshots with it and have it for you sometime tomorrow. Least I can do.

Nathan
Excellent idea. Just a suggestion: screenshots don't really need to fill the whole screen to make a good impression. Reduce their size with Mtpaint and they will still look sharp. You can also crop them to eliminate distraction or confusion, making your point clearer.

(If you don't already know how, here's a post with details on resizing images with Mtpaint.)

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#36 Post by papaschtroumpf »

Nathan F. already did it (and did a good job too) and he hosted the files for me to download on ... BetaFTPD :D

I'll package things up sometime this weekend. (going hiking with the kids right now)
Mandriva LE 2005 user and puppy newbie

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#37 Post by papaschtroumpf »

Latest version uploaded in the top post. Help file is a much improved html file.
Flash, I think this one is now ready for indexing.
Will upload the source in a bit.
Mandriva LE 2005 user and puppy newbie

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#38 Post by Flash »

papaschtroumpf wrote: Latest version uploaded in the top post <snip>
Flash, I think this one is now ready for indexing.
<snip>
Done. The index entry is linked to the first post in this thread. Let me know if you think it should be done differently.
And thanks for taking the trouble to write some documentation.

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#39 Post by papaschtroumpf »

the top post is always getting updated with the latest code and comments.
I always do an "update new version" upload so that the download file number doesn't change.
Mandriva LE 2005 user and puppy newbie

papaschtroumpf
Posts: 250
Joined: Fri 17 Jun 2005, 04:23

#40 Post by papaschtroumpf »

my apologies to anyone that downloaded since I posted the last version. I didn't test it on a "pristine" system and it appeared to work fine when in fact the help files were broken.
I have uploaded a new version (but still called pup-4, maybe it wasn't that smart) where the help files are fixed. You can now use man or the help button to get help.
sorry about that.

report any further problems here.
Mandriva LE 2005 user and puppy newbie
