Copyright © 2000 Jonathan Singer
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
kwuftpd is a KDE front-end to editing wu-ftpd's ftpaccess files.
UNIX® operating systems are perhaps best known for their role in running servers. It can be difficult, however, for users to configure the files necessary to manage those services. At the same time, many distributors overcompensate for that difficulty by shipping systems that default to dangerously open configurations.
kwuftpd is a KDE front-end to editing wu-ftpd's ftpaccess files. kwuftpd was originally written for BeroFTPD 1.2.1 and has been adapted to the version of wu-ftpd 2.6.1 found in Red Hat® Linux® 7.0. If you are using a newer version of wu-ftpd with more features, you'll have to update your kwuftpd (or edit ftpaccess by hand) to make use of them.
kwuftpd is still beta; you should make a backup copy of your ftpaccess file before editing it with kwuftpd.
kwuftpd was written by Bernhard Rosenkraenzer <bero@redhat.com> and is (c) 2000 Red Hat®, Inc.
Beyond the usual disclaimers that come with software (“We take no responsibility for anything bad that might happen.”), it should be pointed out that kwuftpd controls the ability of users to connect to your system and add, delete and modify files. Some things to keep in mind:
kwuftpd makes it easier to establish a secure server -- it does not guarantee it. There is a wealth of books, web sites and courses on network security and administrators should take advantage of them.
Examples given in this documentation are intended to show the operation of kwuftpd. They are not security recommendations and should not be treated as such.
Be sure to back up the /etc/ftpaccess file before modifying it with kwuftpd.
kwuftpd is only valuable on a system with a working FTP server. Setting up a server is beyond the scope of this document, but in a nutshell:
Procedure 2.1.
wu-ftpd or a similar FTP server must be installed. The anonftp package can also be helpful to enable anonymous FTP.
The /etc/inetd.conf file should contain a line like:
# ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
Uncomment the line by removing the # from the start of the line. If your system shipped with the line uncommented, treat it as a warning sign and comment out other services that you do not want. Restart inetd so that it re-reads /etc/inetd.conf. (Entering /etc/rc.d/init.d/inet restart at the command-line works on Red Hat® and similar systems.)
To launch kwuftpd, select System->FTPD Editor from the KDE menu, or type kwuftpd at the command-line. The standard Qt™ and KDE command-line options are available, and are displayed by typing kwuftpd --all.
kwuftpd often asks the user to distinguish between three types of users:
Anonymous: For use by anyone who can connect to the server, these users log in as ftp or anonymous and submit their email address as the password.
Guest: Users with FTP accounts in /etc/ftpusers but not full accounts on the system.
Real: Users with accounts on the system.
Open /etc/ftpaccess, the standard wu-ftpd configuration file, for editing.
Open a different file for editing. Useful if you want to experiment with a different file before committing your changes to /etc/ftpaccess.
Save changes to /etc/ftpaccess.
Save changes to a file to be specified.
Close kwuftpd.
Invokes the KDE Help system starting at the kwuftpd help pages (this document).
Changes the mouse cursor to a combination arrow and question mark. Clicking on items within kwuftpd will open a help window (if one exists for the particular item) explaining the item's function.
Opens the Bug report dialog where you can report a bug or request a “wishlist” feature.
This will display version and author information.
This displays the KDE version and other basic information.
The User Classes Panel
This panel allows you to create user classes for certain IP addresses or blocks of addresses and to control the privileges of those classes. For example, this enables you to allow anonymous or guest users greater than normal permissions when they log in from certain machines.
To create a new class, hit the Add Class button and, in the resulting dialog box, enter the name of the new class, the privilege levels that can belong to the class (more on this below) and the IP address for that class. A * character can be used to define a block of addresses. (For example, 127.0.0.* includes all local users.) When done, hit OK.
Back in the User Classes panel, you can select a class and modify its description and behavior. The IP address can be modified. The class can be defined to include anonymous, guest and/or real users from that address. Checking the Autogroup to box causes logins in the class to be assigned to the selected group and given its privileges.
The right side of the panel allows classes to be assigned limits on the number of simultaneous logins during specified times. You can also specify the message to be shown when the user limit is exceeded.
In the screenshot, real users logging in from 127.0.0.* are autogrouped to “jsinger” and only one user in that class is allowed at any time.
The Directories Panel
This panel allows you to specify the root directory for anonymous and guest users. (Real users see the real filesystem.) It also allows you to specify the password and shadow password files to be used. If no file is specified, the system file will be used by default.
In the screenshot, anonymous users see a filesystem rooted at /home/ftp/pub, while guest users have default access. Special FTP password files are used in place of the system files.
The Security Panel
This panel allows you to specify various security options. The Noretrieves window allows certain files or directories to be blocked from downloading. Hit the Add button and select the file to be blocked. Select an entry and hit Remove to take the file off the list.
Number of allowed failed logins causes connections to be closed after the specified number of login failures.
Checking Permit SITE GROUP allows users to change the group they belong to with the SITE GROUP command.
Permission to use the chmod, delete, overwrite, rename and umask commands can be extended or denied to anonymous, guest and/or real users.
Anonymous users are expected to supply their email address as a password. The degree of enforcement can be controlled.
There is no checking of the given password.
The password must contain an @ character.
The password must be in the form of a valid address.
If the Enforce box is checked, logins failing the test will be denied; otherwise a warning will be issued.
In the screenshot, the /bin and /sbin directories and the /etc/passwd file are blocked from downloads. Connections are dropped after 5 failures, SITE GROUP is forbidden, commands are forbidden to anonymous users and allowed for guest and real accounts. Anonymous users submitting non-RFC-compliant email addresses are warned.
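The Security panel settings end up as plain directives in the ftpaccess file, so a saved file can be reviewed without the GUI. The following is an added example, not part of kwuftpd or of the original documentation: a small audit over the directives this panel controls. The directive names (noretrieve, loginfails, private, passwd-check and the per-command lines) are those of wu-ftpd's ftpaccess format, which this page does not list, and the audit assumes wu-ftpd's documented default that chmod, delete, overwrite, rename and umask are allowed when no directive is present.

```python
# Added example (not kwuftpd code): audit of ftpaccess Security-panel directives.
import shlex

COMMANDS = ("chmod", "delete", "overwrite", "rename", "umask")
# Constructed sample based on the screenshot description; "rename" is left out
# on purpose to show the missing-directive case. Not a recommended configuration.
SAMPLE = """\
noretrieve /bin /sbin /etc/passwd
loginfails 5
private no
chmod no anonymous
delete no anonymous
overwrite no anonymous
umask no anonymous
passwd-check rfc822 warn
"""

def parse(text):
    """Return a list of (directive, [args]); blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            rules.append((tokens[0].lower(), tokens[1:]))
    return rules

def audit(text):
    """Return findings for settings the Security panel would let you tighten."""
    rules = parse(text)
    findings = []
    for cmd in COMMANDS:  # the typelist is comma-separated, e.g. anonymous,guest
        denied = any(d == cmd and a[:1] == ["no"] and
                     "anonymous" in ",".join(a[1:]).split(",") for d, a in rules)
        if not denied:
            findings.append(f"{cmd}: not denied to anonymous users")
    blocked = {p for d, a in rules if d == "noretrieve" for p in a}
    if "/etc/passwd" not in blocked:
        findings.append("noretrieve: /etc/passwd is downloadable")
    if not any(d == "loginfails" for d, _ in rules):
        findings.append("loginfails: no explicit limit set")
    for d, a in rules:
        if d == "passwd-check" and a[1:2] != ["enforce"]:
            findings.append("passwd-check: failures only warned, not refused")
        if d == "private" and a[:1] == ["yes"]:
            findings.append("private: SITE GROUP is permitted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against a copy of /etc/ftpaccess saved from kwuftpd, the findings show which panel settings were left at their defaults.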
The Messages Panel
This panel allows you to specify messages to be shown to the logged-in user.
Select a file for the banner to be displayed on connection (before login). Some extremely old FTP clients may be confused by a banner.
The hostname can be specified. This will be reported to the user upon login, and can also be inserted in other messages (as %L). If no hostname is given, the real hostname will be used.
Similarly, an administrator email address can be defined for insertion in messages (as %E).
Check the boxes to cause messages and READMEs to be shown to the user every time the triggering event (explained below) occurs; otherwise they will only be shown the first time.
Hit the Add Message button to indicate text to be displayed to the user. You will be prompted for the location of the text file, whether it will be displayed on login or on change to a specified directory and whether it will be displayed for all user classes or particular ones.
Similarly, the user can be notified of README files upon login or change to a directory.
In the screenshot, the text in /home/ftp/welcome.txt will be displayed on connection. The hostname camelot and the admin address <jsinger@leeta.net> will be inserted in messages but no messages or READMEs have been defined yet.
The Logging Panel
This panel allows you to control what activities will be logged (to /var/log/xferlog). Anonymous, guest and real users can have different events logged, including issued commands, uploads, downloads and security violations (like login failures).
Checking Redirect log to syslog sends the log entries to the system log instead of the FTP log.
Mail can be sent to the administrator when files are uploaded. The From: address of the mails, the mail server and the administrator's email address can be specified.
In the screenshot, all commands and transfers are logged, as are security violations by real users. Uploads are signalled by a message to “admin” from “Upload Notice” sent through the default mail server.
The Ratios Panel
This panel allows you to restrict the usage of anonymous and guest users. Each of these restrictions can be applied to anonymous or guest users.
For example, setting this to 1:5 requires users to upload 1 megabyte of data for each 5 megabytes downloaded. Setting this to an optimum value is key to your success as an aspiring w4r3z kiddi3.
Allow users to connect for this amount of time.
Set the maximum number of bytes that can be uploaded per session.
Set the maximum number of bytes that can be downloaded per session.
Files and directories can be exempted from upload and download limits.
In the screenshot, ratios are off, anonymous users are allowed 15 minutes and 10 megabytes of downloads per connection.
The Uploads Panel
This panel allows you to control where and how users are allowed to upload files. Hit Add to create a new rule set, Edit to modify the selected set and Delete to remove the selected set.
Each set applies to users with a specified root directory and affects a specified upload directory. The upload directory may be globbed (for example, /home/ftp/upload/* includes all contents of /home/ftp/upload).
Uploads can be permitted or denied, and the permissions of the created files and their owner and group can be set. The ability to create new directories within the existing directory can be granted or denied.
The Virtual Hosts Panel
The following items can be specified for each address:
What the logged-in user sees as the filesystem root (/).
A file whose contents will be displayed to the user upon connection. The file location is relative to the root set above.
Transfers will be logged to this file.
An alternate password file can be specified. Otherwise the system password file will be used.
An alternate shadow password file can be specified. Otherwise the system shadow password file will be used.
The hostname displayed upon login and inserted as %L in message files.
The email address to be inserted as %E in message files.
Anonymous logins can be allowed or denied.
Real users can be allowed or denied access to the virtual server. Specific users can also be allowed or denied access.
In the screenshot, the virtual host 211.22.55.114 has a filesystem rooted at /home/ftp/virtual on the real system. It uses separate password and shadow password files in /home/ftp, displays the hostname ganesh and the admin address “root” and allows anonymous logins and logins from all real users.
kwuftpd
Application written by Bernhard Rosenkraenzer <bero@redhat.com>, and is copyright 2000 Red Hat®, Inc.
Documentation copyright 2000 by Jonathan Singer <jsinger@leeta.net>.
This documentation is licensed under the terms of the GNU Free Documentation License.
This program is licensed under the terms of the GNU General Public License.
kwuftpd is part of the KDE project http://www.kde.org/.
kwuftpd can be found in the kdeadmin package on ftp://ftp.kde.org/pub/kde/, the main FTP site of the KDE project.
To obtain kwuftpd separately, it is part of the kdeadmin package, and should be compiled and installed as indicated in the package's main directory. New versions of kdeadmin can be obtained at ftp://ftp.kde.org/pub/.
In order to compile and install kwuftpd on your system, type the following in the base directory of the kwuftpd distribution:
% ./configure
% make
% make install
Since kwuftpd uses autoconf and automake you should have no trouble compiling it. Should you run into problems please report them to the KDE mailing lists.
You also require an ftpd that can handle the generated ftpaccess files - kwuftpd was written for wu-ftpd 2.6.1 (ftp://ftp.wu-ftpd.org/pub/wu-ftpd/). You can use the files with wu-ftpd 2.5.0 as well, but don't expect all the features to work.