Running Linux, 5th Edition
by Matt Welsh. Published by O'Reilly Media, Inc., 2005

Configuration

Getting Started

Both the RPM and tarball installations provide a default configuration with a read-only anonymous FTP area and full regular access to users on the system. This is a good starting point if all you want is to offer anonymous FTP access.

The configuration file for ProFTPD is /etc/proftpd.conf or $prefix/etc/proftpd.conf if installed from source. The anonymous FTP users are chroot()ed into the home directory of the FTP user, often something like /srv/ftp/.

proftpd.conf contains a number of configuration directives. A reference of all directives can be found at http://www.proftpd.org/docs/directives/configuration_full.html. The configuration file is divided up into a number of contexts, each dealing with its own aspect of ProFTPD:

Main server

The part of the configuration file that is not inside any other context. This is used for global server settings and is typically found at the beginning of the file.

<Anonymous>

This context is used for configuration details for an anonymous FTP server. By default, ProFTPD will allow anonymous access without a password and chroot() to the FTP directory.

<Directory>

This context is used to specify configuration details on a per-directory basis. This is typically used to limit or give access.

<Limit>

This context is used to control access to FTP commands and groups of FTP commands based on which user is trying to use them.

<Global>

This context is used with virtual hosting (i.e., having ProFTPD serving on multiple interfaces with different configurations). Directives in this context are used as if they were in the main server context, with the exception that they can be overridden by any <VirtualHost> context.

<VirtualHost>

With <VirtualHost> contexts it is possible to create independent sets of configurations for different network interfaces and ports.

The following sections present two example configurations for ProFTPD: a basic Unix FTP server setup and a more advanced one in which ProFTPD is using its own user database.

Basic Configuration

The example configuration provides us with both an anonymous access area and access to the whole filesystem for regular users:

ServerName      "ProFTPD Default Installation"
ServerType      standalone

ServerName specifies the banner text that the user sees when accessing the server. ServerType can be either standalone or inetd and specifies whether ProFTPD is listening for incoming connections by itself or is being run from (x)inetd.

DefaultServer                   on
Port                            21

DefaultServer on means that our server configuration applies to all interfaces of the host, and Port specifies the port ProFTPD listens on (port 21 is the standard FTP port):

Umask                           022
MaxInstances                    30
User                            nobody
Group                           nogroup
AllowOverwrite                  on
<Limit SITE_CHMOD>
DenyAll
</Limit>

Umask is equivalent to the umask setting in the shell. MaxInstances is the upper limit on concurrent ProFTPD child processes; this limits the number of simultaneous users to 30. User and Group specify the user and group ProFTPD will run under when not doing privileged operations or running with the privileges of an authenticated user. AllowOverwrite on means that users are allowed to overwrite writable files. The <Limit> section blocks everybody from using the site chmod command.

<Anonymous ~ftp>
User                          ftp
Group                         ftp
UserAlias                     anonymous ftp
MaxClients                    10
DisplayLogin                  welcome.msg
DisplayFirstChdir             .message
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>

This part of the configuration file sets up a read-only anonymous FTP in the FTP user’s home directory (often /srv/ftp) running as user ftp, with a maximum of 10 simultaneous users. DisplayLogin welcome.msg will display the contents of the file welcome.msg as the login banner, and DisplayFirstChdir .message will display the contents of the file .message in the current directory when the user first cds into it.

Advanced Configuration

Here we look at a more complex setup in which the users allowed to log in to the FTP server are not taken from the regular Unix user database, but instead from a passwd file exclusive to ProFTPD. In addition, we provide limited anonymous access.

The proftpd.conf file looks like this:

ServerName                        "Acme ftp server"
ServerType                        standalone
DefaultServer                     on
ServerIdent on                    "FTP Server ready."
UseReverseDNS                     off
IdentLookups                      off
DeferWelcome                      on
Port                              21
MaxInstances                      30
User                              ftp
Group                             nogroup
Umask                             022

<Limit LOGIN>
   Order Deny,Allow
   AllowGroup ftpusers
</Limit>

AuthPAM off
AuthUserFile /etc/proftpd.passwd
AuthGroupFile /etc/proftpd.group
RequireValidShell off
DefaultRoot ~
DirFakeUser on ~
DirFakeGroup on ~

DisplayLogin                     welcome.msg
DisplayFirstChdir                .message

TransferLog        /var/log/xferlog

ScoreboardFile /var/lib/proftpd/scoreFile

<Directory />
  AllowOverwrite                on
</Directory>

<Anonymous /srv/ftp/anonymous>
  User                           ftp
  Group                          ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                        anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients                     15
  <Limit LOGIN>
    AllowAll
  </Limit>
  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
  TransferRate RETR 40.0:1024
</Anonymous>

<Directory /srv/ftp/joe/upload>
  <Limit WRITE STOR DEL>
        AllowAll
  </Limit>
</Directory>

Let us first have a look at how users are handled. FTP is an old protocol that sends passwords unencrypted over the wire, so it is desirable to separate users with “real” accounts from users with FTP-only accounts. To do this, we use two configuration directives,

AuthUserFile /etc/proftpd.passwd
AuthGroupFile /etc/proftpd.group

to point ProFTPD at alternative passwd and group files. The format is the same as the regular Linux /etc/passwd and /etc/group files. The contents of /etc/proftpd.passwd for testing purposes are as follows:

joe:$1$KdLsLL1G$LNGq21xp9l/4vhF/l/0N1.:20000:20000:Joe User:/srv/ftp/joe:

The password is “qwerty” in cleartext and is hashed using the ftpasswd utility that can be found in the contrib directory in the ProFTPD tarball. /etc/proftpd.group contains only a single line:

ftpusers:x:20000:

This is used in conjunction with the

<Limit LOGIN>
Order Deny,Allow
AllowGroup ftpusers
</Limit>

section in the configuration file to block regular users from logging in and to allow only members of our special group ftpusers to log in. Notice that this is not the same as the legacy file /etc/ftpusers, which can be used for listing system users who are not allowed to use FTP. The documentation states that the file specified in AuthUserFile replaces the system /etc/passwd file, but this seems not to be the case currently — hence the special group to only allow users listed in our alternative passwd file.

It is possible to have multiple users in /etc/proftpd.passwd with the same Unix numeric user ID. This is useful if you want to provide FTP access for a huge number of users without running out of user IDs. To make files appear to be owned by the currently authenticated user and group, we put in the:

DirFakeUser on ~
DirFakeGroup on ~

directives. This is only for cosmetic purposes to give users the nice fuzzy feeling that they in fact own their files. The ScoreboardFile directive specifies the location of the file used for runtime session information. This file is required for utilities such as ftpwho and ftpcount to work. This completes the main server configuration.
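The following Python is an added example, not code from the book or from ProFTPD: it parses files in the AuthUserFile and AuthGroupFile formats described above and reports which users the <Limit LOGIN> AllowGroup ftpusers rule admits (by primary GID or by explicit membership), together with empty password fields and shared numeric UIDs. joe's line is the chapter's; the other entries, ann's placeholder hash and the function names are constructed.

```python
# Added example (not from the book): cross-check a ProFTPD AuthUserFile against its
# AuthGroupFile to see who the chapter's <Limit LOGIN> AllowGroup ftpusers rule lets in.
from typing import Dict, List, NamedTuple, Set, Tuple
class PwEntry(NamedTuple):
    name: str
    pw_hash: str
    uid: int
    gid: int
    home: str

def parse_passwd(text: str) -> List[PwEntry]:
    """passwd(5) lines: name:hash:uid:gid:gecos:home:shell (the format ProFTPD reads)."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PwEntry(f[0], f[1], int(f[2]), int(f[3]), f[5]))
    return entries

def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """group(5) lines: name:x:gid:member1,member2 -> {name: (gid, members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def allowed_logins(passwd_text: str, group_text: str, group: str = "ftpusers") -> List[str]:
    """Users AllowGroup <group> matches: primary GID equals the group's, or listed as a member."""
    groups = parse_group(group_text)
    if group not in groups:
        return []
    gid, members = groups[group]
    return sorted(e.name for e in parse_passwd(passwd_text)
                  if e.gid == gid or e.name in members)

def audit_passwd(passwd_text: str) -> List[str]:
    """Flag empty password fields and shared UIDs (the latter is allowed, see DirFakeUser)."""
    entries = parse_passwd(passwd_text)
    findings = [f"{e.name}: empty password field" for e in entries if not e.pw_hash]
    by_uid: Dict[int, List[str]] = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
    findings += [f"uid {uid} shared by {', '.join(n)}" for uid, n in by_uid.items() if len(n) > 1]
    return findings

# Constructed sample files: joe's line is from the chapter; ann, bob and ann's placeholder hash are made up.
PASSWD = """\
joe:$1$KdLsLL1G$LNGq21xp9l/4vhF/l/0N1.:20000:20000:Joe User:/srv/ftp/joe:
ann:$1$PLACEHOLDER$notarealhash:20000:20000:Ann Other:/srv/ftp/ann:
bob::20001:20001:Bob Builder:/srv/ftp/bob:
"""
GROUP = "ftpusers:x:20000:bob\nstaff:x:20001:\n"
```

bob is admitted through explicit membership rather than primary GID, which is exactly the entry the empty-password finding points at.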

The next part of the config file is a read-only <Anonymous> context for users anonymous and ftp in /srv/ftp/anonymous, with a maximum of 15 concurrent users. There is also a download rate limit specified by the TransferRate RETR 40.0:1024 directive. The numbers mean that the download rate is limited to 40 KB per second for all files larger than 1 KB.

The last context of the config file specifies a writable directory /upload for the user joe. By default nothing is writable for any user because of the <Limit WRITE> directive in the main server context, so user joe is granted the special privilege to be allowed to upload files to his upload directory.

Virtual Hosts

ProFTPD supports virtual hosting via the <VirtualHost> context. The FTP protocol unfortunately does not support host-based virtual hosting, unlike, for example, HTTP, but it is still possible to serve different ports or network interfaces with different configurations. All this will, of course, only work if ProFTPD is run in standalone mode; if run from inetd, the ports and interfaces that are listened to are in the hands of inetd and not ProFTPD.

Let’s look at an example with a few virtual hosts configured:

ServerName         "Acme FTP Server"
ServerType         standalone

### Main server config
# Set the user and group that the server normally runs at.
User               nobody
Group              nogroup
MaxInstances       30

# Global creates a "global" configuration that is shared by the
# main server and all virtualhosts.

<Global>
  # Umask 022 is a good standard umask
  # to prevent new dirs and files
  # from being group and world writable.
  Umask            022
</Global>

### Virtual server running on our internal interface
<VirtualHost 127.0.0.1>
  ServerName  "Acme Internal FTP"
  MaxClients       10
  DeferWelcome     on
  <Limit LOGIN>
    DenyAll
  </Limit>
  <Anonymous /srv/ftp/anonymous-internal>
    User           ftp
    Group          ftp
    AnonRequirePassword  off
    # We want clients to be able to login
    # with "anonymous" as well as "ftp"
    UserAlias      anonymous ftp
    <Limit LOGIN>
      AllowAll
    </Limit>
    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE>
      DenyAll
    </Limit>
  </Anonymous>
</VirtualHost>

### Another virtual host on port 4000
<VirtualHost 192.168.1.5>
  ServerName  "Acme Internal FTP upload"
  Port             4000
  MaxClients       10
  MaxLoginAttempts 1
  DeferWelcome     on
  <Limit LOGIN>
    DenyAll
  </Limit>
  <Anonymous /srv/ftp/anonymous-upload>
    User           ftp
    Group          ftp
    AnonRequirePassword  off
    # We want clients to be able to login with
    # "anonymous" as well as "ftp"
    UserAlias      anonymous ftp
    <Limit LOGIN>
      AllowAll
    </Limit>
    # We only allow upload
    <Limit STOR CWD XCWD>
      AllowAll
    </Limit>
    <Limit READ DELE MKD RMD XMKD XRMD>
      DenyAll
    </Limit>
  </Anonymous>
</VirtualHost>

The example is a pretty standard main server that allows Unix users access to the filesystem. The interesting parts are the two <VirtualHost> sections. The first one is an anonymous-only server listening to the localhost (127.0.0.1) interface (not particularly useful, I admit), and the second one is an anonymous-only, write-only server listening to port 4000 on the 192.168.1.5 interface.
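As an added example (not from the book or the ProFTPD project), the following Python parses the <Context> nesting used throughout these configurations, <VirtualHost>, <Anonymous> and <Limit> blocks included, and checks the two points the chapter keeps returning to: that anonymous areas deny WRITE and that regular users are jailed by DefaultRoot. The context names and directive semantics come from this chapter; the class and function names and the trimmed sample input are constructed.

```python
# Added example (not from the book or ProFTPD): parse proftpd.conf's <Context arg> ... </Context>
# nesting and check that anonymous areas deny WRITE and that the main server sets DefaultRoot.
import re
OPEN_RE = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")

class Context:
    def __init__(self, name, arg="", parent=None):
        self.name, self.arg, self.parent = name, arg, parent
        self.directives, self.children = [], []   # (name, argument) pairs; nested contexts

def parse_conf(text):
    root = cur = Context("MainServer")         # root stands for the main server context
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comment lines
            continue
        if m := OPEN_RE.match(line):
            cur = Context(m.group(1), m.group(2) or "", cur)
            cur.parent.children.append(cur)
        elif m := CLOSE_RE.match(line):
            if m.group(1) != cur.name:
                raise ValueError(f"</{m.group(1)}> closes <{cur.name}>")
            cur = cur.parent
        else:
            parts = line.split(None, 1)
            cur.directives.append((parts[0], parts[1] if len(parts) > 1 else ""))
    if cur is not root:
        raise ValueError(f"unclosed <{cur.name}>")
    return root

def has_directive(ctx, name):
    return any(d.lower() == name.lower() for d, _ in ctx.directives)

def denies_write(ctx):
    # True if ctx holds a <Limit ...> naming WRITE whose body is DenyAll
    return any(c.name == "Limit" and "WRITE" in c.arg.split()
               and has_directive(c, "DenyAll") for c in ctx.children)

def audit(text):
    root = parse_conf(text)
    findings, stack = [], [root]
    while stack:                               # walk every context, VirtualHosts included
        ctx = stack.pop()
        stack.extend(ctx.children)
        if ctx.name == "Anonymous" and not denies_write(ctx):
            findings.append(f"<Anonymous {ctx.arg}>: WRITE not denied (anonymous upload possible)")
    if not has_directive(root, "DefaultRoot"):
        findings.append("main server: no DefaultRoot, regular users see the whole filesystem")
    return findings

# Constructed sample input: the chapter's basic configuration, trimmed to its contexts.
BASIC_CONF = ('ServerName "ProFTPD Default Installation"\nServerType standalone\n'
              '<Anonymous ~ftp>\n<Limit WRITE>\nDenyAll\n</Limit>\n</Anonymous>\n')
```

Run against the port-4000 upload host above, audit() flags its <Anonymous> block, which is the intended write-only area but is exactly the kind of context an administrator wants listed for review.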