Noticed some errors in the FAQ and in mailings (mainly with bigcrypt, NOT
BICRYPT) so I thought I would send out an update.
Subject: SUMMARY: Wu-ftp, Digital Unix, Enhanced C2 Security
Digital Unix (The Unix Formerly Known As OSF/1) with Enhanced C2 security.
To compile wu-ftp, make the following changes:
Add these lines to ./src/config/config.osf :
#define SecureWare
#include <sys/secdefines.h>
#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
*** NOTE: prot.h might complain about not being able to find acl.h.
If so, edit prot.h to use the full path to acl.h
(/usr/sys/include/sys/acl.h).
*** NOTICE: This change will probably not survive OS upgrades...
MAKE NOTE IN SYSTEM LOG!!!
and add the following to ./src/makefiles/Makefile.osf
LIBES = -lsupport -lsecurity -laud
And change all occurrences of crypt() to bigcrypt() (**not bicrypt**);
they are found in ftpd.c and private.c.
This change is needed to support passwords over 8 characters: the standard
crypt() only looks at the first 8 characters of a password, bigcrypt() does not.
If not supporting Anonymous ftp, you are done!
FOR ANONYMOUS FTP:
1) Use the addgrp command to add a new group to the /etc/group file.
Call the group anonftp.
2) Add a user ftp using adduser, or the X-Window User interface
(/usr/bin/X11/dxaccounts).
***NOTE*** You cannot edit the passwd file directly under C2
enhanced security. It has something to do with the
security database initialization.
This user should belong to group anonftp ONLY. The home directory
points to the area which will be served anonymously.
IMPORTANT:
* Login SHELL for the Anonymous FTP account should be
/dev/null or /bin/false
* The password doesn't really matter, but to be safe, just
let the system choose one. (No one should be logging in
with the account, and won't once you disable it)
* Either with dxaccounts, or usermod, LOCK the account
to disable logins. Under normal security you could just
put a * in the password file and deny logins; when running
C2, the only way I found how to do this was locking it
down.
3) Create the ftp home directory, then go to the home directory you
created above and change the ownership to root, not writable
by anyone.
4) Create a bin directory under the ftp home, owner root, not writable
by anyone.
5) Copy the ls program to bin. Note: copy /sbin/ls (the statically
linked version, not /usr/bin/ls), since the anonymous ftp area is
chrooted and contains no shared libraries. chmod this file to 111.
6) Create an etc directory, owner root, not writable by anyone.
7) Create a pub directory, owner root, chmod 755.
8) In ftp_home/etc you need a group file and a passwd file:
The passwd and group files for the ~ftp/etc directory should only
contain minimal information. DO NOT COPY YOUR REAL PASSWD and GROUP
files to this directory, as it exposes sensitive information about
your system.
A good start would be the following for passwd:
ftp:*:500:1:Anonymous FTP:/users/ftp:/bin/false
bin:*:2:2:::/bin/false
root:*:0:3::/:/bin/false
For group:
users:*:1:
bin:*:2:
other:*:3:
anonftp:*:100:
chmod 444 on passwd and group in ~ftp/etc
9) In ftp_home/etc create a directory sia, then chmod 555 sia
Copy into this directory /etc/sia/matrix.conf and
/etc/sia/siainitgood.
cd ~ftp/etc/sia
chmod 444 matrix.conf
chmod 400 siainitgood
--------------------------------------------
Here are some recommended permissions under ~ftp:
file               owner  mode
------------------------------
~ftp               root   555
~ftp/bin           root   555
~ftp/bin/ls        root   111
~ftp/etc           root   555
~ftp/etc/passwd    root   444
~ftp/etc/group     root   444
~ftp/pub           root   755
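As an added example (not from the original post), a small POSIX sh script that lays out the ~ftp tree with the modes from the table above and steps 8 and 9, then audits it, including the step 8 warning that ~ftp/etc/passwd must never be a copy of the real one. It assumes GNU stat for the mode and owner queries, chowns to root only when run as root, and leaves ls, matrix.conf and siainitgood as empty placeholders for you to copy over.

```shell
# Relative path:mode pairs, from the permissions table and steps 8 and 9.
FTP_SPEC='.:555 bin:555 bin/ls:111 etc:555 etc/passwd:444 etc/group:444
etc/sia:555 etc/sia/matrix.conf:444 etc/sia/siainitgood:400 pub:755'

# build_ftp_tree FTPHOME: lay out the tree with empty placeholder files (ls,
# matrix.conf and siainitgood must still be copied in), then apply the modes
# in a second pass so a 555 parent does not block creating its children.
build_ftp_tree() {
    home=$1
    for spec in $FTP_SPEC; do
        case "${spec%:*}" in
            bin/ls|etc/passwd|etc/group|etc/sia/*) : >"$home/${spec%:*}" ;;
            *) mkdir -p "$home/${spec%:*}" ;;
        esac
    done
    for spec in $FTP_SPEC; do
        chmod "${spec#*:}" "$home/${spec%:*}" || return 1
        if [ "$(id -u)" -eq 0 ]; then chown root "$home/${spec%:*}"; fi
    done
}

# check_ftp_tree FTPHOME: print one line per problem, return the problem count.
# Assumes GNU stat for the -c '%a' (octal mode) and '%U' (owner) queries.
check_ftp_tree() {
    home=$1; bad=0
    for spec in $FTP_SPEC; do
        rel=${spec%:*}; want=${spec#*:}
        if [ ! -e "$home/$rel" ]; then echo "missing: $rel"; bad=$((bad+1)); continue; fi
        mode=$(stat -c '%a' "$home/$rel")
        [ "$mode" = "$want" ] || { echo "mode $mode, want $want: $rel"; bad=$((bad+1)); }
        if [ "$(id -u)" -eq 0 ] && [ "$(stat -c '%U' "$home/$rel")" != root ]; then
            echo "owner not root: $rel"; bad=$((bad+1))
        fi
    done
    # The served passwd must not be the real one and must hold no hashes:
    # every second field should be "*".
    cmp -s /etc/passwd "$home/etc/passwd" && { echo "etc/passwd is the real one"; bad=$((bad+1)); }
    awk -F: 'NF && $2 != "*" { h=1 } END { exit !h }' "$home/etc/passwd" 2>/dev/null &&
        { echo "etc/passwd has a non-'*' password field"; bad=$((bad+1)); }
    return $bad
}
```

Run `build_ftp_tree /users/ftp` as root, copy in the real ls, matrix.conf and siainitgood plus the minimal passwd and group files, and rerun `check_ftp_tree /users/ftp` after every OS upgrade.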
That should do it..
Mike Downs
downs_at_titan.ksc.nasa.gov
Received on Mon Mar 10 1997 - 14:50:56 NZDT