Configuring for Anonymous Users

By providing your server with anonymous guest access, you can allow remote clients access to your server without having explicit account privileges already present on the server machine.

Traditionally for UNIX FTP servers, you setup "ftp" as a user account on your system. When FTP client programs connect to your server, they use "anonymous" as the username, and their e-mail address as their password. Typically, after logging in, anonymous users then can access the contents of the ftp user's home directory.

Creating the anonymous FTP user, "ftp"

The first thing to do is ensure that you have an ftp user in your /etc/passwd file. The important thing about that entry is that it gives the server a UID to run as during anonymous logins.

If there is not already an ftp user, add one. The password is not important because no one can really login as a normal user as ftp. If you can, set it so the encrypted password is just a star, because it is impossible for an encrypted password to generate a string containing a star. Here's an ftp entry to illustrate:

Otherwise, make up some impossible-to-guess password for it. The shell should also be set to something other than a real shell, such as /bin/false.

Note: You need the ftp user, and its home directory even if you don't plan to offer anonymous FTP service.
Preparing the Anonymous FTP Area

Create the anonymous FTP hierarchy. Most of the time you will just use the home directory for the ftp user, but you do not have to use that directory. No matter what directory you choose, we will denote the anonymous FTP hierarchy as ~ftp.

The ~ftp directory should not be owned by ftp, but by root and have mode 755 (drwxr-xr-x). Any subdirectories you don't want people removing should not be owned by the ftp user.

That is usually all that NcFTPd requires of the ~ftp hierarchy. Other FTP servers require a ~ftp/bin/ls and a ~ftp/etc/passwd, libraries, etctera, but NcFTPd does not need those.

Copy files and directories you want accessible to the outside world into the anonymous FTP hierarchy. Avoid using symbolic links because the server does a chroot to the ~ftp directory, and if a link points outside of the anonymous tree the link will be invalid.

Configuration File Options

To enable anonymous user logins, you need to have NcFTPd configured so that the option server-type is set to all-users (if you want both anonymous and non-anonymous users) or anonymous-only. Like all options, this should be set appropriately for each domain in the file.

Another option that can be set is ftp-home. The default directory tree that is used when a user logs in anonymously is the ftp user's home directory, but if you have multiple domains in your file you can use this option to have each domain have a different anonymous FTP root, rather than sharing the same directory tree for all domains.

The option a-write-permission option specifies whether anonymous users can create, modify, or delete files in the anonymous FTP area. If this option is enabled, then users will be denied no matter what the permissions on the files and directories are (with one exception, mentioned next). By default, this option is set to no for security reasons, because generally it is a system administration error if anonymous users can make modifications.

Configuration for "incoming" directories

The option a-allow-incoming option enables or disables a special feature called "incoming" directories. These directories serve as drop boxes for anonymous users to place files, and are handled as a special case by NcFTPd. For security reasons, it is desirable to have anonymous users be able to save files into an incoming directory, but not be able to download or delete files from them (otherwise people can use your server as a haven for trading pirated software, music, etcetera).

If you enable this option, create a directory named incoming anywhere in ~ftp (and chmod 777 it) and it will be handled as a dropbox which users can upload into but not download from or modify existing items within. Even though the permissions on your incoming directory are wide open, users are still restricted as noted, however, if you do not want the directory to be listable you can chmod 733 the directory instead.

It is important to note that incoming directories are the lone exception to the protections provided by a-write-permission. This allows you to set a-write-permission=no and only allow uploads to incoming directories. No other modifications will be allowed anywhere else in ~ftp even if you make a mistake and leave a directory or file writable.

Additional Options

There are additional configuration options pertaining directly to anonymous users. These options are usually prefixed with "a-" and are documented with the complete list of configuration options.

back home next