Date: Thu, 12 Feb 1998 04:41:17 -0500 (EST)
Subject: wu-ftpd configuration questions

Hi all. I have a working installation of wuftpd-beta16 and there are a
few questions I had about configuring it. This is mostly under a Linux
system, but Solaris needs to be considered as well, but that shouldn't be
a problem, since these are primarily configuration questions.

1. How exactly do I use the 'class' directive? The example from the
stock configuration is:

    class local real,guest *.domain 0.0.0.0

which I interpret to mean the host must have a DNS entry in order to
connect. Correct? And 0.0.0.0 would be the default address perhaps? What
classifies a user as a remote user, versus a local user? Some internal
users don't have reverse DNS entries, yet I don't want to allow anyone
from the outside to access the machine that doesn't have a reverse DNS
entry. Is this possible?

2. There may eventually be as many as 500 users on this machine, all in
the guestgroup. Is there any concept of multiple guestgroups? I was
thinking it might be beneficial to have a format similar to /etc/group,
if for nothing else than to be descriptive. Also, I'll have to check how
the guestgroup string length limit is set...

3. I'd also like real users to be able to ftp to the box. I'm concerned,
though, that someone might use a real account to compromise the box. How
can I put some sort of restrictions on real user usage? Perhaps from
specific IP/domains?

4. I'd like to implement password aging. Do we still use chage for that?
What if we're not using shadow, but rather pam? Any tips on some sort of
pre-change warning system?

5. Regarding the 'upload' directive. I found it is necessary to
specify a user/group name in order to take advantage of the permissions
and dirs/nodirs feature. I'm using the umask setting in inetd.conf
currently.

Many of the directories are shared by multiple people, and are owned by
root, and a group name of all the users in that particular group. sgid is
also set on the directory.

So my problem is I can't restrict some groups from creating directories,
while allowing others to be able to do so. I would have to list the home
directory for each group in /etc/ftpaccess, which could eventually lead to
more than 500 entries. How much coding change would be necessary, if any,
to do something like:

    # format: <home> <path> <write> <owner> <group> <perms> <dirs|nodirs>
    upload /home/ftp /home/* yes * * 0444 dirs

or some other format to signify 'everyone' that writes to that directory
is allowed to create directories with 0444 permissions? It would simply use
the existing operating system permissions already specified for that
particular directory. I hope that's clear.

Thanks,
Dave Wreski