Default permissions for ftp upload

Post 1 | Posted 2006-04-03 12:23
in.ftpd on Solaris 8 ...
Can the default for uploads be set to write only?
Thanks

Post 2 | Posted 2006-04-03 14:16
# man in.ftpd
Reformatting page.  Please Wait... done

Maintenance Commands                                  in.ftpd(1M)

NAME
     in.ftpd, ftpd - file transfer protocol server

SYNOPSIS
     in.ftpd [ -dl ]  [ -t timeout ]

DESCRIPTION
     in.ftpd is the Internet  File  Transfer  Protocol  (  FTP  )
     server process. The server is invoked by the Internet daemon
     inetd(1M) each time a connection to  the  FTP  service  (see
     services(4)) is made.

OPTIONS
     -d    Debugging information is logged to the system log dae-
           mon syslogd(1M).

     -l    Each FTP session is logged to the  system  log  daemon
           syslogd(1M).

     -t timeout
           Set the inactivity timeout period to timeout  seconds.
           The  FTP server will timeout an inactive session after
           15 minutes.

  Requests
     The  FTP  server  currently  supports  the   following   FTP
     requests; case is not distinguished.

     ABOR  abort previous command

     ACCT  specify account (ignored)

     ALLO  allocate storage (vacuously)

     APPE  append to a file

     CDUP  change to parent of current working directory

     CWD   change working directory

     DELE  delete a file

     HELP  give help information

     LIST  give list files in a directory (ls -lg)

     MKD   make a directory

     MODE  specify data transfer mode

     NLST  give name list of files in directory (ls)

SunOS 5.8            Last change: 8 Dec 1999                    1

     NOOP  do nothing

     PASS  specify password

     PASV  prepare for server-to-server transfer

     EPSV  extended passive command request

     LPSV  long passive command request

     PORT  specify data connection port

     EPRT  specify extended address for the transport connection

     LPRT  specify "long" address for the transport connection

     PWD   print the current working directory

     QUIT  terminate session

     RETR  retrieve a file

     RMD   remove a directory

     RNFR  specify rename-from file name

     RNTO  specify rename-to file name

     STOR  store a file

     STOU  store a file with a unique name

     STRU  specify data transfer structure

     TYPE  specify data transfer type

     USER  specify user name

     XCUP  change to parent of current working directory

     XCWD  change working directory

     XMKD  make a directory

     XPWD  print the current working directory

     XRMD  remove a directory

     The remaining FTP requests specified in RFC 959  are  recog-
     nized, but not implemented.

     The FTP server will abort an active file transfer only  when
     the ABOR command is preceded by a Telnet "Interrupt Process"
     (IP) signal and a Telnet "Synch" signal in the command  Tel-
     net  stream, as described in RFC 959.

     in.ftpd interprets file names according to the "globbing"
     conventions used by sh(1). This allows users to utilize the
     metacharacters: * ? [ ] { } ~

     in.ftpd's umask (which it uses to create files during PUT
     operations) may be adjusted by adding the line

          UMASK=nnn

     to  /etc/default/ftpd.

     The banner returned by in.ftpd in the parenthetical  portion
     of  its  greeting is configurable. The default is equivalent
     to "`uname -sr`" and will be used if no  banner  is  set  in
     /etc/default/ftpd. To set the banner, add a line of the form

     BANNER="..."

     to  /etc/default/ftpd.  Nonempty banner strings are  fed  to
     shells for evaluation.

     The default banner may also be obtained by

     BANNER="`uname -s` `uname -r`"

     and no banner will be printed if  /etc/default/ftpd contains

     BANNER=""

     in.ftpd authenticates users according to four rules.

     First, the user name must be  in  the  password  data  base,
     /etc/passwd,  and have a password that is not  NULL. A pass-
     word must always be provided by the client before  any  file
     operations  may  be performed. The PAM framework (see  SECU-
     RITY below) is used to verify that the correct password  was
     entered.

     Second, if the user name appears in the file  /etc/ftpusers,
     ftp   access  is  denied.  The  default  list  of  users  in
     /etc/ftpusers includes all of the accounts in passwd(4). See
     ftpusers(4).

     Third, ftp access is denied if the user's  shell  is  not  a
     shell listed in getusershell(3C).

     Fourth, if the user name is "anonymous" or "ftp",  an  entry
     for  the  user  name ftp must be present in the password and
     shadow files.  The  user  is  then  allowed  to  log  in  by
     specifying any password - by convention this is given as the
     user's e-mail address (such as  user@host.Sun.COM).  Do  not
     specify a valid shell in the password entry of the ftp user,
     and do not give it a valid password (use NP in the encrypted
     password field of the shadow file).

     For anonymous ftp users, in.ftpd takes special  measures  to
     restrict the client's access privileges. The server performs
     a chroot(2) command to the home directory of the "ftp" user.
     In  order that system security is not breached, it is recom-
     mended that the "ftp" subtree be constructed with care;  the
     following rules are suggested.

     ~ftp  Make the home directory owned by root  and  unwritable
           by anyone.

     ~ftp/bin
           Make this directory owned by the superuser and unwrit-
           able   by  anyone.   Make  this  a  symbolic  link  to
           ~ftp/usr/bin. The program ls(1) must be present to sup-
           port the list commands.  This program should have mode
           111.

     ~ftp/usr/lib
           Make this directory owned by the superuser and unwrit-
           able  by  anyone.  Copy the following shared libraries
           from /usr/lib into this directory:

                     ld.so.1*

                     libc.so.1*

                     libdl.so.1*

                     libmp.so.2*

                     libnsl.so.1*

                     libsocket.so.1*

                     nss_compat.so.1*

                     nss_dns.so.1*

                     nss_files.so.1*

                     nss_nis.so.1*

                     nss_nisplus.so.1*

                     nss_xfn.so.1*

                     straddr.so*

                     straddr.so.2*

     ~ftp/etc
           Make this directory owned by the superuser and unwrit-
           able  by  anyone.   Copies  of  the  files  passwd(4),
           group(4), and netconfig(4) must  be  present  for  the
           ls(1) command to work properly.  These files should be
           mode 444.

     ~ftp/pub
           Make this directory mode 755 and owned by root.  Users
           should then place files which are to be accessible via
           the anonymous account in this directory.

     ~ftp/dev
           Make this directory owned by the superuser and unwrit-
           able  by  anyone.   First perform ls -lL on the device
           files listed below to determine their major and  minor
           numbers,  then use mknod to create them in this direc-
           tory.

                     /dev/zero

                     /dev/tcp

                     /dev/udp

                     /dev/ticotsord

           Set the read and write mode on these nodes to 666 so
           that passive ftp will not fail with "permission denied"
           errors.

     ~ftp/usr/share/lib/zoneinfo
           Make  this  directory  mode  555  and  owned  by   the
           superuser.       Copy      its      contents      from
           /usr/share/lib/zoneinfo.  This  enables   ls   -l   to
           display time and date stamps correctly.

SECURITY
     in.ftpd uses pam(3PAM) for authentication,  account  manage-
     ment, and session management. The  PAM configuration policy,
     listed through /etc/pam.conf, specifies  the  module  to  be
     used  for  in.ftpd.  Here  is  a  partial pam.conf file with
     entries for the in.ftpd command using the  UNIX  authentica-
     tion, account management, and session management module.

     ftp      auth           required       /usr/lib/security/pam_unix.so.1
     ftp      account        required       /usr/lib/security/pam_unix.so.1
     ftp      session        required       /usr/lib/security/pam_unix.so.1

     If there are no  entries  for  the  ftp  service,  then  the
     entries  for the "other" service will be used. Unlike login,
     passwd, and other commands, the ftp protocol will only  sup-
     port  a single password. Using multiple modules will prevent
     in.ftpd from working properly.

USAGE
     The in.ftpd command is IPv6-enabled. See ip6(7P).

EXAMPLES
     Example 1: Setting Up An Anonymous Ftp

     To set up anonymous ftp, add  the  following  entry  to  the
     /etc/passwd file. In this example, /export/ftp was chosen to
     be the anonymous ftp area, and the shell is the non-existent
     file  /nosuchshell.  This  prevents users from logging in as
     the ftp user.

     ftp:30000:30000:Anonymous FTP:/export/ftp:/nosuchshell

     Add the following entry to the   /etc/shadow file:

     ftp:NP:6445::::::

     The following shell script sets up the anonymous  ftp  area.
     It presumes that names are resolved using NIS.

          #!/bin/sh
          # script to setup anonymous ftp area
          #

          # verify you are root
          /usr/bin/id | grep -w 'uid=0' >/dev/null 2>&1
          if [ "$?" != "0" ]; then
             echo
             exit 1
          fi

          # handle the optional command line argument
          case $# in

             # the default location for the anon ftp comes from the passwd file
             0) ftphome="`getent passwd ftp | cut -d: -f6`"
                ;;

             1) if [ "$1" = "start" ]; then
                   ftphome="`getent passwd ftp | cut -d: -f6`"
                else
                   ftphome=$1
                fi
                ;;

             *) echo "Usage: $0 [anon-ftp-root]"
                exit 1
                ;;
          esac

          if [ -z "${ftphome}" ]; then
             echo "$0: ftphome must be non-null"
             exit 2
          fi

          case ${ftphome} in
             /*) # ok
                 ;;

             *) echo "$0: ftphome must be an absolute pathname"
                exit 1
                ;;
          esac

          # This script assumes that ftphome is neither / nor /usr so ...
          if [ -z "${ftphome}" -o "${ftphome}" = "/" -o "${ftphome}" = "/usr" ]; then
             echo "$0: ftphome must be non-null and neither / or /usr"
             exit 2
          fi

          # If ftphome does not exist but parent does, create ftphome
          if [ ! -d ${ftphome} ]; then
              # lack of -p below is intentional
              mkdir ${ftphome}
          fi
          chown root ${ftphome}
          chmod 555 ${ftphome}

          echo Setting up anonymous ftp area ${ftphome}

          # Ensure that the /usr directory exists
          if [ ! -d ${ftphome}/usr ]; then
              mkdir -p ${ftphome}/usr
          fi
          # Now set the ownership and modes to match the man page
          chown root ${ftphome}/usr
          chmod 555 ${ftphome}/usr

          # Ensure that the /usr/bin directory exists
          if [ ! -d ${ftphome}/usr/bin ]; then
              mkdir -p ${ftphome}/usr/bin
          fi
          # Now set the ownership and modes to match the man page
          chown root ${ftphome}/usr/bin
          chmod 555 ${ftphome}/usr/bin

          # this may not be the right thing to do

Post 3 | Posted 2006-04-03 14:17

          # but we need the bin -> usr/bin link
          rm -f ${ftphome}/bin
          ln -s usr/bin ${ftphome}/bin

          # Ensure that the /usr/lib and /etc directories exist
          if [ ! -d ${ftphome}/usr/lib ]; then
              mkdir -p ${ftphome}/usr/lib
          fi
          chown root ${ftphome}/usr/lib
          chmod 555 ${ftphome}/usr/lib

          if [ ! -d ${ftphome}/usr/lib/security ]; then
              mkdir -p ${ftphome}/usr/lib/security
          fi
          chown root ${ftphome}/usr/lib/security
          chmod 555 ${ftphome}/usr/lib/security

          if [ ! -d ${ftphome}/etc ]; then
              mkdir -p ${ftphome}/etc
          fi
          chown root ${ftphome}/etc
          chmod 555 ${ftphome}/etc

          # a list of all the commands that should be copied to ${ftphome}/usr/bin
          # /usr/bin/ls is needed at a minimum.
          ftpcmd="
             /usr/bin/ls
          "

          # ${ftphome}/usr/lib needs to have all the libraries needed by the above
          # commands, plus the runtime linker, and some name service libraries

          # to resolve names. We just take all of them here.

          ftplib="`ldd $ftpcmd | nawk '$3 ~ /lib/ { print $3 }' | sort | uniq`"
          ftplib="$ftplib /usr/lib/nss_* /usr/lib/straddr* /usr/lib/libmp.so*"
          ftplib="$ftplib /usr/lib/libnsl.so.1 /usr/lib/libsocket.so.1 /usr/lib/ld.so.1"
          ftplib="`echo $ftplib | tr ' ' '\n' | sort | uniq`"

          cp ${ftplib} ${ftphome}/usr/lib
          chmod 555 ${ftphome}/usr/lib/*

          cp /usr/lib/security/* ${ftphome}/usr/lib/security
          chmod 555 ${ftphome}/usr/lib/security/*

          cp ${ftpcmd} ${ftphome}/usr/bin
          chmod 111 ${ftphome}/usr/bin/*

          # you also might want to have separate minimal versions of passwd and group
          cp /etc/passwd /etc/group /etc/netconfig /etc/pam.conf ${ftphome}/etc
          chmod 444 ${ftphome}/etc/*

          # need /etc/default/init for timezone to be correct
          if [ ! -d ${ftphome}/etc/default ]; then
             mkdir ${ftphome}/etc/default
          fi
          chown root ${ftphome}/etc/default
          chmod 555 ${ftphome}/etc/default
          cp /etc/default/init ${ftphome}/etc/default
          chmod 444 ${ftphome}/etc/default/init

          # Copy timezone database
          mkdir -p ${ftphome}/usr/share/lib/zoneinfo
          (cd ${ftphome}/usr/share/lib/zoneinfo
            (cd /usr/share/lib/zoneinfo; find . -print |
             cpio -o) 2>/dev/null | cpio -imdu 2>/dev/null
            find . -print | xargs chmod 555
            find . -print | xargs chown root
          )

          # Ensure that the /dev directory exists
          if [ ! -d ${ftphome}/dev ]; then
              mkdir -p ${ftphome}/dev
          fi

          # make device nodes. ticotsord and udp are necessary for
          # 'ls' to resolve NIS names.

          for device in zero tcp udp ticotsord ticlts
          do
             line=`ls -lL /dev/${device} | sed -e 's/,//'`
             major=`echo $line | awk '{print $5}'`
             minor=`echo $line | awk '{print $6}'`
             rm -f ${ftphome}/dev/${device}
             mknod ${ftphome}/dev/${device} c ${major} ${minor}
          done

         chmod 666 ${ftphome}/dev/*

          ## Now set the ownership and modes
          chown root ${ftphome}/dev
          chmod 555 ${ftphome}/dev

          # uncomment the below if you want a place for people to store things,
          # but beware the security implications
          #if [ ! -d ${ftphome}/pub ]; then
          #   mkdir -p ${ftphome}/pub
          #fi
          #chown root ${ftphome}/pub
          #chmod 1755 ${ftphome}/pub

     After running this script, edit the  files  in  ~ftp/etc  to
     make sure all non-public information is removed.

ATTRIBUTES
     See attributes (5) for descriptions of the following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsu                     |
    |_____________________________|_____________________________|

FILES
     /etc/default/ftpd

     /etc/ftpusers
           file listing users for whom ftp login  privileges  are
           disallowed.

SEE ALSO
     ftp(1), ld.so.1(1),  ls(1),  sh(1),  aset(1M),  inetd(1M),
     mknod(1M),   syslogd(1M),   chroot(2),  getsockopt(3SOCKET),
     pam(3PAM),  ftpusers(4),  group(4),  inetd.conf(4),  netcon-
     fig(4),   netrc(4),   pam.conf(4),  passwd(4),  services(4),
     attributes(5), pam_unix(5)

     Allman, M., Ostermann, S.,  and  Metz,  C.,  RFC  2428,  FTP
     Extensions for IPv6 and NATs, The Internet Society, 1998.

     Postel, Jon, and Joyce Reynolds,   RFC  959,  File  Transfer
     Protocol  (FTP  ),  Network Information Center, SRI Interna-
     tional, Menlo Park, Calif., October 1985.

     Piscitello, D., RFC 1639, FTP  Operation  Over  Big  Address
     Records (FOOBAR), Network Working Group, June 1994.

DIAGNOSTICS
     in.ftpd logs various errors to syslogd, with a facility code
     of daemon.

  Info Severity
     These messages are logged only if the -l flag is specified.

     FTPD: connection from host at time
           A connection was made to ftpd from the  host  host  at
           the date and time time.

     FTPD: User user timed out after timeout seconds at time
           The user user was logged out because they had not
           entered any commands after timeout seconds; the
           logout occurred at the date and time time.

  Debug Severity
     These messages are logged only if the -d flag is specified.

     FTPD: command: command
           A command line containing command was  read  from  the
           FTP client.

     lost connection
           The FTP client dropped the connection.

     <--- replycode

     <--- replycode-
           A reply was sent to the FTP client with the reply code
           replycode.  The  next  message logged will include the
           message associated with the reply.  If a - follows the
           reply code, the reply is continued on later lines.

NOTES
     The anonymous ftp account is inherently dangerous and should
     be avoided when possible.

     The name service caching daemon /usr/sbin/nscd may interfere
     with  some of the functionality of anonymous ftp. The sublo-
     gin feature does not work unless caching for  passwd is dis-
     abled in /etc/nscd.conf.

     The server must run as the superuser to create sockets  with
     privileged  port numbers.  It maintains an effective user id
     of the logged in user, reverting to the superuser only  when
     binding  addresses  to  sockets. The possible security holes
     have been extensively scrutinized, but are  possibly  incom-
     plete.

     The file /etc/ftpusers, which is now  included  as  part  of
     Solaris,  contains  a  list  of users  who cannot access the
     system; the default list of users in /etc/ftpusers  includes
     all of the accounts in passwd(4).  See ftpusers(4).
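
The ownership and mode rules the quoted man page lists for the anonymous ftp subtree can be checked on an existing tree. The script below is an added example, not part of the man page or of the original posts; `audit_anon_ftp`, its helpers and the `OWNER_UID` argument are hypothetical names, and the device nodes under ~ftp/dev are not checked.

```shell
#!/bin/sh
# Added example (not from the man page): audit an anonymous-FTP tree against
# the ownership and mode rules in the quoted in.ftpd(1M) text.
# Usage: audit_anon_ftp FTPHOME [OWNER_UID]
# OWNER_UID defaults to 0 (root); it is a parameter only so the check can be
# tried on a scratch tree. Prints one line per finding; the return status is
# the number of findings.

_flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

# _inspect PATH: set $perms (ls-style, e.g. dr-xr-xr-x) and $uid for PATH.
# Records a finding and returns 1 if PATH does not exist.
_inspect() {
    if [ ! -e "$1" ]; then _flag "$1 is missing"; return 1; fi
    perms=$(ls -ldLn "$1" | awk '{ print substr($1, 1, 10) }')
    uid=$(ls -ldLn "$1" | awk '{ print $3 }')
}

_owned() {
    [ "$uid" = "$owner_uid" ] || _flag "$1 is owned by uid $uid, expected $owner_uid"
}

audit_anon_ftp() {
    ftphome=$1; owner_uid=${2:-0}; findings=0

    # "owned by the superuser and unwritable by anyone"
    for rel in . usr/bin usr/lib etc dev; do
        _inspect "$ftphome/$rel" || continue
        _owned "$ftphome/$rel"
        case $perms in
            ??w*|?????w*|????????w*) _flag "$ftphome/$rel is writable: $perms" ;;
        esac
    done

    # ~ftp/bin is described as a symbolic link to ~ftp/usr/bin
    [ -h "$ftphome/bin" ] || _flag "$ftphome/bin is not a symbolic link"

    # entries with an exact mode in the rules: 111, 444, 755, 555
    # third column: whether the rules also name the owner
    while read -r rel want own; do
        _inspect "$ftphome/$rel" || continue
        [ "$perms" = "$want" ] || _flag "$ftphome/$rel is $perms, expected $want"
        if [ "$own" = owner ]; then _owned "$ftphome/$rel"; fi
    done <<EOF
usr/bin/ls ---x--x--x any
etc/passwd -r--r--r-- any
etc/group -r--r--r-- any
etc/netconfig -r--r--r-- any
pub drwxr-xr-x owner
usr/share/lib/zoneinfo dr-xr-xr-x owner
EOF
    return "$findings"
}

# Run the audit when the script is given a directory on the command line.
if [ $# -gt 0 ]; then audit_anon_ftp "$@"; fi
```

A pub directory created with the `chmod 1755` from the commented-out lines of the man page's script shows as `drwxr-xr-t` and is reported, because the rules text gives mode 755.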


Post 4 | Posted 2006-04-03 15:13
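Did you see anything in the man page that is what I asked for?
Don't just copy a man page and call it an answer. If the answer were there, I wouldn't be asking here~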
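
The man page quoted in posts 2 and 3 documents one setting that affects the permissions of uploaded files: the `UMASK=nnn` line in /etc/default/ftpd. As an added example (not part of the original posts or of the man page), this script works out the `nnn` that leaves uploaded files write-only for their owner and confirms it on a scratch file; `ftpd_umask_for` and `perms_under_umask` are hypothetical helper names, and the 0666 creation mode is an assumption about in.ftpd.

```shell
#!/bin/sh
# Added example: derive the UMASK=nnn value for /etc/default/ftpd from the
# permissions uploaded files should end up with, then confirm it empirically.
# Assumption: the server requests mode 0666 when it creates an uploaded file,
# so the final mode is 0666 & ~umask (a umask can only remove bits).

# ftpd_umask_for MODE: print the 3-digit umask that yields MODE, or fail if
# MODE needs bits (such as execute) that a 0666 create can never produce.
ftpd_umask_for() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "mode must be three octal digits" >&2; return 2 ;;
    esac
    want=$((0$1))                       # leading 0: read MODE as octal
    if [ $(( want & ~0666 )) -ne 0 ]; then
        echo "mode $1 is not reachable from a 0666 create" >&2
        return 1
    fi
    printf '%03o\n' $(( 0666 & ~want ))
}

# perms_under_umask NNN: create a scratch file under umask NNN (the shell's
# redirection also requests 0666) and print its ls-style permission string.
perms_under_umask() {
    tmpdir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmpdir/upload.test" ) || { rm -rf "$tmpdir"; return 1; }
    ls -l "$tmpdir/upload.test" | cut -c1-10
    rm -rf "$tmpdir"
}

# Owner write-only (mode 200) as the target for uploaded files.
mask=$(ftpd_umask_for 200)
echo "UMASK=$mask"
echo "resulting file mode: $(perms_under_umask "$mask")"
```

The value is the daemon's umask, so it applies to every file in.ftpd creates during PUT operations, not to one directory or one user.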