oftpd: a Secure, Modern FTP Dæmon

by Don Marti

FTP dæmons may not get much attention, but what attention they do get is in the form of security advisory after security advisory. There's not much hack value for most people in supporting something as old-school as FTP, so the state of the art has languished—until now. This article will introduce you to Shane Kerr's oftpd, an incredibly simple FTP dæmon that, we think, will start to replace the old, full-featured dæmons currently shipping on (and creating security issues for) Linux distributions everywhere.

Rick Moen, a Linux security guru who is also famous for his ability to install Linux on many obsolete or unusual systems, runs an FTP server mostly as an archive of Linux distributions to install over the network. Boot from floppy, select “Install from FTP” and Bob's your uncle. No need to figure out how to insmod the driver for somebody's ten-year-old 1x CD-ROM drive. (Please, don't everyone go knocking on Rick's door with your VIC-20s and PDP-8s; he gets plenty of challenges from regular installfests and user-group meetings.)

FTP remains useful for three reasons, Rick says. First, FTP provides automatic, informative directory listings, including file modification times, to facilitate mirroring. Second, there's no “index.html” to override a dæmon-generated directory listing in FTP, so it's easy to mirror entire directory trees or grab them with snarf.

Finally, Rick finds that you can get small FTP clients for legacy OSes or special situations where an HTTP client won't fit. For example, Rick used a MacOS FTP client to copy Debian floppies to an old Macintosh with no CD-ROM and insufficient memory for a web browser. People who install a lot of Red Hat or Red Hat-based systems using Kickstart floppies soon find that FTP installs are fast, convenient and let you keep a single software archive up-to-date on the FTP server. You can do the same thing with an NFS (Network File System) install, but FTP is faster.

The qualities people need from an FTP dæmon have changed since the old dæmons were written. First, the days of logging in to an FTP site with a username and password (which get sent in plaintext over the Net) are gone, gone, gone. People are using ssh, scp and other encrypted tools to protect their passwords on the Net when they transfer nonpublic files, so the FTP dæmon no longer needs to authenticate users. Second, performance matters. People aren't just using FTP to get an occasional piece of software or pass along work to colleagues. FTP servers should be prepared to get slammed by many clients all installing an entire Linux distribution at once.

So, the two goals for running a modern FTP server are: for security, simplify both your Policy and FTP dæmon to “anonymous FTP only”, and look for a dæmon that offers good performance. That's what brings us to oftpd.

For security, oftpd runs as a non-root user except for essential setup tasks. It runs “chrooted” to the public FTP directory. These features buy you a lot, security-wise, and an old-fashioned FTP dæmon that allows users to log in with a username and password that can't match it. For simplicity and performance, oftpd itself generates directory listings instead of running ls.

Moving from Old-School FTP to oftpd

The first step in setting up oftpd is to get rid of the old ftp entry in inetd.conf. The FTP dæmon that probably came with your Linux distribution gets run by inetd, while oftpd runs standalone for speed. Just comment out the ftp line with a # at the beginning, so it looks something like this:

# ftp stream  tcp nowait  root /usr/sbin/tcpd in.ftpd -l -a

Now killall -HUP inetd to restart inetd, so that it knows not to respond to connections on the FTP port. If you ftp localhost you should get a Connection refused.

Now, we're ready to move on to oftpd itself. First, the easy part. To compile and install, just unpack the tar file, cd into the resulting directory and use the One True GNU Way (./configure; make; make install). To keep everything in its appropriate, canonical place, supply the bindir argument to the configure script, so that make install will put the oftpd executable in /usr/local/sbin, which is the appropriate directory for locally built dæmons:

sh ./configure --bindir=/usr/local/sbin && make

Then su root and do:

make install
The installation is so generic that the INSTALL document in the version of oftpd I used begins simply, “These are generic installation instructions”. That's a good thing. By the time you read this, there will probably be RPM or deb packages for your favorite distribution, so check there first for an even easier install.

The above compile and install step, as well as the following three steps, will be handled for you if you install oftpd from an RPM or deb package, but you'll have to complete them if you're installing oftpd from source.

Add the oftpd User

One of the most important rules of Linux security is “Don't run anything as root that you don't have to”. oftpd, like Apache and other dæmons, follows this rule by dropping root privilege right after it starts listening on its standard, root-only port. If you're looking at the oftpd source, this is found in src/oftpd.c, where “create our main listener” is followed immediately by “set user to be as inoffensive as possible”. So, you'll be starting oftpd as root, but you'll need to add a user that it can run as afterward. Run adduser or useradd (whichever one your distribution provides) to create a new user called “oftpd”.

Test oftpd by Starting and Stopping It Manually

As root, start oftpd like this:

/usr/local/sbin/oftpd oftpd /home/httpd/html

The two arguments are: first, the user to run as and, second, the FTP directory to use. You can point both Apache and oftpd at the same directory so that all of your content is available either by HTTP or FTP. Substitute your own web server's “DocumentRoot” directory as the second argument. You can always make a separate FTP directory if you want, but this way lets people use HTTP to get files from your server if they're behind a misconfigured firewall that doesn't let FTP connections through.

If oftpd starts without errors, try visiting localhost with your favorite FTP client or ftp://localhost/ with your web browser. You should be able to get a directory listing of your chosen FTP directory. If you do, you're almost done. Have a refreshing beverage. Two bad things can happen with the above command, but they're easy to deal with. If you get an “invalid user name” error, you didn't create the oftpd user correctly. If you specify a nonexistent directory, you won't immediately see an error message, but you won't get a directory listing, and oftpd will log an error using syslog. On my Debian box, syslog puts oftpd's log messages in daemon.log. You can change that by editing /etc/syslogd.conf, but that's another article.

As root, kill oftpd for now with:

killall oftpd
Make an oftpd init Script

Next, you'll need to make an init script to start and stop oftpd. As root, cd into your init.d directory (/etc/rc.d/init.d on Red Hat, /etc/init.d on Debian) and pick out an init script to copy and edit (I like to copy new init scripts from the one for sshd, because it's very simple). Two small features to watch for: oftpd (version 0.2.0) does not currently write a pidfile in /var/run, and the PID of the running process is not the same as the PID of the process you started because oftpd forks when it starts up. So in the “stop” section of your init script, you'll need to take the appropriate steps to kill oftpd by name instead of by PID. On Debian, use the --exec option of start-stop-dæmon (see Listing 1). However, the killproc function on Red Hat will automatically kill by name if it can't find a pidfile.

Listing 1. oftpd init Script for Debian

Welcome Back, Installers of Packages

If you installed a package instead of source, everything up to this point will have been done for you. Check that the init script points oftpd to the appropriate directory, but that's about it. Now, whether you installed from source or from a package, just cd into your init.d directory and do:

./oftpd start

Then check ftp://localhost/ to make sure oftpd is up; use your distribution's runlevel management tool to set oftpd to start automatically when you enter your default runlevel; and ftp to your server from the outside to make sure some firewall weenie hasn't filtered FTP out of your network. Now you have a working, simple FTP server suitable for software archives of all kinds. You can mirror your favorite Linux distribution and invite everyone you know to bring their boxes over for a quick network install.

Resources

oftpd: a Secure, Modern FTP Dæmon
Don Marti is the technical editor for Linux Journal. He can be reached at dmarti@ssc.com.
Load Disqus comments