Zoltan Orc
05-09-2003, 03:05 PM
I just clicked the wrong button in a support ticket and closed it instead of refreshing the page. :rolleyes: Since the prob was solved already I figured instead of opening a new support ticket I'll post my last question here...
What are guest users in wuftpd on a RedHat 7.3 server (Webmin)? Unix users and anonymous users are clear, but there's a 3rd category, guest, and I'm curious what it is.
Atjeu
05-09-2003, 11:46 PM
FTP Guest User Setup for Red Hat Linux
FAQ Maintainer, Red Hat, Inc.
--------------------------------------------------------------------------------
This document shows the basic steps needed to configure guest user ftp for Red Hat Linux 6.x and 7.x systems.
--------------------------------------------------------------------------------
1. Configuring Guest FTP Access
1.1 Preface
``Red Hat Tips'' are documentation meant to help Red Hat users with specific tasks. Some of these documents are for new users, some are for advanced users. Hopefully each document will also be of help for both new and advanced users. If you have contributions to make, please send them to faq-maintainer@redhat.com. If you have changes that need to be made to individual Tips, send them to the author of that document or the faq-maintainer@redhat.com address if one is not specified.
1.2 Introduction
Guest FTP access is a useful way of allowing users to have file transfer access to specific areas of a site (the root directory of their web site, for example). Some of the steps are similar to virtual FTP setup but the focus of this document is just the guest user setup.
1.3 Software Installation
First of all, make certain that both the wu-ftpd package and the anonftp packages are installed on the system. The versions installed should at minimum match those below:
wu-ftpd-2.5.0-5.6.0
anonftp-2.8-1
Checking to see if they are installed can be done with the following command:
rpm -qa | egrep '(wu-ftpd|anonftp)'
If the packages are not installed, they can be installed from the Red Hat Linux installation cd, as the root user:
mount /mnt/cdrom
cd /mnt/cdrom/RedHat/RPMS/
rpm -ivh wu-ftpd* anonftp*
cd
umount /mnt/cdrom
1.4 Create the guest user account
Create the guest user account. The account is created like a normal user would be.
/usr/sbin/useradd theguest
Set up the password for the guest user:
/usr/bin/passwd theguest
theguest
theguest
1.5 Stop telnet access
Stop telnet access
Edit /etc/shells and add "/bin/true" to the end if it is not already there. Then:
/usr/bin/chsh theguest
When prompted, enter:
/bin/true
Now edit /etc/passwd and add "/./" to the user's home directory entry. So if /etc/passwd contains:
theguest:x:2855:2857::/home/mrfrog:/bin/true
change it to:
theguest:x:2855:2857::/home/mrfrog/./:/bin/true
This step can be skipped by using the -d option to useradd to specify the user's home directory. This can also be useful if the ftp root is in another location. Likewise, using chsh can also be skipped by using the -s option.
/usr/sbin/useradd -d /var/ftp/virtual/mrfrog/./ -s /bin/true theguest
1.6 Setting up the guest users home directory
Copy the anonftp files to the guest user's home dir.
cp -a ~ftp/lib ~theguest
cp -a ~ftp/bin ~theguest
cp -a ~ftp/etc ~theguest
or
tar cvf - * | ( cd ~theguest ; tar xvf -)
will do it too.
1.7 Editing the user-specific passwd and group files
Update the theguest/etc/passwd and theguest/etc/group files
Edit theguest/etc/passwd file and remove the line for the FTP user. Append the exact password line for "theguest" from /etc/passwd. But remove theguest's password and replace it with a "*" to make it invalid. For example:
theguest:x:2855:2857::/home/mrfrog/./:/bin/true
will be changed and appended to theguest/etc/passwd as:
theguest:*:2855:2857::/home/mrfrog/./:/bin/true
Now modify theguest/etc/group file and add the theguest line found in /etc/group. Delete the ftp group from theguest/etc/group as well.
1.8 Setting directory and file permission
chown theguest's home directory and chmod the directories and files according to the following examples:
chown theguest.theguest ~theguest
chmod 750 ~theguest
chown -R root.root ~theguest/etc ~theguest/bin ~theguest/lib
cd ~theguest
chmod -R 555 *
cd etc
chmod 444 *
1.9 Edit /etc/ftpaccess for guest user permissions
Add the following to the end of /etc/ftpaccess
guestgroup theguest
Whether or not theguest can delete, overwrite, or rename files will depend on the settings in /etc/ftpaccess. The default settings are:
chmod no guest,anonymous
delete no guest,anonymous
overwrite no guest,anonymous
rename no guest,anonymous
which prohibit the guest accounts from performing chmod, delete, overwrite or rename operations. To allow these operations, the "guest" will have to be removed from the default typelist, like so:
chmod no anonymous
delete no anonymous
overwrite no anonymous
rename no anonymous
1.10 Further notes
To Anon or Not to Anon:
Finally, if anon FTP access isn't desired, the anonftp package can be uninstalled. The guest access will still be present and the guest user's lib, etc. and bin directories will be preserved.
rpm -e anonftp
By removing the anonftp package, anyone that expects to ftp into the system will need to be either a regular user or an ftp guest user.
Symlinked directories or files:
A common oops with guest ftp accounts is to try and allow access to other areas of the system with symlinks. But because Anonymous ftp operates in a chroot environment where a particular directory becomes the root or / directory (in the example here, /var/ftp/domains/mrfrog is now the root directory for theguest), this means there is no access to filesystems outside of the anonymous ftp area. This is why there is a copy of various libraries in ftp/lib and binaries such as ls in the ftp/bin directory.
You might have to copy your files to somewhere under ftp, set up another account, or not use the chrooted environment for the users that need access to files elsewhere.
/etc/ftpaccess:
ftpaccess has many more options that can be used to control ftp user access. Read the man page for more information.
Location of the ftp root:
In Red Hat 7, the location for the ftp root was changed from /home/ftp to /var/ftp.
killing directory listings:
By chmod'ing the /lib and /bin directories to 111 the users will not be able to see any files that are in the directories. This may be useful for some secured systems.
1.11 Other Resources
The WU-FTPD Development Group: http://www.wu-ftpd.org/
The Landfield Group wu-ftpd Resource Center: http://www.landfield.com/wu-ftpd/
The Red Hat FTP Setup Tips: http://www.redhat.com/support/docs/tips/FTP-Setup-Tips/FTP-Setup-Tips.html.
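
Added example, not part of the post above or of the Red Hat document: a shell check that a guest account ended up configured as steps 1.5 to 1.9 describe. The function names and the ROOT path prefix are hypothetical, and the guest's group is assumed to have the same name as the user, as in the "guestgroup theguest" line.

```shell
#!/bin/sh
# Added example: audit one wu-ftpd guest account against steps 1.5-1.9.
# ROOT is a path prefix ("" for the live system); helper names are hypothetical.

# Print field N of USER's line in a passwd-format FILE.
passwd_field() {
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# audit_guest ROOT USER: print one FAIL line per problem, return the count.
audit_guest() {
    root=$1; user=$2; fails=0
    home=$(passwd_field "$root/etc/passwd" "$user" 6)
    shell=$(passwd_field "$root/etc/passwd" "$user" 7)

    # 1.5: "/./" in the home field marks where wu-ftpd chroots the guest.
    case $home in
        */./*) jail=$root${home%%/./*} ;;
        *)     jail=$root$home; fail "home '$home' has no /./ marker" ;;
    esac

    # 1.5: non-interactive shell that is still listed in /etc/shells.
    [ "$shell" = /bin/true ] || fail "shell is '$shell', not /bin/true"
    grep -qxF -- "$shell" "$root/etc/shells" || fail "'$shell' not in /etc/shells"

    # 1.7: the copy inside the chroot must carry "*" instead of a password.
    pw=$(passwd_field "$jail/etc/passwd" "$user" 2)
    [ "$pw" = "*" ] || fail "chroot etc/passwd password field is '$pw'"

    # 1.8: nothing under the chroot's etc/ may be writable.
    w=$(find "$jail/etc" -type f \( -perm -200 -o -perm -020 -o -perm -002 \))
    [ -z "$w" ] || fail "writable files in chroot etc/: $w"

    # 1.9: a guestgroup line must name the guest's group (assumed = user name).
    awk -v g="$user" '$1 == "guestgroup" { for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
        END { exit !ok }' "$root/etc/ftpaccess" ||
        fail "no 'guestgroup $user' line in /etc/ftpaccess"

    return "$fails"
}

# Run as: sh audit.sh "" theguest   (script name hypothetical; empty ROOT = live system)
if [ "$#" -eq 2 ]; then audit_guest "$1" "$2"; fi
```

The return value is the number of failed checks, so 0 means the account matches the steps; ownership of bin, lib and etc (root.root in step 1.8) is not checked here.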