User Accounts - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

Chapter 43. Securing Your Network
By default the anonymous user cannot write to any directories.
Caution
If enabling anonymous access to an FTP server, be aware of where sensitive data is
stored.
43.2.6.2.1. Anonymous Upload
To allow anonymous users to upload files, it is recommended that a write-only directory be created
within /var/ftp/pub/.
To do this, type the following command:
mkdir /var/ftp/pub/upload
Next, change the permissions so that anonymous users cannot view the contents of the directory:
chmod 730 /var/ftp/pub/upload
A long format listing of the directory should look like this:
drwx-wx---    2 root     ftp          4096 Feb 13 20:05 upload
Warning
Administrators who allow anonymous users to read and write in directories often find that
their servers become a repository of stolen software.
Additionally, under vsftpd, add the following line to the /etc/vsftpd/vsftpd.conf file:
anon_upload_enable=YES

43.2.6.3. User Accounts

Because FTP transmits unencrypted usernames and passwords over insecure networks for
authentication, it is a good idea to deny system users access to the server from their user accounts.
To disable all user accounts in vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:
local_enable=NO
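
The following audit script is an added example, not part of the Red Hat manual or of vsftpd. It checks the two settings described above: the explicit local_enable=NO directive, and the mode and ownership of the anonymous upload directory when anon_upload_enable=YES is set. The function names, the throwaway paths and the rule that the last uncommented assignment wins are assumptions made for this example.

```shell
#!/bin/sh
# Added audit sketch; function names are hypothetical, not part of vsftpd.

# Print the value of a vsftpd.conf directive, or "unset" if it is absent.
# Assumption: the last uncommented "key=value" line is the one in effect.
vsftpd_option() {
    val=$(sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Succeed only if the directory has exactly mode 730 (drwx-wx---).
upload_dir_is_write_only() {
    [ -d "$1" ] || return 2
    [ "$(stat -c '%a' "$1")" = "730" ]   # GNU stat, as shipped with RHEL
}

# Audit a config file and upload directory; $3 is the expected owner:group.
# Requires the explicit local_enable=NO directive this section tells you to add.
# Returns 0 when no finding is printed, 1 otherwise.
audit_anon_ftp() {
    a_conf=$1 a_dir=$2 a_owner=${3:-root:ftp} rc=0
    if [ "$(vsftpd_option "$a_conf" local_enable)" != "NO" ]; then
        echo "FAIL: local_enable=NO is not set in $a_conf"
        rc=1
    fi
    if [ "$(vsftpd_option "$a_conf" anon_upload_enable)" = "YES" ]; then
        if ! upload_dir_is_write_only "$a_dir"; then
            echo "FAIL: $a_dir is not mode 730; uploads may be listable"
            rc=1
        elif [ "$(stat -c '%U:%G' "$a_dir")" != "$a_owner" ]; then
            echo "FAIL: $a_dir is not owned by $a_owner"
            rc=1
        fi
    fi
    return $rc
}

# Constructed demo: a throwaway config and directory, not a real server.
demo=$(mktemp -d)
mkdir "$demo/upload" && chmod 755 "$demo/upload"
printf '%s\n' '#local_enable=NO' 'local_enable=YES' 'anon_upload_enable=YES' \
    > "$demo/vsftpd.conf"
audit_anon_ftp "$demo/vsftpd.conf" "$demo/upload" || echo "audit found problems"
rm -rf "$demo"
```

On a real server the call would be audit_anon_ftp /etc/vsftpd/vsftpd.conf /var/ftp/pub/upload, using the paths given in this section.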
43.2.6.3.1. Restricting User Accounts
To disable FTP access for specific accounts or specific groups of accounts, such as the root user and
those with sudo privileges, the easiest way is to use a PAM list file as described in
Section 43.1.4.2.4, "Disabling Root Using PAM". The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.
