Sunday, February 26, 2017

Simple OpenBSD File Server

These days, when people think of a file server, they assume that it must support Windows CIFS (a.k.a. SMB or Samba).  A few grizzled sysadmins know that NFS would be much, much simpler to set up and almost nobody would consider using FTP.

Well, that is too bad, since for many situations, anonymous FTP is best and it works purrfectly on my little OpenBSD netbook.

FTP is a very simple protocol, it only talks when it has to and is completely quiet otherwise.  It has none of the chattyness and incessant 'CACA' packets of CIFS.  It is extremely easy to set up and has native support in all operating systems.  Even Windows can do anonymous FTP transparently and can map a FTP server to a drive letter, thus enabling any program to connect to the server directly.

Some will speak up and say that FTP is insecure.  Well, yes, but so is NFS and CIFS.  The difference is that FTP doesn't even pretend to be secure.   The joke is that nowadays, since script kiddies are unfamiliar with FTP, it is more resistant to ransomware than CIFS.  BTW, don't use FTP with password authentication - the passwords are sent in the clear making it quite useless.

The Samba manual is about 2 inches thick, while the configuration file for a FTP server is only about a dozen lines.  Need I say more?

Consider that if a network file system is insecure, then it means that any naughty user can read/write/modify anything.  Samba has oodles of configuration features to control access.  These features are useless.  They only work with honest users who won't give you any trouble anyway and do nothing against naughty users.  All that these fancy features do, is make the system hard to set up and maintain!

When you have a home or office with ten or twenty users, who just need a centralized place to store data that can be regularly backed up and you don't want to waste any time managing it, then an anonymous FTP server could be ideal, since you don't have to waste any time with accounts, passwords and access controls.

Set it and forget it - KISS.

Configuration Frustrations

I installed vsftpd using pkg_add:
# pkg_add vsftpd

Simple as that.

In Linux, the package manager is different for each distribution, otherwise, it is the same idea.

Example Configuration File:
$ cat /etc/vsftpd.conf
ftpd_banner=VsFTPd. Cool, eh?

The problem with setting up a FTP server is that the configuration for the server also depends on the local file system access restrictions (Ditto for Samba and NFS).

In an attempt to frustrate a hacker I run the server as an unprivileged user _ftp and make the directory tree owned by a different unprivileged user called ftp.  Ensure that these two users do not have a login shell.  Use /usr/sbin/false instead of bash or ksh.  You can run the script adduser to make these accounts if required.

The chown_upload_mode=0664 is a relatively new parameter. All the other older guides on the web don't show this option and this is the main reason why I wrote this guide.

When you specify:

Then this does nothing, so I set it to 0000 as a reminder:

and you instead need:

That took me a long while to figure out.


Directories and Permissions

I made a tree /ftp/pub/data like this:
# mkdir -p /ftp/ftp  
# mkdir -p /ftp/pub/data
# chown root:ftp /ftp/pub/data
# chmod 1777 /ftp/pub/data

That makes the data directory owned by root:ftp and sticky so that new files will inherit that ownership, irrespective of who uploaded the files, thus ensuring that anyone can download them again.

Test, Test, Test

Run the server in one console and log in from another console and transfer little test files.  Then log in from another computer and repeat. 
# vsftpd

$ touch test1
$ touch test2
$ ftp localhost
Login: anonymous
Password: [Enter]
ftp> put test1
ftp> get test1

On BSD, see what is going on with tail - same idea, but a different log system on Linux though:
$ tail -f /var/log/vsftpd.log

It may take a while to work out the fat finger kinks.

Windows Mapping

Use the easy connect wizard in the Windows file browser (File, Map Network Drive, Map as Drive, Connect to a website..., Next, Choose...) to connect to the server using a URL like which will create a shortcut in the left pane which then works like any other network file share.

After installing a 128GB SD card for storage, I now have a little WiFi connected 'NAS' which is normally sleeping peacefully and when I need it, all I need to do is flip open its lid and wait about 5 seconds for it to wake up.

For questions, go to

-. --- / .-- .. -. -.. --- .-- ... --..-- / -. --- / -.-. .-. -.--

La voila!


1 comment:

On topic comments are welcome. Junk will be deleted.