Creating an anonymous directory structure in the HFS
The sample shell script, ftpandir.scp, creates an anonymous directory structure
for you, containing required and optional structures. Alternatively, a superuser
can create the anonymous directory structure manually.
This section outlines the steps a superuser would follow to
create an anonymous HFS directory structure.
For the following steps, assume that the RACF user ID that is used when an
anonymous user logs in is called GUEST, that the HOME directory in that user's
OMVS segment in RACF is /u/guest, and that FTP.DATA contains a statement
similar to this: ANONYMOUS GUEST
- Create a bin subdirectory in the anonymous root containing the executables ls
and sh. This is a required directory. ls can be copied from the standard
directory. sh is part of the standard MVS search order, so you need only create
an empty file with the sticky bit.
The following example shows how to create ls and sh in the user GUEST's
home directory:
===> cd /u/guest
===> mkdir bin
===> chmod 711 bin
===> cd bin
===> cp /bin/ls ls
===> chmod 711 ls
===> touch sh
===> chmod 711 sh
===> chmod +t sh
An ls -al command should give the following results. Owner and group attributes
may be different on your system.
# ls -al
total 280
drwx--x--x 2 USER22 0 8192 Sep 21 17:39 .
drwx--x--x 7 USER22 0 8192 Nov 1 14:44 ..
-rwx--x--x 1 USER22 0 126976 Sep 21 17:39 ls
-rwx--x--t 1 USER22 0 0 Sep 21 17:39 sh
- Create a usr/sbin subdirectory of the anonymous root containing the executable
file ftpdns. This is a required subdirectory. The file ftpdns can be empty with the
sticky bit on. The following example is for anonymous user GUEST:
===> cd /u/guest
===> mkdir usr
===> chmod 711 usr
===> cd usr
===> mkdir sbin
===> chmod 711 sbin
===> cd sbin
===> touch ftpdns
===> chmod 711 ftpdns
===> chmod +t ftpdns
If you do not configure the subdirectories, bin and usr/sbin, and their contents
correctly, the FTP server will not be able to accept anonymous logins and
message EZYFT731 will be displayed.
- Create a dev subdirectory within the anonymous root. This is a required
subdirectory. A null file is created in this directory and used during the open of
syslog.
The following example is for anonymous user GUEST:
===> cd /u/guest
===> mkdir dev
===> chmod 711 dev
If you do not have the dev subdirectory, syslog might not open correctly.
Messages such as EZA2830I will not be logged correctly.
- Set up the public directory structure. This is a required directory.
This is the directory structure into which you place files that can be downloaded
by the anonymous FTP user. It does not have to be named pub; it can be any
name you choose. A general convention for anonymous FTP sites is to call it
pub:
===> cd /u/guest
===> mkdir pub
===> cd pub
If you want to structure the files you allow to be accessed, you can create
multiple subdirectories underneath this directory.
For simplicity, assume a single level directory, the pub directory. Into this
directory you copy the files you want to allow the anonymous user to download:
===> cp /x/y/z/prodinfo1.txt prodinfo1.txt
===> cp /x/y/z/prodinfo2.txt prodinfo2.txt
===> cd ..
Make sure that the permission bits are set correctly by issuing the following
shell command from the /u/guest directory. This sets the permission
bits of all files in the pub directory and its subdirectories to 755:
===> chmod -R 755 pub
If your system does not require an incoming or extract directory, the system is
configured for anonymous FTP. An ls -al command of the pub directory should
give the following results:
drwxr-xr-x 3 IBMUSER SYS1 8192 May 13 21:15 .
drwxr-xr-x 6 IBMUSER SYS1 8192 May 20 14:51 ..
-rwxr-xr-x 1 IBMUSER SYS1 12 May 11 12:41 prodinfo1.txt
-rwxr-xr-x 1 IBMUSER SYS1 12 May 11 12:41 prodinfo2.txt
- Set up an incoming directory (optional).
If you want anonymous users to be able to upload files to your FTP server, you
need some additional setup. The objective is to allow an anonymous user to
upload a file, but not to allow another anonymous user to download or even be
aware of the existence of the file until after an administrative user has verified
that the content of the file is acceptable. You do not want your FTP server site
to become a store-and-forward site for files of questionable ethical content.
Positioned at the /u/guest directory, a superuser issues the following shell
commands:
===> cd /u/guest
===> mkdir incoming
===> chmod 733 incoming
It does not have to be named incoming; it can be any name you choose. A
general convention for anonymous FTP sites is to call it incoming.
The 733 permission bits mean that a non-superuser cannot list the content of
the incoming directory, but can write a file to it. Because the FTP server
enforces a UMASK of 777 when an anonymous user logs in, these files will be
written with permission bits 000, which means that they cannot be accessed by
the anonymous user or by any other user except a superuser.
An FTP client user can normally change the UMASK via a SITE UMASK
command or the user can change the permission bits of files they own through
a SITE CHMOD command.
If you define restricted access for anonymous users (ANONYMOUSLEVEL=3), you can use the
HFS permissions on the File access and permissions panel to set the permission bits of any
directory or file created by an anonymous user.
If you do allow anonymous users to store files on your FTP server, you should ensure
that the directory into which these files are stored is in an HFS that can fill up
without impacting other work on your z/OS system. The best way to do that is to
allocate the /u/guest/incoming directory in its own HFS data set. If an anonymous user
uploads large amounts of data to the incoming directory, only this separate HFS will be
filled up. Filling this separate HFS will prevent other anonymous users from storing
new files on the server, but will not affect other functions on your system. At a
minimum, you should make sure that the incoming directory is not in the same HFS as
your /tmp directory.
- Set up the extract directory (optional).
If you need to make files available to certain anonymous users, but not to
everyone, you can create a directory that cannot be listed, but files in it can be
downloaded if the anonymous user knows the name of the file.
Positioned at the /u/guest directory, a superuser issues the following shell
commands:
===> cd /u/guest
===> mkdir extract
===> chmod 711 extract
It does not have to be named extract; it can be any name you choose. A
general convention for anonymous FTP sites is to call it extract.
A superuser can then copy files into this directory, ensure they have
permissions of 755, inform the intended anonymous user of the file name, and
that user can then log on as anonymous and retrieve the file.
An ls -al command at the /u/guest location should give the following result, if
you created all four subdirectories:
drwxr-xr-x 6 IBMUSER SYS1 8192 May 20 14:51 .
dr-xr-xr-x 6 IBMUSER SYS1 0 Jun 10 15:43 ..
drwx--x--x 2 IBMUSER SYS1 8192 May 11 12:44 bin
drwx--x--x 3 IBMUSER SYS1 8192 May 11 13:39 extract
drwx-wx-wx 3 IBMUSER SYS1 8192 May 25 09:35 incoming
drwxr-xr-x 3 IBMUSER SYS1 8192 May 13 21:15 pub
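As an added example (not part of the original documentation or of the ftpandir.scp sample), the following shell function checks an anonymous root against the permission bits used in the steps above and flags uploads in incoming that are no longer mode 000. The function names and the table layout are assumptions of this example, and it assumes dev carries the same 711 bits as the other required directories.

```shell
#!/bin/sh
# Added example: audit an anonymous FTP root against the modes set on this page.

# Print the 10-character mode string from `ls -ld` (for example drwx--x--x).
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# audit_anon_root ROOT: report every mismatch, return 0 only if there are none.
audit_anon_root() {
    root=$1
    failures=0
    # Columns: relative path, expected mode, "req" (must exist) or "opt".
    while read -r rel expected need; do
        actual=$(mode_of "$root/$rel")
        if [ -z "$actual" ] && [ "$need" = opt ]; then
            continue    # optional directory not configured
        fi
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $root/$rel: expected $expected, found ${actual:-missing}"
            failures=$((failures + 1))
        fi
    done <<EOF
bin             drwx--x--x req
bin/ls          -rwx--x--x req
bin/sh          -rwx--x--t req
usr             drwx--x--x req
usr/sbin        drwx--x--x req
usr/sbin/ftpdns -rwx--x--t req
dev             drwx--x--x req
pub             drwxr-xr-x req
incoming        drwx-wx-wx opt
extract         drwx--x--x opt
EOF
    # Uploads awaiting review must stay unreadable (UMASK 777 gives mode 000).
    if [ -d "$root/incoming" ]; then
        for f in "$root/incoming"/*; do
            [ -f "$f" ] || continue
            case $(mode_of "$f") in
                ----------) ;;
                *) echo "EXPOSED $f: $(mode_of "$f")"; failures=$((failures + 1)) ;;
            esac
        done
    fi
    [ "$failures" -eq 0 ]
}

# Usage: sh audit.sh /u/guest
if [ $# -gt 0 ]; then audit_anon_root "$1"; fi
```

Run it as a superuser, because the 733 bits on incoming prevent other users from listing that directory.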