Creating an anonymous directory structure in the HFS

The sample shell script, ftpandir.scp, creates an anonymous directory structure for you, containing the required and optional directories. Alternatively, a superuser can create the anonymous directory structure.

In this section, the steps a superuser would follow to create an anonymous HFS directory structure are outlined. For the following steps, assume that the RACF user ID that is used when an anonymous user logs in is called GUEST, that the HOME directory in that user's OMVS segment in RACF is /u/guest, and that FTP.DATA contains a statement similar to this: ANONYMOUS GUEST

  1. Create a bin subdirectory in the anonymous root containing the executables ls and sh. This is a required directory. ls can be copied from the standard directory. sh is part of the standard MVS search order, so you need only create an empty file with the sticky bit.
    The following example shows how to create ls and sh in the user GUEST's home directory:
    ===> cd /u/guest
    ===> mkdir bin
    ===> chmod 711 bin
    ===> cd bin
    ===> cp /bin/ls ls
    ===> chmod 711 ls
    ===> touch sh
    ===> chmod 711 sh
    ===> chmod +t sh
    

    An ls -al command should give the following results. Owner and group attributes may be different in your system.
    # ls -al
    total 280
    drwx--x--x 2 USER22 0 8192   Sep 21 17:39 .
    drwx--x--x 7 USER22 0 8192   Nov 1  14:44 ..
    -rwx--x--x 1 USER22 0 126976 Sep 21 17:39 ls
    -rwx--x--t 1 USER22 0 0      Sep 21 17:39 sh
    

  2. Create a usr/sbin subdirectory of the anonymous root containing the executable file ftpdns. This is a required subdirectory. The file ftpdns can be empty with the sticky bit on. The following example is for anonymous user GUEST:
    ===> cd /u/guest
    ===> mkdir usr
    ===> chmod 711 usr
    ===> cd usr
    ===> mkdir sbin
    ===> chmod 711 sbin
    ===> cd sbin
    ===> touch ftpdns
    ===> chmod 711 ftpdns
    ===> chmod +t ftpdns
    

    If you do not configure the subdirectories, bin and usr/sbin, and their contents correctly, the FTP server will not be able to accept anonymous logins and message EZYFT731 will be displayed.

  3. Create a dev subdirectory within the anonymous root. This is a required subdirectory. A null file is created in this directory and used during the open of syslog.
    The following example is for anonymous user GUEST:
    ===> cd /u/guest
    ===> mkdir dev
    ===> chmod 711 dev
    

    If you do not have the dev subdirectory, syslog might not open correctly. Messages such as EZA2830I will not be logged correctly.

  4. Set up the public directory structure. This is a required directory. This is the directory structure into which you place files that can be downloaded by the anonymous FTP user. It does not have to be named pub; it can be any name you choose. A general convention for anonymous FTP sites is to call it pub:
    ===> cd /u/guest
    ===> mkdir pub
    ===> cd pub
    

    If you want to structure the files you allow to be accessed, you can create multiple subdirectories underneath this directory. For simplicity, assume a single level directory, the pub directory. Into this directory you copy the files you want to allow the anonymous user to download:
    ===> cp /x/y/z/prodinfo1.txt prodinfo1.txt
    ===> cp /x/y/z/prodinfo2.txt prodinfo2.txt
    ===> cd ..
    

    Make sure that the permission bits are set correctly by issuing the following shell command from the /u/guest directory. This will set the permission bits of all files in the pub directory and its subdirectories to 755:
    ===> chmod -R 755 pub
    

    If your system does not require an incoming or extract directory, the system is configured for anonymous FTP. An ls -al command of the pub directory should give the following results:
    drwxr-xr-x 3 IBMUSER SYS1 8192 May 13 21:15 .
    drwxr-xr-x 6 IBMUSER SYS1 8192 May 20 14:51 ..
    -rwxr-xr-x 1 IBMUSER SYS1 12   May 11 12:41 prodinfo1.txt
    -rwxr-xr-x 1 IBMUSER SYS1 12   May 11 12:41 prodinfo2.txt
    

  5. Set up an incoming directory (optional). If you want anonymous users to be able to upload files to your FTP server, you need some additional setup. The objective is to allow an anonymous user to upload a file, but not to allow another anonymous user to download or even be aware of the existence of the file until after an administrative user has verified that the content of the file is acceptable. You do not want your FTP server site to become a store-and-forward site for files of questionable ethical content. Positioned at the /u/guest directory, a superuser issues the following shell commands:
    ===> cd /u/guest
    ===> mkdir incoming
    ===> chmod 733 incoming
    

    It does not have to be named incoming; it can be any name you choose. A general convention for anonymous FTP sites is to call it incoming. The 733 permission bits mean that a non-superuser cannot list the content of the incoming directory, but can write a file to it. Because the FTP server enforces a UMASK of 777 when an anonymous user logs in, these files will be written with permission bits 000, which means that they cannot be accessed by the anonymous user or by any other user except a superuser. An FTP client user can normally change the UMASK via a SITE UMASK command or the user can change the permission bits of files they own through a SITE CHMOD command.
    If you define restricted access for anonymous users (ANONYMOUSLEVEL=3), you can use the HFS permissions on the File access and permissions panel to set the permission bits of any directory or file created by an anonymous user.
    If you do allow anonymous users to store files on your FTP server, you should ensure that the directory into which these files are stored is in an HFS that can fill up without impacting other work on your z/OS system. The best way to do that is to allocate the /u/guest/incoming directory in its own HFS data set. If an anonymous user uploads large amounts of data to the incoming directory, only this separate HFS will be filled up. Filling this separate HFS will prevent other anonymous users from storing new files on the server, but will not affect other functions on your system. At a minimum, you should make sure that the incoming directory is not in the same HFS as your /tmp directory.

  6. Set up the extract directory (optional). If you need to make files available to certain anonymous users, but not to everyone, you can create a directory that cannot be listed, but files in it can be downloaded if the anonymous user knows the name of the file. Positioned at the /u/guest directory, a superuser issues the following shell commands:
    ===> cd /u/guest
    ===> mkdir extract
    ===> chmod 711 extract
    

    It does not have to be named extract; it can be any name you choose. A general convention for anonymous FTP sites is to call it extract. A superuser can then copy files into this directory, ensure they have permissions of 755, inform the intended anonymous user of the file name, and that user can then log on as anonymous and retrieve the file.
    An ls -al command at the /u/guest location should give the following result, if you created all four subdirectories:
    drwxr-xr-x 6 IBMUSER SYS1 8192 May 20 14:51 .
    dr-xr-xr-x 6 IBMUSER SYS1 0    Jun 10 15:43 ..
    drwx--x--x 2 IBMUSER SYS1 8192 May 11 12:44 bin
    drwx--x--x 3 IBMUSER SYS1 8192 May 11 13:39 extract
    drwx-wx-wx 3 IBMUSER SYS1 8192 May 25 09:35 incoming
    drwxr-xr-x 3 IBMUSER SYS1 8192 May 13 21:15 pub
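
The following script is an added example, not part of the original documentation or of ftpandir.scp. It audits an anonymous root against the permission bits set in steps 1 through 6 by comparing `ls -ld` mode strings. The function names, the treatment of incoming and extract as optional, and the check that uploaded files still carry permission bits 000 are assumptions made for this illustration; dev is expected to be 711, as set in step 3.

```shell
#!/bin/sh
# Added example (not from the original page): audit an anonymous FTP root
# against the permission bits that steps 1-6 set up.
# "relative-path expected-ls-mode" pairs; dev uses the 711 set in step 3.
EXPECTED='bin drwx--x--x
bin/ls -rwx--x--x
bin/sh -rwx--x--t
usr drwx--x--x
usr/sbin drwx--x--x
usr/sbin/ftpdns -rwx--x--t
dev drwx--x--x
pub drwxr-xr-x
incoming drwx-wx-wx
extract drwx--x--x'
OPTIONAL=' incoming extract '   # steps 5 and 6 are optional

# mode_of PATH: print the 10-character mode string reported by ls -ld.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# audit_anon_root ROOT: print one line per deviation and return their count.
audit_anon_root() {
    root=$1
    bad=0
    while read -r rel want; do
        got=$(mode_of "$root/$rel")
        if [ -z "$got" ]; then
            case "$OPTIONAL" in *" $rel "*) continue ;; esac
            echo "MISSING $rel (expected $want)"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "MODE    $rel is $got, expected $want"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    # Assumption: unreviewed uploads should still carry the 000 bits that the
    # server's UMASK of 777 gives them; anything else needs a look.
    if [ -d "$root/incoming" ]; then
        n=$(( $(find "$root/incoming" -type f ! -perm 000 | wc -l) ))
        if [ "$n" -gt 0 ]; then
            echo "UPLOADS $n file(s) in incoming not mode 000"
            bad=$((bad + 1))
        fi
    fi
    return "$bad"
}
```

Run it as the owner of the anonymous root or as a superuser, for example `audit_anon_root /u/guest`; a return status of 0 means every checked entry matches.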