                        HOW TO SET UP A SECURE FTP SERVER
                 NOTE: The following instructions are applicable
               for Solaris 2.x (2.8, 2.7, 2.6, 2.5.1, 2.5, 2.4) only.
                 2nd NOTE: This setup is for WUARCHIVE-ftp 2.4.2
              beta15 - beta18 VRseries (wu-ftpd), 2.5.x, 2.6.x (wu-ftpd),
                    as well as the vendor's version (Solaris).

IMPORTANT NOTE!!!!!!!!!!!!!!!!!!!
You can run in.ftpd as a stand-alone daemon by adding the "-S"
option.  An rc script is provided with this distribution.  The rc script
filename is "/etc/init.d/wuftpd".  To execute the script type at the
command prompt as root "/etc/init.d/wuftpd start".  To shutdown the
wu-ftpd daemon type "/etc/init.d/wuftpd stop".  Before you use the
stand-alone daemon you must put a "#" in front of the "ftpd" line
within the "/etc/inetd.conf" file.  Send a SIGHUP to inetd in order
for inetd to re-read its configuration file.

1. Add user "ftp" to the "/etc/passwd" file.
   NOTE: If the user name appears in the file "ftpusers", ftp access is denied.
2. Create an "ftp" home directory owned by "root" that cannot be written to by
   anyone.
3. Create a "bin" directory under the "ftp" home directory that is owned by
   "root", and that cannot be written to by anyone.  The "ls" program should
   be placed in this directory and changed to mode 111 (execute-only).  Also
   for "wu-ftpd" copy GNU's version of "tar" (gtar), "compress", "gzip", and
   "gunzip" into the "bin" directory under the "ftp" home directory.  This
   is necessary for wu-ftpd to compress and uncompress zipped files (*.Z, *.gz).
4. Create an "etc" directory in the "ftp" home directory that is owned by root,
   and that cannot be written to by anyone. Create special "passwd", "group",
   and "shadow" files in this directory and change the mode of these files
   to 444 (read-only).
5. Create a "pub" directory in the "ftp" home directory that is owned by root
   and is mode 755 (read, and execute).  This is the only directory
   where anonymous "ftp" users can store files.  If you don't want to allow
   remote users to store files on your server, change the mode of this directory
   to 444 (read-only).

wu-ftpd authenticates users according to four rules:

a. The user name must be in the password data base, /etc/passwd, and have a
   password that is not null.  A password must always be provided by the
   client before any file operations may be performed.
b. If the user name appears in the file /etc/ftpusers, ftp access is denied.
c. ftp access is denied if the user's shell (from /etc/passwd) is not listed
   in the file /etc/shells.  If the file /etc/shells does not exist, then the
   user's shell must be one of the following:
		/usr/bin/sh  /usr/bin/csh /usr/bin/ksh
		/usr/bin/jsh /bin/sh      /bin/csh	/sbin/bash
		/bin/ksh     /bin/jsh     /sbin/sh	/bin/bash
		/sbin/jsh    /usr/bin/bash   /usr/local/bin/bash
		/usr/bin/tcsh   /usr/local/bin/tcsh
d. If the user name is "anonymous" or "ftp", an entry for the user name ftp
   must be present in the password and shadow files.  The user is then
   allowed to log in by specifying any password; by convention this is given
   as the user's e-mail address (such as user@host.Sun.COM).  Do not specify
   a valid shell in the password entry of the ftp user, and do not give it a
   valid password (use NP in the encrypted password field of the shadow file).

IMPORTANT NOTE: The anonymous FTP root directory (~ftp) and its subdirectories 
should not be owned by the ftp account or be in the same group as
the ftp account.  This is a common configuration problem.  If any of 
these directories are owned by ftp or are in the same group as the 
ftp account and are not write protected, an intruder will be able to 
add files (such as a .rhosts file) or modify other files.  Many sites
find it acceptable to use the root account.  Making the ftp root 
directory and its subdirectories owned by root, part of the system 
group, and protected so that only root has write permission will help 
to keep your anonymous FTP service secure.

Here is an example of an anonymous FTP directory setup:

	drwxr-xr-x  7   root    sys  512 Mar 1       15:17 ./
	drwxr-xr-x 25   root    sys  512 Jan 4       11:30 ../
	drwxr-xr-x  2   root    sys  512 Dec 20      15:43 bin/
	drwxr-xr-x  2   root    sys  512 Mar 12      16:23 etc/
	drwxr-xr-x 10   root    sys  512 Jun 5       10:54 pub/

Files and libraries, especially those used by the FTP daemon and
those in ~ftp/bin and ~ftp/etc, should have the same protections
as these directories.  They should not be owned by ftp or be in the 
same group as the ftp account; and they should be write protected.
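The ownership and permission rules above can be checked mechanically rather
than by eye.  The following Bourne shell functions are an added example for
this guide (they are not part of the original text or of wu-ftpd): they report
every entry under an anonymous FTP root that is owned by the ftp UID, or that
is writable by group or others.  A directory with the sticky bit set is
skipped in the writable check, since that is how a deliberate incoming area
(mode 1733, see the security note later in this guide) is built.  The root
path and UID are parameters; the values in the usage comment are constructed
to match the guide's layout.

```shell
#!/bin/sh
# Added example: audit an anonymous FTP tree against the rules in this guide.
# Nothing here modifies the tree; it only reports.
#
# audit_ftp_tree ROOT FTPUID
#   Prints one line per violation:
#     PATH: owned by ftp uid           (entry owned by the anonymous account)
#     PATH: group or world writable    (entry that outsiders could modify)
#   Sticky-bit directories (mode 1733 incoming areas) are intentionally
#   writable and are skipped in the second check.
audit_ftp_tree() {
    root=$1
    ftpuid=$2
    # Anything owned by the ftp account can be altered by whoever is logged in
    # as anonymous, which is exactly what the note above says must not happen.
    # A numeric UID is accepted by find's -user test.
    find "$root" -user "$ftpuid" -print 2>/dev/null | sed 's/$/: owned by ftp uid/'
    # Group- or world-writable entries: -perm -020 and -perm -002 test the
    # individual write bits; -perm -1000 is the sticky bit.
    find "$root" \( -perm -020 -o -perm -002 \) ! \( -type d -perm -1000 \) -print 2>/dev/null \
        | sed 's/$/: group or world writable/'
}

# count_ftp_findings ROOT FTPUID
#   Number of violations, for use in scripts (0 means the tree passes).
count_ftp_findings() {
    audit_ftp_tree "$1" "$2" | wc -l | tr -d ' '
}

# Usage (constructed example path and UID, matching the guide's layout):
#   audit_ftp_tree /export/ftp 30000
```

Run it as root after the setup steps below, and again whenever files are
added to the tree; a non-empty report means something in ~ftp can be changed
by an anonymous user.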

THE FOLLOWING EXAMPLES SHOW EACH OF THESE STEPS.  First, create the "ftp"
home directory and the required subdirectories.  In our example, we create
the "ftp" directory under the "/export" directory:

	# mkdir -p /export/ftp
	# cd /export/ftp
	# pwd (should show /export/ftp)
	# mkdir bin etc pub

Then copy "ls" to /export/ftp/bin, and set the correct permissions:

	# cp /usr/bin/ls /export/ftp/bin
	# chmod 00111 /export/ftp/bin/ls

Copy "gzip", "gtar", "ls", "tar", "pipe", "compress", "cksum", and "md5sum" to
/export/ftp/bin, and set the correct permissions:

	# cp /usr/local/wu-ftpd-2.6.0/bin/gzip /export/ftp/bin
	# chmod 00111 /export/ftp/bin/gzip
	# cp /usr/local/wu-ftpd-2.6.0/bin/gtar /export/ftp/bin
	# chmod 00111 /export/ftp/bin/gtar
	# cp /usr/local/wu-ftpd-2.6.0/bin/tar /export/ftp/bin
	# chmod 00111 /export/ftp/bin/tar
	# cp /usr/local/wu-ftpd-2.6.0/bin/ls /export/ftp/bin
	# chmod 00111 /export/ftp/bin/ls
	# cp /usr/local/wu-ftpd-2.6.0/bin/pipe /export/ftp/bin
	# chmod 00111 /export/ftp/bin/pipe
	# cp /usr/local/wu-ftpd-2.6.0/bin/compress /export/ftp/bin
	# chmod 00111 /export/ftp/bin/compress
	# cp /usr/local/wu-ftpd-2.6.0/bin/cksum /export/ftp/bin
	# chmod 00111 /export/ftp/bin/cksum
	# cp /usr/local/wu-ftpd-2.6.0/bin/md5sum /export/ftp/bin
	# chmod 00111 /export/ftp/bin/md5sum

Create a "hard link" for "gunzip" to "gzip" and "uncompress" to "compress":

	# ln /export/ftp/bin/gzip /export/ftp/bin/gunzip
	# ln /export/ftp/bin/compress /export/ftp/bin/uncompress

NOTE: IF YOU DON'T HAVE "gzip" or "gtar" you can grab the source code from
GNU's main ftp site "prep.ai.mit.edu" under "/pub/gnu", or you can copy the
above files from the "/usr/local/wu-ftpd-2.6.0/bin" directory.

Create a group that will only be used by anonymous "ftp", a group that has no
other members.  In our example we create a group called "anonymous".  An entry
for this new group is added to the "/etc/group" file, and a file named
"/export/ftp/etc/group" is created that contains only this single entry:

	anonymous::30000:

If you're installing the ftp server on a Solaris system you can use the
"groupadd" command:

	# groupadd -g 30000 anonymous

Create a user account "ftp" by placing an entry for that user in the file
"/etc/passwd".  Also create a file named "/export/ftp/etc/passwd" that contains
only the "ftp" entry.  Here's the entry that was used in this file:

	ftp:x:30000:30000:Anonymous FTP:/export/ftp:/bin/true

After modifying "/etc/passwd" type "pwconv".  A line for user "ftp" will be
created within the "/etc/shadow" file.  Place "NP" within the encrypted
password field.  For example if the original line looks like this:

	ftp::10234::::::

place "NP" between the first 2 colons.  Now the line should look like this:

	ftp:NP:10234::::::

Replace the field "10234" with "6445".  Now the line should look like this:

	ftp:NP:6445::::::

Now create "/export/ftp/etc/passwd" and add the "ftp" entry only.
Modify the ftp line so that it is different from the line placed within
"/etc/passwd".  Add a root line within "/export/ftp/etc/passwd".  Add a
bogus user entry for the account that will own and maintain the files under
"~ftp/pub/*".  The three lines should look like the following:

	root:x:0:0:FTP Maintainer::
	agent007:x:20000:20000:Auteria Wally Winzer Jr.::
	ftp:x:30000:30000:Anonymous FTP::

Create "/export/ftp/etc/shadow" and add the "ftp", "root", and
"agent007" entries only.  Each line should look like the "ftp" line:

	root:NP:6445::::::
	agent007:NP:6445::::::
	ftp:NP:6445::::::

Copy "/etc/netconfig" to "/export/ftp/etc".

Make the directory "/export/ftp/etc/default".

Copy "/etc/default/init" to "/export/ftp/etc/default".

These examples use a GID of 30000 and a UID of 30000.  These are only examples;
pick a UID and GID that aren't used for anything else on your system.
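The copies of "passwd" and "shadow" under "~ftp/etc" exist only so that "ls -l"
can map UIDs and GIDs to names inside the chroot; anonymous users can read
them, so they must never carry a real password hash.  The following is an
added example for this guide (not part of the original text): a check that
scans a passwd- or shadow-format file and reports every entry whose password
field is anything other than a lock marker ("x", the "NP" this guide uses, "*"
or "*LK*").  The sample files it writes reproduce the guide's entries plus one
constructed leaky line; the hash value in it is made up.

```shell
#!/bin/sh
# Added example: make sure the passwd/shadow copies placed under ~ftp/etc
# expose no real password hashes.

# unsafe_password_fields FILE
#   Prints "user:field" for every entry whose second field is not an accepted
#   lock marker.  Blank lines and comments are ignored.
unsafe_password_fields() {
    awk -F: '
        $0 == "" || /^#/ { next }
        $2 != "x" && $2 != "NP" && $2 != "*" && $2 != "*LK*" { print $1 ":" $2 }
    ' "$1"
}

# chroot_cred_files_ok PASSWD SHADOW
#   Returns 0 when neither file exposes a hash, 1 otherwise (findings printed).
chroot_cred_files_ok() {
    findings=$( { unsafe_password_fields "$1"; unsafe_password_fields "$2"; } )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# write_sample_cred_files DIR
#   Constructed sample files: the guide's three entries, plus a "shadow.leaky"
#   file of the kind you would get by copying /etc/shadow wholesale.
write_sample_cred_files() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:FTP Maintainer::
agent007:x:20000:20000:Auteria Wally Winzer Jr.::
ftp:x:30000:30000:Anonymous FTP::
EOF
    cat > "$dir/shadow" <<'EOF'
root:NP:6445::::::
agent007:NP:6445::::::
ftp:NP:6445::::::
EOF
    # Constructed leaky copy; the hash below is a placeholder, not a real one.
    cat > "$dir/shadow.leaky" <<'EOF'
root:NP:6445::::::
wally:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:6445::::::
EOF
}

# Usage on a real tree (paths from the guide):
#   chroot_cred_files_ok /export/ftp/etc/passwd /export/ftp/etc/shadow
```

The same check is worth running against "~ftp/etc/group": the third field of
each line there should be empty, as in the guide's sample.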

A "cat" of the newly created "/export/ftp/etc/passwd", "/export/ftp/etc/group",
"/export/ftp/etc/netconfig", and "/export/ftp/etc/shadow" files shows
the following:

    # cat /export/ftp/etc/passwd
    root:x:0:0:FTP Maintainer::
    agent007:x:20000:20000:Auteria Wally Winzer Jr.::
    ftp:x:30000:30000:Anonymous FTP::
    # cat /export/ftp/etc/group
    root::0:
    filekeeper::20000:
    anonymous::30000:
    # cat /export/ftp/etc/netconfig
    udp        tpi_clts      v     inet    udp    /dev/udp        -
    tcp        tpi_cots_ord  v     inet    tcp    /dev/tcp        -
    rawip      tpi_raw       -     inet    -      /dev/rawip      -
    ticlts     tpi_clts      v    loopback -      /dev/ticlts     straddr.so
    ticotsord  tpi_cots_ord  v    loopback -      /dev/ticotsord  straddr.so
    ticots     tpi_cots      v    loopback -      /dev/ticots     straddr.so
    # cat /export/ftp/etc/shadow
    root:NP:6445::::::
    agent007:NP:6445::::::
    ftp:NP:6445::::::
    # cat /export/ftp/etc/default/init
    # @(#)init.dfl 1.2 92/11/26
    #
    # This file is /etc/default/init.  /etc/TIMEZONE is a symlink to this file.
    # This file looks like a shell script, but it is not.  To maintain
    # compatibility with old versions of /etc/TIMEZONE, some shell constructs
    # (i.e., export commands) are allowed in this file, but are ignored.
    #
    # Lines of this file should be of the form VAR=value, where VAR is one of
    # TZ, LANG, or any of the LC_* environment variables.
    #
    TZ=US/Pacific

After the edits are complete, set the files to mode 444 and the "default"
directory to mode 111:

	# chmod 444 /export/ftp/etc/passwd
	# chmod 444 /export/ftp/etc/group
	# chmod 444 /export/ftp/etc/netconfig
	# chmod 444 /export/ftp/etc/shadow
	# chmod 444 /export/ftp/etc/default/init
	# chmod 111 /export/ftp/etc/default

Set the correct ownership and mode for each of the directories:

	# cd /export/ftp
	# pwd (should show /export/ftp)
NOTE: make the "pub" directory 2555, i.e. set-group-id, so that new files are
created with the same group ownership:
	# chmod 2555 pub
	# chmod 111 bin
	# chmod 111 etc
	# chown root *
	# chgrp root *
	# chown root .
	# chgrp root .
	# chmod 755 .

NOTE----NOTE----NOTE----NOTE----NOTE----NOTE----NOTE----NOTE----NOTE----NOTE----
*** Neither the home directory (~ftp) nor any directory below it should be
owned by ftp!  No files should be owned by ftp either.  Modern ftp daemons
support all kinds of useful commands, such as chmod, that allow outsiders to
undo your careful permission settings.  They also have configuration options
like the following (WuFTP) to disable them:

(NOTE: ENTRY OF "ftpaccess" for WuFTP)
# all the following default to "yes" for everybody
delete          no      guest,anonymous         # delete permission?
overwrite       no      guest,anonymous         # overwrite permission?
rename          no      guest,anonymous         # rename permission?
chmod           no      anonymous               # chmod permission?
umask           no      anonymous               # umask permission?

IMPORTANT SECURITY NOTE:
If you wish to have a place for anonymous users to leave files, create
the directory ~ftp/pub/incoming.  This directory is owned by root with
permissions 733.  Do a 'chmod +t ~ftp/pub/incoming'.  The ftp daemon will
normally not allow an anonymous user to overwrite an existing file, but a
normal user of the system would be able to delete anything.  By setting the
mode to '1733' you prevent this from happening.  In wuftpd you may configure
the daemon to create new files with permissions '600' owned by root or any
other user.  Many times, incoming directories are abused by exchanging pirated
and pornographic material.  Abusers often create hidden directories there for
this purpose.  Making the incoming directory unreadable by anonymous ftp helps
to some extent.  With ordinary ftp servers there is no way to prevent
directories being created in incoming. The WUarchive ftp server can limit
uploads to certain directories and can restrict characters used in file names
like this:

(NOTE: ENTRY OF "ftpaccess" for WuFTP)
# specify the upload directory information
upload  /export/ftp  *       no
upload  /export/ftp  /incoming       yes     ftp     anonymous   0600    nodirs

# path filters...
path-filter  anonymous  /usr/local/etc/msgs/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
path-filter  guest      /usr/local/etc/msgs/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
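To see which upload names the two path-filter lines above accept, here is an
added example for this guide (not code from wu-ftpd or from the original text)
that applies the same rule in a shell function: a name passes only if it
matches the allowed expression and matches none of the disallowed ones.  The
expressions are the ones from the ftpaccess sample; the character class is
written as [-A-Za-z0-9_.] because a backslash inside an ERE bracket expression
is literal, and the sample names are constructed.

```shell
#!/bin/sh
# Added example: evaluate candidate upload names against the path-filter
# rule above, the way wu-ftpd does for the anonymous and guest classes.

PF_ALLOWED='^[-A-Za-z0-9_.]*$'   # the name must match this ...
PF_DENIED='^\. ^-'               # ... and must match none of these (space separated)

# path_filter_ok NAME: exit 0 if NAME passes, 1 if the upload would be refused.
path_filter_ok() {
    name=$1
    printf '%s\n' "$name" | grep -Eq "$PF_ALLOWED" || return 1
    for pat in $PF_DENIED; do
        # names starting with "." (hidden) or "-" (looks like an option) are refused
        printf '%s\n' "$name" | grep -Eq "$pat" && return 1
    done
    return 0
}

# path_filter_report NAME...: prints "ACCEPT name" or "REJECT name" per argument.
path_filter_report() {
    for n in "$@"; do
        if path_filter_ok "$n"; then
            printf 'ACCEPT %s\n' "$n"
        else
            printf 'REJECT %s\n' "$n"
        fi
    done
}

# Constructed sample names covering the cases the note above warns about
# (hidden directories, option-like names, spaces, path separators):
#   path_filter_report README.txt archive.tar.gz .hidden -rf 'two words' .. sub/dir
```

Because "/" is not in the allowed class, a name that tries to reach into a
subdirectory is refused as well, which is what keeps "nodirs" on the upload
line from being bypassed by a crafted file name.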

If you have wuftpd you may want to add some ftp extensions like
compression/decompression 'on the fly' or creation of tar files for the
directory hierarchies.  Get the appropriate sources (gzip, gnutar, compress),
compile them and link statically, put in the ~ftp/bin directory and edit the
appropriate file containing the definitions of the allowed conversions.
/usr/bin/tar is already statically-linked.  You may wish to use gnu tar
anyway:

[NOTE: Copy the program "pipe" from "/usr/local/wu-ftpd-2.6.0/bin"
       into "~ftp/bin".  This is needed for piping two commands into one.]
(SAMPLE "fileconversions")
#strip prefix:strip postfix:addon prefix:addon postfix:external command:
#types:options:description
 :.Z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
 :-z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
 :  :  :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
 :  :  :.tar:/bin/tar cf - %s:T_REG|T_DIR:O_TAR:TAR
 :  :  :.tar.Z:/bin/pipe /bin/tar cf - %s | /bin/compress -c:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
 :  :  :.tar:/bin/gtar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 :  :  :.tar.Z:/bin/gtar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
 :  :  :.tar.gz:/bin/gtar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP

	# touch /var/mail/ftp
	# chmod 600 /var/mail/ftp

For most UNIX systems, the installation is complete.  But if you have a Sun
system, a few more steps are necessary.  The dynamic linking used in
SunOS 5.x (Solaris 2.x) requires that the "ftp" home directory contains:

1. The runtime linker
2. The Shared C Library
3. /dev/zero, /dev/tcp, /dev/udp, /dev/ticotsord, /dev/null, /dev/ticlts,
   and /dev/ticots
4. zoneinfo files

These Sun-specific steps are shown in the following examples.  First create the
directory "/export/ftp/usr/lib", then copy the files "ld.so", "libc.so.*",
"libdl.so*", "libintl.so.*", "libw.so.*", "libnsl.so.*", "libsocket.so.*",
"nss_nis.so*", "nss_nisplus.so*", "nss_dns.so*", "nss_files.so*", and
"straddr.so*" into the new directory, and set the file permissions:

	# cd /export/ftp
	# pwd (should show /export/ftp)
	# mkdir -p usr/lib
	# cp /usr/lib/ld.so* usr/lib
	# cp /usr/lib/libc.so.* usr/lib
	# cp /usr/lib/libdl.so.* usr/lib
	# cp /usr/lib/libintl.so.* usr/lib
	# cp /usr/lib/libw.so.* usr/lib
	# cp /usr/lib/libnsl.so.* usr/lib
	# cp /usr/lib/libsocket.so.* usr/lib
	# cp /usr/lib/nss_nis.so* usr/lib
	# cp /usr/lib/nss_nisplus.so* usr/lib
	# cp /usr/lib/nss_dns.so* usr/lib
	# cp /usr/lib/nss_files.so* usr/lib
	# cp /usr/lib/straddr.so* usr/lib
	# cd usr/lib
	# pwd (should show /export/ftp/usr/lib)
	# rm -f ld.so straddr.so
	# ln -s ./ld.so.1 ld.so
	# ln -s ./straddr.so.2 straddr.so
	# chmod 555 *
	# chgrp root *
	# cd ..
	# pwd (should show /export/ftp/usr)
	# chmod 111 lib
	# cd ..
	# pwd (should show /export/ftp)
	# chmod 111 usr

Next, create the "/export/ftp/dev" directory.  Perform ls -lL on the device
files listed below to determine their major and minor numbers, then use mknod
to create them in this directory:

	# cd /export/ftp
	# pwd (should show /export/ftp)
	# mkdir dev
	# chmod 111 dev
	# cd dev
	# pwd (should show /export/ftp/dev)
	# ls -lL /dev/null /dev/zero /dev/tcp /dev/udp /dev/ticotsord \
	/dev/ticlts /dev/ticots
	  (AN EXAMPLE OUTPUT WILL LOOK LIKE THE FOLLOWING:)

	crw-rw-rw-   1 root     sys       13,   2 Jun  2 20:28 /dev/null
	crw-rw-rw-   1 root     sys       11,  42 Apr 16  1997 /dev/tcp
	crw-rw-rw-   1 root     sys      105,   2 Aug 20  1997 /dev/ticlts
	crw-rw-rw-   1 root     sys      105,   0 Aug 20  1997 /dev/ticots
	crw-rw-rw-   1 root     sys      105,   1 Aug 20  1997 /dev/ticotsord
	crw-rw-rw-   1 root     sys       11,  41 Apr 16  1997 /dev/udp
	crw-rw-rw-   1 root     sys       13,  12 Apr 16  1997 /dev/zero

	# mknod null c 13 2
	# mknod tcp c 11 42
	# mknod ticlts c 105 2
	# mknod ticots c 105 0
	# mknod ticotsord c 105 1
	# mknod udp c 11 41
	# mknod zero c 13 12
	# chmod 00666 null tcp ticlts ticots ticotsord udp zero
	# chgrp sys null tcp ticlts ticots ticotsord udp zero

Create the directory "/export/ftp/usr/share/lib/zoneinfo".  Make this
directory mode 555 and owned by the super-user.  Copy its contents from
/usr/share/lib/zoneinfo.  This enables ls -l to display time and date
stamps correctly:

	# mkdir -p /export/ftp/usr/share/lib/zoneinfo
	# cd /export/ftp/usr
	# pwd (should show /export/ftp/usr)
	# chgrp sys share
	# chmod 555 share
	# cd share
	# pwd (should show /export/ftp/usr/share)
	# chgrp sys lib
	# chmod 555 lib
	# cd lib
	# pwd (should show /export/ftp/usr/share/lib)
	# chgrp bin zoneinfo
	# chmod 555 zoneinfo
	# cd zoneinfo
	# pwd (should show /export/ftp/usr/share/lib/zoneinfo)
	# cp /usr/share/lib/zoneinfo/* .

NOTE: FOLLOW THE NEXT SET OF INSTRUCTIONS IF YOU'RE USING Wu-FTP, OTHERWISE
      GO ON TO THE "Setting up wu-ftpd..." SECTION:

<==============================================================================>
Modify the "in.ftpd" line in the "/etc/inetd.conf" file.  Change the location
of the newly installed "wu-ftpd" (in.ftpd) if the location is different than
the vendor's version (/usr/sbin/in.ftpd) [THIS PARTICULAR WUARCHIVE PACKAGE
INSTALLS Wu-FTP IN /usr/local/sbin/in.ftpd].  Change "/usr/sbin/in.ftpd" to
"/usr/local/sbin/in.ftpd".  In the last field change "in.ftpd" to "in.ftpd -a".
The "-a" option is necessary in order for wu-ftpd to read the "ftpaccess" file.
<==============================================================================>
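The inetd.conf change above can be applied to a copy of the file and verified
before inetd is told to re-read it.  The following shell functions are an added
example for this guide (not part of the original text): they rewrite the "ftp"
service line to the wu-ftpd binary with "-a", report whether the active line
already has that form, and comment the line out for the stand-alone daemon
case described at the top of this guide.  The two-service sample file is
constructed in the Solaris inetd.conf layout; the binary paths and the "-a"
option are the ones this guide names.

```shell
#!/bin/sh
# Added example: apply and verify the inetd.conf edit for wu-ftpd.  Each
# function reads FILE and writes the result to stdout; nothing edits in place.

# point_ftp_at_wuftpd FILE
#   On the "ftp" service line only: /usr/sbin/in.ftpd becomes
#   /usr/local/sbin/in.ftpd, and the server arguments gain "-a" so that
#   wu-ftpd reads ftpaccess.  Other services are untouched.
point_ftp_at_wuftpd() {
    sed -e '/^ftp[[:space:]]/ s|/usr/sbin/in\.ftpd|/usr/local/sbin/in.ftpd|' \
        -e '/^ftp[[:space:]]/ s|[[:space:]]in\.ftpd$| in.ftpd -a|' "$1"
}

# ftp_line_reads_ftpaccess FILE
#   Exit 0 when the active (uncommented) ftp line runs the wu-ftpd binary with
#   -a, 1 otherwise.  Useful as a post-edit check.
ftp_line_reads_ftpaccess() {
    grep -Eq '^ftp[[:space:]].*/usr/local/sbin/in\.ftpd[[:space:]]+in\.ftpd[[:space:]]+-a([[:space:]]|$)' "$1"
}

# disable_inetd_ftp FILE
#   Comments out the ftp line, the step required before running the
#   stand-alone daemon via /etc/init.d/wuftpd.
disable_inetd_ftp() {
    sed -e 's/^ftp[[:space:]]/#&/' "$1"
}

# write_sample_inetd_conf FILE: constructed two-service sample in Solaris layout.
write_sample_inetd_conf() {
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/in.ftpd\tin.ftpd\n' > "$1"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/in.telnetd\tin.telnetd\n' >> "$1"
}

# Usage on a real system (as root), keeping the original until verified:
#   point_ftp_at_wuftpd /etc/inetd.conf > /etc/inetd.conf.new
#   ftp_line_reads_ftpaccess /etc/inetd.conf.new && mv /etc/inetd.conf.new /etc/inetd.conf
```

After replacing the file, send inetd a SIGHUP as the note at the top of this
guide says, so the new line takes effect.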

Setting up wu-ftpd -OR- ftpd (the vendor's version shipped with Solaris) by hand
gives you the ability to understand and perform manually the necessary steps to
configure and set up the FTP server.  If you wish to save time you can use
the following shell script that will set up the anonymous ftp area.
It presumes that names are resolved using NIS.  This script is only
applicable for Solaris 2.5.1 and 2.6:

------------Cut Here------------
#!/bin/sh
# script to setup anonymous ftp area
#

# verify you are root
/usr/bin/id | grep -w 'uid=0' >/dev/null 2>&1
if [ "$?" != "0" ]; then
        echo \"$0\" must be run as root.
        exit 1
fi

# handle the optional command line argument
case $# in

   # the default location for the anon ftp comes from the passwd file
   0) ftphome="`getent passwd ftp | cut -d: -f6`"
      ;;

   1) if [ "$1" = "start" ]; then
         ftphome="`getent passwd ftp | cut -d: -f6`"
      else
         ftphome=$1
      fi
      ;;

   *) echo "Usage: $0 [anon-ftp-root]"
      exit 1
      ;;
esac

if [ -z "${ftphome}" ]; then
   echo "$0: ftphome must be non-null"
   exit 2
fi

case ${ftphome} in
        /*) # ok
            ;;

        *) echo "$0: ftphome must be an absolute pathname"
           exit 1
           ;;
esac      

# This script assumes that ftphome is neither / nor /usr so ...
if [ -z "${ftphome}" -o "${ftphome}" = "/" -o "${ftphome}" = "/usr" ]; then
   echo "$0: ftphome must be non-null and neither / nor /usr"
   exit 2
fi

# If ftphome does not exist but parent does, create ftphome
if [ ! -d ${ftphome} ]; then
    # lack of -p below is intentional
    mkdir ${ftphome}
fi
echo Setting up anonymous ftp area ${ftphome}

# Ensure that the /usr directory exists
if [ ! -d ${ftphome}/usr ]; then
    mkdir -p ${ftphome}/usr
fi
chown root ${ftphome}
chmod 555 ${ftphome}

# Now set the ownership and modes to match the man page
chown root ${ftphome}/usr
chmod 555 ${ftphome}/usr

# Ensure that the /usr/bin directory exists
if [ ! -d ${ftphome}/usr/bin ]; then
    mkdir -p ${ftphome}/usr/bin
fi
# Now set the ownership and modes to match the man page
chown root ${ftphome}/usr/bin
chmod 555 ${ftphome}/usr/bin

# this may not be the right thing to do
# but we need the bin -> usr/bin link
rm -f ${ftphome}/bin
ln -s usr/bin ${ftphome}/bin


# Ensure that the /usr/lib and /etc directories exist
if [ ! -d ${ftphome}/usr/lib ]; then
    mkdir -p ${ftphome}/usr/lib
fi
chown root ${ftphome}/usr/lib
chmod 555 ${ftphome}/usr/lib

if [ ! -d ${ftphome}/etc ]; then
    mkdir -p ${ftphome}/etc
fi
chown root ${ftphome}/etc
chmod 555 ${ftphome}/etc

# a list of all the commands that should be copied to ${ftphome}/usr/bin
# /usr/bin/ls is needed at a minimum.
ftpcmd=" 
        /usr/bin/ls
"

# ${ftphome}/usr/lib needs to have all the libraries needed by the above
# commands, plus the runtime linker, and some name service libraries
# to resolve names. We just take all of them here.

ftplib="`ldd $ftpcmd | nawk '$3 ~ /lib/ { print $3 }' | sort | uniq`"
ftplib="$ftplib /usr/lib/nss_* /usr/lib/straddr* /usr/lib/libmp.so*"
ftplib="$ftplib /usr/lib/libnsl.so.1 /usr/lib/libsocket.so.1
/usr/lib/ld.so.1"
ftplib="`echo $ftplib | tr ' ' '\n' | sort | uniq`"

cp ${ftplib} ${ftphome}/usr/lib
chmod 555 ${ftphome}/usr/lib/*

cp ${ftpcmd} ${ftphome}/usr/bin
chmod 111 ${ftphome}/usr/bin/* 

# you also might want to have separate minimal versions of passwd and group
cp /etc/passwd /etc/group /etc/netconfig ${ftphome}/etc
chmod 444 ${ftphome}/etc/*

# need /etc/default/init for timezone to be correct 
if [ ! -d ${ftphome}/etc/default ]; then 
        mkdir ${ftphome}/etc/default 
fi
chown root ${ftphome}/etc/default    
chmod 555 ${ftphome}/etc/default
cp /etc/default/init ${ftphome}/etc/default  
chmod 444 ${ftphome}/etc/default/init 

# Copy timezone database into the ftp area, preserving the directory layout
mkdir -p ${ftphome}/usr/share/lib/zoneinfo
(cd ${ftphome}/usr/share/lib/zoneinfo
 (cd /usr/share/lib/zoneinfo; find . -print | cpio -o) 2>/dev/null | cpio -imdu 2>/dev/null

  find . -print | xargs chmod 555
  find . -print | xargs chown root
)

# Ensure that the /dev directory exists
if [ ! -d ${ftphome}/dev ]; then
    mkdir -p ${ftphome}/dev
fi

# make device nodes. ticotsord and udp are necessary for
# 'ls' to resolve NIS names.

for device in zero tcp udp ticotsord ticlts
do
   line=`ls -lL /dev/${device} | sed -e 's/,//'`
   major=`echo $line | awk '{print $5}'`
   minor=`echo $line | awk '{print $6}'`
   rm -f ${ftphome}/dev/${device}
   mknod ${ftphome}/dev/${device} c ${major} ${minor}
done

chmod 666 ${ftphome}/dev/*

## Now set the ownership and modes
chown root ${ftphome}/dev
chmod 555 ${ftphome}/dev

# uncomment the below if you want a place for people to store things,
# but beware the security implications: the notes above call for a
# root-owned "pub" directory (mode 2555), not one owned by ftp
# if [ ! -d ${ftphome}/pub ]; then
#    mkdir -p ${ftphome}/pub
# fi
# chown ftp ${ftphome}/pub
# chmod 1777 ${ftphome}/pub

# added pam libs for 2.6
# mkdir -p ${ftphome}/usr/lib/security
# cp /etc/pam.conf ${ftphome}/etc
# cp /usr/lib/security/pam_unix.so.1 ${ftphome}/usr/lib/security
------------Cut Here------------

AUTERIA "WALLY" WINZER JR.
