20. Major Servers
Major servers are the programs that provide content or services to users or other programs.
20.1 Apache-2.4.55
Introduction to Apache HTTPD
The Apache HTTPD package contains an open-source HTTP server. It is useful for creating local intranet web sites or running huge web serving operations.
This package is known to build and work properly using an LFS 11.3 platform.
Package Information
-
Download (HTTP): https://archive.apache.org/dist/httpd/httpd-2.4.55.tar.bz2
-
Download MD5 sum: b6a8b9d8741db43cf5b4dd8e9bdb0ce7
-
Download size: 7.1 MB
-
Estimated disk space required: 87 MB
-
Estimated build time: 0.3 SBU (Using parallelism=4)
Additional Downloads
Apache HTTPD Dependencies
Required
Apr-Util-1.6.3 and pcre2-10.42
Optional
Brotli-1.0.9, Berkeley DB-5.3.28, Doxygen-1.9.6, libxml2-2.10.3, Lua-5.4.4, Lynx-2.8.9rel.1 or Links-2.28 or ELinks, nghttp2-1.52.0, OpenLDAP-2.6.4 (Apr-Util-1.6.3 needs to be installed with ldap support), rsync-3.2.7, and Distcache
User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/apache
Installation of Apache HTTPD
For security reasons, running the server as an unprivileged user and group is strongly encouraged. Create the following group and user using the following commands as root:
groupadd -g 25 apache &&
useradd -c "Apache Server" -d /srv/www -g apache \
-s /bin/false -u 25 apache
Build and install Apache HTTPD by running the following commands:
patch -Np1 -i ../httpd-2.4.55-blfs_layout-1.patch &&
sed '/dir.*CFG_PREFIX/s@^@#@' -i support/apxs.in &&
sed -e '/HTTPD_ROOT/s:${ap_prefix}:/etc/httpd:' \
-e '/SERVER_CONFIG_FILE/s:${rel_sysconfdir}/::' \
-e '/AP_TYPES_CONFIG_FILE/s:${rel_sysconfdir}/::' \
-i configure &&
./configure --enable-authnz-fcgi \
--enable-layout=BLFS \
--enable-mods-shared="all cgi" \
--enable-mpms-shared=all \
--enable-suexec=shared \
--with-apr=/usr/bin/apr-1-config \
--with-apr-util=/usr/bin/apu-1-config \
--with-suexec-bin=/usr/lib/httpd/suexec \
--with-suexec-caller=apache \
--with-suexec-docroot=/srv/www \
--with-suexec-logfile=/var/log/httpd/suexec.log \
--with-suexec-uidmin=100 \
--with-suexec-userdir=public_html &&
make
This package does not come with a test suite.
Now, as the root user:
make install &&
mv -v /usr/sbin/suexec /usr/lib/httpd/suexec &&
chgrp apache /usr/lib/httpd/suexec &&
chmod 4754 /usr/lib/httpd/suexec &&
chown -v -R apache:apache /srv/www
Command Explanations
sed ‘/dir.*CFG_PREFIX/s@^@#@’…: Forces the apxs utility to use absolute pathnames for modules, when instructed to do so.
--enable-authnz-fcgi: Build FastCGI authorizer-based authentication and authorization (mod_authnz_fcgi.so fast CGI module).
--enable-mods-shared="all cgi": The modules should be compiled and used as Dynamic Shared Objects (DSOs) so they can be included and excluded from the server using the run-time configuration directives.
--enable-mpms-shared=all: This switch ensures that all MPM (Multi Processing Modules) are built as Dynamic Shared Objects (DSOs), so the user can choose which one to use at runtime.
--enable-suexec: This switch enables building of the Apache suEXEC module which can be used to allow users to run CGI and SSI scripts under user IDs different from the user ID of the calling web server.
--with-suexec-*: These switches control suEXEC module behavior, such as default document root, minimal UID that can be used to run the script under the suEXEC. Please note that with minimal UID 100, you can’t run CGI or SSI scripts under suEXEC as the apache user.
… /usr/lib/httpd/suexec: These commands put suexec wrapper into proper location, since it is not meant to be run directly. They also adjust proper permissions of the binary, making it setgid apache.
chown -R apache:apache /srv/www: By default, the installation process installs files (documentation, error messages, default icons, etc.) with the ownership of the user that extracted the files from the tar file. If you want to change the ownership to another user, you should do so at this point. The only requirement is that the document directories need to be accessible by the httpd process with (r-x) permissions and files need to be readable (r–) by the apache user.
Configuring Apache
Config Files
/etc/httpd/httpd.conf and /etc/httpd/extra/*
Configuration Information
See file:///usr/share/httpd/manual/configuring.html for detailed instructions on customising your Apache HTTP server configuration file.
Systemd Unit
If you want the Apache server to start automatically when the system is booted, install the httpd.service unit included in the blfs-systemd-units-20220720 package:
make install-httpd
Contents
Installed Programs: ab, apachectl, apxs, checkgid, dbmmanage, fcgistarter, htcacheclean, htdbm, htdigest, htpasswd, httpd, httxt2dbm, logresolve, and rotatelogs
Installed Libraries: Several libraries under /usr/lib/httpd/modules/
Installed Directories: /etc/httpd, /srv/www, /usr/include/httpd, /usr/lib/httpd, /usr/share/httpd, /var/log/httpd, and /var/run/httpd
Short Descriptions
ab is a tool for benchmarking your Apache HTTP server.
apachectl is a front end to the Apache HTTP server which is designed to help the administrator control the functioning of the Apache httpd daemon.
apxs is a tool for building and installing extension modules for the Apache HTTP server.
checkgid is a program that checks whether it can setgid to the group specified. This is to see if it is a valid group for Apache2 to use at runtime. If the user (should be run as superuser) is in that group, or can setgid to it, it will return 0.
dbmmanage is used to create and update the DBM format files used to store usernames and passwords for basic authentication of HTTP users.
fcgistarter is a tool to start a FastCGI program.
htcacheclean is used to clean up the disk cache.
htdbm is used to manipulate the DBM password databases.
htdigest is used to create and update the flat-files used to store usernames, realms and passwords for digest authentication of HTTP users.
htpasswd is used to create and update the flat-files used to store usernames and passwords for basic authentication of HTTP users.
httpd is the Apache HTTP server program.
httxt2dbm is used to generate DBM files from text, for use in RewriteMap.
logresolve is a post-processing program to resolve IP-addresses in Apache’s access log files.
rotatelogs is a simple program for use in conjunction with Apache’s piped log file feature.
suexec allows users to run CGI and SSI applications as a different user.
20.2 BIND-9.18.12
Introduction to BIND
The BIND package provides a DNS server and client utilities. If you are only interested in the utilities, refer to the BIND Utilities-9.18.12.
This package is known to build and work properly using an LFS 11.3 platform.
Package Information
-
Download (HTTP): https://ftp.isc.org/isc/bind9/9.18.12/bind-9.18.12.tar.xz
-
Download (FTP): ftp://ftp.isc.org/isc/bind9/9.18.12/bind-9.18.12.tar.xz
-
Download MD5 sum: 101a5d919a8d7da1ae98f36e36d1dc9f
-
Download size: 5.2 MB
-
Estimated disk space required: 143 MB (26 MB installed)
-
Estimated build time: 0.4 SBU (with parallelism=4; about 40 minutes somewhat processor independent, to run the complete test suite)
BIND Dependencies
Required
Recommended
JSON-C-0.16 and libcap-2.67 with PAM
Optional
cURL-7.88.1, libidn2-2.3.4, libxml2-2.10.3, lmdb-0.9.29, MIT Kerberos V5-1.20.1, pytest-7.2.1, sphinx-6.1.3 (required to build documentation), cmocka, geoip, w3m
Optional database backends
Berkeley DB-5.3.28, MariaDB-10.6.12 or MySQL, OpenLDAP-2.6.4, PostgreSQL-15.2, and unixODBC-2.3.11
Optional (to run the test suite)
User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/bind
Installation of BIND
Install BIND by running the following commands:
./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/share/man \
--disable-static &&
make
Issue the following commands to run the complete suite of tests. First, as the root user, set up some test interfaces:
Note
If IPv6 is not enabled in the kernel, there will be several error messages: “RTNETLINK answers: Operation not permitted”. These messages do not affect the tests.
bin/tests/system/ifconfig.sh up
The test suite may indicate some skipped tests depending on what configuration options are used. Some tests are marked “UNTESTED” or do even fail if Net-DNS-1.36 is not installed. To run the tests, as an unprivileged user, execute:
make -k check
Again as root, clean up the test interfaces:
bin/tests/system/ifconfig.sh down
Finally, install the package as the root user:
make install
Command Explanations
--sysconfdir=/etc: This parameter forces BIND to look for configuration files in /etc instead of /usr/etc.
--with-libidn2: This parameter enables the IDNA2008 (Internationalized Domain Names in Applications) support.
--enable-fetchlimit: Use this option if you want to be able to limit the rate of recursive client queries. This may be useful on servers which receive a large number of queries.
--disable-linux-caps: BIND can also be built without capability support by using this option, at the cost of some loss of security.
--with-dlz-{mysql,bdb,filesystem,ldap,odbc,stub}: Use one (or more) of those options to add Dynamically Loadable Zones support. For more information refer to bind-dlz.sourceforge.net.
--disable-static: This switch prevents installation of static versions of the libraries.
Configuring BIND
Config files
named.conf, root.hints, 127.0.0, rndc.conf, and resolv.conf
Configuration Information
BIND will be configured to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user’s HOME directory.
Create the unprivileged user and group named:
groupadd -g 20 named &&
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
install -d -m770 -o named -g named /srv/named
Set up some files, directories and devices needed by BIND:
mkdir -p /srv/named &&
cd /srv/named &&
mkdir -p dev etc/named/{slave,pz} usr/lib/engines var/run/named &&
mknod /srv/named/dev/null c 1 3 &&
mknod /srv/named/dev/urandom c 1 9 &&
chmod 666 /srv/named/dev/{null,urandom} &&
cp /etc/localtime etc
The rndc.conf file contains information for controlling named operations with the rndc utility. Generate a key for use in the named.conf and rndc.conf with the rndc-confgen command:
rndc-confgen -a -b 512 -t /srv/named
Complete the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys:
cat >> /srv/named/etc/named.conf << "EOF"
options {
directory "/etc/named";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
};
zone "." {
type hint;
file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
};
// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.
logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
channel default_syslog {
syslog daemon; // send to syslog's daemon
// facility
severity info; // only send priority info
// and higher
};
channel default_debug {
file "named.run"; // write to named.run in
// the working directory
// Note: stderr is used instead
// of "named.run"
// if the server is started
// with the '-f' option.
severity dynamic; // log at the server's
// current debug level
};
channel default_stderr {
stderr; // writes to stderr
severity info; // only send priority info
// and higher
};
channel null {
null; // toss anything sent to
// this channel
};
};
EOF
Create a zone file with the following contents:
cat > /srv/named/etc/named/pz/127.0.0 << "EOF"
$TTL 3D
@ IN SOA ns.local.domain. hostmaster.local.domain. (
1 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ns.local.domain.
1 PTR localhost.
EOF
Create the root.hints file with the following commands:
Note
Caution must be used to ensure there are no leading spaces in this file.
cat > /srv/named/etc/named/root.hints << "EOF"
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
A.ROOT-SERVERS.NET. 6D IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 6D IN A 199.9.14.201
B.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:200::b
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
C.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:2::c
D.ROOT-SERVERS.NET. 6D IN A 199.7.91.13
D.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:2d::d
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
E.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:a8::e
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
F.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
G.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:12::d0d
H.ROOT-SERVERS.NET. 6D IN A 198.97.190.53
H.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:1::53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
I.ROOT-SERVERS.NET. 6D IN AAAA 2001:7fe::53
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
J.ROOT-SERVERS.NET. 6D IN AAAA 2001:503:c27::2:30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
K.ROOT-SERVERS.NET. 6D IN AAAA 2001:7fd::1
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
L.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:9f::42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
M.ROOT-SERVERS.NET. 6D IN AAAA 2001:dc3::35
EOF
The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. A current copy of root.hints can be obtained from https://www.internic.net/domain/named.root. For details, consult the “BIND 9 Administrator Reference Manual”.
Create or modify resolv.conf to use the new name server with the following commands:
Note
Replace <yourdomain.com> with your own valid domain name.
cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search <yourdomain.com>
nameserver 127.0.0.1
EOF
Set permissions on the chroot jail with the following command:
chown -R named:named /srv/named
Systemd Unit
To start the DNS server at boot, install the named.service unit included in the blfs-systemd-units-20220720 package:
make install-named
Now start BIND with the following command:
systemctl start named
Testing BIND
Test out the new BIND 9 installation. First query the local host address with dig:
dig -x 127.0.0.1
Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address:
dig www.linuxfromscratch.org &&
dig www.linuxfromscratch.org
You can see almost instantaneous results with the named caching lookups. Consult the BIND Administrator Reference Manual (see below) for further configuration options.
Administrator Reference Manual (ARM)
The ARM documentation (do not confuse with the processor architecture) is included in the source package. The documentation is in .rst format which means, it can be converted in human readable formats if sphinx-6.1.3 is installed.
When BIND is set up, especially when to operate in a real live scenario, it is highly recommended to consult the ARM documentation. ISC provides an updated set of excellent documentation along with every release so it can be easily viewed and/or downloaded – so there is no excuse to not read the docs. The formats ISC provides are PDF, epub and html at https://downloads.isc.org/isc/bind9/9.18.12/doc/arm/.
Contents
Installed Programs: arpaname, ddns-confgen, delv, dig, dnssec-cds, dnssec-checkds, dnssec-coverage, dnssec-dsfromkey, dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen, dnssec-keymgr, dnssec-revoke, dnssec-settime, dnssec-signzone, dnssec-verify, host, mdig, named, named-checkconf, named-checkzone, named-compilezone (symlink), named-journalprint, named-nzd2nzf, named-rrchecker, nsec3hash, nslookup, nsupdate, rndc, rndc-confgen, and tsig-keygen (symlink)
Installed Libraries: libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so, libisccfg.so, and libns.so
Installed Directories: /usr/include/{bind9,dns,dst,irs,isc,isccc,isccfg,ns,pk11,pkcs11}, /usr/lib/named, /usr/lib/python3.11/site-packages/isc, and /srv/named
Short Descriptions
arpaname translates IP addresses to the corresponding ARPA names.
ddns-confgen generates a key for use by nsupdate and named.
delv is a new debugging tool that is a successor to dig.
dig interrogates DNS servers.
dnssec-cds changes DS records for a child zone based on CDS/CDNSKEY.
dnssec-checkds is a DNSSEC delegation consistency checking tool.
dnssec-coverage verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage.
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR).
dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files.
dnssec-keyfromlabel gets keys with the given label from a cryptography hardware device and builds key files for DNSSEC.
dnssec-keygen is a key generator for secure DNS.
dnssec-keymgr ensures correct DNSKEY coverage based on a defined policy.
dnssec-revoke sets the REVOKED bit on a DNSSEC key.
dnssec-settime sets the key timing metadata for a DNSSEC key.
dnssec-signzone generates signed versions of zone files.
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
host is a utility for DNS lookups.
mdig is a version of dig that allows multiple queries at once.
named is the name server daemon.
named-checkconf checks the syntax of named.conf files.
named-checkzone checks zone file validity.
named-compilezone is similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format.
named-journalprint prints the zone journal in human-readable form.
named-rrchecker reads an individual DNS resource record from standard input and checks if it is syntactically correct.
named-nzd2nzf converts an NZD database to NZF text format.
nsec3hash generates an NSEC3 hash based on a set of NSEC3 parameters.
nslookup is a program used to query Internet domain nameservers.
nsupdate is used to submit DNS update requests.
rndc controls the operation of BIND.
rndc-confgen generates rndc.conf files.
tsig-keygen is a symlink to ddns-confgen.
20.3 ProFTPD-1.3.8
Introduction to ProFTPD
The ProFTPD package contains a secure and highly configurable FTP daemon. This is useful for serving large file archives over a network.
This package is known to build and work properly using an LFS 11.3 platform.
Package Information
-
Download (HTTP): https://github.com/proftpd/proftpd/archive/v1.3.8/proftpd-1.3.8.tar.gz
-
Download (FTP): ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.8.tar.gz
-
Download MD5 sum: eafdca17287bec7b6e8d88aaeba0f6aa
-
Download size: 18.8 MB
-
Estimated disk space required: 66 MB
-
Estimated build time: 0.3 SBU
ProFTPD Dependencies
Optional
libcap-2.67 with PAM, libssh2-1.10.0, Linux-PAM-1.5.2, MariaDB-10.6.12 or MySQL, PCRE-8.45, PostgreSQL-15.2, and Net::SSH2
User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/proftpd
Installation of ProFTPD
For security reasons, you should install ProFTPD using an unprivileged user and group. As the root user:
groupadd -g 46 proftpd &&
useradd -c proftpd -d /srv/ftp -g proftpd \
-s /usr/bin/proftpdshell -u 46 proftpd &&
install -v -d -m775 -o proftpd -g proftpd /srv/ftp &&
ln -v -s /usr/bin/false /usr/bin/proftpdshell &&
echo /usr/bin/proftpdshell >> /etc/shells
Install ProFTPD as an unprivileged user by running the following commands:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/run &&
make
This packages does not come with a usable test suite.
Now, as the root user:
make install &&
install -d -m755 /usr/share/doc/proftpd-1.3.8 &&
cp -Rv doc/* /usr/share/doc/proftpd-1.3.8
Command Explanations
install -v -d -m775 -o proftpd -g proftpd /srv/ftp: Create the home directory for ProFTPD.
ln -v -s /usr/bin/false /usr/bin/proftpdshell: Set the default shell as a link to an invalid shell.
echo /usr/bin/proftpdshell » /etc/shells: Fake a valid shell for compatibility purposes.
Note
The above two commands can be omitted if the following directive is placed in the configuration file:
RequireValidShell off
By default, proftpd will require that users logging in have valid shells. The RequireValidShell directive turns off this requirement. This is only recommended if you are setting up your FTP server exclusively for anonymous downloads.
Note
Support for most of the dependency packages requires using options passed to the configure script. View the output from ./configure –help for complete information about enabling dependency packages.
Configuring ProFTPD
Config Files
/etc/proftpd.conf
Configuration Information
This is a simple, download-only sample configuration. See the ProFTPD documentation in /usr/share/doc/proftpd and consult the website at http://www.proftpd.org/ for example configurations.
cat > /etc/proftpd.conf << "EOF"
# This is a basic ProFTPD configuration file
# It establishes a single server and a single anonymous login.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
MaxInstances 30
# Set the user and group that the server normally runs at.
User proftpd
Group proftpd
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
# Normally, files should be overwritable.
<Directory /*>
AllowOverwrite on
</Directory>
# A basic anonymous configuration, no upload directories.
<Anonymous ~proftpd>
User proftpd
Group proftpd
# Clients should be able to login with "anonymous" as well as "proftpd"
UserAlias anonymous proftpd
# Limit the maximum number of anonymous logins
MaxClients 10
# 'welcome.msg' should be displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
EOF
Systemd Unit
Install the proftpd.service unit included in the blfs-systemd-units-20220720 package:
make install-proftpd
Contents
Installed Programs: ftpasswd, ftpcount, ftpdctl, ftpmail, ftpquota, ftpscrub, ftpshut, ftptop, ftpwho, in.proftpd (symlink to proftpd), proftpd, and prxs
Installed Libraries: None
Installed Directory: /usr/{include,lib}/proftpd, /usr/share/doc/proftpd-1.3.8, and /srv/ftp
Short Descriptions
proftpd is the FTP daemon.
ftpcount shows the current number of connections.
ftpdctl is used to control the proftpd daemon while it is running.
ftpasswd is a Perl script designed to create and manage AuthUserFiles and AuthGroupFiles of the correct format for proftpd.
ftpmail is a Perl script for sending email based on the proftpd TransferLog.
ftpquota is a Perl script designed to create and manage limits and tally files for the mod_quotatab + mod_quotatab_file module combination for proftpd.
ftpscrub provides a way to scrub the scoreboard file on demand.
ftpshut shuts down all proftpd servers at a given time.
ftptop displays running status on connections.
ftpwho shows current process information for each session.
prxs is a Perl script designed to compile and install third-party modules, from source code, as DSO modules for the installed proftpd.
20.4 vsftpd-3.0.5
Introduction to vsftpd
The vsftpd package contains a very secure and very small FTP daemon. This is useful for serving files over a network.
This package is known to build and work properly using an LFS 11.3 platform.
Package Information
-
Download (HTTP): https://security.appspot.com/downloads/vsftpd-3.0.5.tar.gz
-
Download MD5 sum: efbf362a65bec771bc15ad311f5a982e
-
Download size: 210 KB
-
Estimated disk space required: 1.9 MB
-
Estimated build time: less than 0.1 SBU
vsftpd Dependencies
Required
Recommended
Optional
User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/vsftpd
Installation of vsftpd
For security reasons, running vsftpd as an unprivileged user and group is encouraged. Also, a user should be created to map anonymous users. As the root user, create the needed directories, users, and groups with the following commands:
install -v -d -m 0755 /usr/share/vsftpd/empty &&
install -v -d -m 0755 /home/ftp &&
groupadd -g 47 vsftpd &&
groupadd -g 45 ftp &&
useradd -c "vsftpd User" -d /dev/null -g vsftpd -s /bin/false -u 47 vsftpd &&
useradd -c anonymous_user -d /home/ftp -g ftp -s /bin/false -u 45 ftp
Gcc-10 and later flags an error for an implicit type cast. Make it explicit:
sed -e "s/kVSFSysStrOpenUnknown;/(enum EVSFSysUtilOpenMode)&/" -i sysstr.c
Build vsftpd as an unprivileged user using the following command:
make
This package does not come with a test suite.
Once again, become the root user and install vsftpd with the following commands:
install -v -m 755 vsftpd /usr/sbin/vsftpd &&
install -v -m 644 vsftpd.8 /usr/share/man/man8 &&
install -v -m 644 vsftpd.conf.5 /usr/share/man/man5 &&
install -v -m 644 vsftpd.conf /etc
Command Explanations
install -v -d …: This creates the directory that anonymous users will use (/home/ftp) and the directory the daemon will chroot into (/usr/share/vsftpd/empty).
Note
/home/ftp should not be owned by the user vsftpd, or the user ftp.
echo “#define VSF_BUILD_TCPWRAPPERS” »builddefs.h: Use this prior to make to add support for tcpwrappers.
echo “#define VSF_BUILD_SSL” »builddefs.h: Use this prior to make to add support for SSL.
install -v -m …: The Makefile uses non-standard installation paths. These commands install the files in /usr and /etc.
Configuring vsftpd
Config Files
/etc/vsftpd.conf
Configuration Information
vsftpd comes with a basic anonymous-only configuration file that was copied to /etc above. While still as root, this file should be modified because it is now recommended to run vsftpd in standalone mode. Also, you should specify the privilege separation user created above. Finally, you should specify the chroot directory. man vsftpd.conf will give you all the details.
cat >> /etc/vsftpd.conf << "EOF"
background=YES
nopriv_user=vsftpd
secure_chroot_dir=/usr/share/vsftpd/empty
EOF
The vsftpd daemon uses seccomp to improve security by default. But it’s known to cause vsftpd unable to handle ftp LIST command with recent kernel versions. Append a line to /etc/vsftpd.conf (as the root user) to disable seccomp and workaround this issue:
cat >> /etc/vsftpd.conf << "EOF"
seccomp_sandbox=NO
EOF
To enable local logins, append the following to the /etc/vsftpd.conf file (as the root user):
cat >> /etc/vsftpd.conf << "EOF"
local_enable=YES
EOF
In addition, if using Linux-PAM and vsftpd with local user logins, you will need a Linux-PAM configuration file. As the root user, create the /etc/pam.d/vsftpd file, and add the needed configuration changes for Linux-PAM session support using the following commands:
cat > /etc/pam.d/vsftpd << "EOF" &&
# Begin /etc/pam.d/vsftpd
auth required /lib/security/pam_listfile.so item=user sense=deny \
file=/etc/ftpusers \
onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-account
session include system-session
EOF
cat >> /etc/vsftpd.conf << "EOF"
session_support=YES
pam_service_name=vsftpd
EOF
Systemd Unit
Install the vsftpd.service unit included in the blfs-systemd-units-20220720 package:
make install-vsftpd
Contents
Installed Program: vsftpd
Installed Libraries: None
Installed Directories: /usr/share/vsftpd, /home/ftp
Short Descriptions
vsftpd is the FTP daemon.