<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % globalent SYSTEM "../../libs/global.ent">
<!ENTITY % gnome-menus-C SYSTEM "../../libs/gnome-menus-C.ent">
<!ENTITY % xinclude SYSTEM "../../libs/xinclude.mod">
<!ENTITY language "&EnglishAmerican;">
<chapter id="file-servers" status="review">
<title>File Servers</title>
If you have more than one computer on a single network, at some point you will probably
need to share files between them. In this section we cover installing and configuring
<sect1 id="ftp-server" status="review">
<title>FTP Server</title>
File Transfer Protocol (FTP) is a TCP protocol for uploading and downloading
files between computers. FTP works on a client/server model. The server component is
called an <emphasis>FTP daemon</emphasis>. It continuously listens for FTP requests
from remote clients. When a request is received, it manages the login and sets up
the connection. For the duration of the session it executes any of the commands sent by
<para>Access to an FTP server can be managed in two ways:</para>
<itemizedlist spacing="compact">
<para>Anonymous</para>
<para>Authenticated</para>
In the Anonymous mode, remote clients can access the FTP server by using the
default user account called "anonymous" or "ftp" and
sending an email address as the password. In the Authenticated mode a user must
have an account and a password. User access to the FTP server directories and files is
dependent on the permissions defined for the account used at login. As a general
rule, the FTP daemon will hide the root directory of the FTP server and change it to
the FTP Home directory. This hides the rest of the file system from remote
<sect2 id="vsftpd-ftp-server-installation" status="review">
<title>vsftpd - FTP Server Installation</title>
vsftpd is an FTP daemon available in
Ubuntu. It is easy to install, set up, and
maintain. To install <application>vsftpd</application> you
can run the following command:
<command>sudo apt-get install vsftpd</command>
<sect2 id="vsftpd-anonymous-configuration" status="review">
<title>Anonymous FTP Configuration</title>
By default <application>vsftpd</application> is configured
to only allow anonymous download. During installation an
<emphasis>ftp</emphasis> user is created with a home directory
of <filename>/home/ftp</filename>. This is the default FTP directory.
If you wish to change this location, to <filename>/srv/ftp</filename>
for example, simply create a directory in another location and
change the <emphasis>ftp</emphasis> user's home directory:
<command>sudo mkdir /srv/ftp</command>
<command>sudo usermod -d /srv/ftp ftp</command>
After making the change, restart <application>vsftpd</application>:
<command>sudo /etc/init.d/vsftpd restart</command>
Finally, copy any files and directories you would like to make available
through anonymous FTP to <filename>/srv/ftp</filename>.
<sect2 id="vsftpd-userauth-configuration" status="review">
<title>User Authenticated FTP Configuration</title>
To configure <application>vsftpd</application> to authenticate
system users and allow them to upload files, edit
<filename>/etc/vsftpd.conf</filename>:
Now restart <application>vsftpd</application>:
<command>sudo /etc/init.d/vsftpd restart</command>
Now when system users log in to FTP they will start in their
<emphasis>home</emphasis> directories where they can download,
upload, create directories, etc.
Similarly, by default, anonymous users are not
allowed to upload files to the FTP server. To change
this setting, you should uncomment the following
line, and restart <application>vsftpd</application>:
anon_upload_enable=YES
Enabling anonymous FTP upload can be an extreme security risk. It is best to not enable
anonymous upload on servers accessed directly from the Internet.
The configuration file consists of many
configuration parameters. The information about
each parameter is available in the configuration
file. Alternatively, you can refer to the man
page, <command>man 5 vsftpd.conf</command>, for
details of each parameter.
<sect2 id="vsftpd-security" status="review">
<title>Securing FTP</title>
There are options in <filename>/etc/vsftpd.conf</filename> to
help make <application>vsftpd</application> more secure. For
example, users can be limited to their home directories by uncommenting:
chroot_local_user=YES
You can also limit a specific list of users to just their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
After uncommenting the above options, create a <filename>/etc/vsftpd.chroot_list</filename>
containing a list of users, one per line. Then restart <application>vsftpd</application>:
<command>sudo /etc/init.d/vsftpd restart</command>
Also, the <filename>/etc/ftpusers</filename> file is a list of users that
are <emphasis>disallowed</emphasis> FTP access. The default list
includes root, daemon, nobody, etc. To disable FTP access for additional
users, simply add them to the list.
FTP can also be encrypted using <emphasis>FTPS</emphasis>. Different from <emphasis>SFTP</emphasis>,
<emphasis>FTPS</emphasis> is FTP over Secure Sockets Layer (SSL). <emphasis>SFTP</emphasis> is an FTP-like
session over an encrypted <emphasis>SSH</emphasis> connection. A major difference is that users
of SFTP need to have a <emphasis>shell</emphasis> account on the system, instead of a
<emphasis>nologin</emphasis> shell. Providing all users with a shell may not be ideal for some
environments, such as a shared web host.
To configure <emphasis>FTPS</emphasis>, edit <filename>/etc/vsftpd.conf</filename> and at the bottom add:
Also, notice the certificate and key related options:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
By default these options are set to the certificate and key provided by the <application>ssl-cert</application>
package. In a production environment these should be replaced with a certificate and key generated for the specific
host. For more information on certificates see <xref linkend="certificates-and-security"/>.
Now restart <application>vsftpd</application>, and non-anonymous users will be forced to use
<emphasis>FTPS</emphasis>:
<command>sudo /etc/init.d/vsftpd restart</command>
To allow users with a shell of <filename>/usr/sbin/nologin</filename> access to FTP, but have no shell access,
edit <filename>/etc/shells</filename> adding the <emphasis>nologin</emphasis> shell:
# /etc/shells: valid login shells
This is necessary because, by default, <application>vsftpd</application> uses PAM for authentication, and the
<filename>/etc/pam.d/vsftpd</filename> configuration file contains:
auth required pam_shells.so
The <emphasis>shells</emphasis> PAM module restricts access to shells listed in the <filename>/etc/shells</filename>
Most popular FTP clients can be configured to connect using FTPS. The <application>lftp</application> command line FTP
client has the ability to use FTPS as well.
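The anonymous-upload warning in the previous section and the chroot, FTPS and pam_shells points above can be checked mechanically before a server is exposed. The script below is an added example written for this page; it is not code from the Ubuntu documentation or from the vsftpd project. It reads a vsftpd.conf, reports each weak setting, and checks that /usr/sbin/nologin is listed in an /etc/shells file. Beyond the options shown on this page it uses anonymous_enable, local_enable, ssl_enable and force_local_logins_ssl, which are standard vsftpd.conf options; the two sample configurations, the sample shells file and the ftp.example.org certificate paths are constructed for the demonstration and written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the Ubuntu documentation or vsftpd): audit a
# vsftpd.conf for the settings discussed in the FTP sections above.

# conf_get FILE KEY: print the effective value of KEY (the last active
# "KEY=value" line; commented-out lines are ignored), or nothing if unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# vsftpd_audit FILE: print one finding per line; exit 0 when clean, 1 otherwise.
vsftpd_audit() {
    conf=$1
    n=0
    # Anonymous upload is the "extreme security risk" the page warns about.
    if [ "$(conf_get "$conf" anonymous_enable)" = "YES" ] &&
       [ "$(conf_get "$conf" anon_upload_enable)" = "YES" ]; then
        echo "anonymous upload is enabled (anon_upload_enable=YES)"
        n=$((n + 1))
    fi
    # Local users should be confined to their home directories, either for
    # everyone (chroot_local_user) or for a list (chroot_list_enable).
    if [ "$(conf_get "$conf" local_enable)" = "YES" ] &&
       [ "$(conf_get "$conf" chroot_local_user)" != "YES" ] &&
       [ "$(conf_get "$conf" chroot_list_enable)" != "YES" ]; then
        echo "local users are not confined to their home directories (no chroot option)"
        n=$((n + 1))
    fi
    # Without FTPS, passwords and data cross the network in clear text.
    if [ "$(conf_get "$conf" ssl_enable)" != "YES" ]; then
        echo "FTPS is not enabled (ssl_enable is not YES)"
        n=$((n + 1))
    else
        if [ "$(conf_get "$conf" force_local_logins_ssl)" != "YES" ]; then
            echo "local logins are not forced over SSL (force_local_logins_ssl is not YES)"
            n=$((n + 1))
        fi
        # The ssl-cert package's placeholder certificate is not meant for production.
        case "$(conf_get "$conf" rsa_cert_file)" in
            *snakeoil*) echo "FTPS uses the ssl-cert snakeoil certificate"; n=$((n + 1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# shells_allows_nologin SHELLS_FILE: exit 0 if /usr/sbin/nologin is listed, so
# pam_shells will let nologin users authenticate to FTP without a shell.
shells_allows_nologin() {
    grep -qx '/usr/sbin/nologin' "$1"
}

# Constructed sample files, written into the directory given as $1.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
EOF
    cat > "$1/hardened.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/ftp.example.org.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.org.key
EOF
    printf '%s\n' '# /etc/shells: valid login shells' /bin/sh /bin/bash /usr/sbin/nologin > "$1/shells"
}

# Stand-alone demonstration: the weak sample yields three findings, the
# hardened sample none.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak.conf hardened.conf; do
    echo "== $f"
    vsftpd_audit "$demo_dir/$f" || echo "-> $f needs attention"
done
shells_allows_nologin "$demo_dir/shells" && echo "nologin is an allowed shell"
rm -r "$demo_dir"
```

Run it against the real file with `vsftpd_audit /etc/vsftpd.conf` after sourcing the script; each finding maps to one of the options discussed above, and the exit status makes it usable from a configuration check in a deployment pipeline.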
<sect2 id="vsftpd-references" status="review">
<title>References</title>
See the <ulink url="http://vsftpd.beasts.org/vsftpd_conf.html">vsftpd website</ulink> for more information.
For detailed <filename>/etc/vsftpd.conf</filename> options see the
<ulink url="http://manpages.ubuntu.com/manpages/jaunty/en/man5/vsftpd.conf.5.html">vsftpd.conf man page</ulink>.
The CodeGuru article <ulink url="http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329">
FTPS vs. SFTP: What to Choose</ulink> has useful information contrasting FTPS and SFTP.
<sect1 id="network-file-system" status="review">
<title>Network File System (NFS)</title>
NFS allows a system to share directories and files with others
over a network. By using NFS, users and programs can access
files on remote systems almost as if they were local files.
Some of the most notable benefits that NFS can provide are:
<para>Local workstations use less disk space because commonly used data
can be stored on a single machine and still remain accessible to others
over the network.</para>
<para>There is no need for users to have separate home directories on
every network machine. Home directories could be set up on the NFS
server and made available throughout the network.</para>
<para>Storage devices such as floppy disks, CDROM drives, and USB
thumb drives can be used by other machines on the network. This may
reduce the number of removable media drives throughout the
<sect2 id="nfs-installation" status="review">
<title>Installation</title>
At a terminal prompt enter the following command to install the NFS
<command>sudo apt-get install nfs-kernel-server</command>
<sect2 id="nfs-configuration" status="review">
<title>Configuration</title>
You can configure the directories to be exported by adding them to
the <filename>/etc/exports</filename> file. For example:
/ubuntu *(ro,sync,no_root_squash)
/home *(rw,sync,no_root_squash)
You can replace * with one of the hostname formats. Make the
hostname declaration as specific as possible so unwanted
systems cannot access the NFS mount.
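The advice to make the hostname declaration as specific as possible can be enforced with a small audit of /etc/exports. The following script is an added example for this page, not code from the Ubuntu documentation or the Linux NFS project. It parses each export entry into path, client and option list and reports three things: a client of `*` (every host), an option list written with a space before the `(` (which exports(5) documents as applying to every client rather than to the host in front of it), and `no_root_squash`, which the example above uses and which lets root on a client act as root on the exported files. The sample exports files are constructed for the demonstration and written to a temporary directory; the 192.168.1.0/24 subnet in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Ubuntu documentation or the NFS project): audit
# /etc/exports entries for over-broad client lists and unsquashed root.

# exports_audit FILE: print one finding per line for each risky export entry.
exports_audit() {
    awk '
    # Skip comment and blank lines.
    $0 ~ /^[ \t]*#/ || NF == 0 { next }
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i
            host = spec
            opts = ""
            p = index(spec, "(")
            if (p > 0) {
                host = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1, length(spec) - p - 1)
            }
            # "* (rw)" instead of "*(rw)": an option list with no host attached
            # applies to every client, per exports(5).
            if (host == "")
                printf "%s: option list (%s) is not attached to a host, so it applies to all clients\n", path, opts
            else if (host == "*")
                printf "%s: exported to every host (*)\n", path
            # no_root_squash lets root on the client act as root on the export.
            if (("," opts ",") ~ /,no_root_squash,/)
                printf "%s: remote root is not squashed for %s (no_root_squash)\n", path, (host == "" ? "all clients" : host)
        }
    }' "$1"
}

# exports_is_clean FILE: exit 0 when the audit produces no findings.
exports_is_clean() {
    [ -z "$(exports_audit "$1")" ]
}

# Constructed sample: the page's two example lines plus two more entries.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports
/ubuntu *(ro,sync,no_root_squash)
/home *(rw,sync,no_root_squash)
/srv/data 192.168.1.0/24(rw,sync,root_squash)
/srv/pub * (ro)
EOF
}

# Constructed hardened version: one subnet per export, root squashed.
write_hardened_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports, narrowed to one subnet with root squashed
/ubuntu 192.168.1.0/24(ro,sync,root_squash)
/home 192.168.1.0/24(rw,sync,root_squash)
/srv/data 192.168.1.0/24(rw,sync,root_squash)
/srv/pub 192.168.1.0/24(ro,sync,root_squash)
EOF
}

# Stand-alone demonstration: six findings for the sample, none for the
# hardened file.
demo_dir=$(mktemp -d)
write_sample_exports "$demo_dir/exports"
write_hardened_exports "$demo_dir/exports.hardened"
echo "== findings for the sample exports"
exports_audit "$demo_dir/exports"
echo "== findings for the hardened exports"
exports_audit "$demo_dir/exports.hardened"
rm -r "$demo_dir"
```

After editing the real file, `exports_is_clean /etc/exports` gives a yes/no answer suitable for a pre-restart check; the findings for `/srv/pub * (ro)` show why the spacing rule matters, since that line exports the directory to every client twice over.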
To start the NFS server, you can run the following command at a terminal prompt:
<command>sudo /etc/init.d/nfs-kernel-server start</command>
<sect2 id="nfs-client-configuration" status="review">
<title>NFS Client Configuration</title>
Use the <application>mount</application> command to mount a shared NFS directory from
another machine, by typing a command line similar to the following at a terminal prompt:
<command>sudo mount example.hostname.com:/ubuntu /local/ubuntu</command>
The mount point directory <filename>/local/ubuntu</filename> must
exist. There should be no files or subdirectories in the
<filename>/local/ubuntu</filename> directory.
An alternate way to mount an NFS share from another machine is to
add a line to the <filename>/etc/fstab</filename> file. The line must state the
hostname of the NFS server, the directory on the server being
exported, and the directory on the local machine where the NFS
share is to be mounted.
The general syntax for the line in <filename>/etc/fstab</filename>
example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr
If you have trouble mounting an NFS share, make sure the <application>nfs-common</application> package is
installed on your client. To install
<application>nfs-common</application> enter the following
command at the terminal
<command>sudo apt-get install nfs-common</command>
<sect2 id="nfs-references" status="review">
<title>References</title>
<para><ulink url="http://nfs.sourceforge.net/">Linux NFS faq</ulink></para>
<sect1 id="cups" status="review">
<title>CUPS - Print Server</title>
The primary mechanism for Ubuntu printing and print services is the
<emphasis role="bold">Common UNIX Printing System</emphasis> (CUPS).
This printing system is a freely available, portable printing layer
which has become the new standard for printing in most Linux
CUPS manages print jobs and queues and provides network printing using
the standard Internet Printing Protocol (IPP), while offering support
for a very large range of printers, from dot-matrix to laser and many
in between. CUPS also supports PostScript Printer Description (PPD) and
auto-detection of network printers, and features a simple web-based
configuration and administration tool.
<sect2 id="cups-installation" status="review">
<title>Installation</title>
To install CUPS on your Ubuntu computer, simply use <application>sudo</application> with the <application>apt-get</application> command and give the packages to install as the first parameter. A complete CUPS install has many package dependencies, but they may all be specified on the same command line. Enter the following at a terminal prompt to install CUPS:
<command>sudo apt-get install cupsys</command>
Upon authenticating with your user password, the packages should be downloaded
and installed without error. Upon the conclusion of installation, the CUPS server
will be started automatically.
For troubleshooting purposes, you can access CUPS
server errors via the error log file at: <filename>/var/log/cups/error_log</filename>.
If the error log does not show enough information to troubleshoot any problems you
encounter, the verbosity of the CUPS log can be increased by changing the <emphasis role="bold">LogLevel</emphasis> directive in the configuration file (discussed below)
to "debug" or even "debug2", which logs everything, from the default of "info". If
you make this change, remember to change it back once you've solved your problem, to
prevent the log file from becoming overly large.
<sect2 id="cups-configuration" status="review">
<title>Configuration</title>
The Common UNIX Printing System server's behavior is configured through the
directives contained in the file <filename>/etc/cups/cupsd.conf</filename>.
The CUPS configuration file follows the same syntax as the primary configuration
file for the Apache HTTP server, so users familiar with editing Apache's
configuration file should feel at ease when editing the CUPS configuration
file. Some examples of settings you may wish to change initially will be
<para>Prior to editing the configuration file, you should make a copy of
the original file and protect it from writing, so you will have the original
settings as a reference, and to reuse as necessary.
<para>Copy the <filename>/etc/cups/cupsd.conf</filename> file and protect it
from writing with the following commands, issued at a terminal prompt:
<command>sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original</command>
<command>sudo chmod a-w /etc/cups/cupsd.conf.original</command>
<emphasis role="bold">ServerAdmin</emphasis>: To configure the email
address of the designated administrator of the CUPS server, simply
edit the <filename>/etc/cups/cupsd.conf</filename> configuration file
with your preferred text editor, and modify the <emphasis role="italics">ServerAdmin</emphasis> line accordingly. For example,
if you are the Administrator for the CUPS server, and your e-mail
address is 'bjoy@somebigco.com', then you would modify the ServerAdmin
line to appear as such:
ServerAdmin bjoy@somebigco.com
For more examples of configuration directives in the CUPS server
configuration file, view the associated system manual page by entering the
following command at a terminal prompt:
<command>man cupsd.conf</command>
Whenever you make changes to the <filename>/etc/cups/cupsd.conf</filename> configuration file, you'll need to restart the CUPS server by typing the following command at a terminal prompt:
<command>sudo /etc/init.d/cupsys restart</command>
<para>Some other configuration for the CUPS server is done in the file <filename>/etc/cups/cups.d/ports.conf</filename>:</para>
<emphasis role="bold">Listen</emphasis>: By default on Ubuntu, the CUPS
server installation listens only on the loopback interface at IP address
<emphasis>127.0.0.1</emphasis>. In order to instruct the
CUPS server to listen on an actual network adapter's IP address, you must
specify either a hostname, the IP address, or optionally, an IP
address/port pairing via the addition of a Listen directive. For example,
if your CUPS server resides on a local network at the IP address <emphasis role="italics">192.168.10.250</emphasis> and you'd like to make it
accessible to the other systems on this subnetwork, you would edit the
<filename>/etc/cups/cupsd.conf</filename> and add a Listen
Listen 127.0.0.1:631 # existing loopback Listen
Listen /var/run/cups/cups.sock # existing socket Listen
Listen 192.168.10.250:631 # Listen on the LAN interface, Port 631 (IPP)
In the example above, you may comment out or remove the reference to the
Loopback address (127.0.0.1) if you do not wish <application>cupsd</application> to listen on that interface, but would rather have it only
listen on the Ethernet interfaces of the Local Area Network (LAN). To enable
listening for all network interfaces for which a certain hostname is bound,
including the Loopback, you could create a Listen entry for the hostname
<emphasis>socrates</emphasis> as such:
Listen socrates:631 # Listen on all interfaces for the hostname 'socrates'
<para>or by omitting the Listen directive and using <emphasis>Port</emphasis> instead, as in:</para>
Port 631 # Listen on port 631 on all interfaces
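Because every Listen or Port directive widens where the print server accepts connections, it is worth being able to answer "is cupsd reachable from the network?" from the configuration alone. The script below is an added example for this page, not code from the Ubuntu documentation or the CUPS project. It strips the trailing comments used in the examples above, classifies each directive as a UNIX socket, loopback, a single network address or hostname, or all interfaces (a Port directive, or Listen on `*`, 0.0.0.0 or [::]), and reports whether any of them is reachable from other hosts. The sample configuration files, written to a temporary directory, reuse the page's example lines; the default and Port-only variants are constructed.

```shell
#!/bin/sh
# Added example (not from the Ubuntu documentation or the CUPS project):
# classify the Listen/Port directives of a cupsd configuration to see whether
# the print server is reachable from beyond the local machine.

# cups_listen_audit FILE: print "<class> <directive> <value>" per Listen/Port
# line. Classes: socket (UNIX domain socket), loopback, all (every
# interface), network (one address or hostname reachable over the network).
cups_listen_audit() {
    # Drop trailing "# ..." comments such as those in the examples above.
    sed 's/#.*//' "$1" | awk '
    $1 == "Port" { printf "all Port %s\n", $2; next }
    $1 == "Listen" {
        addr = $2
        if (addr ~ /^\//)
            cls = "socket"
        else if (addr ~ /^(127\.0\.0\.1|localhost|\[::1\])(:[0-9]+)?$/)
            cls = "loopback"
        else if (addr ~ /^(\*|0\.0\.0\.0|\[::\])(:[0-9]+)?$/)
            cls = "all"
        else
            cls = "network"
        printf "%s Listen %s\n", cls, addr
    }'
}

# cups_exposed FILE: exit 0 if any directive accepts connections from other hosts.
cups_exposed() {
    cups_listen_audit "$1" | grep -Eq '^(all|network) '
}

# Constructed sample files, written into the directory given as $1.
write_sample_cups_conf() {
    # The page's LAN example: loopback, socket and one LAN address.
    cat > "$1/ports.conf" <<'EOF'
Listen 127.0.0.1:631 # existing loopback Listen
Listen /var/run/cups/cups.sock # existing socket Listen
Listen 192.168.10.250:631 # Listen on the LAN interface, Port 631 (IPP)
EOF
    # The Ubuntu default described above: loopback and socket only.
    cat > "$1/ports.default.conf" <<'EOF'
Listen 127.0.0.1:631
Listen /var/run/cups/cups.sock
EOF
    # The Port form, which binds every interface.
    cat > "$1/ports.open.conf" <<'EOF'
Port 631 # Listen on port 631 on all interfaces
EOF
}

# Stand-alone demonstration.
demo_dir=$(mktemp -d)
write_sample_cups_conf "$demo_dir"
for f in ports.default.conf ports.conf ports.open.conf; do
    echo "== $f"
    cups_listen_audit "$demo_dir/$f"
    if cups_exposed "$demo_dir/$f"; then
        echo "-> reachable from the network"
    else
        echo "-> local only"
    fi
done
rm -r "$demo_dir"
```

Point `cups_exposed` at the live ports file after an edit; a "local only" result means the change kept the server on loopback and the UNIX socket, and a "network" line names exactly which address was opened.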
<sect2 id="cups-references" status="review">
<title>References</title>
<ulink url="http://www.cups.org/">CUPS Website</ulink>