Some MAN pages recommend making the ~ftp directory owned by ftp. This is a big NO-NO, if you want any type of security on your system.

3. Create the directory ~ftp/bin. This directory is owned by root (group e.g. wheel) with permissions 111 (noread, nowrite, execute).

4. Copy the program ls into ~ftp/bin. ls is owned by root with permissions 111 (noread, nowrite, execute). Any other commands you put in ~ftp/bin should have the same permissions as well.

5. Make the directory ~ftp/etc. This directory is owned by root with permissions 111.

6. Create from scratch the files /etc/passwd and /etc/group in ~ftp/etc. These files should be mode 444. The passwd file should only contain root, daemon, uucp, and ftp. The group file must contain ftp's group. Use your /etc/passwd and /etc/group files as a template for creating passwd and group files going to ~ftp/etc. You may even change the user names in this file, they are used only for 'ls' command. So for example if all files in your ~ftp/pub/linux hierarchy will be maintained by a real user 'balon' with uid=156 you may put

       linux:*:156:120:Kazik Balon::

   in the ~ftp/etc/passwd file (regardless of his real username). Leave only these users who will own files under ftp hierarchy (e.g. root, daemon, ftp...) and definitely remove *ALL* passwords by replacing them with '*' so the entry looks like:

       root:*:0:0:Ftp maintainer::
       ftp:*:400:400: Anonymous ftp::

   For more security, you can just remove ~ftp/etc/passwd and ~ftp/etc/group (the effect is that ls -l will not show the directories' group names). Wuarchive ftp daemon (and some others) have some extensions based on the contents of the group/passwd files, so read the appropriate documentation.

7. Make the directory ~ftp/pub. This directory is owned by you and has the same group as ftp with permissions 555. On most systems (like SunOS) you may want to make this directory 2555, i.e. set-group-id, in order to create new files with the same group ownership. Files are left here for public distribution. All folders inside ~ftp/pub should have the same permissions as 555.
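
The following is an added example, not part of the original text: a shell function that checks an existing tree against steps 3-7 and the ownership rule. The name audit_ftp_tree, its two arguments and its output format are assumptions of this sketch; run it as root so find can read the mode-111 directories.

```sh
#!/bin/sh
# Added example: audit an anonymous-FTP tree against steps 3-7 above.
# Usage: audit_ftp_tree ROOT FTPUSER   (FTPUSER may be a name or a numeric uid)
# Prints one "FINDING:" line per problem and returns 1 if any were found.
audit_ftp_tree() {
    root=$1 ftpuser=$2 bad=0

    # has_mode PATH MODE: true if PATH's permission bits equal MODE exactly.
    has_mode() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }
    note() { echo "FINDING: $*"; bad=1; }

    # Nothing in the tree, ~ftp itself included, may be owned by ftp.
    owned=$(find "$root" -user "$ftpuser" 2>/dev/null || true)
    [ -z "$owned" ] || note "owned by $ftpuser: $owned"

    # Steps 3-5: bin, etc and every command in bin are mode 111.
    for p in "$root/bin" "$root/etc" "$root"/bin/*; do
        [ -e "$p" ] || continue
        has_mode "$p" 111 || note "$p is not mode 111"
    done

    # Step 6: passwd and group are mode 444 (removing them is also allowed).
    for f in "$root/etc/passwd" "$root/etc/group"; do
        [ -e "$f" ] || continue
        has_mode "$f" 444 || note "$f is not mode 444"
    done
    # Step 6: every password field must be '*', never a copied hash.
    if [ -r "$root/etc/passwd" ]; then
        users=$(awk -F: '$2 != "*" { printf "%s ", $1 }' "$root/etc/passwd")
        [ -z "$users" ] || note "password field is not '*' for: $users"
    fi

    # Step 7: pub and every directory below it are 555 (or 2555).
    if [ -d "$root/pub" ]; then
        loose=$(find "$root/pub" -type d ! -perm 555 ! -perm 2555 2>/dev/null || true)
        [ -z "$loose" ] || note "not 555/2555: $loose"
    fi
    return $bad
}
```
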
Neither the home directory (~ftp) nor any directory below it should be owned by ftp! No files should be owned by ftp either. Modern ftp daemons support all kinds of useful commands, such as chmod, that allow outsiders to undo your careful permission settings. They also have configuration options like the following (WuFTP) to disable them: