Finger Common UNIX Network Applications

3. Create a bin directory under the ftp home directory that is owned by root and that cannot be written to by anyone. The ls program should be placed in this directory and changed to execute−only mode (111):

    mkdir /usr/ftp/bin              (it is already owned by root)
    chmod 555 /usr/ftp/bin
    cp /bin/ls /usr/ftp/bin
    chmod 111 /usr/ftp/bin/ls

4. Create an etc directory under the ftp home directory that is owned by root, and that cannot be written to by anyone. Create special passwd and group files in this directory with a single entry equal to the entry added to the /etc/passwd and /etc/group files, and change the mode of both files to read−only mode (444):

    mkdir /usr/ftp/etc              (it is already owned by root)
    chmod 555 /usr/ftp/etc
    cat /etc/passwd | grep ftp: > /usr/ftp/etc/passwd
    cat /etc/group | grep anonymous: > /usr/ftp/etc/group
    chmod 444 /usr/ftp/etc/passwd /usr/ftp/etc/group

5. Create a pub directory under the ftp home directory that is owned by ftp and that has the corresponding mode, depending on which rights will be granted to anonymous users. Here, the read−only mode (444) is assumed:

    mkdir /usr/ftp/pub
    chown ftp /usr/ftp/pub
    chgrp anonymous /usr/ftp/pub
    chmod 444 /usr/ftp/pub

6. Check the ownership, mode, and contents of all newly created directories and files.

7. For most UNIX systems, the installation is complete upon completion of the listed steps, but some UNIX flavors might require some additional procedures.

Once the system is ready, files for public use can be copied into the /usr/ftp/pub directory. They should not be owned by ftp (to prevent overwriting of the files by remote anonymous users), and their mode must be set to 644 or 444. At the end, a thorough test of the installed anonymous ftp service is recommended to ensure that the ftp server provides the desired service without providing additional undesired ones. Anonymous ftp is a potential security risk, and it should be installed carefully and properly.
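As an added check for step 6 (this is not code from the book), the following script audits a tree built by the steps above for the ownership and mode mistakes they warn about. The path /usr/ftp and the account name ftp are taken from the steps; the function name and the message texts are mine, and the tree it is tested against is a constructed one.

```shell
#!/bin/sh
# Added example, not from the book: audit the anonymous-ftp home tree built
# in the steps above. Usage: audit_ftp_home /usr/ftp [ftp_user]
# Prints one finding per line and returns the number of findings (0 = clean).
# On a real server run it as root so that it can traverse the read-only
# directories; the tests below use a constructed tree in a temporary directory.
audit_ftp_home() {
    home=$1; ftp_user=${2:-ftp}; n=0
    # Nothing in the tree may be group- or world-writable: a writable bin/ls,
    # etc/passwd or pub file could be replaced by a remote anonymous user.
    for f in $(find "$home" \( -perm -g+w -o -perm -o+w \) -print); do
        echo "writable by group/other: $f"; n=$((n + 1))
    done
    # bin and etc are 555, bin/ls is execute-only (111), and the copied passwd
    # and group files are read-only (444), exactly as the steps require.
    for spec in bin:555 bin/ls:111 etc:555 etc/passwd:444 etc/group:444; do
        path=$home/${spec%:*}; mode=${spec#*:}
        if [ ! -e "$path" ]; then
            echo "missing: $path"; n=$((n + 1))
        elif [ -z "$(find "$path" -prune -perm "$mode" -print)" ]; then
            echo "mode is not $mode: $path"; n=$((n + 1))
        fi
    done
    # Files offered in pub must be 644 or 444 and must not belong to the
    # ftp account, otherwise an anonymous user could overwrite them.
    if [ ! -d "$home/pub" ]; then
        echo "missing: $home/pub"; n=$((n + 1))
    else
        for f in $(find "$home/pub" -type f ! -perm 644 ! -perm 444 -print); do
            echo "pub file mode is not 644/444: $f"; n=$((n + 1))
        done
        if id "$ftp_user" >/dev/null 2>&1; then
            for f in $(find "$home/pub" -type f -user "$ftp_user" -print); do
                echo "pub file owned by $ftp_user: $f"; n=$((n + 1))
            done
        fi
    fi
    return $n
}

# Run directly: audit the tree named on the command line.
if [ $# -gt 0 ]; then audit_ftp_home "$@"; fi
```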

21.1.3 Finger

By default, finger displays information about each logged−in user, including login name, full name, terminal name, idle time, login time, and location (tty for users logged in locally, hostname for users logged in remotely, if known). Idle time is in minutes if it is a single integer, hours and minutes if a ":" is present, or days and hours if a "d" is present. The format of the finger command is:

    finger [options] name...

where the available options are:

    −m    Match arguments only on user name (not first or last name)
    −l    Force long output format
    −s    Force short output format [...] terminal, and login time are printed
    −i    Force idle output format, which is similar to short format except that only the login name, terminal, login time, and idle time are printed
    −b    Suppress printing the user's home directory and shell in a long format printout
    −f    Suppress printing the header that is normally printed in a non−long format printout
    −w    Suppress printing the full name in a short format printout
    −h    Suppress printing of the .project file in a long format printout
    −p    Suppress printing of the .plan file in a long format printout

When one or more name arguments are given, more detailed information is given for each name specified, whether they are logged in or not. A name may be a first or last name or an account name.
Information is presented in a multiline format, and includes, in addition to the information mentioned above:

• The user's home directory and login shell
• The time they logged in if they are currently logged in, or the time they last logged in if they are not, as well as the terminal or host from which they logged in and, if a terminal, the comment field in /etc/ttytab for that terminal
• The last time they received mail, and the last time they read their mail
• Any plan contained in the file .plan in the user's home directory
• Any project on which they are working, described in the file .project also in that directory

If a name argument contains an at−sign, @, then a connection is attempted to the machine named after the at−sign, and the remote finger daemon is queried. The data returned by that daemon is printed.

The main drawback, and the reason that finger is often disabled, is the security risk it carries. Why expose information about users on your system to potential intruders? User accounts are the main targets for every intruder, who will first try to capture a user account, and then work on switching to some higher−privileged user (to root, if possible). There is one special situation when the use of finger could be extremely valuable. When user dial−in access is provided, as with PPP, an IP address is dynamically assigned to the user's machine; the same user's machine can be identified by a different IP address at a different time. On the other side, some applications are strictly based on the known IP address of the session participants; for example, X windowing requires the IP address of the X server to launch a specified application properly. Obviously, for the application to succeed, the IP address assigned to the logged−in user must be known. finger could help in this case.
When a user logs into the host, the dynamically assigned IP address identifies the user's originating logical machine (please note that this logical machine is mapped through the dial−in connection into the real machine). By finger−ing a specified user, the information about the assigned IP address will be displayed, and this is what an application needs for successful completion. A relatively simple script could be made and used for the purpose of extracting the dynamically assigned IP address and passing this address to the application for its use. This should be made clear in the following example.

The user bjl dialed in and logged into the specific host with the intent of launching an X−based application on the user's PC that emulates an X terminal. The user was authenticated by the remote access server rashost, which dynamically assigns one of the 16 available IP addresses to the authenticated dial−in connection; the IP address is in the range rashost01 − rashost16, with an [...]

The finger command on the host shows (only the relevant lines are presented):

    finger
    Login    Name      TTY      Idle   When        Where
    bjl      B.J.L.    pts/10   3      Sat 14:29   rashost08.example.net
    .....

Keeping this command output in mind, the following script will extract the assigned DNS record (it is equivalent to an IP address of the established dial−in connection), and launch the desired X−based application xnb on the user's PC.

    cat xnb2pc
    #!/bin/ksh -p
    # This script starts an XNB session at the user's PC.
    # Once the user connects via modem, and upon a successful authentication, an IP address
    # is assigned to the established dial-in connection (this address varies among different
    # connections). To launch an XNB session the DISPLAY variable must be defined appropriately.
    # The other requirement is a running X terminal client on the PC (for example Exceed).
    #
    # This line extracts the corresponding DNS record; it cleans everything in the line in
    # front of the DNS record, as well as all trailing spaces.
    CONN=`finger | grep rashost | grep bjl | sed -n 1p | sed 's/.*rashost/rashost/g' | sed 's/ //g'`
    # The DISPLAY variable is specified.
    export DISPLAY=${CONN}:0.0
    # Everything seems to be ready for the XNB launch.
    /usr/xnbpath/bin/xnb -display $DISPLAY

21.2 Host Connectivity

In a network, the essential condition is that connectivity between hosts is provided. It is obvious that without full host connectivity, none of the network applications can be accomplished. A break in host connectivity is a very common cause of network application failure. Checking the host connectivity is also the most frequent, and usually the first, step in tracing problems related to network applications. UNIX provides a number of commands applicable for this purpose; two of them are ping and traceroute.

21.2.1 The ping Command

The ping command tests whether a remote host can be reached from the system where ping was activated. This simple function is extremely useful for testing network connections, and in determining whether further testing should be done. If ping shows that packets can travel to the remote host and back, the problem you seek to identify might be in the upper protocol layers; if packets cannot make the round−trip, lower protocol layers are probably at fault. The basic format of the ping command (some variations are possible on different flavors) is:

    ping hostname [packetsize] [count]