FTP (File Transfer Protocol) is one of the first protocols of the Internet (RFC 959 was issued in 1985!). It was used to distribute files before the Web was even born (the HTTP protocol was created in 1990, and formally defined in its 1.0 version by RFC 1945, issued in 1996).
This protocol allows both file uploads and file downloads; for this reason, it is still widely used to deploy updates to a website hosted by one's Internet service provider (or any other entity hosting websites). In these cases, secure access is enforced with a user identifier and password; on successful authentication, the FTP server grants read-write access to that user's home directory.
Other FTP servers are mainly used to distribute files for public downloading; Debian packages are a good example. The contents of these servers are fetched from other, geographically remote, servers; they are then made available to less distant users. This means that client authentication is not required; as a consequence, this operating mode is known as “anonymous FTP”. To be perfectly correct, the clients do authenticate with the anonymous username; the password is often, by convention, the user's email address, but the server ignores it.
Many FTP servers are available in Debian (ftpd, proftpd, wu-ftpd and so on). The Falcot Corp administrators picked vsftpd because they only use the FTP server to distribute a few files (including a Debian package repository); since they don't need advanced features, they chose to focus on the security aspects.
Installing the package creates an ftp system user. This account is always used for anonymous FTP connections, and its home directory (/home/ftp/) is the root of the tree made available to users connecting to this service. The default configuration (in /etc/vsftpd.conf) is very restrictive: it only allows read-only anonymous access (since the write_enable and anon_upload_enable options are disabled), and local users cannot connect with their usual username and password and access their own files (local_enable option). However, this default configuration is well-suited to the needs at Falcot Corp.
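One way to check that a vsftpd.conf still has the restrictive posture described above is to compute the effective value of the three options the text names. This is an added example, not part of the original text or of vsftpd; the function names and both sample files are constructed, and it assumes that an absent option counts as NO and that the last occurrence of a repeated option wins.

```python
# Options the text names; each must stay "NO" for read-only anonymous service.
# Assumption: an option absent from the file also counts as "NO"
# (check vsftpd.conf(5) for the installed version's built-in defaults).
AUDITED = ("write_enable", "anon_upload_enable", "local_enable")


def effective_settings(conf_text):
    """Return the effective value of each audited option.

    File format: one option=value per line, '#' starts a comment line.
    Assumption: when an option is repeated, the last occurrence wins.
    """
    settings = {name: "NO" for name in AUDITED}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment (including commented-out options)
        key, value = line.split("=", 1)
        if key in settings:
            settings[key] = value.strip().upper()
    return settings


def deviations(conf_text):
    """Return {option: value} for every audited option that is not "NO"."""
    return {k: v for k, v in effective_settings(conf_text).items() if v != "NO"}


# Constructed sample files, not copied from a real server or package.
RESTRICTIVE = """\
# constructed sample
anonymous_enable=YES
#write_enable=YES
#anon_upload_enable=YES
"""
# Same file with lines appended later on; write_enable is set and then reset.
LOOSENED = RESTRICTIVE + (
    "write_enable=YES\nlocal_enable=YES\nwrite_enable=NO\nanon_upload_enable=yes\n"
)

if __name__ == "__main__":
    for name, text in (("restrictive", RESTRICTIVE), ("loosened", LOOSENED)):
        print(name, deviations(text) or "read-only anonymous access only")
```

Any value other than NO is reported, so a mistyped or unexpected value is flagged rather than silently accepted.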