FTP Justification

(Archivist's note: These mailing list excepts aim to highlight the oft-forgotten functional advantages of the anonymous variant of ftp over available alternative protocols from a user/sysadmin perspective. What it does not cover is the severe protocol misdesign aspects of the protocol, that create some problems at a network engineering level, especially for firewalling. Those poor-design issues are admirably covered at a page by 'greycat' here: http://mywiki.wooledge.org/FtpMustDie)

From: rick@linuxmafia.com
Date: Tue, 22 Jan 2002 16:55:34 -0800
To: sulug-discuss@lists.Stanford.EDU
Subject: Re: Hacking warning
User-Agent: Mutt/1.3.24i

Quoting Ted Unangst (tedu@stanford.edu):

> How about a Web server? There's several lightweight servers that can
> be setup in minutes. And they're all read-only anonymous.

I believe I have a bunch of them towards the end of http://linuxmafia.com/~rick/faq/warez.html#djb .

Most httpds don't show the symlink attribute or other special attributes. So, while ftp://ftp.debian.org/debian/dists/ makes clear which directories are symlinks, http://ftp.debian.org/debian/dists/ doesn't. (thttpd reportedly does show symlink info.)

That's the biggest thing I miss on typical httpd output compared to an ftpd. The others are (1) complete filesizes (not rounded), which can be crucial for telling at a glance whether the remote file differs from your local copy, and (2) rights masks.

The point being that there's information lossage in eliminating the ftp view of a file tree. Whether that information matters is of course situation-dependent.

One minor point (but since I'm here...):

Small http clients capable of doing recursive gets don't yet ship on the general run of consumer operating systems. (wget noted in passing.) It would have been impossible to install Debian-m68k on my Mac IIci without my *ix box's ftpd, because of tools I had to pull down onto the LAN directly onto the IIci's small HFS/MacOS partition. I didn't have wget or lftp or lynx or scp at that point, and retrieving a big honking graphical MacOS Web browser would have been a bit absurd.

Cheers,   "This is mad, egotistical, sick, twisted, and stretches the bounds of
Rick Moen   good taste right off the tongue, past the uvula, and down around 
rick@linuxmafia.com      the duodenum.  It has other merits, but that should 
           indicate positive interest."  -- The Cube, http://www.forum3000.org/

From rick Tue Jan 22 16:09:20 2002
Date: Tue, 22 Jan 2002 16:09:20 -0800
To: sulug-discuss@lists.Stanford.EDU
Subject: Re: Hacking warning
User-Agent: Mutt/1.3.24i

Quoting Russ Allbery (eagle@windlord.stanford.edu):

> Which one would you recommend for a pure, anonymous-only, read-only ftp
> server?

vs-ftpd and pure-ftpd.

I'm currently using vs-ftpd to meet exactly those requirements, and have been impressed. My mentioning pure-ftpd is based on third-party comments: I've used its troll-ftpd ancestor, and found it at the time generally fine, except for lacking a couple of things that are reportedly now fixed in the pure-ftpd fork.

True paranoics are probably still running Ranum's aftpd on *BSD. ;->

My recollection's hazy about which ftpds are absolutely read-only, as in lacking write access at the system level. But possibly the notes in my listing will help with that.

From rick Fri Dec 21 22:07:10 2001
Date: Fri, 21 Dec 2001 22:07:10 -0800
To: ilug@Linux.ie
Subject: Re: [ILUG] FTP Server on Red Hat 7.1
User-Agent: Mutt/1.3.22i

begin Hunt, Bryan quotation:

> In fact, why use ftp at all?

In the area of files made available to the public:

1. http is nice but its sessions tend to die (fail) a lot.
2. http daemons configured to give full details in directory listings are vanishingly rare. There's no indication of whether a directory is a symlink or a regular directory. Look at ftp://ftp.debian.org/debian/dists/ using ncftp (or lftp, etc.). Now, look at http://http.us.debian.org/dists/ (the same file tree) using a Web browser. Which are symlinks? Likewise, http://http.us.debian.org/dists/sid/ shows only rounded-off filesizes. ftp://ftp.debian.org/debian/dists/sid/ in ncftp / lftp / etc. gives exact filesizes.
3. Multiple recursive gets/puts using ftp is fast, easy, and reliable. Closest http alternative is wget (or lftp), which is nice but not quite as nice.

For those reasons, I make http://linuxmafia.com/ also available as ftp://linuxmafia.com/ using vs-ftpd (mostly for the /pub directory.)

I also have rsyncd running. Public rsync servers are very cool.

4. If you're working from maintenance floppies, the basic ftp client is small enough to be present as a crucial recovery tool. Using any OS. And is routinely available. wget for http isn't as available, and is *ix-only (I think).

(2011 note: The reference to maintenance floppies seems awfully quaint, now, but remember when I was writing. If you were attempting to install a Linux or BSD distribution onto a Motorola m68k-based Macintosh, executable sizes for required MacOS utilities were a serious concern, and you often did indeed end up using floppies. Also, it should be noted that a compact wget utility for Win32 now does exist.)

In general, people who condemn ftp because they have experience only with brain-dead distributions still bundling security-disaster-prone wu-ftpd in the 21st century are drawing the wrong conclusion. See also:


> If you want to connect to your box from Windows and hate the Windows
> command line (who wouldn't?), there are several free graphical scp
> clients.

Detailed in http://linuxmafia.com/ssh/

Of course, scp or sftp should always be used for non-anonymous file transfers (except maybe if it's a non-shell account, but there still are other risks).

Chris Samuel also points out that ftp'ing groups of files can end up being about seven times faster than HTTP.