HOWTO: Setup a Pure-FTPd server with virtual users

tangram


Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server.

This guide provides instructions for using the virtual user system to manage and control users. By using virtual users, FTP accounts can be administrated without affecting system accounts.

Let's initiate Pure-FTPd's installation by entering the following commands:

Code:
% su
# portsnap fetch update
# cd /usr/ports/ftp/pure-ftpd
# make config
A menu containing Pure-FTPd options will pop-up. In my case, I've opted to leave these options at their defaults.

Code:
# make install clean
# rehash
Having finished the installation process, we now move into the configuration stage. We'll start by copying the sample configuration file and setting the configuration options:

Code:
# cd /usr/local/etc
# cp pure-ftpd.conf.sample pure-ftpd.conf
# chmod 644 pure-ftpd.conf
The chmod command was run to be able to edit the file (default permissions are set to -r--r--r--).

Code:
# vi pure-ftpd.conf

    VerboseLog yes
    PureDB /usr/local/etc/pureftpd.pdb
    CreateHomeDir yes
The CreateHomeDir option makes adding virtual users easier by creating a user's home directory upon login (if it doesn't already exist).

We can either import users with system-level accounts (defined in /etc/master.passwd) at once or create new users manually. To import users that already exist on your system into the virtual user database, enter these commands:

Code:
# pure-pwconvert >> /usr/local/etc/pureftpd.passwd
# chmod 600 /usr/local/etc/pureftpd.passwd
# pure-pw mkdb
It should be noted that pure-pwconvert only imports accounts that have shell access. Accounts with the shell set to nologin have to be added manually.

To add users to the Pure-FTPd virtual user database manually, we need to create a system-level account that will be associated with virtual users. Create a new user named vftp like this:

Code:
# pw useradd vftp -s /sbin/nologin -w no -d /usr/home/vftp\
? -c "Virtual FTP user" -m
Having done this we can now add users to the virtual users database using the commands below:

Code:
# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user
# pure-pw mkdb
Replace user with the desired username. With the -d flag, the user will be chrooted. If you want to give the user access to the whole filesystem, use -D instead of -d.

If you want to add additional users, just repeat the commands above with a different user.

To remove a user:

Code:
# pure-pw userdel user
Now to start Pure-FTPd:

Code:
# /usr/local/etc/rc.d/pure-ftpd onestart
Initiate an FTP connection to test the server:

Code:
% ftp localhost

    Trying 127.0.0.1...
    Connected to localhost.
    220---------- Welcome to Pure-FTPd [TLS] ----------
    220-You are user number 2 of 50 allowed.
    220-Local time is now 13:39. Server port: 21.
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    Name (localhost:username):
Now log in with a user account created as explained above. Commands such as ls, cp, pwd and less work just like in tcsh and bash shells. To quit the FTP session type exit.

To configure Pure-FTPd to start at boot time:

Code:
# echo 'pureftpd_enable="YES"' >> /etc/rc.conf
To restart Pure-FTPd and determine if it is running:

Code:
# /usr/local/etc/rc.d/pure-ftpd restart
# /usr/local/etc/rc.d/pure-ftpd status
Pure-FTPd provides useful features for personal users as well as hosting providers. I've only touched the tip of the iceberg so do take a look at the project's website for the excellent documentation that is available.
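
A check for the virtual user file built in this HOWTO, as an added example that is not part of tangram's post: it flags entries created without a chroot (-D rather than -d) and entries mapped to uid or gid 0, and checks the file mode set above. The field positions, function names and sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit a Pure-FTPd virtual user file.
# Assumed pureftpd.passwd layout: colon-separated, 1=login 3=uid 4=gid 6=home.
# A chrooted home (pure-pw -d) is stored with a "/./" marker; -D stores none.
# ChrootEveryone in pure-ftpd.conf is not taken into account here.

sample_passwd() {
    # Constructed sample entries; hashes are placeholders, not real output.
    cat <<'EOF'
alice:$2a$10$PLACEHOLDERHASH:1003:1003::/usr/home/vftp/alice/./::::::::::::
bob:$2a$10$PLACEHOLDERHASH:1003:1003::/usr/home/vftp/bob::::::::::::
root:$2a$10$PLACEHOLDERHASH:0:0::/root/./::::::::::::
EOF
}

audit_pureftpd_passwd() {
    # $1 = path to pureftpd.passwd; prints one finding per line, nothing if clean
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }
        {
            if (index($6, "/./") == 0)
                printf "%s: not chrooted (home=%s)\n", $1, $6
            if ($3 == 0 || $4 == 0)
                printf "%s: mapped to uid/gid 0 (uid=%s gid=%s)\n", $1, $3, $4
        }
    ' "$1"
}

check_passwd_mode() {
    # The HOWTO sets mode 600; warn if any group/other permission bit is set.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "$1: group/other bits set ($perms)"
}

# Demo on the constructed sample
tmp=$(mktemp) && sample_passwd > "$tmp"
audit_pureftpd_passwd "$tmp"
check_passwd_mode "$tmp"
rm -f "$tmp"
```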
 

hirohitosan


Thanks tangram for the HowTo. I followed your instructions and set up a pure-ftpd server. On my computer I have 2 users. I imported users with system-level accounts like you describe, but in fact just one user was imported.
user1 is a member of the wheel group
user2 is a member of the user2 group

pure-ftpd imported just user2.
Now user2 can connect, but user1 cannot.

How can I add user1 to the ftp users?
If one of the normal users changes his password, does pure-ftpd change the password for that user?

Thanks
 
tangram

Hi hirohitosan,

I don't have access to my FreeBSD system right now. Give me a couple of days and I'll get back to you. ;)
 
tangram

@hirohitosan

Are the system accounts you want to import listed in /etc/master.passwd?

Users are imported from the system to the virtual user database by running:
Code:
# pure-pwconvert >> /usr/local/etc/pureftpd.passwd
# chmod 600 /usr/local/etc/pureftpd.passwd
# pure-pw mkdb
Do notice that pure-pwconvert only imports accounts that have shell access. So accounts that have their shell set to nologin have to be added manually.

If a user changes his password I would assume that you need to update the database, however I haven't tried it myself.
 

Business_Woman


How do you restrict user access of individual users when every user is a member of the same system account(s) ftpuser and ftpgroup?
 
tangram

I'm not sure I follow your question...

You add the users you want by:

Code:
# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user
# pure-pw mkdb
 

pablo


Business_Woman said:
How do you restrict user access of individual users when every user is a member of the same system account(s) ftpuser and ftpgroup?
You may add (uncomment) the next line in /usr/local/etc/pure-ftpd.conf
Code:
ChrootEveryone              yes
to limit users to their home directory.
You can add (uncomment) the line
Code:
TrustedGID                    100
to allow users with id<100 (for example, root) access to the whole file system (but, IMHO, I wouldn't do it for security reasons).
To see currently connected users, pure-ftpwho is usable.
Also, the port /usr/ports/www/usermanager (apache + php + mysql) is usable for managing tons of users.
 

Business_Woman


tangram said:
I'm not sure I follow your question...

You add the users you want by:

Code:
# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user
# pure-pw mkdb
Yes, let's say you add user Bob. Now Bob will be a member of the system accounts ftpuser and ftpgroup (following the pure-ftpd tutorial). When Bob uploads a file, the owner of that file will be the system account ftpuser and not the virtual user Bob.
 
tangram

In the HowTo I didn't refer to any ftpuser or ftpgroup groups. It only mentions the creation of a system-level account that will then be used to associate virtual users.

So assuming that you have a bob user that is part of the bob group (by default FreeBSD assigns the user's own name as his primary group name), running:

Code:
# pure-pw useradd bob -u vftp -g vftp -d /usr/home/vftp/bob
# pure-pw mkdb
will add bob to the vftp Pure-FTPd virtual user database.

A file upload by bob will typically send the file to /home/bob/ with permissions such as:

Code:
-rw-r--r--  1 bob  bob  1131291 Apr 15 22:31 random-file
So yeah, the file owner will be bob and his primary group, in this case bob. The owner is the system account user bob.

Useful pure-pw commands are:
useradd adds a virtual user to the /usr/local/etc/pureftpd.passwd file
userdel to delete virtual users
show outputs info on a specific user
list shows a list of users in /usr/local/etc/pureftpd.passwd
 

Business_Woman


So then essentially, every file uploaded by a vftp user will have the same owner and group?
 
tangram

Say bob, john and peter are added to the vftp Pure-FTPd virtual user database.

A file upload by john will typically send the file to /home/john/ with permissions such as:

Code:
-rw-r--r--  1 john  john  1131291 Apr 15 22:31 random-file
A file upload by peter will typically send the file to /home/peter/ with permissions such as:

Code:
-rw-r--r--  1 peter  peter  1131291 Apr 15 22:31 random-file
 

plamaiziere


Business_Woman said:
So then essentially, every file uploaded by a vftp user will have the same owner and group?
Yes.
(edit): I do not have the same setup, I use only one system account and the virtual users are chrooted in their own sub-directories.
 

Business_Woman


Okay. I would like to have several virtual users that have one shared directory that everyone can access, and then their own home directory in which only the owner has rw permissions. How would you accomplish that?
 

pablo


You can create one shared directory and symlink it into every user's home directory. So, nobody can access files from another home directory and all users have (rw) access to the "some_shared" directory.
Is that what you would like?
 

edhunter


@Business_Woman
There is a umask directive in pure-ftpd.conf
Code:
# File creation mask. <umask for files>:<umask for dirs> .
Umask                       113:002
## default was 133:022
This way uploaded files/directories will be rw for every user in the group.


Generally I would like to add two more comments about chrooting:
PureFTPd by default uses "virtual-chroot" - this means that if there are symlinks leading outside of the chroot, the user could escape. I had this problem, and I solved it by removing the line "--with-virtualchroot" from the Makefile before doing make install.
The second one is that there is a way to use per-user chroot, by adding "/./" to the homedir of the user. This is documented in the pureftpd man pages. I am using this strategy for my users (not ChrootEveryone and TrustedGID).
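
For auditing the symlink risk edhunter describes under virtual chroot, with a shared directory like the one pablo suggests as the only permitted outside target, here is an added example that is not from any poster in this thread. The function names and the directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: list symlinks under an FTP home that resolve outside it.
# With virtual chroot such links are followed, so each one is a path out.

build_demo_tree() {
    # Constructed layout under $1: one internal link, one shared link, one escape
    mkdir -p "$1/home/bob/docs" "$1/shared" "$1/etc"
    ln -s docs "$1/home/bob/inside"
    ln -s "$1/shared" "$1/home/bob/shared"
    ln -s "$1/etc" "$1/home/bob/oops"
}

find_escaping_symlinks() {
    # $1 = user's home (the chroot root); $2 = optional allowed shared directory
    root=$(realpath "$1") || return 1
    allowed=""
    if [ -n "${2:-}" ]; then
        allowed=$(realpath "$2") || return 1
    fi
    find "$root" -type l | sort | while IFS= read -r link; do
        # A link that cannot be resolved is reported rather than ignored
        target=$(realpath "$link" 2>/dev/null) || { echo "UNRESOLVED $link"; continue; }
        case "$target/" in
            "$root"/*) continue ;;      # resolves inside the home: fine
        esac
        if [ -n "$allowed" ]; then
            case "$target/" in
                "$allowed"/*) continue ;;   # resolves inside the shared directory
            esac
        fi
        echo "ESCAPES $link -> $target"
    done
}

# Demo on the constructed tree: only the "oops" link should be reported
demo=$(mktemp -d) && build_demo_tree "$demo"
find_escaping_symlinks "$demo/home/bob" "$demo/shared"
rm -rf "$demo"
```

Comparing against the path with a trailing slash keeps a sibling such as /home/bobby from being treated as inside /home/bob.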
 

Business_Woman


tangram said:
In the HowTo I didn't refer to any ftpuser or ftpgroup groups. It only mentions the creation of a system-level account that will then be used to associate virtual users.

So assuming that you have a bob user that is part of the bob group (by default FreeBSD assigns the user's own name as his primary group name), running:

Code:
# pure-pw useradd bob -u vftp -g vftp -d /usr/home/vftp/bob
# pure-pw mkdb
will add bob to the vftp Pure-FTPd virtual user database.

A file upload by bob will typically send the file to /home/bob/ with permissions such as:

Code:
-rw-r--r--  1 bob  bob  1131291 Apr 15 22:31 random-file
This is my problem: the owner of the file uploaded by Bob is vsftp for me, and not Bob :\
 
tangram

Did you follow the steps in this tutorial or customize things? I've tested and an upload by bob ends up with bob's permissions.
 

Business_Woman


Hi,

I think it is strange as well, I have done this before and it has always worked out nicely.
 

DEViATIO


users with one shared directory

Hi, can somebody write a small, fast step-by-step howto (I have read this tutorial but don't know how to set up rights for users and folders + shared folders for all users)? I am lost:

perhaps something more difficult in this ftpserver:

-> one shared upload folder for all users (can upload)
*delete (yes/no) (how to set up max MB?)

-> shared download folder (can download only)

-> own folder to upload/download files (how to set max MB of the folder?)

*create admin user (he can do everything)
 

Kazuki


Hi,

I have a problem.
I connect with my user, but I can't upload and download a file.
How to configure this right ?

Thanks
 
tangram

What exactly is the problem? Logs, errors, configs would help troubleshooting.

Btw did you follow the HOWTO and come across an issue or is it just a generic Pure-FTPd problem? If it is Pure-FTPd related, better post in the appropriate forum section.
 