HOWTO: Setup a Pure-FTPd server with virtual users

Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server.

This guide provides instructions for using the virtual user system to manage and control users. By using virtual users, FTP accounts can be administrated without affecting system accounts.

Let's initiate Pure-FTPd's installation by entering the following commands:

Code:
% su
# portsnap fetch update
# cd /usr/ports/ftp/pure-ftpd
# make config

A menu containing Pure-FTPd options will pop up. In my case, I've opted to leave these options at their defaults.

Code:
# make install clean
# rehash

Having finished the installation process, we now move into the configuration stage. We'll start by copying the sample configuration file and setting the configuration options:

Code:
# cd /usr/local/etc
# cp pure-ftpd.conf.sample pure-ftpd.conf
# chmod 644 pure-ftpd.conf

The chmod command was run to be able to edit the file (default permissions are set to -r--r--r--).

Code:
# vi pure-ftpd.conf

    VerboseLog yes
    PureDB /usr/local/etc/pureftpd.pdb
    CreateHomeDir yes

The CreateHomeDir option makes adding virtual users easier by creating a user's home directory upon login (if it doesn't already exist).

We can either import users with system-level accounts (defined in /etc/master.passwd) at once or create new users manually. To import users that already exist on your system into the virtual user database, enter these commands:

Code:
# pure-pwconvert >> /usr/local/etc/pureftpd.passwd
# chmod 600 /usr/local/etc/pureftpd.passwd
# pure-pw mkdb

It should be noted that pure-pwconvert only imports accounts that have shell access. Accounts with the shell set to nologin have to be added manually.

To add users to the Pure-FTPd virtual user database manually, we need to create a system-level account that will be associated with virtual users. Create a new user named vftp like this:

Code:
# pw useradd vftp -s /sbin/nologin -w no -d /usr/home/vftp\
? -c "Virtual FTP user" -m

Having done this we can now add users to the virtual users database using the commands below:

Code:
# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user
# pure-pw mkdb

Replace user with the desired username. With the -d flag, the user will be chrooted. If you want to give the user access to the whole filesystem, use -D instead of -d.

If you want to add additional users, just repeat the commands above with a different user.

To remove a user:

Code:
# pure-pw userdel user

Now to start Pure-FTPd:

Code:
# /usr/local/etc/rc.d/pure-ftpd onestart

Initiate an FTP connection to test the server:

Code:
% ftp localhost

    Trying 127.0.0.1...
    Connected to localhost.
    220---------- Welcome to Pure-FTPd [TLS] ----------
    220-You are user number 2 of 50 allowed.
    220-Local time is now 13:39. Server port: 21.
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    Name (localhost:username):

Now log in with a user account created as explained above. Commands such as ls, cp, pwd and less work just like in tcsh and bash shells. To quit the FTP session type exit.

To configure Pure-FTPd to start at boot time:

Code:
# echo 'pureftpd_enable="YES"' >> /etc/rc.conf

To restart Pure-FTPd and determine if it is running:

Code:
# /usr/local/etc/rc.d/pure-ftpd restart
# /usr/local/etc/rc.d/pure-ftpd status

Pure-FTPd provides useful features for personal users as well as hosting providers. I've only touched the tip of the iceberg so do take a look at the project's website for the excellent documentation that is available.
 
Thanks tangram for the HowTo. I followed your instructions and set up a pure-ftpd server. On my computer I have 2 users. I imported users with system-level accounts like you describe, but in fact just one user was imported.
user1 is member of wheel group
user2 is member of user2 group

pure-ftpd imported just user2.
now user2 can connect, but user1 cannot

How can I add user1 to the ftp users?
If one of the normal users changes his password, does pure-ftpd change the password for that user?

thanks
 
Hi hirohitosan,

I don't have access to my FreeBSD system right now. Give me a couple of days and I'll get back to you. ;)
 
@ hirohitosan

Are the system accounts you want to import listed in /etc/master.passwd?

Users are imported from the system to the virtual user database by running:
Code:
# pure-pwconvert >> /usr/local/etc/pureftpd.passwd
# chmod 600 /usr/local/etc/pureftpd.passwd
# pure-pw mkdb

Do notice that pure-pwconvert only imports accounts that have shell access. So accounts that have their shell set to nologin have to be added manually.

If a user changes his password I would assume that you need to update the database, however I haven't tried it myself.
 
I'm not sure I follow your question...

You add the users you want by:

Code:
# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user
# pure-pw mkdb
 
Business_Woman said:
How do you restrict user access of individual users when every user is member of the same system account(s) ftpuser and ftpgroup ?
You may add (uncomment) the following line in /usr/local/etc/pure-ftpd.conf
Code:
ChrootEveryone              yes
to limit users to their home directory.
You can add (uncomment) the line
Code:
TrustedGID                    100
to allow users with id<100 (for example, root) access to the whole file system (but, IMHO, I wouldn't do it, for security reasons).
To see currently connected users, pure-ftpwho is usable.
Also, the port /usr/ports/www/usermanager (apache + php + mysql) is usable for managing tons of users.
 
tangram said:
I'm not sure I follow your question...

You add the users you want by:

Code:
# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user
# pure-pw mkdb

Yes, let's say you add user Bob. Now Bob will be a member of the system accounts ftpuser and ftpgroup (following the pure-ftpd tutorial). When Bob uploads a file, the owner of that file will be the system account ftpuser and not the virtual user Bob.
 
In the HowTo I didn't refer to any ftpuser or ftpgroup groups. It only mentions the creation of a system-level account that will then be used to associate virtual users.

So assuming that you have a bob user that is part of the bob group (by default FreeBSD assigns the user's own name as his primary group name), running:

Code:
# pure-pw useradd bob -u vftp -g vftp -d /usr/home/vftp/bob
# pure-pw mkdb

will add bob to the vftp Pure-FTPd virtual user database.

A file upload by bob will typically send the file to /home/bob/ with permissions such as:

Code:
-rw-r--r--  1 bob  bob  1131291 Apr 15 22:31 random-file

So yeah, the file owner will be bob and his primary group, in this case bob. The owner is the system account user bob.

Useful pure-pw commands are:
useradd adds a virtual user to the /usr/local/etc/pureftpd.passwd file
userdel to delete virtual users
show outputs info on a specific user
list shows a list of users in /usr/local/etc/pureftpd.passwd
 
If bob, john and peter are added to the vftp Pure-FTPd virtual user database.

A file upload by john will typically send the file to /home/john/ with permissions such as:

Code:
-rw-r--r--  1 john  john  1131291 Apr 15 22:31 random-file

A file upload by peter will typically send the file to /home/peter/ with permissions such as:

Code:
-rw-r--r--  1 peter  peter  1131291 Apr 15 22:31 random-file
 
Business_Woman said:
So then essentially, every file uploaded by a vftp user will have the same owner and group?

Yes.
(edit): I do not have the same setup, I use only one system account and the virtual users are chrooted in their own sub-directories.
 
okay. I would like to have several virtual users that had one shared directory, that everyone could access and then their own home directory in which only the owner had rw permissions. How would you accomplish that?
 
You can create one shared directory and symlink it into every user's home directory. So, nobody can access files from another home directory and all users have (rw) access to the "some_shared" directory.
Is that what you would like?
 
@Business_Woman
There is a umask directive in pure-ftpd.conf
Code:
# File creation mask. <umask for files>:<umask for dirs> .
Umask                       113:002
## default was 133:022

This way uploaded files/directories will be rw for every user in the group.


Generally I would like to add two more comments about chrooting:
PureFTPd by default uses "virtual-chroot" - this means that if there are symlinks leading outside of the chroot, the user could escape. I had this problem, and I solved it by removing the line "--with-virtualchroot" from the Makefile before doing make install.
The second one is that there is a way to use per-user chroot, by adding "/./" to the homedir of the user. This is documented in the pureftpd man pages. I am using this strategy for my users (not ChrootEveryone and TrustedGID).
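
A defensive check for the two chroot points raised in this thread (the -d/-D choice in the HOWTO, and the symlink and "/./" remarks in the post above), as an added example that is not from any poster or from the Pure-FTPd project. It assumes the home directory is the sixth colon-separated field of pureftpd.passwd and that a chrooted account is recorded with a trailing "/./"; the sample accounts, paths and uid are constructed.

```shell
#!/bin/sh
# Added example: defensive audit of a pure-pw passwd file and an FTP home.
# Assumed layout: login:password:uid:gid:gecos:home:...  (home is field 6).

# Print "login<TAB>home" for each virtual user whose home lacks the "/./"
# chroot marker (what -D instead of -d produces, per the assumption above).
unchrooted_users() {
    awk -F: '$1 != "" && $1 !~ /^#/ && $6 !~ /\/\.\/$/ { print $1 "\t" $6 }' "$1"
}

# Print each symlink under directory $1 whose target resolves outside $1.
# Under a virtual chroot such links lead a session out of the home directory.
escaping_symlinks() {
    root=$(cd "$1" && pwd -P) || return 1
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link") || target=""
        case "$target" in
            "$root"|"$root"/*) ;;    # resolves inside the home: fine
            *) printf '%s -> %s\n' "$link" "${target:-unresolvable}" ;;
        esac
    done
}

# Constructed sample: bob and john chrooted, peter not; bob's home holds one
# link to /etc (escapes) and one link to his own docs directory (does not).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/vftp/bob/docs" "$d/vftp/john"
    ln -s /etc "$d/vftp/bob/etc-link"
    ln -s docs "$d/vftp/bob/docs-link"
    cat > "$d/pureftpd.passwd" <<EOF
bob:HASH_PLACEHOLDER:1003:1003::$d/vftp/bob/./::::::::::::
john:HASH_PLACEHOLDER:1003:1003::$d/vftp/john/./::::::::::::
peter:HASH_PLACEHOLDER:1003:1003::$d/vftp/peter::::::::::::
EOF
    echo "$d"
}

sample=$(make_sample)
echo "Not chrooted:";   unchrooted_users "$sample/pureftpd.passwd"
echo "Escaping links:"; escaping_symlinks "$sample/vftp/bob"
rm -rf "$sample"
```

Run against the real files, the first function takes /usr/local/etc/pureftpd.passwd and the second takes one user's home directory.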
 
tangram said:
In the HowTo I didn't refer to any ftpuser or ftpgroup groups. It only mentions the creation of a system-level account that will then be used to associate virtual users.

So assuming that you have a bob user that is part of the bob group (by default FreeBSD assigns the user's own name as his primary group name), running:

Code:
# pure-pw useradd bob -u vftp -g vftp -d /usr/home/vftp/bob
# pure-pw mkdb

will add bob to the vftp Pure-FTPd virtual user database.

A file upload by bob will typically send the file to /home/bob/ with permissions such as:

Code:
-rw-r--r--  1 bob  bob  1131291 Apr 15 22:31 random-file
This is my problem: the owner of the file uploaded by Bob is vsftp for me, and not Bob :\
 
Did you follow the steps in this tutorial or customize things? I've tested, and an upload by bob ends up with bob's permissions.
 
users with one shared directory

Hi, can somebody write a small, fast step-by-step howto (I have read this tutorial but don't know how to set up rights for users and folders + shared folders for all users)? I am lost:

perhaps something more difficult in this ftpserver:



-> one shared upload folder for all users(can upload)
*delete (yes/no) (how to set up max MB ? )


->shared download folder (can download only)

->own folder to upload/download files (how to set max MB of the folder?)



*create admin user (he can do everything)
 
Hi,

I have a problem.
I connect with my user, but I can't upload and download a file.
How to configure this right ?

Thanks
 
What's exactly the problem? Logs, errors, configs would help troubleshooting.

Btw, did you follow the HOWTO and come across an issue, or is it just a generic Pure-FTPd problem? If it is Pure-FTPd related, better post in the appropriate forum section.
 