ProFTPD - Customized FTP server instance

From NAS-Central Buffalo - The Linkstation Wiki

Earlier revision: running a second proftpd instance (superseded)

This section is from the earlier revision of the page, written by mindbender at Linkstationwiki.org from forum posts by casachi. It runs a second proftpd next to the stock one, started from its own init script and reading its own configuration file, so the stock software can keep regenerating /etc/proftpd.conf without touching the customized instance. The latest revision below replaced this with editing the stock configuration directly and stopping the firmware from rewriting it, but the file names introduced here (/etc/proftpd2nd.conf, /etc/ftp2ndpasswd, /etc/ftp2ndgroup) are still used in its "Virtual users" section.

Installation (stock Proftpd v1.2.9)

Do not re-enable the stock FTP server while the second instance runs: two proftpd instances cannot both listen on port 21, and whichever starts second fails to bind.

  • Disable your default FTP server over the web interface.
  • Create a new startup file /etc/init.d/ftpd2nd and copy the text below into it. Note the command /usr/sbin/proftpd -c /etc/proftpd2nd.conf, which specifies the alternate configuration file.

 vi /etc/init.d/ftpd2nd

 #!/bin/sh
 #
 # ftpd2nd - startup script for the second proftpd instance
 # This goes in /etc/init.d and gets run at boot-time.
 #
 # chkconfig 2 92 92
 #
 #. /etc/timezone
 . /etc/melco/ftpstatus > /dev/null 2>&1
 PATH=/bin:/usr/bin:/sbin:/usr/sbin
 tag=linkstation
 facility=user.info
 
 if ! [ -x /usr/sbin/proftpd ]; then
     exit 0
 fi
 
 start()
 {
     # delete shutdown message
     if [ -f /etc/shutmsg ] ; then
         rm -f /etc/shutmsg
     fi
     echo "Start services: proftpd2nd"
     /usr/sbin/proftpd -c /etc/proftpd2nd.conf
     logger -t ${tag} -p ${facility} -i 'Started proftpd2nd'
 }
 
 stop()
 {
     echo "Stop services: proftpd2nd"
     # stop this instance by its pid file (the PidFile directive set in
     # /etc/proftpd2nd.conf below); --exec alone matches every proftpd
     # process, including the stock one if it is ever running at the same time
     /sbin/start-stop-daemon --stop --quiet --pidfile /var/run/proftp2nd.pid --exec /usr/sbin/proftpd
     logger -t ${tag} -p ${facility} -i 'Stopped proftpd2nd'
 }
 
 case "$1" in
     start)
         start
         ;;
     stop)
         stop
         ;;
     restart)
         stop
         sleep 1
         start
         ;;
     *)
         echo "usage: $0 { start | stop | restart }" >&2
         exit 1
         ;;
 esac
 exit 0

  • Link this startup file to runlevels 0, 2 and 6 (startup and shutdown):

 ln -s /etc/init.d/ftpd2nd /etc/rc.d/rc0.d/K92ftpd2nd
 ln -s /etc/init.d/ftpd2nd /etc/rc.d/rc2.d/S92ftpd2nd
 ln -s /etc/init.d/ftpd2nd /etc/rc.d/rc6.d/K92ftpd2nd

  • The installation is complete; after a reboot the second server starts automatically. The rest is configuration.

Configuration (based on the forum posts of casachi)

As documentation I looked into http://www.proftpd.org/docs/ mainly to look up what I needed for the config file (I wanted to assign different privileges to virtual users).

To start with you can just create /etc/proftpd2nd.conf as a copy of /etc/proftpd.conf, so the new instance of proftpd should behave exactly as the original one (the original one must not be running, otherwise they would conflict on the use of port 21).

Then you can start changing /etc/proftpd2nd.conf to your liking. I would suggest modifying the following

 ScoreboardFile /var/log/scoreboardfile2nd
 PidFile /var/run/proftp2nd.pid
 TransferLog /var/log/xferlog2nd

so the new instance and the old one use different files for log/pid/vardata.

The rest is really up to what you want to do with the new server; proftpd is very flexible. I really enjoyed the granularity of access privileges on a user basis and the possibility to create "virtual users" (ftp users without the need of a full account on the linkstation).

The authentication part of these posts is now in the "Virtual users" section of the latest revision.

Something else: the logfile

You might want to add /var/log/xferlog2nd to the list of files that are log-rotated. You can do that by creating a file /etc/logrotate.d/proftp2nd with content:

 /var/log/xferlog2nd {
     missingok
     notifempty
     postrotate
         /usr/local/bin/kill -HUP `cat /var/run/proftp2nd.pid 2>/dev/null` 2>/dev/null || true
     endscript
 }
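Before the second init script is enabled it is worth checking that the two configuration files really differ in everything two running instances must not share: the listening port, the pid file, the scoreboard and the transfer log. The shell functions below are an added example, not the wiki's own code; they read two proftpd configuration files and report directives that resolve to the same value. A directive that a file does not set resolves to proftpd's built-in default: 21 is the FTP port, while the defaults assumed here for PidFile, ScoreboardFile and TransferLog depend on how the binary was built and are the example's assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's own code: check that a second proftpd
# configuration differs from the stock one in everything two running
# instances must not share. A missing directive resolves to proftpd's
# default; 21 is the FTP port, the other three defaults depend on how the
# binary was built and are assumptions of this example.

# conf_value FILE DIRECTIVE DEFAULT
# Prints the top-level value of DIRECTIVE (the last one wins, as in proftpd)
# or DEFAULT when the file does not set it. Comment lines are skipped and
# anything inside <Directory>, <Limit>, <Anonymous> or <VirtualHost> blocks
# is ignored, because the server level decides the port, pid and scoreboard.
conf_value() {
    awk -v d="$2" -v def="$3" '
        /^[[:space:]]*#/   { next }
        /^[[:space:]]*<\// { depth--; next }
        /^[[:space:]]*</   { depth++; next }
        depth == 0 && tolower($1) == tolower(d) { v = $2 }
        END { print (v == "" ? def : v) }
    ' "$1"
}

# instance_conflicts CONF_A CONF_B
# Prints each directive (with its value) that resolves identically in both
# files and returns 1 if there is any; 0 means the two instances can coexist.
instance_conflicts() {
    ca=$1 cb=$2 rc=0
    for spec in "Port 21" \
                "PidFile /var/run/proftpd.pid" \
                "ScoreboardFile /var/run/proftpd.scoreboard" \
                "TransferLog /var/log/xferlog"; do
        set -- $spec          # $1 = directive, $2 = assumed default
        a=$(conf_value "$ca" "$1" "$2")
        b=$(conf_value "$cb" "$1" "$2")
        if [ "$a" = "$b" ]; then
            echo "$1 $a"
            rc=1
        fi
    done
    return $rc
}
```

On the box, `instance_conflicts /etc/proftpd.conf /etc/proftpd2nd.conf` before enabling the init script shows what still collides; `proftpd -t -c /etc/proftpd2nd.conf` additionally checks the file for syntax errors. Note that a copied stock file keeps Port 21, so with the stock server disabled that one collision is expected, while a shared PidFile or ScoreboardFile is always wrong.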
Latest revision as of 15:04, 11 December 2010

This article was originally written by mindbender at Linkstationwiki.org. It is presently being reworked by shryke at globalmessageexchange dot de.


The FTP daemons

The Linkstation comes with two different FTP server daemons:

# WU-FTPD, which is dated and will not be discussed here.
# PROFTPD, which is the one we are going to use, because it has a clean user management
   and an intuitive way of handling access restrictions.

Why two daemons are shipped is not obvious, since PROFTPD is perfectly capable of handling anonymous access; in the stock firmware, WU-FTPD is used for that task anyway.

Stock Proftpd v1.2.9 on LS 2 (MIPSel)

There is a script that starts either wu-ftpd or proftpd, depending on whether you choose anonymous or user-based FTP.
This file resides at /etc/init.d/ftpd and is called during the boot sequence via the symlink S92ftpd in rc2.d.
This script calls /usr/sbin/proftpd; the configuration file that customizes the daemon's behavior is /etc/proftpd.conf.

Configure PROFTPD

Directory Structure

PPC based boxes have a different path for /dev/hda3!
While the LS2 uses /mnt/hda as the mount point for the big data partition /dev/hda3, all ppc-based boxes (LS1, HG, HS) use /mnt/ instead. This article was rewritten for the LS2; if you want to do the modification on a ppc-based box, always use /mnt/ instead of /mnt/hda/.


Here is a sample configuration:

Motivation:
We want to set up a simple server to allow for our friends to download 
some files we prepared for them and also give them the opportunity to upload
whatever they want.
  • /mnt/hda/ftp is the root directory of our ftp server.
    • /mnt/hda/ftp/pub (here you put the files they can download)
    • /mnt/hda/ftp/incoming (here they can upload whatever they want)

To set the rights for the directories, you edit the proftpd.conf.

vi /etc/proftpd.conf
WARNING!!! Any changes you make here will be reset by the linkstation's stock software at reboot! To make your changes last, see the chapter "Make your changes permanent" below.
 ServerName              LinkStation
 ServerType              standalone
 DefaultServer           on
 ServerIdent             off
 
 AuthPAMAuthoritative    on
 AuthPAMConfig           ftp
 
 Port                    21
 Umask                   000
 TimesGMT                off
 UseReverseDNS           off
 IdentLookups            off
 MaxInstances            100
 User                    nobody
 Group                   nogroup
 RootLogin               off
 DefaultRoot             /mnt/hda/ftp
 DefaultTransferMode     binary
 TimeoutIdle             900
 TimeoutLogin            120 
 
 ScoreboardFile          /var/log/scoreboardfile 
 
 AllowStoreRestart       on
 AllowRetrieveRestart    on
 AllowOverwrite          on 
 
 SocketOptions rcvBuf    131070
 SocketOptions sndBuf    131070
 
 <Limit SITE_CHMOD>
   DenyAll
 </Limit> 
 
 <Directory /mnt/hda/ftp>
   <Limit WRITE>
     DenyAll
   </Limit>
 </Directory>
 
 <Directory /mnt/hda/ftp/incoming>
   <Limit WRITE>
     AllowAll
   </Limit>
   <Limit DELE RMD>
     DenyAll
   </Limit>
 </Directory>
 
 <Directory /mnt/hda/ftp/pub>
   <Limit ALL>
     AllowAll
   </Limit>
 
   <Limit WRITE>
     DenyAll
   </Limit>
 </Directory>

In the subdir pub there is no write access, and in the subdir incoming anybody can upload anything but cannot delete files or remove directories. Users are caged into the chroot environment set by DefaultRoot and cannot escape /mnt/hda/ftp.

Two points to keep in mind with this configuration. Umask 000 means every uploaded file and directory is created world-writable on the LinkStation's own filesystem (0666 and 0777), which matters for anything else on the box that can reach /mnt/hda/ftp; Umask 022 gives the usual 0644 and 0755 instead. And because AllowOverwrite is on and the WRITE command group also covers STOR and RNTO, an uploader in incoming can still overwrite or rename files that someone else put there, even though DELE and RMD are denied. If that matters, set AllowOverwrite off inside the <Directory /mnt/hda/ftp/incoming> block and add RNTO to its denied commands; explicitly named commands take precedence over the WRITE group, which is the same mechanism the DELE RMD block already relies on.
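The Limit blocks are enforced by proftpd, but the filesystem underneath has to agree with them: after login proftpd runs the session as the authenticated user's uid, so incoming must be writable for those uids while the root and pub must not be, and Umask decides what mode uploaded files get. The following shell script is an added example and not code from the wiki page; it builds the tree the way a root user on the box would and shows the difference between Umask 000 and 022 on the files an upload leaves behind. The default root /mnt/hda/ftp is taken from the page, while the directory modes (0755 for the root and pub, 1777 for incoming) are the example's own choice.

```shell
#!/bin/sh
# Added example, not code from the wiki page. Builds the directory tree the
# proftpd.conf above expects and shows what the Umask directive does to
# uploaded files. Assumptions: ROOT defaults to /mnt/hda/ftp; the modes
# (0755 for root and pub, 1777 for incoming) are this example's own choice.

# make_ftp_tree [ROOT]
# proftpd runs the session as the authenticated user's uid, so the filesystem
# must back up the <Limit> blocks: the root and pub are writable by root only
# (matching <Limit WRITE> DenyAll), incoming is world-writable with the sticky
# bit, so uploaders cannot unlink or rename each other's files even though the
# daemon already denies DELE and RMD there.
make_ftp_tree() {
    root=${1:-/mnt/hda/ftp}
    mkdir -p "$root/pub" "$root/incoming"
    chmod 0755 "$root" "$root/pub"
    chmod 1777 "$root/incoming"
    # chown needs root; the LinkStation procedure is carried out as root
    if [ "$(id -u)" = "0" ]; then
        chown root:root "$root" "$root/pub" "$root/incoming"
    fi
}

# simulate_upload ROOT NAME UMASK
# Creates NAME in ROOT/incoming under the given umask, which is what the Umask
# directive sets for the session before STOR creates the file. Runs in a
# subshell so the caller's umask stays untouched.
simulate_upload() {
    ( umask "$3" && : > "$1/incoming/$2" )
}

# count_world_writable ROOT
# Number of regular files under ROOT that any local uid may modify (other-write
# bit set). With "Umask 000" every upload ends up like that, so a different
# uid can overwrite it with STOR while AllowOverwrite is on; "Umask 022"
# yields 0644 files that only the uploader's own uid can change. Directories
# are skipped because incoming is world-writable by design.
count_world_writable() {
    find "$1" -type f -perm -002 | wc -l | tr -d ' '
}
```

Run `make_ftp_tree` as root on the box, and after a few real uploads use `count_world_writable /mnt/hda/ftp` to see whether the Umask setting does what you expect.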

Virtual users

by casachi at Linkstationwiki.org


As documentation I looked into http://www.proftpd.org/docs/ mainly to look up what I needed for the config file (I wanted to assign different privileges to virtual users).

The rest is really up to what you want to do with the new server; proftpd is very flexible. I really enjoyed the granularity of access privileges on a user basis and the possibility to create "virtual users" (ftp users without the need of a full account on the linkstation).

Authentication with "virtual users" (non-system users)

I added these to my config file

AuthPAMAuthoritative off
AuthPAMConfig ftp 
AuthGroupFile /etc/ftp2ndgroup
AuthUserFile /etc/ftp2ndpasswd


What happens then is that, if the user has a "regular account" on the linkstation (i.e. the user is in the usual /etc/passwd file and the group is in the /etc/group file) then he/she can login with the linkstation login password.

So you don't have to duplicate your own user account. If the user is not in /etc/passwd, then the file /etc/ftp2ndpasswd is looked up. The format is exactly the same as /etc/passwd, but you have to use fake id numbers that won't overlap with the ones in the normal passwd file.

To generate the password hashes needed in /etc/ftp2ndpasswd, you can use the "htpasswd -n username" command. In some cases it might be necessary that the home directory and the shell indicated in /etc/ftp2ndpasswd actually point to an existing directory and shell.
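A line in /etc/ftp2ndpasswd is easy to get wrong by hand: a uid that collides with a system account, or a hash in a format proftpd cannot check. The shell functions below are an added example rather than casachi's or the wiki's own code; they append a virtual user and its group after checking both the system files and the ftp files for collisions. proftpd verifies AuthUserFile passwords with crypt(3), so the hash must be a crypt(3)-style string the box's libc supports: `openssl passwd -6` (SHA-512 on glibc), `htpasswd -nd` (traditional DES crypt) or the ftpasswd script shipped with proftpd all produce one, whereas the $apr1$ MD5 format that recent htpasswd versions emit by default is not understood by crypt(3). The file names, the uid range used in the test, the gecos text and the /bin/false shell are assumptions of the example.

```shell
#!/bin/sh
# Added example, not casachi's or the wiki's code: add a "virtual user" to
# the AuthUserFile/AuthGroupFile pair without colliding with system accounts.
# The file names, the /bin/false shell and the gecos text are assumptions;
# the paths can be overridden through the environment.
SYS_PASSWD=${SYS_PASSWD:-/etc/passwd}
SYS_GROUP=${SYS_GROUP:-/etc/group}
FTP_PASSWD=${FTP_PASSWD:-/etc/ftp2ndpasswd}
FTP_GROUP=${FTP_GROUP:-/etc/ftp2ndgroup}

# field_in_use FILE FIELD VALUE
# True if VALUE appears in colon-separated column FIELD of FILE (1 = name,
# 3 = numeric id). A missing file counts as "not in use".
field_in_use() {
    [ -r "$1" ] || return 1
    awk -F: -v f="$2" -v v="$3" '$f == v { hit = 1 } END { exit hit ? 0 : 1 }' "$1"
}

# add_virtual_user NAME HASH UID GID HOME
# HASH must be a crypt(3) string, because proftpd validates AuthUserFile
# entries with crypt(3). Name and uid are checked against /etc/passwd as well
# as the ftp file: proftpd consults /etc/passwd first, so a duplicate name
# would never reach this file, and a duplicate uid would hand the virtual
# user that account's files on disk.
add_virtual_user() {
    name=$1 hash=$2 uid=$3 gid=$4 home=$5
    case $uid in ''|*[!0-9]*) echo "uid must be numeric" >&2; return 2 ;; esac
    case $gid in ''|*[!0-9]*) echo "gid must be numeric" >&2; return 2 ;; esac
    case $hash in ''|'*'|'!'*) echo "refusing an empty or locked hash" >&2; return 2 ;; esac
    for f in "$SYS_PASSWD" "$FTP_PASSWD"; do
        if field_in_use "$f" 1 "$name"; then echo "$name exists in $f" >&2; return 1; fi
        if field_in_use "$f" 3 "$uid"; then echo "uid $uid is used in $f" >&2; return 1; fi
    done
    [ -d "$home" ] || echo "warning: $home does not exist yet" >&2
    # /bin/false: the entry is for FTP only and must never become a login
    printf '%s:%s:%s:%s:FTP virtual user:%s:/bin/false\n' \
        "$name" "$hash" "$uid" "$gid" "$home" >> "$FTP_PASSWD"
}

# add_virtual_group NAME GID
# Defines the group in the ftp group file unless the name or gid already
# exists in either group file (a system group such as nogroup can be used
# directly without an entry here).
add_virtual_group() {
    for f in "$SYS_GROUP" "$FTP_GROUP"; do
        if field_in_use "$f" 1 "$1" || field_in_use "$f" 3 "$2"; then
            echo "group $1/$2 already defined in $f" >&2; return 1
        fi
    done
    printf '%s:x:%s:\n' "$1" "$2" >> "$FTP_GROUP"
}
```

Typical use on the box: `add_virtual_group ftpusers 5000`, then `add_virtual_user alice "$(openssl passwd -6)" 5001 5000 /mnt/hda/ftp` (openssl prompts for the password), and the new user can log in as soon as proftpd re-reads the files at the next session.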

Making your changes permanent (LS-CHL-V2)

See here: http://forum.buffalo.nas-central.org/viewtopic.php?f=39&t=20436

Make your changes permanent

(No longer current)

You probably want to make your configuration changes permanent, so you need to keep the linkstation from rewriting the file /etc/proftpd.conf . If you do this, you lose the simplicity of the ftp server configuration by web-interface, but you gain full control of the ftp server on your linkstation.

To achieve this, the file /etc/init.d/mkshare.sh needs to be edited. Only the line

#       echo "FTP configration file generating..."

and the 5 lines below it, the FTP part of the block, need to be commented out, as shown in the excerpt:

 vi /etc/init.d/mkshare.sh

#generate configuration files
if [ -x /bin/mkcode ]; then
       echo "Netatalk configration file generating..."
       /bin/mkcode -a > /dev/null
       /bin/nkf -sEO /etc/atalk/AppleVolumes.default /tmp/AppleVolumes
       mv -f /tmp/AppleVolumes /etc/atalk/AppleVolumes.default

       echo "Samba configration file generating..."
       /bin/mkcode -s > /dev/null
       /bin/nkf -sEO /etc/samba/smb.conf /tmp/smb.conf
       mv -f /tmp/smb.conf /etc/samba/smb.conf

#       echo "FTP configration file generating..."
#       /bin/mkcode -f > /dev/null
#       /bin/nkf -sEO /etc/wu-ftpd/ftpaccess /tmp/ftpaccess
#       mv -f /tmp/ftpaccess /etc/wu-ftpd/ftpaccess
#       /bin/nkf -sEO /etc/proftpd.conf /tmp/proftpd.conf
#       mv -f /tmp/proftpd.conf /etc/proftpd.conf
fi

Now you can edit /etc/proftpd.conf and it will actually stay that way. The same commented-out lines also generated /etc/wu-ftpd/ftpaccess, so after this change the FTP settings in the web interface no longer affect either daemon, while the Samba and Netatalk configurations are still regenerated at every boot.