Difference between revisions of "ProFTPD - Customized FTP server instance"

From NAS-Central Buffalo - The Linkstation Wiki
Jump to: navigation, search
Line 3: Line 3:
 
Originally by mindbender.
 
Originally by mindbender.
 
at Linkstationwiki.org
 
at Linkstationwiki.org
It is presently being reworked by shryke.
+
It is presently being reworked by shryke at globalmessageexchange dot de.
 
</small></font>''<br>
 
</small></font>''<br>
  
== Linkstation 2 (MIPSEL)==
+
== The FTP deamons ==
  
=== Stock Proftpd v1.2.9 ===
+
The Linkstation comes with two different [http://en.wikipedia.org/wiki/Ftp FTP] Server deamons:
The Linkstation comes with two different [[FTP]] Server deamons.
+
# [http://en.wikipedia.org/wiki/Wu-ftpd WU-FTPD] which has come to ages and will not be discussed here.
 +
# [http://en.wikipedia.org/wiki/Proftpd PROFTPD] which is the one we are going to use, because it is has a nice user-management
 +
    and an intuitive way of handling access restrictions.
  
There is a script file to start wu-ftpd or proftpd (depending on whether you choose anonymous or user-based FTP).
+
The deeper sense of delivering two deamons escapes me, for PROFTPD is perfectly capable of handling anonymous access. But in the stock version, WU-FTPD is used for handling this task, anyway.
This file resides here: /etc/init.d/ftpd and gets called during boot via symlink S92ftpd in rc2.d
+
  
 +
=== Stock Proftpd v1.2.9 on LS 2 (MIPSel)===
 +
There is a script file to start wu-ftpd or proftpd (depending on whether you choose anonymous or user-based FTP).<br/>
 +
This file resides here: '''/etc/init.d/ftpd''' and gets called during boot sequence via symlink '''S92ftpd''' in '''rc2.d'''.<br/>
 +
This script calls '''/usr/sbin/proftpd''' and the configuration file to customize the behavior of the deamon is '''/etc/proftpd.conf''' .
  
 +
== Configure PROFTPD ==
  
If you want to make your configuration changes permanent, you need to keep the linkstation from rewriting the file '''/etc/proftpd.conf'''
+
=== Directory Structure ===
 +
Here is a sample configuration:
 +
'''Motivation:'''
 +
We want to set up a simple server to allow for our friends to download
 +
some files we prepared for them and also give them the opportunity to upload
 +
whatever they want.
  
To achieve this, the file '''/etc/init.d/mkshare.sh''' needs to be edited.
+
*'''/mnt/hda/ftp''' is the root directory of our ftp server.
Only the 5 lines below
+
**'''/mnt/hda/ftp/pub''' (here you put the files they can download)
#      echo "FTP configration file generating..."
+
**'''/mnt/hda/ftp/incoming''' (here they can upload whatever they want)
need to be commented out.
+
  
  vi /etc/init.d/mkshare.sh
+
To set the rights for the directories, you edit the '''proftpd.conf'''.
  
----
+
  vi /etc/proftpd.conf
  #generate configuration files
+
<blockquote>
if [ -x /bin/mkcode ]; then
+
'''WARNING!!!'''
        echo "Netatalk configration file generating..."
+
Any changes you make here will be reset by the linkstation´s stock software at reboot !
        /bin/mkcode -a > /dev/null
+
To make your changes last, please look into chapter [http://linkstationwiki.net/index.php?title=ProFTPD_-_Customized_FTP_server_instance&action=submit#Make_your_changes_permanent Make your changes permanent]
        /bin/nkf -sEO /etc/atalk/AppleVolumes.default /tmp/AppleVolumes
+
</blockquote>
        mv -f /tmp/AppleVolumes /etc/atalk/AppleVolumes.default
+
<pre>
 +
ServerName              LinkStation
 +
ServerType              standalone
 +
DefaultServer          on
 +
ServerIdent            off
 
   
 
   
        echo "Samba configration file generating..."
+
AuthPAMAuthoritative    on
        /bin/mkcode -s > /dev/null
+
AuthPAMConfig          ftp
        /bin/nkf -sEO /etc/samba/smb.conf /tmp/smb.conf
+
        mv -f /tmp/smb.conf /etc/samba/smb.conf
+
 
   
 
   
  #      echo "FTP configration file generating..."
+
  Port                    21
  #      /bin/mkcode -f > /dev/null
+
  Umask                  000
  #       /bin/nkf -sEO /etc/wu-ftpd/ftpaccess /tmp/ftpaccess
+
TimesGMT                off
  #      mv -f /tmp/ftpaccess /etc/wu-ftpd/ftpaccess
+
UseReverseDNS          off
  #      /bin/nkf -sEO /etc/proftpd.conf /tmp/proftpd.conf
+
IdentLookups            off
  #      mv -f /tmp/proftpd.conf /etc/proftpd.conf
+
MaxInstances            100
  fi
+
User                    nobody
 +
Group                  nogroup
 +
RootLogin              off
 +
DefaultRoot            /mnt/hda/ftp
 +
DefaultTransferMode    binary
 +
TimeoutIdle            900
 +
TimeoutLogin            120
 +
 +
ScoreboardFile          /var/log/scoreboardfile
 +
 +
  AllowStoreRestart       on
 +
AllowRetrieveRestart    on
 +
AllowOverwrite          on
 +
 +
SocketOptions rcvBuf    131070
 +
SocketOptions sndBuf    131070
 +
 +
<Limit SITE_CHMOD>
 +
  DenyAll
 +
</Limit>
 +
 +
<Directory /mnt/hda/ftp>
 +
  <Limit WRITE>
 +
    DenyAll
 +
  </Limit>
 +
</Directory>
 +
   
 +
<Directory /mnt/hda/ftp/incoming>
 +
  <Limit WRITE>
 +
    AllowAll
 +
  </Limit>
 +
  <Limit DELE RMD>
 +
    DenyAll
 +
  </Limit>
 +
  </Directory>
 +
 +
<Directory /mnt/hda/ftp/pub>
 +
  <Limit ALL>
 +
    AllowAll
 +
  </Limit>
 +
   
 +
  <Limit WRITE>
 +
    DenyAll
 +
  </Limit>
 +
  </Directory>
 +
</pre>
  
Now you can edit '''/etc/proftpd.conf''' and it will actually stay that way.
+
In the subdir '''pub''' there is no write access and in the subdir '''incoming''' anybody can upload anything, but they cannot delete files or remove directories.
 +
Users are being caged into the chroot environment and can´t escape '/mnt/hda/ftp'''
  
If you speak german, [http://www.proftpd.de/Docs.17.0.html here] is a good spot to start your research on how to customize your PROFTPD configuration.
+
=== Vitual users ===
 
+
{{Template:Articles}}''<font color=red><small>
I will add some examples and explanations shortly.
+
by mindbender.
 +
at Linkstationwiki.org
 +
</small></font>''<br>
  
== CONFIGURATION ==
 
  
 
As documentation I looked into http://www.proftpd.org/docs/ mainly to look what I needed for the config file  (I wanted to assign different priviledges to virtual users).
 
As documentation I looked into http://www.proftpd.org/docs/ mainly to look what I needed for the config file  (I wanted to assign different priviledges to virtual users).
Line 77: Line 136:
 
To generate password hashes needed in /etc/passwd, you can use the "htpasswd -n username" command.
 
To generate password hashes needed in /etc/passwd, you can use the "htpasswd -n username" command.
 
In some cases it might be needed for the home directory and the shell indicated in /etc/ftp2ndpasswd do actually point to existing directories and shell.  
 
In some cases it might be needed for the home directory and the shell indicated in /etc/ftp2ndpasswd do actually point to existing directories and shell.  
 +
 +
 +
== Make your changes permanent ==
 +
You probably want to make your configuration changes permanent, so you need to keep the linkstation from rewriting the file '''/etc/proftpd.conf''' .
 +
If you do this, you lose the simplicity of the ftp server configuration by web-interface, but you gain full control of the ftp server on your linkstation.
 +
 +
To achieve this, the file '''/etc/init.d/mkshare.sh''' needs to be edited.
 +
Only the 5 lines below
 +
#      echo "FTP configration file generating..."
 +
need to be commented out.
 +
 +
  vi /etc/init.d/mkshare.sh
 +
 +
----
 +
#generate configuration files
 +
if [ -x /bin/mkcode ]; then
 +
        echo "Netatalk configration file generating..."
 +
        /bin/mkcode -a > /dev/null
 +
        /bin/nkf -sEO /etc/atalk/AppleVolumes.default /tmp/AppleVolumes
 +
        mv -f /tmp/AppleVolumes /etc/atalk/AppleVolumes.default
 +
 +
        echo "Samba configration file generating..."
 +
        /bin/mkcode -s > /dev/null
 +
        /bin/nkf -sEO /etc/samba/smb.conf /tmp/smb.conf
 +
        mv -f /tmp/smb.conf /etc/samba/smb.conf
 +
 +
#      echo "FTP configration file generating..."
 +
#      /bin/mkcode -f > /dev/null
 +
#      /bin/nkf -sEO /etc/wu-ftpd/ftpaccess /tmp/ftpaccess
 +
#      mv -f /tmp/ftpaccess /etc/wu-ftpd/ftpaccess
 +
#      /bin/nkf -sEO /etc/proftpd.conf /tmp/proftpd.conf
 +
#      mv -f /tmp/proftpd.conf /etc/proftpd.conf
 +
fi
 +
 +
Now you can edit '''/etc/proftpd.conf''' and it will actually stay that way.
  
 
[[Category:General]]
 
[[Category:General]]
 
[[Category:Howto]]
 
[[Category:Howto]]
 
[[Category:Software]]
 
[[Category:Software]]

Revision as of 16:09, 28 August 2006

This article Originally by mindbender. at Linkstationwiki.org It is presently being reworked by shryke at globalmessageexchange dot de.

Contents

The FTP deamons

The Linkstation comes with two different FTP Server deamons:

# WU-FTPD which has come to ages and will not be discussed here.
# PROFTPD which is the one we are going to use, because it is has a nice user-management 
   and an intuitive way of handling access restrictions.

The deeper sense of delivering two deamons escapes me, for PROFTPD is perfectly capable of handling anonymous access. But in the stock version, WU-FTPD is used for handling this task, anyway.

Stock Proftpd v1.2.9 on LS 2 (MIPSel)

There is a script file to start wu-ftpd or proftpd (depending on whether you choose anonymous or user-based FTP).
This file resides here: /etc/init.d/ftpd and gets called during boot sequence via symlink S92ftpd in rc2.d.
This script calls /usr/sbin/proftpd and the configuration file to customize the behavior of the deamon is /etc/proftpd.conf .

Configure PROFTPD

Directory Structure

Here is a sample configuration:

Motivation:
We want to set up a simple server to allow for our friends to download 
some files we prepared for them and also give them the opportunity to upload
whatever they want.
  • /mnt/hda/ftp is the root directory of our ftp server.
    • /mnt/hda/ftp/pub (here you put the files they can download)
    • /mnt/hda/ftp/incoming (here they can upload whatever they want)

To set the rights for the directories, you edit the proftpd.conf.

vi /etc/proftpd.conf
WARNING!!! Any changes you make here will be reset by the linkstation´s stock software at reboot ! To make your changes last, please look into chapter Make your changes permanent
 ServerName              LinkStation
 ServerType              standalone
 DefaultServer           on
 ServerIdent             off
 
 AuthPAMAuthoritative    on
 AuthPAMConfig           ftp
 
 Port                    21
 Umask                   000
 TimesGMT                off
 UseReverseDNS           off
 IdentLookups            off
 MaxInstances            100
 User                    nobody
 Group                   nogroup
 RootLogin               off
 DefaultRoot             /mnt/hda/ftp
 DefaultTransferMode     binary
 TimeoutIdle             900
 TimeoutLogin            120 
 
 ScoreboardFile          /var/log/scoreboardfile 
 
 AllowStoreRestart       on
 AllowRetrieveRestart    on
 AllowOverwrite          on 
 
 SocketOptions rcvBuf    131070
 SocketOptions sndBuf    131070
 
 <Limit SITE_CHMOD>
   DenyAll
 </Limit> 
 
 <Directory /mnt/hda/ftp>
   <Limit WRITE>
     DenyAll
   </Limit>
 </Directory>
 
 <Directory /mnt/hda/ftp/incoming>
   <Limit WRITE>
     AllowAll
   </Limit>
   <Limit DELE RMD>
     DenyAll
   </Limit>
 </Directory>
 
 <Directory /mnt/hda/ftp/pub>
   <Limit ALL>
     AllowAll
   </Limit>
 
   <Limit WRITE>
     DenyAll
   </Limit>
 </Directory>

In the subdir pub there is no write access and in the subdir incoming anybody can upload anything, but they cannot delete files or remove directories. Users are being caged into the chroot environment and can´t escape '/mnt/hda/ftp

Vitual users

by mindbender. at Linkstationwiki.org


As documentation I looked into http://www.proftpd.org/docs/ mainly to look what I needed for the config file (I wanted to assign different priviledges to virtual users).

The rest is really up to what you want to do with the new server, proftpd is very flexible. I really enjoyed the granularity on access priviledges on a user basis and the possibility to create "virtual users" (ftp users without the need of a full account on the linkstation).

Authentication with "virtual users" (non-system users)

I added these to my config file

AuthPAMAuthoritative off
AuthPAMConfig ftp 
AuthGroupFile /etc/ftp2ndgroup
AuthUserFile /etc/ftp2ndpasswd


What happens then is that, if the user has an "regular account" on the linkstation (i.e. the user is in the usual /etc/passwd file and the group is in the /etc/group file) then he/she can login with the linkstation login password.

So you dont have to duplicate your own user account. If the user is not in /etc/passwd then the file /etc/ftp2ndpasswd is looked. The format is exactly the same as /etc/passwd but you have to use fake id number that wont overlap with the ones in the normal passwd file.

To generate password hashes needed in /etc/passwd, you can use the "htpasswd -n username" command. In some cases it might be needed for the home directory and the shell indicated in /etc/ftp2ndpasswd do actually point to existing directories and shell.


Make your changes permanent

You probably want to make your configuration changes permanent, so you need to keep the linkstation from rewriting the file /etc/proftpd.conf . If you do this, you lose the simplicity of the ftp server configuration by web-interface, but you gain full control of the ftp server on your linkstation.

To achieve this, the file /etc/init.d/mkshare.sh needs to be edited. Only the 5 lines below

#       echo "FTP configration file generating..."

need to be commented out.

 vi /etc/init.d/mkshare.sh

#generate configuration files
if [ -x /bin/mkcode ]; then
       echo "Netatalk configration file generating..."
       /bin/mkcode -a > /dev/null
       /bin/nkf -sEO /etc/atalk/AppleVolumes.default /tmp/AppleVolumes
       mv -f /tmp/AppleVolumes /etc/atalk/AppleVolumes.default

       echo "Samba configration file generating..."
       /bin/mkcode -s > /dev/null
       /bin/nkf -sEO /etc/samba/smb.conf /tmp/smb.conf
       mv -f /tmp/smb.conf /etc/samba/smb.conf

#       echo "FTP configration file generating..."
#       /bin/mkcode -f > /dev/null
#       /bin/nkf -sEO /etc/wu-ftpd/ftpaccess /tmp/ftpaccess
#       mv -f /tmp/ftpaccess /etc/wu-ftpd/ftpaccess
#       /bin/nkf -sEO /etc/proftpd.conf /tmp/proftpd.conf
#       mv -f /tmp/proftpd.conf /etc/proftpd.conf
fi

Now you can edit /etc/proftpd.conf and it will actually stay that way.