ProFTPD - Customized FTP server instance

From NAS-Central Buffalo - The Linkstation Wiki

Revision as of 16:09, 28 August 2006

This article Originally by mindbender. at Linkstationwiki.org It is presently being reworked by shryke at globalmessageexchange dot de.

The FTP deamons

The Linkstation comes with two different FTP Server deamons:

# WU-FTPD which has come to ages and will not be discussed here.
# PROFTPD which is the one we are going to use, because it is has a nice user-management 
   and an intuitive way of handling access restrictions.

The deeper sense of delivering two deamons escapes me, for PROFTPD is perfectly capable of handling anonymous access. But in the stock version, WU-FTPD is used for handling this task, anyway.

Stock Proftpd v1.2.9 on LS 2 (MIPSel)

There is a script file to start wu-ftpd or proftpd (depending on whether you choose anonymous or user-based FTP).
This file resides here: /etc/init.d/ftpd and gets called during boot sequence via symlink S92ftpd in rc2.d.
This script calls /usr/sbin/proftpd and the configuration file to customize the behavior of the deamon is /etc/proftpd.conf .

Configure PROFTPD

Directory Structure

Here is a sample configuration:

Motivation:
We want to set up a simple server to allow for our friends to download 
some files we prepared for them and also give them the opportunity to upload
whatever they want.

• /mnt/hda/ftp is the root directory of our ftp server.
  • /mnt/hda/ftp/pub (here you put the files they can download)
  • /mnt/hda/ftp/incoming (here they can upload whatever they want)

To set the rights for the directories, you edit the proftpd.conf.

vi /etc/proftpd.conf

WARNING!!! Any changes you make here will be reset by the linkstation´s stock software at reboot ! To make your changes last, please look into chapter Make your changes permanent

 ServerName              LinkStation
 ServerType              standalone
 DefaultServer           on
 ServerIdent             off
 
 AuthPAMAuthoritative    on
 AuthPAMConfig           ftp
 
 Port                    21
 Umask                   000
 TimesGMT                off
 UseReverseDNS           off
 IdentLookups            off
 MaxInstances            100
 User                    nobody
 Group                   nogroup
 RootLogin               off
 DefaultRoot             /mnt/hda/ftp
 DefaultTransferMode     binary
 TimeoutIdle             900
 TimeoutLogin            120 
 
 ScoreboardFile          /var/log/scoreboardfile 
 
 AllowStoreRestart       on
 AllowRetrieveRestart    on
 AllowOverwrite          on 
 
 SocketOptions rcvBuf    131070
 SocketOptions sndBuf    131070
 
 <Limit SITE_CHMOD>
   DenyAll
 </Limit> 
 
 <Directory /mnt/hda/ftp>
   <Limit WRITE>
     DenyAll
   </Limit>
 </Directory>
 
 <Directory /mnt/hda/ftp/incoming>
   <Limit WRITE>
     AllowAll
   </Limit>
   <Limit DELE RMD>
     DenyAll
   </Limit>
 </Directory>
 
 <Directory /mnt/hda/ftp/pub>
   <Limit ALL>
     AllowAll
   </Limit>
 
   <Limit WRITE>
     DenyAll
   </Limit>
 </Directory>

In the subdir pub there is no write access and in the subdir incoming anybody can upload anything, but they cannot delete files or remove directories. Users are being caged into the chroot environment and can´t escape '/mnt/hda/ftp

Vitual users

by mindbender. at Linkstationwiki.org

As documentation I looked into http://www.proftpd.org/docs/ mainly to look what I needed for the config file (I wanted to assign different priviledges to virtual users).

The rest is really up to what you want to do with the new server, proftpd is very flexible. I really enjoyed the granularity on access priviledges on a user basis and the possibility to create "virtual users" (ftp users without the need of a full account on the linkstation).

Authentication with "virtual users" (non-system users)

I added these to my config file

AuthPAMAuthoritative off
AuthPAMConfig ftp 
AuthGroupFile /etc/ftp2ndgroup
AuthUserFile /etc/ftp2ndpasswd

What happens then is that, if the user has an "regular account" on the linkstation (i.e. the user is in the usual /etc/passwd file and the group is in the /etc/group file) then he/she can login with the linkstation login password.

So you dont have to duplicate your own user account. If the user is not in /etc/passwd then the file /etc/ftp2ndpasswd is looked. The format is exactly the same as /etc/passwd but you have to use fake id number that wont overlap with the ones in the normal passwd file.

To generate password hashes needed in /etc/passwd, you can use the "htpasswd -n username" command. In some cases it might be needed for the home directory and the shell indicated in /etc/ftp2ndpasswd do actually point to existing directories and shell.

Make your changes permanent

You probably want to make your configuration changes permanent, so you need to keep the linkstation from rewriting the file /etc/proftpd.conf . If you do this, you lose the simplicity of the ftp server configuration by web-interface, but you gain full control of the ftp server on your linkstation.

To achieve this, the file /etc/init.d/mkshare.sh needs to be edited. Only the 5 lines below

#       echo "FTP configration file generating..."

need to be commented out.

 vi /etc/init.d/mkshare.sh

#generate configuration files
if [ -x /bin/mkcode ]; then
       echo "Netatalk configration file generating..."
       /bin/mkcode -a > /dev/null
       /bin/nkf -sEO /etc/atalk/AppleVolumes.default /tmp/AppleVolumes
       mv -f /tmp/AppleVolumes /etc/atalk/AppleVolumes.default

       echo "Samba configration file generating..."
       /bin/mkcode -s > /dev/null
       /bin/nkf -sEO /etc/samba/smb.conf /tmp/smb.conf
       mv -f /tmp/smb.conf /etc/samba/smb.conf

#       echo "FTP configration file generating..."
#       /bin/mkcode -f > /dev/null
#       /bin/nkf -sEO /etc/wu-ftpd/ftpaccess /tmp/ftpaccess
#       mv -f /tmp/ftpaccess /etc/wu-ftpd/ftpaccess
#       /bin/nkf -sEO /etc/proftpd.conf /tmp/proftpd.conf
#       mv -f /tmp/proftpd.conf /etc/proftpd.conf
fi

Now you can edit /etc/proftpd.conf and it will actually stay that way.