ProFTPD - Customized FTP server instance
Originally by mindbender.
It is presently being reworked by shryke at globalmessageexchange dot de.
The FTP deamons
The Linkstation comes with two different FTP Server deamons:
# WU-FTPD which has come to ages and will not be discussed here. # PROFTPD which is the one we are going to use, because it is has a nice user-management and an intuitive way of handling access restrictions.
The deeper sense of delivering two deamons escapes me, for PROFTPD is perfectly capable of handling anonymous access. But in the stock version, WU-FTPD is used for handling this task, anyway.
Stock Proftpd v1.2.9 on LS 2 (MIPSel)
There is a script file to start wu-ftpd or proftpd (depending on whether you choose anonymous or user-based FTP).
This file resides here: /etc/init.d/ftpd and gets called during boot sequence via symlink S92ftpd in rc2.d.
This script calls /usr/sbin/proftpd and the configuration file to customize the behavior of the deamon is /etc/proftpd.conf .
Here is a sample configuration:
Motivation: We want to set up a simple server to allow for our friends to download some files we prepared for them and also give them the opportunity to upload whatever they want.
- /mnt/hda/ftp is the root directory of our ftp server.
- /mnt/hda/ftp/pub (here you put the files they can download)
- /mnt/hda/ftp/incoming (here they can upload whatever they want)
To set the rights for the directories, you edit the proftpd.conf.
WARNING!!! Any changes you make here will be reset by the linkstation´s stock software at reboot ! To make your changes last, please look into chapter Make your changes permanent
ServerName LinkStation ServerType standalone DefaultServer on ServerIdent off AuthPAMAuthoritative on AuthPAMConfig ftp Port 21 Umask 000 TimesGMT off UseReverseDNS off IdentLookups off MaxInstances 100 User nobody Group nogroup RootLogin off DefaultRoot /mnt/hda/ftp DefaultTransferMode binary TimeoutIdle 900 TimeoutLogin 120 ScoreboardFile /var/log/scoreboardfile AllowStoreRestart on AllowRetrieveRestart on AllowOverwrite on SocketOptions rcvBuf 131070 SocketOptions sndBuf 131070 <Limit SITE_CHMOD> DenyAll </Limit> <Directory /mnt/hda/ftp> <Limit WRITE> DenyAll </Limit> </Directory> <Directory /mnt/hda/ftp/incoming> <Limit WRITE> AllowAll </Limit> <Limit DELE RMD> DenyAll </Limit> </Directory> <Directory /mnt/hda/ftp/pub> <Limit ALL> AllowAll </Limit> <Limit WRITE> DenyAll </Limit> </Directory>
In the subdir pub there is no write access and in the subdir incoming anybody can upload anything, but they cannot delete files or remove directories. Users are being caged into the chroot environment and can´t escape /mnt/hda/ftp
As documentation I looked into http://www.proftpd.org/docs/ mainly to look what I needed for the config file (I wanted to assign different priviledges to virtual users).
The rest is really up to what you want to do with the new server, proftpd is very flexible. I really enjoyed the granularity on access priviledges on a user basis and the possibility to create "virtual users" (ftp users without the need of a full account on the linkstation).
Authentication with "virtual users" (non-system users)
I added these to my config file
AuthPAMAuthoritative off AuthPAMConfig ftp AuthGroupFile /etc/ftp2ndgroup AuthUserFile /etc/ftp2ndpasswd
What happens then is that, if the user has an "regular account" on the linkstation (i.e. the user is in the usual /etc/passwd file and the group is in the /etc/group file) then he/she can login with the linkstation login password.
So you dont have to duplicate your own user account. If the user is not in /etc/passwd then the file /etc/ftp2ndpasswd is looked. The format is exactly the same as /etc/passwd but you have to use fake id number that wont overlap with the ones in the normal passwd file.
To generate password hashes needed in /etc/passwd, you can use the "htpasswd -n username" command. In some cases it might be needed for the home directory and the shell indicated in /etc/ftp2ndpasswd do actually point to existing directories and shell.
Make your changes permanent
You probably want to make your configuration changes permanent, so you need to keep the linkstation from rewriting the file /etc/proftpd.conf . If you do this, you lose the simplicity of the ftp server configuration by web-interface, but you gain full control of the ftp server on your linkstation.
To achieve this, the file /etc/init.d/mkshare.sh needs to be edited. Only the 5 lines below
# echo "FTP configration file generating..."
need to be commented out.
#generate configuration files if [ -x /bin/mkcode ]; then echo "Netatalk configration file generating..." /bin/mkcode -a > /dev/null /bin/nkf -sEO /etc/atalk/AppleVolumes.default /tmp/AppleVolumes mv -f /tmp/AppleVolumes /etc/atalk/AppleVolumes.default echo "Samba configration file generating..." /bin/mkcode -s > /dev/null /bin/nkf -sEO /etc/samba/smb.conf /tmp/smb.conf mv -f /tmp/smb.conf /etc/samba/smb.conf # echo "FTP configration file generating..." # /bin/mkcode -f > /dev/null # /bin/nkf -sEO /etc/wu-ftpd/ftpaccess /tmp/ftpaccess # mv -f /tmp/ftpaccess /etc/wu-ftpd/ftpaccess # /bin/nkf -sEO /etc/proftpd.conf /tmp/proftpd.conf # mv -f /tmp/proftpd.conf /etc/proftpd.conf fi
Now you can edit /etc/proftpd.conf and it will actually stay that way.