1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
|
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Microsoft FrontPage 2.0">
<title>Configuring ProFTPD - FAQ</title>
</head>
<body bgcolor="#E7E4D8">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr>
<td width="33%" bgcolor="#0000FF"><!--webbot bot="ImageMap" circle=" (90,21) 21 reference.html" circle=" (30,21) 21 download.html" src="images/next-prev.gif" border="0" width="121" height="45" startspan --><MAP NAME="FrontPageMap"><AREA SHAPE="CIRCLE" COORDS="90, 21, 21" HREF="reference.html"><AREA SHAPE="CIRCLE" COORDS="30, 21, 21" HREF="download.html"></MAP><a href="_vti_bin/shtml.exe/configuration.html/map"><img ismap usemap="#FrontPageMap" border="0" height="45" src="images/next-prev.gif" width="121"></a><!--webbot bot="ImageMap" endspan i-checksum="52116" --></td>
<td align="center" width="33%" bgcolor="#0000FF"><img src="images/proftpd-blue.gif" width="210" height="43"></td>
<td align="right" width="34%" bgcolor="#0000FF"><img src="images/button-configuration.gif" width="215" height="41"></td>
</tr>
<tr>
<td align="center" colspan="3" width="33%" bgcolor="#000000"><font color="#00FFFF" size="3" face="Arial"><em><strong>- Professional FTP Daemon -</strong></em></font></td>
</tr>
</table>
<p><br>
</p>
<table border="0" cellpadding="2" cellspacing="0" width="100%">
<tr>
<td align="center" colspan="2" bgcolor="#000000"><font color="#00FFFF" size="3" face="Arial"><em><strong>Configuration
- Frequently Asked Questions</strong></em></font></td>
</tr>
<tr>
<td><img src="images/q.gif" width="38" height="30"></td>
<td width="100%"><strong>ProFTPD doesn't seem to work, I
start it but it doesn't show up in a `</strong><code>ps</code><strong>'.
What's wrong?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>It could be many things, possibly something like not
running proftpd as root (it needs to be run as root
initially, but will switch to a non-privileged user).
Regardless, proftpd logs all errors via the standard
syslog mechanism. You need to check your system logs in
order to determine what the problem is.</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>My syslog has errors in it such as
"inet_create_connection() failed: Operation not
permitted".<br>
I use the shadow password suite. Users cannot login to
ProFTPD.</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>You aren't starting proftpd as root, or you have
inetd configured to run proftpd as a user other than
root. The proftpd daemon must be started as root in order
to bind to tcp ports lower than 1024, or to open your
shadow password file when authenticating users. The
daemon switches uid/gids to the user and group specified
by the <a href="reference.html#User">User</a>/<a href="reference.html#Group">Group</a> directives during
normal operation, so a `<code>ps</code>' will show it
running as the user you specified.</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>When I try to start proftpd from the command
line, all I see is "Fatal: Socket operation on
non-socket", and proftpd does not start.</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>You have proftpd configured to run in inetd mode
instead of standalone. In this mode, proftpd expects that
it will be run from the inetd super-server, which implies
that stdin/stdout will be sockets instead of terminals.
As a result, socket operations will fail and the above
error will be printed. If you wish to run proftpd from
the shell, in standalone mode, you'll need to modify your
proftpd.conf configuration file and add or edit the <a href="reference.html#ServerType">ServerType</a> directive
to read:<br>
<br>
<a href="reference.html#ServerType">ServerType standalone</a></td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>I'm having problems with FTP clients behind
firewalls, they cannot seem to get directory listings or
transfer files. I've checked and it seems that proftpd
isn't using port 20 as the source port for it's data
connections; can this be changed?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td><strong>There is a known security problem with ALL
unix FTP daemons</strong>, which requires the daemon to
retain root privileges even after a client has fully
authenticated. In proftpd versions 1.0.x, we chose to
ignore RFC959's port 20 requirements in the interests of
security. Unfortunately, over time, it became obvious
that this was a bad idea. Until the RFC is
"fixed", this problem will continue to plague
unix FTP servers.<br>
<br>
In proftpd versions 1.1.x and higher, we chose to go the
"standard" route, retaining root at all times,
allowing the daemon to bind to port 20 and be completely
RFC959 compliant. The security issue remains, however the
code is carefully structured to handle this in as secure
a fashion as possible.<br>
<br>
You have two options for working around this problem:<br>
<br>
1. Upgrade to proftpd 1.1.x (development versions).<br>
<br>
2. Have your FTP clients use passive mode. Passive mode
data connections originate from the client, and thus do
not experience this "port 20" problem.</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>I cannot get Anonymous FTP to work. I've
tried all the sample configuration files, however no
matter what I try, every time I attempt to login to
proftpd as 'ftp' or 'anonymous' I get "550 Login
incorrect.".</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>Check the following first:<br>
<br>
1. Make sure the user/group you specified inside the <a href="reference.html#Anonymous"><Anonymous></a>
block actually exists. This must be a real user and
group, as it is used to control whom the daemon runs as
and authenticates as.<br>
<br>
2. If <a href="reference.html#RequireValidShell">RequireValidShell</a>
is not specifically turned off, make sure that your
"ftp user" (as specified by the <a href="reference.html#User">User</a> directive inside an
<Anonymous> block), has a valid shell listed in
/etc/shells. If you do not wish to give the user a valid
shell, you can always use "RequireValidShell
off" to disable this check.<br>
<br>
3. If <a href="reference.html#UseFtpUsers">UseFtpUsers</a>
is not specifically turned off, make sure that your
"ftp user" is <strong>not</strong> listed in
/etc/ftpusers.<br>
<br>
If all else fails, you should check your syslog. When
authentication fails for any reason, proftpd uses the
syslog mechanism to log the reason for failure; using the
AUTH (or AUTHPRIV) facility. If you need further
assistance, you can send email, including related syslog
entries and your configuration file, to the proftpd
mailing list at: <a href="mailto:proftpd-l@evcom.net">proftpd-l@evcom.net</a>.</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>What should I add or remove from my
/etc/inetd.conf in order to run proftpd from the inetd
super-server?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>Find the line in /etc/inetd.conf that looks something
like this:<br>
<code>ftp stream tcp nowait root in.ftpd in.ftpd</code><br>
<br>
Replace it with:<br>
<code>ftp stream tcp nowait root in.proftpd in.proftpd</code><br>
<br>
Then, find your inetd process in the process listing and
send it the SIGHUP signal so that it will rehash and
reconfigure itself. Example (<strong>do not type the
following literally, as pid 189 will most likely NOT be
your inetd process</strong>):<br>
<code>kill -1 189</code></td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>Can I use tcp-wrappers with proftpd?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>Sure. Although ProFTPD has built-in IP access control
(see the <a href="reference.html#Deny">Deny</a> and <a href="reference.html#Allow">Allow</a> directives), many
admins choose to consolidate IP access control in one
place via in.tcpd. Just configure proftpd to run from
inetd as any other tcp-wrapper wrapped daemon does:<br>
<code>ftp stream tcp nowait root in.tcpd in.proftpd</code></td>
</tr>
<tr>
<td valign="top"> </td>
<td> </td>
</tr>
<tr>
<td><img src="images/q.gif" width="38" height="30"></td>
<td><strong>How do I add another anonymous login or guest
account?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>You should look in the sample-configurations/
directory from your distribution tarball. Basically,
you'll need to create another user on your system for the
guest/anonymous ftp login. For security reasons, it's
very important that you make sure the user account either
has a password or has an "unmatchable"
password. The root directory of the guest/anonymous
account doesn't have to be the user's directory, but it
makes sense to do so. After you have created the account,
put something like the following in your
/etc/proftpd.conf file (assuming the new user/group name
is private/private):<br>
<br>
<<code>Anonymous ~private><br>
AnonRequirePassword off<br>
User private<br>
Group private<br>
RequireValidShell off<br>
<Directory *><br>
<Limit WRITE><br>
DenyAll<br>
</Limit><br>
</Directory><br>
</Anonymous></code><br>
<br>
This will allow ftp clients to login to your site with
the username 'private' and their e-mail address as a
password. You can change the <a href="reference.html#AnonRequirePassword">AnonRequirePassword</a>
directive to "on" if you want clients to be
forced to transmit the correct password for the 'private'
account. This sample configuration allows clients to
change into, list and read all directories, but denies
write access of any kind.</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>How do I allow uploads to a specific
directory in a secure fashion? I don't want users
downloading or creating sub-directories in it.</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>The following snippet from a sample configuration
file illustrates how to protect an "upload"
directory in such a fashion (which is a very good idea if
you don't want people using your site for
"warez"):<br>
<br>
<code><Anonymous /home/ftp></code><blockquote>
<p><code>User ftp<br>
Group ftp<br>
UserAlias anonymous ftp<br>
<br>
<Directory *></code></p>
<blockquote>
<p><code><Limit WRITE><br>
DenyAll<br>
</Limit></code></p>
</blockquote>
<p><code></Directory><br>
<br>
<Directory incoming></code></p>
<blockquote>
<p><code><Limit STOR><br>
AllowAll<br>
</Limit><br>
<Limit READ><br>
DenyAll<br>
</Limit></code></p>
</blockquote>
<p><code></Directory></code></p>
</blockquote>
<p><code></Anonymous></code></p>
<p>This denies all write operations to the anonymous root
directory and sub-directories, except
"incoming/" where the permissions are reversed
and the client can store but not read. If you used
<Limit WRITE> instead of <Limit STOR> on
<Directory incoming>, ftp clients would be allowed
to perform all write operations to the sub-dir, including
deleting, renaming and creating directories.</p>
</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>How can I hide a directory from anonymous
clients. I only want clients getting in to it if they
know the exact name.</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>Use the <a href="reference.html#HideUser">HideUser</a>
or <a href="#HideGroup">HideGroup</a> directive in
combination with the proper user/group ownership on the
directive. For example, if you have the follow directory
in your anonymous ftp directory tree:<br>
<br>
<code>drwxrwxr-x 3 ftp staff 6144 Apr 21 16:40 private<br>
</code><br>
You can use a directive such as "HideGroup
staff" to hide the private directory from a
directory listing. Example:<br>
<br>
<code><Anonymous ~ftp><br>
...<br>
<Directory Private><br>
HideGroup staff<br>
</Directory><br>
...<br>
</Anonymous></code></td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>File/Directory hiding isn't working for me! I
can still see the file or directory when performing an
anonymous FTP?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>You need to make sure that the group you are hiding
isn't the anonymous ftp user's primary group, or <a href="reference.html#HideGroup">HideGroup</a> won't
apply.</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>I have a hidden directory, but I want to
prevent users from accessing it altogether. How can I do
this?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>You can either change the permissions on the
directory to prevent the anonymous FTP user from
accessing it, or if you want to make it appear completely
invisible (as though there is no such directory), use the
<a href="reference.html#IgnoreHidden">IgnoreHidden</a>
directive inside a <Limit> block for one or more
commands that you want to completely ignore the hidden
directory entries (ignore = act as if the directory entry
does not exist).</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>How do I setup a virtual FTP server?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>First off, have you read the documentation that came
with the server? If not, do so now. If you still have
questions, read on:<br>
<br>
You'll need to configure your host to be able to handle
multiple IP addresses. This is often called
"aliasing", and can generally be configured
through an IP alias or dummy interface. You need to read
your operating system documentation to figure out how to
do this. Once your have the host configured to accept the
additional IP address that you wish to offer a virtual
FTP server on, use the <VirtualHost> configuration
directive to create the virtual server:<br>
<br>
<code><VirtualHost 10.0.0.1><br>
ServerName "My virtual FTP server"<br>
</VirtualHost></code><br>
<br>
You can add additional directive blocks into the
<VirtualHost> block in order to create
anonymous/guest logins and the like which are only
available on the virtual host.</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>I don't want to let my normal FTP users into
my virtual FTP servers using their usernames/passwords. I
only want anonymous FTP to work for a virtual server. How
can I do this?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>Use a <Limit LOGIN> block to deny access at the
top-level of the virtual host, then use <Limit
LOGIN> again in your <Anonymous> block to allow
access to the anonymous login. This permits logins to a
virtual anonymous server, but denies to everything else.
Example:<br>
<br>
<code>...<br>
<VirtualHost 10.0.0.1><br>
ServerName "My virtual FTP server"<br>
<Limit LOGIN><br>
DenyAll<br>
</Limit><br>
<Anonymous /usr/local/private><br>
User private<br>
Group private<br>
<Limit LOGIN><br>
AllowAll<br>
</Limit><br>
...<br>
</Anonymous><br>
</VirtualHost></code></td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>Can I run an FTP server on another port
besides the standard ftp port (21) without running a
separate copy of ProFTPD?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>Yes. Use a <a href="reference.html#VirtualHost"><VirtualHost></a>
block with your machine's FQDN (Fully Qualified Domain
Name) or IP address, and a <a href="reference.html#Port">Port</a>
directive inside the <VirtualHost> block. For
example, if your host is named
"myhost.mydomain.com" and you want to run an
additional FTP server on port 2001, you would:<br>
<br>
...<br>
<code><VirtualHost myhost.mydomain.com><br>
Port 2001<br>
...<br>
</VirtualHost></code></td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>How does <Limit LOGIN> work, and where
should I use it?</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>The <Limit LOGIN> directive is used to control
connection or login access to a particular context (the
directive block which contains it). When a client
initially connects to proftpd, the daemon searches the
configuration tree for <Limit LOGIN> directives,
and attached parameters (such as Allow, Deny, etc). If it
determines that there is no possible way for the client
to ever be allowed to login, such as a "Deny
from" matching the client's source address, without
an overriding "Allow from" at a lower level,
the client is disconnected without being offered the
opportunity to transmit a user and password. However, if
it is possible for the client to be allowed a login,
proftpd continues as per normal, allowing the client to
login only if the proper <Limit LOGIN> applies.
Normally, <Limit> directive blocks are allowed in
the server config, <a href="reference.html"><VirtualHost></a>,
<a href="reference.html#Anonymous"><Anonymous></a>
and <a href="reference.html#Directory"><Directory></a>
contexts. However, <Limit LOGIN> should not be used
in a <Directory> context, as clients do not
connect/login to a directory (and thus it is
meaningless).<br>
<br>
By way of example, the following configuration snippit
illustrates a <Limit LOGIN> deny which will cause
any incoming connections from the 10.1.1.x subnet to be
immediately disconnected, without a welcome message:<br>
<br>
<code>...<br>
<Limit LOGIN><br>
Order deny,allow<br>
Deny from 10.1.1.<br>
Allow from all<br>
</Limit><br>
...</code><br>
<br>
Next, an example of a configuration using <Limit
LOGIN> that will not immediately disconnect an
incoming client, but will return "Login
invalid" for all login attempts except anonymous.<br>
<br>
<code>...<br>
<Limit LOGIN><br>
DenyAll<br>
</Limit><br>
<Anonymous ~ftp><br>
...<br>
<Limit LOGIN><br>
AllowAll<br>
</Limit><br>
...</code></td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>How can I limit one or more user sessions to
a particular directory tree? (chroot jail)</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td valign="top">You can use an <a href="reference.html#anonymous"><Anonymous></a>
directive context block, possibly in combination with a <a href="reference.html#userpassword">UserPassword</a>/<a href="reference.html#anonrequirepassword">AnonRequirePassword</a>
directive. If you wish to jail an entire group (or
groups) of users, you can use the <a href="reference.html#defaultroot">DefaultRoot</a>
directive (<strong>available only in 0.99.0pl7 and above</strong>).
DefaultRoot lets you specify a root jailed directory (or
'~' for the user's home directory), and an optional
group-expression argument which can be used to control
which groups of users the jail will be applied to. For
example:<br>
<br>
<code>...<br>
<VirtualHost myhost.mynet.foo><br>
DefaultRoot ~<br>
...<br>
</VirtualHost></code><br>
<br>
This creates a configuration where all users who log into
myhost.mynet.foo are jailed into their home directories
(cannot chdir into a higher level directory).
Alternatively, you could:<br>
<br>
<code>...<br>
<VirtualHost myhost.mynet.foo><br>
DefaultRoot /u2/public users,!staff<br>
...<br>
</VirtualHost></code><br>
<br>
In this sample, all users who are members of group
'users', but not members of group 'staff' are jailed into
/u2/public. If a user does not meet the group-expression
requirements, they login as per normal (not jailed,
default directory is their home).<br>
<br>
You can use multiple DefaultRoot directives to create
multiple jails inside the same directive context. If two
DefaultRoot directives apply to the same user, proftpd
arbitrarily chooses one (based on how the configuration
file was parsed).</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td> </td>
<td><font size="3"><em><strong>The following questions
and answers apply to proftpd version 1.1.3 and later
only! None of these features will work in 1.0.x versions.</strong></em></font></td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>How do I create anonymous FTP sites for my
users? Creating a separate <Anonymous>
configuration for each user is too difficult.</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>There are two methods of accomplishing this (possibly
more). First, you can create a directory structure inside
your anonymous FTP root directory, creating a single
directory for each user and setting ownership/permissions
as appropriate. Then, either create a symlink from each
user's home directory into the FTP site, or instruct your
users on how to access their directory.<p>The alternate
method (and more versatile) of accomplishing per-user
anonymous FTP is to use <a href="reference.html#AnonymousGroup">AnonymousGroup</a>
in combination with the <a href="reference.html#DefaultRoot">DefaultRoot</a>
directory. You'll probably want to do this inside a <a href="reference.html#VirtualHost"><VirtualHost></a>,
otherwise none of your users will be able to access your
system without being stuck inside their per-user FTP
site. Additionally, you'll want to use a defered <a href="reference.html#Directory"><Directory></a>
block to carefully limit outside access to each user's
site.</p>
<p><strong>Step 1:</strong> Create a new unix group on
your system named `anonftp'. Please each user who will
have per-user anonymous FTP in this group.<br>
<strong>Step 2:</strong> Create an `anon-ftp' and
`anon-ftp/incoming' directory in each user's home
directory.<br>
<strong>Step 3:</strong> Modify your /etc/proftpd.conf
file to look something like this (you'll probably want to
customize this to your needs):</p>
<blockquote>
<p align="left"><code><VirtualHost
my.per-user.virtual.host.address></code></p>
<blockquote>
<p align="left"><code># the next line limits all
logins to this virtualhost, so that only anonftp
users can connect</code></p>
</blockquote>
<blockquote>
<p align="left"><code><Limit LOGIN><br>
DenyGroup !anonftp<br>
</Limit></code></p>
</blockquote>
<blockquote>
<p align="left"><code># limit access to each
user's anon-ftp directory, we want read-only
except on incoming</code></p>
</blockquote>
<blockquote>
<p align="left"><code><Directory
~/anon-ftp></code></p>
</blockquote>
<blockquote>
<blockquote>
<p align="left"><code><Limit WRITE><br>
DenyAll<br>
</Limit></code></p>
</blockquote>
</blockquote>
<blockquote>
<p align="left"><code></Directory></code></p>
</blockquote>
<blockquote>
<p align="left"><code># permit stor access to
each user's anon-ftp/incoming directory, but deny
everything else</code></p>
</blockquote>
<blockquote>
<p align="left"><code><Directory
~/anon-ftp/incoming></code></p>
</blockquote>
<blockquote>
<blockquote>
<p align="left"><code><Limit STOR><br>
AllowAll<br>
</Limit><br>
<br>
<Limit READ WRITE><br>
DenyAll<br>
</Limit></code></p>
</blockquote>
</blockquote>
<blockquote>
<p align="left"><code></Directory></code></p>
</blockquote>
<blockquote>
<p align="left"><code># provide a default root
for all logins to this virtualhost.<br>
DefaultRoot ~/anon-ftp<br>
# Finally, force all logins to be anonymous for
the anonftp group<br>
AnonymousGroup anonftp</code></p>
</blockquote>
<p align="left"><code></VirtualHost></code></p>
</blockquote>
</td>
</tr>
<tr>
<td valign="top"><img src="images/q.gif" width="38" height="30"></td>
<td><strong>How do I create an Anonymous configuration
that runs as a particular user, but still allow the user
to login normally? I don't want to have to use a separate
virtual host.</strong></td>
</tr>
<tr>
<td valign="top"><img src="images/a.gif" width="36" height="30"></td>
<td>You can use the <a href="reference.html#AuthAliasOnly">AuthAliasOnly</a>
directive to control how and where real usernames get
authenticated (as opposed to aliased names, via the <a href="reference.html#UserAlias">UserAlias</a> directive).
Note that it is still impossible to have two identical
aliased names login to different anonymous sites; for
that you would need <a href="reference.html#VirtualHost"><VirtualHost></a>.<p>Example:</p>
<p><code>...<br>
<Anonymous ~jrluser></code></p>
<blockquote>
<p><code>User jrluser<br>
Group jrluser<br>
UserAlias ftp jrluser<br>
UserAlias anonymous jrluser<br>
AuthAliasOnly on<br>
...</code></p>
</blockquote>
<p><code></Anonymous></code></p>
<p>Here, the <a href="reference.html#Anonymous"><Anonymous></a>
configuration for ~jrluser is set to allow alias
authentication only. Thus, if a client attempts to
authenticate as 'jrluser', the anonymous config will be
ignored and the client will be authenticated as if they
were a normal user (typically resulting in `jrluser'
logging in normally). However, if the client uses the
aliased username `ftp' or `anonymous', the anonymous
block is applied.</p>
</td>
</tr>
</table>
</body>
</html>
|
