FTP server with virtual users on Debian Lenny - Part One
I had to set up an FTP server at work (yuck). The guides I found elsewhere didn't do exactly what I was after, so it took some trial and error to get the setup I needed:
- Be able to create multiple virtual users without having to create a shell account for every FTP user
- Individually set permissions for each FTP user
- FTP users should by default be locked inside a chroot
- However, I need to be able to provide read/write access outside the chroot on an exception basis
I used Proftpd on Debian Lenny to achieve the above.
1. Install proftpd
sudo aptitude install proftpd
2. Create home directories for the virtual ftp users (we're just creating two for this example):
sudo mkdir -p /var/ftp/user{1,2}/{read,write}
sudo chown -R proftpd:nogroup /var/ftp/
3. Get the uid and gid of the proftpd user (the proftpd install script should have created it):
sudo grep ftp /etc/passwd
proftpd:x:109:65534::/var/run/proftpd:/bin/false
4. Create the virtual FTP users. Both map to the proftpd uid/gid, so the filesystem itself cannot tell them apart; per-user separation comes only from the <Directory>/<Limit> blocks in step 5.
sudo ftpasswd --passwd --name=user1 --uid=109 --gid=65534 --home=/var/ftp/user1 --shell=/bin/false --file=/etc/proftpd/passwd
sudo ftpasswd --passwd --name=user2 --uid=109 --gid=65534 --home=/var/ftp/user2 --shell=/bin/false --file=/etc/proftpd/passwd
Note: to change the password of a virtual FTP user, run:
sudo ftpasswd --change-password --passwd --name=user1 --file=/etc/proftpd/passwd
5. Add the following directives to the proftpd config file:
AuthUserFile /etc/proftpd/passwd
DefaultRoot ~
RequireValidShell off

# VALID LOGINS
<Limit LOGIN>
  AllowUser user1
  AllowUser user2
  DenyAll
</Limit>

# USER 1
<Directory /var/ftp/user1/read>
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit DIRS READ>
    AllowUser user1
  </Limit>
</Directory>
<Directory /var/ftp/user1/write>
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit DIRS READ WRITE>
    AllowUser user1
  </Limit>
</Directory>

# USER 2
<Directory /var/ftp/user2/read>
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit DIRS READ>
    AllowUser user2
  </Limit>
</Directory>
<Directory /var/ftp/user2/write>
  <Limit ALL>
    DenyAll
  </Limit>
  <Limit DIRS READ WRITE>
    AllowUser user2
  </Limit>
</Directory>
6. If you use a firewall, don't forget to open up port 21. If you can get away with it, it's of course best to open it only to a narrowly defined set of IPs.
7. Restart proftpd; you should now be able to connect with an FTP client using the credentials of the users set up above.
8. For read-only filesystem access outside of the chroot, bind-mount the directory read-only into the user's read directory:
sudo mkdir /var/ftp/user1/read/blah
sudo mount --bind -r /path/to/somewhere/ /var/ftp/user1/read/blah/
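As an added check that is not part of the original post: a small POSIX shell audit that compares the ftpasswd file from step 4 with the <Limit LOGIN> block from step 5, flagging any account that can authenticate but is missing from the AllowUser list, a home outside /var/ftp (DefaultRoot ~ would chroot that user elsewhere), a uid/gid other than the proftpd account's, or a shell other than /bin/false. The sample files are constructed here with placeholder hashes, and audit_vusers and its arguments are my own names.

```shell
#!/bin/sh
# Constructed sample AuthUserFile in ftpasswd's passwd(5) layout.
# The hash fields are placeholders, not real crypt(3) hashes.
PASSWD_FILE=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
user1:$1$PLACEHOLDER$HASH1:109:65534::/var/ftp/user1:/bin/false
user2:$1$PLACEHOLDER$HASH2:109:65534::/var/ftp/user2:/bin/false
user3:$1$PLACEHOLDER$HASH3:109:65534::/srv/outside:/bin/false
user4:$1$PLACEHOLDER$HASH4:0:0::/var/ftp/user4:/bin/sh
EOF

# Constructed proftpd.conf fragment in the shape used in step 5;
# user3 exists in the passwd file but was never added here.
CONF_FILE=$(mktemp)
cat > "$CONF_FILE" <<'EOF'
AuthUserFile /etc/proftpd/passwd
DefaultRoot ~
RequireValidShell off
<Limit LOGIN>
  AllowUser user1
  AllowUser user2
  AllowUser user4
  DenyAll
</Limit>
EOF

# audit_vusers PASSWD_FILE CONF_FILE FTP_ROOT EXPECTED_UID EXPECTED_GID
# Prints one finding per line; returns 1 if any finding was produced.
audit_vusers() {
    passwd=$1; conf=$2; root=$3; want_uid=$4; want_gid=$5
    # Names allowed to log in by the <Limit LOGIN> block, space separated.
    allowed=$(awk '/^[ \t]*<Limit LOGIN>/{f=1} /^[ \t]*<\/Limit>/{f=0}
                   f && $1=="AllowUser"{print $2}' "$conf" | tr '\n' ' ')
    rc=0
    while IFS=: read -r name hash uid gid gecos home shell; do
        case " $allowed " in *" $name "*) ;; *)
            echo "$name: not in <Limit LOGIN> AllowUser list"; rc=1 ;; esac
        case "$home" in "$root"/*) ;; *)
            echo "$name: home $home is outside $root"; rc=1 ;; esac
        [ "$uid" = "$want_uid" ] && [ "$gid" = "$want_gid" ] ||
            { echo "$name: uid/gid $uid/$gid, expected $want_uid/$want_gid"; rc=1; }
        [ "$shell" = /bin/false ] ||
            { echo "$name: shell $shell is not /bin/false"; rc=1; }
    done < "$passwd"
    return $rc
}

# Stand-alone run against the constructed files: expect four findings.
audit_vusers "$PASSWD_FILE" "$CONF_FILE" /var/ftp 109 65534 || echo "audit: problems found"
```

Against a live box, point it at /etc/proftpd/passwd and the real config instead of the constructed files.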