ProFTPD is a freeware FTP daemon distributed under the GNU Public License.
It provides a large number of features that have resulted in it being chosen
as the default FTP server on the machines I administer..
The installation of the ProFTPD is controlled by the package subsystem, thus
it is quite easy to install and upgrade when new versions become available.
# umask 0
# gunzip -c proftpd.1.2.0.p10.SPARC.Solaris.2.6.pkg.tgz | /usr/bin/tar -xvvf -
# pkgadd -d. proftpd
# rm -rf proftpd
# cp /bin/true /bin/ftponly
# chmod 755 /bin/ftponly
# /bin/chown root:root /bin/ftponly
# echo "/bin/ftponly" >> /etc/shells
If necessary, create the user ftp with
its home directory on a sufficiently big file system, owned by
ftp, group
ftp, mode
0755. The ftp
user should have /bin/ftponly as its shell.
Below is an annotated copy of a proftpd.conf
file which achieves several outcomes useful to me.
Firstly, the global server configuration:
###########################################
#
# Server Configuration
#
###########################################
ServerName "This is a FTP Server"
ServerType inetd
DefaultServer on
Port 21
Umask 022
MaxInstances 100
User nobody
Group nobody
<Directory /*>
AllowOverwrite on
</Directory>
The above defines the connection message, server mode, (inetd or standalone), port to
listen on, default umask value and the user id and group id to run as. It also allows
people to write/read/list their files by default.
###########################################
#
# FTP only home directories
#
###########################################
<Anonymous /opt/applic/spool>
User foo
Group bar
UserAlias applic-ftp foo
AnonRequirePassword on
DirFakeUser on applicuser
DirFakeGroup on applicgrp
DirFakeMode 0644
<Limit READ WRITE DIRS>
AllowAll
</Limit>
</Anonymous>
The above enables a user to log in as applic-ftp
and be placed directly into the /opt/applic/spool
directory, with the user id of foo and group id
of bar. They login is
applic-ftp but they are required to enter the
password for foo to be authenticated.
The second part of the section shows how to have all files displayed as owned by
applicuser user id and
applicgrp group id, with file permissions
appearing as always being 0644,
irrespective of what they really are. These options may be used for security
reasons, but care must be taken to not trust the ftp output if problems arise
with the real file permissions. If the file modes appear as 0644
but the real modes are 0600 then
strange errors may be encountered. For this and other reasons we wouldn't generally
use the attribute faking commands.
<Anonymous /usr/local/spool/applic/joe>
User joe
Group prod
UserPassword joe afwhf%2gf9gfh
AnonRequirePassword on
<Limit READ WRITE DIRS>
AllowAll
</Limit>
</Anonymous>
This section shows how to have FTP only accounts for users who require them in addition
to their normal application usage. If you include a
UserPassword line with any user id and a
password encrypted with crypt(3) then the
username will be validated with the encrypted password specified. We need to do
this since the user may not have a password in the unix
/etc/shadowfile, but we want to have
them be validated. This might be the case where the shell they run handles the
authentication. There is an issue in that an admin has to manually paste in
the crypted password.
In the above example the user is locked into the
/usr/local/spool/applic/joe directory
with full access to his/her files. They are unable to wander the rest of the system.
To summarize, if you have accounts that have no passwords so users can run an
application but you have, for instance, a maintainer of the application files
then you can give the maintainer the password and only he or she can use the
FTP access.
If you simply had straight out FTP only accounts then it's even simpler, have
/bin/ftponly as their shell and have
a slightly modified version of the above, (no
UserPassword line), and they can
log into the directory and not go anywhere else. The documentation has
examples of other setups. It's worth perservering. (Now what do I mean by that :)
<Anonymous ~ftp>
User ftp
Group ftp
UserAlias anonymous ftp
MaxClients 100
DisplayLogin welcome.msg
DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
This is the anonymous FTP section. It includes directives that tell the FTP server
to accept anonymous as a valid
alternative to the ftp username.
None of the usernames require a valid password to be entered. Writing anywhere
in the ftp directory structure is explicitly denied, although this could be
overwritten for specific directories with a
<Directory> sub-section.
Email To
Send email to proftpd@proftpd.net
Solaris Issues
Each proftpd package requires installation on the Solaris release it
was built on. Only install the correct version for your system.
Click here to read about the 32 bit and 64 bit Solaris 7 and 8 packages.