Installing ProFTPd

ProFTPD is a high powered ftp server that can be compiled with a variety of options. It can be installed to authenticate users using MySQL, or to be integrated with other server configurations.

Why ProFTPD?

ProFTPD is fairly well documented and quite versatile. The software uses .ftpaccess files to control access on a per-directory basis. Its configuration allows more flexibility when running behind NAT. Furthermore, its configuration closely resembles Apache configuration directives, which makes it easier to learn.

What I am providing here is a simple install, that will use PAM (Pluggable Authentication Module) and be instantiated by xinetd. In OS 10.2 and 10.3, this is the method utilized by the default ftpd server (lukemftpd). By using this method, the ftp service can be enabled and disabled by the Sharing Panel in System Preferences.

Download ProFTPD

Find the latest source at http://www.proftpd.org. As of this writing it is proftpd-1.2.10.tar.gz.

From the terminal, run the following commands:

	%  curl -O ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.10.tar.gz
	%  tar xvfz proftpd-1.2.10.tar.gz

This will download the file to the current working directory. The -O flag tells curl to use the remote filename as the local filename. Tar will extract the contents of the file. This should create a directory called proftpd-1.2.10.

Install ProFTPD

Navigate into this directory with the following.

	%  cd ./proftpd-1.2.10

Now configure the install, make the binaries and install. These steps require that you have the Developer tools installed.

	%  ./configure
	%  make
	%  sudo make install

Configure PAM

The default configure on OS X uses PAM for authenticating users. ProFTPD looks for a PAM service file called ftp in the PAM configuration directory, but OS X names this file ftpd. To rectify the issue, run the following commands:

	%  cd /etc/pam.d
	%  sudo cp ftpd ftp

This will duplicate the file with the correct name.

Configure xinetd

OS X uses xinetd for various services, but not all. Basically, xinetd acts as a system safeguard against overload. When someone requests FTP access, xinetd checks that the system is not overloaded and, if it is not, starts another instance of the server as the specified user. Here we will edit the appropriate configuration file.

Xinetd reads the file located in /etc/xinetd.d/ for the appropriate service. It consults this file and responds accordingly.

Make the following changes in the configuration located here: /etc/xinetd.d/ftp.

	service ftp
	{
	    disable = no
	    socket_type     = stream
	    wait            = no
	    user            = root
	#   server          = /usr/libexec/ftpd
	#   server_args     = -l
	    server          = /usr/local/sbin/proftpd
	    groups          = yes
	#   flags           = REUSE IPv6
	}

I have commented out the default configuration lines rather than deleting them, so that it is clear what I've changed in the file.

Configure ProFTPD

Edit the configuration file: /usr/local/etc/proftpd.conf. This file contains the server wide configuration, much like httpd.conf. Here is an example that I am using on one of my servers.

	# This is a basic ProFTPD configuration file (rename it to
	# 'proftpd.conf' for actual use.  It establishes a single server
	# and a single anonymous login.  It assumes that you have a user/group
	# "nobody" and "ftp" for normal operation and anon.

	ServerName		"EXAMPLE_NAME"
	ServerType		inetd
	DefaultServer		on

	ServerIdent		on "WELCOME MESSAGE DISPLAYED AT LOGON"
	MasqueradeAddress	FTP.EXAMPLE.COM
	PassivePorts		60000	65535

	# Port 21 is the standard FTP port.
	Port			21

	# Umask 022 is a good standard umask to prevent new dirs and files
	# from being group and world writable.
	Umask			022

	# To prevent DoS attacks, set the maximum number of child processes
	# to 30.  If you need to allow more than 30 concurrent connections
	# at once, simply increase this value.  Note that this ONLY works  
	# in standalone mode, in inetd mode you should use an inetd server
	# that allows you to limit maximum number of processes per service
	# (such as xinetd).
	MaxInstances		30
	
	# Set the user and group under which the server will run.
	User			root
	Group			wheel
	
	# To cause every FTP user to be "jailed" (chrooted) into their home
	# directory, uncomment this line.
	DefaultRoot ~
	
	PathDenyFilter		"\.ftpaccess$"
	
	# Normally, we want files to be overwritable.
	<Directory /*>
	  AllowOverwrite	on
	  HideNoAccess		on
	  # Hide the four OS X housekeeping names listed below; the regex is
	  # matched against each entry name, so every name is spelled out.
	  HideFiles		"(Network Trash Folder|TheVolumeSettingsFolder|Temporary Items|TemporaryItems)"
	</Directory>
	
	DisplayLogin                    .welcome

The primary modifications are as follows:

Change ServerName to whatever name you like.

Switch the ServerType setting from standalone to inetd. This is required for the server to be started by xinetd.

Modify the user and group settings. When running services with xinetd, they need to be initiated by the system. On OS X this corresponds to root and wheel.

ServerIdent is the message displayed upon login. This can be changed to whatever you like.

MasqueradeAddress is the host.domain.tld returned to the user when connected. If you are behind NAT, this should be set to the common name by which you refer to the server.

PassivePorts sets a range of ports to listen on for passive-mode data connections when the server is behind NAT. This requires that the router be configured to forward all of the ports in that range to the server.

Un-comment the DefaultRoot ~ line. This will bind logins to the home directories of the user ("jailed"). When a user logs in, the top level of the server will be their home folder.

I have removed the Anonymous user access and removed all lines pertaining to this. If you wish to have anonymous access, a user and group should be created in NetInfo as ftp and ftp. The home directory will also need to be created.

I have inserted PathDenyFilter to prevent users from viewing .ftpaccess files, as these control user interaction. These files can be used to control access on a directory by directory basis. PathDenyFilter prevents the server from showing these files to the connected clients.

HideNoAccess prevents files from being presented that should not be seen by the user. It hides standard Unix files that are known to be of issue. HideFiles uses a regular expression to filter entries out of what the server presents. The example expression filters out four common files on OS X: Network Trash Folder, TheVolumeSettingsFolder, Temporary Items and TemporaryItems.
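To confirm that an edited proftpd.conf carries the settings described above, here is an added check script (written for this page, not part of the article or of ProFTPD). It assumes POSIX sh with awk, sed and grep -E, works on a constructed sample config, and also verifies that the HideFiles expression really matches the four OS X names listed.

```shell
# Added check script, not part of the article or of ProFTPD: verifies that a
# proftpd.conf carries the edits described above. Assumes POSIX sh, awk, grep -E.

# Print the value of DIRECTIVE from FILE (first uncommented match), quotes kept.
conf_get() {  # conf_get FILE DIRECTIVE
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
# Report each directive that does not match the article's setup; return 1 if any.
check_proftpd_conf() {  # check_proftpd_conf FILE
    f=$1 rc=0
    [ "$(conf_get "$f" ServerType)" = inetd ] || { echo "ServerType must be inetd when started by xinetd"; rc=1; }
    [ "$(conf_get "$f" User)" = root ] && [ "$(conf_get "$f" Group)" = wheel ] \
        || { echo "User/Group should be root/wheel on OS X"; rc=1; }
    [ "$(conf_get "$f" DefaultRoot)" = "~" ] || { echo "DefaultRoot ~ missing: logins are not jailed"; rc=1; }
    conf_get "$f" PathDenyFilter | grep -q ftpaccess || { echo "PathDenyFilter for .ftpaccess missing"; rc=1; }
    [ -n "$(conf_get "$f" MasqueradeAddress)" ] || { echo "MasqueradeAddress unset (needed behind NAT)"; rc=1; }
    set -- $(conf_get "$f" PassivePorts)     # expect: LOW HIGH
    if [ $# -ne 2 ] || [ "$1" -lt 1024 ] || [ "$1" -ge "$2" ] || [ "$2" -gt 65535 ]; then
        echo "PassivePorts must be LOW HIGH with 1024 <= LOW < HIGH <= 65535"; rc=1
    fi
    return $rc
}
# Succeed only if every NAME given is matched by the HideFiles regex in FILE
# (ProFTPD matches entry names with POSIX regex, as grep -E does here).
hidefiles_covers() {  # hidefiles_covers FILE NAME...
    re=$(conf_get "$1" HideFiles | sed 's/^"//; s/"$//'); shift
    [ -n "$re" ] || return 1
    for n in "$@"; do printf '%s\n' "$n" | grep -Eq -- "$re" || return 1; done
}
# Write a constructed sample config (the article's, with the four OS X names
# spelled out in HideFiles) to a temp file and print its path.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
ServerType      inetd
MasqueradeAddress FTP.EXAMPLE.COM
PassivePorts    60000 65535
User            root
Group           wheel
DefaultRoot ~
PathDenyFilter  "\.ftpaccess$"
<Directory /*>
  HideNoAccess  on
  HideFiles     "(Network Trash Folder|TheVolumeSettingsFolder|Temporary Items|TemporaryItems)"
</Directory>
EOF
    echo "$f"
}
```

Run `check_proftpd_conf /usr/local/etc/proftpd.conf` after editing; a config still set to standalone or with DefaultRoot commented out fails with a message naming the directive.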