[HOWTO] Install pure-ftpd

[gatorparrots]

Apple's decision to switch ftp daemons from ftpd in 10.1 to lukemftpd in 10.2 is of questionable merit. Their lack of updated documentation to reflect that decision is truly lamentable. Most users upgrading from 10.1.x are left hobbled or with malfunctioning ftp servers (especially in regards to ftpchroot functionality), with no changes in the man pages to help them configure their new ftp daemon.

Rather than remaining in that state, I elected to replace the built-in ftp server with pure-ftpd, a robust and feature-rich ftp server that also boasts no root exploits.

The first step is to download and unpack the source. First, change directories to wherever you keep you downloads or source code:
cd /downloads
curl -O ftp://ftp.pureftpd.org/pub/pure-ftpd...-1.0.14.tar.gz
tar xzf pure-ftpd-1.0.14.tar.gz
cd pure-ftpd-1.0.14/
./configure --with-everything --with-virtualchroot --without-banner --without-humor
(This will configure a 'big server' with a plethora of options, including throttling, ratios, ftpwho, quotas, but will leave off the guady initial banner and the sprinkling of colorful banter in the error messages, etc.)
sudo make install-strip

At this point you will need to choose which server type you desire, as pure-ftpd can run in either standalone or xinetd mode:

Standalone Mode
You can run the server in standalone mode with this command:
sudo /usr/local/sbin/pure-ftpd &
or if you desire, use command line switches to configure the server at runtime:
sudo /usr/local/sbin/pure-ftpd -A -E -p 40000:50000 -c 5 -C 1 -I 5 -T 25 -u 1 &

The command line switches I have chosen tell the server the following:
-A chroots everyone
-E only allows authenticated users; anonymous users disallowed
-p 40000:50000 specifies the port range for passive connections
-c 5 specifies the number of clients
-C 1 specifies the number of connections per IP address
-I 5 changes the idle timeout; default 15 minutes seems excessive
-T 25 throttles the bandwidth to 25KB/sec per user
Many other switches are available. See the documentation for a complete list.

To get the standalone server to launch automagically at startup, you would have to write a Startup Item:
http://www.macfora.com/forums/showth...&threadid=6314

xinetd Mode
(As always, before editing a system level file, it is wise to create a backup first.)
cd /etc/xinetd.d/
sudo -s
cp ftp ftp.default
pico ftp

Modify the server and server_args lines as folows:

Code:

service ftp
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/local/sbin/pure-ftpd
        server_args     = -A -E -p 40000:50000 -c 5 -C 1 -I 5 -T 25 -u 1
        groups          = yes
        flags           = REUSE
}

Restart xinetd to affect the changes:
kill -HUP `cat /var/run/xinetd.pid`
exit

Test to confirm that it is working:
ftp 0

If you get something like this:

Code:

[gatorparrots:] gator% ftp 0
Connected to 0.
220-FTP server ready.
220 This is a private system - No anonymous login
Name (0:gator):

Congratulations! Your new FTP server is working as advertised. To enable the chroot to a single directory, simply assign your ftp users' home directories to your ftp root directory via NetInfo (and possibly put them in a dedicated ftp user group for added flexibility). Otherwise, the individual users will be chrooted to their /Users/username home directory.

[coolgrafix]

I'm considering installing pure-fptd based on your recommendations and my own frustration. I'd like an exit strategy, though. What would be involved in getting rid of pure-ftpd if it's installed as you describe in the post above?

[gatorparrots]

Uninstall instructions
To remove pure-ftp from active use, you would have to simply change the xinetd configuration back to its delivered state:

cd /etc/xinetd.d/
sudo mv ftp.default ftp
sudo kill -HUP `cat /var/run/xinetd.pid`

To fully remove pure-ftpd from your system,
cd to the unpacked source directory, then:
./configure
make uninstall

[cabbage]

wu-ftpd is the FTP Server on 10.2. Most people have been recomending ProFTP. Here is an excellent article on how to set that up.

http://afp548.com/Articles/Jaguar/proftpd.html

[coolgrafix]

G. Peretz: You are the man. =)

Cabbage: I think you may be referring to the FTP daemon included with Mac OS X Server 10.2, though I'm not sure. The daemon included with my Mac OS X 10.2.3 (non-server) is lukemftpd which, while I'm sure it's a great piece of work in and of itself, isn't properly documented or implimented as far as I can tell.

It's almost like Apple never expected anyone to try to use lukemftpd for a real-world application. It's amazing that it's been this way since, I assume, Jaguar was first released. I mean, who would ship an FTP server (admitedly turned off by default) that allows every user who logs in complete access to the hard drive? Am I missing something?

[coolgrafix]

Ok, so it seems that the Sharing preference panel FTP Access button simply toggles the "disable" line in /etc/xinetd.d/ftp file as follows:

FTP service off, line would read...

disable = yes

or FTP service on, line would read...

disable = no

So, no matter what FTP daemon is actually being used, you could still, as an admin user, start or stop the service from the Sharing preference panel.

Is this about right?

[gatorparrots]

Sounds right (on both points).

You can also have two configurations in your /etc/xinetd.d directory and cp the new one into place. For example, I have a "throttled" configuration and an "unthrottled" configuration of the ftp file. To toggle it, I run one of the simple shell scripts below that copies the appropriate file in place and then restarts xinetd. (This is very handy if I need very fast intra-office FTP access: I can quickly turn off the throttled default).

Code:

#!/bin/sh
# this script will change xinetd pure-ftpd configurations from throttled to unthrottled
sudo cp -f /etc/xinetd.d/#ftp.unthrottle /etc/xinetd.d/ftp
sudo kill -HUP `cat /var/run/xinetd.pid`

#!/bin/sh
# this script will change xinetd pure-ftpd configurations from unthrottled to throttled
sudo cp -f /etc/xinetd.d/#ftp.throttle /etc/xinetd.d/ftp
sudo kill -HUP `cat /var/run/xinetd.pid`

[coolgrafix]

Would also just add that in gatorparrots original HOWTO here, the instruction...

kill -HUP `cat /var/run/xinetd.pid`

...is only necessary (or possible, for that matter) if an FTP server is currently active (turned on in Sharing Preferences. I had the FTP service off, and was stumped for the longest time why I couldnt execute this command. Duh. =)