[HOWTO] Install pure-ftpd

gatorparrots

~departed~
Apple's decision to switch ftp daemons from ftpd in 10.1 to lukemftpd in 10.2 is of questionable merit. Their lack of updated documentation to reflect that decision is truly lamentable. Most users upgrading from 10.1.x are left hobbled or with malfunctioning ftp servers (especially in regards to ftpchroot functionality), with no changes in the man pages to help them configure their new ftp daemon.

Rather than remaining in that state, I elected to replace the built-in ftp server with pure-ftpd, a robust and feature-rich ftp server that also boasts no root exploits.

The first step is to download and unpack the source. First, change directories to wherever you keep your downloads or source code:
cd /downloads
curl -O ftp://ftp.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.14.tar.gz
tar xzf pure-ftpd-1.0.14.tar.gz
cd pure-ftpd-1.0.14/
./configure --with-everything --with-virtualchroot --without-banner --without-humor

(This will configure a 'big server' with a plethora of options, including throttling, ratios, ftpwho, quotas, but will leave off the gaudy initial banner and the sprinkling of colorful banter in the error messages, etc.)
sudo make install-strip

At this point you will need to choose which server type you desire, as pure-ftpd can run in either standalone or xinetd mode:

Standalone Mode
You can run the server in standalone mode with this command:
sudo /usr/local/sbin/pure-ftpd &
or if you desire, use command line switches to configure the server at runtime:
sudo /usr/local/sbin/pure-ftpd -A -E -p 40000:50000 -c 5 -C 1 -I 5 -T 25 -u 1 &

The command line switches I have chosen tell the server the following:
-A chroots everyone
-E only allows authenticated users; anonymous users disallowed
-p 40000:50000 specifies the port range for passive connections
-c 5 specifies the number of clients
-C 1 specifies the number of connections per IP address
-I 5 changes the idle timeout; default 15 minutes seems excessive
-T 25 throttles the bandwidth to 25KB/sec per user
Many other switches are available. See the documentation for a complete list.

To get the standalone server to launch automagically at startup, you would have to write a Startup Item:
http://www.macfora.com/forums/showthread.php?s=&threadid=6314

xinetd Mode
(As always, before editing a system level file, it is wise to create a backup first.)
cd /etc/xinetd.d/
sudo -s
cp ftp ftp.default
pico ftp


Modify the server and server_args lines as follows:
Code:
service ftp
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/local/sbin/pure-ftpd
        server_args     = -A -E -p 40000:50000 -c 5 -C 1 -I 5 -T 25 -u 1
        groups          = yes
        flags           = REUSE
}
Restart xinetd to effect the changes:
kill -HUP `cat /var/run/xinetd.pid`
exit


Test to confirm that it is working:
ftp 0

If you get something like this:
Code:
[gatorparrots:] gator% ftp 0
Connected to 0.
220-FTP server ready.
220 This is a private system - No anonymous login
Name (0:gator):
Congratulations! Your new FTP server is working as advertised. To enable the chroot to a single directory, simply assign your ftp users' home directories to your ftp root directory via NetInfo (and possibly put them in a dedicated ftp user group for added flexibility). Otherwise, the individual users will be chrooted to their /Users/username home directory.
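The HOWTO's protection comes entirely from the switches on the server_args line, so it is worth checking that line whenever the xinetd file is edited or swapped. The script below is an added example, not part of the original thread or of pure-ftpd; the function names, finding labels and sample files are made up for illustration, and it only recognises the short switches written separately as they appear in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit an xinetd ftp service file for
# the pure-ftpd switches the HOWTO relies on. Only the short switches written
# separately, as in the thread, are recognised (assumption).

# Print the value assigned to KEY in an xinetd service file.
xinetd_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print findings for a service file; return 0 only when there are none.
audit_ftp_service() {
    case $(xinetd_value "$1" server) in
        */pure-ftpd) ;;
        *) echo "not-pure-ftpd"; return 1 ;;
    esac
    chroot_all=no; no_anon=no; pasv_range=no; findings=""
    set -- $(xinetd_value "$1" server_args)   # split the switches into words
    while [ $# -gt 0 ]; do
        case $1 in
            -A) chroot_all=yes ;;             # chroot everyone
            -E) no_anon=yes ;;                # authenticated users only
            -p) pasv_range=yes; shift ;;      # -p takes a port range
            -[cCITu]) shift ;;                # these take a value too
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    [ "$chroot_all" = yes ] || findings="$findings missing-A"
    [ "$no_anon" = yes ]    || findings="$findings missing-E"
    [ "$pasv_range" = yes ] || findings="$findings missing-p"
    echo "${findings# }"
    [ -z "$findings" ]
}

# Constructed sample files: the HOWTO's settings, a weakened variant, and
# the stock server/server_args pair quoted later in the thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/ftp.howto" <<'EOF'
service ftp
{
        disable         = no
        server          = /usr/local/sbin/pure-ftpd
        server_args     = -A -E -p 40000:50000 -c 5 -C 1 -I 5 -T 25 -u 1
}
EOF
printf '\tserver = /usr/local/sbin/pure-ftpd\n\tserver_args = -E -c 5 -T 25\n' > "$SAMPLES/ftp.weak"
printf '\tserver = /usr/libexec/ftpd\n\tserver_args = -l\n' > "$SAMPLES/ftp.default"
for f in "$SAMPLES"/ftp.*; do
    printf '%s: %s\n' "${f##*/}" "$(audit_ftp_service "$f")"
done
```

Pointing audit_ftp_service at /etc/xinetd.d/ftp after each edit gives a quick pass or fail on whether the chroot, no-anonymous and passive-range switches survived the change.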
 
I'm considering installing pure-ftpd based on your recommendations and my own frustration. I'd like an exit strategy, though. What would be involved in getting rid of pure-ftpd if it's installed as you describe in the post above?
 
Uninstall instructions
To remove pure-ftp from active use, you would have to simply change the xinetd configuration back to its delivered state:

cd /etc/xinetd.d/
sudo mv ftp.default ftp
sudo kill -HUP `cat /var/run/xinetd.pid`


To fully remove pure-ftpd from your system,
cd to the unpacked source directory, then:
./configure
make uninstall
 
G. Peretz: You are the man. =)

Cabbage: I think you may be referring to the FTP daemon included with Mac OS X Server 10.2, though I'm not sure. The daemon included with my Mac OS X 10.2.3 (non-server) is lukemftpd which, while I'm sure it's a great piece of work in and of itself, isn't properly documented or implemented as far as I can tell.

It's almost like Apple never expected anyone to try to use lukemftpd for a real-world application. It's amazing that it's been this way since, I assume, Jaguar was first released. I mean, who would ship an FTP server (admittedly turned off by default) that allows every user who logs in complete access to the hard drive? Am I missing something?
 
Ok, so it seems that the Sharing preference panel FTP Access button simply toggles the "disable" line in /etc/xinetd.d/ftp file as follows:

FTP service off, line would read...

disable = yes

or FTP service on, line would read...

disable = no

So, no matter what FTP daemon is actually being used, you could still, as an admin user, start or stop the service from the Sharing preference panel.

Is this about right?
 
Sounds right (on both points).

You can also have two configurations in your /etc/xinetd.d directory and cp the new one into place. For example, I have a "throttled" configuration and an "unthrottled" configuration of the ftp file. To toggle it, I run one of the simple shell scripts below that copies the appropriate file in place and then restarts xinetd. (This is very handy if I need very fast intra-office FTP access: I can quickly turn off the throttled default).
Code:
#!/bin/sh
# this script will change xinetd pure-ftpd configurations from throttled to unthrottled
sudo cp -f /etc/xinetd.d/#ftp.unthrottle /etc/xinetd.d/ftp
sudo kill -HUP `cat /var/run/xinetd.pid`

#!/bin/sh
# this script will change xinetd pure-ftpd configurations from unthrottled to throttled
sudo cp -f /etc/xinetd.d/#ftp.throttle /etc/xinetd.d/ftp
sudo kill -HUP `cat /var/run/xinetd.pid`
 
Would also just add that in gatorparrots' original HOWTO here, the instruction...

kill -HUP `cat /var/run/xinetd.pid`

...is only necessary (or possible, for that matter) if an FTP server is currently active (turned on in Sharing Preferences). I had the FTP service off, and was stumped for the longest time why I couldn't execute this command. Duh. =)
 
I'm attempting to use pure-ftpd's virtual users feature. But I'm running into trouble with pure-pw. Specifically, the command can't normally be found by the shell. When I explicitly call it (/usr/local/bin/pure-pw) it does run, so I'm confused and concerned I've whacked my installation somehow that isn't readily apparent.

I tried modifying /etc/profile with no luck, and modifying /etc/rc.common didn't seem to help any, either. So the question is, when using tcsh, what file do I need to edit to change the PATH where it looks for commands?

Feel like I'm missing something obvious here.
 
Hmm, when I executed your suggestion:

sudo -s
echo "source /usr/share/tcsh/examples/rc" >> /etc/csh.cshrc
echo "source /usr/share/tcsh/examples/login" >> /etc/csh.login
echo "source /usr/share/tcsh/examples/logout" >> /etc/csh.logout
exit

...it didn't seem to solve the path problem and seems to have caused a login problem. Transcript follows:

[Brad-Kelleys-Web-Server:~] bradie% sudo -s
Password:
[Brad-Kelleys-Web-Server:~] root# echo "source /usr/share/tcsh/examples/rc" >> /etc/csh.cshrc
[Brad-Kelleys-Web-Server:~] root# echo "source /usr/share/tcsh/examples/login" >> /etc/csh.login
[Brad-Kelleys-Web-Server:~] root# echo "source /usr/share/tcsh/examples/logout" >> /etc/csh.logout
[Brad-Kelleys-Web-Server:~] root# exit
exit
[Brad-Kelleys-Web-Server:~] bradie% pure-pw
pure-pw: Command not found.

Logging out and then back into the server shows this at login:

Last login: Mon Jan 13 13:59:31 2003 from host12-14.disco
Welcome to Darwin!
TERM_PROGRAM: Undefined variable.

Any ideas what went wrong? I'm about to remove those lines we appended. =)
 
You may have to get a new shell to realize the new configuration. Apart from that, you can explicitly add /usr/local/ to your path:
setenv PATH "${PATH}:/usr/local/bin"

And you may want to add these two environmental variables permanently to your ~/.tcshrc or ~/.cshrc file (whichever is appropriate for your configuration):
setenv PATH "${PATH}:/usr/local/bin"
setenv MANPATH "${MANPATH}:/usr/local/man"


Also, judging by your transcript you have discovered the bug in Apple's example tcsh behavior. It can easily be remedied by following the solution at this link:
http://www.macfora.com/forums/showthread.php?postid=82510#post82510

And while you're at it, you may as well fix the other terminal configuration problem:
http://www.macfora.com/forums/showthread.php?postid=113174#post113174
 
Hi

I have a 10.2 running lukemftp 1.5

I am trying to set up a ssh tunnel to work with dreamweaver or fetch. I don't want to use clear text password stuff

The ssh tunnel works fine but I get this error trying to put files:

"An FTP error occurred - cannot get remote folder information.
425 possible PASV port theft, cannot open data connection."

1. Would this new pureftpd solve this issue?
2. I am keen to install it, but how do you disable lukemftp?
3. How can I choose between ProFTPd and pureftpd?

regards
Frederic
 
1. You have to disable PASV mode transfers over the ssh tunnel (regardless of the FTP server daemon you choose). Active mode transfers are preferred, as their port range is controllable: 20-21. Passive transfers can pick any available port above 1024.

2. Disabling lukemftp is easy (and the instructions are included above). To sum it up:
sudo mv /etc/xinetd.d/ftp /etc/xinetd.d/ftp.default
This will move lukemftp aside, allowing you to put a new ftp configuration file in its place. Restart xinetd to effect the change, either in the System Preferences>File Sharing pane (uncheck FTP access, then check it again with the new ftp configuration file in place) or
kill -1 `cat /var/run/xinetd.pid`

3. It's personal preference. Do you like XML-like configuration files? Use ProFTPd. Do you prefer command line switches for configuration? Use pure-ftpd. I tried ProFTPd but didn't like it. I found its configurations cumbersome and poorly documented. Also, it doesn't boast the security track record that pure-ftpd has. Pure-ftpd has yet to have a root exploit; also, it's fast, efficient, and highly configurable. The two servers share a lot of common features and are robust enough for heavy loads in a production environment, but for me the choice was clearly obvious.
 
thanks

> 1. You have to disable PASV mode transfers over the ssh tunnel (regardless of the FTP server daemon you choose). Active mode transfers are preferred, as their port range is controllable: 20-21. Passive transfers can pick any available port above 1024.

I am new to all that. How do I do this? Is it something to be done in the daemon's config file?

Is /etc/xinetd.d/ftp lukemftp's config file?

I have also tried sftp and it seems OK; I can't get it to work with Dreamweaver because it's not supported, I think.

So I am quite keen to get the ssl tunnel to work

regards
Frederic
 
I think you should fork off your questions about SSH tunneling to a new thread. I would like to keep this thread on topic as much as possible and the SSH tunnel is tangential but a separate topic.

/etc/xinetd.d/ftp is the xinetd services file for ftp. In OS X 10.2, it comes defaulted to using lukemftpd:
Code:
service ftp
{
        disable = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/libexec/ftpd
        server_args     = -l
        groups          = yes
        flags           = REUSE
}
(/usr/libexec/ftpd is really just an alias for lukemftpd). The configuration information under xinetd is the server_args line of this file (see my pure-ftpd example above).
 
Hi, I think I am going to take your advice gatorparrots, but when I try to ./configure this is what I get...

[SynapseVR5:~/downloads/pure-ftpd-1.0.13a] bence% ./configure --with-everything --with-virtualchroot --without-banner --without-humor

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets ${MAKE}... no
checking for a BSD-compatible install... /usr/bin/install -c
checking for ranlib... :
checking for gcc... no
checking for cc... no
checking for cc... no
checking for cl... no
configure: error: no acceptable C compiler found in $PATH


please help me out, thank you

Bence
 
You need to download and install the Developer Tools from Apple in order to compile software. You can register for a free account at connect.apple.com.

Alternately, pureftp.org has a pre-built Mac OS X pkg installer available now (although it is a bit dated):
ftp.pureftpd.org/releases/PureFTP-1.0.10-PPC(OSX).dmg
 