FTP Server for individual client spaces

RS Wood rswood at therandymon.com
Fri Jul 10 14:10:26 UTC 2009

I run a small engineering company* that exchanges large files (CAD,
etc.) with clients, and I want to keep the docs off my email server by
setting up a stand-alone FTP server where each client can upload and
download its relevant files.  As such, my own users/employees should be
able to reach every client’s FTP space but each client should only be
able to reach his own.  As my users finish a doc, they place it in that
client’s FTP directory and the client can log in and get it.  As such,
I don’t want any form of unauthenticated FTP.

I’ve tried different combinations of group names and directory
permissions without success, but chrooting users doesn’t seem to solve
my problem either, and my two favorite BSD books – Tiemann et al.
(Unleashed) and Lucas (Absolute) take the same approach the man pages
do, in my opinion, which guides you either into an all anonymous system,
or a system suitable for organizations such as software distributors in
which clients/users authenticate but then all access the same directory
(/pub for example).  I could use some help conceptualizing this.

Is the solution ftpchroot?  If so, it’s not clear how I can chroot
each potential client into his own directory, as my understanding is
that all chrooted users wind up at the same place (like /var/ftp/pub).
Or is the solution that each client gets access to his own home
directory; if so, how do I ensure my staff has access to each client’s
home directory?  Lastly, I’ve also been reading up on PureFTP, which
seems to have some advanced configuration potential (including LDAP
authentication, something else that interests me) but it’s not clear
that using an alternative product is indicated here.
This seems like something other organizations must have dealt with, so I
must be missing something fundamental.  Can someone point me in the
right direction?

Finally, I’m aware FTP has inherent security liabilities as passwords
cross the net in clear text, but I’m not convinced casual users on
Windows boxes will be able to manage fun stuff like SSH connections or
alternative software, like SCP.  In my experience, the “modern”
Windows user accesses FTP sites using Internet Explorer, which is
tremendously underwhelming.  As such I am choosing a stand-alone box on
which no other services are running (mail, X, etc.).  Am I right?  Or is
there some better method that won’t be too complex for the casual
Windows user?

Thanks in advance for the pointers.


*Actually, this is all hypothetical, but I’m learning server admin so
I can cross this bridge when the time comes, and having a lot of fun,
naturally, since right now my screw ups don’t count!
