FTP Server for individual client spaces

Steve Bertrand steve at ibctech.ca
Fri Jul 10 14:30:13 UTC 2009

RS Wood wrote:
> I run a small engineering company* that exchanges large files (CAD,
> etc.) with clients, and I want to keep the docs off my email server by
> setting up a stand alone FTP server where each client can upload and
> download its relevant files.  As such, my own users/employees should be
> able to reach every client’s FTP space but each client should only be
> able to reach his own.  As my users finish a doc, they place it in that
> client’s FTP directory and the client can log in and get it.  As such,
> I don’t want any form of unauthenticated FTP.
> I’ve tried different combinations of group names and directory
> permissions without success, but chrooting users doesn’t seem to solve
> my problem either, and my two favorite BSD books – Tiemann et. al.
> (Unleashed) and Lucas (Absolute) take the same approach the man pages
> do, in my opinion, which guides you either into an all anonymous system,
> or a system suitable for organizations such as software distributors in
> which clients/users authenticate but then all access the same directory
> (/pub for example).  I could use some help conceptualizing this.
> Is the solution ftpchroot?  

It works for us, for the users who still need FTP access:

# cp /sbin/nologin /sbin/ftp-only
# echo "/sbin/ftp-only" >> /etc/shells

# adduser

homedir == /ftp/username
shell   == /sbin/ftp-only

I then:

# cd /ftp/username
# rm -r .*

# echo "username" >> /etc/ftpchroot

Now, you can create staff accounts in the same way, but set their home
directory as /ftp. They'll be able to traverse the entire FTP tree from
there. Just ensure that the /ftp directory structure is owned by a group
that your staff accounts are in, and that all of the sub directories are
modded with appropriate permissions.

> If so, it’s not clear how I can chroot
> each potential client into his own directory, as my understanding is
> that all chrooted users wind up at the same place (like /var/ftp/pub). 
> Or is the solution that each client gets access to his own home
> directory; 

Yes, each to their own home dir.

> if so, how do I ensure my staff has access to each client’s
> home directory?  

I'm assuming that your staff will be using FTP as well. Simply assign
their home directory to the root FTP directory.

> Lastly, I’ve also been reading up on PureFTP, which
> seems to have some advanced configuration potential (including LDAP
> authentication, something else that interests me) but it’s not clear
> that using an alternative product is indicated here.
> This seems like something other organizations must have dealt with, so I
> must be missing something fundamental.  Can someone point me in the
> right direction?
> Finally, I’m aware FTP has inherent security liabilities as passwords
> cross the net in clear text, but I’m not convinced casual users on
> Windows boxes will be able to manage fun stuff like SSH connections or
> alternative software, like SCP.  

Provide them a link to a client software that uses SFTP. I use WinSCP
(portable), which defaults to SFTP, and provides the server, username
and password fields as soon as it is launched.

Hope I didn't miss anything ;)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3233 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20090710/8403b1df/smime.bin

More information about the freebsd-questions mailing list