[lug] LAMP FTP setup

Wed Jun 6 19:38:18 MDT 2007

On Wed, 2007-06-06 at 19:24 -0600, dio2002 at indra.com wrote:
> >> 1) question though.. each user directory is still
> >> going to require separate user permissions.  that
> >> essentially means creating a user account for each
> >> user even though the authentication now takes place
> >> via sequre ftp to mysql db versus standard password
> >> tables.  so it looks like regardless of the approach
> >> used, a user account needs to be created right?
> >>
> >> 2) i imagine i can just lock the account or set the
> >> default shell to none for each of those real system
> >> accounts so that those accounts are basically useless
> >> right (safe)?  is that the right approach or am i off
> >> here?
> >
> > I don't have documentation of how we had this set up, but it is entirely
> > possible to have ftp users that do not have an account on the system.  I
> > don't manage any FTP servers anymore (strictly sFTP) but we used ProFTPd
> > and it had this capability.  I believe PureFTPd is the better choice now
> > and has the same features.  Here is a link on setting it up on Debian:
> >
> > http://www.howtoforge.com/pureftpd_mysql_virtual_hosting
> 
> i just found similar links on howtoforge as well.. thanks for hint
> 
> > We had it configured so that ProFTPd created the user's dir on the fly.
> > In other words, from a provisioning standpoint we simply propagated the
> > MySQL db with the user account info (including dir, shell, and quota
> > info) and ProFTPd took care of the rest.  Upon successful authentication
> > to the db, ProFTPD created the user's dir and set the permissions.  We
> > were only dealing with userdir and not separate sites, but I am sure it
> > can be done for separate sites as well.
> 
> so it sounds like what you're saying is that the user directory /
> permissions are not typical SYSTEM user account id / permisions.  they are
> sort of pseudo representations of those same paradigms but managed
> entirely by the proftpd process / server.  right?
> 

Right.  I believe that all the directories will be owned by the same
user and group (pureftp:pureftp for example) and then PureFTPd will
control the access each ftp user has.  As for the system account of
pureftp, it will have an /sbin/ftponly or similar shell so no ftp user
can have shell access.

Also, in retrospect we _were_ running fully independent domains but then
had userdir within each domain.  IIRC the domain was established by a
reverse lookup of the IP the ftp connection came in on so you would need
a separate IP for each domain, though there is probably a way around
this by now.  The benefit is the ability to have a user brad at domain1.com
and another user brad at domain2.com without any conflicts.  It also allows
the user to login with simply 'brad' instead of 'brad at domain1.com' since
basic users sometimes have problems remembering to log in fully
qualified.  Our setup allowed for fully qualified or non-qualified
logins.

Brad Crotchett
brad at bradandkim.net
http://www.bradandkim.net