Linode Forum
Linode Community Forums
Posted: Mon Sep 20, 2010 3:03 am
Senior Member

Joined: Fri Aug 20, 2010 3:12 am
Posts: 68
Hi

Can I set up

* a secure FTP for somebody (not a current user on the system)
* for 2 different directories on Ubuntu
* inside public_html?

I don't want to give the user a pure SSH account right now.

Any other secure way to upload, download and delete files is good too. nginx is available, not apache2.

Thank you

R.


Posted: Mon Sep 20, 2010 3:36 am
Senior Member

Joined: Sat Nov 15, 2008 4:24 pm
Posts: 55
Location: Czech Republic
pure_ftpd? Fast, small footprint, TLS (-Y 3).


Posted: Mon Sep 20, 2010 5:50 am
Senior Member

Joined: Fri Aug 20, 2010 3:12 am
Posts: 68
drake127 wrote:
pure_ftpd? Fast, small footprint, TLS (-Y 3).

looks goooood :-)

but I haven't found how I can configure it to my needs

I can give the new (virtual) user a home directory, but the main reason I am doing this exercise is to give him rw access to

    - /srv/www/domain1.com and
    - /srv/www/domain2.com


I guess I shouldn't touch the current permissions.

So I am lost as to what to do.

Thank you

R.


Posted: Mon Sep 20, 2010 9:09 am
Senior Member

Joined: Sat Nov 15, 2008 4:24 pm
Posts: 55
Location: Czech Republic
Oh, you probably need to read the README (http://download.pureftpd.org/pub/pure-ftpd/doc/README). Simply, you need to create a database file and instruct pure-ftpd to use it. Look for the -l option and the virtual users section.

While configuration files (well, pure_ftpd doesn't have a config file, just command line options) can be intimidating, the documentation is well written and you should be OK with it.


Posted: Mon Sep 20, 2010 10:10 am
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
If you don't want to bother using an FTP server, try something like this: http://adamsworld.name/chrootjailv5.php


Posted: Mon Sep 20, 2010 6:53 pm
Senior Member

Joined: Fri Aug 20, 2010 3:12 am
Posts: 68
drake127 wrote:
Oh, you probably need to read the README (http://download.pureftpd.org/pub/pure-ftpd/doc/README). Simply, you need to create a database file and instruct pure-ftpd to use it. Look for the -l option and the virtual users section.

While configuration files (well, pure_ftpd doesn't have a config file, just command line options) can be intimidating, the documentation is well written and you should be OK with it.

Well, I read the doc and was confused. So I asked on the Pure-FTPd mailing list and it looks like it is impossible or very hard to achieve what I need.

If you know how to set it up, could you share? :-)

Just to clarify ....

I want to

- securely
- grant rw permissions
- to a few directories (web server home dir) where the current permissions are www-data:www-data. I am not sure if I can modify these permissions and still get nginx to work properly.

I can create a directory structure for this exercise as Pure-FTPd needs.

Thank you

R.


Posted: Mon Sep 20, 2010 8:28 pm
Senior Member

Joined: Sat Nov 15, 2008 4:24 pm
Posts: 55
Location: Czech Republic
It's not that hard, maybe you got a little confused.

Here's my command line argument list:
Code:
-S 127.0.0.1,21 -p 49152:50174 -B -l mysql:/etc/pure-ftpd/mysql.conf -u 2000 -0 -4 -A -E -H -U 137:027 -Y 3

Pretty self-explanatory ... well, maybe not, but it is documented. You want to change -S to the address you use; -u is the minimum allowed UID, -U is the umask (file:dir), -Y 3 is TLS, -l is authentication. The others are not too important. I use MySQL; I trust pure-ftpd can work with berkdb as well.

My /etc/pure-ftpd/mysql.conf:
Code:
MYSQLSocket                     /var/run/mysqld/mysqld.sock
MYSQLUser               Pure-FTPd
MYSQLPassword           *******
MYSQLDatabase           *******
MYSQLCrypt              MD5
MySQLTransactions       On

MYSQLGetPW              SELECT `password` FROM `ftp_users` WHERE `user` = '\L'
MYSQLGetDir             SELECT `directory` FROM `ftp_users` WHERE `user` = '\L'
MYSQLGetUID             SELECT `uid` FROM `ftp_users` WHERE `user` = '\L'
MYSQLGetGID             SELECT `gid` FROM `ftp_users` WHERE `user` = '\L'


And the table itself looks like this:
Code:
CREATE TABLE ftp_users (
  `user` varchar(32) COLLATE utf8_bin NOT NULL,
  `password` varchar(80) COLLATE utf8_bin DEFAULT NULL,
  `directory` varchar(64) COLLATE utf8_bin NOT NULL,
  uid varchar(32) COLLATE utf8_bin NOT NULL,
  gid varchar(32) COLLATE utf8_bin NOT NULL,
  PRIMARY KEY (`user`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;


When you set this up, you can create FTP users with the UID/GID you choose for them, accessing the directory of your choice, and they are forced to use TLS encryption.

Sorry for the half-cooked guide but I am too busy to make it step-by-step. So take this as simple hints about what you need to do.


Posted: Mon Sep 20, 2010 8:47 pm
Senior Member

Joined: Sat Nov 15, 2008 4:24 pm
Posts: 55
Location: Czech Republic
I read your post on the mailing list and maybe it is me who got confused. In the standard way, Pure-FTPd will allow you to browse directories recursively - thus if you grant access to /var/www, the user gets access to all subdirectories (given their uid:gid have proper r/w permissions). This is usually desirable and normal.

However, if you do wish to have the whole /var/www with www-data:www-data permissions and you do want to grant the user /var/www/jack and you don't want to give him access to /var/www/jack/keepout, then it's not gonna be that simple.


Posted: Tue Sep 21, 2010 1:36 am
Senior Member

Joined: Fri Aug 20, 2010 3:12 am
Posts: 68
drake127 wrote:
I read your post on the mailing list and maybe it is me who got confused. In the standard way, Pure-FTPd will allow you to browse directories recursively - thus if you grant access to /var/www, the user gets access to all subdirectories (given their uid:gid have proper r/w permissions). This is usually desirable and normal.

However, if you do wish to have the whole /var/www with www-data:www-data permissions and you do want to grant the user /var/www/jack and you don't want to give him access to /var/www/jack/keepout, then it's not gonna be that simple.

Well, let's say I have 20 web sites on my Linode and I want to give this kind of access to somebody for only 3 of them and then to give access to somebody else for another (different) 5 sites or so.

It seems to me that Pure-FTPd and Linux ACLs are the way... I need to investigate ACLs more ...

Thank you for your help

R

PS thanks :-)


Posted: Tue Sep 21, 2010 7:41 am
Senior Member

Joined: Sat Nov 15, 2008 4:24 pm
Posts: 55
Location: Czech Republic
Still, you don't need to mess with ACLs (for something that can be done without them).

Let's say we have these sites (all www-data:www-data)
/var/www/jacksite.net
/var/www/jacknewsite.com
/var/www/john.com
/var/www/johnoldies.com
/var/www/someotherguyssite.br
/var/www/sharenshare.ru

And these users: jack, john, carlos.

So, given my configuration above, I would insert the following rows into the database:
Code:
INSERT INTO ftp_users VALUES
('jack', MD5('jackpass'), '/var/www/jacksite.net', 'www-data', 'www-data'),
('jack', MD5('jackpass'), '/var/www/jacknewsite.com', 'www-data', 'www-data'),
('jack', MD5('jackpass'), '/var/www/sharenshare.ru', 'www-data', 'www-data'),
('john', MD5('johnpass'), '/var/www/john.com', 'www-data', 'www-data'),
('john', MD5('johnpass'), '/var/www/johnoldies.com', 'www-data', 'www-data'),
('john', MD5('johnpass'), '/var/www/sharenshare.ru', 'www-data', 'www-data'),
('carlos', MD5('carlospass'), '/var/www/someotherguyssite.br', 'www-data', 'www-data');

I believe it is exactly what you need. It can be done without redundancy but you can play with that later (as well as with getting rid of the one-user-running-it approach).
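
An added example, not part of the original post: the ftp_users table shown earlier in the thread has PRIMARY KEY (`user`), and the MYSQLGetDir query looks up one directory per login, so each login can map to only one directory. The sketch below uses Python's sqlite3 as a stand-in for MySQL (an assumption) and a hypothetical person-site login naming scheme to show which rows the key rejects and one layout that stores all seven grants.

```python
import sqlite3

# Same columns and key as the thread's ftp_users table; sqlite3 stands in for
# MySQL here (assumption), so the MySQL-only clauses are dropped.
SCHEMA = """
CREATE TABLE ftp_users (
  user      TEXT NOT NULL PRIMARY KEY,
  password  TEXT,
  directory TEXT NOT NULL,
  uid       TEXT NOT NULL,
  gid       TEXT NOT NULL
)"""

# Person -> sites, taken from the thread's example (constructed sample data).
GRANTS = {
    "jack": ["jacksite.net", "jacknewsite.com", "sharenshare.ru"],
    "john": ["john.com", "johnoldies.com", "sharenshare.ru"],
    "carlos": ["someotherguyssite.br"],
}

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def as_posted(person, site):
    return person  # login = person, as in the thread's INSERT

def per_site(person, site):
    return f"{person}-{site}"  # hypothetical naming scheme: one login per site

def insert_grants(db, login_for):
    """Insert one row per (person, site); return the rows the key rejected."""
    rejected = []
    for person, sites in GRANTS.items():
        for site in sites:
            row = (login_for(person, site), "<hash>", f"/var/www/{site}",
                   "www-data", "www-data")  # "<hash>" is a placeholder
            try:
                db.execute("INSERT INTO ftp_users VALUES (?,?,?,?,?)", row)
            except sqlite3.IntegrityError:  # duplicate PRIMARY KEY
                rejected.append((person, site))
    return rejected

def get_dir(db, login):
    """Same lookup as the MYSQLGetDir query: directories stored for a login."""
    rows = db.execute("SELECT directory FROM ftp_users WHERE user = ?", (login,))
    return [r[0] for r in rows]
```

The -u 2000 option in the command line quoted earlier sets the minimum UID allowed to log in, and www-data is UID 33 on stock Ubuntu, so rows mapped to www-data need a lower -u value or a dedicated account with a higher UID.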


Posted: Tue Sep 21, 2010 7:49 am
Senior Member

Joined: Fri Aug 20, 2010 3:12 am
Posts: 68
drake127 wrote:
Still, you don't need to mess with ACL (for something that can be done without them).

........

I believe it is exactly what you need. It can be done without redundancy but you can play with that later (as well as with getting rid of the one-user-running-it approach).


It looks like what I need ... I have to try to implement it and hopefully one day I can even understand it :-)

Thank you

R


Posted: Wed Sep 22, 2010 8:22 am
Senior Member

Joined: Fri Aug 20, 2010 3:12 am
Posts: 68
drake127 wrote:
....

I believe it is exactly what you need. It can be done without redundancy but you can play with that later (as well as with getting rid of the one-user-running-it approach).

    - Do I have to compile Pure-FTPd to enable the MySQL connection and SSL?

    - Could the user later on change his password by himself?


Thank you

R.


Posted: Wed Sep 22, 2010 2:19 pm
Senior Member

Joined: Sat Nov 15, 2008 4:24 pm
Posts: 55
Location: Czech Republic
What distro? On Gentoo there is a USE flag that enables MySQL support. I can imagine that others have it precompiled.

The FTP protocol doesn't have a means to change the password and neither does the FTPd. You need to provide it yourself by issuing an update to the user table (UPDATE ftp_users SET password = MD5('pass') WHERE user = 'jonny'). It is up to you whether or how you would implement it.


Posted: Wed Sep 22, 2010 6:27 pm
Senior Member

Joined: Fri Aug 20, 2010 3:12 am
Posts: 68
drake127 wrote:
What distro? On Gentoo there is a USE flag that enables MySQL support. I can imagine that others have it precompiled.

Ubuntu :-)

drake127 wrote:
The FTP protocol doesn't have a means to change the password and neither does the FTPd. You need to provide it yourself by issuing an update to the user table (UPDATE ftp_users SET password = MD5('pass') WHERE user = 'jonny'). It is up to you whether or how you would implement it.

I thought that I cannot let users change their password. Just wanted to be sure.

Thank you


Posted: Wed Sep 22, 2010 6:53 pm
Senior Member

Joined: Fri Aug 20, 2010 3:12 am
Posts: 68
What is better:

FTP-over-SSL or
FTP-over-SSH?

Or does it really not matter in my case?

Thank you

R.

