# HOWTO: Setup a Pure-FTPd server with virtual users



## tangram (Nov 26, 2008)

Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server.

This guide provides instructions for using the virtual user system to manage and control users. By using virtual users, FTP accounts can be administrated without affecting system accounts.

Let's initiate Pure-FTPd's installation by entering the following commands:


```
% su
# portsnap fetch update
# cd /usr/ports/ftp/pure-ftpd
# make config
```

A menu containing Pure-FTPd options will pop up. In my case, I've opted to leave these options at their defaults.


```
# make install clean
# rehash
```

Having finished the installation process, we now move into the configuration stage. We'll start by copying the sample configuration file and setting the configuration options:


```
# cd /usr/local/etc
# cp pure-ftpd.conf.sample pure-ftpd.conf
# chmod 644 pure-ftpd.conf
```

The _chmod_ command was run to be able to edit the file (default permissions are set to -r--r--r--).


```
# vi pure-ftpd.conf

    VerboseLog yes
    PureDB /usr/local/etc/pureftpd.pdb
    CreateHomeDir yes
```

The _CreateHomeDir_ option makes adding virtual users easier by creating a user's home directory upon login (if it doesn't already exist).

We can either import users with system-level accounts (defined in _/etc/master.passwd_) at once or create new users manually. To import users that already exist on your system into the virtual user database, enter these commands:


```
# pure-pwconvert >> /usr/local/etc/pureftpd.passwd
# chmod 600 /usr/local/etc/pureftpd.passwd
# pure-pw mkdb
```

It should be noted that _pure-pwconvert_ only imports accounts that have shell access. Accounts with the shell set to _nologin_ have to be added manually.

To add users to the Pure-FTPd virtual user database manually, we need to create a system-level account that will be associated with virtual users. Create a new user named _vftp_ like this:


```
# pw useradd vftp -s /sbin/nologin -w no -d /usr/home/vftp\
? -c "Virtual FTP user" -m
```

Having done this we can now add users to the virtual users database using the commands below:


```
# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user
# pure-pw mkdb
```

Replace _user_ with the desired username. With the _-d_ flag, the user will be chrooted. If you want to give the user access to the whole filesystem, use _-D_ instead of _-d_.

If you want to add additional users, just repeat the commands above with a different user.

To remove a user:


```
# pure-pw userdel user
```

Now to start Pure-FTPd:


```
# /usr/local/etc/rc.d/pure-ftpd onestart
```

Initiate an FTP connection to test the server:


```
% ftp localhost

    Trying 127.0.0.1...
    Connected to localhost.
    220---------- Welcome to Pure-FTPd [TLS] ----------
    220-You are user number 2 of 50 allowed.
    220-Local time is now 13:39. Server port: 21.
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    Name (localhost:username):
```

Now log in with a user account created as explained above. Commands such as _ls_, _cp_, _pwd_ and _less_ work just like in tcsh and bash shells. To quit the FTP session type _exit_.

To configure Pure-FTPd to start at boot time:


```
# echo 'pureftpd_enable="YES"' >> /etc/rc.conf
```

To restart Pure-FTPd and determine if it is running:


```
# /usr/local/etc/rc.d/pure-ftpd restart
# /usr/local/etc/rc.d/pure-ftpd status
```

Pure-FTPd provides useful features for personal users as well as hosting providers. I've only touched the tip of the iceberg so do take a look at the project's website for the excellent documentation that is available.


----------



## rajarshi (Dec 3, 2008)

Also see: http://machiel.generaal.net/index.php?subject=pureftpd&language=eng


----------



## hirohitosan (Feb 4, 2009)

Thanks tangram for the HowTo. I followed your instructions and set up a pure-ftpd server. On my computer I have 2 users. I imported users with system-level accounts like you describe, but in fact just one user was imported.

user1 is a member of the wheel group

user2 is a member of the user2 group

pure-ftpd imported just user2.
Now user2 can connect, but user1 cannot.

How can I add user1 to the ftp users?
If one of the normal users changes his password, does pure-ftpd change the password for that user?

thanks


----------



## tangram (Feb 5, 2009)

Hi hirohitosan,

I don't have access to my FreeBSD system right now. Give a couple of days and I'll get back to you.


----------



## tangram (Feb 10, 2009)

@ hirohitosan

Are the system accounts you want to import listed in /etc/master.passwd?

Users are imported from the system to the virtual user database by running:

```
# pure-pwconvert >> /usr/local/etc/pureftpd.passwd
# chmod 600 /usr/local/etc/pureftpd.passwd
# pure-pw mkdb
```

Do notice that pure-pwconvert only imports accounts that have shell access. So accounts that have their shell set to nologin have to be added manually.

If a user changes his password I would assume that you need to update the database, however I haven't tried it myself.


----------



## Business_Woman (Apr 15, 2009)

How do you restrict user access of individual users when every user is member of the same system account(s) ftpuser and ftpgroup?


----------



## tangram (Apr 15, 2009)

I'm not sure I follow your question...

You add the users you want by:


```
# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user
# pure-pw mkdb
```


----------



## pablo (Apr 15, 2009)

Business_Woman said:

> How do you restrict user access of individual users when every user is member of the same system account(s) ftpuser and ftpgroup?


You may add (uncomment) the next line in /usr/local/etc/pure-ftpd.conf

```
ChrootEveryone              yes
```
to limit users to their home directory.
You can add (uncomment) the line

```
TrustedGID                    100
```
to allow users with id<100 (for example, root) access to the whole file system (but, IMHO, I wouldn't do it for security reasons).
To see currently connected users, pure-ftpwho is usable.
Also, the port /usr/ports/www/usermanager (apache + php + mysql) is usable for managing tons of users.


----------



## Business_Woman (Apr 15, 2009)

tangram said:

> I'm not sure I follow your question...
> 
> You add the users you want by:
> 
> ...



Yes, let's say you add user Bob. Now Bob will be a member of the system accounts ftpuser and ftpgroup (following the pure-ftpd tutorial). When Bob uploads a file, the owner of that file will be the system account ftpuser and *not* the virtual user Bob.


----------



## tangram (Apr 15, 2009)

In the HowTo I didn't refer to any *ftpuser* or *ftpgroup* groups. It only mentions the creation of a system-level account that will then be used to associate virtual users.

So assuming that you have a bob user that is part of the bob group (by default FreeBSD assigns the user's own name as his primary group name), running:


```
# pure-pw useradd bob -u vftp -g vftp -d /usr/home/vftp/bob
# pure-pw mkdb
```

will add bob to the *vftp* Pure-FTPd virtual user database.

A file upload by bob will typically send the file to `/home/bob/` and permissions such as:


```
-rw-r--r--  1 bob  bob  1131291 Apr 15 22:31 random-file
```

So yeah, the file owner will be bob and his primary group, in this case bob. The owner is the system account user bob.

Useful `pure-pw` commands are:

- `useradd` adds a virtual user to the /usr/local/etc/pureftpd.passwd file
- `userdel` to delete virtual users
- `show` outputs info on a specific user
- `list` shows a list of users in /usr/local/etc/pureftpd.passwd


----------



## Business_Woman (Apr 16, 2009)

So then essentially, every file uploaded by a vftp user will have the same owner and group?


----------



## tangram (Apr 17, 2009)

If bob, john and peter are added to the vftp Pure-FTPd virtual user database.

A file upload by john will typically send the file to `/home/john/` and permissions such as:


```
-rw-r--r--  1 john  john  1131291 Apr 15 22:31 random-file
```

A file upload by peter will typically send the file to `/home/peter/` and permissions such as:


```
-rw-r--r--  1 peter  peter  1131291 Apr 15 22:31 random-file
```


----------



## plamaiziere (Apr 17, 2009)

Business_Woman said:

> So then essentially, every file uploaded by a vftp user will have the same owner and group?



Yes.
(edit): I do not have the same setup, I use only one system account and the virtual users are chrooted in their own sub-directories.


----------



## Business_Woman (Apr 17, 2009)

Okay. I would like to have several virtual users that had one shared directory, that everyone could access, and then their own home directory in which only the owner had rw permissions. How would you accomplish that?


----------



## pablo (Apr 18, 2009)

You can create one shared directory and symlink it to every user's home directory. So, nobody can access files from another home directory and all users have (rw) access to the "some_shared" directory.
Is that what you would like?


----------



## Business_Woman (Apr 18, 2009)

That might just work


----------



## edhunter (Apr 22, 2009)

@Business_Woman
There is a umask directive in pure-ftpd.conf

```
# File creation mask. <umask for files>:<umask for dirs> .
Umask                       113:002
## default was 133:022
```

This way uploaded files/directories will be rw for every user in the group.


Generally I would like to add two more comments about chrooting:
PureFTPd by default uses "virtual-chroot" - this means that if there are symlinks leading outside of the chroot, the user could escape. I had this problem, and I solved it by removing the line "--with-virtualchroot" from the Makefile before doing make install.
The second one is that there is a way to use per-user chroot, by adding "/./" to the homedir of the user. This is documented in pureftpd man pages. I am using this strategy for my users (not ChrootEveryone and TrustedGID)


----------
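
Added example, not part of any post in this thread: pablo suggests symlinking a shared directory into each home, and edhunter notes that with Pure-FTPd's virtual chroot such symlinks lead outside the chroot. The script below audits one home tree and lists every symlink whose resolved target lies outside it, so the links can be reviewed before they are relied on. The function names and the temporary demo tree are constructed for illustration, and `readlink -f` (FreeBSD base system and GNU coreutils) is assumed.

```shell
#!/bin/sh
# Added example: report symlinks under an FTP home tree that resolve outside it.
# Assumes readlink(1) supports -f; file names containing newlines are not handled.

# audit_symlinks ROOT
# Prints "ESCAPE <link> -> <target>" for each symlink leaving ROOT and
# "DANGLING <link>" for each symlink that cannot be resolved.
# Returns 0 if nothing was reported, 1 if something was, 2 if ROOT is unusable.
audit_symlinks() {
    [ -d "$1" ] || return 2
    # Canonicalise ROOT so it compares cleanly with readlink -f output.
    root=$(cd -- "$1" >/dev/null 2>&1 && pwd -P) || return 2
    find "$root" -type l -print | (
        rc=0
        while IFS= read -r link; do
            resolved=$(readlink -f "$link" 2>/dev/null) || resolved=
            case "$resolved" in
                "")
                    printf 'DANGLING %s\n' "$link"; rc=1 ;;
                "$root"|"$root"/*)
                    ;;  # target stays inside the home tree
                *)
                    printf 'ESCAPE %s -> %s\n' "$link" "$resolved"; rc=1 ;;
            esac
        done
        exit "$rc"      # leaves only this subshell; becomes the function's status
    )
}

# make_demo_tree: builds a constructed layout in a temporary directory and
# prints its path. bob's home holds one link that stays inside the home and
# one link to a shared directory that sits next to it.
make_demo_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/vftp/bob/docs" "$base/vftp/shared" || return 1
    ln -s docs "$base/vftp/bob/latest"        # resolves inside bob's home
    ln -s ../shared "$base/vftp/bob/shared"   # resolves outside bob's home
    printf '%s\n' "$base"
}

# Demo run on the constructed tree.
demo=$(make_demo_tree) || exit 1
audit_symlinks "$demo/vftp/bob" || echo "review the links listed above"
rm -rf "$demo"
```

On a real server the argument would be a virtual user's home, for example the `/usr/home/vftp/user` directory from the HOWTO.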



## Business_Woman (Apr 22, 2009)

tangram said:

> In the HowTo I didn't refer to any *ftpuser* or *ftpgroup* groups. It only mentions the creation of a system-level account that will then be used to associate virtual users.
> 
> So assuming that you have a bob user that is part of the bob group (by default FreeBSD assigns the user's own name as his primary group name), running:
> 
> ...


This is my problem: the owner of the file uploaded by Bob is vsftp for me, and not Bob :\


----------



## tangram (Apr 22, 2009)

Did you follow the steps in this tutorial or customize things? I've tested and an upload by bob ends up with bob's permissions.


----------



## Business_Woman (Apr 28, 2009)

Hi,

I think it is strange as well, I have done this before and it has always worked out nicely.


----------



## blue_addler (Jun 4, 2009)

*Local Etc is not here*

What if I don't have an etc folder on my local?
Please help, where can I have that...


----------



## tangram (Jun 4, 2009)

Did you follow the steps in the HOWTO?


----------



## DEViATIO (Nov 23, 2009)

*users with one shared directory*

Hi, can somebody write a small, fast step-by-step howto (I have read this tutorial but don't know how to set up rights for users and folders + shared folders for all users)? I am lost:

Perhaps something more difficult in this ftp server:



-> one shared upload folder for all users(can upload)
*delete (yes/no) (how to set up max MB ? )


->shared download folder (can download only)

->own folder to upload/download files (how to set max MB of the folder?)



*create admin user (he can do everything)


----------



## Kazuki (Jan 22, 2010)

Hi,

I have a problem.
I connect with my user, but I can't upload and download a file.
How to configure this right ?

Thanks


----------



## tangram (Jan 25, 2010)

What's exactly the problem? Logs, errors, configs would help troubleshooting.

Btw, did you follow the HOWTO and come across an issue, or is it just a generic Pure-FTPd problem? If it is Pure-FTPd related, better post in the appropriate forum section.


----------



## Orhe (May 3, 2010)

Hi,
I have some error messages. When pure-ftpd is starting: "Unable to find the 'ftp' account", and when I try to connect: "Unable to read the indexed puredb file...". Where did I go wrong?


----------



## tangram (May 3, 2010)

Did you follow the howto or deviate from it?


----------



## Orhe (May 3, 2010)

Yes, I followed all the instructions from the howto.


----------



## Orhe (May 3, 2010)

I created an ftp account and now it's OK for starting. But when I connect to the server I only get the message "Unable to read the indexed puredb file..."


----------



## tangram (May 4, 2010)

Run

```
ls -l /usr/local/etc/pureftpd.pdb
```

and post the output.

Btw, to create the ftp account did you use:

```
# pure-pw useradd randomnewuser -u vftp -g vftp -d /usr/home/vftp/randomnewuser
# pure-pw mkdb
```


----------



## Orhe (May 4, 2010)

For ls -l /usr/local/etc/pureftpd.pdb


```
-rw-------  1 root  wheel  2188 May  2 13:21 /usr/local/etc/pureftpd.pdb
```

I tried with your command and some others, but the message is the same.


----------



## tangram (May 4, 2010)

Can you post the output of `# cat /var/log/xferlog`?


----------



## Orhe (May 4, 2010)

For cat /var/log/xferlog all the messages are the same.


```
May  2 13:21:18  newsyslog[611]: logfile first created
May  2 13:24:23  pure-ftpd: (?@192.168.1.21) [INFO] New connection from 192.168.1.21
May  2 13:24:23  pure-ftpd: (?@192.168.1.21) [ERROR] Unable to read the indexed puredb file (or old format detected) - Try pure-pw mkdb
```


----------



## sforsendil (Aug 11, 2010)

hi

I installed pure-ftpd with MySQL on my Fedora 12.
I have the following value in my pure-ftpd.conf file


```
# Cage in every user in his home directory
ChrootEveryone yes
```

It created the user folders with permission 644.
But I need to change this to 775 at the time of creating the folder.


Any ideas?


----------



## sforsendil (Aug 11, 2010)

tangram said:

> If bob, john and peter are added to the vftp Pure-FTPd virtual user database.
> 
> A file upload by john will typically send the file to `/home/john/` and permissions such as:
> 
> ...



I need to change [ rw-r--r-- ] to [ rw-rw--r-- ]  at the time of creating the user's folder. 
Can anyone help me?


----------



## anigma (Oct 1, 2010)

How come I can't add users with root uid and gid? Can I somehow change that in the config file?


```
babylonia# pure-pw useradd alen -u alen -g alen -d /usr/home/alen
You must give (non-root) uid and gid
```


----------



## AntLaTech (May 5, 2011)

I have a few questions about pure-ftpd.
1. How can I hide the default directory files on the ftp server?
2. Do you know where I can find the commands to edit my ftp server?


----------



## andi79 (May 21, 2011)

Maybe it's time to connect Pure-FTPD with MySQL and forget about user rights!
http://thecoolserver.blogspot.com/2011/05/connect-pure-ftpd-with-mysql-and-manage.html


----------



## SB (Apr 25, 2012)

All good, worked just fine for me, but I have a question: how to set up a single user with two home directories?


----------



## Joseph Jones (Jun 23, 2015)

Hello
I installed FreeBSD 10.1 and started to set up Pure-FTPD, and I reached a point where I should add users by using the command `# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user` but when I press enter I got this message:

```
#pure-pw: Command not found
```
Please advise me where the problem is.
Thanks.


----------



## junovitch@ (Jun 24, 2015)

Joseph Jones said:


> Hello
> I installed FreeBSD 10.1 and started to set up Pure-FTPD, and I reached a point where I should add users by using the command `# pure-pw useradd user -u vftp -g vftp -d /usr/home/vftp/user` but when I press enter I got this message:
> 
> 
> ...



I did `pkg install pure-ftpd` followed by `which pure-pw` and found it is /usr/local/bin/pure-pw.  By any chance are you using non-standard shell settings that would exclude /usr/local/bin:/usr/local/sbin from PATH?  What does `echo $PATH` say?

EDIT: Just noticed the comment in your output.  The # just signifies you are at a root shell when you run those commands.  Don't use an explicit `#pure-pw`, use `pure-pw`.


----------



## wisdown (May 16, 2016)

After spending almost 48 hours trying to fix the same errors reported here in this thread, I come to share my findings so that people reading this in the future do not spend so much time searching for the solution.

People getting the error:


```
"Unable to find the 'ftp' account"
```

It is because you have uncommented AntiWarez without reading the requirements (it needs an ftp account). To fix it:


```
AntiWarez no
```

or


```
# AntiWarez yes
```

For people getting:


```
"ECONNREFUSED - Connection refused by server"
```

It is because you have enabled CallUploadScript (set to yes) and have not set it up. To fix it:


```
CallUploadScript no
```

or


```
# CallUploadScript yes
```

After setting up the upload script (for example, to use an antivirus) you can remove the comment tag (#) or change it to yes.

PS.: I know the thread is old, but is on the first page from Google if search for: freebsd pure-ftpd


----------



## vuckuola (Oct 23, 2018)

Dear All,

I want to ask about allowing a list of a few IPs in pure-ftpd.
/usr/local/etc/pure-ftpd.conf

```
# IP address/port to listen to (default=all IP addresses, port 21).

  Bind                         0.0.0.0,2134
#  Bind                        116.254.100.33, 2134
#  Bind                         116.254.100.33, 2134
```

Is this the right command?

*I'm new to the game


----------



## ShelLuser (Oct 23, 2018)

vuckuola said:


> is this the right command?


Impossible to say if you don't tell us what your intention is. Generally speaking: if you are not sure about a setting then just go with the default (note: what you're sharing is not the default on FreeBSD). Usually this means to leave the option commented out.


----------



## vuckuola (Oct 25, 2018)

ShelLuser said:


> Impossible to say if you don't tell us what your intention is. Generally speaking: if you are not sure about a setting then just go with the default (note: what you're sharing is not the default on FreeBSD). Usually this means to leave the option commented out.



Sorry for the late response. My intention is to only allow a few IPs of the routers. This FTP is for automatic router config backups, so only a few IPs (routers) are allowed to access, upload to, or download from the FTP server through pure-ftpd. Now how is the config on pure-ftpd set to only allow a few IPs?

Because I'm trying to edit the config, but it can't be done; it only allows 1 IP.
/usr/local/etc/pure-ftpd.conf

```
# IP address/port to listen to (default=all IP addresses, port 21).

Bind 116.x.x.12,2134
Bind 116.x.x.x13,2134
```


----------



## ShelLuser (Oct 25, 2018)

vuckuola said:


> my intention is to only allow few IP's of the routers. This FTP for auto config backup router, so only few IP (router) that allow to access, upload, or download from ftp server through pure-ftpd. Now how is the config on the pure-ftpd to only allowing few IP's?


That's not something you can (nor should) configure with pure-ftpd nor any other ftp server; set up a firewall instead and configure it to only allow access to port 21 from a few specific hosts. What you can configure with pure-ftpd is which user accounts are allowed to log on.

The Bind option you tried to use is only meant to actually bind ("assign") the ftp server to a specific IP address; this is only useful if your server has more than one IP address and you don't want the ftp server to be available on all those addresses. Simple example: usually the ftp server would be accessible on your public IP address as well as localhost (127.0.0.1), so setting Bind to 127.0.0.1 would make the server only accessible on the localhost.

Still: you don't even need pure-ftpd to set up an FTP server though. FreeBSD provides one in the base system, ready to use and it'll be a lot easier too. See this link for instructions.

As mentioned; blocking the server from remote hosts needs to be done with a firewall. FreeBSD provides three, so just set up the one you think is best, see this link for information on that. On a personal note I think you can't go wrong with PF. It's relatively easy to set up, well documented and the default firewall of OpenBSD.


----------



## vuckuola (Oct 29, 2018)

ShelLuser said:


> That's not something you can (nor should) configure with pure-ftpd nor any other ftp server; set up a firewall instead and configure it to only allow access to port 21 from a few specific hosts. What you can configure with pure-ftpd is which user accounts are allowed to log on.
> 
> The Bind option you tried to use is only meant to actually bind ("assign") the ftp server to a specific IP address; this is only useful if your server has more than one IP address and you don't want the ftp server to be available on all those addresses. Simple example: usually the ftp server would be accessible on your public IP address as well as localhost (127.0.0.1), so setting Bind to 127.0.0.1 would make the server only accessible on the localhost.
> 
> ...



Thank you so much, it explained everything sir. Which firewall do you think the best on FreeBSD? PF or IPFW?


----------



## SirDice (Oct 29, 2018)

vuckuola said:


> which firewall do you think the best on freebsd? PF or IPFW?


Why don't you try them both and see which one _you_ like?


----------



## fishfox (Jul 23, 2019)

wisdown said:


> After spending almost 48 hours trying to fix the same errors reported here in this thread, I come to share my findings so that people reading this in the future do not spend so much time searching for the solution.
> 
> People getting the error:
> 
> ...



Helped me with the "Unable to find the 'ftp' account" error, thanks.


----------

