# ftpd



## xer (May 11, 2009)

hello to any1

just asking if ftpd service on FreeBSD has a config file

i use it a lot, it is a good service, but, if i need to "limit" users to browse just on ~ (home dir) i cannot find a solution 'cause i dunno if does exist a config file for the ftpd service 

(as for example proftpd does)

any help please?
xer


----------



## SirDice (May 11, 2009)

xer said:
			
		

> just asking if ftpd service on FreeBSD has a config file
> 
> i use it a lot, it is a good service, but, if i need to "limit" users to browse just on ~ (home dir) i cannot find a solution 'cause i dunno if does exist a config file for the ftpd service
> 
> (as for example proftpd does)



Nope, see ftpd(8).


----------



## xer (May 11, 2009)

SirDice said:
			
		

> Nope, see ftpd(8).



jeez i knew.. i thought was a forgotten feature.
pity
thanx a lot
xer


----------



## anomie (May 11, 2009)

xer said:
			
		

> ... i need to "limit" users to browse just on ~ (home dir)...



You may have already discovered this in the manpages, but all you need to do is add the user to be chrooted to /etc/ftpchroot.


----------



## xer (May 11, 2009)

anomie said:
			
		

> You may have already discovered this in the manpages, but all you need to do is add the user to be chrooted to /etc/ftpchroot.



oh, yes, thank you for reminding me and for leaving a trace on the forum, i did read it and i also did some configurations about it, it works very well!

but i thought that there were some other features, such as virtual users and so on.. that's why i asked whether an ftpd.config exists

anyway it is a good service too, i use it a lot :e
thanx


----------



## xer (May 11, 2009)

xer said:
			
		

> oh, yes, thank you for reminding me and for leaving a trace on the forum, i did read it and i also did some configurations about it, it works very well!
> 
> but i thought that there were some other features, such as virtual users and so on.. that's why i asked whether an ftpd.config exists
> 
> ...


but... ftpd.conf does exist!

i found this:
http://www.freebsd.org/cgi/man.cgi?query=ftpd.conf&sektion=5&apropos=0&manpath=FreeBSD+7.2-RELEASE

but no examples on shares.... that's what i was looking for..
i have a 7.1, i'm going to do a freebsd-update to see if share will be updated


----------



## xer (May 11, 2009)

xer said:
			
		

> but... ftpd.conf does exist!
> 
> i found this:
> http://www.freebsd.org/cgi/man.cgi?query=ftpd.conf&sektion=5&apropos=0&manpath=FreeBSD+7.2-RELEASE
> ...



aw.. men.. this is totally absurd 
http://www.nabble.com/docs-133468:-...pd.conf,-which-does-not-exist-td22935157.html

how is this possible?
where can i find an example of it?
i don't wanna use NETBSD version ... :-(


----------



## DutchDaemon (May 11, 2009)

ftpd.conf(5)?


----------



## xer (May 12, 2009)

DutchDaemon said:
			
		

> ftpd.conf(5)?



yes, that is what i found, i wonder why there are no examples about it, so, i made one of them using man (5) but for a newbie?

i'm still wondering why even for latest 7.2-RELEASE this bug is still present...


----------



## edhunter (May 12, 2009)

I had issues before with the default ftpd (/usr/libexec/ftpd), it doesn't respect ftpd.conf
http://www.freebsd.org/cgi/query-pr.cgi?pr=i386/128225

So in the base there is another ftpd daemon - lukemftpd (netbsd ftp server daemon) it respects all conf files - ftpd.conf, ftpchroot, ftpusers, login.conf, also in homedir .login_conf

I use it instead of default ftpd and so far I haven't had any problems with it.


----------



## xer (May 12, 2009)

edhunter said:
			
		

> I had issues before with the default ftpd (/usr/libexec/ftpd), it doesn't respect ftpd.conf
> http://www.freebsd.org/cgi/query-pr.cgi?pr=i386/128225
> 
> So in the base there is another ftpd daemon - lukemftpd (netbsd ftp server daemon) it respects all conf files - ftpd.conf, ftpchroot, ftpusers, login.conf, also in homedir .login_conf
> ...



mmm... i'd like to use a "base" service, proftpd works very well but_is_not_freebsd_base

i'd like to use bandwidth control, so.. if ftpd does not "see" ftpd.conf.. this is a pity
anyway, instead of ftpd, better to use pureftp or proftp...
but i still hope that ftpd will be revised soon.
thank you
xer


----------



## edhunter (May 12, 2009)

I was about to use proftpd, because it is very "configurable", but a friend of mine with better skills advised me - better not use proftp, because of some security issues (I think they are already fixed). He told me about pure-ftpd and on one of my machines I tried it - it's good - it has bandwidth throttling and chrooting (little tricky).


----------



## Nokobon (Jun 24, 2009)

Hello,
I know the thread is old but I got a similar problem with ftpd.

Is there still really no way ftpd can use the ftpd.conf-file?

My problem is, that I want to chroot ftp users to a specific directory, e.g. to a subdirectory of his home directory.
I know about the ftpchroot-file and used it so far, but it only restricts the user to his home directory.
So i tried to use ftpd.conf with the following entry:

```
chroot all /%d/ftp
```

So as I can't use ftpd.conf to chroot a user like this, is there any other way with ftpd?


----------



## xer (Jun 24, 2009)

well, my answer is VERY "quick" so take it under your responsibility ;-)

if you want to chroot a FTP you can change the path in /etc/passwd
as follows:

```
xer:*:1001:0:xer:/YOUR_PATH_HERE:/bin/sh
```

and yes, as far as i'm concerned, i think that the best way is to use "pure_ftp", even for better "virtual users"

or, as you can see in this thread, you can use /etc/ftpchroot
http://forums.freebsd.org/showpost.php?p=23271&postcount=5

hope it helps


----------



## Nokobon (Jun 25, 2009)

Thanks for your quick suggestions.



			
xer said:

> if you want to chroot a FTP you can change the path in /etc/passwd
> as follows:
> 
> ```
> xer:*:1001:0:xer:/YOUR_PATH_HERE:/bin/sh
> ```


So, you mean I just should change the users home directory to the desired directory and chroot the user with ftpchroot to it?
Well that's possible but not optimal I think.
The reason I wanted to restrict the ftp user to another directory unlike the actual home directory is that I don't want him to see all these configuration files.
Or does a chrooted directory have to contain files like .cshrc or is it possible to use a completely empty folder?


----------



## DutchDaemon (Jun 25, 2009)

Nokobon said:
			
		

> So i tried to use ftpd.conf with the following entry:
> 
> ```
> chroot all /%d/ftp
> ```



Could you try

```
%d/ftp
```
instead?


----------



## Nokobon (Jun 25, 2009)

DutchDaemon said:
			
		

> Could you try
> 
> ```
> %d/ftp
> ```
> ...


I already tried that before.
But the ftpd daemon does not respect ftpd.conf.

Nevertheless thanks for your suggestion...


----------



## DutchDaemon (Jun 25, 2009)

You do know this?


```
/etc/ftpchroot
     The file /etc/ftpchroot is used to determine which users will have their
     session's root directory changed (using chroot(2)), either to the direc-
     tory specified in the ftpd.conf(5) chroot directive (if set), or to the
     home directory of the user.  If the file does not exist, the root direc-
     tory change is not performed.
```


----------



## Nokobon (Jun 25, 2009)

Yes, I know...
As I said I use ftpchroot so far.

But it does not respect ftpd.conf and with ftpchroot alone it's only possible to restrict the user to its home directory, not to an arbitrary folder.


----------



## xer (Jun 25, 2009)

Nokobon said:
			
		

> Yes, I know...
> As I said I use ftpchroot so far.
> 
> But it does not respect ftpd.conf and with ftpchroot alone it's only possible to restrict the user to its home directory, not to an arbitrary folder.



I totally disagree with what you wrote, sorry.
Did you make some tests?

Well, i'll do it for you.
Let's talk about FreeBSD 7.1-RELEASE

```
labs# cat /etc/passwd
(cutted text)
xer:*:1001:0:'xer':/home/xer:/bin/sh
```
as you can see, i just left passwd with home dir


```
labs# cat /etc/ftpchroot
xer /usr/home/xer/bubu
```
As you can see, i did restrict the user "xer" to see JUST
the "bubu" dir inside his home dir and with nothing inside.

Let's try a test with what you want, a DIR not inside HOME


```
labs# pwd
/
labs# mkdir bubu
labs# cd /bubu
labs# pwd
/bubu
labs# touch for_my_friend
labs# ls -la
total 4
drwxr-xr-x   2 root  wheel  512 Jun 25 14:46 .
drwxr-xr-x  20 root  wheel  512 Jun 25 14:46 ..
-rw-r--r--   1 root  wheel    0 Jun 25 14:48 for_my_friend
labs# cd ..
labs# ee /etc/ftpchroot
(make the right modifications, for example "xer /bubu/")
so "USER" "dir_chrooted"

labs# cat /etc/ftpchroot
xer /bubu
```

As you can see dir "bubu" is on main root and not inside
home dir

Try to make an ftp connection you can see just that dir and
home dir is untouched:

```
User: xer
331 Password required for xer.
Password:
230 User xer logged in, access restrictions apply.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 4
drwxr-xr-x  2 0  0  512 Jun 25 14:46 .
drwxr-xr-x  2 0  0  512 Jun 25 14:46 ..
-rw-r--r--  1 0  0    0 Jun 25 14:48 for_my_friend
226 Transfer complete.
ftp: 142 bytes received in 0,00secons 142000,00Kbyte/sec)
ftp>
```
As you can see it shows the "content" of /bubu and not of /usr/home/xer/bubu

Does this look like a reasonable solution?
I think yes, it works.


I suggest you to make some good tests, if you need some help any more, ask again.
xer


----------



## DutchDaemon (Jun 25, 2009)

xer said:
			
		

> ```
> labs# cat /etc/ftpchroot
> xer /usr/home/xer/bubu
> ```



Where did you get this from? It's not documented anywhere, as far as I can see.


----------



## xer (Jun 25, 2009)

DutchDaemon said:
			
		

> Where did you get this from? It's not documented anywhere, as far as I can see.



What? About bubu?
 joking..

well, i started this thread, so i went around and around on google and i found this:

http://leaf.dragonflybsd.org/cgi/web-man?command=ftpchroot&section=5

it works, dragonfly is freebsd!

ftpd.conf as you know, it is impossible to get on FreeBSD, also i did find it on a OpenBSD CVS, but it is not fully working.

Anyway, it seems that "ftpd" on freebsd has been abandoned, so far ftpd.conf, so i use pure ftpd (on a production machine)


----------



## DutchDaemon (Jun 25, 2009)

Well, it sucks to high heaven that this isn't documented in ftpchroot(5) on FreeBSD. Would have saved a lot of people a lot of trouble. *If* it works for *standard FreeBSD ftp*, that is.

And I'm happy to say that it works (for /usr/libexec/ftpd). Quite an oversight for a FreeBSD man page!


----------



## DutchDaemon (Jun 25, 2009)

Well, this is interesting! There is a correct man file for ftpchroot, but it's only in the source tree...

`man /usr/src/libexec/ftpd/ftpchroot.5` (it's *six* years old!)

I tracked it down thanks to a PR filed back in 2006! I've filed another PR, linking the problem in this thread (and its solution) and the old PR. Hope the abominable documentation for ftpd will be revised from scratch soon.

P.S., there's also `man /usr/src/libexec/ftpd/ftpd.8`. Haven't checked it against ftpd(8).


----------



## xer (Jun 25, 2009)

from:
http://www.freebsd.org/cgi/man.cgi?query=ftpchroot&sektion=5&apropos=0&manpath=FreeBSD+7.2-RELEASE

this part explain a little bit:

```
/etc/ftpchroot
     The file /etc/ftpchroot is used to determine which users will have their
     session's root directory changed (using chroot(2)), either to the direc-
     tory specified in the ftpd.conf(5) chroot directive (if set), or to the
     home directory of the user.  If the file does not exist, the root direc-
     tory change is not performed.

     The syntax is similar to ftpusers, except that the class argument is
     ignored.  If there's a positive match, the session's root directory is
     changed.  No further comparisons are attempted after the first successful
     match.  This syntax is backward-compatible with the old syntax.
```

but it's a little bit.. it does not explain too much

better dragonfly..
i wonder why, FreeBSD FTP server service is not expanded...
i think that will be a good service more usable..

why i must install pureftpd or proftpd?
btw, i use pure 'cause i don't trust inetd/ftpd service that came with FreeBSD... :r


----------



## DutchDaemon (Jun 25, 2009)

There's absolutely no mention whatsoever of the second field in /etc/ftpchroot being used as the new chroot directory.


----------



## Nokobon (Jun 25, 2009)

xer said:
			
		

> Is the man-page going to be revised?





			
DutchDaemon said:

> I don't know, all I can do is report the problem (again ..).



(Sorry, managed to confuse edit and quote buttons again ... says DutchDaemon ..)


----------



## xer (Jun 25, 2009)

Nokobon said:
			
		

> so I thought I have to use the chroot option in ftpd.conf, which did not work.



Nokobon, just a question, where did you get ftpd.conf? If i'm not in error, this file DOESN'T come with FreeBSD installation...

Am I in error?


----------



## xer (Jun 25, 2009)

DutchDaemon said:
			
		

> There's absolutely no mention whatsoever of the second field in /etc/ftpchroot being used as the new chroot directory.



Yes.. they wrote.. here:

---
The syntax is similar to ftpusers, except that the class argumen...
...

It's very clear.. :r
Maybe just ONLY for them!


----------



## DutchDaemon (Jun 25, 2009)

That is not the same ... because ftpusers has nothing in the second field like a path or a directory; just class and directives stuff.


----------



## DutchDaemon (Jun 25, 2009)

xer said:
			
		

> Nokobon, just a question, where did you get ftpd.conf? If i'm not in error, this file DOESN'T come with FreeBSD installation...
> 
> Am I in error?



There's a man file for it. Note: ftpusers and ftpchroot are also not installed by default, but there are man files for them in the base system, which leads to people installing them and using them according to the man file. And then everything starts to fall apart.


----------



## vivek (Jun 25, 2009)

{pure/vs/pro}ftpd all have virtual user support. No need to create system user account. Personally, I prefer vsftpd. It has an amazing set of features and it is a really secure and fast ftp server. Turn on SSL and you are good to go. It also supports throttling, IP limiting, virtual ftp hosting and much more.


----------



## xer (Jun 25, 2009)

vivek said:
			
		

> {pure/vs/pro}ftpd all have virtual user support. No need to create system user account. Personally, I prefer vsftpd. It has an amazing set of features and it is a really secure and fast ftp server. Turn on SSL and you are good to go. It also supports throttling, IP limiting, virtual ftp hosting and much more.



yep! you got it, i like to manage quote too ;-)

again: i wonder why FreeBSD staff did not expand native ftpd...


----------



## Nokobon (Jun 25, 2009)

Nokobon said:
			
		

> I don't know, all I can do is report the problem (again ..).



Sorry, but I'm a bit confused now...
Why is my original post deleted and why is there a quote of xer that I originally wrote in that deleted post?
DutchDaemon, did you do that?


----------



## xer (Jun 25, 2009)

we are going OT, aren't we?


----------



## DutchDaemon (Jun 25, 2009)

@Nokobon. sorry, even though the Edit button is now red, I still manage to use it instead of the Quote button sometimes.


----------



## Nokobon (Jun 25, 2009)

DutchDaemon said:
			
		

> @Nokobon. sorry, even though the Edit button is now red, I still manage to use it instead of the Quote button sometimes.


Oh, okay...
So I'll try to remember what I wrote in that post:
I said that as in the man-page the option to give a specific dir to ftpchroot isn't mentioned, I thought I have to use ftpd.conf...

Thank you, xer!



			
vivek said:

> {pure/vs/pro}ftpd all have virtual user support. No need to create system user account. Personally, I prefer vsftpd. It has an amazing set of features and it is a really secure and fast ftp server. Turn on SSL and you are good to go. It also supports throttling, IP limiting, virtual ftp hosting and much more.


So the standard FreeBSD ftpd is the only one where you have to create system user accounts?
I just use it because in "Absolute FreeBSD" it's the only ftp-daemon that is mentioned, but maybe I should use pure ftp or one of the others...



			
xer said:

> Nokobon, just a question, where did you get ftpd.conf? If i'm not in error, this file DOESN'T come with FreeBSD installation...
> 
> Am I in error?



I read in the manual pages about ftpd.conf and its possibility to chroot a user to an arbitrary directory.
And since the file wasn't at the expected place I created it...


Well I'm not completely happy with the solution with ftpchroot.
Although I can change the root directory with it, I can't use variables like %d.
I tried to chroot a whole group with

```
@ftpusers %d/ftp
```
but that does not work, so it's not an entire alternative to the (theoretical) possibility in ftpd.conf...


----------



## DutchDaemon (Jun 25, 2009)

I don't know if it works, but you could try using $HOME/ftp.


----------



## Nokobon (Jun 25, 2009)

DutchDaemon said:
			
		

> I don't know if it works, but you could try using $HOME/ftp.



Nope...doesn't work.


----------



## vivek (Jun 26, 2009)

Nokobon said:
			
		

> So the standard FreeBSD ftpd is the only one where you have to create system user accounts?
> I just use it because in "Absolute FreeBSD" it's the only ftp-daemon that is mentioned, but maybe I should use pure ftp or one of the others...


I guess it is a bit outdated and maybe overrated book. The best place to get more info is this forum or mailing list about any good server. Most UNIX experienced sys admins and freebsd developers hang out there.

HTH


----------



## Nokobon (Jun 26, 2009)

Yes, sure...on the forums I learn very much.
But I think Absolute FreeBSD is a great resource for beginners, too.
Maybe without that book I would have given up early...

Nevertheless I'll see If I could get another ftp-daemon soon


----------



## DutchDaemon (Jun 26, 2009)

Nokobon said:
			
		

> Nope...doesn't work.



Well, then I guess you'll have to script it 


```
grep /home /etc/passwd | awk -F: '{print $1"   "$6"/ftp"}' > /etc/ftpchroot
```


----------



## Nokobon (Jun 26, 2009)

Well, okay. Thanks for your advice...
But I think I'm going to use Pure-FTP now.


----------
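
The two-field /etc/ftpchroot entries tested in this thread and the passwd-driven generator posted near the end, reworked as an added example (not code from any post in the thread): it selects accounts by the home-directory field, lists accounts that have no entry of their own, and replaces the file only after a complete, non-empty list has been built. The function names, the scratch paths and the sample accounts (including user `noko`) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample data below is constructed.

# gen_ftpchroot PASSWD SUBDIR
# Print "user<TAB>home/SUBDIR" for accounts whose home field (6) is
# /home/<name> or /usr/home/<name>. Testing the field itself ignores
# "/home" appearing in GECOS text or shell paths.
gen_ftpchroot() {
    awk -F: -v dir="$2" '
        /^#/ || NF < 7 { next }                 # comments, malformed lines
        $6 ~ "^/(usr/)?home/[^/]+/?$" {
            home = $6; sub("/$", "", home)      # drop a trailing slash
            printf "%s\t%s/%s\n", $1, home, dir
        }' "$1"
}

# unlisted_users PASSWD FTPCHROOT
# Print the accounts selected above that have no line of their own in
# FTPCHROOT. "@group" lines are not expanded, so review those by hand.
unlisted_users() {
    gen_ftpchroot "$1" x | cut -f1 | while read -r u; do
        awk -v u="$u" '$1 == u { hit = 1 } END { exit !hit }' "$2" || echo "$u"
    done
}

# install_ftpchroot PASSWD SUBDIR TARGET
# Build the list in a temp file beside TARGET and rename it into place, so a
# failed or empty run never truncates the live file.
install_ftpchroot() {
    tmp=$(mktemp "$3.XXXXXX") || return 1
    if gen_ftpchroot "$1" "$2" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv "$tmp" "$3"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed passwd sample: "www" mentions /home only in its GECOS field.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:Owner of /home pages:/nonexistent:/usr/sbin/nologin
xer:*:1001:0:xer:/home/xer:/bin/sh
noko:*:1002:1002:Nokobon:/usr/home/noko:/bin/tcsh
EOF
}

# Dry run in a scratch directory; nothing under /etc is touched.
work=$(mktemp -d)
make_sample_passwd "$work/passwd"
printf 'xer /bubu\n' > "$work/ftpchroot"
unlisted_users "$work/passwd" "$work/ftpchroot"
install_ftpchroot "$work/passwd" ftp "$work/ftpchroot" && cat "$work/ftpchroot"
rm -rf "$work"
```

On a real host the call would be `install_ftpchroot /etc/passwd ftp /etc/ftpchroot`, run as root after the per-user `ftp` directories exist.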

