2390 Views 13 Replies Latest reply: Nov 15, 2007 9:23 PM by WhoLikesBread
You can add users in the Accounts pane of System Preferences and that information will be used to allow people to ftp to your machine. There are some alternatives that will allow you to add users to the bsd flat files so they do not also show up as normal users, but this might be a bit complicated for your purposes as it involves Terminal usage and some minor modifications in Directory Utility.
Thanks for writing in - Actually, quite honestly I would prefer the Terminal/Directory method of adding users & defining their home directories for FTP purposes than adding them in Accounts.
I'm not an expert in Terminal and User services, but I'm not that challenged as well.
Can you possibly put me in the right direction and give me some pointers as to how I can add/modify these FTP users using Terminal/Directory?
It's not really that difficult, but I just wanted to gauge your experience. First step is to open /Applications/utilities/Directory Utility and click on the Search Policy tab. Check and see if /BSD/Local is listed in the Directory Domains; this will allow people to authenticate using the /etc/master.passwd file in addition to the local open directory.
One thing to keep in mind before we go the flat file route; you can add users into the local open directory that don't have a home folder and don't show up in the login screen. This has become much easier in 10.5 due to the advanced settings available in System Preferences. Go to Accounts, then unlock the prefs pane, then right click on an account and you can edit the UID, GID, and home directory path as well as other details. I would suggest going this route. If you make the UID less than 500 the accounts won't show up in the GUI (like login screen or fast user switching menu). Set the UID below 500 and possibly create an ftp group to use with these accounts; change the home dir to a folder in the ftp server and change the login shell...you should be good to go at that point.
Back to the BSD flat files, you can edit the master.passwd file to add users like this:
Check man on master.passwd for details on what each field is for. I set the shell for ftp only user as /sbin/nologin so they cannot login any way except for ftp. Keep in mind that FTP is very insecure and you may want to consider using SFTP (which I believe is built in). I'm not really up to speed with the ftp server included with Mac OS X, so I'm not a good resource for securing that. But I can help you add users. I also suggest going the Open Directory route rather than the flat file route now that the advanced settings are available. Let me know what needs more explanation.
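As an added example (not part of the original post or of anyone's reply in this thread), one way to audit flat-file entries of the kind described above: it checks each FTP-only line for the ten-field master.passwd layout, a non-empty password field, a UID below 500 and the /sbin/nologin shell. The function names, the sample accounts and the convention that FTP-only accounts have a home directory under /var/ftp/ are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. master.passwd field order per passwd(5):
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Constructed sample entries (account names and hash placeholder are made up).
sample_entries() {
    cat <<'EOF'
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
ftpalice:CONSTRUCTED-HASH:499:20::0:0:FTP only:/var/ftp/alice:/sbin/nologin
ftpbob:CONSTRUCTED-HASH:501:20::0:0:FTP only:/var/ftp/bob:/bin/bash
ftpcarol::498:20::0:0:FTP only:/var/ftp/carol:/sbin/nologin
ftpdave:CONSTRUCTED-HASH:497:20:0:0:FTP only:/var/ftp/dave:/sbin/nologin
EOF
}

# Reads master.passwd-format lines on stdin; $1 is the home-directory prefix
# that marks an account as FTP-only (assumption: /var/ftp/).
audit_ftp_users() {
    awk -F: -v root="$1" '
        /^#/ || NF == 0 { next }                 # skip comments and blank lines
        NF != 10 { printf "%s: expected 10 fields, got %d\n", $1, NF; next }
        index($9, root) != 1 { next }            # home not under the FTP root
        $2 == "" { printf "%s: empty password field\n", $1 }
        $3 !~ /^[0-9]+$/ { printf "%s: uid is not numeric\n", $1; next }
        $3 == 0 { printf "%s: uid 0 on an FTP-only account\n", $1 }
        $3 >= 500 { printf "%s: uid %s is not below 500\n", $1, $3 }
        $10 != "/sbin/nologin" { printf "%s: shell %s is not /sbin/nologin\n", $1, $10 }
    '
}

# Print findings for the constructed sample; ftpalice is the clean entry.
sample_entries | audit_ftp_users /var/ftp/
```

To run it against a real file, pipe a copy of the file into `audit_ftp_users` with the FTP root you actually use.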
Thanks again for your detailed response.
I think I did lose you somewhere following your instructions. I too personally would like to take the Directory/Account route rather than the BSD flat file - but I think I got a little confused as to the instructions.
I did confirm that /BSD/Local appears listed in the Search Policy tab in /Applications/utilities/Directory Utility.
When I go into System Preferences->Accounts ... let's say I want to add a User. I click the "+". In the New Account window, I get the following options:
Managed with Parental Controls
I have a notion I should select "Sharing Only" but I could be wrong. What would you suggest I use for an FTP Only user who doesn't need a Home Folder and shouldn't appear in the Login Screen?
Next, Name I'm assuming should be the Login Username.
Short Name, Password, Verify & Password Hint are all self-explanatory.
Once the account is set, I can Right-Click and go into "Advanced" to set further options like UID, GID, Home Directory path etc.
UID, as you stated, should be less than 500, so I can probably assign 499 and under.
GID - does this need to be the FTP Group ID? If yes, how do I find out what's the GID for FTP on my Mac?
Home Directory - will this be the directory accessible for this user when he logs on to his FTP Account?
Would love to get answers to these.
I did look up master.passwd and honestly, it doesn't sound too difficult either. I got most of the options pretty clear, except two. GID - again, I think I need to specify the FTP GID and I don't know what it is. And secondly, it mentions that the password has to be "encrypted". Not sure how to do that either.
Anyhow, I would really appreciate any help you can provide with just the Directory/Account route.
Sorry I didn't realize they added all of those options for adding accounts to 10.5! That makes it even easier. I would use the "Sharing Only" account as you thought. Looks like the UID doesn't matter as this account type is not shown in the GUI anywhere. The only thing you will have to change is the home directory path to somewhere you can secure with a chroot jail or something (on my ftp server I have their home set to /var/ftp/). I was looking for the ftp server on 10.5, but I can't find it...nor is there a service listed in Sharing for it. So I'm confused about that. The GID doesn't necessarily have to be the ftp group, but you could create a ftp group or a group for shared users. You could also leave it as 20, just set the permissions on the home folder to be available to these ftp users.
Again, ftp is very insecure and you should be very careful when setting up a ftp server. I referenced the Practical Unix & Internet Security book by Simson Garfinkel, Gene Spafford, Alan Schwartz for some great tips on setting up a "secure" ftp server.
I followed the steps, set the UID to 499 and GID to 20, set the home directory and looks like everything else was all set as well - However, I'm not able to get FTP Access for this User I created. Not sure what the problem is.
I put in the IP, User & Pass for this User and all I get is "No FTP Access for this User" in one of the FTP Clients.
I'm not sure what I'm doing wrong.
No reason to change the UID for this user as I stated above, try changing it back to what it was before and try again. Also, make sure the home folder exists, I don't think it will be created for you. Check the permissions on it as well.
Can you verify that FTP is working by using a regular account to connect?
I think that's one of my own biggest questions. I don't even know "which" FTP server has been bundled in as built-in with Mac OS X 10.5, let alone knowing the path to and any configuration files associated with it. Unfortunately, none of my Google searches for any information on it have yielded any result. I'm at a loss for this question.
All I did was turn on the "File Sharing" option with FTP checked under Advanced Options in System Preferences->Sharing which turns on the FTP Server. Once I did that, my standard Mac OS X User had FTP access.
Thanks for showing me how to turn it on! I missed the options button. It looks like you will have to get the users added to the pane in the options and allow them to connect. However, Sharing Only accounts don't show up in there, so I am confused about that. I'm not sure accounts in the bsd files will show up either, so we need to figure out where the SACLs (Service Access Control Lists) live for file sharing. I'll keep looking.