FTP permissions question

I want to be able to create user FTP accounts that can only access their own and certain shared folders. However, even if I log in by FTP with only a guest account with very limited privileges, I can still see every folder on my computer, most of which I can open to view the files inside. I can even see the system files that are normally invisible to me when I am logged on as an admin to the computer itself!

How can I arrange it so that all unauthorised folders and files are invisible to outside users?

Dual 2.3Ghz PowerPC G5, Mac OS X (10.4.6), 1.5Gb DDR2 SDRAM

Posted on Apr 18, 2006 3:36 PM

23 replies

Apr 25, 2006 11:22 AM in response to lynnmonk

You need to set up NAT rules on your Linksys router for TCP ports 21 and 20.

I just left the pureftp app with its default setting and that worked on my LAN.

I used to run a Hotline server on my PC (in the days before I had a LAN) and it was a doddle to set up. I'd like to have something with similar capabilities on the Mac. I don't need the chat functions though.


Hotline started as a Mac server; it made it to the PC sometime later.

You can get Hotline server from the following URL:

http://www.tucows.com/preview/204033

In my opinion, if you want a server similar to Hotline that offers security such as encrypted file transfers, you should look into using a Wired server.

Apr 25, 2006 12:50 PM in response to lynnmonk

I have a small LAN of 3 PCs and the Mac. They are connected to the net through a Linksys ADSL gateway. I have set up the gateway so that only the Mac is visible to the outside World. It only allows one computer to be visible...
...I currently have the ports set to TCP 21. I obviously need these other settings you mention, but where, and in what, do I make these changes? Where do I find the firewall settings of PureFTPd? The settings page has "listens on port 21" and the passive port range is empty. Do I need to put 20 in the "from" & "to" fields?


If you go (again) through the link of PureFTPd firewall configuration, you'll notice that there are 2 scenarios:
1. My firewall is on the same computer as my FTP server
2. My FTP server is running on a dedicated machine behind a router / firewall (The example is for an AirPort BaseStation but the same applies for any device that provides firewall/NAT features)

For the moment let's leave only 1 firewall running:

  1. Your Linksys box provides Firewall&NAT options, so turn off the firewall on your Mac (at least temporarily. btw: what firewall do you run on your Mac? MacOS X's built-in?)

  2. Write down your External IP (either check your Linksys box or online: IPID, IPchicken etc)

  3. Log in to your Linksys box and go to the Port Forwarding (also called Port Mapping) configuration page (consult the manual if you never did this before)

  4. Enable (forward) ports 20, 21 etc to the internal IP of your Mac (I hope that you've set up your Mac's TCP/IP settings manually (No DHCP))


Give it a try now (It's better to give your external IP to a friend and let him/her try the FTP server, because due to NAT (and depending on how it is configured on your network) you won't be able to log in to the server's external IP from a computer inside your LAN).

I used to run a Hotline server on my PC (in the days before I had a LAN) and it was a doddle to set up. I'd like to have something with similar capabilities on the Mac. I don't need the chat functions though.


Yup! Hotline was the bomb back in the day. You can also try Wired (Free Server + Client) and KDX (not free, but one of the few robust client/server implementations out there)



Macs running 9.x, Macs running 10.4.x and SGI workstations running Irix 6.5.x



Apr 25, 2006 12:58 PM in response to Tim Haigh

Hi Tim

What is NAT? There is no mention of that in my Linksys settings.

I have enabled port 21 for FTP, and also tried adding port 20 but it made no difference. I've tried several combinations and still get the same response. I've reset the PureFTPd to default and still get the same response! I can connect to the mac but it's not responding, so I get a "Failed to receive response after connect" error.

I can still connect to the webserver directory ok through HTTP so I think the gateway must be OK.

Apr 26, 2006 2:38 PM in response to Tim Haigh

If you don't know what NAT is then you're still on the early part of your networking learning path.


I never said I was an expert! That's why I'm here asking for help. :o)

Thanks for the link. I now know what you're talking about, but my Linksys settings still don't call it a NAT.

Anyway, I've now got it working thanks to Fu's detailed advice. All that remains now is to get the DynDNS account to work on it so that I can link to my FTP from my website.

Thanks for all your help!

Apr 26, 2006 2:47 PM in response to fu

Hi fu

Thank you, thank you, thank you! It now works!

I have played around with the setting up of accounts and folders and it seems secure enough, apart from guests being able to delete the folder shortcuts I put in their folders. At least this way it doesn't delete the actual files, so even if someone was to be malicious, it only takes a couple of minutes to replace the shortcuts.

Just one more quick question...

I have a DynDNS account that is currently pointing to my webserver directory. Now that the FTP works, I won't need a website there. Is it easy to change the account so that it will work on the FTP address instead?

I would like to have a fixed name for the FTP site, but I have a dynamic IP. It would be nice to be able to link to it from my existing website.

Many thanks.

Apr 26, 2006 3:51 PM in response to lynnmonk

Hi lynnmonk,

Thank you, thank you, thank you! It now works!
I have played around with the setting up of accounts and folders and it seems secure enough, apart from guests being able to delete the folder shortcuts I put in their folders. At least this way it doesn't delete the actual files, so even if someone was to be malicious, it only takes a couple of minutes to replace the shortcuts.

Glad to hear you're up & running 😉

Go through a testing period, initially allowing access (and creating accounts) to people you trust and observe how your server behaves. You can build up several security measures as you get familiar with networking/servers 😉

I have a DynDNS account that is currently pointing to my webserver directory. Now that the FTP works, I won't need a website there. Is it easy to change the account so that it will work on the FTP address instead?
I would like to have a fixed name for the FTP site, but I have a dynamic IP. It would be nice to be able to link to it from my existing website.


Sure you can, quote from the Dynamic DNS How-To:
When you've got all this running, you need something to actually USE your hostname for! The possibilities are really endless. You could run an HTTP server (web server), an FTP server, a mail server, even a UNIX/Linux system offering all of the above and more. Getting the software to provide any of these services is your responsibility and decision. Once you have something running, simply tell people to connect to yourhost.dyndns.org on the correct port, and you'll be all set!


Many thanks.

Happy to help 🙂

Please mark your question as answered so other users can benefit from reading our discussion. Feel free to start new discussions for enhancing your server (or just about anything MacOS X networking) ;)


Macs running 9.x, Macs running 10.4.x and SGI workstations running Irix 6.5.x



Apr 27, 2006 8:39 AM in response to fu

Many thanks fu

You have been most helpful. I have a remote user testing the site for me as we speak.

I have now got the DynDNS working on my FTP. I read through the DynDNS documentation a few times before I realised that all I had to do was check the "wildcard" function! You see, it's simple stuff like this that people fail to explain properly in the documentation!

Anyway, I hope other people find this thread useful. My problem is now solved.

Many thanks to all who contributed to this thread.
