7 Replies Latest reply: Jul 11, 2013 8:55 PM by Topher Kessler
ap-photo Level 1 (0 points)

My FTP users can read files, but can't download them, nor can they upload, even when all permissions are set to Read, Write, Execute. Many of them receive error-500. I can't find the source of the issue... could this be it?

I am using PureFTPd Manager to manage users and permissions. Running OSX 10.8.4.

Many thanks.


OS X Mountain Lion (10.8.3)
  • Topher Kessler Level 6 (9,790 points)

    Admins can be members of the staff group. The only thing that differs from standard accounts is that admin accounts are members of the "admin" group. Being a member of both admin and staff should not affect a thing, and is in fact the default behavior. All accounts are members of "staff," with admins simply being additionally members of the "admin" group. What is the permissions setup of your FTP directory?

  • ap-photo Level 1 (0 points)

    FTP directory is as follows: MacHD/users/ftp/VirtualUsers

    The FTP directory is Read & Write, as are all the subfolders.

    When users attempt downloads, the error reads:

    FTP Error: Download Failed

    500 I won't open a connection to 192.168.x.x (only to 50.53.xxx.xx)

  • Topher Kessler Level 6 (9,790 points)

    What address are users using to contact your FTP server, and are they doing so from the local network, or from outside of a firewall/router?

    If the server is intended to be private then don't post the address here, but rather I am wondering if it's a private LAN address such as 192.168.1.5, or a publicly accessible one. Additionally, are you using the default ports or requiring a custom port be used?

  • ap-photo Level 1 (0 points)

    Users are accessing my FTP outside my local network through my IP address, which is behind a router (ports forwarded already)

  • Topher Kessler Level 6 (9,790 points)

    Being third-party server software, if your port and address setup is done correctly, then it's going to be some configuration issue with the software. You can try contacting the PureFTPd developers to see what options they suggest, but this server daemon is separate from Apple's supplied options.

    If you enable Remote Access then you will enable access via sftp, which is an encrypted and secure FTP service built into OS X and interfaces with the OS X accounts directory so you can give access to local user accounts instead of maintaining a separate authorization list. This is just another option that perhaps might be useful for what you are doing. Alternatively, you can enable the classic FTP server in OS X to do a similar thing, but this will not be as secure of an implementation.

  • ap-photo Level 1 (0 points)

    Topher, thanks so much for your help here.

    The reason I chose to use PureFTP is because when I set up the user for the SFTP through OSX, the users could read all of the files, for every user. I don't mind using the SFTP method through OSX, but how can I set permissions so users can only view and navigate their own directory?

  • Topher Kessler Level 6 (9,790 points)

    With sftp the system should observe standard filesystem permissions for all directories, meaning that it should behave with the same restrictions as if the user is logged on. If the users can see folders you would not like them to, then get information on the folder and set the permissions so that user does not have access.

    By default, the system will permit access to the root of a user's home folder, but not allow access to the Documents, Movies, Music, and other folders within the user's directory. These are the private resources in the system, whereas most others will at least be readable.

    If you want more than this default behavior, then you will need to customize the ssh configuration files to add various directives for users and groups to further limit access. If you are familiar with the Terminal then you can edit and test the configuration; just be sure you back up configuration files before editing them.
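
The ssh configuration directives mentioned in the last reply, shown as an added example that is not part of the thread: the script prints an sshd_config `Match` block that restricts a group to chrooted sftp, and checks the rule sshd enforces on `ChrootDirectory` (every path component owned by root and not group- or world-writable). The group `sftponly` and the base directory `/Users/sftp` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. "sftponly" and /Users/sftp are hypothetical names.

# Print an sshd_config block confining members of GROUP to BASE/<username>.
sftp_match_block() {
    group=$1 base=$2
    cat <<EOF
Match Group $group
    ChrootDirectory $base/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# A path component passes only if owned by uid 0 and not group/other writable.
# $1 = mode string from `ls -ldn` (e.g. drwxr-xr-x), $2 = numeric owner uid.
component_ok() {
    [ "$2" = "0" ] || return 1
    gw=$(printf '%s' "$1" | cut -c6)
    ow=$(printf '%s' "$1" | cut -c9)
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# Walk from DIR up to /; sshd rejects the session if any component fails.
chroot_path_ok() {
    p=$1
    case $p in /*) ;; *) echo "need an absolute path: $p" >&2; return 1 ;; esac
    while :; do
        [ -d "$p" ] || { echo "not a directory: $p" >&2; return 1; }
        info=$(ls -ldn "$p" | awk '{print $1 " " $3}')
        component_ok "${info% *}" "${info#* }" ||
            { echo "bad ownership or mode: $p" >&2; return 1; }
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Show the block for the hypothetical group and base directory.
sftp_match_block sftponly /Users/sftp
```

Append the printed block to the end of a backed-up sshd_config and validate it with `sshd -t` before reloading the service. Because the chroot directory itself must be root-owned, each user needs a subdirectory inside it that they own for uploads.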