Muscle Up Your Mac FTP
by Glenn Fleishman
Editor's Note: This article is an excerpt adapted for the Mac DevCenter from the latest revision of Glenn Fleishman's Take Control of Sharing Files in Panther, a $10 eBook from the Take Control series.
The built-in FTP software in both Mac OS X releases (Jaguar and Panther) is an Apple-modified version of FTP software that works fine with other Unix and Linux variants. Unfortunately, when Apple modified the code so that it worked with their particular idea of how FTP should function with Mac OS X users and accounts, they introduced a number of problems.
For instance, it works well for one purpose only: user logins and guest access to specific user folders for uploading and downloading. If you want to set up a secure and configurable FTP server for any other purpose, you will likely run into trouble. The fact that it's difficult to turn guest FTP service off shows how little effort Apple put into making FTP a robust part of Mac OS X; they just put it in because it was available.
Another good point: Security Update 2004-09-07 broke Apple's built-in FTP software because the included FTP server was misconfigured. Apple fixed the problem in a security update a few weeks later, but the fact that the component was tested so minimally (if at all) shows how little attention Apple is paying to FTP.
In light of these problems, I recommend that you avoid Apple's built-in FTP server software. (Note: To turn off Apple's built-in FTP server, open the Sharing pane in System Preferences. Click the Services tab and uncheck FTP Access.)
Let me tell you about a much, much better and vastly easier and safer way to operate FTP on the Mac. You need Pure-FTPd, a free, sophisticated, and superb package that's a bear to configure by hand. Fortunately, you can use PureFTPd Manager, by Jean-Matthieu Schaffhauser, to help with configuration. PureFTPd Manager provides not only a graphical user interface to this free FTP server software, but also a fully compiled and configured version of Pure-FTPd. PureFTPd Manager works under Mac OS X 10.2 and 10.3.
Install PureFTPd Manager
Download PureFTPd Manager and follow its installation directions. If you are running Mac OS X 10.2, follow the instructions in the Read Me section of the installer for version 10.2.
(PureFTPd Manager is a remarkable piece of freeware. The author asks for donations, and after using his software for an hour, I donated €15, or about $20. I encourage you to do the same if you become a regular user--or addict, as I have.)
Configure PureFTPd Manager
When you launch PureFTPd Manager for the first time, it prompts you for your administrative password because its Setup Assistant will change some directories and needs the password to carry out those operations. After you log in, the Setup Assistant appears. As you work through the Setup Assistant, if you have specific knowledge of Unix user and group permissions, you might modify some of these settings. However, the defaults are quite good, and you should stick with them unless you know what you are doing or I instruct you otherwise. Also, you can skip any step by checking the Skip checkbox. The following steps help you work through the Setup Assistant:
(Note: You can't bypass the assistant--you can check Skip or use defaults for each of these steps, and you must reach Step 6 and click Configure to run the actual manager software.)
- Introduction (Step 1 of 6): The first screen presents an overview of the assistant's functions.
- Anonymous Access (Step 2 of 6): Step 2 lets you choose settings for anonymous FTP (Figure 1). Pure-FTPd can isolate anonymous and regular users to special folders; this is called chroot (for "change root" in Unix parlance), and is often a huge hassle to set up. With PureFTPd Manager, though, it's easy. If you want to turn on anonymous FTP, just click Continue. If you won't need anonymous access, check Skip Anonymous Account Setup and click Continue. You can turn on anonymous access later.
- Virtual Users (Step 3 of 6): Virtual Users let you separate your Mac OS X users from FTP-only users (Figure 2). It's a nice feature when you have remote access that you want to keep isolated from your main computer's file system. If you want to turn on Virtual Users, click Continue. Otherwise, check the Skip box and then click Continue.
- Server Logging (Step 4 of 6): Tracking statistics and balancing Pure-FTPd's needs against the rest of your system are both useful options, so I recommend that you leave those checkboxes selected. However, if you are running just an FTP server on the computer on which you're installing this software, uncheck the option for fairly sharing processor resources. Click Continue.
- System Settings (Step 5 of 6): In most cases, you want Pure-FTPd to launch every time the system launches. If you need to launch it manually just when an FTP need arises, uncheck Automatically Launch PureFTPd at System Startup. The program doesn't have an option to omit creating virtual users and hosts directories, but that shouldn't cause you any problems, even if you're not using either feature. Click Continue.
- Conclusion (Step 6 of 6): The final screen shows a summary of your choices. Click Configure to implement them and launch PureFTPd Manager.
You can run through this assistant again at any time from the Server Status tab of PureFTPd Manager by clicking Easy Setup Assistant.
Turn on Anonymous FTP Access
Surely, anonymous FTP is one of the greatest uses of the Internet. With anonymous FTP, users don't need special accounts. This has been particularly difficult to set up securely under Mac OS X, and PureFTPd and the manager software finally give us that clean ability.
To turn on anonymous FTP access in PureFTPd Manager, follow these steps:
- In PureFTPd's Preferences window, open the Anonymous pane.
- If you followed the default setup with the Setup Assistant (as I explained in the steps just previously), Disable Anonymous Access is unchecked (Figure 3). Note that you can check that box to turn off anonymous access if and when you no longer need to allow anonymous access.
I recommend the following settings:
- Check Disable Upload unless you're positive that anonymous users need to upload files. If so, your best bet is to create the anonymous account's file directory on a separate hard drive or disk partition from your boot disk. This will keep a malicious user from filling up your computer. (You can also set a preference to prevent this; see "Other Options," below.)
- Uncheck Anonymous Users Can Create Directories, because there is usually no reason to let just anyone create a directory.
- Check Anonymous Can't Download Files Uploaded by Anonymous. This protects your anonymous FTP server from being hijacked as a repository for pirated software, or "warez." This happens quite frequently.
- Set Speed Limits to a percentage of your overall speed to prevent FTP users from overwhelming your Internet connection. If you have 768Kbps DSL, you might set Upload and Download to 512 or 256.
To apply the settings, close the Preferences window.
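To confirm that the recommendations above actually reached the server, the following added example (not from the article or from PureFTPd Manager) audits a pure-ftpd argument list against them. It assumes the server is started with Pure-FTPd's standard command-line options, one per token; the helper name `audit_anon` and the sample argument lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a pure-ftpd argument list against the anonymous-access
# settings recommended above. Assumes one option per token (no "-iEs" clusters).
# audit_anon is a hypothetical helper name, not part of Pure-FTPd.

audit_anon() {
    noanon=0; noupload=0; mkdirs=0; antiwarez=0; throttle=0
    for arg in "$@"; do
        case "$arg" in
            -E|--noanonymous)            noanon=1 ;;    # authenticated logins only
            -i|--anonymouscantupload)    noupload=1 ;;  # anonymous upload disabled
            -M|--anonymouscancreatedirs) mkdirs=1 ;;    # anonymous mkdir allowed
            -s|--antiwarez)              antiwarez=1 ;; # no download of anonymous uploads
            -t|-t[0-9]*|--anonymousbandwidth*) throttle=1 ;; # anonymous speed limit
        esac
    done

    # With anonymous logins refused outright, the other settings are moot.
    if [ "$noanon" -eq 1 ]; then return 0; fi

    findings=0
    if [ "$noupload" -eq 0 ]; then
        echo "WARN: anonymous upload is enabled"; findings=$((findings + 1))
    fi
    if [ "$mkdirs" -eq 1 ]; then
        echo "WARN: anonymous users can create directories"; findings=$((findings + 1))
    fi
    if [ "$antiwarez" -eq 0 ]; then
        echo "WARN: anonymous users can download anonymous uploads"; findings=$((findings + 1))
    fi
    if [ "$throttle" -eq 0 ]; then
        echo "WARN: no anonymous bandwidth limit is set"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample argument lists: a weak one, then one following the article.
audit_anon -A -M || true
audit_anon -A -i -s -t 256 && echo "OK: anonymous settings match the recommendations"
```

On a live server, the argument list to pass in can be read from the process table with `ps`.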
Create FTP Users Without Using Mac OS X Accounts
A virtual user in PureFTPd Manager can optionally have access only to directories with a particular login name in the location you have chosen. This allows you to create users without creating a full Mac OS X login account. To create a virtual user, follow these steps:
- Click the User Manager button in the PureFTPd Manager toolbar.
- Click the New button (in the toolbar). A new entry appears in the Virtual Users list at the left.
- In the General pane, enter the basic details for this user, such as full name (used to display information in the Server Status dialog), user name (in the Login field), and password (Figure 4). If you want to set the Home Directory to something other than the default, click Choose. Checking Restrict User Access to His Home Directory allows a user (of either gender) to view only the files in that directory and deeper. Unchecking it gives access to the entire computer. Restrict Time Access is a terrific option if you want certain users to have access just during work hours or at night. Checking Disabled keeps all the settings in place, but disables the account as long as the box is checked.
- Click the Virtual Folders tab to add directories that a user can view (or have read/write access to) that would otherwise be unavailable, because the user would be restricted to a home directory.
- Click the Transfers tab to set a variety of quotas and limits, such as maximum storage size for that user. I highly recommend setting a megabyte limit--even a quite large one--if the user's home directory is on your boot disk.
- Click the Other tab to create a banner message that this user sees on login if his FTP client displays banners; some, such as Fetch, don't.
- Also in the Other pane, you can set the IP Restrictions fields in order to limit or exclude from access just specific IP ranges or addresses. This can be useful if you see abuse or if you're working just with a specific set of people with static addresses.
- Choose File -> Save (Command-S) or click the Save button to save these changes and have them applied. (You'll be prompted if the server needs to be restarted.)
You can modify the default virtual user folder area in PureFTPd Manager's preferences. In the Mac OS X preference pane, click the Choose button to the right of the Virtual Users Base Directory field (Figure 5).