Yesterday I finished configuring an FTP server using Pure-FTPd. The method I am using is the "Virtual Users" method.

The commands below are basically what I executed in order to make it work:

PureFTPd (Debian 10)

Install FTP using Pure-FTPd on Debian 10:

sudo apt install -y pure-ftpd-common pure-ftpd # Install Pure-FTPd
sudo ss -lnpt | grep pure-ftpd # Check which port Pure-FTPd is listening on

Initial Steps for Preparing Pure-FTPd to work:

System User and Group:

sudo su -
groupadd ftpgroup  # Create FTP Group
useradd -g ftpgroup -d /dev/null -s /etc ftpuser  # Create Emulated System User for Virtual FTP User
mkdir /home/ftpusers  # Create Base Home dir for Virtual Users

chown root:root /home/ftpusers -R  # Set root Permissions so Pure-FTPd can create folders Automatically
chgrp ftpgroup /home/ftpusers  # Set permissions to FTP Group for Virtual Users Permissions
chmod g+rx /home/ftpusers

PureFTPd Config


echo "yes" > /etc/pure-ftpd/conf/Daemonize  # Run as Daemon
echo "yes" > /etc/pure-ftpd/conf/NoAnonymous  # Prohibit Anonymous
echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone  # Enable chroot
echo "yes" > /etc/pure-ftpd/conf/VerboseLog  # Enable Verbose Logging
echo yes > /etc/pure-ftpd/conf/CreateHomeDir  # Create Folders Automatically
echo no > /etc/pure-ftpd/conf/PAMAuthentication  # ??? Check Later
echo no > /etc/pure-ftpd/conf/UnixAuthentication  # ??? Check Later - Disable login, maybe?

>/var/log/pure-ftpd/transfer.log && chmod 755 /var/log/pure-ftpd/transfer.log  # Enable Logging

Config. Pure-FTPd => /etc/pure-ftpd/pure-ftpd.conf

# This limits accounts to only what is in the Pure-FTPd database
AUTH="-lpuredb:/etc/pure-ftpd/pureftpd.pdb"

# Disallow anonymous connections. Only accept authenticated users.
NoAnonymous                  yes

# File creation mask. <umask for files>:<umask for dirs> - Use 177:077 if you’re paranoid.
Umask                        003:002

# Enable Passive mode to avoid Firewall NAT problems.
PassivePortRange 40000 60000

Config. Common Pure-FTPd => vi /etc/default/pure-ftpd-common

id -u ftpuser # Get UID/GID of FTP User first.
Change UPLOADUID/UPLOADGID on pure-ftpd-common file.

These commands are needed for some reason; otherwise, the user can't log in:
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/40PureDB
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50pure

Virtual User PureFTPd

pure-pw useradd victor -u ftpuser -g ftpgroup -d /home/ftpusers/victor
pure-pw passwd victor -m

Reload PureFTPd
pure-pw mkdb -f /etc/pure-ftpd/pureftpd.passwd -F /etc/pure-ftpd/pureftpd.pdb  # Update PureFTPd Database
service pure-ftpd restart

But after this, my next need was to make an HTML folder from an NGINX installation available so the client can transfer his files over FTP. With the commands above and his chrooted FTP folder, everything is working fine! If I try to upload anything to his FTP folder, using MobaXTerm or another FTP client, I can do it.

But if I try to upload to the bind-mounted HTML folder I created using the commands below, it does not let me:

CHRoot HTML Folder

mkdir -p /home/ftpusers/victor/sites  # Create Websites Folder for Victor
mount --bind /var/www/html /home/ftpusers/victor/sites  # Bind Mount because Link command does not work

Config. for FSTab in order to mount it at boot:

/mnt/data/html /var/www/html none nofail,bind 0 0
/var/www/html /home/ftpusers/victor/sites none nofail,bind 0 0
groups www-data  # Check what groups NGINX user is in
chown -R :<group> /var/www/html  # Just to be sure let’s redo HTML Permission for NGINX.
chmod -R g+w /var/www/html  # Group can Edit/Write

usermod -a -G www-data ftpuser  # Add our FTP User to NGINX Group
groups ftpuser # Now FTP User is in the same groups as NGINX User

Read and Write tests for FTP using cURL => All tests worked when the owners were ftpuser ftpgroup.

When the owners were www-data www-data, it does not let my FTP user replace and upload files, even though I added the FTP user above to the group that owns the files.

curl ftp://localhost:21/testfile_read -u 'victor:ftp_password' -O  # Read Permissions from Outside HTML folder
curl ftp://localhost:21/sites/testfile_html_read -u 'victor:ftp_password' -O  # Read Permissions from Inside HTML folder.

curl -T testfile_write ftp://localhost:21/ -u 'victor:ftp_password'  # Write Permissions from Outside HTML folder.
curl -T testfile_html_write ftp://localhost:21/sites/ -u 'victor:ftp_password' # Write Permissions from Inside HTML folder.

[Screenshots: Permissions; Permissions on MobaXTerm]

So, it looks like it is a problem with the permissions for www-data and the bind-mounted folder itself... But it does not make sense, since I already added the FTP user to the group that can edit/write...

I am going crazy, please, can someone help me?

TL;DR: I need help allowing an FTP user to read and write to a bind-mounted HTML folder within their chrooted FTP folder. Currently, I'm getting a 553 error (Permission denied) when trying to upload files to the bind-mounted HTML folder, even though I added the FTP user to the www-data group.

In summary, I want to give the FTP user the necessary permissions to access and modify the bind-mounted HTML folder. Despite adding the user to the www-data group, I'm encountering a 553 error when attempting to upload files to that folder. Any assistance would be greatly appreciated.

Raul Chiarella

1 Answer

The only way I made this work was by doing:

sudo chown root /var/www
sudo chmod 755 /var/www

sudo chgrp ftpgroup /var/www/ -R
sudo chown www-data /var/www/html/ -R

sudo chmod 775 /var/www/html/ -R

Exactly like this, even the slashes used are important here. I believe that this is not entirely secure and there must be another, safer way to do it, but I could not find it.

Raul Chiarella
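A way to compare the ownership in the question with the ownership in the answer, added here as an example that is not part of the original posts: it works out which permission class (owner, group or other) applies to an upload into a directory. It assumes the FTP session holds only the uid and gid given to `pure-pw useradd -u/-g`, with no supplementary groups; the numeric ids (ftpuser and ftpgroup as 1001, www-data as 33) and the mode 775 are constructed values.

```shell
#!/bin/sh
# Added example. Decides which permission class (owner, group or other) applies
# when a process with the given uid and group list creates a file in a directory.

# dir_write_verdict UID "GIDS" OWNER GROUP MODE  ->  prints "<class>:<allow|deny>"
dir_write_verdict() {
    uid=$1 gids=$2 owner=$3 group=$4
    mode=$((0$5))                          # octal mode such as 775 or 2775
    class=other
    bits=$((mode & 7))
    for g in $gids; do
        if [ "$g" = "$group" ]; then
            class=group
            bits=$(( (mode >> 3) & 7 ))
        fi
    done
    # Owner match wins even when the group bits would grant more.
    if [ "$uid" = "$owner" ]; then
        class=owner
        bits=$(( (mode >> 6) & 7 ))
    fi
    # Creating a file needs write (2) and search (1) on the directory.
    if [ $((bits & 3)) -eq 3 ]; then
        echo "$class:allow"
    else
        echo "$class:deny"
    fi
}

# path_write_verdict UID "GIDS" DIR: same check against a real directory (GNU stat).
path_write_verdict() {
    st=$(stat -c '%u %g %a' "$3") || return 2
    set -- "$1" "$2" $st
    dir_write_verdict "$@"
}

# Constructed ids: ftpuser=1001, ftpgroup=1001, www-data=33; mode 775 is assumed.
# Question's state: html owned by www-data:www-data, session has only ftpgroup.
dir_write_verdict 1001 "1001" 33 33 775       # other:deny
# Same ownership, if the session did carry www-data as a supplementary group.
dir_write_verdict 1001 "1001 33" 33 33 775    # group:allow
# Answer's state: owner www-data, group ftpgroup.
dir_write_verdict 1001 "1001" 33 1001 775     # group:allow
```

Only the classic mode bits are evaluated; POSIX ACLs are not considered. To see which groups a live session actually holds, read the `Groups:` line in `/proc/<pid>/status` for the pure-ftpd child process serving it.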