faq

功能强大的ftp服务器源代码

localhost, due to SSH tunneling) .

People with no home directory (/dev/null) and no valid shell
(/usr/bin/false) won't be able to get a shell nor to run any command on your
server. But they will be granted FTP-over-SSH sessions.

Here are examples (Linux/OpenBSD/ISOS/EkkoBSD commands, translate them if
necessary) .

1) Creating a regular FTP account:

pure-pw useradd customer1 -m -d /home/customer1 -u ftpuser

2) Creating a FTP-over-SSH account (non-encrypted sessions are denied):

useradd -u ftpuser -g ftpgroup -d /dev/null -s /usr/bin/false customer2
pure-pw useradd customer2 -m -d /home/customer2 -u ftpuser -r 127.0.0.1/32

3) Creating an account who can use regular (unencrypted) FTP from the
internal network (192.168.1.x), but who must use FTP-over-SSH when coming
from an external network (internet):

useradd -u ftpuser -g ftpgroup -d /dev/null -s /usr/bin/false customer3
pure-pw useradd customer3 -m -d /home/customer3 -u ftpuser \
        -r 127.0.0.1/32,192.168.1.0/24



* Virtual users: /etc/pureftpd.pdb .

-> I made changes to /etc/pureftpd.passwd but the server doesn't understand
them: I can't access any account I just created.

The server never reads /etc/pureftpd.passwd directly. Instead, it reads
/etc/pureftpd.pdb (or whatever file name you gave after -lpuredb:...) .

This file is a copy of /etc/pureftpd.passwd, but in a binary format,
optimized for fast lookups.

After having made a manual change to /etc/pureftpd.passwd, you must rebuild
/etc/pureftpd.pdb with the following commands:

pure-pw mkdb

If you add/delete/modify user accounts with pure-pw useradd/usermod/userdel/
passwd, don't forget the '-m' option to automatically rebuild
/etc/pureftpd.pdb and not only update /etc/pureftpd.passwd .



* Giving access to dot-files.

-> I don't want my users to read files beginning with a dot. Except one file
I'd like to give 'John' read (and maybe write) access to.

Create a symbolic link in John's account, pointing to the dot-file. Example:

ln -s .bashrc bashrc

John will be able to access ".bashrc" through the symbolic link, "bashrc".



* Initial banner.

-> How do I display a customized message before the login prompt?

Compile with --with-cookie and run the server with -F <file name> . In that
file, put a nice customized banner message.



* Internet Explorer.

-> Internet Explorer doesn't show any login box.

IE does a very strange trick to detect whether an FTP server does accept
anonymous connections or not. Basically, it connects to the server and logs
in as 'anonymous'. But if you say 'no' at this point, it drops the
connections with an error. You have to say 'ok, anonymous users are
allowed' and then, when a dummy password ('IE@') is sent, you say 'ah
ehm... finally... no... anonymous users aren't allowed' . Silly. To play
that game, you must run pure-ftpd with the -E (non-anonymous server) and -b
(compatibility with broken clients) flags. Then, the magic popup will show
up. But please note that IE (and browsers at large) are usually bad FTP
clients.

-> Internet Explorer doesn't want to log in. (Matthew Enger)

Check that the max number of connections (either per user or per IP) is at
least 2. IE needs two connections to connect to an FTP server.



* Passwords and pure-pw scripting.

-> I would like to create virtual users with a shell-script.  if i us
pure-pw useradd ..... it always asks for the new password. is there any
command-line option which tells pure-pw the password (like useradd ftp-user
ftp-password -m) ? (at1ce) .

Giving cleartext (and badly one-way hashed) passwords through command-line
switches is a bad idea. Because users could issue a simple 'ps' command and
discover these passwords.

One way to enter a password (not from the keyboard) is to put the password
twice in a temporary file, then redirect that file to stdin. Example:

pure-pw useradd john -d /tmp/john -u ftpuser -m < ~/tmp/passfile

And in ~/tmp/passfile, have something like:

john's password
john's password

If you really need to avoid a temporary file and if nobody but you can log
on the machine, you can always do this:

(echo blahblah; echo blahblah) | pure-pw useradd john -d /tmp/john -u ftpuser



* Altlog and pure-uploadscript don't work.

-> pure-uploadscript doesn't run anything. Alternative logging methods (CLF,
stats, W3C...) create a logfile, but it always stays empty.

Maybe your operating system has a buggy realpath() implementation. Some
old Solaris and Linux versions are known to have such a bug.
Try to recompile pure-ftpd, but run ./configure with the --with-brokenrealpath
switch first.



* The server starts, but doesn't listen to any port?

-> The server is properly running, I see it in the process list, but any try
to connect to the configured port (or port 21 by default) fails. The socket
isn't even open.

Check two things :

- If you are running a BSD system and you want to listen to IPv4 addresses,
check that the "-4" switch ("IPV4Only" in config file) is enabled.

- If you upload script are enabled ("-o", or "CallUploadScript"), make sure
that the pure-uploadscript is started. Or the FTP server will actually wait
until pure-uploadscript is actually ready to process new uploads. If you don't
need the uploadscript facility, remove "-o".



* Double slash.

-> Why do I see double slashes in log files? For instance, the path of a
downloaded file looks like /home/john//pictures/zok.jpg .

'//' is a symbol for the limit of the chroot jail. In that example, it means
that John is caged in /home/john/ .



* Windows port.

-> Does Pure-FTPd run on Windows?

Yes, there's a port available from http://www.pureftpd.org/windows/ .
But the server is developped on Unix and the Win32 version should be
considered experimental and unsupported.



* ftpwho as a non-root user.

-> How do I give access to the 'pure-ftpwho' command to non-root users?

The 'pure-ftpwho' command is restricted to root by default, because users
probably shouldn't be given the ability to spy what other users are doing on
the same host. However, it's safe to put the setuid bit on that command, in
order to have it work as any user:

                   chmod 4711 /usr/local/sbin/pure-ftpwho



* Changing bandwidth throttling on-the-fly.

-> Is it possible to change the bandwidth allocated to an user during a
transfer, so that the change takes place immediately?

Unfortunately, no. Or at least not at pure-ftpd level. Doing so would need
to re-read user's parameters all the time and it would be horribly slow.
Other mechanisms would work, like signals to interrupt transfers, re-read
parameters, then resume. But it would introduce a lot of complexity to the
code.

If you're using a modern operating system like OpenBSD, ISOS, EkkoBSD or Linux,
your kernel already includes a fair TCP/IP traffic shaper. And because it
works at kernel-level, you can easily change the bandwidth allowed to IPs or
services on-the-fly. Have a look at pf.conf(5) OpenBSD, ISOS and EkkoBSD,
and at tc (or read the Linux networking HOWTO) on Linux.
Also see the 'Global bandwidth limitation' section later in this document.



* KERBEROS_V4 rejected as an authentication type.

-> It works and I can log in, but I recieve these strange error messages at
log in, even in a non-chrooted environment: 

220 FTP server ready. 
502 Security extensions not implemented 
502 Security extensions not implemented 
KERBEROS_V4 rejected as an authentication type 

Why and what do they mean?

This is a Linux-specific instllation issue. It means that your command-line
FTP client isn't a normal one, but a Kerberos FTP client. You probably
installed RPMs for Kerberos, although you don't use it.  These messages are
harmless as Kerberos clients will fallback to normal FTP (after these
errors), but you just have to deinstall Kerberos on your client host to have
'ftp' work without these messages.



* Wrong group ownership.

-> I have an user called 'john' whoose group is 'johngroup'. When John
uploads a file, that one belongs to 'john', but to another group like
'wheel' (whoose John isn't a member of). What's wrong?

This is a BSD standard behavior (verified on OpenBSD, ISOS, EkkoBSD and
FreeBSD): when a new file is created, the group is inherited from the parent
directory. On other systems (like GNU/Linux), files are owned by the primary
group of the user, unless the directory has the setgid bit set.

If you want new files uploaded in John's directory to belong to group
'johngroup', have that directory (and probably also subdirectories) belong
to 'johngroup':

chgrp -R johngroup /home/john



* Compilation with MySQL.

-> I can't compile with MySQL. ./configure says that MySQL libraries aren't
properly installed.

The libmysqlclient.so file should be in a path known by your dynamic linker.
For instance, on a GNU/Linux system, add the path to libmysqlclient.so file
(only the path, not the file itself) to /etc/ld.so.conf . Then, run
'ldconfig' .



* "Sorry, I can't trust you".

-> When an user tries to log in, he gets "Sorry, I can't trust you". But his
login/password pair is right. What wrong?

That message can means two things:

- The user has a shell that isn't listed in /etc/shells. You must add it,
even if it's a fake shell like /bin/false . Also make sure that you have a
carriage return after the last entry in /etc/shells.

- You are using the -u <uid> option to deny access to users whoose uid is
below <uid> . But the user you are trying to log in as, has an uid in the
forbidden range.



* Customer-friendly configuration.

-> What switches do you recommend to start the server, for an hosting service?

Here's a good start:

--chrooteveryone \
--maxclientsperip=5 \
--displaydotfiles \
--noanonymous \
--minuid=100 \
--umask=022:022 \
--limitrecursion=10000:3 \
--customerproof



* Anonymous FTP with virtual users.

-> I successfully created a virtual user called 'ftp' or 'anonymous', but
anonymous FTP doesn't work.

Pure-FTPd never fetch any info from the virtual users backends (puredb,
MySQL, LDAP, etc) for anonymous sessions. There are three reasons not to do
so: - Speed: do we need to query a database just to get the anonymous
user's home directory? We don't need to retrieve any password for anonymous
sessions.
     - Consistency: with the virtual hosting mechanism.

To run an anonymous FTP server you must have a *system* account called
'ftp'. Don't give it any valid shell, just a home directory. That home