Virtual Users with Pure-FTPd and MySQL
From FrugalWiki
Contents |
Introduction
This document is written for Pure-FTPd 0.99.1 and higher.
Pure-FTPd is a free (BSD-licenced), secure, production-quality and standard-conformant FTP server based upon Troll-FTPd. It doesn't provide useless bells and whistles, but focuses on efficiency and ease of use. It provides simple answers to common needs, plus unique useful features for personal users as well as hosting providers.
The MySQL database server is the world's most popular open source database. Its architecture makes it extremely fast and easy to customize. Extensive reuse of code within the software and a minimalistic approach to producing functionally-rich features has resulted in a database management system unmatched in speed, compactness, 1000 stability and ease of deployment. The unique separation of the core server from the table handler makes it possible to run with strict transaction control or with ultra-fast transactionless disk access, whichever is most appropriate for the situation.
Disclaimer
This document assumes that you have some knowledge on Pure-FTPd, and MySQL. At least enough to get everything installed. Installing the software is outside the scope of this document.
This document originally based on this article.
MySQL Install
Installation of MySQL is outside the scope of this document. We will use an out of the box MySQL install:
pacman -S mysql
MySQL Setup
You just have to have fields with the following info:
- The user's login.
- The user's password, in plaintext, MD5, crypt()ed or MySQL's password()
format. Pure-FTPd also accepts the "any" value for the MySQLCrypt field. With "any", all hashing functions (not plaintext) are tried.
Note: Avoid password() whoose hash function is rather weak, not portable, and it is supposed to be only used for internal accounts of MySQL servers. password() is no more supported by Pure-FTPd with MySQL 4.1.0 and later.
- The home directory.
Here's a dump of a simple table to handle this:
CREATE TABLE users ( User varchar(16) NOT NULL default , Password varchar(64) NOT NULL default , Dir varchar(128) NOT NULL default , PRIMARY KEY (User) );
PureFTPd Install
If you want to install Pure-FTPd with pacman, simply install it with
pacman -Sy pure-ftpd
You'll need at least 1.0.20-2.
PureFTPd Setup
ftpusers user/group
We'll need at least one user and group that represents the ftp users on the system.
# groupadd ftpusers # useradd ftpuser -g ftpusers # mkdir -p /home/ftpusers/someuser # chown -R ftpuser:ftpusers /home/ftpusers/someuser
On my system ftpuser's uid is 1010, and ftpusers' gid is 106.
MySQL Configuration file
Before running the server, you have to create a configuration file. Why a configuration file instead of simple command-line options? you may ask. Because of security reasons, you may want to hide how to connect to your MySQL server. And as command-line options can be discovered by local users (with 'ps auxwww' for instance), it's more secure to use a configuration file for sensitive data. Keep it readable only by root (chmod 600).
Here's a sample configuration file:
#MYSQLServer localhost #MYSQLPort 3306 MYSQLSocket /tmp/mysql.sock MYSQLUser user MYSQLPassword userpw MYSQLDatabase pureftpd MYSQLCrypt cleartext MYSQLGetPW SELECT Password FROM users WHERE User="\L" MYSQLGetDir SELECT Dir FROM users WHERE User="\L" MYSQLDefaultUID 1010 MYSQLDefaultGID 106
The uid/gid numbers are likely different on your system!
You should change the MYSQLUser and MYSQLPassword fields to confirm with your system.
Have a look at the sample pureftpd-mysql.conf configuration file for explanations of every keyword.
Save the configuration file anywhere. Let's say /etc/pureftpd-mysql.conf.
Pure-FTPd Configuration file
Add this line:
MySQLConfigFile /etc/pureftpd-mysql.conf
to your /etc/pure-ftpd.conf.
Then, in the pureftpd-mysql.conf configuration file, you have to provide SQL templates to fetch the needed info.
Let's take the previous example:
MYSQLGetPW SELECT Password FROM users WHERE User="\L" MYSQLGetDir SELECT Dir FROM users WHERE User="\L"
For each query:
- \L is replaced by the login of an user trying to authenticate.
- \I is replaced by the IP address the client connected to.
- \P is replaced by the port number the client connected to.
- \R is replaced by the remote IP address the client connected from.
- \D is replaced by the remote IPv4 address, as a long decimal number.
You can mix all of these to store info in various tables. For instance, with \I, you can have a different table for every domain, so that joe@domain1
1000 won't be the same account than joe@domain2 . And with \R, you can restrict one account to one specific address.
Please note that a login can only contains common characters: A...Z, a...z, 0...9, -, ., _, space, :, @ and ' . For security purposes, other characters are forbidden.
You can also remove uid and gid fields in your tables and use default values instead (thus saving useless lookups) . Two directives are useful to serve that purpose: MYSQLDefaultUID and MYSQLDefaultGID.
Obvious example:
MYSQLDefaultUID 1000 MYSQLDefaultGID 1000
Using these directives overrides MYSQLGetUID and MYSQLGetGID.