1

We currently have a LAMP stack for shared webhosting, and are using ProFTP with that.

Currently the ProFTP config is fairly stock - users are chrooted to ~. Currently running as the default user/group. We only use system users - no virtual users.

We use SuPHP to run each PHP process as the appropriate user/group.

What I'd really like is to have ProFTP automatically set the user:group of uploaded files to whomever is logged in. So if I login to FTP as "customer-a", I'd like any uploaded files be owned by "customer-a".

The main reason for this is, it seems, if I login as someone right now, they don't have permission to write to their home directory. Instead of loosening permissions, I'd like ProFTP to switch the user context appropriately.

Possible Solutions

One thing I've considered is perhaps declaring a virtual-host for each customer domain, which would then allow me to configure the User and Group directives individually.

1) This is a pain to do, I'd rather avoid having to append config for each user created. 2) ProFTP doesn't seem to support name-based virtual hosts.

Alternatively, I could make use of the UserOwner and GroupOwner directives, and create a new <Directory> block for each customer in the config.

I imagine something like this might work:

<Directory /home/customer-a/>
    UserOwner customer-a
    UserGroup customer-a
</Directory>

But it would be nice to be able to do this in a more general fashion, similar to the %u variable, documented here. But I don't think that will work with UserOwner.

Some details

  • Using Ubuntu
  • ProFTP 1.3.4a
  • Apache 2.2
  • Using SuPHP with PHP-CGI.
Geekman
  • 111
  • 2

1 Answers1

0

A better solution would be to use MySQL authentication and not have each customer having a system account. This would give you far more flexibility in terms of directory locations, user IDs and also give you a security boost.

To do that, build proftpd with mysql support.

Then in mysql, create a table (maybe called "users"):

  CREATE TABLE users (
    userid VARCHAR(30) NOT NULL UNIQUE,
    passwd VARCHAR(80) NOT NULL,
    uid INTEGER UNIQUE,
    gid INTEGER,
    homedir VARCHAR(255),
    shell VARCHAR(255),
    active BOOLEAN DEFAULT true
  );

  CREATE INDEX users_userid_idx ON users (userid);

Then to add users. The password can be in a number of formats (as per the SQLAuthTypes directive in proftpd.conf), but you should be able to just put the existing encrypted passwords in there. 

   INSERT INTO users (username,password, uid, homedir) VALUES ('username','APassWord', 77, '/home/sftpcustomers/custname/')

Your proftpd.conf should have:

     SQLBackend            mysql
     SQLAuthenticate       users
     AuthOrder             mod_sql.c
     SQLAuthTypes          OpenSSL Plaintext Crypt
     SQLConnectInfo        dbname@localhost:3306 db_username db_password

     SQLUserInfo     users username password uid NULL homedir NULL
     SQLUserWhereClause "Active = 1"
Quetza
  • 996
  • 7
  • 2
  • Forgive me, as it's been a number of years using ProFTP with an SQL backend, but how are permissions then handled? How does this serve the ultimate goal of allowing permissions to remain strict and isolated? Thanks! – Geekman Oct 24 '13 at 02:21