
The Quick-N-Dirty Guide to pure-ftpd

1.) Do you have pure-ftpd?

At a command prompt type
which pureftpd

If you get an answer like /usr/bin/pureftpd or /usr/sbin/pureftpd go to step 3, otherwise go to step 2. Different distributions put it in different places and you may have to have root's $PATH to find it. That is, if it's in /usr/sbin or /usr/local/sbin, in some distributions, only root's $PATH looks in those directories--normal users only have a $PATH that sees /usr/bin and /usr/local/bin.

Some distributions, as well as FreeBSD, call it pure-ftpd rather than pureftpd. (FreeBSD also aliases it as ftpd.)

2.) Installing pure-ftpd

Although pure-ftpd is not typically included with most distributions, it's a popular program. There's a good chance that your distribution has a package for it.

For help with installing take a look at our QND guide to installing software. If your distribution isn't covered, then you may have to install from source. Fear not, we have a QND guide for installing from source as well.

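If you are following this guide and installing from source, you will definitely want virtual chroot support. The shared-directory symlinks created in step 4 point outside each user's chrooted home, and pure-ftpd only follows such links when it is built with this option. During the configure step, be sure you use the option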
--with-virtualchroot

3.) Configuring pure-ftpd

In my case, I wanted one shared directory where members of a select group could upload, download and delete files. As ftp sends passwords in clear text, and is, of course, a way into the machine, I wanted this chrooted so that users couldn't leave their home directory. pure-ftpd makes this quite easy. Their README.Virtual-Users (included in the documentation and also available on their website) gives pretty clear instructions. Much of the below is taken from those instructions.

I was running this on a FreeBSD box. Some of the details may vary depending upon your operating system.

Let's say I have three users, john, robert and susan. I want the three of them to have access to a directory called shared. They will not have accounts on the BSD box, only FTP accounts.

First, we create an ftpuser system user and an ftpgroup group. For many Unix and Unix-like systems the command is
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser

For FreeBSD
pw groupadd ftpgroup
pw useradd ftpuser -g ftpgroup -d /dev/null -s /etc

A quick note on this. You might see an error on startup, either at the console or in /var/log/messages, saying that it can't find the ftp account. This has to do with pure-ftpd's own -s flag (not the useradd -s above), which prevents anonymous users from downloading files owned by 'ftp', the anonymous access account. In the pure-ftpd.conf file, it is the AntiWarez option. The message is harmless; everything still works.

The users we add next will not be in /etc/passwd. Instead, we'll use pure-pw, pure-ftpd's own password database. First we'll add user john
pure-pw useradd john -u ftpuser -d /home/ftpusers/john

The command prompts us to create a password for him. The -d makes him chrooted. The /home/ftpusers/john directory doesn't have to be created; we're going to configure pure-ftpd to automatically create it when john logs in for the first time.

The pure-pw program reads a database file called pureftpd.pdb (by default). In FreeBSD, it will be created in /usr/local/etc. We'll now create the database.
pure-pw mkdb

Now, we create robert. If we add -m to the pure-pw useradd line, pure-pw will automatically regenerate the database.
pure-pw useradd robert -u ftpuser -d /home/ftpusers/robert -m

Next we look in /etc/ (or /usr/local/etc/ in FreeBSD) for the pure-ftpd.conf file. In FreeBSD, it is installed as pure-ftpd.conf.sample. Copy it to pure-ftpd.conf.

Most of it can be left at default settings. I make sure that AnonymousOnly is set to no. I only want authenticated users.

The program can be started from the command line. In my case, I want it running when the system boots. For FreeBSD, it puts a script called pure-ftpd.sh in /usr/local/etc/rc.d and one adds the line
pureftpd_enable="YES"

to /etc/rc.conf. Now the program will run at startup.

Note that the default pure-ftpd.conf file in FreeBSD looks for pureftpd.pdb in /etc rather than /usr/local/etc. Edit your pure-ftpd.conf file and change
# PureDB user database (see README.Virtual-Users)

# PureDB                        /etc/pureftpd.pdb

to read
# PureDB user database (see README.Virtual-Users)

PureDB                        /usr/local/etc/pureftpd.pdb

(The # sign in the default file is also removed, as shown.)
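
A check for the settings this section depends on, as an added example that is not part of the original guide or of pure-ftpd itself. It reads a pure-ftpd.conf and reports AnonymousOnly set to yes, a PureDB line that is still commented out or names a missing file, and NoAnonymous or CreateHomeDir not set to yes. NoAnonymous and CreateHomeDir are pure-ftpd.conf options that this guide does not name, and the sample file contents are constructed.

```sh
#!/bin/sh
# Added example (not pure-ftpd's own tooling): audit pure-ftpd.conf for the
# settings this guide relies on. The sample file in demo() is constructed.

# Print the value of the last active (uncommented) "Key value" line.
conf_get() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# Print one finding per line; return 1 if anything needs attention.
audit_conf() {
    conf=$1
    rc=0
    if [ "$(conf_get "$conf" AnonymousOnly)" = "yes" ]; then
        echo "AnonymousOnly is yes: authenticated (virtual) users are refused"; rc=1
    fi
    if [ "$(conf_get "$conf" NoAnonymous)" != "yes" ]; then
        echo "NoAnonymous is not yes: anonymous logins are not explicitly refused"; rc=1
    fi
    db=$(conf_get "$conf" PureDB)
    if [ -z "$db" ]; then
        echo "PureDB is unset or still commented out: pure-pw users are ignored"; rc=1
    elif [ ! -r "$db" ]; then
        echo "PureDB names $db, which is missing or unreadable (run pure-pw mkdb)"; rc=1
    fi
    if [ "$(conf_get "$conf" CreateHomeDir)" != "yes" ]; then
        echo "CreateHomeDir is not yes: homes are not created at first login"; rc=1
    fi
    return $rc
}

# Constructed sample resembling an unedited file (PureDB still commented out).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/pure-ftpd.conf" <<'EOF'
AnonymousOnly                no
NoAnonymous                  no
# PureDB                        /etc/pureftpd.pdb
#CreateHomeDir               yes
EOF
    audit_conf "$tmp/pure-ftpd.conf"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo || true
```

To audit a live file, call audit_conf with its path (for example /usr/local/etc/pure-ftpd.conf on FreeBSD) in place of demo.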

4.) Testing

There are various options one can use at the command line. Depending upon the distribution, simply typing pureftpd (pure-ftpd in FreeBSD and probably some others) at the command line may read the pure-ftpd.conf file, or you may have to add flags manually. With FreeBSD, I simply run the /usr/local/etc/rc.d/ script.
/usr/local/etc/rc.d/pure-ftpd.sh start

The program starts, with a note of what flags it is using. First, I want to be sure that anonymous users can't log in so I start with
ftp localhost

By default it will give the user name that I am using. I try typing anonymous only to have it rejected. I then try a few user accounts on the machine to make sure that it's rejecting them as well.

Now, I log in as john with his password. I see that it works. I log out by typing bye.

I see that I now have a /home/ftpusers directory and john's home directory has been created in there. I create my shared directory.
cd /home/ftpusers
mkdir shared
chmod -R 770 shared
chown ftpuser:ftpgroup shared

After logging in as robert and susan to create their directories, I now symlink shared to all three of them. I do this as root or with root privilege.
cd /home/ftpusers/john
ln -s /usr/home/ftpusers/shared

I repeat the process for robert and susan.

I've found, in FreeBSD at least, that if I simply type ln -s ../shared, it doesn't work properly; I have to type the full path. (In FreeBSD, /home is actually a link to /usr/home.)

I test it by logging in as john and uploading something to shared. Then, I log in as susan and delete the file in shared. For my particular setup, this is necessary. You might not want to give your users such permissions. These are affected by the 770 permissions I've put on the shared directory. There is also a configuration option in pure-ftpd.conf to prohibit users deleting files.
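
A way to verify the layout built in this step, as an added example that is not part of the original guide. It checks that the shared directory has no permission bits for users outside the group (the 770 mode above) and that each user's home holds a shared symlink with a full-path target that resolves to that directory. The function name and the demo tree are constructed; the user names are the guide's.

```sh
#!/bin/sh
# Added example: verify the shared-directory layout described in this guide.
# The demo tree is constructed in a temporary directory.

# Usage: check_shared BASE USER...   (BASE is /home/ftpusers in the guide)
# Print one finding per line; return 1 if the layout differs from the guide's.
check_shared() {
    base=$1; shift
    rc=0
    real=$(cd -P "$base/shared" 2>/dev/null && pwd -P) || {
        echo "$base/shared does not exist"; return 1; }
    # Mode 770 leaves no bits for "other"; flag any that are set.
    if [ -n "$(find "$base/shared" -prune \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)" ]; then
        echo "$base/shared is accessible to users outside ftpgroup"; rc=1
    fi
    for user in "$@"; do
        link=$base/$user/shared
        if [ ! -L "$link" ]; then
            echo "$link is missing or not a symlink"; rc=1; continue
        fi
        case $(readlink "$link") in
            /*) ;;
            *) echo "$link has a relative target; the guide uses the full path"; rc=1 ;;
        esac
        if [ "$(cd -P "$link" 2>/dev/null && pwd -P)" != "$real" ]; then
            echo "$link does not resolve to $real"; rc=1
        fi
    done
    return $rc
}

# Constructed tree: john is correct, robert has a relative link, susan has none.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/shared" "$tmp/john" "$tmp/robert" "$tmp/susan"
    chmod 770 "$tmp/shared"
    ln -s "$tmp/shared" "$tmp/john/shared"
    ln -s ../shared "$tmp/robert/shared"
    check_shared "$tmp" john robert susan
    status=$?
    rm -rf "$tmp"
    return $status
}

demo || true
```

On the real server, run check_shared /home/ftpusers john robert susan in place of demo.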

Users might have trouble connecting through Internet Explorer. This is because IE, among others, tries to connect anonymously and may not give pure-ftpd the proper chance to request a username and password. In the pure-ftpd.conf file, one can change the BrokenClientsCompatibility line from no to yes. This might or might not work; it seems to depend upon which version of IE someone is using.

However, they should be able to use their browser by typing in an address like
ftp://john@ftpserver.example.com

with john being the username and ftpserver.example.com being, obviously enough, the ftp server.

There are free ftp clients for both Windows and Mac. For Windows, our users have FileZilla and for Mac there is Cyberduck.

References

man pure-ftpd
The pure-ftpd documentation site.

Additionally, in many installations, the program installs documentation in /usr/share/doc or /usr/local/share/doc.
