How can I set up group-based FTP access?
See-Also: item 220.127.116.11
Here is how to set up ftp so that a group of users has ftp access only.
Each user has an individual password, but they all access the same
set of files (i.e., the system thinks they are all really the same ftp
user). With only a slight change, you can have a group of users that
only have ftp access, each with their own individual password, and access
only to their own set of files (this is left as an exercise for the
1) Set up anonymous ftp (assumed in later instructions to be at
2) Add a user and group to /etc/passwd and /etc/group.
For example, in /etc/passwd:
and in /etc/group:
Note that ftpuser login is disabled (a "*" in the password field).
This allows various utilities (such as "ls") to recognize files
that belong to an ftp user (particularly important for backups).
3) In /users/ftp/etc, you must have a group and passwd file, of the same
format as their related system files. For example, in
and in /users/ftp/etc/passwd add:
Also, for each individual that you want to give access, add an
additional entry. Note that these have passwords (see passwd(1)
for instructions on setting passwords in this file).
george:3RgfBzfnipJPQ:1000:1000:George Smith \
A few things to notice. "ftpuser" is disabled. The home directory
for ftpuser is simply "/ftpusers", since anonymous ftp performs a
chroot to the home directory specified for ftp in /etc/passwd (see
chroot(2) and chroot(1M) for details). "george" has the
same uid, gid, and home directory that ftpuser has. "george"
will log in as george with his own password.
4) Under /users/ftp, create a directory "ftpusers". Make this
directory with owner "ftpuser" and group "ftpgroup", with 770
permissions. This effectively prevents anonymous ftp access to this
directory, since it is not world readable/writable.
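
The layout described in steps 2 to 4 can be checked mechanically. The following is an added example, not part of the original FAQ: a Python script that audits passwd-format text of the kind kept in /users/ftp/etc/passwd. The sample entries, the placeholder hashes and the function names are constructed for illustration.

```python
"""Audit a chroot passwd file for the shared-account ftp setup (added example)."""
from typing import NamedTuple

class Entry(NamedTuple):
    name: str
    pw: str
    uid: str
    gid: str
    home: str

# Constructed sample: every name, number and hash placeholder is illustrative.
SAMPLE = """\
ftp:*:500:500:anonymous ftp:/:/bin/false
ftpuser:*:1000:1000:shared ftp account:/ftpusers:/bin/false
george:CONSTRUCTEDHASH01:1000:1000:George Smith:/ftpusers:/bin/false
alice::1000:1000:Alice Example:/ftpusers:/bin/false
bob:CONSTRUCTEDHASH02:1000:1000:Bob Example:/home/bob:/bin/false
"""

def parse_passwd(text):
    """Return Entry tuples for well-formed 7-field lines; skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#"):
            entries.append(Entry(fields[0], fields[1], fields[2], fields[3], fields[5]))
    return entries

def audit(text, template="ftpuser"):
    """List deviations from the layout in step 3; an empty list means none found."""
    entries = parse_passwd(text)
    base = next((e for e in entries if e.name == template), None)
    if base is None:
        return [f"{template}: template entry missing"]
    findings = []
    if base.pw != "*":
        findings.append(f"{template}: login not disabled (password field is not '*')")
    for e in entries:
        if e is base or (e.uid != base.uid and e.gid != base.gid):
            continue  # entry does not belong to the shared ftp group
        if (e.uid, e.gid, e.home) != (base.uid, base.gid, base.home):
            findings.append(f"{e.name}: uid/gid/home differ from {template}")
        if e.pw == "":
            findings.append(f"{e.name}: empty password field")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To audit a real file, pass its contents to audit() in place of SAMPLE.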
Users first connect to the system as anonymous ftp:
$ ftp sysname
Connected to sysname.whatever.
220 sysname FTP server
Name (something:someuser): ftp
331 Guest login ok, send ident as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
Then, they use a sublogin to access their files:
ftp> user george
331 Password required for george.
230 User george logged in.
257 "/ftpusers" is current directory.
Users are placed in whatever directory is specified as their
home directory in /users/ftp/etc/passwd (relative to the
chroot at /users/ftp).
To remove access, remove their passwd entry from
This is all documented (though poorly) in the various ftp-related