How can I set up group-based FTP access?

How can I set up group-based FTP access? Updated: 04/20/01

See-Also: item

Here is how to set up ftp so that a group of users only have ftp access,
they all have their own individual passwd, but they all access the same
set of files (i.e., the system thinks they are all really the same ftp
user). With only a slight change, you can have a group of users that
only have ftp access, each with their own individual passwd, and access
only to their own set of files (this is left as an exercise for the

1) Set up anonymous ftp (assumed in later instructions to be at

2) Add a user and group to /etc/passwd and /etc/group.

For example, in /etc/passwd:

ftpuser:*:1000:1000:FTP User:/users/ftp/ftpusers:/bin/false

and in /etc/group:


Note that ftpuser login is disabled (a "*" in the password field).
This allows various utilities (such as "ls") to recognize files
that belong to an ftp user (particularly important for backups).

3) In /users/ftp/etc, you must have a group and passwd file, of the same
format as their related system files. For example, in
/users/ftp/etc/group add:


and in /users/ftp/etc/passwd add:

ftpuser:*:1000:1000:FTP User:/ftpusers:/bin/false

Also, for each individual that you want to give access, add an
additional entry. Note that these have passwords (see passwd(1)
for instructions on setting passwords in this file).

george:3RgfBzfnipJPQ:1000:1000:George Smith \
(FTP User):/ftpusers:/bin/false

A few things to notice. "ftpuser" is disabled. The home directory
for ftpuser is simply "/ftpusers", since anonymous ftp performs a
chroot to the home directory specified for ftp in /etc/passwd (see
chroot(2) and chroot(1M) for details). "george" has the
same uid, gid, and home directory that ftpuser has. "george"
will login as george with his own password.

4) Under /users/ftp, create a directory "ftpusers". Make this
directory with owner "ftpuser" and group "ftpgroup", with 770
permissions. This effectively prevents anonymous ftp access to this
directory, since it is not world readable/writable.

That's it.

Users access the system via anonymous:

$ ftp sysname
Connected to sysname.whatever.
220 sysname FTP server
Name (something:someuser): ftp
331 Guest login ok, send ident as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.

Then, they use a sublogin to access their files:

ftp> user george
331 Password required for george.
230 User george logged in.
ftp> pwd
257 "/ftpusers" is current directory.

Users are placed in whatever directory is specified as their
home directory in /users/ftp/etc/passwd (relative to the
chroot at /users/ftp).

To remove access, remove their passwd entry from

This is all documented (though poorly) in the various ftp-related