Controlling and configuring the Mac OS X 10.4 FTP Server

Using a standard (non-Server) Mac OS X installation out-of-the-box as an FTP server is far from ideal, since configuring and controlling the default Mac OS X FTP service is cumbersome when compared to, say, an average Linux installation with ProFTPD. Nevertheless, there are cases where one wishes to run an FTP server on a remote Mac OS X-based machine. Since Apple is hardly forthcoming when it comes to documentation on advanced server functionality in the workstation version of Mac OS X, I have compiled a short guide to help others avoid the wasted time and frustration involved in puzzling out how to start, stop, configure and generally manage the Mac OS X FTP server that ships with the standard workstation version of the OS.

A Preliminary Overview

As of writing, the latest release of Mac OS X is version 10.4.* "Tiger". This version of the Mac OS ships with the tnftpd server. The binary itself is located in the path /usr/libexec/ftpd.

tnftpd is a tolerable FTP server, but great it is not. There are many third-party solutions to enhance Mac OS X FTP abilities -- I shall not be concerned with these, although I do recommend PureFTPD. I shall assume that you would rather stick with the built-in server. That's what it's there for, after all.

Valuable documentation on the functionality of tnftpd can be found in the man pages for ftpd and /etc/ftpd.conf. I suggest you skim over these to get a basic feeling of the functionality that is on offer.

Starting and stopping the FTP server

A cursory look at the Sharing Preferences pane in the System Preferences application should show you that you can start and stop the built-in FTP server graphically. The settings stay between reboots, as far as I know, so you can turn it on and off there if you have graphical access to the server. In many cases, however, graphical access will not be available. In such cases, you will want to start and stop the server via the command line. To start the Mac OS X FTP server, execute the following command:

/bin/launchctl load -w /System/Library/LaunchDaemons/ftp.plist

And to stop it, execute this command:

/bin/launchctl unload -w /System/Library/LaunchDaemons/ftp.plist

The FTP server does not run as a separate process. Rather, it is controlled by the launchd process. This means that ftpd will not appear in any process listing, and you will not be able to kill it manually.

Configuring the FTP server

The Mac OS X built-in FTP server configuration files are standard UNIX stuff and are adequately documented both in the ftpd.conf and ftpd man pages, and in various tutorials online. However, some special topics are worth mentioning.

Launch options/parameters

The FTP server is started by the launchd process at boot time, or launched via launchctl when started from the graphical interface. In order to configure the launch parameters, you need to modify the XML FTP service configuration file for launchd, which is located at the following path:

/System/Library/LaunchDaemons/ftp.plist

Within this file, you should see something like:

    <key>ProgramArguments</key>
    <array>
        <string>ftpd</string>
        <string>-l</string>
    </array>

You can add as many <string> entries as you like, and thus configure the launch parameters to your liking.

chroot

Although this is adequately documented in the ftpd man page, it is worth discussing briefly: chroot-ing is a very important thing to do when providing a publicly accessible FTP server. If FTP users are chrooted, they will be unable to navigate the entire directory structure of the server. This is essential for security reasons. To chroot all FTP users, create a file at the following path:

/etc/ftpchroot

Put a single '*' symbol in the file. This will chroot all those accessing the FTP server.
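A way to check these settings after editing, as an added example that is not part of the original guide or of Apple's tooling: it reads ProgramArguments from a launchd plist and the text of /etc/ftpchroot and reports what is missing, including the -l and -L logging options described under "Change the FTP log format". The function name and both sample plists are constructed for illustration and reduced to the one key the check reads.

```python
import plistlib

# Constructed samples, reduced to ProgramArguments; a real ftp.plist has more keys.
# DEFAULT_PLIST mirrors the arguments shown above; HARDENED_PLIST adds the logging options.
DEFAULT_PLIST = plistlib.dumps({"ProgramArguments": ["ftpd", "-l"]})
HARDENED_PLIST = plistlib.dumps(
    {"ProgramArguments": ["ftpd", "-l", "-l", "-L", "/var/log/ftpd.xferlog"]})


def audit_ftp_config(plist_bytes, ftpchroot_text):
    """Return a list of findings; an empty list means every check passed.

    ftpchroot_text is the content of /etc/ftpchroot, or None if the file
    does not exist.
    """
    args = plistlib.loads(plist_bytes).get("ProgramArguments", [])
    findings = []

    # A second -l extends logging to individual file operations.
    if args.count("-l") < 2:
        findings.append("file operations are not logged (fewer than two -l)")

    # -L must be followed by the xferlog path, not by another option.
    if "-L" not in args:
        findings.append("no xferlog output (-L missing)")
    else:
        i = args.index("-L")
        if i + 1 >= len(args) or args[i + 1].startswith("-"):
            findings.append("-L given without a log file path")

    # Simplified check: only the bare '*' entry this guide recommends counts.
    entries = [] if ftpchroot_text is None else [
        line.strip() for line in ftpchroot_text.splitlines() if line.strip()]
    if "*" not in entries:
        findings.append("/etc/ftpchroot has no '*' entry")
    return findings


if __name__ == "__main__":
    for name, plist, chroot in (("default", DEFAULT_PLIST, None),
                                ("hardened", HARDENED_PLIST, "*\n")):
        print(name, audit_ftp_config(plist, chroot) or "OK")
```

On the server itself, pass the bytes of /System/Library/LaunchDaemons/ftp.plist and the text of /etc/ftpchroot instead of the samples.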

Change the FTP log format

Unfortunately, the built-in FTP server does not offer a great deal of flexibility when it comes to log formats. By default, some basic FTP transaction information is logged in a non-standard log format in the file /var/log/ftp.log. This particular log format cannot be changed, although logging can be made more extensive (i.e. PUT and GET commands) by adding another -l parameter to the launch options (see above).

If you want to process FTP server log files with a log file analysis tool like AWStats, Webalizer, Analog or Summary, you must make the Mac OS X FTP server output transaction data in wu-ftpd's xferlog format to another log file. To do this, add the following to the launch parameters in ftpd's LaunchDaemon configuration file:

<string>-L</string>
<string>/var/log/ftpd.xferlog</string>

This will output all FTP file transactions to another log file. You can, of course, change the path of that log file to whatever you like.
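If you would rather inspect the xferlog yourself than feed it to an analysis tool, the following added example (not part of the original guide) parses wu-ftpd style xferlog records and lists uploads made by anonymous sessions. It assumes tnftpd writes the standard wu-ftpd field order; the sample lines, addresses and names are constructed.

```python
from collections import namedtuple
from datetime import datetime

Xfer = namedtuple("Xfer", "when seconds host size path direction access user status")

# Constructed sample lines in wu-ftpd xferlog layout (not from a real server).
SAMPLE_LOG = """\
Mon Mar  6 14:02:11 2006 3 192.0.2.10 48211 /Users/alice/report.pdf b _ o r alice ftp 0 * c
Mon Mar  6 14:05:40 2006 1 198.51.100.7 912 /pub/incoming/drop file.bin b _ i a guest@example.com ftp 0 * c
this line is not an xferlog record
"""


def parse_xferlog_line(line):
    """Parse one xferlog record; return None if the line does not fit the layout."""
    tok = line.split()
    # 5 date tokens + 3 leading fields + at least 1 path token + 9 trailing fields
    if len(tok) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        seconds, size = int(tok[5]), int(tok[7])
    except ValueError:
        return None
    # Count fields from both ends so a path containing a space stays one field.
    ttype, flag, direction, access, user, service, auth, authuser, status = tok[-9:]
    if direction not in ("i", "o", "d") or access not in ("a", "g", "r"):
        return None
    path = " ".join(tok[8:-9])
    return Xfer(when, seconds, tok[6], size, path, direction, access, user, status)


def anonymous_uploads(log_text):
    """Return incoming transfers (direction 'i') from anonymous sessions (access 'a')."""
    records = (parse_xferlog_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r.direction == "i" and r.access == "a"]


if __name__ == "__main__":
    for r in anonymous_uploads(SAMPLE_LOG):
        print(r.when, r.host, r.size, r.path)
```

To run it against the real log, pass the text of /var/log/ftpd.xferlog (or whichever path you gave to -L) to anonymous_uploads.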

Alternatives

I have not tested a great deal of alternatives to the built-in Mac OS X FTP server, but PureFTPD is a flexible, secure and reasonably configurable server. It has the hefty drawback of requiring substantial modifications to the standard Mac OS X FTP setup, and the great advantage of having a free graphical configuration tool called PureFTPD Manager which does all of this for you.