Tiny Deathstars of Foulness

Much has been made about the demise of FTP on OS X Server. Well, while it may be badly burned, it’s not dead yet. Let’s look at enabling FTP first on the server and then per share.

Enable FTP on the Server

The first thing to do on a server that you want to expose through FTP is enable tnftpd. To do so, open Workgroup Manager or Server and create a group that has user who you want to provide FTP services to. In this example we are going to assume a dedicated FTP server and open access to everyone, but feel free to swap out your group name for the everyone group we use here. Once you have your group (everybody exists by default so we won’t need to create that one), use dseditgroup to create a group called com.aple.access_ftp (everything in this article requires sudo btw):

dseditgroup -o create .

By default the group is empty and so once enabled, no one will have access to the FTP service. So let’s add everybody:

dseditgroup -o edit . -a everyone -t

Now let’s fire up FTP using the ftp.plist Apple kindly left us in /System/Library/LaunchDaemons:

launchctl load -w /System/Library/LaunchDaemons/ftp.plist

Enable FTP on Shares

By default share points in Lion have AFP and SMB enabled. The sharing command can be used to list and augment shares. To list:

sharing -l

Make note of the name for a share that you would like to enable FTP for, as well as whether AFP and SMB are enabled. Think of 3 boolean slots, with the first slot being AFP, the second FTP and the third SMB. Let’s use an example share of Seldon. Let’s also say AFP and SMB are enabled on Seldon by default. So sharing can be used to make a change (-e for edit) on the Seldon share, setting the services (-s) to 111:

sharing -e Seldon -s 111

Or to enable just FTP (given that this example is a dedicated FTP server):

sharing -e Seldon -s 010

And let’s say Seldon is a bit promiscuous and so we’re also going to enable guest for the FTP share:

sharing -e Seldon -g 010

Finally, provide the permissions via chmod to grant or deny access at a file and folder level and you’re done. FTP on future shares can be enabled with two or three commands so FTP management really isn’t all that big a deal. Command line doesn’t always mean hard. In fact, some times it’s easier ’cause you’re not hunting around in nested screens for what to click on. Having said that, who knows if this is a temporary reprieve from Apple to finally get away from a protocol older than I am. We would all do well to switch to something more secure…

August 2nd, 2011

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , , , , , ,

  • Dave Graham

    After I enabled this and connected with my FTP client I was able to browse out of the share point, all the way to the root of the volume. Do you know how to restrict FTP access to share points only?

    • You have to do a chroot 🙁

  • Will

    Awesome stuff, but I am a little lost. “sharing” doesn’t seem to be a valid command. What am I missing?

    • What’s the output of ‘which sharing’? Is it OS X Server?

  • Morten Nielsen


    Thanks for this – I think you have made a small mistake in the dseditgroup command – there is a minus n missing before the dot – e.g.:

    dseditgroup -o create .

    should be:

    dseditgroup -o create -n .

    I have a problem, though. When I do as you have described then the users in the new group are able to see all directories on the server when connecting via ftp. With Snow Leopard only the directories configured with the sharing tool would be visible from ftp.

    If I create the file /etc/ftpchroot with a single ‘*’ symbol in the file I am able to ensure that the users can at least only see their home directory.

    Do you have any idea about how to configure ftpd to only give ftp users access to the directories specified by the sharing tool?

    Best regards,

  • innermotion

    All very useful and as an addition I found it is useful to set the umask setting for FTP server. My only use for FTP is scanning from copiers as SMBX has broken all connections to Lion and could not get it to work for copiers that i support.

    I created a local user account on server called “canon” and created a home folder on an accessible network share and gave the folder group “mystaff” RWX permisisons.

    I cleared out all standard folders as this will only be used as FTP endpoint. I wanted all “mystaff” users to have RW perms on files so they can clear out folder if need be.

    create a file /etc/ftpd.conf if it does not exist
    add line umask all 002
    This will of course give RWX to owner and group when files are uploaded to folder form copier.

  • Matthew

    Am just setting up a Lion Server at the moment, and I need FTP access – so thanks for this, much appreciated!

    However, I found that any user granted FTP access, when they connect, they get landed straight in / – with seemingly no respect for share-specific enablement as above.

    Any idea how to restrict them to certain directories, either for all users or on a per-user basis?

  • Pingback: Setting Up File Services in OS X 10.8 Mountain Lion Server |

  • Tim

    Great instructions. Do you know were I could find some documentation on ftpd.conf settings? I am running 10.7 server

    • Sorry, but I haven’t seen any. I’ll post them if I find ’em.