
FTP On Lion Server

Much has been made about the demise of FTP on OS X Server. Well, while it may be badly burned, it’s not dead yet. Let’s look at enabling FTP first on the server and then per share.

Enable FTP on the Server

The first thing to do on a server that you want to expose through FTP is enable tnftpd. To do so, open Workgroup Manager or Server and create a group containing the users you want to provide FTP services to. In this example we are going to assume a dedicated FTP server and open access to everyone, but feel free to swap in your own group name for the everyone group we use here. Once you have your group (everyone exists by default so we won’t need to create that one), use dseditgroup to create a group called com.apple.access_ftp (everything in this article requires sudo, btw):

dseditgroup -o create -n . com.apple.access_ftp

By default the group is empty, so once the service is enabled no one will have access to it. So let’s add everyone:

dseditgroup -o edit -n . -a everyone -t group com.apple.access_ftp

Now let’s fire up FTP using the ftp.plist Apple kindly left us in /System/Library/LaunchDaemons:

launchctl load -w /System/Library/LaunchDaemons/ftp.plist

Enable FTP on Shares

By default share points in Lion have AFP and SMB enabled. The sharing command can be used to list and augment shares. To list:

sharing -l

Make note of the name for a share that you would like to enable FTP for, as well as whether AFP and SMB are enabled. Think of 3 boolean slots, with the first slot being AFP, the second FTP and the third SMB. Let’s use an example share of Seldon. Let’s also say AFP and SMB are enabled on Seldon by default. So sharing can be used to make a change (-e for edit) on the Seldon share, setting the services (-s) to 111:

sharing -e Seldon -s 111

Or to enable just FTP (given that this example is a dedicated FTP server):

sharing -e Seldon -s 010

And let’s say Seldon is a bit promiscuous and so we’re also going to enable guest for the FTP share:

sharing -e Seldon -g 010
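
As an added example (not from the original article): because -s sets all three slots at once, -s 010 on a share that had AFP and SMB enabled also switches those two off. The helpers below change a single slot of a flags string and print the resulting sharing command without running it; the function names are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. The slot order
# (AFP, FTP, SMB) is the one the article gives for `sharing -s` and `-g`.

# flags_set CURRENT PROTO on|off: print CURRENT with only PROTO's slot changed.
flags_set() {
    cur=$1; proto=$2; state=$3
    case $cur in
        [01][01][01]) ;;
        *) echo "flags must be three 0/1 digits: $cur" >&2; return 1 ;;
    esac
    case $state in
        on) bit=1 ;;
        off) bit=0 ;;
        *) echo "state must be on or off: $state" >&2; return 1 ;;
    esac
    afp=${cur%??}; mid=${cur#?}; ftp=${mid%?}; smb=${cur#??}
    case $proto in
        afp) afp=$bit ;;
        ftp) ftp=$bit ;;
        smb) smb=$bit ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    printf '%s%s%s\n' "$afp" "$ftp" "$smb"
}

# flags_describe FLAGS: print a readable form, e.g. "afp=off ftp=on smb=off".
flags_describe() {
    case $1 in [01][01][01]) ;; *) return 1 ;; esac
    afp=${1%??}; mid=${1#?}; ftp=${mid%?}; smb=${1#??}
    out=
    for pair in "afp:$afp" "ftp:$ftp" "smb:$smb"; do
        if [ "${pair#*:}" = 1 ]; then s=on; else s=off; fi
        out="$out${out:+ }${pair%%:*}=$s"
    done
    printf '%s\n' "$out"
}

# plan_ftp SHARE CURRENT_FLAGS: print (do not run) the command that turns FTP
# on for SHARE while leaving the AFP and SMB slots as they are.
plan_ftp() {
    new=$(flags_set "$2" ftp on) || return 1
    printf 'sharing -e %s -s %s\n' "$1" "$new"
}

# Constructed sample: Seldon currently has AFP and SMB on (101).
plan_ftp Seldon 101
flags_describe 010
```

Running flags_describe on the value passed to -g shows which protocols accept guest connections.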

Finally, provide the permissions via chmod to grant or deny access at a file and folder level and you’re done. FTP on future shares can be enabled with two or three commands, so FTP management really isn’t all that big a deal. Command line doesn’t always mean hard. In fact, sometimes it’s easier ’cause you’re not hunting around in nested screens for what to click on. Having said that, who knows if this is a temporary reprieve from Apple to finally get away from a protocol older than I am. We would all do well to switch to something more secure…