The following howto describes how to set up ftp only accounts using Apple Mac’s built in ftp server (lukemftpd).

This outline requires you to use the terminal, Account Manager, and have admin privileges on the machine in question.

To create ftp only accounts we need to:

1. Create an ftp login shell
2. Restrict our prospective ftp user to their folder
3. Create the user account
4. Create a folder for the new user
5. Give the user a password

Create An FTP Login Shell

To create an ftp login shell we need to copy or link /sbin/nologin to /sbin/ftplogin. We’ll create a symbolic link from /sbin/nologin to /sbin/ftplogin. To do this:

1. Fire up Terminal
2. Type “sudo ln -s /sbin/nologin /sbin/ftplogin” (without the quotes)
3. Hit return
4. Type in your admin user’s password when prompted

Now we need to add the new “shell” to the list of shells available to the system. To do this we need to add “/sbin/ftplogin” to the list of shells given in the file found at /etc/shells. In Terminal:

1. Type “sudo pico /etc/shells”. This’ll open up the file “shells” in a simple text editor in Terminal
2. Hit return
3. Type in your admin user’s password if prompted
4. Add the string “/sbin/ftplogin” (without the quotes) on a new line at the end of the list of shells available. This’ll give you a final list similar to:/bin/bash
   /bin/csh
   /bin/sh
   /bin/tcsh
   /bin/zsh
   /sbin/ftplogin
5. Type ctl + “o”. That’s the letter “o” while holding down the control key
6. Hit return
7. Type ctl + “x” to eXit Pico

Restrict User To Their Folder

We’re setting this up now so that as soon as the user we’re creating gains access to our machine, they’re restricted to their log-in or root folder. All we have to do is create the file /etc/ftpchroot if it doesn’t exist and then add the prospective user’s username to the file.

1. In Terminal, type “cd /etc” (without the quotes. From here on in, I’ll assume you’re ignoring the quotes)
2. Check to see whether the file “ftpchroot” exists. If it doesn’t, type “sudo touch ./ftpchroot” and give you admin password if prompted for it

Now we need to add the username to the created file. Using pico:

1. In Terminal type “sudo pico ./ftpchroot”. This’ll open up the file “ftpchroot” in a simple text editor in Terminal
2. Type in your prospective ftp user’s username. Ours is “fred”. For safety, make the username all lowercase letters only - although we’ll let you have the underscore (”_”) too.
3. Type ctl + “o”. That’s the letter “o” while holding down the control key
4. Hit return
5. Type ctl + “x” to eXit Pico

Create User Account

Go to System Preferences > Accounts. Add a new user
Ctrl+Click > Advanced Options

User ID - start a new round (like the 600s)
Group ID - 20
Login Shell - /sbin/ftplogin
Home Directory - where you want the users home directory to be. I jailed mine to my iTunes folder so I can share music with my friends.

Create A User Folder

If you specified an already existent folder in the step above this step will not be necessary.

We need to create a user folder and then change its ownership (and permissions) to reflect those of the newly created user.

1. In Terminal, type “cd /Users”. Typing “ls” will give you a list of all the users on your machine
2. Type “mkdir <username>” where <username> is the new user’s username. We’ll be typing “mkdir fred”
3. Change the owner of this file by typing “sudo chown <uid>:20 ./<username>. Where <uid> is the uid for the user you added (and made a mental note of) and <username> is the username…. OK. You’ve got the idea. Oh. If your prompted for a password, give your admin password.
4. Change the permissions of this file so that we can all access it (if you know what you’re doing here, set the permissions as you see fit). “sudo chmod 777 ./<username>”

Now we’re on the home stretch.

Give The User A Password

If you specified an already existent folder in the step before last this step will not be necessary.

The next step is to give the newly created user a password. To do this, in Terminal:

1. Type “sudo passwd <username>”. (So we’ll be typing “sudo passwd fred”).
2. Type in the new password at the prompt.
3. Retype it as prompted.

NAT?

If you’re behind a router or firewall which does Network Address Translation (NAT), there’s one more thing. Passive FTP requires the machine offering the FTP service to return its IP address and a port on which it’ll be listening. If you’re on a NATed network, it’s likely that the FTP server is going to return its internal IP number rather than the external address you’d prefer it to give. To get around this:

Create the file /etc/ftpd.conf

Add the line “advertise all <host>” where <host> is either the host name or external IP address for the FTP server.

Done

Restart the FTP server to ensure that all the caches are flushed and then see whether you can log-in via ftp as the new user. The easiest way of doing this is to turn FTP off and then on again in System Preferences -> Sharing.

Enjoy!
In part from: http://www.ldml.com/services/support/macosx/ftpUserCreate.html