Note: Here we will assume that ProFTPd has been configured for SQL authentication.

Restricting Access Via Shell

The first thing that needs to be done is to restrict permissions on the FTP disk so that shell users aren’t allowed to read it. This requires some simple UNIX permissions knowledge, and I used the following to get the job done.

chown -r gongloo:ftp /var/ftp
find /var/ftp -type f -exec chmod 640 {} \;
find /var/ftp -type d -exec chmod 755 {} \;

That’ll set the permissions for all directories so that they can be opened by anyone but written to only by gongloo, and permissions for all files so that they can only be read by those in the ftp group and, again, can only be written to by gongloo. This means that any users who have FTP access as well as shell access will be able to list, but unable to read, the files on the FTP disk via shell.

Now all that we have to do is make sure that the ftp UNIX group contains only members that should have access to the FTP disk via shell.

Allowing Access Via FTP

The second thing we need to get done is to allow access to the files via FTP for those users who should have it. This is fairly straightforward if we configure ProFTPd to assign GIDs directly from the SQL database that it uses as its authentication backend. We simply create an entry in the SQL table for ProFTPd groups matching the ftp entry in /etc/group. I used something like the following:

INSERT INTO groups (groupname, gid, members) VALUES
('ftp', '21', 'userid1, userid2, userid3, ..., useridn');

And that’s it! Users listed in the ftp group in the SQL database are now able to grab files off of the FTP disk. Huzzah!