Sharing Remotely: FTP

Personal File Sharing is probably the most feature-rich and flexible OS X method of sharing files over the Internet or a network. However, it has the distinct disadvantage of only allowing sharing between Macs (unless you install special software on a Windows computer, but that's beyond the scope of this book). Because of this, Mac OS X also provides a number of ways to share files between Macs and non-Macs. FTP, which stands for File Transfer Protocol, is one of these: OS X has an FTP server built in. FTP has been a staple of Unix servers since well before the Mac OS and Windows even existed, and is largely platform agnostic (it allows connections between Macs, Windows, Unix, Linux, and many other operating systems).


FTP has one major drawback: it is one of the least secure methods of communicating between two computers. All usernames, passwords, commands, and file data are sent in plain text, meaning that anyone who might be able to intercept that data would be able to easily figure out the username and password of anyone who connects (and may be able to then use that data to log into other services). For this reason, I recommend not enabling FTP Access. I'm going to talk about it briefly, but if you need FTP-like sharing capability, you're far better off using Secure FTP (SFTP) which I talk about later in the chapter.

What Does It Share?

With FTP Access enabled, users will have the same level of access to files that they would have if they were sitting at the computer. In other words, normal users will have full Read & Write access to their home directory, Read Only access to other users' Public folders and the Shared user folder, and Read Only access to most other files on your computer. (An admin user will have much more leeway.)

Although this type of access should be fine if you know and trust your users, it does pose some added security risk, especially if you're providing access to unknown or untrustworthy people. With FTP, Read & Write access means the ability to download, upload, rename, and delete files, and Read Only access means the ability to download files. Thus, any admin-level user who connects via FTP will be able to perform some pretty serious file operations, and even non-admin users will be able to download (and thus view the contents of) many non-private files (i.e., files not located inside private user directories). For example, in the stock configuration of OS X's FTP Access, a normal user could connect and then download all of the files in /Library/Preferences (some of which may contain software licenses) or a file like /var/db/SystemConfiguration/preferences.xml, which contains all of your network settings.

Who Can Access Files?

If FTP Access is enabled, anyone with a user account on your computer can connect to it via an FTP client (from any platform: Windows, Mac, or Unix). However, it's possible to restrict the list of users who can connect over FTP; I've explained how to do this under "How Do I Configure It?"


Most FTP servers have a way to provide anonymous access: users can log in with the username anonymous and no required password. The way many Unix FTP servers, including the one in OS X, enable this feature is to check for a user account called "ftp". If that account exists on the computer, anonymous access is turned on automatically. So unless you want to enable anonymous access to your Mac, don't create a user account called "ftp".

How Do I Configure It?

To enable FTP Access, check the box next to FTP Access in the Services tab of Sharing preferences. If you want to configure some of the more advanced options that the FTP server offers, you need to manually edit configuration files or use a third-party utility as described below.

Disallowing FTP Access to Certain Users

If you're going to enable FTP Access, I recommend disallowing access to everyone but the specific users you want to use it. To do this, you need to edit the file /private/etc/ftpusers (you'll need to launch a text editor as root to edit the file). At the bottom of the list of usernames, type the short username of any user to whom you don't want to provide FTP access. Save the file, disable FTP Access, and then enable it again.
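
A way to check the result of this edit, as an added example that is not from the book: the script takes a list of account short names and an ftpusers file, prints which accounts can still connect, and flags an account named ftp, which the text above says turns on anonymous access. It assumes one username per line in both files with # starting a comment; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit FTP exposure from an account list and an ftpusers file.
# Assumed formats: both files hold one short username per line; '#' starts a
# comment in ftpusers. File paths are passed in, nothing is read implicitly.

# Print each account in $1 that is NOT denied by the ftpusers-style file $2.
ftp_allowed() {
    awk -v denyfile="$2" '
        BEGIN {
            while ((getline line < denyfile) > 0) {
                sub(/#.*/, "", line)            # drop comments
                if (split(line, f, " ") > 0)    # first word is the username
                    deny[f[1]] = 1
            }
        }
        NF && !($1 in deny) { print $1 }
    ' "$1"
}

# Succeed if an account named exactly "ftp" exists, which the page says
# switches anonymous access on.
anonymous_enabled() {
    grep -qx 'ftp' "$1"
}

# Report for one machine: who can connect, and whether anonymous is on.
audit() {
    echo "Accounts that can log in over FTP:"
    ftp_allowed "$1" "$2" | sed 's/^/  /'
    if anonymous_enabled "$1"; then
        echo "WARNING: account \"ftp\" exists, anonymous FTP is enabled"
    fi
}

# Constructed sample data (not taken from a real system).
tmp=$(mktemp -d)
printf 'root\nalice\nbob\ncarol\nftp\n' > "$tmp/accounts"
printf '# users denied FTP\nroot\nbob\ncarol  # added per the steps above\n' > "$tmp/ftpusers"
audit "$tmp/accounts" "$tmp/ftpusers"
rm -rf "$tmp"
```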

Confining User Access to Certain Folders

It's actually possible to configure Mac OS X's FTP server to restrict access to certain directories; unfortunately, space constraints prevent me from covering that topic (especially since I don't recommend FTP in general). In addition, Mac OS X 10.2 "broke" the common method of restricting access on FTP servers; I hope by the time you're reading this, Apple has fixed the FTP server to honor these methods. If you're interested in how you would do this, and more, check out the Unix configuration utility The Moose's Apprentice (, which is not only an excellent utility for configuring FTP options, but also provides a great deal of information about many Unix configuration files in its documentation (which is available online at

Compressing/Encoding Files

Another drawback of FTP is that sometimes Mac files transferred over FTP lose their resource forks (those that have resource forks, that is). For this reason it's often a good idea to use a utility like DropStuff to not only "stuff" files that will be transferred via FTP, but to also encode them in BinHex format (available from the DropStuff preferences dialog). See "When to Compress Files for Sharing" for more info.

How Do Others Access Files?

Users will be able to access files via FTP from any platform using any standard FTP client. In their FTP client, they should enter your IP address (or your domain name, if applicable) as the server address, and should use their username and password on your computer as their login name and password. (Again, keep in mind the caveats about IP addresses I've mentioned throughout this chapter.)

Alternatively, many web browsers also understand FTP; users can generally enter ftp://youripaddress/ as the URL, and their browser will then ask them for their username and password.

Finally, since FTP is technically a command-line application (it's been in use since long before graphical computing interfaces made their debut—graphical FTP clients are simply providing you with a pretty face to hide the command line), anyone with a terminal or console application and Internet access can connect using the command ftp youripaddress. They'll be prompted for their username and password; once they're logged in, they can use standard ftp commands to access files.


Mac OS X keeps a log of all FTP activity when FTP Access is enabled; it's located at /private/var/log/ftp.log. You can view this log in any text editor, or by using one of the log file utilities I mention in Chapter 14. In fact, if you have a broadband connection, you'll probably see lots of attempts to log in—your friendly neighborhood (or other-side-of-the-world) hacker is testing to see if you've enabled anonymous FTP access. Note that if you allow OS X's weekly maintenance scripts to run (as described in Chapter 14), your FTP log will only include FTP events from the past week, beginning Saturday.
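
To turn that log into a per-host tally of login probes, here is an added example (not from the book). The message texts it matches are an assumption modelled on BSD ftpd syslog entries, and the sample lines are constructed; compare them with a few lines of your own ftp.log before relying on the counts.

```shell
#!/bin/sh
# Added example: summarise refused and failed FTP logins per source host.
# ASSUMPTION: lines look like BSD ftpd syslog entries, for example
#   "... ftpd[123]: ANONYMOUS FTP LOGIN REFUSED FROM host"
#   "... ftpd[123]: FTP LOGIN FAILED FROM host, user"
# Adjust the two patterns if your ftp.log words these events differently.

# Print "count host kind" for each source in log file $1, busiest first.
ftp_probe_summary() {
    awk '
        /ftpd\[[0-9]+\]: ANONYMOUS FTP LOGIN REFUSED FROM / {
            n[$NF " anonymous"]++          # last field is the source host
            next
        }
        /ftpd\[[0-9]+\]: FTP LOGIN FAILED FROM / {
            host = $(NF-1)                 # "host," precedes the username
            sub(/,$/, "", host)
            n[host " failed"]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation-range addresses, not real traffic).
log=$(mktemp)
cat > "$log" <<'EOF'
Jan 12 03:14:07 mymac ftpd[411]: ANONYMOUS FTP LOGIN REFUSED FROM 203.0.113.9
Jan 12 03:14:09 mymac ftpd[412]: ANONYMOUS FTP LOGIN REFUSED FROM 203.0.113.9
Jan 12 08:30:51 mymac ftpd[502]: FTP LOGIN FAILED FROM 198.51.100.20, alice
Jan 12 09:02:13 mymac ftpd[530]: FTP LOGIN FROM 192.0.2.4 as alice
Jan 13 01:00:45 mymac ftpd[611]: ANONYMOUS FTP LOGIN REFUSED FROM 203.0.113.77
EOF
ftp_probe_summary "$log"
rm -f "$log"
```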