ProFTPD: Running by Nonroot User

ProFTPD: Running as a Nonroot User

Occasionally, one might want to run ProFTPD on a system where root privs are not available to you as a user. It is still possible to setup a functioning FTP server without root privileges. There are a few catches and special considerations for this, however.

Here are the configuration directives that you will need to use in order to run the server without root privileges:

Port
This needs to be a number greater than 1023. Lower number ports require root privileges in order for the process to bind to that address. This will also mean that clients wishing to contact your server will need to know the port on which it is listening. Most FTP clients connect to the standard FTP port (21).
Example:
```
    Port 20021
```
AuthUserFile, AuthGroupFile
In order to authenticate users, by default the server looks in /etc/passwd for account information, and in /etc/shadow for the password. Comparing stored passwords requires root privileges, which this nonroot-running daemon will not have. You can get around this requirement by supplying your own passwd (and possibly group) files via the AuthUserFile and AuthGroupFile directives. Make sure the permissions on your custom files allow for the daemon to read them (but hopefully not other users).
Example:
```
    AuthUserFile /path/to/custom/ftpd.passwd
    AuthGroupFile /path/to/custom/ftpd.group
```
AuthPAM
PAM authentication requires root privileges. This directive will need to be set off.
Example:
```
    AuthPAM off
```

PidFile
This directive will need to be used to cause the server to write its PID to some file writable by the user.
Example:
```
    PidFile /home/bob/ftpd/proftpd.pid
```

ScoreboardFile
This directive will need to be used to cause the server to write its scoreboard to some file writable by the user.
Example:
```
    ScoreboardFile /home/bob/ftpd/proftpd.scoreboard
```
WtmpLog
Logging to wtmp files requires root privileges. While it is not strictly necessary for this directive to be set to off, failure to do so will result in server log messages like:
```
  host.domain.net (localhost[127.0.0.1]) - wtmpx /var/adm/wtmpx: Permission denied
```
Example:
```
    WtmpLog off
```
User, Group
The ability to switch the identity of the server process to those configured by the User and Group directives requires, of course, root privileges. It is best to configure User to be your username, and Group to be the name of your primary group (which is usually the first group listed by the groups command).
Example:
```
    User bob
    Group bob
```

Note that other configuration directives will be affected by the lack of root privileges: DefaultRoot will not work, nor will <Anonymous> sections, nor UserOwner. Basically any operation that requires root privileges will be disabled.

If using the SystemLog directive, make sure the file to which the server is to log can be written to by the configured daemon User or Group.

The daemon should now start successfully. Complaints about not being able to switch UIDs and such will be logged, but the daemon should still function properly.