First, I have to say I have had mixed results with trying to run FTP-based installs on local machines, both on Linux and on Windows. I do a lot of WordPress stuff and it 'seems to work' -- sometimes. A lot of WordPress add-ins are designed to be added from the Dashboard via FTP. (95% of the time it just does not work - I put the files in the folders manually, and then run the installs.) I don't know a lot about Drupal, so I can't be a lot of help on their installers.
Second - all the files in opt/lampp/htdocs/ should probably belong to nobody:root.
That said, the FTP user is defaulted to 'nobody' - what the password is depends on whether you have run /opt/lampp/lampp security or not:
A matter of security (A MUST READ!)
As mentioned before, XAMPP is not meant for production use but only for developers in a development environment. XAMPP is configured to be as open as possible, allowing the developer anything he/she wants. For development environments this is great, but in a production environment it could be fatal.
Here is a list of the missing security in XAMPP:
The MySQL administrator (root) has no password.
The MySQL daemon is accessible via network.
ProFTPD uses the password "lampp" for user "nobody".
PhpMyAdmin is accessible via network.
Examples are accessible via network.
MySQL and Apache running under the same user (nobody).
To fix most of the security weaknesses simply call the following command:
It starts a small security check and makes your XAMPP installation quite secure. For example this protects the XAMPP demo pages by a username ('lampp') and password combination.
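To see which of the "accessible via network" items in the list above apply to a given machine, the listening sockets can be checked against the loopback addresses. This is an added example, not part of the original post or of XAMPP; the function name is hypothetical, the ports are assumed to be the stock defaults (21 ProFTPD, 80/443 Apache, 3306 MySQL), and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag XAMPP services that listen on non-loopback addresses.
# Assumption: default ports (21 ProFTPD, 80/443 Apache, 3306 MySQL).

# Reads `ss -tln` style output on stdin and prints one line per finding:
#   <port> <service> <local address>
exposed_xampp_ports() {
    awk '
        BEGIN { svc[21]="proftpd"; svc[80]="apache"; svc[443]="apache"; svc[3306]="mysql" }
        $1 == "LISTEN" {
            la = $4                          # e.g. 0.0.0.0:3306, *:80, [::]:21
            n = split(la, parts, ":")
            port = parts[n]                  # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (!(port in svc)) next         # not one of the XAMPP ports
            # Loopback-only listeners are not reachable from other hosts.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print port, svc[port], addr
        }
    ' | sort -n
}

# Constructed sample of `ss -tln` output for a freshly installed machine.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      511    *:80               *:*
LISTEN 0      128    [::]:21            [::]:*
LISTEN 0      128    [::1]:5432         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed sample where MySQL is bound to loopback only.
SAMPLE_LOCAL='LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*'

# On a real machine: ss -tln | exposed_xampp_ports
```

Any line it prints is a service that other hosts on the network can reach; an empty result means the XAMPP ports are bound to loopback only or not listening at all.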