ftpaccess(4)
NAME
ftpaccess - FTP Server configuration file
SYNOPSIS
/etc/ftpd/ftpaccess
DESCRIPTION
The ftpaccess file is used to configure the operation of
the FTP Server.
Access Capabilities
The following access capabilities are supported:
autogroup groupname class [class...]
If an anonymous user is a member of any of class, the
FTP Server will perform a setegid(2) to groupname.
This allows access to group and owner read-only files
and directories to a particular class of anonymous
users. groupname is a valid group returned by
getgrnam(3C).
class class typelist addrglob [addrglob...]
Define class of users, with source addresses of the
form addrglob. Multiple members of class may be
defined. There may be multiple class commands listing
additional members of the class. If multiple class
commands can apply to the current session, the first
one listed in the access file is used. If a valid
class for a host is not defined, access will be
denied. typelist is a comma-separated list of any of
the keywords anonymous, guest, and real. If the real
keyword is included, the class can match users using
FTP to access real accounts. If the anonymous keyword
is included the class can match users using anonymous
FTP. The guest keyword matches guest access accounts.
addrglob may be a globbed domain name or a globbed
numeric IPv4 address. It may also be the name of a
file, starting with a slash ('/'), which contains
additional address globs. IPv4 numeric addresses may
also be specified in the form address:netmask or
address/CIDR. IPv6 numeric addresses can only be
specified with an optional CIDR, not using globs or
netmasks.
Placing an exclamation (!) before an addrglob negates
the test. For example,
class rmtuser real !*.example.com
will classify real users from outside the example.com
domain as the class rmtuser. Use care with this
option. Remember, the result of each test is OR'ed with
other tests on the line.
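The matching rules above (tests on one line are OR'ed, '!' negates a test, the first class line that applies wins, and no class means access is denied), as an added Python simulation that is not part of the man page or of the FTP Server itself. The class lines and remote hosts are constructed, and file references (an addrglob starting with '/') are not handled:

```python
import fnmatch
import ipaddress

# Constructed sample of class lines; not taken from the man page.
FTPACCESS = """
class local   real,guest,anonymous 10.0.0.0/8 192.168.1.0:255.255.255.0 *.example.com
class rmtuser real                 !*.example.com
class remote  anonymous            *
class broken  guest                !*.example.com *.example.com
"""


def _network(addrglob):
    """Parse address/CIDR or IPv4 address:netmask; None when addrglob is a name glob."""
    try:
        if "/" in addrglob:
            return ipaddress.ip_network(addrglob, strict=False)
        if addrglob.count(":") == 1 and "." in addrglob:  # IPv4 address:netmask
            addr, mask = addrglob.split(":")
            return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None
    return None


def addrglob_matches(addrglob, hostname, ip):
    """One addrglob test: network membership or a glob over name/address; '!' negates it."""
    negate = addrglob.startswith("!")
    if negate:
        addrglob = addrglob[1:]
    net = _network(addrglob)
    if net is not None:
        hit = ipaddress.ip_address(ip) in net
    else:
        hit = (fnmatch.fnmatchcase(hostname.lower(), addrglob.lower())
               or fnmatch.fnmatchcase(ip, addrglob))
    return hit != negate


def parse_classes(text):
    """Return [(classname, typelist, addrglobs)] for every class line, in file order."""
    result = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "class":
            result.append((fields[1], fields[2].split(","), fields[3:]))
    return result


def classify(classes, session_type, hostname, ip):
    """Name of the first class line that applies, or None (no class means access denied)."""
    for name, typelist, globs in classes:
        if session_type not in typelist:
            continue
        # Tests on one line are OR'ed: a single matching addrglob selects the class.
        if any(addrglob_matches(g, hostname or "", ip) for g in globs):
            return name
    return None


def overbroad_classes(classes):
    """Lint: a line listing both X and !X matches every host, because the tests are OR'ed."""
    return [name for name, _, globs in classes
            if any(g.startswith("!") and g[1:] in globs for g in globs)]


if __name__ == "__main__":
    classes = parse_classes(FTPACCESS)
    print(classify(classes, "real", "ws1.example.com", "10.1.2.3"))     # local
    print(classify(classes, "real", "host.other.org", "203.0.113.9"))   # rmtuser
    print(classify(classes, "guest", "host.other.org", "203.0.113.9"))  # broken
    print(overbroad_classes(classes))                                   # ['broken']
```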
deny addrglob [message_file]
Deny access to host(s) that match addrglob and display
message_file. If the value of addrglob is !nameserved,
access to sites without a working nameserver is
denied. message_file may contain magic cookies. See
message for more details.
guestgroup groupname [groupname...]
guestuser username [username...]
realgroup groupname [groupname...]
realuser username [username...]
For guestgroup, if a real user is a member of any
groupname, the session is set up like anonymous FTP.
groupname is a valid group returned by getgrnam(3C).
The user's home directory must be set up exactly as
anonymous FTP would be. The home directory field of
the passwd entry is divided into two directories. The
first field is the root directory that will be the
argument to the chroot(2) call. The second field is
the user's home directory, relative to the root
directory. Use a "/./" to separate the two fields. For
example, the following is the real entry in
/etc/passwd:
guest1:x:100:92:Guest FTP:/export/home/guests/./guest1:/bin/true
When guest1 successfully logs in, the FTP Server will
chroot() to /export/home/guests and then chdir(2) to
/guest1. The guest user will only be able to access
the directory structure under /export/home/guests, which
will look and act as / to guest1, just as an anonymous FTP
user would. The -d option to ftpconfig(1M) is useful when
creating guest FTP user accounts. The group name may be
specified by either name or numeric ID. To use a numeric
group ID, place a '%' before the number. You can give
ranges. Use an asterisk to indicate all groups. guestuser
works like guestgroup, except that it uses the user name or
numeric ID. realuser and realgroup have the same syntax, but
they reverse the effect of guestuser and guestgroup. They
allow real user access when the remote user would otherwise
be determined a guest.
guestuser *
realgroup admin
causes all non-anonymous users to be treated as guest,
with the sole exception of users in the admin group,
who are granted real user access.
nice nice-delta [class]
Adjust the process nice value of the FTP server
process by the indicated nice-delta value if the remote
user is a member of the named class. If class is not
specified, then use nice-delta as the default
adjustment to the FTP server process nice value. This
default nice value adjustment is used to adjust the
nice value of the server process only for those users
who do not belong to any class for which a class-
specific nice directive exists in the ftpaccess file.
defumask umask [class]
Set the umask applied to files created by the FTP
server if the remote user is a member of the named
class. If class is not specified, then use the umask
as the default for classes that do not have one
specified. The mode of files created may be specified by
using the upload directive.
tcpwindow size [class]
Set the TCP window size (socket buffer size) for the
data connection. Use this to control network traffic.
For instance, slow PPP dialin links may need smaller
TCP windows to speed up throughput. If you do not know
what this does, do not set it.
keepalive yes|no
Set the TCP SO_KEEPALIVE option for control and data
sockets. This can be used to control network
disconnect. If yes, then set it. If no, then use the
system default (usually off). You probably want to
set this.
timeout accept seconds
timeout connect seconds
timeout data seconds
timeout idle seconds
timeout maxidle seconds
timeout RFC931 seconds
Set various timeout conditions.
accept
How long the FTP Server will wait for an
incoming (PASV) data connection. The default is 120
seconds.
connect
How long the FTP Server will wait attempting to
establish an outgoing (PORT) data connection.
This affects the actual connection attempt. The
daemon makes several attempts, sleeping between
each attempt, before giving up. The default is
120 seconds.
data How long the FTP Server will wait for some
activity on the data connection. You should
keep this long because the remote client may
have a slow link, and there can be quite a bit
of data queued for the client. The default is
1200 seconds.
idle How long the FTP Server will wait for the next
command. The default is 900 seconds. The default
can also be overridden by using the -t option at
the command-line. This access clause overrides
both.
maxidle
The SITE IDLE command allows the remote client
to establish a higher value for the idle
timeout. The maxidle clause sets the upper limit
that the client may request. The default can
also be overridden by using the -T option at the
command-line. This access clause overrides
both. The default is 7200 seconds.
RFC931
The maximum time the FTP server allows for the
entire RFC931 (AUTH/ident) conversation.
Setting this to zero (0) disables the server's use
of this protocol. The information obtained by
means of RFC931 is recorded in the system logs
and is not actually used in any authentication.
The default is 10 seconds.
file-limit [raw] in|out|total count [class]
Limit the number of data files a user in the given
class may transfer. The limit may be placed on files
in, out, or total. If no class is specified, the
limit is the default for classes which do not have a
limit specified.
The optional parameter raw applies the limit to the
total traffic rather than just data files.
data-limit [raw] in|out|total count [class]
Limit the number of data bytes a user in the given
class may transfer. The limit may be placed on bytes
in, out, or total. If no class is specified, the
limit is the default for classes which do not have a
limit specified. Note that once it has been exceeded,
this limit will prevent transfers, but it will not
terminate a transfer in progress. The optional
parameter raw applies the limit to total traffic rather
than just data files.
limit-time *|anonymous|guest minutes
Limit the total time a session can take. By default,
there is no limit. Real users are never limited.
guestserver [hostname...]
Control which hosts may be used for anonymous access.
If used without hostname, all anonymous access is
denied to this site. More than one hostname may be
specified. Anonymous access will only be allowed on
the named machines. If access is denied, the user will
be asked to use the first hostname listed.
limit class n times [message_file]
Limit class to n users at times times, displaying
message_file if the user is denied access. A limit
check is performed at login time only. If multiple
limit commands can apply to the current session, the
first applicable one is used. Failing to define a
valid limit, or a limit of -1, is equivalent to no
limits. The format of times is:
day[day...][time-range][|day[day...][time-range]]...
The value of day can be Su, Mo, Tu, We, Th, Fr, Sa, Wk
(for any weekday Monday through Friday), or Any. time-
range is in 24-hour clock notation. If a time range is
not specified, any time of the day is matched. Multiple
day and time-range may be specified by the "|" symbol.
For example, Wk1730-0900|Sa|Su specifies 5:30 p.m. to
9:00 a.m., Monday through Friday, and anytime on
weekends. message_file may contain magic cookies. See
message for more details.
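The times format and the first-applicable-limit rule, as an added Python example that is not from the man page or the server. The limit lines are constructed, and a range whose end precedes its start (1730-0900) is assumed to wrap past midnight on each listed day:

```python
import re
from datetime import datetime

DAY_CODES = {"Su": 6, "Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5}  # datetime.weekday()
_PART = re.compile(r"^((?:Su|Mo|Tu|We|Th|Fr|Sa|Wk|Any)+)(?:(\d{4})-(\d{4}))?$")

# Constructed sample limit lines; not taken from the man page.
LIMITS = [
    "limit anon  10 Wk1730-0900|Sa|Su /etc/ftpd/msg.toomany",
    "limit anon   3 Any               /etc/ftpd/msg.toomany",
    "limit staff -1 Any",
]


def parse_times(spec):
    """Turn 'Wk1730-0900|Sa|Su' into a list of (weekdays, start_hhmm, end_hhmm)."""
    parsed = []
    for part in spec.split("|"):
        m = _PART.match(part)
        if not m:
            raise ValueError(f"bad times specification: {part!r}")
        days = set()
        for code in re.findall(r"Su|Mo|Tu|We|Th|Fr|Sa|Wk|Any", m.group(1)):
            if code == "Any":
                days.update(range(7))
            elif code == "Wk":
                days.update(range(5))          # Monday through Friday
            else:
                days.add(DAY_CODES[code])
        if m.group(2):
            start, end = int(m.group(2)), int(m.group(3))
        else:
            start, end = 0, 2400               # no range: any time of the day
        parsed.append((days, start, end))
    return parsed


def in_times(spec, when):
    """True if the datetime `when` falls inside the times specification."""
    hhmm = when.hour * 100 + when.minute
    for days, start, end in parse_times(spec):
        if when.weekday() not in days:
            continue
        if start <= end:
            hit = start <= hhmm < end
        else:
            # Assumption: an end earlier than the start (1730-0900) wraps past
            # midnight, so both the evening and the morning part count.
            hit = hhmm >= start or hhmm < end
        if hit:
            return True
    return False


def effective_limit(limit_lines, classname, when):
    """User cap from the first applicable limit line; None means no limit."""
    for line in limit_lines:
        f = line.split()
        if len(f) >= 4 and f[0] == "limit" and f[1] == classname and in_times(f[3], when):
            n = int(f[2])
            return None if n == -1 else n
    return None


if __name__ == "__main__":
    wed_evening = datetime(2024, 3, 6, 20, 0)    # a Wednesday
    print(effective_limit(LIMITS, "anon", wed_evening))                  # 10
    print(effective_limit(LIMITS, "anon", datetime(2024, 3, 6, 12, 0)))  # 3
    print(effective_limit(LIMITS, "staff", wed_evening))                 # None
```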
noretrieve [absolute|relative]
[class=classname...][-] filename [filename...]
Always deny retrievability of these files. If
filename specifies a pathname that begins with '/'
character, then only those files are marked no
retrieve. Otherwise all files that match the filename
are refused transfer. For example, noretrieve
/etc/passwd core specifies no one will be able to
retrieve the /etc/passwd file. You will be allowed to
transfer any file named passwd that is not in /etc.
On the other hand, no one will be able to get files
named core, wherever they are. Directory
specifications mark all files and subdirectories in the named
directory unretrievable. The filename may be
specified as a file glob. For example,
noretrieve /etc /home/*/.htaccess
specifies that no files in /etc or any of its
subdirectories may be retrieved. Also, no files named
.htaccess anywhere under the /home directory may be
retrieved. The optional first parameter selects
whether names are interpreted as absolute or relative
to the current chroot'd environment. The default is to
interpret names beginning with a slash as absolute. The
noretrieve restrictions may be placed upon members of
particular classes. If any class= is specified, the
named files are unretrievable only when the current
user is a member of one of the given classes.
allow-retrieve [absolute|relative]
[class=classname...][-] filename [filename...]
Allows retrieval of files which would otherwise be
denied by noretrieve.
loginfails number
After number login failures, log a "repeated login
failures" message and terminate the FTP connection.
The default value for number is 5.
private yes|no
Allow or deny use of the SITE GROUP and SITE GPASS
commands after the user logs in. The SITE GROUP and
SITE GPASS commands specify an enhanced access group
and associated password. If the group name and
password are valid, the user becomes a member of the
group specified in the group access file
/etc/ftpd/ftpgroups by means of setegid(2). See
ftpgroups(4) for the format of the file. For this
option to work for anonymous FTP users, the
FTP Server must keep /etc/group permanently open and
load the group access file into memory. This means
that the FTP Server now has an additional file
descriptor open, and the necessary passwords and
access privileges granted to users by means of SITE
GROUP will be static for the duration of an FTP
session. If you have an urgent need to change the access
groups or passwords now, you have to kill all of the
running FTP Servers.
Informational Capabilities
The following informational capabilities are supported:
greeting full|brief|terse
greeting text message
The greeting command allows you to control how much
information is given out before the remote user logs
in. greeting full, which is the default greeting,
shows the hostname and daemon version. greeting
brief shows the hostname. greeting terse simply says
"FTP Server ready." Although full is the default,
brief is suggested.
The text form allows you to specify any greeting
message. message can be any string. Whitespace (spaces
and tabs) is converted to a single space.
banner path
The banner command operates similarly to the message
command, except that the banner is displayed before
the user enters the username. The path is relative
to the real system root, not to the base of the
anonymous FTP directory.
Use of the banner command can completely prevent non-
compliant FTP clients from making use of the FTP
Server. Not all clients can handle multi-line
responses, which is how the banner is displayed.
email name
Use this command to define the email address for the
FTP Server administrator. This string will be
printed every time the %E magic cookie is used in
message files.
hostname some.host.name
Defines the default host name of the FTP Server. This
string will be printed on the greeting message and
every time the %L magic cookie is used. The host
name for virtual servers overrides this value. If no host
name is specified, the default host name for the local
machine is used.
message path [when [class...]]
Define a file with path such that the FTP Server
will display the contents of the file to the user
at login time or upon using the change working
directory command. The when parameter may be LOGIN or
CWD=dirglob. If when is CWD=dirglob, dirglob
specifies the new default directory that will trigger the
notification. A dirglob of "*" matches all
directories.
The optional class specification allows the message
to be displayed only to members of a particular
class. More than one class may be specified.
"Magic cookies" can be present in path that cause the
FTP Server to replace the cookie with a specified text
string:
%T Local time. For example, Thu Nov 15 17:12:42
1990.
%F Free space in partition of CWD, in Kbytes.
%C Current working directory.
%E The email address for the FTP Server
administrator.
%R Remote host name.
%L Local host name.
%U Username given at login time.
%u Username as defined by means of RFC 931
authentication.
%M Maximum allowed number of users in this class.
%N Current number of users in this class.
The message is displayed only once to avoid annoying
the user. Remember that when messages are triggered by
an anonymous or guest FTP user, they must be relative
to the base of the anonymous or guest FTP directory
tree.
readme pathglob [when [class...]]
Define a file with pathglob such that the FTP Server
will notify the user at login time or upon using the
change working directory command that the file exists
and the date that it was modified. The when
parameter may be LOGIN or CWD=dirglob. If when is
CWD=dirglob, dirglob specifies the new default
directory that will trigger the notification. A dirglob of
"*" matches all directories. The message will only be
displayed once, to avoid bothering users. Remember
that when README messages are triggered by an
anonymous or guest FTP user, the pathglob must be
relative to the base of the anonymous or guest FTP
directory tree.
The optional class specification allows the message
to be displayed only to members of a particular class.
You can specify more than one class.
Logging Capabilities
The following logging capabilities are supported:
log commands typelist
Enables logging of the individual FTP commands sent by
users. typelist is a comma-separated list of any of
the keywords anonymous, guest, and real. Command
logging information is written to the system log.
log transfers typelist directions
Log file transfers made by FTP users to the xferlog(4)
file. Logging of incoming transfers to the server can
be enabled separately from outbound transfers from the
server. directions is a comma-separated list of any of
the two keywords inbound and outbound, and will
respectively cause transfers to be logged for files
sent to and from the server.
log security typelist
Enables logging of violations of security rules to
the system log, including, for example, noretrieve and
.notar.
log syslog
log syslog+xferlog
Redirect the logging messages for incoming and
outgoing transfers to syslog. Without this option the
messages are written to xferlog. When you specify
syslog+xferlog, the transfer log messages are sent to
both the system log file and the xferlog file.
Miscellaneous Capabilities
The following miscellaneous capabilities are supported:
alias string dir
Define an alias, string, for a directory. Use this
command to add the concept of logical directories.
For example: alias rfc: /pub/doc/rfc would allow the
user to access /pub/doc/rfc from any directory by the
command "cd rfc:". Aliases only apply to the cd
command.
cdpath dir
Define an entry in the cdpath. This command defines a
search path that is used when changing directories.
For example:
cdpath /pub/packages
cdpath /.aliases
would allow the user to move into any directory
directly under either the /pub/packages or the
/.aliases directories. The search path is defined by
the order in which the lines appear in the ftpaccess
file. If the user were to give the command ftp> cd foo,
the directory will be searched for in the following
order:
o ./foo
o an alias called foo
o /pub/packages/foo
o /.aliases/foo
The cdpath is only available with the cd command. If
you have a large number of aliases, you might want to
set up an aliases directory with links to all of the
areas you wish to make available to users.
compress yes|no classglob [classglob...]
tar yes|no classglob [classglob...]
Enable the use of conversions marked with the
O_COMPRESS, O_UNCOMPRESS, and O_TAR options in
/etc/ftpd/ftpconversions. See ftpconversions(4).
shutdown path
If the file pointed to by path exists, the server will
check the file regularly to see if the server is going
to be shut down. If a shutdown is planned, the user is
notified. New connections are denied after a
specified time before shutdown. Current connections are
dropped at a specified time before shutdown.
The format of the file specified by path is:
year month day hour minute deny_offset disc_offset text
year A value of 1970 or greater.
month A value of 0 to 11.
day A value of 1 to 31.
hour A value of 0 to 23.
minute
A value of 0 to 59.
deny_offset
disc_offset
The offsets in HHMM format that new connections
will be denied and existing connections will be
disconnected before the shutdown time.
text Follows the normal rules for any message. The
following additional magic cookies are available:
%s The time at which the system is going to
shut down.
%r The time at which new connections will be
denied.
%d The time at which current connections will
be dropped.
All times are in the form: ddd MMM DD hh:mm:ss YYYY.
Only one shutdown command can be present in the
configuration file. You can use the external program
ftpshut(1M) to automate generation of this file.
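The shutdown file format as an added Python example, not from the man page or from ftpshut; the file line is constructed. It computes the deny and disconnect times from the HHMM offsets, expands the %s, %r and %d cookies in the text, and writes a line back in the same form, including the 0-based month field:

```python
from datetime import datetime, timedelta

# Constructed sample file contents (the whole file is one line); not from the man page.
SHUTDOWN_FILE = ("2024 2 15 22 0 0030 0010 "
                 "Server going down at %s. New logins refused from %r, sessions dropped at %d.")

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # the ddd MMM DD hh:mm:ss YYYY form used for %s, %r and %d


def _offset(hhmm):
    """HHMM offset field to a timedelta."""
    if len(hhmm) != 4 or not hhmm.isdigit():
        raise ValueError(f"offset must be HHMM: {hhmm!r}")
    return timedelta(hours=int(hhmm[:2]), minutes=int(hhmm[2:]))


def parse_shutdown(line):
    """Return (shutdown_time, deny_offset, disconnect_offset, text) from a shutdown file line."""
    f = line.split(None, 7)
    if len(f) < 8:
        raise ValueError("expected: year month day hour minute deny_offset disc_offset text")
    year, month, day, hour, minute = (int(x) for x in f[:5])
    if not 0 <= month <= 11:
        raise ValueError("month is 0-11 in this file (0 is January)")
    shutdown_at = datetime(year, month + 1, day, hour, minute)   # datetime months are 1-12
    return shutdown_at, _offset(f[5]), _offset(f[6]), f[7]


def shutdown_schedule(line):
    """Return (shutdown, deny_new_from, disconnect_from, text with cookies expanded)."""
    at, deny, disc, text = parse_shutdown(line)
    deny_from, disc_from = at - deny, at - disc
    expanded = (text.replace("%s", at.strftime(TIME_FMT))
                    .replace("%r", deny_from.strftime(TIME_FMT))
                    .replace("%d", disc_from.strftime(TIME_FMT)))
    return at, deny_from, disc_from, expanded


def connection_state(line, now):
    """What the server does with connections at `now`: 'open', 'deny-new' or 'disconnect'."""
    _, deny_from, disc_from, _ = shutdown_schedule(line)
    if now >= disc_from:
        return "disconnect"
    if now >= deny_from:
        return "deny-new"
    return "open"


def format_shutdown_line(at, deny_off, disc_off, text):
    """Write a line in the file's own format, storing the month as 0-11 as the format requires."""
    return f"{at.year} {at.month - 1} {at.day} {at.hour} {at.minute} {deny_off} {disc_off} {text}"


if __name__ == "__main__":
    at, deny_from, disc_from, msg = shutdown_schedule(SHUTDOWN_FILE)
    print(at, deny_from, disc_from)   # 2024-03-15 22:00, 21:30 and 21:50: month 2 is March
    print(msg)
```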
daemonaddress address
Listen only on the IP address specified. If the value
is not set, then the FTP Server will listen for
connections on every IP address. This applies only when
the FTP Server is run in standalone mode.
virtual address root|banner|logfile path
Enable the FTP Server limited virtual hosting
capabilities. The address is the IP address of the virtual
server. The second argument specifies that the path is
either the path to the root of the filesystem for
this virtual server, the banner presented to the user
when connecting to this virtual server, or the logfile
where transfers are recorded for this virtual server.
If the logfile is not specified the default log file
will be used. All other message files and permissions
as well as any other settings in this file apply to
all virtual servers. The address may also be specified
as a hostname rather than as an IP number. This is
strongly discouraged since, if DNS is not available at
the time the FTP session begins, the hostname will
not be matched.
root|logfile path
In contrast to limited virtual hosting, complete
virtual hosting allows separate configuration files to be
virtual host specific. See ftpservers(4). The only
addition that is necessary in a virtual host's
ftpaccess file is the root directive, which ensures the
correct root directory is used for the virtual host.
This only works with complete virtual hosting, since
limited virtual hosting does not allow separate
configuration files to be specified for each virtual
host.
path is either the root of the filesystem for this
virtual server or the logfile where transfers for this
virtual server are recorded. root and logfile may only
be specified when not preceded by virtual address in a
virtual host's ftpaccess file.
virtual address hostname|email string
Set the hostname shown in the greeting message and
status command, or the email address used in message
files and on the HELP command, to the given string.
virtual address allow username [username...]
virtual address deny username [username...]
By default, real and guest users are not allowed to
log in on the virtual server, unless they are guests
that are chroot'd to the virtual root. The users
listed on the virtual allow line(s) are granted
access.
You can grant access to all users by giving '*' as
the username. The virtual deny clauses are processed
after the virtual allow clauses. Thus specific users
can be denied access although all users were allowed
in an earlier clause.
virtual address private
Deny log in access to anonymous users on the virtual
server. Anonymous users are generally allowed to log
in on the virtual server if this option is not
specified.
virtual address passwd file
Use a different passwd file for the virtual host.
virtual address shadow file
Use a different shadow file for the virtual host.
defaultserver deny username [username...]
defaultserver allow username [username...]
By default, all users are allowed access to the
non-virtual FTP Server. Use defaultserver deny to revoke
access for specific real and guest users. Specify '*'
to deny access to all users, except anonymous
users. Specific real and guest users can then be
allowed access by using defaultserver allow.
defaultserver private
By default, all users are allowed access to the
non-virtual FTP Server. Use defaultserver private to
revoke access for anonymous users.
The virtual and defaultserver allow, deny and
private clauses provide a means to control which
users are allowed access to which FTP Servers.
passive address externalip cidr
Allow control of the address reported in response to a
passive command. When any control connection
matching cidr requests a passive data connection
(PASV), the externalip address is reported. This does
not change the address that the daemon actually
listens on, only the address reported to the client.
This feature allows the daemon to operate correctly
behind IP renumbering firewalls. For example:
passive address 10.0.1.15 10.0.0.0/8
passive address 192.168.1.5 0.0.0.0/0
Clients connecting from the class-A network 10 will be
told the passive connection is listening on IP address
10.0.1.15 while all others will be told the connection
is listening on 192.168.1.5. Multiple passive addresses
may be specified to handle complex, or multi-gatewayed,
networks.
passive ports cidr min max
Allows control of the TCP port numbers which may be
used for a passive data connection. If the control
connection matches the cidr, a port in the range min
to max will be randomly selected for the daemon to
listen on. This feature allows firewalls to limit the
ports that remote clients may use to connect into the
protected network.
cidr is shorthand for an IP address followed by a
slash and the number of left-most bits that represent
the network address, as opposed to the machine
address. For example, if you are using the reserved
class-A network 10, instead of a netmask of 255.0.0.0,
use a CIDR of /8, as in 10.0.0.0/8, to represent
your network.
pasv-allow class [addrglob...]
port-allow class [addrglob...]
Normally, the FTP Server does not allow a PORT command
to specify an address different than that of the
control connection. Nor does it allow a PASV connection
from another address.
The port-allow clause provides a list of addresses
that the specified class of user may give on a PORT
command. These addresses will be allowed even if they
do not match the IP address of the client-side of the
control connection.
The pasv-allow clause provides a list of addresses
that the specified class of user may make data
connections from. These addresses will be allowed even if
they do not match the IP address of the client-side
of the control connection.
lslong command [options...]
lsshort command [options...]
lsplain command [options...]
Use the lslong, lsshort, and lsplain clauses to
specify the commands and options to use to generate
directory listings. The options cannot contain spaces,
and the default values for these clauses are generally
correct. Use lslong, lsshort, or lsplain only if
absolutely necessary.
mailserver hostname
Specify the name of a mail server that will accept
upload notifications for the FTP Server. Multiple
mail servers may be listed. The FTP Server will
attempt to deliver the upload notification to each, in
order, until one accepts the message. If no mail
servers are specified, localhost is used. This option
is only meaningful if anyone is to be notified of
anonymous uploads. See incmail.
incmail emailaddress
virtual address incmail emailaddress
defaultserver incmail emailaddress
Specify email addresses to be notified of anonymous
uploads. Multiple addresses can be specified. Each
will receive a notification. If no addresses are
specified, no notifications are sent.
If addresses are specified for a virtual host, only
those addresses will be sent notification of anonymous
uploads on that host. Otherwise, notifications will
be sent to the global addresses.
defaultserver addresses only apply when the FTP
session is not using one of the virtual hosts. In this
way, you can receive notifications for your default
anonymous area, but not see notifications to virtual
hosts that do not have their own notifications.
mailfrom emailaddress
virtual address mailfrom emailaddress
defaultserver mailfrom emailaddress
Specify the sender's email address for anonymous
upload notifications. Only one address may be
specified. If no mailfrom applies, email is sent from the
default mailbox name wu-ftpd. To avoid problems if
the recipient attempts to reply to a notification, or
if downstream mail problems generate bounces, you
should ensure the mailfrom address is deliverable.
Permission Capabilities
The following permission capabilities are supported:
chmod yes|no typelist
delete yes|no typelist
overwrite yes|no typelist
rename yes|no typelist
umask yes|no typelist
Allows or disallows the ability to perform the
specified function. By default, all real and guest
users are allowed. Anonymous users are only allowed
overwrite and umask.
typelist is a comma-separated list of any of the
keywords anonymous, guest, real and class=. When class=
appears, it must be followed by a classname. If any
class= appears, the typelist restriction applies only
to users in that class.
passwd-check none|trivial|rfc822 [enforce|warn]
Define the level and enforcement of password checking
done by the FTP Server for anonymous FTP.
none No password checking is performed.
trivial
The password must contain an '@'.
rfc822
The password must be RFC 822 compliant.
warn Warn, but permit the login.
enforce
Notify and deny the login.
deny-email case-insensitive-emailaddress
Consider the email address given as an argument as
invalid. If passwd-check is set to enforce,
anonymous users giving this address as a password
cannot log in. That way, you can stop users from having
stupid WWW browsers use fake addresses like IE?0User@
or mozilla@. (By using this, you are not shutting out
users using a WWW browser for ftp; you just
make them configure their browser correctly.) Only one
address is allowed per line, but you can have as many
deny-email addresses as you like.
path-filter typelist message allowed_regexp
[disallowed_regexp...]
For users in typelist, path-filter defines regular
expressions that control what characters can be used
in the filename of an uploaded file or created
directory. There may be multiple disallowed regular
expressions. If a filename is invalid due to failure
to match the regular expression criteria, message will
be displayed to the user. For example:
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
specifies that all upload filenames for anonymous users
must be made of only the characters A-Z, a-z, 0-9, and
"._-" and may not begin with a "." or a "-". If
the filename is invalid, /etc/pathmsg will be displayed
to the user.
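The path-filter check as an added Python example, not from the man page or the server. The first filter line follows the example above (with the dot in the disallowed pattern escaped as ^\.); the second shows what an unescaped ^. does, since in a regular expression it matches any first character:

```python
import re

# Constructed path-filter lines; not taken verbatim from the man page.
PATH_FILTER = r"path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-"
PATH_FILTER_UNESCAPED = r"path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^. ^-"


def parse_path_filter(line):
    """Parse 'path-filter typelist message allowed_regexp [disallowed_regexp...]'."""
    f = line.split()
    if len(f) < 4 or f[0] != "path-filter":
        raise ValueError("not a path-filter line")
    return {"typelist": f[1].split(","), "message": f[2],
            "allowed": re.compile(f[3]),
            "disallowed": [re.compile(p) for p in f[4:]]}


def filename_permitted(filt, user_type, name):
    """(accepted, message_file): the name must match allowed_regexp and none of the
    disallowed ones; message_file is set only when the name is rejected."""
    if user_type not in filt["typelist"]:
        return True, None                       # filter does not apply to this user type
    if not filt["allowed"].search(name):
        return False, filt["message"]
    if any(p.search(name) for p in filt["disallowed"]):
        return False, filt["message"]
    return True, None


def check_names(line, user_type, names):
    """Map each candidate filename to whether the filter accepts it."""
    filt = parse_path_filter(line)
    return {n: filename_permitted(filt, user_type, n)[0] for n in names}


if __name__ == "__main__":
    names = ["report-2024.txt", ".htaccess", "-rf", "../etc", "README"]
    print(check_names(PATH_FILTER, "anonymous", names))
    # The unescaped '^.' matches any non-empty name, so every upload is refused:
    print(check_names(PATH_FILTER_UNESCAPED, "anonymous", names))
```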
upload [absolute|relative] [class=classname]... [-]
root-dir dirglob yes|no owner group mode
[dirs|nodirs] [d_mode]
Define a directory with dirglob that permits or denies
uploads. If it does permit uploads, all newly created
files will be owned by owner and group and will have
their permissions set according to mode. Existing
files that are overwritten will retain their original
ownership and permissions. Directories are matched on
a best-match basis. For example:
upload /var/ftp * no
upload /var/ftp /incoming yes ftp daemon 0666
upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs
would only allow uploads into /incoming and
/incoming/gifs. Files that were uploaded to /incoming are
owned by ftp/daemon and have permissions of 0666. Files
uploaded to /incoming/gifs are owned by jlc/guest and have
permissions of 0600. The optional "dirs" and "nodirs"
keywords can be specified to allow or disallow the creation of
new subdirectories using the mkdir command. If the upload
command is used, directory creation is allowed by default.
To turn it off by default, you must specify a user, group
and mode followed by the "nodirs" keyword as the first
line where the upload command is used in this file. If
directories are permitted, the optional d_mode determines
the permissions for a newly created directory. If d_mode is
omitted, the permissions are inferred from mode. The
permissions are 0777 if mode is also omitted. The upload keyword
only applies to users who have a home directory of root-dir.
root-dir may be specified as "*" to match any home
directory. The owner or group may each be specified as "*", in
which case any uploaded files or directories will be
created with the ownership of the directory in which they
are created. The optional first parameter selects whether
root-dir names are interpreted as absolute or relative to
the current chroot'd environment. The default is to
interpret root-dir names as absolute. You can specify any
number of class=classname restrictions. If any are
specified, this upload clause only takes effect if the current
user is a member of one of the classes.
In the absence of any matching upload clause, real and
guest users can upload files and make directories, but
anonymous users cannot. The mode of uploaded files is
0666. For created directories, the mode is 0777. Both
modes are modified by the current umask setting.
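Best-match evaluation of upload clauses, as an added Python example that is not part of the man page or of the server. It assumes that "best match" means the longest dirglob that matches, that dirglobs are matched against the chroot-relative directory, and that an omitted d_mode adds execute wherever mode grants read; the absolute|relative prefix and class= restrictions are not modelled:

```python
import fnmatch

# Constructed sample upload clauses, modelled on the man page's example; the chroot
# root /var/ftp and the user/group names are illustrative.
UPLOAD_LINES = [
    "upload /var/ftp * no",
    "upload /var/ftp /incoming yes ftp daemon 0666",
    "upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs",
]


def parse_upload(line):
    """Parse 'upload root-dir dirglob yes|no [owner group mode] [dirs|nodirs] [d_mode]'."""
    f = line.split()
    if len(f) < 4 or f[0] != "upload":
        return None
    rule = {"root": f[1], "glob": f[2], "allow": f[3].lower() == "yes",
            "owner": None, "group": None, "mode": None, "dirs": True, "d_mode": None}
    rest = f[4:]
    if rule["allow"] and len(rest) >= 3:
        rule["owner"], rule["group"], rule["mode"] = rest[0], rest[1], int(rest[2], 8)
        rest = rest[3:]
    if rest and rest[0] in ("dirs", "nodirs"):
        rule["dirs"] = rest[0] == "dirs"
        rest = rest[1:]
    if rest:
        rule["d_mode"] = int(rest[0], 8)
    return rule


def inferred_dir_mode(mode):
    """d_mode when omitted. Assumption: execute is added wherever read is set (0666 -> 0777)."""
    return 0o777 if mode is None else mode | ((mode & 0o444) >> 2)


def upload_policy(rules, home_root, directory):
    """Effective clause for creating a file in `directory` (chroot-relative) by a user
    whose home directory is home_root. None when no clause matches."""
    best = None
    for r in rules:
        if r["root"] not in ("*", home_root):
            continue
        # Assumption: "best match" is the longest dirglob that matches the directory.
        if fnmatch.fnmatchcase(directory, r["glob"]):
            if best is None or len(r["glob"]) > len(best["glob"]):
                best = r
    if best is None:
        return None
    if not best["allow"]:
        return {"allow": False}
    return {"allow": True, "owner": best["owner"], "group": best["group"],
            "mode": best["mode"], "dirs": best["dirs"],
            "d_mode": best["d_mode"] if best["d_mode"] is not None
                      else inferred_dir_mode(best["mode"])}


RULES = [r for r in map(parse_upload, UPLOAD_LINES) if r]

if __name__ == "__main__":
    print(upload_policy(RULES, "/var/ftp", "/incoming"))        # ftp/daemon, 0o666, dirs allowed
    print(upload_policy(RULES, "/var/ftp", "/incoming/gifs"))   # jlc/guest, 0o600, no subdirs
    print(upload_policy(RULES, "/var/ftp", "/pub"))             # {'allow': False}
```

With no matching clause (for instance a home directory other than /var/ftp) the function returns None, which is the case the paragraph above describes: real and guest users may upload, anonymous users may not.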
throughput root-dir subdir-glob file-glob-list
bytes-per-second bytes-per-second-multiply remote-glob-list
Define files by means of a comma-separated file-glob-
list in subdir matched by subdir-glob under root-dir
that have restricted transfer throughput of bytes-
per-second on download when the remote hostname or
remote IP address matches the comma-separated remote-
glob-list. Entries are matched on a best-match basis.
For example:
throughput /e/ftp * * oo - *
throughput /e/ftp /sw* * 1024 0.5 *
throughput /e/ftp /sw* README oo - *
throughput /e/ftp /sw* * oo - *.foo.com
would set maximum throughput per default, but restrict
download to 1024 bytes per second for any files under
/e/ftp/sw/ that are not named README. The only
exceptions are remote hosts from within the domain foo.com
which always get maximum throughput. Every time a
remote client has retrieved a file under /e/ftp/sw/
the bytes per seconds of the matched entry line are
internally multiplied by a factor, here 0.5. When the
remote client retrieves its second file, it is served
with 512 bytes per second, the third time with only 256
bytes per second, the fourth time with only 128 bytes
per second, and so on. The string "oo" for the bytes
per second field means no throughput restriction. A
multiply factor of 1.0 or "-" means no change of the
throughput after every successful transfer. The root-
dir here must match the home directory specified in the
password database . The throughput keyword only
applies to users who have a home directory of root-dir.
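The selection and decay behaviour described above, as an added example that is not part of the man page or the FTP Server's own code. It assumes "best-match basis" means the last matching entry wins (which reproduces every outcome of the example) and that subdir is the file's directory relative to root-dir; the client hostnames are constructed.

```python
from fnmatch import fnmatch

# The four throughput entries from the man page example, as
# (root-dir, subdir-glob, file-glob-list, bytes-per-second, multiply, remote-glob-list).
RULES = [
    ("/e/ftp", "*",    "*",      "oo",   "-",   "*"),
    ("/e/ftp", "/sw*", "*",      "1024", "0.5", "*"),
    ("/e/ftp", "/sw*", "README", "oo",   "-",   "*"),
    ("/e/ftp", "/sw*", "*",      "oo",   "-",   "*.foo.com"),
]

def globs_match(name, glob_list):
    """True if name matches any glob in a comma-separated glob list."""
    return any(fnmatch(name, g) for g in glob_list.split(","))

def select_rule(rules, home, subdir, filename, remote):
    """Index of the entry governing this download, or None.
    Assumption: "best-match basis" is modelled as last matching entry wins,
    which reproduces every outcome the man page example describes. subdir is
    the file's directory relative to root-dir (e.g. "/sw").
    """
    chosen = None
    for i, (root, subglob, files, _rate, _mult, remotes) in enumerate(rules):
        if (root == home and fnmatch(subdir, subglob)
                and globs_match(filename, files) and globs_match(remote, remotes)):
            chosen = i
    return chosen

def next_rate(rules, hits, home, remote, subdir, filename):
    """Bytes per second for this download (None means "oo") and mark it done.

    hits counts completed downloads per matched entry so the multiply factor
    compounds: 1024, then 512, 256, 128 ... for the 0.5 entry above.
    """
    i = select_rule(rules, home, subdir, filename, remote)
    if i is None:
        return None
    rate, mult = rules[i][3], rules[i][4]
    n = hits.get(i, 0)
    hits[i] = n + 1                              # successful transfer recorded
    if rate == "oo":
        return None
    factor = 1.0 if mult == "-" else float(mult)
    return int(int(rate) * factor ** n)

def rates_for_sequence(home, remote, downloads, rules=RULES):
    """Rates one client sees over a sequence of (subdir, filename) downloads."""
    hits = {}
    return [next_rate(rules, hits, home, remote, s, f) for s, f in downloads]
```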
anonymous-root root-dir [class...]
root-dir specifies the chroot() path for anonymous users. If no anonymous-root is matched, the old method of parsing the home directory for the FTP user is used. If no class is specified, this is the root directory for anonymous users who do not match any other anonymous-root specification. Multiple classes may be specified on this line. If an anonymous-root is chosen for the user, the FTP user's home directory in the root-dir/etc/passwd file is used to determine the initial directory and the FTP user's home directory in the system-wide /etc/passwd is not used. For example:
anonymous-root /home/ftp
anonymous-root /home/localftp localnet
causes all anonymous users to be chroot'd to the directory /home/ftp. If the FTP user exists in /home/ftp/etc/passwd, their initial CWD is that home directory. Anonymous users in the class localnet, however, are chroot'd to the directory /home/localftp and their initial CWD is taken from the FTP user's home directory in /home/localftp/etc/passwd.
guest-root root-dir [uid-range...]
root-dir specifies the chroot() path for guest users. If no guest-root is matched, the old method of parsing the user's home directory is used. If no uid-range is specified, this is the root directory for guest users who do not match any other guest-root specification. Multiple UID ranges may be given on this line. If a guest-root is chosen for the user, the user's home directory in the root-dir/etc/passwd file is used to determine the initial directory and the home directory in the system-wide /etc/passwd is not used. uid-range specifies names or numeric UID values. To use numbers, put a % symbol before it or before the range. Ranges are specified by giving the lower and upper bounds (inclusive), separated by a dash. If the lower bound is omitted, it means all up to. If the upper bound is omitted, it means all starting from. For example:
guest-root /home/users
guest-root /home/staff %100-999 sally
guest-root /home/users/owner/ftp frank
causes all guest users to chroot() to /home/users then starts each user in the user's home directory, as specified in /home/users/etc/passwd. Users in the range 100 through 999, inclusive, and user sally, will be chroot'd to /home/staff and the CWD will be taken from their entries in /home/staff/etc/passwd. The single user frank will be chroot'd to /home/users/owner/ftp and the CWD will be from his entry in /home/users/owner/ftp/etc/passwd.
The order is important for both anonymous-root and
guest-root. If a user would match multiple clauses,
only the first applies; with the exception of the
clause which has no class or uid-range, which applies
only if no other clause matches.
deny-uid uid-range [uid-range...]
deny-gid gid-range [gid-range...]
allow-uid uid-range [uid-range...]
allow-gid gid-range [gid-range...]
Use these clauses to specify UID and GID values that
will be denied access to the FTP Server. The allow-uid
and allow-gid clauses may be used to allow access for
UID and GID values which would otherwise be denied.
These checks occur before all others. deny is checked
before allow. The default is to allow access. These
clauses do not apply to anonymous users. Use
defaultserver private to deny access to anonymous
users. In most cases, these clauses obviate the need
for an ftpusers(4) file. For example, the following
clauses deny FTP Server access to all privileged or
special users and groups, except the guest1 user or
group.
deny-gid %-99 nobody noaccess nogroup
deny-uid %-99 nobody noaccess nobody4
allow-gid guest1
allow-uid guest1
Support for the ftpusers file still exists, so it may
be used when changing the ftpaccess file is not
desired. In any place a single UID or GID is allowed
throughout the ftpaccess file, either names or numbers
also may be used. To use a number, put a '%' symbol
before it. In places where a range is allowed, put the
'%' before the range. A "*" matches all UIDs or GIDs.
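The uid-range syntax shared by guest-root and the deny-uid/allow-uid clauses, worked through as an added example (not the man page's or the FTP Server's own code). It parses the % forms above, applies deny before allow with allow as the default, and picks a guest-root with the no-range clause as fallback; the name-to-UID table is constructed and gives guest1 a UID below 100 so the allow-uid override has an effect.

```python
import re

# Constructed name -> UID table; guest1 gets a UID below 100 so allow-uid matters.
USERS = {"nobody": 60001, "noaccess": 60002, "nobody4": 65534, "guest1": 50,
         "sally": 1200, "frank": 1300, "dick": 1400, "jane": 1401}

def parse_uid_range(token, lookup=USERS.get):
    """Inclusive (low, high) for one uid-range token: '%' introduces numbers
    (%42, %100-999, %-99 = all up to 99, %100- = all starting from 100),
    otherwise a user name resolved via lookup(); '*' matches every UID."""
    if token == "*":
        return 0, float("inf")
    if not token.startswith("%"):
        uid = lookup(token)
        if uid is None:
            raise ValueError("unknown user %r in uid-range" % token)
        return uid, uid
    m = re.fullmatch(r"%(\d*)(-?)(\d*)", token)
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError("malformed uid-range %r" % token)
    low, dash, high = m.groups()
    if not dash:
        return int(low), int(low)
    return (int(low) if low else 0), (int(high) if high else float("inf"))

def in_ranges(uid, tokens):
    """True if uid falls inside any of the uid-range tokens."""
    return any(lo <= uid <= hi for lo, hi in map(parse_uid_range, tokens))

def uid_allowed(uid, deny_tokens, allow_tokens):
    """deny-uid is checked before allow-uid; the default is to allow."""
    return not in_ranges(uid, deny_tokens) or in_ranges(uid, allow_tokens)

def guest_root_for(uid, clauses):
    """First matching guest-root wins; the clause with no uid-range applies
    only when nothing else matches, so clause order matters."""
    fallback = None
    for root, tokens in clauses:
        if not tokens:
            fallback = fallback or root
        elif in_ranges(uid, tokens):
            return root
    return fallback

# The deny/allow and guest-root clauses quoted in the man page examples.
DENY_UID = ["%-99", "nobody", "noaccess", "nobody4"]
ALLOW_UID = ["guest1"]
GUEST_ROOTS = [("/home/users", []), ("/home/staff", ["%100-999", "sally"]),
               ("/home/users/owner/ftp", ["frank"])]
```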
restricted-uid uid-range [uid-range...]
restricted-gid gid-range [gid-range...]
unrestricted-uid uid-range [uid-range...]
unrestricted-gid gid-range [gid-range...]
These clauses control whether or not real or guest
users will be allowed access to areas on the FTP
site outside their home directories. These clauses
are not meant to replace the use of guestgroup and
guestuser. Instead, use these clauses to supplement
the operation of guests. The unrestricted-uid and
unrestricted-gid clauses may be used to allow users
outside their home directories who would otherwise be
restricted.
The following example shows the intended use for these
clauses. Assume user dick has a home directory
/home/dick and jane has a home directory /home/jane:
guest-root /home dick jane
restricted-uid dick jane
While both dick and jane are chroot'd to /home, they cannot access each other's files because they are restricted to their home directories. However, you should not rely solely upon the FTP restrictions to control access. As with all other FTP access rules, you should also use directory and file permissions to support the operation of the ftpaccess configuration.
site-exec-max-lines number [class...]
The SITE EXEC feature traditionally limits the number
of lines of output that may be sent to the remote
client. Use this clause to set this limit. If this
clause is omitted, the limit is 20 lines. A limit of 0
(zero) implies no limit. Be very careful if you
choose to remove the limit. If a clause is found
matching the remote user's class, that limit is used.
Otherwise, the clause with class '*', or no class
given, is used. For example:
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
limits output from SITE EXEC (and therefore SITE INDEX)
to 200 lines for remote users, specifies there is
no limit at all for local users, and sets a limit of 25
lines for all other users.
dns refuse_mismatch filename [override]
Refuse FTP sessions when the forward and reverse lookups for the remote site do not match. Display the named file, like a message file, admonishing the user. If the optional override is specified, allow the connection after complaining.
dns refuse_no_reverse filename [override]
Refuse FTP sessions when there is no reverse DNS entry for the remote site. Display the named file, like a message file, admonishing the user. If the optional override is specified, allow the connection after complaining.
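The decision both dns refuse clauses make, written out as an added example (not the FTP Server's code): a forward-confirmed reverse lookup, with the override flag turning a refusal into a warning. The DNS records and message file names are constructed placeholders; resolver results are injected so it runs offline.

```python
# Constructed DNS data: PTR (reverse) and A (forward) records for the sample clients.
# 192.0.2.20 has a PTR whose name resolves elsewhere: a forward/reverse mismatch.
PTR = {"192.0.2.10": "mirror.example.net", "192.0.2.20": "ftp.example.org"}
A = {"mirror.example.net": ["192.0.2.10"], "ftp.example.org": ["203.0.113.5"]}

def dns_policy(remote_ip, refuse_no_reverse=None, refuse_mismatch=None,
               ptr=PTR.get, a=A.get):
    """Apply the dns refuse_no_reverse / refuse_mismatch clauses to one session.

    Each clause is None (absent) or (message_file, override). Returns
    (accept, message_file): message_file is shown whenever a clause fires,
    and the session proceeds only if override was given.
    """
    name = ptr(remote_ip)
    if name is None:                       # no reverse entry at all
        if refuse_no_reverse is None:
            return True, None
        message, override = refuse_no_reverse
        return bool(override), message
    if remote_ip not in (a(name) or []):   # PTR name does not resolve back
        if refuse_mismatch is None:
            return True, None
        message, override = refuse_mismatch
        return bool(override), message
    return True, None                      # forward-confirmed reverse DNS
```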
dns resolveroptions [options]
The dns resolveroptions option allows you to adjust
name server options. The line takes a series of flags
as documented in resolver(3resolv), with the leading
RES_ removed. Each can be preceded by an optional +
or -. For example:
dns resolveroptions +aaonly -dnsrch
turns on the aaonly option (only accept authoritative
answers) and turns off the dnsrch option (search the
domain path).
Lines that begin with a # sign are treated as comment lines
and are ignored.
FILES
/etc/ftpd/ftpaccess
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWftpr |
|_____________________________|_____________________________|
SEE ALSO
compress(1), ls(1), tar(1), ftpaddhost(1M), ftpconfig(1M), ftpshut(1M), in.ftpd(1M), chroot(2), nice(2), umask(2), getgrnam(3C), resolver(3resolv), ftpconversions(4), ftpgroups(4), ftpservers(4), ftpusers(4), timezone(4), xferlog(4), attributes(5), fnmatch(5)
Crocker, David H. RFC 822, Standard For The Format Of ARPA
Internet Text Messages. Network Information Center. August
1982.
St. Johns, Michael. RFC 931, Authentication Server. Network
Working Group. January 1985.