ftpaccess(4)

Define class of users, with source addresses of the form addrglob. Multiple members of class may be defined. There may be multiple class commands, listing additional members of the class. If multiple class commands can apply to the current session, the first one listed in the access file is used. Failing to define a valid class for a host will cause access to be denied. typelist is a comma-separated list of any of the keywords anonymous, guest and real. If the real keyword is included, the class can match users using FTP to access real accounts, and if the anonymous keyword is included, the class can match users using anonymous FTP. The guest keyword matches guest access accounts (see guestgroup below for more information)

addrglob may be a globbed domain name or a globbed numeric address. There can be multiple addrglob's for this directive. To avoid confusion when you have multiple addrglob's, you can put all the addrglob's in a file and specify the path of the file in place of the addrglob's.

Placing an exclamation (!) before an addrglob negates the test. For example:

class rmtuser real !*.example.com

will classify real users from outside the example.com domain as the class rmtuser. Use care with this option. Remember, the result of each test is OR'ed with other tests on the line.

For guestgroup, if a real user is a member of any of groupname, the session is set up exactly as with anonymous FTP. In other words, a chroot() is done, and the user is no longer permitted to issue the USER and PASS commands. groupname is a valid group from /etc/group (or whatever mechanism your getgrent() library routine uses).

The user's home directory must be properly set up, exactly as anonymous FTP would be. The home directory field of the passwd entry is divided into two directories. The first field is the root directory which will be the argument to the chroot call. The second half is the user's home directory relative to the root directory. The two halves are separated by a /./.

Example:

In the /etc/passwd file, the sample entry is:

guest1:<passwd>:100:92:Guest Account:/ftp/./incoming:/etc/ftponly

When guest1 successfully logs in, the ftp server will chroot (/ftp) and then chdir (/incoming). The guest user will only be able to access the directory structure under /ftp (which will look and act as / to guest1), just as an anonymous FTP user would. The group name may be specified by either name or numeric ID. To use a numeric group ID, place a % before the number. Ranges may be given. Use an asterisk (*) to mean all groups.

guestuser works like guestgroup, except it uses the user name (or numeric ID).

realuser and realgroup have the same syntax, but reverse the effect of guestuser and guestgroup. They allow real user access when the remote user would otherwise be determined a guest. For example:

guestuser *

realgroup admin

causes all non-anonymous users to be treated as guest, with the sole exception of users in the admin group who are granted real user access.

Set the TCP SO_KEEPALIVE option for data sockets. keepalive can be used to control network disconnect. yes means to set the TCP SO_KEEPALIVE option. With no, the behavior depends on the system default settings (see ndd(1M)).

NOTE: It is recommended to set keepalive to yes to keep the network traffic connected.

Set various timeouts.

accept [seconds] (default 120 seconds). Specify how long the daemon will wait for an incoming (PASV) data connection.

connect [seconds] (default 120 seconds). Specify how long the daemon will wait attempting to establish an outgoing (PORT) data connection. This affects the actual connection attempt. The daemon makes several attempts, sleeping a while between each, before completely giving up.

data [seconds] (default 1200 seconds). Specify how long the daemon will wait for some activity on the data connection. It is recommended to keep this value high, because the remote client may have a slow link and there can be quite a bit of data queued for the client.

idle [seconds] (default 900 seconds). Specify how long the daemon will wait for the next command. The default value (900 seconds) can be overridden by using the -t option of ftpd (see ftpd(1M)). If idle is specified, that value will override both the default value as well as the value set with -t option of ftpd. The SITE IDLE ftpd command allows the remote client to establish a higher value for the idle timeout. An idle value of 0 implies that there is no idle timeout period and the control connection is set to an infinite idle timeout period. If idle is set to a value more than maxidle (see the maxidle option), idle will be set to the maxidle value.

maxidle [seconds] (default 7200 seconds). Specify the the maximum number of seconds for the idle timeout. The default value (7200 seconds) can be overridden by using the -T option of ftpd (see ftpd(1M)). If maxidle is specified, that value will override both the default value as well as the value set with -T option of ftpd. A maxidle value of 0 implies that there is no maximum idle timeout period and the control connection is set to an infinite idle timeout period.

RFC931 [seconds] (default 10 seconds). Specify the maximum time that the daemon allows for the entire RFC931 (AUTH/ident) conversation. Setting this to zero (0) seconds completely disables the daemon's use of this protocol. The information obtained via RFC931 is recorded in the system logs and is not actually used in any authentication.

Specify the number of bytes after which the data connection idle time is reset, in case of an ASCII mode file transfer (see timeout data above for more information). The number specified must be a positive power of 2. By default, the number is set to 4096 bytes.

NOTE: If the specified number is smaller than 4096 bytes, ftpd will take the default value (4096 bytes). If the specified number is too large, a premature closure of the data connection may be encountered.

Always deny retrievability of these files. If the files are an absolute path specification (that is, begins with / character), then only those files are marked unretrievable. Otherwise all files with the matching filename are refused transfer. Example:

noretrieve /etc/passwd core

specifies that no one is able to get the file /etc/passwd, whereas they are allowed to transfer a file, passwd, if it is not in /etc. On the other hand, no one is able to get a file named core wherever it is.

Directory specifications mark all files and sub-directories in the named directory as "un-gettable" or not obtainable. The filename may be specified as a file glob. For example:

noretrieve /etc /home/*/.htaccess

specifies that no files in /etc or any of its sub-directories may be retrieved. Also, no files named .htaccess anywhere under the /home directory may be retrieved.

The optional first parameter selects whether names are interpreted as absolute or relative to the current chroot'd environment. The default is to interpret names beginning with a slash as absolute.

The noretrieve restrictions may be placed upon members of particular classes. If any class= is specified, then this option is set only for the users of that particular class.

After a user logs in, the SITE GROUP and SITE GPASS ftpd commands may be used to specify an enhanced access group and associated password. If the group name and password are valid, the user becomes (via setgid()) a member of the group specified in the group access file, /etc/ftpd/ftpgroups.

The format of the group access file is:

access_group_name:encrypted_password:real_group_name

where access_group_name is an arbitrary (alphanumeric and punctuation) string. encrypted_password is the password encrypted via crypt() (see crypt(3C)) exactly like in /etc/passwd. real_group_name is the name of a valid group listed in /etc/group.

NOTE: For this option to work for anonymous FTP users, the ftp server must keep /etc/group permanently open and the group access file is loaded into memory. This means that: (1) the ftp server now has an additional file descriptor open, and (2) the necessary passwords and access privileges granted to users via SITE GROUP (see ftpd(1M)) will be static for the duration of an FTP session. If you have an urgent need to change the access groups and/or passwords now (immediately), just kill all of the running FTP servers.

Allows you to control how much information is given out before the remote user logs in. greeting full is the default and shows the hostname and daemon version. greeting brief shows the hostname. greeting terse only displays the message "FTP server ready." Also, this message is printed as the output of the STAT command. Although full is the default, brief is recommended.

NOTE: The two options suppresshostname and suppressversion, are not supported. The greeting option can be used to suppress the hostname or the daemon version.

The greeting text message form allows you to specify any greeting message you desire. The message can be any string; whitespace (spaces and tabs) is converted to a single space.

Works similarly to the message command (see below), except that the banner is displayed before the user enters the username and password. The path is relative to the real system root, not the base of the anonymous FTP directory.

WARNING: use of this command can completely prevent non-compliant FTP clients from making use of the FTP server. Not all clients can handle multi-line responses (which is how the banner is displayed).

Define a file with path such that ftpd will display the contents of the file to the user at login time or upon using the change working directory command. The when parameter may be LOGIN or CWD=dir. If when is CWD=dir, dir specifies the new default directory which will trigger the notification.

The optional class specification allows the message to be displayed only to members of a particular class. More than one class may be specified.

In the message file, the user can key in a message and use the "macros" or "magic cookies" that are available. The ftp server will replace the cookie with a specified text string. The following magic cookies are available:

The message will only be displayed once to avoid annoying the user. Remember that when messages are triggered by an anonymous FTP user, the path must be relative to the base of the anonymous FTP directory tree.

Define a file with path such that ftpd will notify user at login time or upon using the change working directory command that the file exists and was modified on such-and-such date. The when parameter may be LOGIN or CWD=<dir>. If when CWD=<dir>, dir specifies the new default directory which will trigger the notification. The message will only be displayed once, to avoid bothering users. Remember that when README messages are triggered by an anonymous FTP user, the path must be relative to the base of the anonymous FTP directory tree.

The optional class specification allows the message to be displayed only to members of a particular class. More than one class may be specified.

All files in the directory dirname and its subdirectories can be downloaded freely ignoring the ratio. See ul-dl-rate above.

Note that both dl-free and dl-free-dir are relative to the system's root environment, not the chroot environment.

Defines an alias, string, for the specified directory, dir. Can be used to add the concept of logical directories.

For example:

alias rfc /pub/doc/rfc

would allow the user to access /pub/doc/rfc from any directory by the command cd rfc:. Aliases only apply to the cd command.

Defines a directory entry in the cdpath. dir defines a search path that is used when changing directories.

For example:

cdpath /pub/packages

cdpath /.aliases

would allow the user to cd into any directory directly under /pub/packages or /.aliases directories. The search path is defined by the order in which the lines appear in the /etc/ftpd/ftpaccess file.

If the user were to give the command:

cd foo

The directory will be searched for in the following order:

If the file pointed to by path exists, the server will check the file regularly to see if the server is going to be shut down. If a shutdown is planned, the user is notified, new connections are denied after a specified time before shutdown and current connections are dropped at a specified time before shutdown. path points to a file structured as follows:

year month day hour minute deny_offset disc_offset

text

deny_offset and disc_offset are the offsets in HHMM format before the shutdown time that new connections will be denied and existing connections will be disconnected.

text follows the normal rules for any message (see message in the Informational Capabilities subsection), with the following additional magic cookies available:

All times are in the form: ddd MMM DD hh:mm:ss YYYY. There can be only one shutdown command in the configuration file.

The external program ftpshut can be used to automate the process of generating this file.

Enables the virtual ftp server capabilities. The address is the IP address of the virtual server. The second argument specifies that the path is one of the following:

All other message files and permissions as well as any other settings in this file apply to all virtual servers.

The address may also be specified as the hostname rather than the IP number. This is strongly discouraged because if DNS is not available at the time the FTP session begins, the hostname will not be matched.

The above options must be used in the /etc/ftpd/ftpaccess file only and not in the virtual domain ftpaccess file.

Sets string to either the hostname shown in the greeting message and STAT command, or to the email address used in message files and on the HELP command.

The above options must be used in the /etc/ftpd/ftpaccess file only and not in the virtual domain ftpaccess file.

Normally, real and guest users are not allowed to log in on the virtual server unless they are guests and chroot'd to the virtual root. The users listed on the virtual allow line(s) will be granted access. All users can be granted access by giving * as the username. The virtual deny clauses are processed after the virtual allow clauses and are used to deny access to specific users when all users were allowed.

The above options can be used in both the /etc/ftpd/ftpaccess file and in the virtual domain ftpaccess file.

Normally, anonymous users are allowed to log in on the virtual server. This option denies them access.

The above option must be used in the /etc/ftpd/ftpaccess file only and not in the virtual domain ftpaccess file.

Use a different passwd file for the virtual domain.

Note: This option is currently not supported in HP-UX.

Use a different shadow file for this virtual domain.

Note: This option is currently not supported in HP-UX.

Normally, anonymous users are allowed on the default (non-virtual) FTP server. This statement disallows anonymous access.

The virtual and defaultserver allow, deny, and private clauses provide a means to control which users are allowed access on which FTP servers.

Allows control of the address reported in response to a PASV command. When any control connection matching the cidr requests a passive data connection (PASV), the externalip address is reported.

NOTE: this does not change the address that the daemon actually listens on, only the address reported to the client. This feature allows the daemon to operate correctly behind IP-renumbering firewalls. For example:

passive address 10.0.1.15 10.0.0.0/8

passive address 192.168.1.5 0.0.0.0/0

Clients connecting from the class-A network 10 will be told the passive connection is listening on IP-address 10.0.1.15 while all others will be told the connection is listening on 192.168.1.5.

Multiple passive addresses may be specified to handle complex, or multi-gatewayed, networks.

Note: This option is not supported on IPv6 enabled systems.

Allows control of the TCP port numbers which may be used for a passive data connection. If the control connection matches the cidr, a port in the range min to max will be randomly selected for the daemon to listen on. This feature allows firewalls to limit the ports which remote clients may use to connect into the protected network.

cidr is shorthand for an IP address in dotted-quad notation followed by a slash and the number of left-most bits which represent the network address (as opposed to the machine address). For example, if you are using the reserved class-A network 10, instead of a netmask of 255.0.0.0, use a cidr of /8 as in 10.0.0.0/8 to represent your network.

Note: This option is not supported on IPv6 enabled systems.

Normally, the daemon does not allow a PORT command to specify an address different than that of the control connection. And it does not allow a PASV connection from another address.

The port-allow clause provides a list of addresses which the specified class of user may give on a PORT command. These addresses will be allowed even if they do not match the IP-address of the client-side of the control connection.

The pasv-allow clause provides a list of addresses which the specified class of user may make data connections from. These addresses will be allowed even if they do not match the IP-address of the client-side of the control connection.

Specify email addresses to be notified of anonymous uploads. Multiple addresses can be specified; each will receive a notification. If none are specified, no notifications are sent.

If addresses are specified for a virtual host, only those addresses will receive notification up anonymous uploads on that host. Otherwise, notifications will be sent to the global addresses.

The above virtual option must be used in the /etc/ftpd/ftpaccess file only and not in the virtual domain ftpaccess file.

The defaultserver addresses only apply to real hosts and not virtual hosts. In this way, the real host can receive notifications of uploads on their default anonymous area. However, with this option set, the virtual hosts will not be notified.

Specify the sender's email address for anonymous upload notifications. Only one address may be specified. If no mailfrom applies, email is sent from the default mailbox name wu-ftpd. To avoid problems if the recipient attempts to reply to a notification, or if downstream mail problems generate bounces, you should ensure the mailfrom emailaddress is deliverable.

The above virtual option must be used in the /etc/ftpd/ftpaccess file only and not in the virtual domain ftpaccess file.

Allows or disallows the ability to perform the specified function. By default, all users are allowed.

typelist is a comma-separated list of any of the keywords anonymous, guest, real and class=. When class= appears, it must be followed by a classname. If any class= appears, the typelist restriction applies only to users in that class.

For users in typelist, path-filter defines regular expressions that control what a filename can or cannot be. Disallowed regular expressions, disallowed_regexp, may be specified with multiple regular expressions (see regexp(5)). If a filename is invalid due to failure to match the regular expression criteria, mesg will be displayed to the user. For example:

path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

specifies that all upload filenames for anonymous users must be made of only the characters A-Z, a-z, 0-9, period (.), dash (-), and underscore (_). The filenames may not begin with a period (.) or a dash (-) as specified by ^\. and ^- respectively. If the filename is invalid, /etc/pathmsg will be displayed to the user.

Define a directory with dirglob that permits or denies uploads.

If it does permit uploads, all newly created files will be owned by owner and group and will have the permissions set according to mode. Existing files which are overwritten will keep their original ownership and permissions.

Directories are matched on a best-match basis.

For example:

upload /var/ftp * no

upload /var/ftp /incoming yes ftp daemon 0666

upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs

These upload commands would only allow uploads into /incoming and /incoming/gifs. Files that were uploaded to /incoming would be owned by ftp/daemon and would have permissions of 0666. File uploaded to /incoming/gifs would be owned by jlc/guest and have permissions of 0600. Note that the root-dir here must match the home directory specified in the password database for the ftp user.

The optional dirs and nodirs keywords can be specified to allow or disallow the creation of new subdirectories using the mkdir command.

Note that if the upload command is used, directory creation is allowed by default. To turn it off by default, you must specify a user, group and mode followed by the nodirs keyword as the first line where the upload command is used in this file.

If directories are permitted, the optional d_mode determines the permissions for a newly created directory. If d_mode is omitted, the permissions are inferred from mode or are 0777 if mode is also omitted.

upload only applies to users who have a home directory (the argument to the chroot()) of root-dir. root-dir may be specified as * to match any home directory.

The owner and/or group may each be specified as *, in which case any uploaded files or directories will be created with the ownership of the directory in which they are created.

The optional first parameter selects whether root-dir names are interpreted as absolute or relative to the current chroot'd environment. The default is to interpret root-dir names as absolute.

You can specify any number of class=classname restrictions. If any are specified, this upload clause only takes effect if the current user is a member of one of the classes.

root-dir specifies the chroot() path for anonymous users. If no anonymous-root is matched, the old method of parsing the home directory for the ftp user is used. If no class is specified, root-dir is the root directory for anonymous users who do not have any other anonymous-root specification. Multiple classes may be given on the line. If an anonymous-root is chosen for the user, the ftp user's home directory in the root-dir/etc/passwd file is used to determine the initial directory, and the ftp user's home directory in the system-wide /etc/passwd is not used. For example:

anonymous-root /home/ftp

anonymous-root /home/localftp localnet

causes all anonymous users to be chroot()'d to the directory /home/ftp. Then, if the ftp user exists in /home/ftp/etc/passwd, their initial CWD is that home directory. Anonymous users in the class localnet, however, are chroot()'d to the directory /home/localftp, and their initial CWD is taken from the ftp user's home directory in /home/localftp/etc/passwd.

root-dir specifies the chroot() path for guest users. If guest-root is not matched, the old method of parsing the user's home directory is used. If no uid-range is specified, the root directory is for guest users who do not match any other guest-root specification. Multiple uid ranges may be given on the line. If a guest-root is chosen for the user, the user's home directory in the root-dir/etc/passwd file is used to determine the initial directory and their home directory in the system-wide /etc/passwd is not used.

uid-range specifies numeric UID values. Ranges are specified by giving the lower and upper bounds (inclusive), separated by a dash. Omitting the lower bound means "all up to", and omitted the upper bound means "all starting from". For example:

guest-root /home/users guest-root /home/staff %100-999 sally

guest-root /home/users/frank/ftp frank

causes all guest users to chroot() to /home/users then starts each user in their home directory specified in /home/users/etc/passwd. Users in the range 100 through 999, inclusive, and user sally, will be chroot()'d to /home/staff and the CWD will be taken from their entries in /home/staff/etc/passwd. The single user frank will be chroot()'d to /home/users/owner/ftp and the CWD will be from his entry in /home/users/owner/ftp/etc/passwd.

Note that order is important for both anonymous-root and guest-root. If a user would match multiple clauses, only the first applies; with the exception of the clause which has no class or uid-range, which applies only if no other clause matches.

These clauses allow specification of UID and GID values which will be denied access to the ftp server. The allow-uid and allow-gid clauses may be used to allow access for uid/gid which would otherwise be denied. These checks occur before all others. Deny is checked before allow. The default is to allow access. Note that in most cases, this can remove the need for an /etc/ftpd/ftpusers files. For example:

deny-gid %-99 %65535 deny-uid %-99 %65535

allow-gid ftp

allow-uid ftp

denies ftp access to all privileged or special users and groups on a Linux box except the anonymous ftp user/group. In many cases, this can eliminate the need for the /etc/ftpd/ftpusers file. Support for that file still exists so it may be used when changing /etc/ftpd/ftpaccess is not desired.

Throughout the ftpaccess file, at any place that a single UID or GID is allowed, either names or numbers may be used. To use numbers, put a % before it. In places where a range is allowed, put the % before the range.

These clauses control whether or not real or guest users will be allowed access to areas on the FTP site outside their home directories. They are not meant to replace the use of guestgroup and guestuser. Instead, use these to supplement the operation of guests. The unrestricted-uid and unrestricted-gid clauses may be used to allow users outside their home directories who would otherwise be restricted.

An example of the use of these clauses shows their intended use. Assume user dick has a home directory /home/dick and jane has a home directory /home/jane:

guest-root /home dick jane

restricted-uid dick jane

While both dick and jane are chroot'd to /home, they cannot access each other's files because they are restricted to their home directories.

Wherever possible, in situations such as this example, try not to rely solely upon the ftp restrictions. As with all other ftp access rules, try to use directory and file permissions to backstop the operation of the ftpaccess configuration.

The SITE EXEC feature traditionally limits the number of lines of output which may be sent to the remote client. This clause allows you to set this limit. If omitted, the limit is 20 lines. A limit of 0 (zero) implies no limit. Be very careful if you choose to remove the limit. If a clause is found matching the remote user's class, that limit is used. Otherwise, the clause with class *, or no class given, is used. For example:

site-exec-max-lines 200 remote

site-exec-max-lines 0 local

site-exec-max-lines 25

The above examples limit output from SITE EXEC (and therefore SITE INDEX) to 200 lines for remote users, specifies there is no limit at all for local users, and sets a limit of 25 lines for all other users.

dns resolveroptions allows you to tweak name server options. The line takes a series of flags as documented in resolver(3N) (with the leading RES_ removed). Each can be preceded by an optional + or -. For example,

dns resolveroptions +aaonly -dnsrch

turns on the aaonly option (only accept authoritative answers) and turns off the dnsrch option (search the domain path).