ftpaccess(4) File Formats ftpaccess(4)NAMEftpaccess - FTP Server configuration file
SYNOPSIS
/etc/ftpd/ftpaccess
DESCRIPTION
The ftpaccess file is used to configure the operation of the FTP
Server.
Access Capabilities
The following access capabilities are supported:
autogroup groupname class class...
If an anonymous user is a member of any of class, the FTP Server
performs a setegid(2) to groupname. This allows access to group and
owner read-only files and directories to a particular class of
anonymous users. groupname is a valid group returned by getgr‐
nam(3C).
class class typelist addrglobaddrglob...
Define class of users, with source addresses of the form addrglob.
Multiple members of class may be defined. There may be multiple
class commands listing additional members of the class. If multiple
class commands can apply to the current session, the first one
listed in the access file is used. If a valid class for a host is
not defined, access is denied. typelist is a comma-separated list
of any of the keywords anonymous, guest, and real. If the real key‐
word is included, the class can match users using FTP to access
real accounts. If the anonymous keyword is included the class can
match users using anonymous FTP. The guest keyword matches guest
access accounts.
addrglob may be a globbed domain name or a globbed numeric IPv4
address. It may also be the name of a file, starting with a slash
('/'), which contains additional address globs. IPv4 numeric
addresses may also be specified in the form address:netmask or
address/CIDR. IPv6 numeric addresses can only be specified with an
optional CIDR, not using globs or netmasks.
Placing an exclamation (!) before an addrglob negates the test. For
example,
class rmtuser real !*.example.com
classifies real users from outside the example.com domain as the
class rmtuser. Use care with this option. Remember, the result of
each test is OR'ed with other tests on the line.
deny addrglob [message_file]
Deny access to host(s) that match addrglob and display mes‐
sage_file. If the value of addrglob is !nameserved access to sites
without a working nameservers is denied. message_file may contain
magic cookies. See message for more details.
guestgroup groupname groupname...
guestuser username username...
realgroup groupname groupname...
realuser username username...
For guestgroup, if a real user is a member of any groupname, the
session is set up like anonymous FTP. groupname is a valid group
returned by getgrnam(3C). The user's home directory must be set up
exactly as anonymous FTP would be. The home directory field of the
passwd entry is divided into two directories. The first field is
the root directory that is the argument to the chroot(2) call. The
second field is the user's home directory, relative to the root
directory. Use a "/./" to separate the two fields. For example, the
following is the real entry in /etc/passwd:
guest1:x:100:92:Guest FTP:/export/home/guests/./guest1:/bin/true
When guest1 successfully logs in, the FTP Server performs a
chroot() to /export/home/guests and then chdir(2) to /guest1. The
guest user is only able to access the directory structure under
/export/home/guests, which looks and act as / to guest1, just as an
anonymous FTP user would. The d option to ftpconfig(1M) is useful
when creating guest FTP user accounts. The group name may be speci‐
fied by either name or numeric ID. To use a numeric group ID, place
a percent sign (%) before the number. You can give ranges. Use an
asterisk to indicate all groups. guestuser works like guestgroup,
except that it uses the user name or numeric ID. realuser and real‐
group have the same syntax, but they reverse the effect of gues‐
tuser and guestgroup. They allow real user access when the remote
user would otherwise be determined a guest.
guestuser *
realgroup admin
causes all non-anonymous users to be treated as guest, with the
sole exception of users in the admin group, who are granted real
user access.
nice nice-delta class
Adjust the process nice value of the FTP server process by the
indicated nice-delta value if the remote user is a member of the
named class. If class is not specified, then use nice-delta as the
default adjustment to the FTP server process nice value. This
default nice value adjustment is used to adjust the nice value of
the server process only for those users who do not belong to any
class for which a class-specific nice directive exists in the
ftpaccess file.
defumask umask class
Set the umask applied to files created by the FTP server if the
remote user is a member of the named class. If class is not speci‐
fied, then use the umask as the default for classes that do not
have one specified.. The mode of files created may be specified by
using the upload directive.
tcpwindow size class
Set the TCP window size (socket buffer size) for the data connec‐
tion. Use this to control network traffic. For instance, slow PPP
dialin links may need smaller TCP windows to speed up throughput.
If you do not know what this does, do not set it.
ipcos control|data value [typelist]
Set the IP Class of Service for either the control or data connec‐
tion.
For connections using AF_INET type sockets, this sets the Type of
Service field in the IP header to the value specified.
For connections using AF_INET6 type sockets, this sets the Traffic
Class field in the IP header to the value specified.
When configured through inetd.conf(4), the socket type is con‐
trolled by the protocol field of the ftp service. When running in
standalone mode the default socket type is AF_INET6. The
in.ftpd(1M) 4 option selects AF_INET.
typelist is a comma-separated list of any of the keywords anony‐
mous, guest, real, and class=. When class= appears, it must be fol‐
lowed by a class name.
keepalive yes|no
Set the TCP SO_KEEPALIVE option for control and data sockets. This
can be used to control network disconnect. If yes, then set it. If
no, then use the system default (usually off). You probably want to
set this.
timeout accept seconds
timeout connect seconds
timeout data seconds
timeout glob seconds
timeout idle seconds
timeout maxidle seconds
timeout RFC931 seconds
Set various timeout conditions.
accept How long the FTP Server waits for an incoming (PASV)
data connection. The default is 120 seconds.
connect How long the FTP Server waits and attempts to establish
an outgoing (PORT) data connection. This effects the
actual connection attempt. The daemon makes several
attempts, sleeping between each attempt, before giving
up. The default is 120 seconds.
data How long the FTP Server waits for some activity on the
data connection. You should keep this long because the
remote client may have a slow link, and there can be
quite a bit of data queued for the client. The default
is 1200 seconds.
glob How long the FTP server generates pathnames matching a
pattern from wild cards. The default is 120 seconds.
idle How long the FTP Server waits for the next command. The
default is 900 seconds. The default can also be overrid‐
den by using the t option at the command-line. This
access clause overrides both.
maxidle The SITE IDLE command allows the remote client to estab‐
lish a higher value for the idle timeout. The maxidle
clause sets the upper limit that the client may request.
The default can also be overridden by using the T option
at the command-line. This access clause overrides both.
The default is 7200 seconds.
RFC931 The maximum time the FTP server allows for the entire
RFC931 (AUTH/ident) conversation. Setting this to zero
(0) disables the server's use of this protocol. The
information obtained by means of RFC931 is recorded in
the system logs and is not actually used in any authen‐
tication. The default is 10 seconds.
file-limit raw in|out|total count class
Limit the number of data files a user in the given class may trans‐
fer. The limit may be placed on files in, out, or total. If no
class is specified, the limit is the default for classes which do
not have a limit specified. The optional parameter raw applies the
limit to the total traffic rather than just data files.
data-limit [raw] in|out|total count [class]
Limit the number of data bytes a user in the given class may trans‐
fer. The limit may be placed on bytes in, out, or total. If no
class is specified, the limit is the default for classes which do
not have a limit specified. Note that once it has been exceeded,
this limit prevents transfers, but it does not terminate a transfer
in progress. The optional parameter raw applies the limit to total
traffic rather than just data files.
limit-time *|anonymous|guest minutes
Limit the total time a session can take. By default, there is no
limit. Real users are never limited.
guestserver [hostname...]
Control which hosts may be used for anonymous access. If used with‐
out hostname, all anonymous access is denied to this site. More
than one hostname may be specified. Anonymous access are only
allowed on the named machines. If access is denied, the user is
asked to use the first hostname listed.
limit class n times [message_file]
Limit class to n users at times times, displaying message_file if
the user is denied access. A limit check is performed at login time
only. If multiple limit commands can apply to the current session,
the first applicable one is used. Failing to define a valid limit,
or a limit of -1, is equivalent to no limits. The format of times
is:
day[day...][time-range][|day[day...][time-range]]...
The value of day can be Su, Mo, Tu, We, Th, Fr, Sa, Wk (for any
weekday Monday through Friday), or Any. time-range is in 24-hour
clock notation. If a time range is not specified, any time of the
day is matched. Multiple day and time-range may be specified by the
"|" symbol. For example, Wk1730-0900|Sa|Su specifies 5:30 p.m. to
9:00 a.m., Monday through Friday, and anytime on weekends. mes‐
sage_file may contain magic cookies. See message for more details.
noretrieve [absolute|relative]
[class=classname...][-] filename [filename...]
Always deny retrievability of these files. If filename specifies a
pathname that begins with '/' character, then only those files are
marked no retrieve. Otherwise all files that match the filename are
refused transfer. For example, noretrieve /etc/passwd core speci‐
fies no one is able to retrieve the /etc/passwd file. You are
allowed to transfer any file named passwd that is not in /etc.
On the other hand, no one is able to get files named core, wherever
they are. Directory specifications mark all files and subdirecto‐
ries in the named directory unretrievable. The filename may be
specified as a file glob. For example,
noretrieve /etc /home/*/.htaccess
specifies that no files in /etc or any of its subdirectories may be
retrieved. Also, no files named .htaccess anywhere under the /home
directory may be retrieved. The optional first parameter selects
whether names are interpreted as absolute or relative to the cur‐
rent chroot'd environment. The default is to interpret names begin‐
ning with a slash as absolute. The noretrieve restrictions may be
placed upon members of particular classes. If any class= is speci‐
fied, the named files cannot be retrieved only if the current user
is a member of one of the given classes.
allow-retrieve [absolute|relative]
[class=classname...][-] filename [filename...]
Allows retrieval of files which would otherwise be denied by nore‐
trieve.
loginfails number
After number login failures, log a repeated login failures message
and terminate the FTP connection. The default value for number is
5.
private yes | no
Allow or deny use of the SITE GROUP and SITE GPASS commands after
the user logs in. The SITE GROUP and SITE GPASS commands specify an
enhanced access group and associated password. If the group name
and password are valid, the user becomes a member of the group
specified in the group access file /etc/ftpd/ftpgroups by means of
setegid(2). See ftpgroups(4) for the format of the file. For this
option to work for anonymous FTP users, the FTP Server must keep
/etc/group permanently open and load the group access file into
memory. This means that the FTP Server now has an additional file
descriptor open, and the necessary passwords and access privileges
granted to users by means of SITE GROUP is static for the duration
of an FTP session. If you have an urgent need to change the access
groups or passwords now, you have to kill all of the running FTP
Servers.
Informational Capabilities
The following informational capabilities are supported:
greeting full|brief|terse
greeting text message
The greeting command allows you to control how much information is
given out before the remote user logs in. greeting full, which is
the default greeting, shows the hostname and daemon version. greet‐
ing brief shows the hostname. greeting terse simply says FTP Server
ready. Although full is the default, brief is suggested.
The text form allows you to specify any greeting message. message
can be any string. Whitespace (spaces and tabs) is converted to a
single space.
banner path
The banner command operates similarly to the message command,
except that the banner is displayed before the user enters the
username. The path is relative to the real system root, not to the
base of the anonymous FTP directory.
Use of the banner command can completely prevent non-compliant FTP
clients from making use of the FTP Server. Not all clients can han‐
dle multi-line responses, which is how the banner is displayed.
email name
Use this command to define the email address for the FTP Server
administrator. This string is printed every time the %E magic
cookie is used in message files.
hostname some.host.name
Defines the default host name of the FTP Server. This string is
printed on the greeting message and every time the %L magic cookie
is used. The host name for virtual servers overrides this value. If
no host name is specified, the default host name for the local
machine is used.
message path [when [class...]]
Define a file with path such that the FTP Server displays the con‐
tents of the file to the user at login time or upon using the
change working directory command. The when parameter may be LOGIN
or CWD=dirglob. If whenis CWD=dirglob, dirglob specifies the new
default directory that triggers the notification. A dirglob of "*"
matches all directories.
The optional class specification allows the message to be displayed
only to members of a particular class. More than one class may be
specified.
Magic cookies can be present in path that cause the FTP Server to
replace the cookie with a specified text string:
%T Local time. For example, Thu Nov 15 17:12:42 1990.
%F Free space in partition of CWD, in Kbytes.
%C Current working directory.
%E The email address for the FTP Server administrator.
%R Remote host name.
%L Local host name.
%U Username given at login time.
%u Username as defined by means of RFC 931 authentication.
%M Maximum allowed number of users in this class.
%N Current number of users in this class.
The following quota magic cookies are also supported but not always
set (see the quota-info capability):
%B absolute limit on disk blocks allocated
%b preferred limit on disk blocks
%Q current block count
%I maximum number of allocated inodes (+1)
%i preferred inode limit
%q current number of allocated inodes
%H time limit for excessive disk use
%h time limit for excessive files
The message is displayed only once to avoid annoying the user.
Remember that when messages are triggered by an anonymous or guest
FTP user, they must be relative to the base of the anonymous or
guest FTP directory tree.
quota-info uid-range [uid-range...]
Enable retrieval of quota information for users matching uid-range.
This sets the quota magic cookies. Retrieving quota information
might cause a significant delay when logging into the server.
uid-range can be a username, single UID, or a UID range. Place a
percent sign(%) before a number. An asterisk means "all users."
readme pathglob [when [class...]]
Define a file with pathglob such that the FTP Server notifies the
user at login time or upon using the change working directory com‐
mand that the file exists and the date that it was modified. The
when parameter may be LOGIN or CWD=dirglob. If when is CWD=dirglob,
dirglob specifies the new default directory that triggers the noti‐
fication. A dirglob of "*" matches all directories. The message is
only displayed once, to avoid bothering users. Remember that when
README messages are triggered by an anonymous or guest FTP user,
the pathglob must be relative to the base of the anonymous or guest
FTP directory tree.
The optional class specification allows the message to be displayed
only to members of a particular class. You can specify more than
one class.
Logging Capabilities
The following logging capabilities are supported:
log commands typelist
Enables logging of the individual FTP commands sent by users. type‐
list is a comma-separated list of any of the keywords anonymous,
guest, and real. Command logging information is written to the sys‐
tem log.
log transfers typelist directions
Log file transfers made by FTP users to the xferlog(4) file. Log‐
ging of incoming transfers to the server can be enabled separately
from outbound transfers from the server. directions is a comma-sep‐
arated list of any of the two keywords inbound and outbound, and
respectively causes transfers to be logged for files sent to and
from the server.
log security typelist
Enables logging of violations of security rules to the system log,
including for example, noretrieve and .notar.
log syslog
log syslog+xferlog
Redirect the logging messages for incoming and outgoing transfers
to syslog. Without this option the messages are written to xferlog.
When you specify syslog+xferlog, the transfer log messages are sent
to both the system log file and the xferlog file.
xferlog format formatstring
Customize the format of the transfer log entry written. format‐
string can be any string, which might include magic cookies.
Strings of whitespace characters are converted into a single space.
The following transfer-specific magic cookies are recognized only
immediately after a transfer has been completed:
%Xt transfer-time
%Xn bytes-transferred
%XP filename
%Xp chroot-filename
%Xy transfer-type
%Xf special-action-flag
%Xd direction
%Xm access-mode
%Xa authentication-method
%Xc completion-status
%Xs file-size
%Xr restart-offset
xferlog(4) includes a description of these fields. If no xferlog
format entry is present, the default is:
xferlog format %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc
Miscellaneous Capabilities
The following miscellaneous capabilities are supported:
alias string dir
Define an alias, string, for a directory. Use this command to add
the concept of logical directories. For example: alias rfc:
/pub/doc/rfc would allow the user to access /pub/doc/rfc from any
directory by the command cd rfc:. Aliases only apply to the cd com‐
mand.
cdpath dir
Define an entry in the cdpath. This command defines a search path
that is used when changing directories. For example:
cdpath /pub/packages
cdpath /.aliases
would allow the user to move into any directory directly under
either the /pub/packages or the /.aliases directories. The search
path is defined by the order in which the lines appear in the
ftpaccess file. If the user were to give the command ftp> cd foo
the directory is searched for in the following order:
o ./foo
o an alias called foo
o /pub/packages/foo
o /.aliases/foo
The cdpath is only available with the cd command. If you have a
large number of aliases, you might want to set up an aliases direc‐
tory with links to all of the areas you wish to make available to
users.
compress yes|no classglob [classglob...]
tar yes|no classglob [classglob...]
Enable the use of conversions marked with the O_COMPRESS, O_UNCOM‐
PRESS, and O_TAR options in /etc/ftpd/ftpconversions. See ftpcon‐
versions(4).
shutdown path
If the file pointed to by path exists, the server checks the file
regularly to see if the server is going to be shut down. If a shut‐
down is planned, the user is notified. New connections are denied
after a specified time before shutdown. Current connections are
dropped at a specified time before shutdown.
The format of the file specified by path is:
year month day hour minute deny_offset disc_offset text
year A value of 1970 or greater.
month A value of 0 to 11.
day A value of 1 to 31.
hour A value of 0 to 23.
minute A value of 0 to 59.
deny_offset The offsets in HHMM format that new connections is
disc_offset denied and existing connections is disconnected
before the shutdown time.
text Follows the normal rules for any message. The fol‐
lowing additional magic cookies are available:
%s The time at which the system is going to shut
down.
%r The time at which new connections is denied.
%d The time at which current connections is
dropped.
All times are in the form: ddd MMM DD hh:mm:ss YYYY. Only one shut‐
down command can be present in the configuration file. You can use
the external program ftpshut(1M) to automate generation of this
file.
daemonaddress address
Listen only on the IP address specified. If the value is not set,
then the FTP Server listens for connections on every IP address.
This applies only when the FTP Server is run in standalone mode.
virtual address root|banner|logfile path
Enable the FTP Server limited virtual hosting capabilities. The
address is the IP address of the virtual server. The second argu‐
ment specifies that the path is either the path to the root of the
filesystem for this virtual server, the banner presented to the
user when connecting to this virtual server, or the logfile where
transfers are recorded for this virtual server. If the logfile is
not specified the default log file is used. All other message files
and permissions as well as any other settings in this file apply to
all virtual servers. The address may also be specified as a host‐
name rather than as an IP number. This is strongly discouraged
since, if DNS is not available at the time the FTP session begins,
the hostname is not matched.
root|logfile path
In contrast to limited virtual hosting, complete virtual hosting
allows separate configuration files to be virtual host specific.
See ftpservers(4). The only additions that are necessary in a vir‐
tual host's ftpaccess file is the root directive that ensures the
correct root directory is used for the virtual host. This only
works with complete virtual hosting, which in contrast to limited
virtual hosting, allows separate configuration files to be speci‐
fied for each virtual host.
path is either the root of the filesystem for this virtual server
or the logfile where transfers for this virtual server are
recorded. root and logfile may only be specified when not preceded
by virtual address in a virtual hosts's ftpaccess file.
virtual address hostname|email string
Set the hostname shown in the greeting message and status command,
or the email address used in message files and on the HELP command,
to the given string.
virtual address allow username [username...]
virtual address deny username [username...]
By default, real and guest users are not allowed to log in on the
virtual server, unless they are guests that are chroot'd to the
virtual root. The users listed on the virtual allow line(s) are
granted access. You can grant access to all users by giving '*' as
the username. The virtual deny clauses are processed after the vir‐
tual allow clauses. Thus specific users can be denied access
although all users were allowed in an earlier clause.
virtual address private
Deny log in access to anonymous users on the virtual server. Anony‐
mous users are generally allowed to log in on the virtual server if
this option is not specified.
virtual address passwd file
Use a different passwd file for the virtual host.
virtual address shadow file
Use a different shadow file for the virtual host.
defaultserver deny username [username...]
defaultserver allow username [username...]
By default, all users are allowed access to the non-virtual FTP
Server. Use defaultserver deny to revoke access for specific real
and guest users. Specify '*' to deny access to all users, except
anonymous users. Specific real and guest users can then be allowed
access by using defaultserver allow.
defaultserver private
By default, all users are allowed access to the non-virtual FTP
Server. Use defaultserver private to revoke access for anonymous
users.
The virtual and defaultserver allow, deny and private clauses pro‐
vide a means to control which users are allowed access to which FTP
Servers.
passive address externalip cidr
Allow control of the address reported in response to a passive com‐
mand. When any control connection matching cidr requests a passive
data connection (PASV), the externalip address is reported. This
does not change the address that the daemon actually listens on,
only the address reported to the client. This feature allows the
daemon to operate correctly behind IP renumbering firewalls. For
example:
passive address 10.0.1.15 10.0.0.0/8
passive address 192.168.1.5 0.0.0.0/0
Clients connecting from the class-A network 10 is told the passive
connection is listening on IP address 10.0.1.15 while all others is
told the connection is listening on 192.168.1.5. Multiple passive
addresses may be specified to handle complex, or multi-gatewayed,
networks.
passive ports cidr min max
Allows control of the TCP port numbers which may be used for a pas‐
sive data connection. If the control connection matches the cidr, a
port in the range min to max is randomly selected for the daemon to
listen on. This feature allows firewalls to limit the ports that
remote clients may use to connect into the protected network.
cidr is shorthand for an IP address followed by a slash and the
number of left-most bits that represent the network address, as
opposed to the machine address. For example, if you are using the
reserved class-A network 10, instead of a netmask of 255.0.0.0, use
a CIDR of /8, as in 10.0.0.0/8, to represent your network.
When min and max are both 0, the kernel rather than the FTP server
selects the TCP port to listen on. Kernel port selection is usually
not desirable if the kernel allocates TCP ports sequentially. If in
doubt, let the FTP server do the port selection.
pasv-allow class [addrglob...]
port-allow class [addrglob...]
Normally, the FTP Server does not allow a PORT command to specify
an address different than that of the control connection. Nor does
it allow a PASV connection from another address.
The port-allow clause provides a list of addresses that the speci‐
fied class of user may give on a PORT command. These addresses is
allowed even if they do not match the IP address of the client-side
of the control connection.
The pasv-allow clause provides a list of addresses that the speci‐
fied class of user may make data connections from. These addresses
are allowed even if they do not match the IP address of the client-
side of the control connection.
lslong command [options...]
lsshort command [options...]
lsplain command [options...]
Use the lslong, lsshort, and lsplain clauses to specify the com‐
mands and options to use to generate directory listings. The
options cannot contain spaces, and the default values for these
clauses are generally correct. Use lslong, lsshort, or lsplain only
if absolutely necessary.
mailserver hostname
Specify the name of a mail server that accepts upload notifica‐
tions for the FTP Server. Multiple mail servers may be listed. The
FTP Server attempts to deliver the upload notification to each, in
order, until one accepts the message. If no mail servers are speci‐
fied, localhost is used. This option is only meaningful if anyone
is to be notified of anonymous uploads. See incmail.
incmail emailaddress
virtual address incmail emailaddress
defaultserver incmail emailaddress
Specify email addresses to be notified of anonymous uploads. Multi‐
ple addresses can be specified. Each receives a notification. If no
addresses are specified, no notifications are sent.
If addresses are specified for a virtual host, only those addresses
are sent notification of anonymous uploads on that host. Otherwise,
notifications are sent to the global addresses.
defaultserver addresses only apply when the FTP session is not
using one of the virtual hosts. In this way, you can receive noti‐
fications for your default anonymous area, but not see notifica‐
tions to virtual hosts that do not have their own notifications.
mailfrom emailaddress
virtual address mailfrom emailaddress
defaultserver mailfrom emailaddress
Specify the sender's email address for anonymous upload notifica‐
tions. Only one address may be specified. If no mailfrom applies,
email is sent from the default mailbox name wu-ftpd. To avoid prob‐
lems if the recipient attempts to reply to a notification, or if
downstream mail problems generate bounces, you should ensure the
mailfrom address is deliverable.
sendbuf size [typelist]
recvbuf size [typelist]
Set the send or receive buffer sizes used for binary transfers.
They have no effect on ASCII transfers.
rhostlookup yes|no [addrglob ...]
Allows or disallows the lookup of the remote host's name. Name
lookups can be slow, but skipping them means that places where an
addrglob is matched (for example, in the class capability) matches
only an IP address, not a name. Also deny !nameserved and dns
refuse_no_reverse or refuse_mismatch denies access when a name
lookup is not done. The default is to lookup the remote host's
name.
Only IP addresses, not names, are matched in addrglob.
flush-wait yes|no [typelist]
Controls the behavior at the end of a download or directory list‐
ing. If yes, shutdown the data connection for sending and wait for
the client to close its end before sending a transfer complete
reply on the control connection. This is the default behavior. If
no, close the data connection and send the transfer complete reply
without waiting for the client. With this behavior, data loss can
go undetected.
If a client hangs at the end of a directory listing, or the system
has many sockets in the FIN_WAIT_2 state, try setting to no as a
workaround for broken client behavior.
Permission Capabilities
The following permission capabilities are supported:
chmod yes|no typelist
delete yes|no typelist
overwrite yes|no typelist
rename yes|no typelist
umask yes|no typelist
Allows or disallows the ability to perform the specified function.
By default, all real and guest users are allowed. Anonymous users
are only allowed overwrite and umask.
typelist is a comma-separated list of any of the keywords anony‐
mous, guest, real and class=. When class= appears, it must be fol‐
lowed by a classname. If any class= appears, the typelist restric‐
tion applies only to users in that class.
passwd-check none|trivial|rfc822 [enforce|warn]
Define the level and enforcement of password checking done by the
FTP Server for anonymous FTP.
none No password checking is performed.
trivial The password must contain an '@'.
rfc822 The password must be RFC 822 compliant.
warn Warn, but permit the login.
enforce Notify and deny the login.
deny-email case-insensitive-emailaddress
Consider the email address given as an argument as invalid. If
passwd-check is set to enforce, anonymous users giving this address
as a password cannot log in. That way, you can stop users from hav‐
ing stupid WWW browsers use fake addresses like IE?0User@ or
mozilla@. (by using this, you are not shutting out users using a
WWW browser for ftp - you just make them configure their browser
correctly.) Only one address is allowed per line, but you can have
as many deny-email addresses as you like.
path-filter typelist message allowed_regexp
[disallowed_regexp...]
For users in typelist, path-filter defines regular expressions that
control what characters can be used in the filename of an uploaded
file or created directory. There may be multiple disallowed regular
expressions. If a filename is invalid due to failure to match the
regular expression criteria, message is displayed to the user. For
example:
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^. ^-
specifies that all upload filenames for anonymous users must be
made of only the characters A-Z, a-z, 0-9, and ._- and may not
begin with a . or a -. If the filename is invalid, /etc/pathmsg is
displayed to the user.
upload [absolute|relative] [class=classname]... [-]
root-dir dirglob yes|no owner group mode
[dirs|nodirs] [d_mode]
Define a directory with dirglob that permits or denies uploads. If
it does permit uploads, all newly created files is owned by owner
and group and has their permissions set according to mode. Existing
files that are overwritten retains their original ownership and
permissions. Directories are matched on a best-match basis. For
example:
upload /var/ftp * no
upload /var/ftp /incoming yes ftp daemon 0666
upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs
would only allow uploads into /incoming and /incoming/gifs. Files
that were uploaded to /incoming are owned by ftp/daemon and have
permissions of 0666. Files uploaded to /incoming/gifs are owned by
jlc/guest and have permissions of 0600. The optional dirs and
nodirs keywords can be specified to allow or disallow the creation
of new subdirectories using the mkdir command. If the upload com‐
mand is used, directory creation is allowed by default. To turn it
off by default, you must specify a user, group and mode followed by
the nodirs keyword as the first line where the upload command is
used in this file. If directories are permitted, the optional
d_mode determines the permissions for a newly created directory. If
d_mode is omitted, the permissions are inferred from mode. The per‐
missions are 0777 if mode is also omitted. The upload keyword only
applies to users who have a home directory of root-dir. root-dir
may be specified as * to match any home directory. The owner or
group may each be specified as *, in which case any uploaded files
or directories are created with the ownership of the directory in
which they are created. The optional first parameter selects
whether root-dir names are interpreted as absolute or relative to
the current chroot'd environment. The default is to interpret
<root-dir> names as absolute. You can specify any number of
class=classname restrictions. If any are specified, this upload
clause only takes effect if the current user is a member of one of
the classes.
In the absence of any matching upload clause, real and guest users
can upload files and make directories, but anonymous users cannot.
The mode of uploaded files is 0666. For created directories, the
mode is 0777. Both modes are modified by the current umask setting.
throughput root-dir subdir-glob file-glob-list
bytes-per-second bytes-per-second-multiply remote-glob-list
Define files by means of a comma-separated file-glob-list in subdir
matched by subdir-glob under root-dir that have restricted transfer
throughput of bytes-per-second on download when the remote hostname
or remote IP address matches the comma-separated remote-glob-list.
Entries are matched on a best-match basis. For example:
throughput /e/ftp * * oo - *
throughput /e/ftp /sw* * 1024 0.5 *
throughput /e/ftp /sw* README oo - *
throughput /e/ftp /sw* * oo - *.foo.com
would set maximum throughput per default, but restrict download to
1024 bytes per second for any files under /e/ftp/sw/ that are not
named README. The only exceptions are remote hosts from within the
domain foo.com which always get maximum throughput. Every time a
remote client has retrieved a file under /e/ftp/sw/ the bytes per
seconds of the matched entry line are internally multiplied by a
factor, here 0.5. When the remote client retrieves its second file,
it is served with 512 bytes per second, the third time with only
256 bytes per second, the fourth time with only 128 bytes per sec‐
ond, and so on. The string oo for the bytes per second field means
no throughput restriction. A multiply factor of 1.0 or - means no
change of the throughput after every successful transfer. The root-
dir here must match the home directory specified in the password
database . The throughput keyword only applies to users who have a
home directory of root-dir.
anonymous-root root-dir [class...]
root-dir specifies the chroot() path for anonymous users. If no
anonymous-root is matched, the old method of parsing the home
directory for the FTP user is used. If no class is specified, this
is the root directory for anonymous users who do not match any
other anonymous-root specification. Multiple classes may be speci‐
fied on this line. If an anonymous-root is chosen for the user, the
FTP user's home directory in the root-dir/etc/passwd file is used
to determine the initial directory and the FTP user's home direc‐
tory in the system-wide /etc/passwd is not used. For example:
anonymous-root /home/ftp
anonymous-root /home/localftp localnet
causes all anonymous users to be chroot'd to the directory
/home/ftp. If the FTP user exists in /home/ftp/etc/passwd, their
initial CWD is that home directory. Anonymous users in the class
localnet, however, are chroot'd to the directory /home/localftp and
their initial CWD is taken from the FTP user's home directory in
/home/localftp/etc/passwd.
guest-root root-dir [uid-range...]
root-dir specifies the chroot() path for guest users. If no guest-
root is matched, the old method of parsing the user's home direc‐
tory is used. If no uid-range is specified, this is the root direc‐
tory for guestusers who do not match any other guest-root specifi‐
cation. Multiple UID ranges may be given on this line. If a guest-
root is chosen for the user, the user's home directory in the root-
dir/etc/passwd file is used to determine the initial directory and
the home directory in the system-wide /etc/passwd is not used. uid-
range specifies names or numeric UID values. To use numbers, put a
percent sign (%) symbol before it or before the range. Ranges are
specified by giving the lower and upper bounds (inclusive), sepa‐
rated by a dash. If the lower bound is omitted, it means all up to.
If the upper bound is omitted, it means all starting from. For
example:
guest-root /home/users
guest-root /home/staff %100-999 sally
guest-root /home/users/owner/ftp frank
causes all guest users to chroot() to /home/users then starts each
user in the user's home directory, as specifiedin
/home/users/etc/passwd. Users in the range 100 through 999, inclu‐
sive, and user sally, is chroot'd to /home/staff and the CWD is
taken from their entries in /home/staff/etc/passwd. The single user
frank is chroot'd to /home/users/owner/ftp and the CWD is from his
entry in /home/users/owner/ftp/etc/passwd.
The order is important for both anonymous-root and guest-root. If a
user would match multiple clauses, only the first applies; with the
exception of the clause which has no class or uid-range, which
applies only if no other clause matches.
deny-uid uid-range [uid-range...]
deny-gid gid-range [gid-range...]
allow-uid uid-range [uid-range...]
allow-gid gid-range [gid-range...]
Use these clauses to specify UID and GID values that is denied
access to the FTP Server. The allow-uid and allow-gid clauses may
be used to allow access for UID and GID values which would other‐
wise be denied. These checks occur before all others. deny is
checked before allow. The default is to allow access. These clauses
do not apply to anonymous users. Use defaultserver private to deny
access to anonymous users. In most cases, these clauses obviate the
need for an ftpusers(4) file. For example, the following clauses
deny FTP Server access to all privileged or special users and
groups, except the guest1 user or group.
deny-gid %-99 nobody noaccess nogroup
deny-uid %-99 nobody noaccess nobody4
allow-gid guest1
allow-uid guest1
Support for the ftpusers file still exists, so it may be used when
changing the ftpaccess file is not desired. In any place a single
UID or GID is allowed throughout the ftpaccess file, either names
or numbers also may be used. To use a number, put a percent sign
(%) symbol before it. In places where a range is allowed, put the
percent sign before the range. A "*" matches all UIDs or GIDs.
restricted-uid uid-range [uid-range...]
restricted-gid gid-range [gid-range...]
unrestricted-uid uid-range [uid-range...]
unrestricted-gid gid-range [gid-range...]
These clauses control whether or not real or guest users is allowed
access to areas on the FTP site outside their home directories.
These clauses are not meant to replace the use of guestgroup and
guestuser. Instead, use these clauses to supplement the operation
of guests. The unrestricted-uid and unrestricted-gid clauses may be
used to allow users outside their home directories who would other‐
wise be restricted.
The following example shows the intended use for these clauses.
Assume user dick has a home directory /home/dick and jane has a
home directory /home/jane:
guest-root /home dick jane
restricted-uid dick jane
While both dick and jane are chroot'd to /home, they cannot access
each other's files because they are restricted to their home direc‐
tories. However, you should not rely solely upon the FTP restric‐
tions to control access. As with all other FTP access rules, you
should also use directory and file permissions to support the oper‐
ation of the ftpaccess configuration.
site-exec-max-lines number [class...]
The SITE EXEC feature traditionally limits the number of lines of
output that may be sent to the remote client. Use this clause to
set this limit. If this clause is omitted, the limit is 20 lines. A
limit of 0 (zero) implies no limit. Be very careful if you choose
to remove the limit. If a clause is found matching the remote
user's class, that limit is used. Otherwise, the clause with class
'*', or no class given, is used. For example:
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
limits output from SITE EXEC (and therefore SITE INDEX) to 200
lines for remote users, specifies there is no limit at all for
local users, and sets a limit of 25 lines for all other users.
dns refuse_mismatch filename [override]
Refuse FTP sessions when the forward and reverse lookups for the
remote site do not match. Lookups are done using the system's name
service as configured in nsswitch.conf(4). Display the named file,
like a message file, admonishing the user. If the optional override
is specified, allow the connection after complaining.
dns refuse_no_reverse filename [override]
Refuse FTP sessions when the remote host's IP address has no asso‐
ciated name. Lookups are done using the system's name service as
configured in nsswitch.conf(4). Display the named file, such as a
message file, admonishing the user. If the optional override is
specified, allow the connection after complaining.
dns resolveroptions [options]
Modify certain internal resolver variables. This only has an effect
when DNS is used as the system's name service. The line takes a
series of options which are used to set the RES_OPTIONS environment
variable. See resolv.conf(4) for details. For example:
dns resolveroptions rotate attempts:1
turns on querying name servers round-robin and selects querying
each name server only once.
Lines that begin with a # sign are treated as comment lines and are
ignored.
FILES
/etc/ftpd/ftpaccess
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWftpr │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │External │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOcompress(1), ls(1), tar(1), ftpaddhost(1M), ftpconfig(1M), ftpshut(1M),
in.ftpd(1M), chroot(2), nice(2), umask(2), getgrnam(3C),
resolver(3RESOLV), ftpconversions(4), ftpgroups(4), ftpservers(4),
ftpusers(4), nsswitch.conf(4), resolv.conf(4), timezone(4), xferlog(4),
attributes(5), fnmatch(5)
Crocker, David H. RFC 822, Standard For The Format Of ARPA Internet
Text Messages. Network Information Center. August 1982.
St. Johns, Michael. RFC 931, Authentication Server. Network Working
Group. January 1985.
SunOS 5.10 28 Dec 2010 ftpaccess(4)
