File Formats ftpaccess(4)
NAME
ftpaccess - FTP Server configuration file
SYNOPSIS
/etc/ftpd/ftpaccess
DESCRIPTION
The ftpaccess file is used to configure the operation of the
FTP Server.
Access Capabilities
The following access capabilities are supported:
autogroup groupname class [class...]
If an anonymous user is a member of any listed class, the
FTP Server will perform a setegid(2) to groupname. This
allows access to group and owner read-only files and
directories to a particular class of anonymous users.
groupname is a valid group returned by getgrnam(3C).
class class typelist addrglob [addrglob...]
Define class of users, with source addresses of the form
addrglob. Multiple members of class may be defined.
There may be multiple class commands listing additional
members of the class. If multiple class commands can
apply to the current session, the first one listed in
the access file is used. If a valid class for a host is
not defined, access will be denied. typelist is a
comma-separated list of any of the keywords anonymous,
guest, and real. If the real keyword is included, the
class can match users using FTP to access real accounts.
If the anonymous keyword is included the class can match
users using anonymous FTP. The guest keyword matches
guest access accounts.
addrglob may be a globbed domain name or a globbed
numeric IPv4 address. It may also be the name of a file,
starting with a slash ('/'), which contains additional
address globs. IPv4 numeric addresses may also be speci-
fied in the form address:netmask or address/CIDR. IPv6
numeric addresses can only be specified with an optional
CIDR, not using globs or netmasks.
Placing an exclamation (!) before an addrglob negates
the test. For example,
class rmtuser real !*.example.com
SunOS 5.10 Last change: 10 Sep 2003 1
will classify real users from outside the example.com
domain as the class rmtuser. Use care with this option.
Remember, the result of each test is OR'ed with other
tests on the line.
deny addrglob [message_file]
Deny access to host(s) that match addrglob and display
message_file. If the value of addrglob is !nameserved,
access to sites without working nameservers is denied.
message_file may contain magic cookies. See message for
more details.
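The following Python model of class and deny matching is an added example, not code from the FTP Server itself; the configuration fragment, addresses and message file names in it are constructed. It exercises the three rules above that decide who gets in: each addrglob on a class line is OR'ed, the first class line that applies wins, and a host that falls into no class is refused. It also reproduces the pitfall the "use care" warning points at: two negated addrglobs on one line match every host. That deny lines are evaluated before class lines is an assumption of the example, not something the man page states.

```python
import fnmatch
import ipaddress

# Constructed ftpaccess fragment for this example (not from a real server).
# A class line lists one or more addrglobs; each addrglob on a line is OR'ed.
# The first class line that applies to the session wins, so the narrow
# "local" class must precede the negated "rmtuser" class.
SAMPLE_CONFIG = """
class  local   real,guest,anonymous  *.example.com 192.0.2.0/24
class  rmtuser real                  !*.example.com
class  anon    anonymous             *
deny   !nameserved                   /etc/ftpd/nodns.msg
deny   198.51.100.0/24               /etc/ftpd/denied.msg
"""


def _as_network(glob):
    """Return an ip_network for address/CIDR, IPv4 address:netmask or a bare
    numeric address; None if the glob is a hostname or address glob."""
    try:
        return ipaddress.ip_network(glob, strict=False)
    except ValueError:
        pass
    addr, sep, mask = glob.partition(":")
    if sep and addr.count(".") == 3:          # IPv4 address:netmask form
        try:
            return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            pass
    return None


def match_addrglob(glob, ip, host=None):
    """Evaluate one addrglob against a client. A leading '!' negates the
    test. host is the reverse-resolved name, or None when the lookup
    failed, which is what the special glob 'nameserved' tests."""
    negate = glob.startswith("!")
    if negate:
        glob = glob[1:]
    if glob == "nameserved":
        hit = host is not None
    else:
        net = _as_network(glob)
        if net is not None:
            hit = ipaddress.ip_address(ip) in net
        else:
            # Globbed numeric address or globbed domain name. Without a
            # reverse name only the numeric form can match.
            hit = fnmatch.fnmatchcase(ip, glob) or (
                host is not None
                and fnmatch.fnmatchcase(host.lower(), glob.lower()))
    return hit != negate


def parse_access(text):
    """Collect class and deny lines, in file order."""
    classes, denies = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "class":
            classes.append((fields[1], set(fields[2].split(",")), fields[3:]))
        elif len(fields) >= 2 and fields[0] == "deny":
            denies.append((fields[1], fields[2] if len(fields) > 2 else None))
    return classes, denies


def classify(config, login_type, ip, host=None):
    """Return (classname, message_file). classname None means the session
    is refused: either a deny line matched (message_file set if the line
    had one) or no class matched, which the man page says denies access.
    Assumption: deny lines are checked before class lines."""
    classes, denies = config
    for glob, message in denies:
        if match_addrglob(glob, ip, host):
            return None, message
    for name, types, globs in classes:
        if login_type in types and any(match_addrglob(g, ip, host) for g in globs):
            return name, None
    return None, None


def negation_pitfall():
    """Two negated globs on one line: a.example.com fails the first test but
    passes the second, and the tests are OR'ed, so every host matches."""
    cfg = parse_access("class everyone real !a.example.com !b.example.com")
    return classify(cfg, "real", "192.0.2.10", "a.example.com")[0]
```

If you want "real users from neither a.example.com nor b.example.com", the page's semantics give no way to express it on one line; negations compose by OR, so put the hosts you want excluded in an earlier class (or a deny line) and let a later catch-all class pick up the rest.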
guestgroup groupname [groupname...]
guestuser username [username...]
realgroup groupname [groupname...]
realuser username [username...]
For guestgroup, if a real user is a member of any group-
name, the session is set up like anonymous FTP. group-
name is a valid group returned by getgrnam(3C). The
user's home directory must be set up exactly as
anonymous FTP would be. The home directory field of the
passwd entry is divided into two directories. The first
field is the root directory that will be the argument to
the chroot(2) call. The second field is the user's home
directory, relative to the root directory. Use a "/./"
to separate the two fields. For example, the following
is the real entry in /etc/passwd:
guest1:x:100:92:Guest FTP:/export/home/guests/./guest1:/bin/true
When guest1 successfully logs in, the FTP Server will
chroot() to /export/home/guests and then chdir(2) to
/guest1. The guest user will only be able to access the
directory structure under /export/home/guests, which
will look and act as / to guest1, just as an anonymous
FTP user would. The -d option to ftpconfig(1M) is useful
when creating guest FTP user accounts. The group name
may be specified by either name or numeric ID. To use a
numeric group ID, place a percent sign (%) before the
number. You can give ranges. Use an asterisk to indicate
all groups. guestuser works like guestgroup, except that
it uses the user name or numeric ID. realuser and real-
group have the same syntax, but they reverse the effect
of guestuser and guestgroup. They allow real user access
when the remote user would otherwise be determined a
guest.
guestuser *
realgroup admin
causes all non-anonymous users to be treated as guest,
with the sole exception of users in the admin group, who
are granted real user access.
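The following Python is an added example, not the server's own code, showing how the "/./" marker in the passwd home field splits into the chroot(2) root and the chdir(2) target, and how the guestuser/guestgroup and realuser/realgroup directives combine to decide whether a login is a guest session at all. The passwd line is the one from the man page; the group memberships, the dict layout of the directives and the "%N-M" range syntax are assumptions of the example.

```python
# Constructed data for this example; group membership is illustrative,
# not taken from a real system.

def split_guest_home(home):
    """Split a passwd home field at the "/./" marker into the chroot(2)
    root and the chdir(2) target relative to that root. Assumption: a
    field without the marker becomes the root, with a home of "/"."""
    root, marker, rel = home.partition("/./")
    if not marker:
        return home, "/"
    return root or "/", "/" + rel


def _spec_matches(spec, name, number):
    """Match one guestuser/guestgroup/realuser/realgroup entry: '*' is
    everyone, '%N' a numeric ID, '%N-M' a numeric range (the exact range
    syntax is an assumption), anything else a name."""
    if spec == "*":
        return True
    if spec.startswith("%"):
        low, _, high = spec[1:].partition("-")
        return int(low) <= number <= int(high or low)
    return spec == name


def is_guest_session(user, uid, groups, cfg):
    """groups: list of (groupname, gid) the user belongs to. cfg: dict of
    directive name -> list of entries, e.g. {"guestuser": ["*"],
    "realgroup": ["admin"]}. realuser/realgroup reverse a guest
    determination made by guestuser/guestgroup, as the man page says."""
    def hit(user_key, group_key):
        return (any(_spec_matches(s, user, uid) for s in cfg.get(user_key, ()))
                or any(_spec_matches(s, g, gid)
                       for s in cfg.get(group_key, ()) for g, gid in groups))
    return hit("guestuser", "guestgroup") and not hit("realuser", "realgroup")


def session_layout(passwd_line, groups, cfg):
    """Return (chroot_root, chdir_target) for a guest session, or
    (None, home) for a real user, who is not chroot'd."""
    fields = passwd_line.split(":")
    user, uid, home = fields[0], int(fields[2]), fields[5]
    if is_guest_session(user, uid, groups, cfg):
        return split_guest_home(home)
    return None, home


# Passwd line from the man page; the group data below it is constructed.
GUEST1 = "guest1:x:100:92:Guest FTP:/export/home/guests/./guest1:/bin/true"
GUEST1_GROUPS = [("ftpguests", 92)]
```

The thing to check when auditing such accounts is the part before "/./": everything under that root is visible to the guest as "/", so a root of /export/home rather than /export/home/guests exposes every other home directory in it.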
nice nice-delta [class]
Adjust the process nice value of the FTP server process
by the indicated nice-delta value if the remote user is
a member of the named class. If class is not specified,
then use nice-delta as the default adjustment to the FTP
server process nice value. This default nice value
adjustment is used to adjust the nice value of the
server process only for those users who do not belong to
any class for which a class-specific nice directive
exists in the ftpaccess file.
defumask umask [class]
Set the umask applied to files created by the FTP server
if the remote user is a member of the named class. If
class is not specified, then use the umask as the
default for classes that do not have one specified. The
mode of files created may be specified by using the
upload directive.
tcpwindow size [class]
Set the TCP window size (socket buffer size) for the
data connection. Use this to control network traffic.
For instance, slow PPP dialin links may need smaller TCP
windows to speed up throughput. If you do not know what
this does, do not set it.
ipcos control|data value [typelist]
Set the IP Class of Service for either the control or
data connection.
For connections using AF_INET type sockets, this sets
the Type of Service field in the IP header to the value
specified.
For connections using AF_INET6 type sockets, this sets
the Traffic Class field in the IP header to the value
specified.
When configured through inetd.conf(4), the socket type
is controlled by the protocol field of the ftp service.
When running in standalone mode the default socket type
is AF_INET6. The in.ftpd(1M) -4 option selects AF_INET.
typelist is a comma-separated list of any of the key-
words anonymous, guest, real, and class=. When class=
appears, it must be followed by a class name.
keepalive yes|no
Set the TCP SO_KEEPALIVE option for control and data
sockets. This can be used to control network disconnect.
If yes, then set it. If no, then use the system default
(usually off). You probably want to set this.
timeout accept seconds
timeout connect seconds
timeout data seconds
timeout idle seconds
timeout maxidle seconds
timeout RFC931 seconds
Set various timeout conditions.
accept How long the FTP Server will
wait for an incoming (PASV) data
connection. The default is 120
seconds.
connect How long the FTP Server will
wait attempting to establish an
outgoing (PORT) data connection.
This affects the actual
connection attempt. The daemon makes
several attempts, sleeping
between each attempt, before
giving up. The default is 120
seconds.
data How long the FTP Server will
wait for some activity on the
data connection. You should keep
this long because the remote
client may have a slow link, and
there can be quite a bit of data
queued for the client. The
default is 1200 seconds.
idle How long the FTP Server will
wait for the next command. The
default is 900 seconds. The
default can also be overridden
by using the -t option at the
command-line. This access clause
overrides both.
maxidle The SITE IDLE command allows the
remote client to establish a
higher value for the idle
timeout. The maxidle clause sets
the upper limit that the client
may request. The default can
also be overridden by using the
-T option at the command-line.
This access clause overrides
both. The default is 7200
seconds.
RFC931 The maximum time the FTP server
allows for the entire RFC931
(AUTH/ident) conversation. Set-
ting this to zero (0) disables
the server's use of this
protocol. The information
obtained by means of RFC931 is
recorded in the system logs and
is not actually used in any
authentication. The default is
10 seconds.
file-limit [raw] in|out|total count [class]
Limit the number of data files a user in the given class
may transfer. The limit may be placed on files in, out,
or total. If no class is specified, the limit is the
default for classes which do not have a limit specified.
The optional parameter raw applies the limit to the
total traffic rather than just data files.
data-limit [raw] in|out|total count [class]
Limit the number of data bytes a user in the given class
may transfer. The limit may be placed on bytes in, out,
or total. If no class is specified, the limit is the
default for classes which do not have a limit specified.
Note that once it has been exceeded, this limit will
prevent transfers, but it will not terminate a transfer
in progress. The optional parameter raw applies the
limit to total traffic rather than just data files.
limit-time *|anonymous|guest minutes
Limit the total time a session can take. By default,
there is no limit. Real users are never limited.
guestserver [hostname...]
Control which hosts may be used for anonymous access. If
used without hostname, all anonymous access is denied to
this site. More than one hostname may be specified.
Anonymous access will only be allowed on the named
machines. If access is denied, the user will be asked to
use the first hostname listed.
limit class n times [message_file]
Limit class to n users at times times, displaying
message_file if the user is denied access. A limit check
is performed at login time only. If multiple limit com-
mands can apply to the current session, the first appli-
cable one is used. Failing to define a valid limit, or a
limit of -1, is equivalent to no limits. The format of
times is:
day[day...][time-range][|day[day...][time-range]]...
The value of day can be Su, Mo, Tu, We, Th, Fr, Sa, Wk
(for any weekday Monday through Friday), or Any. time-
range is in 24-hour clock notation. If a time range is
not specified, any time of the day is matched. Multiple
day and time-range may be specified by the "|" symbol.
For example, Wk1730-0900|Sa|Su specifies 5:30 p.m. to
9:00 a.m., Monday through Friday, and anytime on week-
ends. message_file may contain magic cookies. See mes-
sage for more details.
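The following Python parser for the times field is an added example, not the server's own code. It evaluates specifications such as Wk1730-0900|Sa|Su against a datetime and applies the limit rules above: first applicable limit line wins, a missing line or -1 means no limit. The sample limit lines, message file names and dates are constructed; that a range whose end precedes its start wraps past midnight with the weekday test applied to the current day, and that a login is refused once the class already has n users, are assumptions of the example.

```python
import re
from datetime import datetime, time

_DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
_ALL_DAYS = frozenset(range(7))
_RANGE_RE = re.compile(r"^(\d{2})(\d{2})-(\d{2})(\d{2})$")


def parse_clause(clause):
    """'Wk1730-0900' -> (set of weekday numbers, (start, end) or None).
    Weekday numbers follow datetime.weekday(): Monday is 0."""
    days = set()
    pos = 0
    while True:
        if clause.startswith("Any", pos):
            days |= _ALL_DAYS
            pos += 3
        elif clause.startswith("Wk", pos):
            days |= set(range(5))
            pos += 2
        elif clause[pos:pos + 2] in _DAY_CODES:
            days.add(_DAY_CODES[clause[pos:pos + 2]])
            pos += 2
        else:
            break
    if not days:
        raise ValueError(f"no day in limit clause {clause!r}")
    rest = clause[pos:]
    if not rest:
        return days, None
    m = _RANGE_RE.match(rest)
    if not m:
        raise ValueError(f"bad time range in {clause!r}")
    h1, m1, h2, m2 = (int(x) for x in m.groups())
    return days, (time(h1, m1), time(h2, m2))


def clause_matches(clause, now):
    """A clause matches when the current weekday is listed and the time
    falls in the range. A range whose end is earlier than its start (such
    as 1730-0900) wraps past midnight; the weekday test is applied to the
    current day (assumption)."""
    days, rng = parse_clause(clause)
    if now.weekday() not in days:
        return False
    if rng is None:
        return True
    start, end = rng
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def times_match(spec, now):
    """'Wk1730-0900|Sa|Su': alternatives separated by '|'."""
    return any(clause_matches(c, now) for c in spec.split("|"))


def parse_limits(text):
    """limit class n times [message_file], in file order."""
    limits = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "limit":
            limits.append((f[1], int(f[2]), f[3], f[4] if len(f) > 4 else None))
    return limits


def login_allowed(limits, classname, current_users, now):
    """First applicable limit line wins; no line, or a limit of -1, means
    unlimited. Assumption: the login is refused once current_users has
    reached n. Returns (allowed, message_file)."""
    for cls, n, spec, message in limits:
        if cls == classname and times_match(spec, now):
            if n == -1 or current_users < n:
                return True, None
            return False, message
    return True, None


# Constructed sample for this example: a tight daytime limit on anonymous
# users, a looser one at other times, no limit at all for staff.
SAMPLE_LIMITS = parse_limits("""
limit anon   10 Wk0900-1730 /etc/ftpd/toomany.msg
limit anon  100 Any         /etc/ftpd/toomany.msg
limit staff  -1 Any
""")
```

Because the first applicable line wins, the specific daytime line has to come before the Any line; reversed, the Any line would match every session and the daytime limit would never apply.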
noretrieve [absolute|relative]
[class=classname...][-] filename [filename...]
Always deny retrievability of these files. If filename
specifies a pathname that begins with '/' character,
then only those files are marked no retrieve. Otherwise
all files that match the filename are refused transfer.
For example, noretrieve /etc/passwd core specifies no
one will be able to retrieve the /etc/passwd file. You
will be allowed to transfer any file named passwd that
is not in /etc.
On the other hand, no one will be able to get files
named core, wherever they are. Directory specifications
mark all files and subdirectories in the named directory
unretrievable. The filename may be specified as a file
glob. For example,
noretrieve /etc /home/*/.htaccess
specifies that no files in /etc or any of its subdirec-
tories may be retrieved. Also, no files named .htaccess
anywhere under the /home directory may be retrieved. The
optional first parameter selects whether names are
interpreted as absolute or relative to the current
chroot'd environment. The default is to interpret names
beginning with a slash as absolute. The noretrieve
restrictions may be placed upon members of particular
classes. If any class= is specified, the named files
are unretrievable only for users who are members of
one of the given classes.
allow-retrieve [absolute|relative]
[class=classname...][-] filename [filename...]
Allows retrieval of files which would otherwise be
denied by noretrieve.
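The following Python evaluator for noretrieve and allow-retrieve is an added example, not the server's own code. It applies the matching rules described above: a pattern with a leading slash names one path (and everything below it when it is a directory), a pattern without one is matched against the base name wherever the file lives, relative mode places slash patterns under the chroot root, and class= restricts a rule to users in those classes. The rule set and paths are constructed; that a matching allow-retrieve overrides any matching noretrieve regardless of order is an assumption of the example.

```python
import fnmatch
import posixpath

# Constructed rule set for this example (not from a real server).
SAMPLE_RULES = """
noretrieve /etc core
noretrieve /home/*/.htaccess
noretrieve class=anon /pub/private
allow-retrieve /etc/motd
"""


def parse_retrieve_rules(text):
    """Each rule is (deny, mode, classes, patterns) in file order. mode is
    'absolute', 'relative' or None (the default: a leading slash means
    absolute)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] not in ("noretrieve", "allow-retrieve"):
            continue
        args = fields[1:]
        mode = args.pop(0) if args and args[0] in ("absolute", "relative") else None
        classes = set()
        while args and args[0].startswith("class="):
            classes.add(args.pop(0)[len("class="):])
        if args and args[0] == "-":          # optional end-of-options marker
            args.pop(0)
        rules.append((fields[0] == "noretrieve", mode, classes, args))
    return rules


def pattern_matches(pattern, real_path, chroot_root, mode):
    """A pattern with a leading slash names one path: the file itself,
    anything below it when it is a directory, or a glob over the whole
    path. In relative mode it is taken under chroot_root. A pattern
    without a slash is a glob matched against the file's base name, so
    it applies wherever the file lives."""
    if pattern.startswith("/"):
        if mode == "relative":
            pattern = posixpath.join(chroot_root, pattern.lstrip("/"))
        prefix = pattern.rstrip("/") + "/"
        return (real_path == pattern
                or real_path.startswith(prefix)
                or fnmatch.fnmatchcase(real_path, pattern))
    return fnmatch.fnmatchcase(posixpath.basename(real_path), pattern)


def may_retrieve(rules, real_path, user_classes, chroot_root="/"):
    """Assumption: any matching allow-retrieve overrides any matching
    noretrieve; rules carrying class= apply only to users in one of those
    classes. The path is normalised first so that /pub/../etc/passwd is
    judged as /etc/passwd."""
    real_path = posixpath.normpath(real_path)
    denied = allowed = False
    for deny, mode, classes, patterns in rules:
        if classes and not (classes & set(user_classes)):
            continue
        if any(pattern_matches(p, real_path, chroot_root, mode) for p in patterns):
            if deny:
                denied = True
            else:
                allowed = True
    return allowed or not denied
```

Note the difference between "noretrieve /etc" and "noretrieve relative /etc" for a chroot'd guest: the first protects the real /etc, which the guest cannot reach anyway, while the second protects the etc directory inside the guest's tree, which is the one that actually holds the files the guest could fetch.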
loginfails number
After number login failures, log a "repeated login
failures" message and terminate the FTP connection. The
default value for number is 5.
private yes | no
Allow or deny use of the SITE GROUP and SITE GPASS com-
mands after the user logs in. The SITE GROUP and SITE
GPASS commands specify an enhanced access group and
associated password. If the group name and password are
valid, the user becomes a member of the group specified
in the group access file /etc/ftpd/ftpgroups by means of
setegid(2). See ftpgroups(4) for the format of the file.
For this option to work for anonymous FTP users, the FTP
Server must keep /etc/group permanently open and load
the group access file into memory. This means that the
FTP Server now has an additional file descriptor open,
and the necessary passwords and access privileges
granted to users by means of SITE GROUP will be static
for the duration of an FTP session. If you have an
urgent need to change the access groups or passwords
now, you have to kill all of the running FTP Servers.
Informational Capabilities
The following informational capabilities are supported:
greeting full|brief|terse
greeting text message
The greeting command allows you to control how much
information is given out before the remote user logs in.
greeting full, which is the default greeting, shows the
hostname and daemon version. greeting brief shows the
hostname. greeting terse simply says "FTP Server
ready." Although full is the default, brief is sug-
gested.
The text form allows you to specify any greeting mes-
sage. message can be any string. Whitespace (spaces and
tabs) is converted to a single space.
banner path
The banner command operates similarly to the message
command, except that the banner is displayed before the
user enters the username. The path is relative to the
real system root, not to the base of the anonymous FTP
directory.
Use of the banner command can completely prevent non-
compliant FTP clients from making use of the FTP Server.
Not all clients can handle multi-line responses, which
is how the banner is displayed.
email name
Use this command to define the email address for the FTP
Server administrator. This string will be printed every
time the %E magic cookie is used in message files.
hostname some.host.name
Defines the default host name of the FTP Server. This
string will be printed on the greeting message and every
time the %L magic cookie is used. The host name for vir-
tual servers overrides this value. If no host name is
specified, the default host name for the local machine
is used.
message path [when [class...]]
Define a file with path such that the FTP Server will
display the contents of the file to the user at login
time or upon using the change working directory command.
The when parameter may be LOGIN or CWD=dirglob. If
when is CWD=dirglob, dirglob specifies the new default
directory that will trigger the notification. A dirglob
of "*" matches all directories.
The optional class specification allows the message to
be displayed only to members of a particular class. More
than one class may be specified.
"Magic cookies" can be present in path that cause the
FTP Server to replace the cookie with a specified text
string:
%T Local time. For example, Thu Nov 15 17:12:42
1990.
%F Free space in partition of CWD, in Kbytes.
%C Current working directory.
%E The email address for the FTP Server adminis-
trator.
%R Remote host name.
%L Local host name.
%U Username given at login time.
%u Username as defined by means of RFC 931 authen-
tication.
%M Maximum allowed number of users in this class.
%N Current number of users in this class.
The following quota magic cookies are also supported but
not always set (see the quota-info capability):
%B absolute limit on disk blocks allocated
%b preferred limit on disk blocks
%Q current block count
%I maximum number of allocated inodes (+1)
%i preferred inode limit
%q current number of allocated inodes
%H time limit for excessive disk use
%h time limit for excessive files
The message is displayed only once to avoid annoying the
user. Remember that when messages are triggered by an
anonymous or guest FTP user, they must be relative to
the base of the anonymous or guest FTP directory tree.
quota-info uid-range [uid-range...]
Enable retrieval of quota information for users matching
uid-range. This sets the quota magic cookies. Retrieving
quota information might cause a significant delay when
logging into the server.
uid-range can be a username, single UID, or a UID range.
Place a percent sign(%) before a number. An asterisk
means "all users."
readme pathglob [when [class...]]
Define a file with pathglob such that the FTP Server
will notify the user at login time or upon using the
change working directory command that the file exists
and the date that it was modified. The when parameter
may be LOGIN or CWD=dirglob. If when is CWD=dirglob,
dirglob specifies the new default directory that will
trigger the notification. A dirglob of "*" matches all
directories. The message will only be displayed once, to
avoid bothering users. Remember that when README mes-
sages are triggered by an anonymous or guest FTP user,
the pathglob must be relative to the base of the
anonymous or guest FTP directory tree.
The optional class specification allows the message to
be displayed only to members of a particular class. You
can specify more than one class.
Logging Capabilities
The following logging capabilities are supported:
log commands typelist
Enables logging of the individual FTP commands sent by
users. typelist is a comma-separated list of any of the
keywords anonymous, guest, and real. Command logging
information is written to the system log.
log transfers typelist directions
Log file transfers made by FTP users to the xferlog(4)
file. Logging of incoming transfers to the server can be
enabled separately from outbound transfers from the
server. directions is a comma-separated list of any of
the two keywords inbound and outbound, and will respec-
tively cause transfers to be logged for files sent to
and from the server.
log security typelist
Enables logging of violations of security rules to the
system log, including for example, noretrieve and
.notar.
log syslog
log syslog+xferlog
Redirect the logging messages for incoming and outgoing
transfers to syslog. Without this option the messages
are written to xferlog. When you specify syslog+xferlog,
the transfer log messages are sent to both the system
log file and the xferlog file.
xferlog format formatstring
Customize the format of the transfer log entry written.
formatstring can be any string, which might include
magic cookies. Strings of whitespace characters are con-
verted into a single space.
The following transfer-specific magic cookies are recog-
nized only immediately after a transfer has been com-
pleted:
%Xt transfer-time
%Xn bytes-transferred
%XP filename
%Xp chroot-filename
%Xy transfer-type
%Xf special-action-flag
%Xd direction
%Xm access-mode
%Xa authentication-method
%Xc completion-status
%Xs file-size
%Xr restart-offset
xferlog(4) includes a description of these fields. If no
xferlog format entry is present, the default is:
xferlog format %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc
Miscellaneous Capabilities
The following miscellaneous capabilities are supported:
alias string dir
Define an alias, string, for a directory. Use this com-
mand to add the concept of logical directories. For
example: alias rfc: /pub/doc/rfc would allow the user to
access /pub/doc/rfc from any directory by the command
"cd rfc:". Aliases only apply to the cd command.
cdpath dir
Define an entry in the cdpath. This command defines a
search path that is used when changing directories. For
example:
cdpath /pub/packages
cdpath /.aliases
would allow the user to move into any directory directly
under either the /pub/packages or the /.aliases direc-
tories. The search path is defined by the order in which
the lines appear in the ftpaccess file. If the user were
to give the command ftp> cd foo the directory will be
searched for in the following order:
./foo
an alias called foo
/pub/packages/foo
/.aliases/foo
The cdpath is only available with the cd command. If you
have a large number of aliases, you might want to set up
an aliases directory with links to all of the areas you
wish to make available to users.
compress yes|no classglob [classglob...]
tar yes|no classglob [classglob...]
Enable the use of conversions marked with the
O_COMPRESS, O_UNCOMPRESS, and O_TAR options in
/etc/ftpd/ftpconversions. See ftpconversions(4).
shutdown path
If the file pointed to by path exists, the server will
check the file regularly to see if the server is going
to be shut down. If a shutdown is planned, the user is
notified. New connections are denied after a specified
time before shutdown. Current connections are dropped at
a specified time before shutdown.
The format of the file specified by path is:
year month day hour minute deny_offset disc_offset text
year A value of 1970 or greater.
month A value of 0 to 11.
day A value of 1 to 31.
hour A value of 0 to 23.
minute A value of 0 to 59.
deny_offset The offsets in HHMM format that
disc_offset new connections will be denied
and existing connections will be
disconnected before the shutdown
time.
text Follows the normal rules for any
message. The following addi-
tional magic cookies are avail-
able:
%s The time at which the
system is going to shut
down.
%r The time at which new
connections will be
denied.
%d The time at which
current connections
will be dropped.
All times are in the form: ddd MMM DD hh:mm:ss YYYY.
Only one shutdown command can be present in the confi-
guration file. You can use the external program
ftpshut(1M) to automate generation of this file.
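The following Python parser for the shutdown file is an added example, not the server's or ftpshut's own code. It reads the eight fields described above, derives the deny and disconnect instants from the HHMM offsets, expands the %s, %r and %d cookies in the ddd MMM DD hh:mm:ss YYYY form, and reports which state the server should be in at a given moment. The file contents and times are constructed. The detail worth noticing is the month field: the man page defines it as 0 to 11, so a hand-written file that says 6 schedules July, not June.

```python
from datetime import datetime, timedelta

# Constructed shutdown file contents for this example. The month field is
# 5, meaning June, because the man page defines month as 0 to 11.
SAMPLE_SHUTDOWN = (
    "2024 5 14 23 30 0030 0010 "
    "System shutdown at %s.\n"
    "New connections refused from %r, sessions dropped at %d.\n"
)


def _hhmm(text):
    """'0030' -> 30 minutes; '0130' -> 1 hour 30 minutes."""
    value = int(text)
    return timedelta(hours=value // 100, minutes=value % 100)


def parse_shutdown(text):
    """Return (shutdown_at, deny_at, disconnect_at, message). deny_offset
    and disc_offset are HHMM amounts before the shutdown time."""
    fields = text.split(None, 7)
    if len(fields) < 7:
        raise ValueError("shutdown file needs at least seven fields")
    year, month, day, hour, minute = (int(x) for x in fields[:5])
    if not 0 <= month <= 11:
        raise ValueError("month must be 0-11 (0 is January)")
    shutdown_at = datetime(year, month + 1, day, hour, minute)
    message = fields[7] if len(fields) > 7 else ""
    return (shutdown_at,
            shutdown_at - _hhmm(fields[5]),
            shutdown_at - _hhmm(fields[6]),
            message)


def shutdown_time(dt):
    """The form the man page gives for %s, %r and %d: ddd MMM DD hh:mm:ss YYYY."""
    return dt.strftime("%a %b %d %H:%M:%S %Y")


def render_message(parsed):
    """Expand the three shutdown-specific magic cookies in the text."""
    shutdown_at, deny_at, disconnect_at, message = parsed
    return (message.replace("%s", shutdown_time(shutdown_at))
                   .replace("%r", shutdown_time(deny_at))
                   .replace("%d", shutdown_time(disconnect_at)))


def server_state(parsed, now):
    """'open' before deny_at, 'deny_new' from deny_at, 'disconnect' from
    disconnect_at onward (including after the shutdown time itself)."""
    shutdown_at, deny_at, disconnect_at, _ = parsed
    if now >= disconnect_at:
        return "disconnect"
    if now >= deny_at:
        return "deny_new"
    return "open"
```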
daemonaddress address
Listen only on the IP address specified. If the value is
not set, then the FTP Server will listen for connections
on every IP address. This applies only when the FTP
Server is run in standalone mode.
virtual address root|banner|logfile path
Enable the FTP Server limited virtual hosting capabili-
ties. The address is the IP address of the virtual
server. The second argument specifies that the path is
either the path to the root of the filesystem for this
virtual server, the banner presented to the user when
connecting to this virtual server, or the logfile where
transfers are recorded for this virtual server. If the
logfile is not specified the default log file will be
used. All other message files and permissions as well as
any other settings in this file apply to all virtual
servers. The address may also be specified as a hostname
rather than as an IP number. This is strongly
discouraged since, if DNS is not available at the time
the FTP session begins, the hostname will not be
matched.
root|logfile path
In contrast to limited virtual hosting, complete virtual
hosting allows separate configuration files to be
virtual host specific. See ftpservers(4). The only
addition that is necessary in a virtual host's ftpaccess
file is the root directive, which ensures the correct
root directory is used for the virtual host. This only
works with complete virtual hosting.
path is either the root of the filesystem for this
virtual server or the logfile where transfers for this
virtual server are recorded. root and logfile may only be
specified when not preceded by virtual address in a
virtual host's ftpaccess file.
virtual address hostname|email string
Set the hostname shown in the greeting message and
status command, or the email address used in message
files and on the HELP command, to the given string.
virtual address allow username [username...]
virtual address deny username [username...]
By default, real and guest users are not allowed to log
in on the virtual server, unless they are guests that
are chroot'd to the virtual root. The users listed on
the virtual allow line(s) are granted access. You can
grant access to all users by giving '*' as the username.
The virtual deny clauses are processed after the virtual
allow clauses. Thus specific users can be denied access
although all users were allowed in an earlier clause.
virtual address private
Deny log in access to anonymous users on the virtual
server. Anonymous users are generally allowed to log in
on the virtual server if this option is not specified.
virtual address passwd file
Use a different passwd file for the virtual host.
virtual address shadow file
Use a different shadow file for the virtual host.
defaultserver deny username [username...]
defaultserver allow username [username...]
By default, all users are allowed access to the non-
virtual FTP Server. Use defaultserver deny to revoke
access for specific real and guest users. Specify '*' to
deny access to all users, except anonymous users.
Specific real and guest users can then be allowed access
by using defaultserver allow.
defaultserver private
By default, all users are allowed access to the non-
virtual FTP Server. Use defaultserver private to revoke
access for anonymous users.
The virtual and defaultserver allow, deny and private
clauses provide a means to control which users are
allowed access to which FTP Servers.
passive address externalip cidr
Allow control of the address reported in response to a
passive command. When any control connection matching
cidr requests a passive data connection (PASV), the
externalip address is reported. This does not change the
address that the daemon actually listens on, only the
address reported to the client. This feature allows the
daemon to operate correctly behind IP renumbering
firewalls. For example:
passive address 10.0.1.15 10.0.0.0/8
passive address 192.168.1.5 0.0.0.0/0
Clients connecting from the class-A network 10 will be
told the passive connection is listening on IP address
10.0.1.15 while all others will be told the connection
is listening on 192.168.1.5. Multiple passive addresses
may be specified to handle complex, or multi-gatewayed,
networks.
passive ports cidr min max
Allows control of the TCP port numbers which may be used
for a passive data connection. If the control connection
matches the cidr, a port in the range min to max will be
randomly selected for the daemon to listen on. This
feature allows firewalls to limit the ports that remote
clients may use to connect into the protected network.
cidr is shorthand for an IP address followed by a slash
and the number of left-most bits that represent the net-
work address, as opposed to the machine address. For
example, if you are using the reserved class-A network
10, instead of a netmask of 255.0.0.0, use a CIDR of /8,
as in 10.0.0.0/8, to represent your network.
When min and max are both 0, the kernel rather than the
FTP server selects the TCP port to listen on. Kernel
port selection is usually not desirable if the kernel
allocates TCP ports sequentially, since a sequential
allocator makes the next data port predictable to a
third party, who may connect to it ahead of the real
client. If in doubt, let the FTP server do the port
selection.
pasv-allow class [addrglob...]
port-allow class [addrglob...]
Normally, the FTP Server does not allow a PORT command
to specify an address different than that of the control
connection. Nor does it allow a PASV connection from
another address.
The port-allow clause provides a list of addresses that
the specified class of user may give on a PORT command.
These addresses will be allowed even if they do not
match the IP address of the client-side of the control
connection.
The pasv-allow clause provides a list of addresses that
the specified class of user may make data connections
from. These addresses will be allowed even if they do
not match the IP address of the client-side of the con-
trol connection.
lslong command [options...]
lsshort command [options...]
lsplain command [options...]
Use the lslong, lsshort, and lsplain clauses to specify
the commands and options to use to generate directory
listings. The options cannot contain spaces, and the
default values for these clauses are generally correct.
Use lslong, lsshort, or lsplain only if absolutely
necessary.
mailserver hostname
Specify the name of a mail server that will accept
upload notifications for the FTP Server. Multiple mail
servers may be listed. The FTP Server will attempt to
deliver the upload notification to each, in order, until
one accepts the message. If no mail servers are speci-
fied, localhost is used. This option is only meaningful
if anyone is to be notified of anonymous uploads. See
incmail.
incmail emailaddress
virtual address incmail emailaddress
defaultserver incmail emailaddress
Specify email addresses to be notified of anonymous
uploads. Multiple addresses can be specified. Each will
receive a notification. If no addresses are specified,
no notifications are sent.
If addresses are specified for a virtual host, only
those addresses will be sent notification of anonymous
uploads on that host. Otherwise, notifications will be
sent to the global addresses.
defaultserver addresses only apply when the FTP session
is not using one of the virtual hosts. In this way, you
can receive notifications for your default anonymous
area, but not see notifications to virtual hosts that do
not have their own notifications.
mailfrom emailaddress
virtual address mailfrom emailaddress
defaultserver mailfrom emailaddress
Specify the sender's email address for anonymous upload
notifications. Only one address may be specified. If no
mailfrom applies, email is sent from the default mailbox
name wu-ftpd. To avoid problems if the recipient
attempts to reply to a notification, or if downstream
mail problems generate bounces, you should ensure the
mailfrom address is deliverable.
sendbuf size [typelist]
recvbuf size [typelist]
Set the send or receive buffer sizes used for binary
transfers. They have no effect on ASCII transfers.
rhostlookup yes|no [addrglob ...]
Allows or disallows the lookup of the remote host's
name. Name lookups can be slow, but skipping them means
that places where an addrglob is matched (for example,
in the class capability) will match only an IP address,
not a name. Also deny !nameserved and dns
refuse_no_reverse or refuse_mismatch will deny access
when a name lookup is not done. The default is to lookup
the remote host's name.
Only IP addresses, not names, are matched in addrglob.
flush-wait yes|no [typelist]
Controls the behavior at the end of a download or direc-
tory listing. If yes, shutdown the data connection for
sending and wait for the client to close its end before
sending a transfer complete reply on the control connec-
tion. This is the default behavior. If no, close the
data connection and send the transfer complete reply
without waiting for the client. With this behavior, data
loss can go undetected.
If a client hangs at the end of a directory listing, or
the system has many sockets in the FIN_WAIT_2 state, try
setting to no as a workaround for broken client
behavior.
Permission Capabilities
The following permission capabilities are supported:
chmod yes|no typelist
delete yes|no typelist
overwrite yes|no typelist
rename yes|no typelist
umask yes|no typelist
Allows or disallows the ability to perform the specified
function. By default, all real and guest users are
allowed. Anonymous users are only allowed overwrite and
umask.
typelist is a comma-separated list of any of the keywords
anonymous, guest, real and class=. When class=
appears, it must be followed by a classname. If any
class= appears, the typelist restriction applies only to
users in that class.
passwd-check none|trivial|rfc822 [enforce|warn]
Define the level and enforcement of password checking
done by the FTP Server for anonymous FTP.
none No password checking is performed.
trivial The password must contain an '@'.
rfc822 The password must be RFC 822 compliant.
warn Warn, but permit the login.
enforce Notify and deny the login.
deny-email case-insensitive-emailaddress
Consider the email address given as an argument as
invalid. If passwd-check is set to enforce, anonymous
users giving this address as a password cannot log in.
That way, you can stop users from having stupid WWW
browsers use fake addresses like IE?0User@ or mozilla@.
(by using this, you are not shutting out users using a
WWW browser for ftp - you just make them configure their
browser correctly.) Only one address is allowed per
line, but you can have as many deny-email addresses as
you like.
path-filter typelist message allowed_regexp
[disallowed_regexp...]
For users in typelist, path-filter defines regular
expressions that control what characters can be used in
the filename of an uploaded file or created directory.
There may be multiple disallowed regular expressions. If
a filename is invalid due to failure to match the regular
expression criteria, message will be displayed to
the user. For example:
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
specifies that all upload filenames for anonymous users
must be made of only the characters A-Z, a-z, 0-9, and
"._-" and may not begin with a "." or a "-". If the
filename is invalid, /etc/pathmsg will be displayed to
the user.
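The same rule applied in code: an added example, not from the man page or the FTP Server source, that parses a path-filter line and checks candidate upload names against it. It uses the escaped form ^\. for the leading-dot rule, since in a regular expression an unescaped dot matches any character.

```python
import re

def parse_path_filter(line):
    """Split one ftpaccess path-filter line into its fields:
    typelist, message file, allowed_regexp, disallowed_regexp..."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "path-filter":
        raise ValueError("not a complete path-filter line: %r" % line)
    return {
        "typelist": fields[1].split(","),
        "message": fields[2],
        "allowed": re.compile(fields[3]),
        "disallowed": [re.compile(p) for p in fields[4:]],
    }

def check_upload_name(name, pf):
    """Return None if the name is acceptable, otherwise the message file
    the server would display: the name must match allowed_regexp and
    must match none of the disallowed regexps."""
    if not pf["allowed"].search(name):
        return pf["message"]
    for pattern in pf["disallowed"]:
        if pattern.search(name):
            return pf["message"]
    return None

# The page's example rule.  Note the escaped dot in "^\.": an unescaped
# "^." would match any first character and reject every non-empty name.
ANON_FILTER = parse_path_filter(
    r"path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-")
```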
upload [absolute|relative] [class=classname]... [-]
root-dir dirglob yes|no owner group mode
[dirs|nodirs] [d_mode]
Define a directory with dirglob that permits or denies
uploads. If it does permit uploads, all newly created
files will be owned by owner and group and will have
their permissions set according to mode. Existing files
that are overwritten will retain their original ownership
and permissions. Directories are matched on a
best-match basis. For example:
upload /var/ftp * no
upload /var/ftp /incoming yes ftp daemon 0666
upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs
would only allow uploads into /incoming and
/incoming/gifs. Files that were uploaded to /incoming
are owned by ftp/daemon and have permissions of 0666.
Files uploaded to /incoming/gifs are owned by jlc/guest
and have permissions of 0600. The optional "dirs" and
"nodirs" keywords can be specified to allow or disallow
the creation of new subdirectories using the mkdir command.
If the upload command is used, directory creation
is allowed by default. To turn it off by default, you
must specify a user, group and mode followed by the
"nodirs" keyword as the first line where the upload command
is used in this file. If directories are permitted,
the optional d_mode determines the permissions for a
newly created directory. If d_mode is omitted, the permissions
are inferred from mode. The permissions are
0777 if mode is also omitted. The upload keyword only
applies to users who have a home directory of root-dir.
root-dir may be specified as "*" to match any home
directory. The owner or group may each be specified as
"*", in which case any uploaded files or directories
will be created with the ownership of the directory in
which they are created. The optional first parameter
selects whether root-dir names are interpreted as absolute
or relative to the current chroot'd environment.
The default is to interpret root-dir names as absolute.
You can specify any number of class=classname restrictions.
If any are specified, this upload clause only
takes effect if the current user is a member of one of
the classes.
In the absence of any matching upload clause, real and
guest users can upload files and make directories, but
anonymous users cannot. The mode of uploaded files is
0666. For created directories, the mode is 0777. Both
modes are modified by the current umask setting.
throughput root-dir subdir-glob file-glob-list
bytes-per-second bytes-per-second-multiply remote-glob-list
Define files by means of a comma-separated file-glob-list
in subdir matched by subdir-glob under root-dir
that have restricted transfer throughput of bytes-per-second
on download when the remote hostname or remote IP
address matches the comma-separated remote-glob-list.
Entries are matched on a best-match basis. For example:
throughput /e/ftp * * oo - *
throughput /e/ftp /sw* * 1024 0.5 *
throughput /e/ftp /sw* README oo - *
throughput /e/ftp /sw* * oo - *.foo.com
would set maximum throughput by default, but restrict
download to 1024 bytes per second for any files under
/e/ftp/sw/ that are not named README. The only exceptions
are remote hosts from within the domain foo.com,
which always get maximum throughput. Every time a remote
client has retrieved a file under /e/ftp/sw/, the bytes
per second of the matched entry line are internally
multiplied by a factor, here 0.5. When the remote client
retrieves its second file, it is served with 512 bytes
per second, the third time with only 256 bytes per
second, the fourth time with only 128 bytes per second,
and so on. The string "oo" for the bytes per second
field means no throughput restriction. A multiply factor
of 1.0 or "-" means no change of the throughput after
every successful transfer. The root-dir here must match
the home directory specified in the password database.
The throughput keyword only applies to users who have a
home directory of root-dir.
anonymous-root root-dir [class...]
root-dir specifies the chroot() path for anonymous
users. If no anonymous-root is matched, the old method
of parsing the home directory for the FTP user is used.
If no class is specified, this is the root directory for
anonymous users who do not match any other anonymous-root
specification. Multiple classes may be specified on
this line. If an anonymous-root is chosen for the user,
the FTP user's home directory in the root-dir/etc/passwd
file is used to determine the initial directory and the
FTP user's home directory in the system-wide /etc/passwd
is not used. For example:
anonymous-root /home/ftp
anonymous-root /home/localftp localnet
causes all anonymous users to be chroot'd to the directory
/home/ftp. If the FTP user exists in
/home/ftp/etc/passwd, their initial CWD is that home
directory. Anonymous users in the class localnet, however,
are chroot'd to the directory /home/localftp and
their initial CWD is taken from the FTP user's home
directory in /home/localftp/etc/passwd.
guest-root root-dir [uid-range...]
root-dir specifies the chroot() path for guest users. If
no guest-root is matched, the old method of parsing the
user's home directory is used. If no uid-range is specified,
this is the root directory for guest users who do
not match any other guest-root specification. Multiple
UID ranges may be given on this line. If a guest-root is
chosen for the user, the user's home directory in the
root-dir/etc/passwd file is used to determine the initial
directory and the home directory in the system-wide
/etc/passwd is not used. uid-range specifies names or
numeric UID values. To use numbers, put a percent sign
(%) symbol before it or before the range. Ranges are
specified by giving the lower and upper bounds
(inclusive), separated by a dash. If the lower bound is
omitted, it means all up to. If the upper bound is omitted,
it means all starting from. For example:
guest-root /home/users
guest-root /home/staff %100-999 sally
guest-root /home/users/owner/ftp frank
causes all guest users to chroot() to /home/users then
starts each user in the user's home directory, as specified
in /home/users/etc/passwd. Users in the range 100
through 999, inclusive, and user sally, will be chroot'd
to /home/staff and the CWD will be taken from their
entries in /home/staff/etc/passwd. The single user frank
will be chroot'd to /home/users/owner/ftp and the CWD
will be from his entry in
/home/users/owner/ftp/etc/passwd.
The order is important for both anonymous-root and
guest-root. If a user would match multiple clauses, only
the first applies; with the exception of the clause
which has no class or uid-range, which applies only if
no other clause matches.
deny-uid uid-range [uid-range...]
deny-gid gid-range [gid-range...]
allow-uid uid-range [uid-range...]
allow-gid gid-range [gid-range...]
Use these clauses to specify UID and GID values that
will be denied access to the FTP Server. The allow-uid
and allow-gid clauses may be used to allow access for
UID and GID values which would otherwise be denied.
These checks occur before all others. deny is checked
before allow. The default is to allow access. These
clauses do not apply to anonymous users. Use
defaultserver private to deny access to anonymous users.
In most cases, these clauses obviate the need for an
ftpusers(4) file. For example, the following clauses
deny FTP Server access to all privileged or special
users and groups, except the guest1 user or group.
deny-gid %-99 nobody noaccess nogroup
deny-uid %-99 nobody noaccess nobody4
allow-gid guest1
allow-uid guest1
Support for the ftpusers file still exists, so it may be
used when changing the ftpaccess file is not desired. In
any place a single UID or GID is allowed throughout the
ftpaccess file, either names or numbers also may be
used. To use a number, put a percent sign (%) symbol
before it. In places where a range is allowed, put the
percent sign before the range. A "*" matches all UIDs or
GIDs.
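An added example, not part of the man page or the FTP Server, showing how the uid-range syntax described under guest-root (percent-prefixed numbers, open-ended ranges, names) is parsed, how the deny/allow clauses above are evaluated in the order the text gives (deny first, allow re-admitting, default allow), and how the guest-root example picks a root for a user. The passwd and group tables are constructed for the example.

```python
# Constructed passwd/group name tables (not from the page); in.ftpd uses the name service.
PASSWD = {"root": 0, "guest1": 50, "alice": 1001, "sally": 1500,
          "frank": 2000, "nobody": 60001, "noaccess": 60002, "nobody4": 65534}
GROUP = {"root": 0, "guest1": 50, "staff": 100, "nobody": 60001,
         "noaccess": 60002, "nogroup": 65534}

def parse_range(token, names):
    """One uid-range/gid-range token -> inclusive (lo, hi).  A leading '%'
    means numeric; '-' separates the bounds and either may be omitted;
    '*' matches everything; anything else is a name looked up in names."""
    if token == "*":
        return (0, float("inf"))
    if token.startswith("%"):
        lo, dash, hi = token[1:].partition("-")
        if not dash:
            return (int(lo), int(lo))
        return (int(lo) if lo else 0, int(hi) if hi else float("inf"))
    return (names[token], names[token])

def in_ranges(value, tokens, names):
    return any(lo <= value <= hi
               for lo, hi in (parse_range(t, names) for t in tokens))

def access_allowed(uid, gid, rules):
    """deny-uid/deny-gid are checked first; allow-uid/allow-gid re-admit a
    value that would otherwise be denied; with no match, access is allowed."""
    denied = (in_ranges(uid, rules.get("deny-uid", []), PASSWD)
              or in_ranges(gid, rules.get("deny-gid", []), GROUP))
    allowed = (in_ranges(uid, rules.get("allow-uid", []), PASSWD)
               or in_ranges(gid, rules.get("allow-gid", []), GROUP))
    return not denied or allowed

def guest_root_for(uid, clauses):
    """guest-root selection: the first clause whose uid-range matches wins;
    a clause with no range is used only when no other clause matches."""
    fallback = None
    for root_dir, tokens in clauses:
        if not tokens:
            fallback = fallback or root_dir
        elif in_ranges(uid, tokens, PASSWD):
            return root_dir
    return fallback

# The two examples from the page, as parsed rule sets.
DENY_ALLOW = {"deny-gid": ["%-99", "nobody", "noaccess", "nogroup"],
              "deny-uid": ["%-99", "nobody", "noaccess", "nobody4"],
              "allow-gid": ["guest1"], "allow-uid": ["guest1"]}
GUEST_ROOTS = [("/home/users", []), ("/home/staff", ["%100-999", "sally"]),
               ("/home/users/owner/ftp", ["frank"])]
```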
restricted-uid uid-range [uid-range...]
restricted-gid gid-range [gid-range...]
unrestricted-uid uid-range [uid-range...]
unrestricted-gid gid-range [gid-range...]
These clauses control whether or not real or guest users
will be allowed access to areas on the FTP site outside
their home directories. These clauses are not meant to
replace the use of guestgroup and guestuser. Instead,
use these clauses to supplement the operation of guests.
The unrestricted-uid and unrestricted-gid clauses may be
used to allow users outside their home directories who
would otherwise be restricted.
The following example shows the intended use for these
clauses. Assume user dick has a home directory
/home/dick and jane has a home directory /home/jane:
guest-root /home dick jane
restricted-uid dick jane
While both dick and jane are chroot'd to /home, they
cannot access each other's files because they are restricted
to their home directories. However, you should
not rely solely upon the FTP restrictions to control
access. As with all other FTP access rules, you should
also use directory and file permissions to support the
operation of the ftpaccess configuration.
site-exec-max-lines number [class...]
The SITE EXEC feature traditionally limits the number of
lines of output that may be sent to the remote client.
Use this clause to set this limit. If this clause is
omitted, the limit is 20 lines. A limit of 0 (zero)
implies no limit. Be very careful if you choose to
remove the limit. If a clause is found matching the
remote user's class, that limit is used. Otherwise, the
clause with class '*', or no class given, is used. For
example:
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
limits output from SITE EXEC (and therefore SITE INDEX)
to 200 lines for remote users, specifies there is no
limit at all for local users, and sets a limit of 25
lines for all other users.
dns refuse_mismatch filename [override]
Refuse FTP sessions when the forward and reverse lookups
for the remote site do not match. Lookups are done using
the system's name service as configured in
nsswitch.conf(4). Display the named file, like a message
file, admonishing the user. If the optional override is
specified, allow the connection after complaining.
dns refuse_no_reverse filename [override]
Refuse FTP sessions when the remote host's IP address
has no associated name. Lookups are done using the
system's name service as configured in nsswitch.conf(4).
Display the named file, such as a message file, admonishing
the user. If the optional override is specified,
allow the connection after complaining.
dns resolveroptions [options]
Modify certain internal resolver variables. This only
has an effect when DNS is used as the system's name service.
The line takes a series of options which are used
to set the RES_OPTIONS environment variable, see
resolv.conf(4) for details. For example:
dns resolveroptions rotate attempts:1
turns on querying name servers round-robin and selects
querying each name server only once.
Lines that begin with a # sign are treated as comment lines
and are ignored.
FILES
/etc/ftpd/ftpaccess
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWftpr |
|_____________________________|_____________________________|
| Interface Stability | External |
|_____________________________|_____________________________|
SEE ALSO
compress(1), ls(1), tar(1), ftpaddhost(1M), ftpconfig(1M),
ftpshut(1M), in.ftpd(1M), chroot(2), nice(2), umask(2),
getgrnam(3C), resolver(3RESOLV), ftpconversions(4),
ftpgroups(4), ftpservers(4), ftpusers(4), nsswitch.conf(4),
resolv.conf(4), timezone(4), xferlog(4), attributes(5),
fnmatch(5)
Crocker, David H. RFC 822, Standard For The Format Of ARPA
Internet Text Messages. Network Information Center. August
1982.
St. Johns, Michael. RFC 931, Authentication Server. Network
Working Group. January 1985.
Man(1) output converted with
man2html and wrapped by fishsponge
This page was generated on Wed Sep 12 11:27:23 GMT 2007