ftpaccess(5) ftpaccess(5)
Name
ftpaccess - xftpd configuration file
Description
The ftpaccess file is used to configure the operation of xftpd(8).
Access Capabilities
class <class> <typelist> <addrglob> [<addrglob> ...]
Define <class> of users, with source addresses of the form <addr-
glob>. Multiple members of <class> may be defined. There may
be multiple "class" commands listing additional members of the
class. If multiple "class" commands can apply to the current
session, the first one listed in the access file is used.
Failing to define a valid class for a host will cause access to be
denied. <typelist> is a comma-separated list of any of the key-
words "anonymous", "guest" and "real". If the "real" keyword is
included, the class can match users using FTP to access real
accounts, and if the "anonymous" keyword is included the class
can match users using anonymous FTP. The "guest" keyword
matches guest access accounts (see "guest group" for more infor-
mation)
<addrglob> may be a globbed domain name or a globbed numeric address.
It may also be the name of a file, starting with a slash ('/'), which
contains additional address globs, as well as in the form
address:netmask or address/cidr. Placing an exclamation (!) before
an <addrglob> negates the test.
deny <addrglob> <message_file>
Always deny access to host(s) matching <addrglob>. <message_file>
is displayed. <addrglob> may be "!nameserved" to deny access to
sites without a working nameserver. It may also be the name of a
file, starting with a slash ('/'), which contains additional
address globs, as well as in the form address:netmask or
address/cidr.
defumask <umask> [<class>]
Set the umask applied to files created by daemon if the remote use
is a member of the named class. If <class> is not specified, then
use the umask as the default for classes which do not have one
specified. limit-time {*|anonymous} <minutes> Limit the total
time a session can take. By default, there is no limit. Real
users are never limited.
limit <class> <n> <times> <message_file>
Limit <class> to <n> users at times <times>, displaying <mes-
sage_file> if user is denied access. Limit check is performed at
login time only. If multiple "limit" commands can apply to the
current session, the first applicable one is used. Failing to
define a valid limit, or a limit of -1, is equivalent to unlim-
ited. <times> is in same format as the times in the UUCP L.sys
file.
noretrieve [absolute|relative] [class=<classname>] ... [-] <filename>
<filename> ...
Always deny retrieve-ability of these files. If the files are an
absolute path specification (i.e. begins with '/' character) then
only those files are marked un-gettable, otherwise all files with
matching the filename are refused transfer. Example:
noretrieve /etc/passwd core
specifies no one will be able to get the file /etc/passwd whereas
they will be allowed to transfer a file `passwd' if it is not in
/etc. On the other hand no one will be able to get files named
`core' wherever it is.
Absolute path specifications ending with a slash ('/') are taken to
mean all files in the named directory are to marked un-gettable.
The <filename> may be specified as a file glob, or regular expression.
The optional first parameter selects whether names are intepreted as
absolute or relative to the current chroot'd environment. The default
is to intepret names beginning with a slash as absolute.
The noretrieve restrictions may be placed upon members of particular
classes. If any class= is specified the named files are only non-
retrievable if the current user is a member of any of the given
classes.
allow-retrieve [absolute|relative] [class=<classname>]... [-] <file-
name> ...
Allows retrieval of files which would otherwise be denied by nore-
trieve.
krb5_principal <principal name>
Sets the Kerberos V5 service principal name used for the server.
Should be set to ftp/fqdn@REALM
loginfails <number>
After <number> login failures, log a "repeated login failures"
message and terminate the FTP connection. Default value is 5.
Informational Capabilities
greeting full|brief|terse
Allows you to control how much information is given out before the
remote user logs in. 'greeting full' is the default and shows the
hostname and daemon version. 'greeting brief' whose shows the
hostname. 'greeting terse' simply says "FTP server ready."
Although full is the default, brief is recommended.
banner <path>
Works similarly to the message command, except that the banner is
displayed before the user enters the username/password. The
<path> is relative to the real system root, not the base of the
anonymous FTP directory.
WARNING: use of this command can completely prevent non-compliant FTP
clients from making use of the FTP server. Not all clients can handle
multi-line responses (which is how the banner is displayed).
email <name>
Defines the email address of the ftp archive maintainer. This
string will be printed every time the %E magic cookie is used.
message <path> {<when> {<class> ...}}
Define a file with <path> such that xftpd will display the con-
tents of the file to the user login time or upon using the change
working directory command. The <when> parameter may be "LOGIN" or
"CWD=<dir>". If <when> is "CWD=<dir>", <dir> specifies the new
default directory which will trigger the notification.
The optional <class> specification allows the message to be displayed
only to members of a particular class. More than one class may be
specified.
There can be "magic cookies" in the readme file which cause the ftp
server to replace the cookie with a specified text string:
%T local time (form Thu Nov 15 17:12:42 1990)
%F free space in partition of CWD (kbytes)
[not supported on all systems]
%C current working directory
%E the maintainer's email address as defined in ftpaccess
%R remote host name
%L local host name
%u username as determined via RFC931 authentication
%U username given at login time
%M maximum allowed number of users in this class
%N current number of users in this class
%B absolute limit on disk blocks allocated
%b preferred limit on disk blocks
%Q current block count
%I maximum number of allocated inodes (+1)
%i preferred inode limit
%q current number of allocated inodes
%H time limit for excessive disk use
%h time limit for excessive files
The message will only be displayed once to avoid annoying the user.
Remember that when MESSAGEs are triggered by an anonymous FTP user, the
<path> must be relative to the base of the anonymous FTP directory
tree.
readme <path> {<when> {<class>}}
Define a file with <path> such that xftpd will notify user at
login time or upon using the change working directory command that
the file exists and was modified on such-and-such date. The
<when> parameter may be "LOGIN" or "CWD=<dir>". If <when> is
"CWD=<dir>", <dir> specifies the new default directory which will
trigger the notification. The message will only be displayed
once, to avoid bothering users. Remember that when README mes-
sages are triggered by an anonymous FTP user, the <path> must be
relative to the base of the anonymous FTP directory tree.
The optional <class> specification allows the message to be displayed
only to members of a particular class. More than one class may be
specified.
Logging Capabilities
log commands <typelist>
Enables logging of individual commands by users. <typelist> is a
comma-separated list of any of the keywords "anonymous" and
"real". If the "real" keyword is included, logging will be done
for users using FTP to access real accounts, and if the "anony-
mous" keyword is included logging will done for users using anony-
mous FTP.
log transfers <typelist> <directions>
Enables logging of file transfers for either real or anonymous FTP
users. Logging of transfers TO the server (incoming) can be
enabled separately from transfers FROM the server (outbound).
<typelist> is a comma-separated list of any of the keywords
"anonymous" and "real". If the "real" keyword is included, log-
ging will be done for users using FTP to access real accounts, and
if the "anonymous" keyword is included logging will done for users
using anonymous FTP. <directions> is a comma-separated list of
any of the two keywords "inbound" and "outbound", and will respec-
tively cause transfers to be logged for files sent to the server
and sent from the server.
log security <typelist>
Enables logging of violations of security rules (noretrieve,
.notar, ...) for real and/or anonymous users. <typelist> is a
comma-separated list of any of the keywords "anonymous" and
"real". If the "real" keyword is included, logging will be done
for users using FTP to access real accounts, and if the "anony-
mous" keyword is included logging will done for users using anony-
mous FTP.
log syslog
Redirects the logging messages for incoming and outgoing transfers
to syslog. Without this option the messages are written to xfer-
log.
Miscellaneous Capabilities
do_rfc931 no
When specified, the xftpd(8) server will suppress the use of
RFC931 (AUTH/ident) to attempt to determine the username on the
client. This behavior may also be suppressed by providing the
command line argument '-I' to xftpd(8).
sjis <yes|no>
Sets the Shift-JIS mode. When sjis is set to yes the xftpd(8)
server expects all user command and filename input to be encoded
in Shift-JIS. All file output and banners will be sent encoded in
Shift-JIS.
keepalive yes | no
Directs the server to set the "KeepAlive" TCP/IP mode for all con-
nections.
alias <string> <dir>
Defines an alias, <string>, for a directory. Can be used to add
the concept of logical directories.
For example:
alias rfc: /pub/doc/rfc
would allow the user to access /pub/doc/rfc from any directory by the
command "cd rfc:". Aliases only apply to the cd command.
cdpath <dir>
Defines an entry in the cdpath. This defines a search path that is
used when changing directories.
For example:
cdpath /pub/packages
cdpath /.aliases
would allow the user to cd into any directory directly under /pub/pack-
ages or /.aliases directories. The search path is defined by the order
the lines appear in the ftpaccess file.
If the user were to give the command:
cd foo
The directory will be searched for in the following order:
./foo
an alias called "foo"
/pub/packages/foo
/.aliases/foo
The cd path is only available with the cd command. If you have a large
number of aliases you might want to set up an aliases directory with
links to all of the areas you wish to make available to users.
compress <yes|no> <classglob> [<classglob> ...]
tar <yes|no> <classglob> [<classglob> ...]
Enables compress or tar capabilities for any class matching any of
<classglob>. The actual conversions are defined in the external
file FTPLIB/ftpconversions.
shutdown <path>
If the file pointed to by <path> exists, the server will check the
file regularly to see if the server is going to be shut down. If
a shutdown is planned, the user is notified, new connections are
denied after a specified time before shutdown and current connec-
tions are dropped at a specified time before shutdown. <path>
points to a file structured as follows:
<year> <month> <day> <hour> <minute> <deny_offset> <disc_offset>
<text>
<year> any year > 1970
<month> 0-11 <---- LOOK!
<hour> 0-23
<minute> 0-59
<deny_offset> and <disc_offset> are the offsets in HHMM format
before the shutdown time that new connections will be denied and
existing connections will be disconnected.
<text> follows the normal rules for any message (see "message"), with
the following additional magic cookies available:
%s time system is going to shut down
%r time new connections will be denied
%d time current connections will be dropped
all times are in the form: ddd MMM DD hh:mm:ss YYYY. There can be only
one "shutdown" command in the configuration file.
The external program ftpshut(8) can be used to automate the process of
generating this file.
passive address <externalip> <cidr>
Allows control of the address reported in response to a PASV com-
mand. When any control connection matching the <cidr> requests a
passive data connection (PASV), the <externalip> address is
reported. NOTE: this does not change the address the daemone
actually listens on, only the address reported to the client.
This feature allows the daemon to operate correctly behind IP-
renumbering firewalls.
For example:
passive address 10.0.1.15 10.0.0.0/8
passive address 192.168.1.5 0.0.0.0/0
Clients connecting from the class-A network 10 will be told the passive
connection is listening on IP-address 10.0.1.15 while all others will
be told the connection is listening on 192.168.1.5
Multiple passive addresses may be specified to handle complex, or
multi-gatewayed, networks.
passive ports <cidr> <min> <max>
Allows control of the TCP port numbers which may be used for a
passive data connection. If the control connection matches the
<cidr> a port in the range <min> to <max> will be randomly
selected for the daemon to listen on. This feature allows fire-
walls to limit the ports which remote clients may use to connect
into the protected network.
<cidr> is shorthand for an IP address in dotted-quad notation followed
by a slash and the number of left-most bits which represent the network
address (as opposed to the machine address). For example, if you're
using the reserved class-A network 10, instead of a netmask of
255.0.0.0 use a CIDR of /8 as in 10.0.0.0/8 to represent your network.
Permission Capabilities
auth_level standard | gssapi | both
Sets the level of authentication xftpd(8) will accept for login.
standard will accept a cleartext password using the PASS command.
gssapi will accept a Kerberos v5 (GSS) service ticket using the
ADAT command. both directs xftpd(8) to accept either authentica-
tion method.
chroot_type standard | homedir | restricted
Sets the type of restricted environment the user is under when he
logs on. standard Allows users to access the ftp root, their
homedir, and sharepoints. homedir Allows users to access the
their homedir and sharepoints. restricted restricts users to
their own home directory.
chmod <yes|no> <typelist>
delete <yes|no> <typelist>
overwrite <yes|no> <typelist>
rename <yes|no> <typelist>
umask <yes|no> <typelist>
Allows or disallows the ability to perform the specified function.
By default, all users are allowed.
<typelist> is a comma-separated list of any of the keywords "anony-
mous", "real" and "class=". When "class=" appears, it must be followed
by a classname. If any class= appears, the <typelist> restriction
applies only to users in that class.
anonFTP yes | no
Enables/Disables anonymous ftp.
passwd-check <none|trivial|rfc822> (<enforce|warn>)
Define the level and enforcement of password checking done by the
server for anonymous ftp.
none no password checking performed.
trivial password must contain an '@'.
rfc822 password must be an rfc822 compliant address.
warn warn the user, but allow them to log in.
enforce warn the user, and then log them out.
deny-email <case-insensitive-email-address>
Consider the e-mail address given as an argument as invalid. If
passwd-check is set to enforce, anonymous users giving this
address as password cannot log in. That way, you can stop users
from having stupid WWW browsers use fake addresses like IE?0User@
or mozilla@. (by using this, you are not shutting out users using
a WWW browser for ftp - you just make them configure their browser
correctly.) Only one address per line, but you can have as many
deny-email addresses as you like.
defrootdir path
Sets path as the root directory for the FTP server.
path-filter <typelist> <mesg> <allowed_charset> {<disallowed regexp>
...}
For users in <typelist>, path-filter defines regular expressions
that control what a filename can or can not be. There may be mul-
tiple disallowed regexps. If a filename is invalid due to failure
to match the regexp criteria, <mesg> will be displayed to the
user. For example:
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
specifies that all upload filenames for anonymous users must be
made of only the characters A-Z, a-z, 0-9, and "._-" and may not
begin with a "." or a "-". If the filename is invalid,
/etc/pathmsg will be displayed to the user.
upload [absolute|relative] [class=<classname>]... [-] <root-dir> <dir-
glob> <yes|no> <owner> <group> <mode> ["dirs"|"nodirs"] [<d_mode>]
Define a directory with <dirglob> that permits or denies uploads.
If it does permit uploads, all files will be owned by <owner> and
<group> and will have the permissions set according to <mode>.
Directories are matched on a best-match basis.
For example:
upload /var/ftp * no
upload /var/ftp /incoming yes ftp daemon 0666
upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs
This would only allow uploads into /incoming and /incoming/gifs. Files
that were uploaded to /incoming would be owned by ftp/daemon and would
have permissions of 0666. File uploaded to /incoming/gifs would be
owned by jlc/guest and have permissions of 0600. Note that the <root-
dir> here must match the home directory specified in the password data-
base for the "ftp" user.
The optional "dirs" and "nodirs" keywords can be specified to allow or
disallow the creation of new subdirectories using the mkdir command.
Note that if the upload command is used, directory creation is allowed
by default. To turn it off by default, you must specify a user, group
and mode followed by the "nodirs" keyword as the first line where the
upload command is used in this file.
If directories are permitted, the optional <d_mode> determines the per-
missions for a newly created directory. If <d_mode> is omitted, the
permissions are inferred from <mode> or are 0777 if <mode> is also
omitted.
The upload keyword only applies to users who have a home directory (the
argument to the chroot() ) of <root-dir>. <root-dir> may be specified
as "*" to match any home directory.
The <owner> and/or <group> may each be specified as "*", in which case
any uploaded files or directories will be created with the ownership of
the directory in which they are created.
The optional first parameter selects whether <root-dir> names are
intepreted as absolute or relative to the current chroot'd environment.
The default is to intepret <root-dir> names as absolute.
You can specify any number of 'class=<classname>' restrictions. If any
are specified, this upload clause only takes effect if the current user
is a member of one of the classes.
throughput <root-dir> <subdir-glob> <file-glob-list> <bytes-per-second>
<bytes-per-second-multiply> <remote-glob-list>
Define files via comma-seperated <file-glob-list> in subdir
matched by <subdir-glob> under <root-dir> that have restricted
transfer throughput of <bytes-per-second> on download when the
remote hostname or remote IP address matches the comma-seperated
<remote-glob-list>.
Entries are matched on a best-match basis.
For example:
throughput /e/ftp * * oo - *
throughput /e/ftp /sw* * 1024 0.5 *
throughput /e/ftp /sw* README oo - *
throughput /e/ftp /sw* * oo - *.foo.com
This would set maximum throughput per default, but restrict down-
load to 1024 bytes/s for any files under /e/ftp/sw/ which are not
named README. The only exceptions are remote hosts from within the
domain foo.com which always get maximum throughput. Every time a
remote client has retrieved a file under /e/ftp/sw/ the bytes per
seconds of the matched entry line are internally multiplied by a
factor, here 0.5. So when the remote client retrieves its second
file it is served with 512 bytes/s, the third time with only 254
bytes/s, the fourth time with only 128 bytes/s and so on.
The string "oo" for the bytes per second field means no throughput
restriction. A multiply factor of 1.0 or "-" means no change of
the throughput after every successful transfer.
Note that the <root-dir> here must match the home directory speci-
fied in the password database for the "ftp" user. The throughput
keyword only applies to users who have a home directory (the argu-
ment to the chroot() ) of <root-dir>.
deny-uid <uid-range> [...]
deny-gid <gid-range> [...]
allow-uid <uid-range> [...]
allow-gid <gid-range> [...]
These clauses allow specification of UID and GID values which will
be denied access to the ftp server. The allow-uid and allow-gid
clauses may be used to allow access for uid/gid which would other-
wise be denied. These checks occur before all others. Deny is
checked before allow. The default is to allow access. Note that
in most cases, this can remove the need for an /etc/ftpusers
files. For example:
deny-gid %-99 %65535
deny-uid %-99 %65535
allow-gid ftp
allow-uid ftp
denies ftp access to all privileged or special users and groups
box except the anonymous 'ftp' user/group. In many cases, this
can eliminate the need for the /etc/ftpusers file. support for
that file still exists so it may be used when changing /etc/ftpac-
cess is not desired.
Throughout the ftpaccess file, any place a single UID or GID is
allowed, either names or numbers may be used. To use numbers, put
a '%' before it. In places where a range is allowed, put the '%'
before the range.
Files
FTPLIB/ftpaccess
See Also
xftpd(8), umask(2), ftplog(5), ftpconversions(5), ftpshut(8)
ftpaccess(5)
Mac OS X 10.6Server - Generated Thu Apr 15 07:12:13 CDT 2010