 ftpaccess(4)							ftpaccess(4)




 NAME
      ftpaccess - ftpd configuration file

 SYNOPSIS
      /etc/ftpd/ftpaccess

 DESCRIPTION
      The /etc/ftpd/ftpaccess file is used to configure the operation of
      ftpd (see ftpd(1M)).

    Access Capabilities
      autogroup groupname class [ class ... ]

	   If an anonymous user is a member of any of class, the ftp server
	   will perform a setgid() to groupname.  This allows access to
	   group-and-owner-read-only files and directories to a particular
	   class of anonymous users.  groupname is a valid group from
	   /etc/group (or whatever mechanism your getgrent() library routine
	   uses; see getgrent(3C)).

      class class typelist addrglob [ addrglob ... ]

	   Define class of users, with source addresses of the form
	   addrglob.  Multiple members of class may be defined.	 There may
	   be multiple class commands, listing additional members of the
	   class.  If multiple class commands can apply to the current
	   session, the first one listed in the access file is used.
	   Failing to define a valid class for a host will cause access to
	   be denied.  typelist is a comma-separated list of any of the
	   keywords anonymous, guest and real.	If the real keyword is
	   included, the class can match users using FTP to access real
	   accounts, and if the anonymous keyword is included, the class can
	   match users using anonymous FTP.  The guest keyword matches guest
	   access accounts (see guestgroup below for more information).

	   addrglob may be a globbed domain name or a globbed numeric
	   address. There can be multiple addrglob's for this directive.  To
	   avoid confusion when you have multiple addrglob's, you can put
	   all the addrglob's in a file and specify the path of the file in
	   place of the addrglob's.

      deny addrglob message_file

	   Always deny access to the host(s) matching addrglob.
	   message_file is the file from which denial message is displayed
	   to the hosts that are denied access.	 addrglob may be !nameserved
	   to deny access to sites without a working nameserver.

      guestgroup groupname [ groupname ... ]

 Hewlett-Packard Company	    - 1 -   HP-UX Release 11i: November 2000

	   If a real user is a member of any of groupname, the session is
	   set up exactly as with anonymous FTP.  In other words, a chroot()
	   is done, and the user is no longer permitted to issue the USER
	   and PASS commands.  groupname is a valid group from /etc/group
	   (or whatever mechanism your getgrent() library routine uses).

	   The user's home directory must be properly set up, exactly as
	   anonymous FTP would be.  The home directory field of the passwd
	   entry is divided into two directories.  The first field is the
	   root directory which will be the argument to the chroot call.
	   The second half is the user's home directory relative to the root
	   directory.  The two halves are separated by a /./.

	   Example:

	   In the /etc/passwd file, the sample entry is:

	   guest1:<passwd>:100:92:Guest Account:/ftp/./incoming:/etc/ftponly

	   When guest1 successfully logs in, the ftp server will chroot
	   (/ftp) and then chdir (/incoming).  The guest user will only be
	   able to access the directory structure under /ftp (which will
	   look and act as / to guest1), just as an anonymous FTP user
	   would.
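	   An added example (not code from this manual page or from ftpd)
	   that applies the /./ rule described above to a constructed
	   passwd entry and flags an entry whose root would be / and so
	   would not confine the guest; the fallback used when the marker
	   is absent is an assumption, not something the page states.

```python
# Added example, not ftpd's code.  Splits a guestgroup user's passwd home
# field at "/./" into the chroot() root and the chdir() target, as the
# text above describes, and flags entries that would not confine the user.
SAMPLE_PASSWD = "guest1:x:100:92:Guest Account:/ftp/./incoming:/etc/ftponly"  # constructed

def split_guest_home(home):
    """Return (chroot_root, chdir_path) for a guestgroup home field."""
    marker = "/./"
    idx = home.find(marker)
    if idx == -1:
        # Assumption (the page does not say): with no marker the whole
        # field is the root and the session starts at "/" inside it.
        return (home.rstrip("/") or "/"), "/"
    root = home[:idx] or "/"
    rel = home[idx + len(marker):].strip("/")
    return root, ("/" + rel if rel else "/")

def guest_session(passwd_line):
    """Describe what ftpd would do for one passwd entry and list problems."""
    fields = passwd_line.split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry: %r" % passwd_line)
    root, rel = split_guest_home(fields[5])
    problems = []
    if root == "/":
        problems.append("root is /: the guest would not be confined")
    elif not root.startswith("/"):
        problems.append("root is not an absolute path")
    return {"user": fields[0], "chroot": root, "chdir": rel,
            "problems": problems}
```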

      limit class n times message_file

	   Limit class to n users at specified times, displaying
	   message_file if user is denied access.  The limit check is
	   performed at login time only.  If multiple limit commands apply
	   to the current session, the first applicable one is used.
	   Failing to define a valid limit, or a limit of -1, is equivalent
	   to unlimited.  The format for times can be any of the following:
	   Any		       Any week day
	   Fr		       Friday
	   Any0900-1300	       Any day of week between 9.00 - 13.00 hrs.
	   Th|Any0900-1300     Either Thursday or between 9.00 - 13.00.
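	   An added example (not code from this manual page or from ftpd)
	   that parses the times field in the forms listed above and tests
	   whether a given moment falls inside it.  Concatenated day names
	   and an exclusive window end are assumptions beyond what the page
	   shows.

```python
# Added example, not ftpd's code.  Parses the limit directive's "times"
# field (alternatives separated by "|", each a day part with an optional
# HHMM-HHMM window) and tests whether a given moment falls inside it.
import re
from datetime import datetime

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]   # index == datetime.weekday()
_ALT = re.compile(r"^(Any|(?:Mo|Tu|We|Th|Fr|Sa|Su)+)(?:(\d{4})-(\d{4}))?$")

def _minutes(hhmm):
    hour, minute = int(hhmm[:2]), int(hhmm[2:])
    if hour > 23 or minute > 59:
        raise ValueError("bad HHMM value: " + hhmm)
    return hour * 60 + minute

def parse_times(spec):
    """Return [(weekday_set, window)] where window is (start, end) in
    minutes since midnight, or None for the whole day.  Concatenated
    day names such as MoTuWe are accepted; the page shows only single
    days and Any, so that extension is an assumption."""
    alts = []
    for alt in spec.split("|"):
        m = _ALT.match(alt)
        if not m:
            raise ValueError("unrecognised times alternative: %r" % alt)
        daypart, start, end = m.groups()
        if daypart == "Any":
            days = set(range(7))
        else:
            days = {DAYS.index(daypart[i:i + 2]) for i in range(0, len(daypart), 2)}
        window = None if start is None else (_minutes(start), _minutes(end))
        alts.append((days, window))
    return alts

def limit_applies(spec, when):
    """True if datetime `when` is covered by any alternative of spec.
    The window start is inclusive and the end exclusive (an assumption;
    the page only says 'between')."""
    minute = when.hour * 60 + when.minute
    for days, window in parse_times(spec):
        if when.weekday() not in days:
            continue
        if window is None or window[0] <= minute < window[1]:
            return True
    return False

def limit_applies_at(spec, year, month, day, hour, minute):
    """Convenience wrapper taking calendar fields instead of a datetime."""
    return limit_applies(spec, datetime(year, month, day, hour, minute))
```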

      noretrieve filename [ filename ... ]

	   Always deny retrievability of these files.  If a filename is an
	   absolute path specification (i.e., it begins with the / character),
	   then only that file is marked unretrievable.  Otherwise all files
	   with the matching filename are refused transfer.  Example:

	   noretrieve /etc/passwd core

	   specifies that no one is able to get the file /etc/passwd,
	   whereas they are allowed to transfer a file, passwd, if it is not
	   in /etc.  On the other hand, no one is able to get a file named
	   core wherever it is.  No globbing is done.
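	   An added example (not code from this manual page or from ftpd)
	   that applies noretrieve entries to a client's request using the
	   two rules above; resolving ".." against the session's working
	   directory before comparing is an added normalisation, not
	   something the page describes.

```python
# Added example, not ftpd's code.  Applies noretrieve entries to a
# requested path the way the text describes: an absolute entry denies
# exactly that file, a bare name denies any file with that final
# component, and no globbing is performed.
import posixpath

NORETRIEVE = ["/etc/passwd", "core"]   # the directive from the example above

def parse_noretrieve(line):
    """Split a 'noretrieve filename ...' directive into its entries."""
    fields = line.split()
    if not fields or fields[0] != "noretrieve":
        raise ValueError("not a noretrieve directive: %r" % line)
    return fields[1:]

def noretrieve_blocks(entries, cwd, requested):
    """Return the entry that denies `requested` (as typed by the client,
    resolved against the session's cwd), or None if retrieval is allowed.
    Resolving ".." before comparing is an added normalisation so that
    ../etc/passwd and /etc/passwd are treated as the same file."""
    path = posixpath.normpath(posixpath.join(cwd, requested))
    base = posixpath.basename(path)
    for entry in entries:
        if entry.startswith("/"):
            if posixpath.normpath(entry) == path:
                return entry
        elif base == entry:            # exact name match only, no wildcards
            return entry
    return None
```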

      loginfails number

	   After number login failures, log a message and terminate the FTP
	   connection.  Default value is 5.

      private yes|no

	   After a user logs in, the SITE GROUP and SITE GPASS ftpd commands
	   may be used to specify an enhanced access group and associated
	   password.  If the group name and password are valid, the user
	   becomes (via setgid()) a member of the group specified in the
	   group access file, /etc/ftpd/ftpgroups.

	   The format of the group access file is:

	   access_group_name:encrypted_password:real_group_name

	   where access_group_name is an arbitrary (alphanumeric and
	   punctuation) string.	 encrypted_password is the password
	   encrypted via crypt() (see crypt(3C)) exactly like in
	   /etc/passwd.	 real_group_name is the name of a valid group listed
	   in /etc/group.

	   NOTE: For this option to work for anonymous FTP users, the ftp
	   server must keep /etc/group permanently open and the group access
	   file is loaded into memory.	This means that: (1) the ftp server
	   now has an additional file descriptor open, and (2) the necessary
	   passwords and access privileges granted to users via SITE GROUP
	   (see ftpd(1M)) will be static for the duration of an FTP session.
	   If you have an urgent need to change the access groups and/or
	   passwords immediately, you must kill all of the running FTP
	   servers.

    Informational Capabilities
      banner path

	   Works similarly to the message command (see below), except that
	   the banner is displayed before the user enters the username and
	   password.  The path is relative to the real system root, not the
	   base of the anonymous FTP directory.

      email name

	   Defines the email address of the ftp archive maintainer.  This
	   string will be printed every time the %E magic cookie is used.

      message path [ when [ class... ]]

	   Define a file with path such that ftpd will display the contents
	   of the file to the user at login time or upon using the change
	   working directory command.  The when parameter may be LOGIN or
	   CWD=<dir>.  If when is CWD=<dir>, dir specifies the new default
	   directory which will trigger the notification.

	   The optional class specification allows the message to be
	   displayed only to members of a particular class.  More than one
	   class may be specified.

	   In the message file the user can key in a message and use the
	   `macros' or `magic cookies' that are available. The ftp server
	   will replace the cookie with a specified text string.  The
	   following magic cookies are available:

	   %T	local time (form Thu Nov 15 17:12:42 1990)
	   %C	current working directory
	   %E	the maintainer's email address as defined in ftpaccess
	   %R	remote host name
	   %L	local host name
	   %u	username as determined via RFC931 authentication
	   %U	username given at login time
	   %M	maximum allowed number of users in this class
	   %N	current number of users in this class

	   The message will only be displayed once to avoid annoying the
	   user.  Remember that when messages are triggered by an anonymous
	   FTP user, the path must be relative to the base of the anonymous
	   FTP directory tree.

      readme path [ when [ class ]]

	   Define a file with path such that ftpd will notify the user at
	   login time or upon using the change working directory command
	   that the file exists and was modified on such-and-such date.  The
	   when parameter may be LOGIN or CWD=<dir>.  If when is CWD=<dir>,
	   dir specifies the new default directory which will trigger the
	   notification.  The message will only be displayed once, to avoid
	   bothering users.  Remember that when README messages are
	   triggered by an anonymous FTP user, the path must be relative to
	   the base of the anonymous FTP directory tree.

	   The optional class specification allows the message to be
	   displayed only to members of a particular class.  More than one
	   class may be specified.

      sendfiletransfer yes|no

	   If this option is set, sendfile() will be used for file transfer.
	   If set to no, send() will be used.  sendfile() will be the
	   default mode of transfer if this option is not used.

      suppresshostname yes|no

	   If this option is set, the name of the FTP server will be
	   suppressed in the banner output and in the output of the STAT
	   command.

      suppressversion yes|no

	   If this option is set, the version of FTP server will be
	   suppressed in the banner output and in the output of the STAT
	   command. This option requires that the suppresshostname option be
	   set.

    Logging Capabilities
      log commands typelist

	   Enables logging of individual commands by users.  typelist is a
	   comma-separated list of any of the keywords anonymous, guest and
	   real.  If the real keyword is included, logging will be done for
	   users using FTP to access real accounts, and if the anonymous
	   keyword is included, logging will be done for users using
	   anonymous FTP.  The guest keyword matches guest access accounts (see
	   guestgroup in the Access Capabilities subsection above for more
	   information).

      log transfers typelist directions

	   Enables logging of file transfers for either real or anonymous
	   FTP users.  Logging of transfers TO the server (incoming) can be
	   enabled separately from transfers FROM the server (outbound).
	   typelist is a comma-separated list of any of the keywords
	   anonymous, guest and real.  If the real keyword is included,
	   logging will be done for users using FTP to access real accounts,
	   and if the anonymous keyword is included, logging will be done
	   for users using anonymous FTP. The guest keyword matches guest
	   access accounts (see guestgroup in the Access Capabilities
	   subsection above for more information).  directions is a comma-
	   separated list of any of the two keywords inbound and outbound,
	   and will respectively cause transfers to be logged for files sent
	   to the server and sent from the server. All the logging is done
	   into the file /var/adm/syslog/xferlog.

    Miscellaneous Capabilities
      alias string dir

	   Defines an alias, string, for the specified directory, dir.	Can
	   be used to add the concept of logical directories.

	   For example:

	   alias rfc /pub/doc/rfc

	   would allow the user to access /pub/doc/rfc from any directory by
	   the command cd rfc:.	 Aliases only apply to the cd command.

      cdpath dir

	   Defines a directory entry in the cdpath.  dir defines a search
	   path that is used when changing directories.

	   For example:

	   cdpath /pub/packages
	   cdpath /.aliases

	   would allow the user to cd into any directory directly under
	   /pub/packages or /.aliases directories.  The search path is
	   defined by the order in which the lines appear in the
	   /etc/ftpd/ftpaccess file.

	   If the user were to give the command:

	   cd foo

	   The directory will be searched for in the following order:

	   ./foo
	   an alias called foo
	   /pub/packages/foo
	   /.aliases/foo

	   The cd path is only available with the cd command. If you have a
	   large number of aliases, you might want to set up an aliases
	   directory with links to all of the areas that you wish to make
	   available to users.

      compress yes|no classglob [ classglob ... ]

      tar yes|no classglob [ classglob ... ]

	   Enables compress or tar capabilities for any class matching any
	   of classglob.  The actual conversions are defined in the external
	   file /etc/ftpd/ftpconversions.

      shutdown path

	   If the file pointed to by path exists, the server will check the
	   file regularly to see if the server is going to be shut down.  If
	   a shutdown is planned, the user is notified, new connections are
	   denied after a specified time before shutdown and current
	   connections are dropped at a specified time before shutdown.
	   path points to a file structured as follows:

	   year	  month	  day	hour   minute	deny_offset   disc_offset
	   text

	   year		  any year > 1970
	   month	  0-11 <-- Note: month index begins from 0
	   hour		  0-23
	   minute	  0-59

	   deny_offset and disc_offset are the offsets in HHMM format before
	   the shutdown time that new connections will be denied and
	   existing connections will be disconnected.

	   text follows the normal rules for any message (see message in the
	   Informational Capabilities subsection), with the following
	   additional magic cookies available:

	   %s	time system is going to shut down
	   %r	time new connections will be denied
	   %d	time current connections will be dropped

	   All times are in the form: ddd MMM DD hh:mm:ss YYYY.	 There can
	   be only one shutdown command in the configuration file.

	   The external program ftpshut can be used to automate the process
	   of generating this file.
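	   An added example (not the ftpshut program and not code from this
	   manual page) that parses a shutdown file in the layout above,
	   derives the deny and disconnect instants from the HHMM offsets,
	   expands the %s, %r and %d cookies and reports the phase a given
	   moment is in; the file contents are a constructed sample.

```python
# Added example, not the ftpshut program.  Parses a shutdown file in the
# layout described above (note the 0-based month), derives the deny and
# disconnect instants from the HHMM offsets, fills in the %s/%r/%d
# cookies and reports which phase a given moment is in.
from datetime import datetime, timedelta

SAMPLE_SHUTDOWN = """2000 10 15 17 30 0030 0010
System going down at %s.
New connections refused from %r; current sessions dropped at %d.
"""   # constructed sample: 15 November 2000 17:30 (month 10 == November)

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # ddd MMM DD hh:mm:ss YYYY

def _offset(hhmm):
    if len(hhmm) != 4 or not hhmm.isdigit():
        raise ValueError("offset must be HHMM: %r" % hhmm)
    return timedelta(hours=int(hhmm[:2]), minutes=int(hhmm[2:]))

def parse_shutdown(text):
    """Return dict with shutdown/deny/disconnect datetimes and the text."""
    head, _, body = text.partition("\n")
    fields = head.split()
    if len(fields) != 7:
        raise ValueError("first line needs 7 fields, got %d" % len(fields))
    year, month, day, hour, minute = (int(x) for x in fields[:5])
    if not 0 <= month <= 11:
        raise ValueError("month is 0-11 (0 = January), got %d" % month)
    when = datetime(year, month + 1, day, hour, minute)
    return {"shutdown": when,
            "deny": when - _offset(fields[5]),
            "disconnect": when - _offset(fields[6]),
            "text": body}

def render_text(sched):
    """Expand the three shutdown-specific magic cookies."""
    out = sched["text"]
    for cookie, key in (("%s", "shutdown"), ("%r", "deny"), ("%d", "disconnect")):
        out = out.replace(cookie, sched[key].strftime(TIME_FMT))
    return out

def phase(sched, now):
    """'open', 'deny' (new logins refused) or 'disconnect' at time `now`."""
    if now >= sched["disconnect"]:
        return "disconnect"
    if now >= sched["deny"]:
        return "deny"
    return "open"
```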

      virtual address root|banner|logfile path

	   Enables the virtual ftp server capabilities. The address is the
	   IP address of the virtual server. The second argument specifies
	   that the path is either the path to the root of the filesystem
	   for this virtual server, the banner presented to the user when
	   connecting to this virtual server, or the logfile where transfers
	   are recorded for this virtual server. If the logfile is not
	   specified, the default logfile will be used.  All other message
	   files and permissions as well as any other settings in this file
	   apply to all virtual servers.

    Permission Capabilities
      chmod yes|no typelist

      delete yes|no typelist

      overwrite yes|no typelist

      rename yes|no typelist

      umask yes|no typelist

	   Allows or disallows the ability to perform the specified
	   function.  By default, all users are allowed.

	   typelist is a comma-separated list of any of the keywords
	   anonymous, guest and real.

      passwd-check none | trivial | rfc822 [ enforce | warn ]

	   Define the level and enforcement of password checking done by the
	   server for anonymous ftp.

	   none		  no password checking performed.
	   trivial	  password must contain an @.
	   rfc822	  password must be an rfc822 compliant address.
	   warn		  warn the user, but allow them to log in.
	   enforce	  warn the user, and then log them out.

      path-filter typelist mesg allowed_charset [ disallowed_regexp ... ]

	   For users in typelist, path-filter defines regular expressions
	   that control what a filename can or cannot be.  Disallowed
	   regular expressions, disallowed_regexp, may be specified with
	   multiple regular expressions (see regexp(5)).  If a filename is
	   invalid due to failure to match the regular expression criteria,
	   mesg will be displayed to the user.	For example:

	   path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

	   specifies that all upload filenames for anonymous users must be
	   made of only the characters A-Z, a-z, 0-9, period (.), dash (-),
	   and underscore (_); and may not begin with a period (.) or a dash
	   (-).	 If the filename is invalid, /etc/pathmsg will be displayed
	   to the user.
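	   An added example (not code from this manual page or from ftpd)
	   that parses the path-filter line above and applies it to
	   candidate upload names.  Python's re module stands in for
	   regexp(5); for these anchored patterns the results agree, except
	   that a POSIX bracket expression treats a backslash literally.

```python
# Added example, not ftpd's code.  Parses a path-filter directive and
# applies it to candidate upload names: the allowed_charset expression
# must match, and none of the disallowed expressions may match.
import re

DIRECTIVE = r"path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-"

def parse_path_filter(line):
    """Split 'path-filter typelist mesg allowed [disallowed ...]'."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "path-filter":
        raise ValueError("not a path-filter directive: %r" % line)
    return {"typelist": fields[1].split(","), "mesg": fields[2],
            "allowed": fields[3], "disallowed": fields[4:]}

def path_filter_check(pf, filename):
    """Return None if the name passes, else the expression that rejected
    it (the caller would then display pf["mesg"] to the user).  re.search
    is used so that the directive's own ^ and $ anchors decide scope."""
    if not re.search(pf["allowed"], filename):
        return pf["allowed"]
    for rx in pf["disallowed"]:
        if re.search(rx, filename):
            return rx
    return None

def applies_to(pf, user_type):
    """True if the filter covers this user class (anonymous, guest, real)."""
    return user_type in pf["typelist"]
```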

      upload root-dir dirglob yes|no owner group mode dirs|nodirs

	   Define a directory with dirglob that permits or denies uploads.

	   If it does permit uploads, all files will be owned by owner and
	   group and will have the permissions set according to mode.

	   Directories are matched on a best-match basis.

	   For example:
	   upload  /var/ftp  *		     no
	   upload  /var/ftp  /incoming	     yes  ftp  daemon  0666
	   upload  /var/ftp  /incoming/gifs  yes  jlc  guest   0600  nodirs

	   This would only allow uploads into /incoming and /incoming/gifs.
	   Files that were uploaded to /incoming would be owned by
	   ftp/daemon and would have permissions of 0666.  Files uploaded to
	   /incoming/gifs would be owned by jlc/guest and have permissions
	   of 0600.  Note that the root-dir here must match the home
	   directory specified in the password database for the ftp user.

	   The optional dirs and nodirs keywords can be specified to allow
	   or disallow the creation of new subdirectories using the mkdir
	   command.

	   The upload keyword only applies to users who have a home
	   directory (the argument to the chroot()) of root-dir.
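	   An added example (not code from this manual page or from ftpd)
	   that parses the three upload lines from the example above and
	   resolves which one governs an upload into a given directory.
	   "Best match" is read here as the longest matching dirglob; the
	   page says only "best-match basis", so that tie-break is an
	   assumption.

```python
# Added example, not ftpd's code.  Parses upload directives and resolves
# the governing rule for an upload directory, plus a defender's check
# for allow-rules whose mode grants write permission to others.
import fnmatch
import posixpath

SAMPLE_RULES = """
upload  /var/ftp  *                  no
upload  /var/ftp  /incoming          yes  ftp  daemon  0666
upload  /var/ftp  /incoming/gifs     yes  jlc  guest   0600  nodirs
"""

def parse_upload_rules(text):
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] != "upload":
            continue
        if len(f) < 4 or f[3] not in ("yes", "no"):
            raise ValueError("bad upload directive: %r" % line)
        rule = {"root": f[1], "dirglob": f[2], "allow": f[3] == "yes",
                "owner": None, "group": None, "mode": None, "dirs": True}
        if rule["allow"]:
            if len(f) < 7:
                raise ValueError("owner, group and mode required: %r" % line)
            rule.update(owner=f[4], group=f[5], mode=int(f[6], 8))
            if len(f) > 7:
                rule["dirs"] = f[7] == "dirs"    # "nodirs" forbids mkdir
        rules.append(rule)
    return rules

def upload_rule_for(rules, user_root, target_dir):
    """Return the governing rule for an upload into target_dir (a path as
    seen inside the chroot) by a user whose root-dir is user_root, or
    None when no directive applies.  Longest matching dirglob wins."""
    target = posixpath.normpath(target_dir)
    best = None
    for r in rules:
        if r["root"] == user_root and fnmatch.fnmatchcase(target, r["dirglob"]):
            if best is None or len(r["dirglob"]) > len(best["dirglob"]):
                best = r
    return best

def world_writable_uploads(rules):
    """Allow-rules whose mode grants write to others (e.g. 0666)."""
    return [r["dirglob"] for r in rules if r["allow"] and r["mode"] & 0o002]
```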

 FILES
      /etc/ftpd/ftpaccess

      /usr/newconfig/etc/ftpd/examples/ftpaccess   sample ftpaccess file

 AUTHOR
      ftpaccess was developed by the Washington University, St. Louis,
      Missouri.

 SEE ALSO
      ftpshut(1), groups(1), passwd(1), ftpd(1M), chroot(2), umask(2),
      ftpconversions(4), ftpgroups(4).