ftpaccess.4 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

ftpaccess(4) ftpaccess(4)

NAME

ftpaccess - ftpd conﬁguration ﬁle

SYNOPSIS

/etc/ftpd/ftpaccess

DESCRIPTION

The /etc/ftpd/ftpaccess

ﬁle is used to conﬁgure the operation of

ftpd (see ftpd (1M)).

Access Capabilities

autogroup groupname class [ class ... ]

If an

anonymous user is a member of any of class , the ftp server will perform a

setgid() to

groupname . This allows access to group-and-owner-read-only ﬁles and directories to a particular

class of anonymous users. groupname is a valid group from

/etc/group (or whatever mechanism

your

getgrent() library routine uses; see getgrent (3C)).

class class typelist addrglob [ addrglob ... ]

Deﬁne class of users, with source addresses of the form addrglob . Multiple members of class may

be deﬁned. There may be multiple

class commands, listing additional members of the class. If

multiple

class commands can apply to the current session, the ﬁrst one listed in the access ﬁle is

used. Failing to deﬁne a valid class for a host will cause access to be denied. typelist is a comma-

separated list of any of the keywords

anonymous, guest and real. If the real

keyword is

included, the class can match users using FTP to access real accounts, and if the

anonymous key-

word is included, the class can match users using anonymous FTP. The guest keyword matches

guest access accounts (see guestgroup below for more information)

addrglob may be a globbed domain name or a globbed numeric address. There can be multiple

addrglob ’s for this directive. To avoid confusion when you have multiple addrglob ’s, you can put all

the addrglob ’s in a ﬁle and specify the path of the ﬁle in place of the addrglob ’s.

Placing an exclamation (!) before an addrglob negates the test. For example:

class rmtuser real !*.example.com

will classify real users from outside the example.com domain as the class rmtuser. Use care

with this option. Remember, the result of each test is OR’ed with other tests on the line.

Note: addrglob can be an IPv4 glob address of the form n.n.n.n where n is either a decimal number

between 0 to 255 or an asterisk (

*). addrglob can also be an IPv6 address where asterisk (

*) is not

supported. The equivalent functionality of asterisk (

*) is provided in the form of the subnet preﬁx

followed by a forward slash (

/) and the preﬁx length.

This notation of addrglob as a glob address is applicable for all other

ftpaccess directives.

deny addrglob message_ﬁle

Always deny access to the host(s) matching addrglob . message_ﬁle is the ﬁle from which denial

message is displayed to the hosts that are denied access. addrglob may be

!nameserved to deny

access to sites without a working nameserver. It may also be the name of a ﬁle, starting with a

slash (/), which contains additional address globs, as well as in the form address:netmask or

address/cidr.

guestgroup groupname [ groupname ... ]

guestuser username [ username ... ]

realgroup groupname [ groupname ... ]

realuser username [ username ... ]

For

guestgroup,ifareal user is a member of any of groupname , the session is set up exactly as

with anonymous FTP. In other words, a chroot() is done, and the user is no longer permitted to

issue the USER and PASS commands. groupname is a valid group from /etc/group (or whatever

mechanism your getgrent() library routine uses).

The user’s home directory must be properly set up, exactly as anonymous FTP would be. The home

directory ﬁeld of the passwd entry is divided into two directories. The ﬁrst ﬁeld is the root directory

which will be the argument to the

chroot call. The second half is the user’s home directory rela-

tive to the root directory. The two halves are separated by a /./.

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (14 pages)

PAGE 1
ftpaccess(4) ftpaccess(4) NAME ftpaccess - ftpd configuration file SYNOPSIS /etc/ftpd/ftpaccess DESCRIPTION The /etc/ftpd/ftpaccess file is used to configure the operation of ftpd (see ftpd (1M)). Access Capabilities autogroup groupname class [ class ... ] If an anonymous user is a member of any of class , the ftp server will perform a setgid() to groupname . This allows access to group-and-owner-read-only files and directories to a particular class of anonymous users.
PAGE 2
ftpaccess(4) ftpaccess(4) Example: In the /etc/passwd file, the sample entry is: guest1::100:92:Guest Account:/ftp/./incoming:/etc/ftponly When guest1 successfully logs in, the ftp server will chroot (/ftp) and then chdir (/incoming). The guest user will only be able to access the directory structure under /ftp (which will look and act as / to guest1), just as an anonymous FTP user would. The group name may be specified by either name or numeric ID.
PAGE 3
ftpaccess(4) ftpaccess(4) than maxidle (see the maxidle option), idle will be set to the maxidle value. maxidle [seconds ] (default 7200 seconds). Specify the the maximum number of seconds for the idle timeout. The default value (7200 seconds) can be overridden by using the -T option of ftpd (see ftpd (1M)). If maxidle is specified, that value will override both the default value as well as the value set with -T option of ftpd.
PAGE 4
ftpaccess(4) ftpaccess(4) Directory specifications mark all files and sub-directories in the named directory as "un-gettable" or not obtainable. The filename may be specified as a file glob. For example: noretrieve /etc /home/*/.htaccess specifies that no files in /etc or any of its sub-directories may be retrieved. Also, no files named .htaccess anywhere under the /home directory may be retrieved.
PAGE 5
ftpaccess(4) ftpaccess(4) hostname some.host.name Defines the default host name of the ftp server. This string will be printed on the greeting message and every time the %L magic cookie is used. See message below for a list of magic cookies. The host name for virtual servers overrides this value. If not specified, the default host name for the local machine is used. email name Defines the email address of the ftp archive maintainer. This string will be printed every time the %E magic cookie is used.
PAGE 6
ftpaccess(4) ftpaccess(4) anonymous FTP directory tree. readme path [ when [ class ]] Define a file with path such that ftpd will notify user at login time or upon using the change working directory command that the file exists and was modified on such-and-such date. The when parameter may be LOGIN or CWD=
. If when CWD=, dir specifies the new default directory which will trigger the notification. The message will only be displayed once, to avoid bothering users.
PAGE 7
ftpaccess(4) ftpaccess(4) Miscellaneous Capabilities alias string dir Defines an alias, string , for the specified directory, dir . Can be used to add the concept of logical directories. For example: alias rfc /pub/doc/rfc would allow the user to access /pub/doc/rfc from any directory by the command cd rfc:. Aliases only apply to the cd command. cdpath dir Defines a directory entry in the cdpath. dir defines a search path that is used when changing directories.
PAGE 8
ftpaccess(4) ftpaccess(4) The external program ftpshut can be used to automate the process of generating this file. daemonaddress address If this value is not set, then the server will listen for connections on every IP addresses. Otherwise it will only listen on the IP address specified. Use of this clause is discouraged as it will break virtual hosting. This option will work only when ftpd is running in the standalone mode (see ftpd (1M)).
PAGE 9
ftpaccess(4) ftpaccess(4) virtual address shadow file Use a different shadow file for this virtual domain. Note: This option is currently not supported in HP-UX. defaultserver deny username [ username ... ] defaultserver allow username [ username ... ] Normally, all users are allowed access to the default (non-virtual) FTP server. Use defaultserver deny to revoke access for specific users. Specify defaultserver deny to deny access to all users.
PAGE 10
ftpaccess(4) ftpaccess(4) command is used to provide directory listings. To change the path for ls, specify it in command. The defaults for these clauses are generally correct. For normal users lsshort is used. For anonymous users lslong is used. lsplain is used for special cases. Use lslong, lsshort, or lsplain only if absolutely necessary. mailserver hostname [ hostname ... ] Specify the name of a mail server which will accept upload notifications for the FTP daemon.
PAGE 11
ftpaccess(4) ftpaccess(4) deny-email clauses as you like. path-filter typelist mesg allowed_charset [ disallowed_regexp ... ] For users in typelist , path-filter defines regular expressions that control what a filename can or cannot be. Disallowed regular expressions, disallowed_regexp, may be specified with multiple regular expressions (see regexp (5)). If a filename is invalid due to failure to match the regular expression criteria, mesg will be displayed to the user.
PAGE 12
ftpaccess(4) ftpaccess(4) anonymous-root /home/ftp anonymous-root /home/localftp localnet causes all anonymous users to be chroot()’d to the directory /home/ftp. Then, if the ftp user exists in /home/ftp/etc/passwd, their initial CWD is that home directory. Anonymous users in the class localnet, however, are chroot()’d to the directory /home/localftp, and their initial CWD is taken from the ftp user’s home directory in /home/localftp/etc/passwd. guest-root root-dir [ uid-range ...
PAGE 13
ftpaccess(4) ftpaccess(4) An example of the use of these clauses shows their intended use. Assume user dick has a home directory /home/dick and jane has a home directory /home/jane: guest-root /home dick jane restricted-uid dick jane While both dick and jane are chroot’d to /home, they cannot access each other’s files because they are restricted to their home directories. Wherever possible, in situations such as this example, try not to rely solely upon the ftp restrictions.
PAGE 14
(Notes) A (Notes) fA 14 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010