ftpaccess.4 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

ftpaccess(4) ftpaccess(4)

anonymous-root /home/ftp

anonymous-root /home/localftp localnet

causes all anonymous users to be chroot()

’d to the directory /home/ftp. Then, if the ftp user

exists in

/home/ftp/etc/passwd

, their initial

CWD is that home directory. Anonymous users in

the class localnet, however, are

chroot()’d to the directory

/home/localftp

, and their initial

CWD is taken from the ftp user’s home directory in

/home/localftp/etc/passwd

guest-root root-dir [ uid-range ... ]

root-dir speciﬁes the

chroot() path for guest users. If

guest-root is not matched, the old

method of parsing the user’s home directory is used. If no uid-range is speciﬁed, the root directory

is for guest users who do not match any other guest-root speciﬁcation. Multiple uid ranges may be

given on the line. If a

guest-root is chosen for the user, the user’s home directory in the root-

dir

/etc/passwd ﬁle is used to determine the initial directory and their home directory in the

system-wide /etc/passwd is not used.

uid-range speciﬁes numeric UID values. Ranges are speciﬁed by giving the lower and upper bounds

(inclusive), separated by a dash. Omitting the lower bound means "all up to", and omitted the upper

bound means "all starting from". For example:

guest-root /home/users guest-root /home/staff %100-999 sally

guest-root /home/users/frank/ftp frank

causes all guest users to chroot() to /home/users then starts each user in their home directory

speciﬁed in /home/users/etc/passwd

. Users in the range 100 through 999, inclusive, and

user

sally, will be chroot()’d to /home/staff and the CWD will be taken from their entries

in /home/staff/etc/passwd

. The single user frank will be chroot()’d to

/home/users/owner/ftp

and the CWD will be from his entry in

/home/users/owner/ftp/etc/passwd

Note that order is important for both

anonymous-root

and guest-root. If a user would match

multiple clauses, only the ﬁrst applies; with the exception of the clause which has no class or uid-

range, which applies only if no other clause matches.

deny-uid uid-range [...]

deny-gid gid-range [...]

allow-uid uid-range [...]

allow-gid gid-range [...]

These clauses allow speciﬁcation of UID and GID values which will be denied access to the ftp

server. The

allow-uid and allow-gid clauses may be used to allow access for uid/gid which

would otherwise be denied. These checks occur before all others. Deny is checked before allow.

The default is to allow access. Note that in most cases, this can remove the need for an

/etc/ftpd/ftpusers

ﬁles. For example:

deny-gid %-99 %65535 deny-uid %-99 %65535

allow-gid ftp

allow-uid ftp

denies ftp access to all privileged or special users and groups on a Linux box except the anonymous

ftp user/group. In many cases, this can eliminate the need for the /etc/ftpd/ftpusers

ﬁle.

Support for that ﬁle still exists so it may be used when changing

/etc/ftpd/ftpaccess is not

desired.

Throughout the

ftpaccess ﬁle, at any place that a single UID or GID is allowed, either names or

numbers may be used. To use numbers, put a % before it. In places where a range is allowed, put

the % before the range.

restricted-uid uid-range [...]

restricted-gid gid-range [...]

unrestricted-uid uid-range [...]

unrestricted-gid gid-range [...]

These clauses control whether or not real or guest users will be allowed access to areas on the FTP

site outside their home directories. They are not meant to replace the use of guestgroup and

guestuser. Instead, use these to supplement the operation of guests. The

unrestricted-uid

and unrestricted-gid clauses may be used to allow users outside their home directories who

would otherwise be restricted.

12 Hewlett-Packard Company − 12 − HP-UX 11i Version 3: September 2010