HP-UX Reference (11i v2 04/09) - 4 File Formats (vol 8)
ftpaccess(4) ftpaccess(4)
allow-gid ftp
allow-uid ftp
denies ftp access to all privileged or special users and groups on a Linux box except the anonymous
ftp user/group. In many cases, this can eliminate the need for the /etc/ftpd/ftpusers file.
Support for that file still exists so it may be used when changing /etc/ftpd/ftpaccess is not
desired.
Throughout the ftpaccess file, at any place that a single UID or GID is allowed, either names or
numbers may be used. To use a number, put a % before it. In places where a range is allowed, put
the % before the range.
restricted-uid uid-range [...]
restricted-gid gid-range [...]
unrestricted-uid uid-range [...]
unrestricted-gid gid-range [...]
These clauses control whether or not real or guest users will be allowed access to areas on the FTP
site outside their home directories. They are not meant to replace the use of guestgroup and
guestuser. Instead, use these to supplement the operation of guests. The unrestricted-uid
and unrestricted-gid clauses may be used to allow users outside their home directories who
would otherwise be restricted.
An example of the use of these clauses shows their intended use. Assume user dick has a home
directory /home/dick and jane has a home directory /home/jane:
guest-root /home dick jane
restricted-uid dick jane
While both dick and jane are chroot’d to /home, they cannot access each other’s files because
they are restricted to their home directories.
Wherever possible, in situations such as this example, try not to rely solely upon the ftp restrictions.
As with all other ftp access rules, try to use directory and file permissions to backstop the operation
of the ftpaccess configuration.
NOTE: For the above clauses, you must copy the libraries /usr/lib/libnss_files.1 and
/usr/lib/libdld.2 to the /usr/lib directory of the current chroot’d environment.
site-exec-max-lines number [ class ... ]
The SITE EXEC feature traditionally limits the number of lines of output which may be sent to the
remote client. This clause allows you to set this limit. If omitted, the limit is 20 lines. A limit of 0
(zero) implies no limit. Be very careful if you choose to remove the limit. If a clause is found
matching the remote user’s class, that limit is used. Otherwise, the clause with class ’*’, or no
class given, is used. For example:
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
The above examples limit output from SITE EXEC (and therefore SITE INDEX) to 200 lines for
remote users, specify that there is no limit at all for local users, and set a limit of 25 lines
for all other users.
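The lookup rule above, written out as an added example (not part of the original manual page or of
ftpd itself): it parses site-exec-max-lines clauses, resolves the limit for a given class, and lists
the classes left with no limit. The function names, the sample text, and the first-match-wins
behaviour when several clauses match are assumptions.

```python
DEFAULT_LIMIT = 20  # limit the page gives when the clause is omitted

# Constructed sample: the three clauses from the example above.
SAMPLE = """\
# constructed ftpaccess fragment
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
"""

def parse_limits(text):
    """Return [(limit, [classes])] for each site-exec-max-lines clause."""
    clauses = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "site-exec-max-lines":
            continue  # other clauses, blank lines and comments are ignored
        limit = int(fields[1])
        if limit < 0:
            raise ValueError("negative limit: " + raw)
        # A clause with no class is treated like one with class '*'.
        clauses.append((limit, fields[2:] or ["*"]))
    return clauses

def effective_limit(clauses, user_class):
    """Limit applied to user_class; 0 means unlimited output."""
    # Assumption: the first matching clause wins when several match.
    for limit, classes in clauses:
        if user_class in classes:
            return limit
    for limit, classes in clauses:
        if "*" in classes:
            return limit
    return DEFAULT_LIMIT

def unlimited_classes(clauses):
    """Classes (or '*') whose SITE EXEC output has no line limit."""
    found = []
    for limit, classes in clauses:
        if limit == 0:
            found.extend(c for c in classes if c not in found)
    return found

if __name__ == "__main__":
    conf = parse_limits(SAMPLE)
    for cls in ("remote", "local", "anonymous"):
        print(cls, effective_limit(conf, cls))
    print("unlimited:", unlimited_classes(conf))
```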
dns refuse_mismatch filename [ override ]
Refuse FTP sessions when the forward and reverse lookups for the remote site do not match.
Display the named file, filename (like a message file), admonishing the user. If the optional
override is specified, allow the connection after complaining.
dns refuse_no_reverse filename [ override ]
Refuse FTP sessions when there is no reverse DNS entry for the remote site. Display the named
file, filename (like a message file), admonishing the user. If the optional override is specified,
allow the connection after complaining.
dns resolveroptions [ options ]
dns resolveroptions allows you to tweak name server options. The line takes a series of flags
as documented in resolver(3N) (with the leading RES_ removed). Each can be preceded by an
optional + or -. For example,
Hewlett-Packard Company, HP-UX 11i Version 2: September 2004