HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)
ftpaccess(4) ftpaccess(4)
bound means "all starting from". For example:
    guest-root /home/users
    guest-root /home/staff %100-999 sally
    guest-root /home/users/frank/ftp frank

causes all guest users to chroot() to /home/users then starts each user in their home directory
specified in /home/users/etc/passwd. Users in the range 100 through 999, inclusive, and user
sally, will be chroot()’d to /home/staff and the CWD will be taken from their entries in
/home/staff/etc/passwd. The single user frank will be chroot()’d to /home/users/owner/ftp
and the CWD will be from his entry in /home/users/owner/ftp/etc/passwd.
Note that order is important for both anonymous-root and guest-root. If a user would match
multiple clauses, only the first applies; with the exception of the clause which has no class or
uid-range, which applies only if no other clause matches.
deny-uid uid-range [...]
deny-gid gid-range [...]
allow-uid uid-range [...]
allow-gid gid-range [...]
These clauses allow specification of UID and GID values which will be denied access to the ftp server.
The allow-uid and allow-gid clauses may be used to allow access for uid/gid which would
otherwise be denied. These checks occur before all others. Deny is checked before allow. The default is
to allow access. Note that in most cases, this can remove the need for an /etc/ftpd/ftpusers
file. For example:
    deny-gid %-99 %65535
    deny-uid %-99 %65535
    allow-gid ftp
    allow-uid ftp

denies ftp access to all privileged or special users and groups on a Linux box except the anonymous ftp
user/group. In many cases, this can eliminate the need for the /etc/ftpd/ftpusers file. Support
for that file still exists so it may be used when changing /etc/ftpd/ftpaccess is not desired.
Throughout the ftpaccess file, at any place that a single UID or GID is allowed, either names or
numbers may be used. To use a number, put a % before it. In places where a range is allowed, put the
% before the range.
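An added example (not part of the HP-UX reference page): a small Python checker that evaluates the deny-uid, deny-gid, allow-uid and allow-gid clauses from the example above against an account's UID and GID. The name-to-number maps are constructed stand-ins for the passwd and group files; treating a range with no lower bound as "all up to", and rejecting a login when either the UID check or the GID check fails, are assumptions.

```python
import re

# Constructed sample: the deny/allow example from the text, one clause per line.
SAMPLE_FTPACCESS = """\
deny-gid %-99 %65535
deny-uid %-99 %65535
allow-gid ftp
allow-uid ftp
"""
# Constructed name-to-number maps standing in for the passwd and group files.
UIDS = {"root": 0, "ftp": 14, "sally": 1001, "nobody": 65535}
GIDS = {"root": 0, "ftp": 50, "users": 100, "nogroup": 65535}

def matches(token, ident, names):
    """True if one id token (name, %N, %N-M, %-M or %N-) covers ident."""
    if not token.startswith("%"):
        return names.get(token) == ident      # bare token is a name
    m = re.fullmatch(r"%(\d*)(-?)(\d*)", token)
    if not m or not (m.group(1) or m.group(3)):
        raise ValueError(f"bad id token: {token!r}")
    lo, dash, hi = m.groups()
    if not dash:
        return ident == int(lo)               # single number
    low = int(lo) if lo else 0                # assumed: no lower bound = all up to hi
    high = int(hi) if hi else float("inf")    # no upper bound = all starting from lo
    return low <= ident <= high

def parse(text):
    """Collect the tokens of every deny/allow uid and gid clause."""
    rules = {k: [] for k in ("deny-uid", "deny-gid", "allow-uid", "allow-gid")}
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] in rules:
            rules[fields[0]].extend(fields[1:])
    return rules

def access_allowed(rules, uid, gid):
    """Deny is checked first, an allow match overrides it, default is allow."""
    def hit(key, ident, names):
        return any(matches(t, ident, names) for t in rules[key])
    if hit("deny-uid", uid, UIDS) and not hit("allow-uid", uid, UIDS):
        return False
    if hit("deny-gid", gid, GIDS) and not hit("allow-gid", gid, GIDS):
        return False
    return True
```

Running `access_allowed(parse(SAMPLE_FTPACCESS), uid, gid)` over every account in the real passwd file shows which accounts the deny/allow clauses still admit, which is a quick check before retiring /etc/ftpd/ftpusers.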
restricted-uid uid-range [...]
restricted-gid gid-range [...]
unrestricted-uid uid-range [...]
unrestricted-gid gid-range [...]
These clauses control whether or not real or guest users will be allowed access to areas on the FTP
site outside their home directories. They are not meant to replace the use of guestgroup and
guestuser. Instead, use these to supplement the operation of guests. The unrestricted-uid
and unrestricted-gid clauses may be used to allow users outside their home directories who
would otherwise be restricted.
An example of the use of these clauses shows their intended use. Assume user dick has a home
directory /home/dick and jane has a home directory /home/jane:

    guest-root /home dick jane
    restricted-uid dick jane

While both dick and jane are chroot’d to /home, they cannot access each other’s files because
they are restricted to their home directories.
Wherever possible, in situations such as this example, try not to rely solely upon the ftp restrictions.
As with all other ftp access rules, try to use directory and file permissions to backstop the operation of
the ftpaccess configuration.
NOTE: For the above clauses, you must copy the libraries /usr/lib/libnss_files.1 and
/usr/lib/libdld.2 to the /usr/lib directory of the current chroot’d environment.
site-exec-max-lines number [ class ... ]
The SITE EXEC feature traditionally limits the number of lines of output which may be sent to the
remote client. This clause allows you to set this limit. If omitted, the limit is 20 lines. A limit of 0
HP-UX 11i Version 2: December 2007 Update − 12 − Hewlett-Packard Company 95