HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)
f
ftpaccess(4) ftpaccess(4)
guest-root root-dir [ uid-range ... ]
root-dir specifies the chroot() path for guest users. If
guest-root is not matched, the old
method of parsing the user’s home directory is used. If no uid-range is specified, the root directory is
for guest users who do not match any other guest-root specification. Multiple uid ranges may be given
on the line. If a
guest-root is chosen for the user, the user’s home directory in the root-
dir
/etc/passwd file is used to determine the initial directory and their home directory in the
system-wide /etc/passwd is not used.
uid-range specifies numeric UID values. Ranges are specified by giving the lower and upper bounds
(inclusive), separated by a dash. Omitting the lower bound means "all up to", and omitted the upper
bound means "all starting from". For example:
guest-root /home/users guest-root /home/staff %100-999 sally
guest-root /home/users/frank/ftp frank
causes all guest users to chroot() to /home/users
then starts each user in their home directory
specified in
/home/users/etc/passwd
. Users in the range 100 through 999, inclusive, and user
sally, will be chroot()’d to
/home/staff and the CWD will be taken from their entries in
/home/staff/etc/passwd
. The single user frank will be chroot()’d to
/home/users/owner/ftp
and the CWD will be from his entry in
/home/users/owner/ftp/etc/passwd
.
Note that order is important for both
anonymous-root
and guest-root . If a user would match
multiple clauses, only the first applies; with the exception of the clause which has no class or uid-
range, which applies only if no other clause matches.
deny-uid uid-range [...]
deny-gid gid-range [...]
allow-uid uid-range [...]
allow-gid gid-range [...]
These clauses allow specification of UID and GID values which will be denied access to the ftp server.
The allow-uid and allow-gid clauses may be used to allow access for uid/gid which would oth-
erwise be denied. These checks occur before all others. Deny is checked before allow. The default is
to allow access. Note that in most cases, this can remove the need for an /etc/ftpd/ftpusers
files. For example:
deny-gid %-99 %65535 deny-uid %-99 %65535
allow-gid ftp
allow-uid ftp
denies ftp access to all privileged or special users and groups on a Linux box except the anonymous ftp
user/group. In many cases, this can eliminate the need for the
/etc/ftpd/ftpusers file. Sup-
port for that file still exists so it may be used when changing
/etc/ftpd/ftpaccess
is not
desired.
Throughout the
ftpaccess file, at any place that a single UID or GID is allowed, either names or
numbers may be used. To use numbers, put a % before it. In places where a range is allowed, put the
% before the range.
restricted-uid uid-range [...]
restricted-gid gid-range [...]
unrestricted-uid uid-range [...]
unrestricted-gid gid-range [...]
These clauses control whether or not real or guest users will be allowed access to areas on the FTP
site outside their home directories. They are not meant to replace the use of guestgroup and
guestuser. Instead, use these to supplement the operation of guests. The unrestricted-uid
and unrestricted-gid clauses may be used to allow users outside their home directories who
would otherwise be restricted.
An example of the use of these clauses shows their intended use. Assume user dick has a home
directory /home/dick and jane has a home directory /home/jane :
guest-root /home dick jane
restricted-uid dick jane
While both dick and jane are chroot’d to /home, they cannot access each other’s files because
they are restricted to their home directories.
HP-UX 11i Version 3: February 2007 − 12 − Hewlett-Packard Company 121