path: root/usr/src/man/man4/ftpaccess.4

'\" te
.\" Copyright (C) 2003, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH ftpaccess 4 "10 Sep 2003" "SunOS 5.11" "File Formats"
.SH NAME
ftpaccess \- FTP Server configuration file
.SH SYNOPSIS
.LP
.nf
\fB/etc/ftpd/ftpaccess\fR
.fi

.SH DESCRIPTION
.sp
.LP
The \fBftpaccess\fR file is used to configure the operation of the FTP Server.
.SS "Access Capabilities "
.sp
.LP
The following access capabilities are supported:
.sp
.ne 2
.mk
.na
\fB\fBautogroup\fR \fIgroupname\fR \fIclass\fR \fIclass\fR...\fR
.ad
.sp .6
.RS 4n
If an \fIanonymous\fR user is a member of any of \fIclass\fR, the FTP Server
will perform a \fBsetegid\fR(2) to \fIgroupname\fR. This allows access to group
and owner read-only files and directories to a particular class of anonymous
users. \fIgroupname\fR is a valid group returned by \fBgetgrnam\fR(3C).
.RE

.sp
.ne 2
.mk
.na
\fB\fBclass\fR \fIclass\fR \fItypelist\fR \fIaddrglob\fR\fIaddrglob\fR...\fR
.ad
.sp .6
.RS 4n
Define \fIclass\fR of users, with source addresses of the form \fIaddrglob\fR.
Multiple members of \fIclass\fR may be defined. There may be multiple
\fBclass\fR commands listing additional members of the class. If multiple
\fBclass\fR commands can apply to the current session, the first one listed in
the access file is used. If a valid class for a host is not defined, access
will be denied. \fItypelist\fR is a comma-separated list of any of the keywords
\fBanonymous\fR, \fBguest\fR, and \fBreal\fR. If the \fBreal\fR keyword is
included, the class can match users using FTP to access real accounts. If the
\fBanonymous\fR keyword is included the class can match users using anonymous
FTP. The \fBguest\fR keyword matches guest access accounts.
.sp
\fIaddrglob\fR may be a globbed domain name or a globbed numeric IPv4 address.
It may also be the name of a file, starting with a slash ('/'), which contains
additional address globs. IPv4 numeric addresses may also be specified in the
form \fBaddress:netmask\fR or \fBaddress/CIDR\fR. IPv6 numeric addresses can
only be specified with an optional \fBCIDR\fR, not using globs or netmasks.
.sp
Placing an exclamation (!) before an \fIaddrglob\fR negates the test. For
example,
.sp
.in +2
.nf
class rmtuser real !*.example.com 
.fi
.in -2

will classify real users from outside the \fBexample.com\fR domain as the class
\fBrmtuser\fR. Use care with this option. Remember, the result of each test is
OR'ed with other tests on the line.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdeny\fR \fIaddrglob\fR [\fImessage_file\fR]\fR
.ad
.sp .6
.RS 4n
Deny access to host(s) that match \fIaddrglob\fR and display
\fImessage_file\fR. If the value of \fIaddrglob\fR is \fB!nameserved\fR access
to sites without a working nameservers is denied. \fImessage_file\fR may
contain magic cookies. See \fBmessage\fR for more details.
.RE

.sp
.ne 2
.mk
.na
\fB\fBguestgroup\fR \fIgroupname\fR \fIgroupname\fR...\fR
.ad
.br
.na
\fB\fBguestuser\fR \fIusername\fR \fIusername\fR...\fR
.ad
.br
.na
\fB\fBrealgroup\fR \fIgroupname\fR \fIgroupname\fR...\fR
.ad
.br
.na
\fB\fBrealuser\fR \fIusername\fR \fIusername\fR...\fR
.ad
.sp .6
.RS 4n
For \fBguestgroup\fR, if a \fIreal\fR user is a member of any \fIgroupname\fR,
the session is set up like anonymous FTP. \fIgroupname\fR is a valid group
returned by \fBgetgrnam\fR(3C). The user's home directory must be set up
exactly as anonymous FTP would be. The home directory field of the passwd entry
is divided into two directories. The first field is the root directory that
will be the argument to the \fBchroot\fR(2) call. The second field is the
user's home directory, relative to the root directory. Use a "\fB/./\fR" to
separate the two fields. For example, the following is the real entry in
\fB/etc/passwd\fR:
.sp
.in +2
.nf
guest1:x:100:92:Guest FTP:/export/home/guests/./guest1:/bin/true
.fi
.in -2

When guest1 successfully logs in, the FTP Server will \fBchroot()\fR to
\fB/export/home/guests\fR and then \fBchdir\fR(2) to \fB/guest1\fR. The guest
user will only be able to access the directory structure under
\fB/export/home/guests\fR, which will look and act as \fB/\fR to \fBguest1\fR,
just as an anonymous FTP user would. The d option to \fBftpconfig\fR(1M) is
useful when creating guest FTP user accounts. The group name may be specified
by either name or numeric ID. To use a numeric group ID, place a percent sign
(\fB%\fR) before the number. You can give ranges. Use an asterisk to indicate
all groups. \fBguestuser\fR works like \fBguestgroup\fR, except that it uses
the user name or numeric ID. \fBrealuser\fR and \fBrealgroup\fR have the same
syntax, but they reverse the effect of \fBguestuser\fR and \fBguestgroup\fR.
They allow real user access when the remote user would otherwise be determined
a guest.
.sp
.in +2
.nf
guestuser *    
realgroup admin 
.fi
.in -2

causes all non-anonymous users to be treated as guest, with the sole exception
of users in the \fBadmin\fR group, who are granted real user access.
.RE

.sp
.ne 2
.mk
.na
\fB\fBnice\fR \fInice-delta\fR \fIclass\fR\fR
.ad
.sp .6
.RS 4n
Adjust the process \fBnice\fR value of the FTP server process by the indicated
\fInice-delta\fR value if the remote user is a member of the named \fIclass\fR.
If \fIclass\fR is not specified, then use \fInice-delta\fR as the default
adjustment to the FTP server process \fBnice\fR value. This default \fBnice\fR
value adjustment is used to adjust the \fBnice\fR value of the server process
only for those users who do not belong to any class for which a class-specific
\fBnice\fR directive exists in the \fBftpaccess\fR file.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdefumask\fR \fIumask\fR \fIclass\fR\fR
.ad
.sp .6
.RS 4n
Set the \fIumask\fR applied to files created by the FTP server if the remote
user is a member of the named class. If \fIclass\fR is not specified, then use
the \fIumask\fR as the default for classes that do not have one specified.. The
mode of files created may be specified by using the \fBupload\fR directive.
.RE

.sp
.ne 2
.mk
.na
\fB\fBtcpwindow\fR \fIsize\fR class\fR
.ad
.sp .6
.RS 4n
Set the TCP window size (socket buffer size) for the data connection. Use this
to control network traffic. For instance, slow PPP dialin links may need
smaller TCP windows to speed up throughput. If you do not know what this does,
do not set it.
.RE

.sp
.ne 2
.mk
.na
\fB\fBipcos\fR control|data \fIvalue\fR [\fItypelist\fR]\fR
.ad
.sp .6
.RS 4n
Set the IP Class of Service for either the control or data connection.
.sp
For connections using \fBAF_INET\fR type sockets, this sets the Type of Service
field in the IP header to the value specified.
.sp
For connections using \fBAF_INET6\fR type sockets, this sets the Traffic Class
field in the IP header to the value specified.
.sp
When configured through \fBinetd.conf\fR(4), the socket type is controlled by
the protocol field of the \fBftp\fR service. When running in standalone mode
the default socket type is \fBAF_INET6\fR. The \fBin.ftpd\fR(1M) 4 option
selects \fBAF_INET\fR.
.sp
\fItypelist\fR is a comma-separated list of any of the keywords
\fBanonymous\fR, \fBguest\fR, \fBreal\fR, and \fBclass=\fR. When \fBclass=\fR
appears, it must be followed by a class name.
.RE

.sp
.ne 2
.mk
.na
\fB\fBkeepalive\fR \fByes\fR|\fBno\fR\fR
.ad
.sp .6
.RS 4n
Set the TCP \fBSO_KEEPALIVE\fR option for control and data sockets. This can be
used to control network disconnect. If \fByes\fR, then set it. If \fBno\fR,
then use the system default (usually off). You probably want to set this.
.RE

.sp
.ne 2
.mk
.na
\fB\fBtimeout accept\fR \fIseconds\fR\fR
.ad
.br
.na
\fB\fBtimeout connect\fR \fIseconds\fR\fR
.ad
.br
.na
\fB\fBtimeout data\fR \fIseconds\fR\fR
.ad
.br
.na
\fB\fBtimeout idle\fR \fIseconds\fR \fR
.ad
.br
.na
\fB\fBtimeout maxidle\fR \fIseconds\fR\fR
.ad
.br
.na
\fB\fBtimeout RFC931\fR \fIseconds\fR\fR
.ad
.sp .6
.RS 4n
Set various timeout conditions.
.sp
.ne 2
.mk
.na
\fB\fBaccept\fR\fR
.ad
.RS 11n
.rt  
How long the FTP Server will wait for an incoming (PASV) data connection. The
default is 120 seconds.
.RE

.sp
.ne 2
.mk
.na
\fB\fBconnect\fR\fR
.ad
.RS 11n
.rt  
How long the FTP Server will wait attempting to establish an outgoing (PORT)
data connection. This effects the actual connection attempt. The daemon makes
several attempts, sleeping between each attempt, before giving up. The default
is 120 seconds.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdata\fR\fR
.ad
.RS 11n
.rt  
How long the FTP Server will wait for some activity on the data connection. You
should keep this long because the remote client may have a slow link, and there
can be quite a bit of data queued for the client. The default is 1200 seconds.
.RE

.sp
.ne 2
.mk
.na
\fB\fBidle\fR\fR
.ad
.RS 11n
.rt  
How long the FTP Server will wait for the next command. The default is 900
seconds. The default can also be overridden by using the t option at the
command-line. This access clause overrides both.
.RE

.sp
.ne 2
.mk
.na
\fB\fBmaxidle\fR\fR
.ad
.RS 11n
.rt  
The \fBSITE IDLE\fR command allows the remote client to establish a higher
value for the idle timeout. The \fBmaxidle\fR clause sets the upper limit that
the client may request. The default can also be overridden by using the T
option at the command-line. This access clause overrides both. The default is
7200 seconds.
.RE

.sp
.ne 2
.mk
.na
\fB\fBRFC931\fR\fR
.ad
.RS 11n
.rt  
The maximum time the FTP server allows for the entire \fBRFC931\fR (AUTH/ident)
conversation. Setting this to zero (0) disables the server's use of this
protocol. The information obtained by means of \fBRFC931\fR is recorded in the
system logs and is not actually used in any authentication. The default is 10
seconds.
.RE

.RE

.sp
.ne 2
.mk
.na
\fB\fBfile-limit\fR \fIraw\fR \fIin\fR|\fIout\fR|\fItotal\fR \fIcount\fR
\fIclass\fR\fR
.ad
.sp .6
.RS 4n
Limit the number of data files a user in the given class may transfer. The
limit may be placed on files \fIin\fR, \fIout\fR, or \fItotal\fR. If no class
is specified, the limit is the default for classes which do not have a limit
specified. The optional parameter \fIraw\fR applies the limit to the total
traffic rather than just data files.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdata-limit\fR [\fIraw\fR] \fIin\fR|\fIout\fR|\fItotal\fR \fIcount\fR
[\fIclass\fR]\fR
.ad
.sp .6
.RS 4n
Limit the number of data bytes a user in the given class may transfer. The
limit may be placed on bytes \fIin\fR, \fIout\fR, or \fItotal\fR. If no class
is specified, the limit is the default for classes which do not have a limit
specified. Note that once it has been exceeded, this limit will prevent
transfers, but it will not terminate a transfer in progress. The optional
parameter \fIraw\fR applies the limit to total traffic rather than just data
files.
.RE

.sp
.ne 2
.mk
.na
\fB\fBlimit-time\fR \fI*\fR|\fIanonymous\fR|\fIguest\fR \fIminutes\fR\fR
.ad
.sp .6
.RS 4n
Limit the total time a session can take. By default, there is no limit. Real
users are never limited.
.RE

.sp
.ne 2
.mk
.na
\fB\fBguestserver\fR [\fIhostname\fR...]\fR
.ad
.sp .6
.RS 4n
Control which hosts may be used for anonymous access. If used without
\fIhostname\fR, all anonymous access is denied to this site. More than one
\fIhostname\fR may be specified. Anonymous access will only be allowed on the
named machines. If access is denied, the user will be asked to use the first
\fIhostname\fR listed.
.RE

.sp
.ne 2
.mk
.na
\fB\fBlimit\fR \fIclass\fR \fIn\fR \fItimes\fR [\fImessage_file\fR]\fR
.ad
.sp .6
.RS 4n
Limit \fIclass\fR to \fIn\fR users at times \fItimes\fR, displaying
\fImessage_file\fR if the user is denied access. A \fBlimit\fR check is
performed at login time only. If multiple \fBlimit\fR commands can apply to the
current session, the first applicable one is used. Failing to define a valid
limit, or a limit of -1, is equivalent to no limits. The format of \fItimes\fR
is\(cd:
.sp
.in +2
.nf
\fIday\fR[\fIday\fR...][\fItime-range\fR][|\fIday\fR[\fIday\fR...][\fItime-range\fR]]...
.fi
.in -2

The value of \fIday\fR can be \fBSu\fR, \fBMo\fR, \fBTu\fR, \fBWe\fR, \fBTh\fR,
\fBFr\fR, \fBSa\fR, \fBWk\fR (for any weekday Monday through Friday), or
\fBAny\fR. \fItime-range\fR is in 24-hour clock notation. If a time range is
not specified, any time of the day is matched. Multiple \fIday\fR and
\fItime-range\fR may be specified by the "|" symbol. For example,
\fBWk1730-0900|Sa|Su\fR specifies 5:30 p.m. to 9:00 a.m., Monday through
Friday, and anytime on weekends. \fImessage_file\fR may contain magic cookies.
See \fBmessage\fR for more details.
.RE

.sp
.ne 2
.mk
.na
\fB\fBnoretrieve\fR [\fBabsolute\fR|\fBrelative\fR]\fR
.ad
.br
.na
\fB[\fBclass=\fR\fIclassname\fR...][-] \fIfilename\fR [\fIfilename\fR...]\fR
.ad
.sp .6
.RS 4n
Always deny retrievability of these files. If \fIfilename\fR specifies a
pathname that begins with '/' character, then only those files are marked no
retrieve. Otherwise all files that match the \fIfilename\fR are refused
transfer. For example, \fBnoretrieve /etc/passwd core \fR specifies no one will
be able to retrieve the \fB/etc/passwd\fR file. You will be allowed to transfer
any file named \fBpasswd\fR that is not in \fB/etc\fR.
.sp
On the other hand, no one will be able to get files named \fBcore\fR, wherever
they are. Directory specifications mark all files and subdirectories in the
named directory unretrievable. The \fIfilename\fR may be specified as a file
glob. For example,
.sp
.in +2
.nf
noretrieve /etc /home/*/.htaccess 
.fi
.in -2

specifies that no files in \fB/etc\fR or any of its subdirectories may be
retrieved. Also, no files named \fB\&.htaccess\fR anywhere under the
\fB/home\fR directory may be retrieved. The optional first parameter selects
whether names are interpreted as absolute or relative to the current chroot'd
environment. The default is to interpret names beginning with a slash as
absolute. The \fBnoretrieve\fR restrictions may be placed upon members of
particular classes. If any \fBclass=\fR is specified, the named files cannot be
retrieved only if the current user is a member of one of the given classes.
.RE

.sp
.ne 2
.mk
.na
\fB\fBallow-retrieve\fR [\fBabsolute\fR|\fBrelative\fR]\fR
.ad
.br
.na
\fB[\fBclass=\fR\fIclassname\fR...][-] \fIfilename\fR [\fIfilename\fR...]\fR
.ad
.sp .6
.RS 4n
Allows retrieval of files which would otherwise be denied by noretrieve.
.RE

.sp
.ne 2
.mk
.na
\fB\fBloginfails\fR \fInumber\fR\fR
.ad
.sp .6
.RS 4n
After \fInumber\fR login failures, log a "repeated login failures" message and
terminate the FTP connection. The default value for \fInumber\fR is 5.
.RE

.sp
.ne 2
.mk
.na
\fB\fBprivate\fR \fByes\fR | \fBno\fR\fR
.ad
.sp .6
.RS 4n
Allow or deny use of the \fBSITE GROUP\fR and \fBSITE GPASS\fR commands after
the user logs in. The \fBSITE GROUP\fR and \fBSITE GPASS\fR commands specify an
enhanced access group and associated password. If the group name and password
are valid, the user becomes a member of the group specified in the group access
file \fB/etc/ftpd/ftpgroups\fR by means of \fBsetegid\fR(2). See
\fBftpgroups\fR(4) for the format of the file. For this option to work for
anonymous FTP users, the  FTP Server must keep \fB/etc/group\fR permanently
open and load the group access file into memory. This means that the FTP Server
now has an additional file descriptor open, and the necessary passwords and
access privileges granted to users by means of \fBSITE GROUP\fR will be static
for the duration of an FTP session. If you have an urgent need to change the
access groups or passwords now, you have to kill all of the running FTP
Servers.
.RE

.SS "Informational Capabilities"
.sp
.LP
The following informational capabilities are supported:
.sp
.ne 2
.mk
.na
\fB\fBgreeting\fR \fBfull\fR|\fBbrief\fR|\fBterse\fR\fR
.ad
.br
.na
\fB\fBgreeting\fR \fBtext\fR \fImessage\fR\fR
.ad
.sp .6
.RS 4n
The \fBgreeting\fR command allows you to control how much information is given
out before the remote user logs in. \fBgreeting full\fR, which is the default
greeting, shows the hostname and daemon version. \fBgreeting brief\fR shows the
hostname. \fB greeting terse\fR simply says "FTP Server ready." Although
\fBfull\fR is the default, \fBbrief\fR is suggested.
.sp
The \fBtext\fR form allows you to specify any greeting message. \fImessage\fR
can be any string. Whitespace (spaces and tabs) is converted to a single space.
.RE

.sp
.ne 2
.mk
.na
\fB\fBbanner\fR \fIpath\fR\fR
.ad
.sp .6
.RS 4n
The \fBbanner\fR command operates similarly to the \fBmessage\fR command,
except that the banner is displayed before the user enters the username. The
\fIpath\fR is relative to the real system root, not to the base of the
anonymous \fBFTP\fR directory.
.sp
Use of the \fBbanner\fR command can completely prevent non-compliant \fBFTP\fR
clients from making use of the \fBFTP\fR Server. Not all clients can handle
multi-line responses, which is how the banner is displayed.
.RE

.sp
.ne 2
.mk
.na
\fB\fBemail\fR \fIname\fR\fR
.ad
.sp .6
.RS 4n
Use this command to define the email address for the FTP Server administrator.
This string will be printed every time the \fB%E\fR magic cookie is used in
message files.
.RE

.sp
.ne 2
.mk
.na
\fB\fBhostname\fR \fIsome.host.name\fR\fR
.ad
.sp .6
.RS 4n
Defines the default host name of the FTP Server. This string will be printed on
the greeting message and every time the \fB%L\fR magic cookie is used. The host
name for virtual servers overrides this value. If no host name is specified,
the default host name for the local machine is used.
.RE

.sp
.ne 2
.mk
.na
\fB\fBmessage\fR \fIpath\fR [\fIwhen\fR [\fIclass\fR...]]\fR
.ad
.sp .6
.RS 4n
Define a file with \fIpath\fR such that the FTP Server will display the
contents of the file to the user at login time or upon using the change working
directory command. The \fIwhen\fR parameter may be \fBLOGIN\fR or
\fBCWD=\fIdirglob\fR\fR. If \fIwhen\fRis \fBCWD=\fIdirglob\fR\fR, \fIdirglob\fR
specifies the new default directory that will trigger the notification. A
\fIdirglob\fR of "\fB*\fR" matches all directories.
.sp
The optional \fIclass\fR specification allows the message to be displayed only
to members of a particular class. More than one class may be specified.
.sp
"Magic cookies" can be present in \fIpath\fR that cause the FTP Server to
replace the cookie with a specified text string:
.sp
.ne 2
.mk
.na
\fB\fB%T\fR\fR
.ad
.RS 6n
.rt  
Local time. For example, \fBThu Nov 15 17:12:42 1990\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%F\fR\fR
.ad
.RS 6n
.rt  
Free space in partition of CWD, in Kbytes.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%C\fR\fR
.ad
.RS 6n
.rt  
Current working directory.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%E\fR\fR
.ad
.RS 6n
.rt  
The email address for the FTP Server administrator.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%R\fR\fR
.ad
.RS 6n
.rt  
Remote host name.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%L\fR\fR
.ad
.RS 6n
.rt  
Local host name.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%U\fR\fR
.ad
.RS 6n
.rt  
Username given at login time.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%u\fR\fR
.ad
.RS 6n
.rt  
Username as defined by means of \fIRFC 931\fR authentication.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%M\fR\fR
.ad
.RS 6n
.rt  
Maximum allowed number of users in this class.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%N\fR\fR
.ad
.RS 6n
.rt  
Current number of users in this class.
.RE

The following quota magic cookies are also supported but not always set (see
the \fBquota-info\fR capability):
.sp
.ne 2
.mk
.na
\fB\fB%B\fR\fR
.ad
.RS 6n
.rt  
absolute limit on disk blocks allocated
.RE

.sp
.ne 2
.mk
.na
\fB\fB%b\fR\fR
.ad
.RS 6n
.rt  
preferred limit on disk blocks
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Q\fR\fR
.ad
.RS 6n
.rt  
current block count
.RE

.sp
.ne 2
.mk
.na
\fB\fB%I\fR\fR
.ad
.RS 6n
.rt  
maximum number of allocated inodes (+1)
.RE

.sp
.ne 2
.mk
.na
\fB\fB%i\fR\fR
.ad
.RS 6n
.rt  
preferred inode limit
.RE

.sp
.ne 2
.mk
.na
\fB\fB%q\fR\fR
.ad
.RS 6n
.rt  
current number of allocated inodes
.RE

.sp
.ne 2
.mk
.na
\fB\fB%H\fR\fR
.ad
.RS 6n
.rt  
time limit for excessive disk use
.RE

.sp
.ne 2
.mk
.na
\fB\fB%h\fR\fR
.ad
.RS 6n
.rt  
time limit for excessive files
.RE

The message is displayed only once to avoid annoying the user. Remember that
when messages are triggered by an anonymous or guest FTP user, they must be
relative to the base of the anonymous or guest FTP directory tree.
.RE

.sp
.ne 2
.mk
.na
\fB\fBquota-info\fR \fIuid-range\fR [\fIuid-range\fR...] \fR
.ad
.sp .6
.RS 4n
Enable retrieval of quota information for users matching \fIuid-range\fR. This
sets the quota magic cookies. Retrieving quota information might cause a
significant delay when logging into the server.
.sp
\fIuid-range\fR can be a username, single UID, or a UID range. Place a percent
sign(\fB%\fR) before a number. An asterisk means "all users."
.RE

.sp
.ne 2
.mk
.na
\fB\fBreadme\fR \fIpathglob\fR [\fIwhen\fR [\fIclass\fR...]]\fR
.ad
.sp .6
.RS 4n
Define a file with \fIpathglob\fR such that the FTP Server will notify the user
at login time or upon using the change working directory command that the file
exists and the date that it was modified. The \fIwhen\fR parameter may be
\fBLOGIN\fR or \fBCWD=\fIdirglob\fR\fR. If \fIwhen\fR is
\fBCWD=\fIdirglob\fR\fR, \fIdirglob\fR specifies the new default directory that
will trigger the notification. A \fIdirglob\fR of "\fB*\fR" matches all
directories. The message will only be displayed once, to avoid bothering users.
Remember that when README messages are triggered by an anonymous or guest FTP
user, the \fIpathglob\fR must be relative to the base of the anonymous or guest
FTP directory tree.
.sp
The optional \fIclass\fR specification allows the message to be displayed only
to members of a particular class. You can specify more than one class.
.RE

.SS "Logging Capabilities"
.sp
.LP
The following logging capabilities are supported:
.sp
.ne 2
.mk
.na
\fB\fBlog commands\fR \fItypelist\fR\fR
.ad
.sp .6
.RS 4n
Enables logging of the individual FTP commands sent by users. \fItypelist\fR is
a comma-separated list of any of the keywords \fBanonymous\fR, \fBguest\fR, and
\fBreal\fR. Command logging information is written to the system log.
.RE

.sp
.ne 2
.mk
.na
\fB\fBlog transfers\fR \fItypelist\fR \fIdirections\fR\fR
.ad
.sp .6
.RS 4n
Log file transfers made by FTP users to the \fBxferlog\fR(4) file. Logging of
incoming transfers to the server can be enabled separately from outbound
transfers from the server. \fIdirections\fR is a comma-separated list of any of
the two keywords \fBinbound\fR and \fBoutbound\fR, and will respectively cause
transfers to be logged for files sent to and from the server.
.RE

.sp
.ne 2
.mk
.na
\fB\fBlog security\fR \fItypelist\fR\fR
.ad
.sp .6
.RS 4n
Enables logging of violations of security rules to the system log, including
for example, \fBnoretrieve\fR and \fB\&.notar\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBlog syslog\fR\fR
.ad
.br
.na
\fB\fBlog syslog+xferlog\fR\fR
.ad
.sp .6
.RS 4n
Redirect the logging messages for incoming and outgoing transfers to
\fBsyslog\fR. Without this option the messages are written to \fBxferlog\fR.
When you specify \fBsyslog+xferlog\fR, the transfer log messages are sent to
both the system log file and the \fBxferlog\fR file.
.RE

.sp
.ne 2
.mk
.na
\fB\fBxferlog\fR format \fIformatstring\fR\fR
.ad
.sp .6
.RS 4n
Customize the format of the transfer log entry written. \fIformatstring\fR can
be any string, which might include magic cookies. Strings of whitespace
characters are converted into a single space.
.sp
The following transfer-specific magic cookies are recognized only immediately
after a transfer has been completed:
.sp
.ne 2
.mk
.na
\fB\fB%Xt\fR\fR
.ad
.RS 7n
.rt  
transfer-time
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xn\fR\fR
.ad
.RS 7n
.rt  
bytes-transferred
.RE

.sp
.ne 2
.mk
.na
\fB\fB%XP\fR\fR
.ad
.RS 7n
.rt  
filename
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xp\fR\fR
.ad
.RS 7n
.rt  
chroot-filename
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xy\fR\fR
.ad
.RS 7n
.rt  
transfer-type
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xf\fR\fR
.ad
.RS 7n
.rt  
special-action-flag
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xd\fR\fR
.ad
.RS 7n
.rt  
direction
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xm\fR\fR
.ad
.RS 7n
.rt  
access-mode
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xa\fR\fR
.ad
.RS 7n
.rt  
authentication-method
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xc\fR\fR
.ad
.RS 7n
.rt  
completion-status
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xs\fR\fR
.ad
.RS 7n
.rt  
file-size
.RE

.sp
.ne 2
.mk
.na
\fB\fB%Xr\fR\fR
.ad
.RS 7n
.rt  
restart-offset
.RE

\fBxferlog\fR(4) includes a description of these fields. If no \fBxferlog\fR
format entry is present, the default is:
.sp
.in +2
.nf
xferlog format %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc
.fi
.in -2
.sp

.RE

.SS "Miscellaneous Capabilities"
.sp
.LP
The following miscellaneous capabilities are supported:
.sp
.ne 2
.mk
.na
\fB\fBalias\fR\fI string\fR \fIdir\fR\fR
.ad
.sp .6
.RS 4n
Define an alias, \fI string\fR, for a directory. Use this command to add the
concept of logical directories. For example: \fBalias rfc: /pub/doc/rfc\fR
would allow the user to access \fB/pub/doc/rfc\fR from any directory by the
command "\fBcd rfc:\fR". Aliases only apply to the \fBcd\fR command.
.RE

.sp
.ne 2
.mk
.na
\fB\fBcdpath\fR \fIdir\fR\fR
.ad
.sp .6
.RS 4n
Define an entry in the \fBcdpath\fR. This command defines a search path that is
used when changing directories. For example:
.sp
.in +2
.nf
cdpath /pub/packages
cdpath /.aliases 
.fi
.in -2
.sp

would allow the user to move into any directory directly under either the
\fB/pub/packages\fR or the \fB/.aliases\fR directories. The search path is
defined by the order in which the lines appear in the \fBftpaccess\fR file. If
the user were to give the command \fBftp> cd foo\fR the directory will be
searched for in the following order:
.RS +4
.TP
.ie t \(bu
.el o
\fB\&./foo \fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
an alias called foo
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fB/pub/packages/foo\fR
.RE
.RS +4
.TP
.ie t \(bu
.el o
\fB/.aliases/foo\fR
.RE
The \fBcdpath\fR is only available with the \fBcd\fR command. If you have a
large number of aliases, you might want to set up an aliases directory with
links to all of the areas you wish to make available to users.
.RE

.sp
.ne 2
.mk
.na
\fB\fBcompress\fR \fByes\fR|\fBno\fR \fIclassglob\fR [\fIclassglob\fR...]\fR
.ad
.br
.na
\fBtar \fByes\fR|\fBno\fR \fIclassglob\fR [\fIclassglob\fR...]\fR
.ad
.sp .6
.RS 4n
Enable the use of conversions marked with the \fBO_COMPRESS\fR,
\fBO_UNCOMPRESS\fR, and \fBO_TAR\fR options in \fB/etc/ftpd/ftpconversions\fR.
See \fBftpconversions\fR(4).
.RE

.sp
.ne 2
.mk
.na
\fB\fBshutdown\fR \fIpath\fR\fR
.ad
.sp .6
.RS 4n
If the file pointed to by \fIpath\fR exists, the server will check the file
regularly to see if the server is going to be shut down. If a shutdown is
planned, the user is notified. New connections are denied after a specified
time before shutdown. Current connections are dropped at a specified time
before shutdown.
.sp
The format of the file specified by \fIpath\fR is:
.sp
.in +2
.nf
\fIyear\fR \fImonth\fR \fIday\fR \fIhour\fR \fIminute\fR \fIdeny_offset\fR \fIdisc_offset\fR \fItext\fR 
.fi
.in -2

.sp
.ne 2
.mk
.na
\fB\fIyear\fR\fR
.ad
.RS 15n
.rt  
A value of 1970 or greater.
.RE

.sp
.ne 2
.mk
.na
\fB\fImonth\fR\fR
.ad
.RS 15n
.rt  
A value of 0 to 11.
.RE

.sp
.ne 2
.mk
.na
\fB\fIday\fR\fR
.ad
.RS 15n
.rt  
A value of 1 to 31.
.RE

.sp
.ne 2
.mk
.na
\fB\fIhour\fR\fR
.ad
.RS 15n
.rt  
A value of 0 to 23.
.RE

.sp
.ne 2
.mk
.na
\fB\fIminute\fR\fR
.ad
.RS 15n
.rt  
A value of 0 to 59.
.RE

.sp
.ne 2
.mk
.na
\fB\fIdeny_offset\fR\fR
.ad
.br
.na
\fB\fIdisc_offset\fR\fR
.ad
.RS 15n
.rt  
The offsets in HHMM format that new connections will be denied and existing
connections will be disconnected before the shutdown time.
.RE

.sp
.ne 2
.mk
.na
\fB\fItext\fR \fR
.ad
.RS 15n
.rt  
Follows the normal rules for any \fImessage\fR. The following additional magic
cookies are available:
.sp
.ne 2
.mk
.na
\fB\fB%s\fR\fR
.ad
.RS 6n
.rt  
The time at which the system is going to shut down.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%r\fR\fR
.ad
.RS 6n
.rt  
The time at which new connections will be denied.
.RE

.sp
.ne 2
.mk
.na
\fB\fB%d\fR\fR
.ad
.RS 6n
.rt  
The time at which current connections will be dropped.
.RE

.RE

All times are in the form: \fBddd MMM DD hh:mm:ss YYYY\fR. Only one
\fBshutdown\fR command can be present in the configuration file. You can use
the external program \fBftpshut\fR(1M) to automate generation of this file.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdaemonaddress\fR \fIaddress\fR\fR
.ad
.sp .6
.RS 4n
Listen only on the IP address specified. If the value is not set, then the FTP
Server will listen for connections on every IP address. This applies only when
the FTP Server is run in standalone mode.
.RE

.sp
.ne 2
.mk
.na
\fB\fBvirtual\fR \fIaddress\fR \fBroot\fR|\fBbanner\fR|\fBlogfile\fR
\fIpath\fR\fR
.ad
.sp .6
.RS 4n
Enable the FTP Server limited virtual hosting capabilities. The \fIaddress\fR
is the IP address of the virtual server. The second argument specifies that the
\fIpath\fR is either the path to the \fBroot\fR of the filesystem for this
virtual server, the \fBbanner\fR presented to the user when connecting to this
virtual server, or the \fBlogfile\fR where transfers are recorded for this
virtual server. If the \fBlogfile\fR is not specified the default log file will
be used. All other message files and permissions as well as any other settings
in this file apply to all virtual servers. The \fIaddress\fR may also be
specified as a hostname rather than as an IP number. This is strongly
discouraged since, if DNS is not available at the time the FTP session begins,
the hostname will not be matched.
.RE

.sp
.ne 2
.mk
.na
\fB\fBroot\fR|\fBlogfile\fR \fIpath\fR\fR
.ad
.sp .6
.RS 4n
In contrast to limited virtual hosting, complete virtual hosting allows
separate configuration files to be virtual host specific. See
\fBftpservers\fR(4). The only additions that are necessary in a virtual host's
\fBftpaccess\fR file is the \fBroot\fR directive that ensures the correct root
directory is used for the virtual host. This only works with complete virtual
hosting, which in contrast to limited virtual hosting, allows separate
configuration files to be specified for each virtual host.
.sp
\fIpath\fR is either the root of the filesystem for this virtual server or the
logfile where transfers for this virtual server are recorded. root and logfile
may only be specified when not preceded by \fBvirtual\fR \fIaddress\fR in a
virtual hosts's \fBftpaccess\fR file.
.RE

.sp
.ne 2
.mk
.na
\fB\fBvirtual\fR \fIaddress\fR \fBhostname\fR|\fBemail\fR \fIstring\fR\fR
.ad
.sp .6
.RS 4n
Set the hostname shown in the greeting message and status command, or the email
address used in message files and on the HELP command, to the given
\fIstring\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBvirtual\fR \fIaddress\fR \fBallow\fR \fIusername\fR
[\fIusername\fR...]\fR
.ad
.br
.na
\fB\fBvirtual\fR \fIaddress\fR \fBdeny\fR \fIusername\fR [\fIusername\fR...]\fR
.ad
.sp .6
.RS 4n
By default, real and guest users are not allowed to log in on the virtual
server, unless they are guests that are chroot'd to the virtual root. The users
listed on the \fBvirtual allow\fR line(s) are granted access. You can grant
access to all users by giving '*' as the \fIusername\fR. The \fBvirtual deny\fR
clauses are processed after the \fBvirtual allow\fR clauses. Thus specific
users can be denied access although all users were allowed in an earlier
clause.
.RE

.sp
.ne 2
.mk
.na
\fB\fBvirtual\fR \fIaddress\fR \fBprivate\fR\fR
.ad
.sp .6
.RS 4n
Deny log in access to anonymous users on the virtual server. Anonymous users
are generally allowed to log in on the virtual server if this option is not
specified.
.RE

.sp
.ne 2
.mk
.na
\fB\fBvirtual\fR \fIaddress\fR \fBpasswd\fR \fIfile\fR\fR
.ad
.sp .6
.RS 4n
Use a different \fBpasswd\fR file for the virtual host.
.RE

.sp
.ne 2
.mk
.na
\fB\fBvirtual\fR \fIaddress\fR \fBshadow\fR \fIfile\fR\fR
.ad
.sp .6
.RS 4n
Use a different \fBshadow\fR file for the virtual host.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdefaultserver\fR \fBdeny\fR \fIusername\fR [\fIusername\fR...]\fR
.ad
.br
.na
\fB\fBdefaultserver\fR \fBallow\fR \fIusername\fR [\fIusername\fR...]  \fR
.ad
.sp .6
.RS 4n
By default, all users are allowed access to the non-virtual FTP Server. Use
\fBdefaultserver\fR \fBdeny\fR to revoke access for specific real and guest
users. Specify '*' to deny access to all users, except anonymous users.
Specific real and guest users can then be allowed access by using
\fBdefaultserver\fR \fBallow\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdefaultserver\fR \fBprivate\fR\fR
.ad
.sp .6
.RS 4n
By default, all users are allowed access to the non-virtual FTP Server. Use
\fBdefaultserver\fR \fBprivate\fR to revoke access for anonymous users.
.sp
The \fBvirtual\fR and \fBdefaultserver\fR \fBallow\fR, \fBdeny\fR and
\fBprivate\fR clauses provide a means to control which users are allowed access
to which FTP Servers.
.RE

.sp
.ne 2
.mk
.na
\fB\fBpassive\fR \fBaddress\fR \fIexternalip\fR \fIcidr\fR\fR
.ad
.sp .6
.RS 4n
Allow control of the address reported in response to a \fBpassive\fR command.
When any control connection matching \fIcidr\fR requests a passive data
connection (PASV), the \fIexternalip\fR address is reported. This does not
change the address that the daemon actually listens on, only the address
reported to the client. This feature allows the daemon to operate correctly
behind IP renumbering firewalls. For example:
.sp
.in +2
.nf
passive address 10.0.1.15   10.0.0.0/8
passive address 192.168.1.5 0.0.0.0/0
.fi
.in -2

Clients connecting from the class-A network 10 will be told the passive
connection is listening on IP address 10.0.1.15 while all others will be told
the connection is listening on 192.168.1.5. Multiple passive addresses may be
specified to handle complex, or multi-gatewayed, networks.
.RE

.sp
.ne 2
.mk
.na
\fB\fBpassive\fR \fBports\fR \fIcidr\fR \fImin\fR \fImax\fR\fR
.ad
.sp .6
.RS 4n
Allows control of the TCP port numbers which may be used for a passive data
connection. If the control connection matches the \fIcidr\fR, a port in the
range \fImin\fR to \fImax\fR will be randomly selected for the daemon to listen
on. This feature allows firewalls to limit the ports that remote clients may
use to connect into the protected network.
.sp
\fIcidr\fR is shorthand for an IP address followed by a slash and the number of
left-most bits that represent the network address, as opposed to the machine
address. For example, if you are using the reserved class-A network 10, instead
of a netmask of 255.0.0.0, use a CIDR of /8, as in 10.0.0.0/8, to represent
your network.
.sp
When \fImin\fR and \fImax\fR are both 0, the kernel rather than the FTP server
selects the TCP port to listen on. Kernel port selection is usually not
desirable if the kernel allocates TCP ports sequentially. If in doubt, let the
FTP server do the port selection.
.RE

.sp
.ne 2
.mk
.na
\fB\fBpasv-allow\fR \fIclass\fR [\fIaddrglob\fR...]\fR
.ad
.br
.na
\fB\fBport-allow\fR \fIclass\fR [\fIaddrglob\fR...]\fR
.ad
.sp .6
.RS 4n
Normally, the FTP Server does not allow a \fBPORT\fR command to specify an
address different than that of the control connection. Nor does it allow a
\fBPASV\fR connection from another address.
.sp
The \fBport-allow\fR clause provides a list of addresses that the specified
class of user may give on a \fBPORT\fR command. These addresses will be allowed
even if they do not match the IP address of the client-side of the control
connection.
.sp
The \fBpasv-allow\fR clause provides a list of addresses that the specified
class of user may make data connections from. These addresses will be allowed
even if they do not match the IP address of the client-side of the control
connection.
.RE

.sp
.ne 2
.mk
.na
\fB\fBlslong\fR\fI command\fR [\fIoptions\fR...] \fR
.ad
.br
.na
\fB\fBlsshort\fR\fI command\fR [\fIoptions\fR...] \fR
.ad
.br
.na
\fB\fBlsplain\fR\fI command\fR [\fIoptions\fR...] \fR
.ad
.sp .6
.RS 4n
Use the \fBlslong\fR, \fBlsshort\fR, and \fBlsplain\fR clauses to specify the
commands and options to use to generate directory listings. The options cannot
contain spaces, and the default values for these clauses are generally correct.
Use \fBlslong\fR, \fBlsshort\fR, or \fBlsplain\fR only if absolutely necessary.
.RE

.sp
.ne 2
.mk
.na
\fB\fBmailserver\fR \fIhostname\fR\fR
.ad
.sp .6
.RS 4n
Specify the name of a mail server that will accept upload notifications for the
FTP Server. Multiple mail servers may be listed. The FTP Server will attempt to
deliver the upload notification to each, in order, until one accepts the
message. If no mail servers are specified, \fBlocalhost\fR is used. This option
is only meaningful if anyone is to be notified of anonymous uploads. See
\fBincmail\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBincmail\fR \fIemailaddress\fR\fR
.ad
.br
.na
\fB\fBvirtual\fR \fIaddress\fR \fBincmail\fR \fIemailaddress\fR\fR
.ad
.br
.na
\fB\fBdefaultserver\fR \fBincmail\fR \fIemailaddress\fR\fR
.ad
.sp .6
.RS 4n
Specify email addresses to be notified of anonymous uploads. Multiple addresses
can be specified. Each will receive a notification. If no addresses are
specified, no notifications are sent.
.sp
If addresses are specified for a virtual host, only those addresses will be
sent notification of anonymous uploads on that host. Otherwise, notifications
will be sent to the global addresses.
.sp
\fBdefaultserver\fR addresses only apply when the FTP session is not using one
of the virtual hosts. In this way, you can receive notifications for your
default anonymous area, but not see notifications to virtual hosts that do not
have their own notifications.
.RE

.sp
.ne 2
.mk
.na
\fB\fBmailfrom\fR \fIemailaddress\fR\fR
.ad
.br
.na
\fB\fBvirtual\fR \fIaddress\fR \fBmailfrom\fR \fIemailaddress\fR\fR
.ad
.br
.na
\fB\fBdefaultserver\fR \fBmailfrom\fR \fIemailaddress\fR\fR
.ad
.sp .6
.RS 4n
Specify the sender's email address for anonymous upload notifications. Only one
address may be specified. If no \fBmailfrom\fR applies, email is sent from the
default mailbox name \fBwu-ftpd\fR. To avoid problems if the recipient attempts
to reply to a notification, or if downstream mail problems generate bounces,
you should ensure the \fBmailfrom\fR address is deliverable.
.RE

.sp
.ne 2
.mk
.na
\fB\fBsendbuf\fR \fIsize\fR [\fItypelist\fR]\fR
.ad
.br
.na
\fB\fBrecvbuf\fR \fIsize\fR [\fItypelist\fR]\fR
.ad
.sp .6
.RS 4n
Set the send or receive buffer sizes used for binary transfers. They have no
effect on ASCII transfers.
.RE

.sp
.ne 2
.mk
.na
\fB\fBrhostlookup\fR yes|no [\fIaddrglob\fR ...]\fR
.ad
.sp .6
.RS 4n
Allows or disallows the lookup of the remote host's name. Name lookups can be
slow, but skipping them means that places where an \fIaddrglob\fR is matched
(for example, in the class capability) will match only an IP address, not a
name. Also \fBdeny !nameserved\fR and \fBdns refuse_no_reverse\fR or
\fBrefuse_mismatch\fR will deny access when a name lookup is not done. The
default is to lookup the remote host's name.
.sp
Only IP addresses, not names, are matched in \fIaddrglob\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBflush-wait\fR yes|no [\fItypelist\fR]\fR
.ad
.sp .6
.RS 4n
Controls the behavior at the end of a download or directory listing. If
\fByes\fR, shutdown the data connection for sending and wait for the client to
close its end before sending a transfer complete reply on the control
connection. This is the default behavior. If \fBno\fR, close the data
connection and send the transfer complete reply without waiting for the client.
With this behavior, data loss can go undetected.
.sp
If a client hangs at the end of a directory listing, or the system has many
sockets in the \fBFIN_WAIT_2\fR state, try setting to \fBno\fR as a workaround
for broken client behavior.
.RE

.SS "Permission Capabilities"
.sp
.LP
The following permission capabilities are supported:
.sp
.ne 2
.mk
.na
\fB\fBchmod\fR \fByes\fR|\fBno\fR \fItypelist\fR\fR
.ad
.br
.na
\fB\fBdelete\fR \fByes\fR|\fBno\fR \fItypelist\fR\fR
.ad
.br
.na
\fB\fBoverwrite\fR \fByes\fR|\fBno\fR \fItypelist\fR\fR
.ad
.br
.na
\fB\fBrename\fR \fByes\fR|\fBno\fR \fItypelist\fR\fR
.ad
.br
.na
\fB\fBumask\fR \fByes\fR|\fBno\fR \fItypelist\fR\fR
.ad
.sp .6
.RS 4n
Allows or disallows the ability to perform the specified function. By default,
all real and guest users are allowed. Anonymous users are only allowed
\fBoverwrite\fR and \fBumask\fR.
.sp
\fItypelist\fR is a comma-separated list of any of the keywords
\fBanonymous\fR, \fBguest\fR, \fBreal\fR and \fBclass=\fR. When \fBclass=\fR
appears, it must be followed by a classname. If any \fBclass=\fR appears, the
\fItypelist\fR restriction applies only to users in that class.
.RE

.sp
.ne 2
.mk
.na
\fB\fBpasswd-check\fR \fBnone\fR|\fBtrivial\fR|\fBrfc822\fR
[\fBenforce\fR|\fBwarn\fR]\fR
.ad
.sp .6
.RS 4n
Define the level and enforcement of password checking done by the FTP Server
for anonymous FTP.
.sp
.ne 2
.mk
.na
\fB\fBnone\fR\fR
.ad
.RS 11n
.rt  
No password checking is performed.
.RE

.sp
.ne 2
.mk
.na
\fB\fBtrivial\fR\fR
.ad
.RS 11n
.rt  
The password must contain an '@'.
.RE

.sp
.ne 2
.mk
.na
\fB\fBrfc822\fR\fR
.ad
.RS 11n
.rt  
The password must be \fIRFC 822\fR compliant.
.RE

.sp
.ne 2
.mk
.na
\fB\fBwarn\fR\fR
.ad
.RS 11n
.rt  
Warn, but permit the login.
.RE

.sp
.ne 2
.mk
.na
\fB\fBenforce\fR\fR
.ad
.RS 11n
.rt  
Notify and deny the login.
.RE

.RE

.sp
.ne 2
.mk
.na
\fB\fBdeny-email\fR \fIcase-insensitive-emailaddress\fR\fR
.ad
.sp .6
.RS 4n
Consider the email address given as an argument as invalid. If
\fBpasswd-check\fR is set to \fBenforce\fR, anonymous users giving this address
as a password cannot log in. That way, you can stop users from having stupid
WWW browsers use fake addresses like IE?0User@ or mozilla@. (by using this, you
are not shutting out users using a WWW browser for ftp - you just make them
configure their browser correctly.) Only one address is allowed per line, but
you can have as many \fBdeny-email\fR addresses as you like.
.RE

.sp
.ne 2
.mk
.na
\fB\fBpath-filter\fR \fItypelist\fR \fImessage\fR \fIallowed_regexp\fR \fR
.ad
.br
.na
\fB[\fIdisallowed_regexp\fR...]\fR
.ad
.sp .6
.RS 4n
For users in \fItypelist\fR, \fBpath-filter\fR defines regular expressions that
control what characters can be used in the filename of an uploaded file or
created directory. There may be multiple disallowed regular expressions. If a
filename is invalid due to failure to match the regular expression criteria,
\fImessage\fR will be displayed to the user. For example:
.sp
.in +2
.nf
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
.fi
.in -2

specifies that all upload filenames for anonymous users must be made of only
the characters A-Z, a-z, 0-9, and "._-" and may not begin with a "." or a "-".
If the filename is invalid, \fB/etc/pathmsg\fR will be displayed to the user.
.RE

.sp
.ne 2
.mk
.na
\fB\fBupload\fR [\fBabsolute\fR|\fBrelative\fR]
[\fBclass=\fR\fIclassname\fR]... [\fB-\fR] \fR
.ad
.br
.na
\fB\fIroot-dir\fR \fIdirglob\fR \fByes\fR|\fBno\fR \fIowner\fR \fIgroup\fR
\fImode\fR\fR
.ad
.br
.na
\fB[\fBdirs\fR|\fBnodirs\fR] [\fId_mode\fR]\fR
.ad
.sp .6
.RS 4n
Define a directory with \fIdirglob\fR that permits or denies uploads. If it
does permit uploads, all newly created files will be owned by \fIowner\fR and
\fIgroup\fR and will have their permissions set according to \fImode\fR.
Existing files that are overwritten will retain their original ownership and
permissions. Directories are matched on a best-match basis. For example:
.sp
.in +2
.nf
upload /var/ftp  *  no
upload /var/ftp /incoming yes ftp daemon 0666
upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs
.fi
.in -2

would only allow uploads into \fB/incoming\fR and \fB/incoming/gifs\fR. Files
that were uploaded to \fB/incoming\fR are owned by \fBftp/daemon\fR and have
permissions of 0666. Files uploaded to \fB/incoming/gifs\fR are owned by
\fBjlc/guest\fR and have permissions of 0600. The optional "\fBdirs\fR" and
"\fBnodirs\fR" keywords can be specified to allow or disallow the creation of
new subdirectories using the \fBmkdir\fR command. If the \fBupload\fR command
is used, directory creation is allowed by default. To turn it off by default,
you must specify a user, group and mode followed by the "nodirs" keyword as the
first line where the \fBupload\fR command is used in this file. If directories
are permitted, the optional \fId_mode\fR determines the permissions for a newly
created directory. If \fId_mode\fR is omitted, the permissions are inferred
from \fImode\fR. The permissions are 0777 if \fImode\fR is also omitted. The
\fBupload\fR keyword only applies to users who have a home directory of
\fIroot-dir\fR. \fIroot-dir\fR may be specified as "*" to match any home
directory. The \fIowner\fR or \fIgroup\fR may each be specified as "*", in
which case any uploaded files or directories will be created with the ownership
of the directory in which they are created. The optional first parameter
selects whether \fIroot-dir\fR names are interpreted as absolute or relative to
the current \fBchroot'd\fR environment. The default is to interpret
\fB<root-dir>\fR names as absolute. You can specify any number of
\fBclass=\fIclassname\fR\fR restrictions. If any are specified, this upload
clause only takes effect if the current user is a member of one of the classes.
.sp
In the absence of any matching \fBupload\fR clause, real and guest users can
upload files and make directories, but anonymous users cannot. The mode of
uploaded files is 0666. For created directories, the mode is 0777. Both modes
are modified by the current umask setting.
.RE

.sp
.ne 2
.mk
.na
\fB\fBthroughput\fR \fIroot-dir\fR \fIsubdir-glob\fR \fIfile-glob-list\fR \fR
.ad
.br
.na
\fB\fIbytes-per-second\fR \fIbytes-per-second-multiply\fR \fIremote-glob-list
\fR\fR
.ad
.sp .6
.RS 4n
Define files by means of a comma-separated \fIfile-glob-list\fR in \fBsubdir\fR
matched by \fIsubdir-glob\fR under \fIroot-dir\fR that have restricted transfer
throughput of \fIbytes-per-second\fR on download when the remote hostname or
remote IP address matches the comma-separated \fIremote-glob-list\fR. Entries
are matched on a best-match basis. For example:
.sp
.in +2
.nf
throughput /e/ftp *    *      oo   -   *
throughput /e/ftp /sw* *      1024 0.5 *
throughput /e/ftp /sw* README oo   -   *
throughput /e/ftp /sw* *      oo   -   *.foo.com
.fi
.in -2

would set maximum throughput per default, but restrict download to 1024 bytes
per second for any files under \fB/e/ftp/sw/\fR that are not named README. The
only exceptions are remote hosts from within the domain \fBfoo.com\fR which
always get maximum throughput. Every time a remote client has retrieved a file
under \fB/e/ftp/sw/\fR the bytes per seconds of the matched entry line are
internally multiplied by a factor, here 0.5. When the remote client retrieves
its second file, it is served with 512 bytes per second, the third time with
only 256 bytes per second, the fourth time with only 128 bytes per second, and
so on. The string "oo" for the bytes per second field means no throughput
restriction. A multiply factor of 1.0 or "-" means no change of the throughput
after every successful transfer. The \fIroot-dir\fR here must match the home
directory specified in the password database . The \fBthroughput\fR keyword
only applies to users who have a home directory of \fIroot-dir\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBanonymous-root\fR \fIroot-dir\fR [\fIclass\fR...]\fR
.ad
.sp .6
.RS 4n
\fIroot-dir\fR specifies the \fBchroot()\fR path for anonymous users. If no
anonymous-root is matched, the old method of parsing the home directory for the
FTP user is used. If no \fIclass\fR is specified, this is the root directory
for anonymous users who do not match any other anonymous-root specification.
Multiple classes may be specified on this line. If an anonymous-root is chosen
for the user, the FTP user's home directory in the
\fB\fIroot-dir\fR/etc/passwd\fR file is used to determine the initial directory
and the FTP user's home directory in the system-wide \fB/etc/passwd\fR is not
used. For example:
.sp
.in +2
.nf
anonymous-root /home/ftp
anonymous-root /home/localftp localnet
.fi
.in -2

causes all anonymous users to be \fBchroot'd\fR to the directory
\fB/home/ftp\fR. If the FTP user exists in \fB/home/ftp/etc/passwd\fR, their
initial \fBCWD\fR is that home directory. Anonymous users in the class
\fBlocalnet\fR, however, are \fBchroot'd\fR to the directory
\fB/home/localftp\fR and their initial \fBCWD\fR is taken from the FTP user's
home directory in \fB/home/localftp/etc/passwd\fR.
.RE

.sp
.ne 2
.mk
.na
\fB\fBguest-root\fR \fIroot-dir\fR [\fIuid-range\fR...]\fR
.ad
.sp .6
.RS 4n
\fIroot-dir\fR specifies the \fBchroot()\fR path for guest users. If no
guest-root is matched, the old method of parsing the user's home directory is
used. If no \fIuid-range\fR is specified, this is the root directory for
guestusers who do not match any other guest-root specification. Multiple UID
ranges may be given on this line. If a guest-root is chosen for the user, the
user's home directory in the \fB\fIroot-dir\fR/etc/passwd\fR file is used to
determine the initial directory and the home directory in the system-wide
\fB/etc/passwd\fR is not used. \fIuid-range\fR specifies names or numeric UID
values. To use numbers, put a percent sign (\fB%\fR) symbol before it or before
the range. Ranges are specified by giving the lower and upper bounds
(inclusive), separated by a dash. If the lower bound is omitted, it means
\fBall up to\fR. If the upper bound is omitted, it means \fBall starting
from\fR. For example:
.sp
.in +2
.nf
guest-root /home/users
guest-root /home/staff %100-999 sally
guest-root /home/users/owner/ftp frank
.fi
.in -2

causes all guest users to \fBchroot()\fR to \fB/home/users\fR then starts each
user in the user's home directory, as specifiedin \fB/home/users/etc/passwd\fR.
Users in the range 100 through 999, inclusive, and user sally, will be
\fBchroot'd\fR to \fB/home/staff\fR and the \fBCWD\fR will be taken from their
entries in \fB/home/staff/etc/passwd\fR. The single user frank will be
\fBchroot'd\fR to \fB/home/users/owner/ftp\fR and the \fBCWD\fR will be from
his entry in \fB/home/users/owner/ftp/etc/passwd\fR.
.sp
The order is important for both anonymous-root and guest-root. If a user would
match multiple clauses, only the first applies; with the exception of the
clause which has no \fIclass\fR or \fIuid-range\fR, which applies only if no
other clause matches.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdeny-uid\fR \fIuid-range\fR [\fIuid-range\fR...]\fR
.ad
.br
.na
\fB\fBdeny-gid\fR \fIgid-range\fR [\fIgid-range\fR...]\fR
.ad
.br
.na
\fB\fBallow-uid\fR \fIuid-range \fR [\fIuid-range\fR...]\fR
.ad
.br
.na
\fB\fBallow-gid\fR \fIgid-range\fR [\fIgid-range\fR...]\fR
.ad
.sp .6
.RS 4n
Use these clauses to specify UID and GID values that will be denied access to
the FTP Server. The \fBallow-uid\fR and \fBallow-gid\fR clauses may be used to
allow access for UID and GID values which would otherwise be denied. These
checks occur before all others. \fBdeny\fR is checked before \fBallow\fR. The
default is to allow access. These clauses do not apply to anonymous users. Use
\fBdefaultserver\fR \fBprivate\fR to deny access to anonymous users. In most
cases, these clauses obviate the need for an \fBftpusers\fR(4) file. For
example, the following clauses deny FTP Server access to all privileged or
special users and groups, except the guest1 user or group.
.sp
.in +2
.nf
deny-gid %-99 nobody noaccess nogroup
deny-uid %-99 nobody noaccess nobody4
allow-gid guest1
allow-uid guest1
.fi
.in -2

Support for the \fBftpusers\fR file still exists, so it may be used when
changing the \fBftpaccess\fR file is not desired. In any place a single UID or
GID is allowed throughout the \fBftpaccess\fR file, either names or numbers
also may be used. To use a number, put a percent sign (\fB%\fR) symbol before
it. In places where a range is allowed, put the percent sign before the range.
A "\fB*\fR" matches all UIDs or GIDs.
.RE

.sp
.ne 2
.mk
.na
\fB\fBrestricted-uid\fR \fIuid-range\fR [\fIuid-range\fR...]\fR
.ad
.br
.na
\fB\fBrestricted-gid\fR \fIgid-range\fR [\fIgid-range\fR...]\fR
.ad
.br
.na
\fB\fBunrestricted-uid\fR \fIuid-range\fR [\fIuid-range\fR...]\fR
.ad
.br
.na
\fB\fBunrestricted-gid\fR \fIgid-range\fR [\fIgid-range\fR...]\fR
.ad
.sp .6
.RS 4n
These clauses control whether or not real or guest users will be allowed access
to areas on the FTP site outside their home directories. These clauses are not
meant to replace the use of \fBguestgroup\fR and \fBguestuser\fR. Instead, use
these clauses to supplement the operation of guests. The \fBunrestricted-uid\fR
and \fBunrestricted-gid\fR clauses may be used to allow users outside their
home directories who would otherwise be restricted.
.sp
The following example shows the intended use for these clauses. Assume user
\fBdick\fR has a home directory \fB/home/dick\fR and \fBjane\fR has a home
directory \fB/home/jane\fR:
.sp
.in +2
.nf
guest-root /home dick jane
restricted-uid dick jane
.fi
.in -2

While both \fBdick\fR and \fBjane\fR are \fBchroot'd\fR to \fB/home\fR, they
cannot access each other's files because they are restricted to their home
directories. However, you should not rely solely upon the FTP restrictions to
control access. As with all other FTP access rules, you should also use
directory and file permissions to support the operation of the \fBftpaccess\fR
configuration.
.RE

.sp
.ne 2
.mk
.na
\fB\fBsite-exec-max-lines\fR \fInumber\fR [\fIclass\fR...]\fR
.ad
.sp .6
.RS 4n
The \fBSITE EXEC\fR feature traditionally limits the number of lines of output
that may be sent to the remote client. Use this clause to set this limit. If
this clause is omitted, the limit is 20 lines. A limit of 0 (zero) implies no
limit. Be very careful if you choose to remove the limit. If a clause is found
matching the remote user's class, that limit is used. Otherwise, the clause
with class '*', or no class given, is used. For example:
.sp
.in +2
.nf
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
site-exec-max-lines 25
.fi
.in -2

limits output from \fBSITE EXEC\fR (and therefore \fBSITE INDEX\fR) to 200
lines for remote users, specifies there is no limit at all for local users, and
sets a limit of 25 lines for all other users.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdns refuse_mismatch\fR \fIfilename\fR [\fBoverride\fR]\fR
.ad
.sp .6
.RS 4n
Refuse FTP sessions when the forward and reverse lookups for the remote site do
not match. Lookups are done using the system's name service as configured in
\fBnsswitch.conf\fR(4). Display the named file, like a message file,
admonishing the user. If the optional override is specified, allow the
connection after complaining.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdns refuse_no_reverse\fR \fIfilename\fR [\fBoverride\fR]\fR
.ad
.sp .6
.RS 4n
Refuse FTP sessions when the remote host's IP address has no associated name.
Lookups are done using the system's name service as configured in
\fBnsswitch.conf\fR(4). Display the named file, such as a message file,
admonishing the user. If the optional override is specified, allow the
connection after complaining.
.RE

.sp
.ne 2
.mk
.na
\fB\fBdns resolveroptions\fR [\fBoptions\fR]\fR
.ad
.sp .6
.RS 4n
Modify certain internal resolver variables. This only has an effect when DNS is
used as the system's name service. The line takes a series of options which are
used to set the RES_OPTIONS environment variable, see resolv.conf(4) for
details. For example:
.sp
.in +2
.nf
dns resolveroptions rotate attempts:1
.fi
.in -2

turns on querying name servers round-robin and selects querying each name
server only once.
.RE

.sp
.LP
Lines that begin with a \fB#\fR sign are treated as comment lines and are
ignored.
.SH FILES
.sp
.ne 2
.mk
.na
\fB \fB/etc/ftpd/ftpaccess\fR\fR
.ad
.RS 24n
.rt  
 
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
tab() box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPEATTRIBUTE VALUE
_
Interface StabilityExternal
.TE

.SH SEE ALSO
.sp
.LP
\fBcompress\fR(1), \fBls\fR(1), \fBtar\fR(1), \fBftpaddhost\fR(1M),
\fBftpconfig\fR(1M), \fBftpshut\fR(1M), \fBin.ftpd\fR(1M), \fBchroot\fR(2),
\fBnice\fR(2), \fBumask\fR(2), \fBgetgrnam\fR(3C), \fBresolver\fR(3RESOLV),
\fBftpconversions\fR(4), \fBftpgroups\fR(4), \fBftpservers\fR(4),
\fBftpusers\fR(4), \fBnsswitch.conf\fR(4), \fBresolv.conf\fR(4),
\fBtimezone\fR(4), \fBxferlog\fR(4), \fBattributes\fR(5), \fBfnmatch\fR(5)
.sp
.LP
Crocker, David H. \fIRFC 822, Standard For The Format Of ARPA Internet Text
Messages\fR. Network Information Center. August 1982.
.sp
.LP
St. Johns, Michael. \fIRFC 931, Authentication Server\fR. Network Working
Group. January 1985.