Configuration file for ftpd
Description:
The /etc/ftpd.conf file specifies various configuration options for ftpd that apply once a user has authenticated their connection.
Each authenticated user is a member of a class (determined by the /etc/ftpusers file) that decides which entries in this file apply to the user.
When parsing entries the following special classes are available:
- all: Match any class.
- none: Match no class.
The /etc/ftpd.conf file consists of a series of lines,
each of which may contain a configuration directive, a comment, or a blank line.
Directives that appear later in the file override settings by previous directives.
This allows wildcard entries to define defaults, and then have class-specific overrides.
A \ is the escape character;
it can be used to escape the meaning of the comment character,
or if it's the last character on a line, extends a configuration directive across multiple lines.
A # is the comment character,
and all characters from it to the end of line are ignored (unless it's escaped with the escape character).
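The parsing rules above (comment character, escape character, line continuation, wildcard defaults with later class-specific overrides, and the template directive described further down) as an added example; this is not ftpd's own code, and the sample configuration and the file names in it are constructed for illustration:

```python
import re

# Constructed sample ftpd.conf (not from the page): comments, an escaped
# comment character, a continued line, a template, and later overrides.
SAMPLE_CONF = r"""
# wildcard defaults first, class-specific overrides later
checkportcmd all
limit all 0            # unlimited connections
umask all 027
display all \
    .message           # directive continued from the previous line
template chroot guest  # later 'guest' lines also apply to class chroot
motd guest /etc/ftp-motd\#guest   # \# is a literal '#', not a comment
limit guest 10 /etc/ftp-too-many
umask guest 0707
checkportcmd none      # 'none' matches no class: this line changes nothing
"""

def parse_ftpd_conf(text):
    """Return (directive, class, args) tuples, honouring '#', '\\#' and a
    trailing '\\' that joins the next line onto the current directive."""
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # escape as last character: continue
            logical += line[:-1]
            continue
        logical += line
        # drop everything from the first unescaped '#' to end of line
        logical = re.split(r"(?<!\\)#", logical, maxsplit=1)[0]
        words = logical.replace("\\#", "#").split()
        logical = ""
        if len(words) >= 2:              # every directive names a class
            entries.append((words[0], words[1], words[2:]))
    return entries

def effective_settings(entries, cls):
    """Settings that apply to members of `cls`: 'all' is a wildcard, 'none'
    matches nothing, the template's refclass counts too, and later lines win."""
    settings, template = {}, None
    for directive, entry_cls, args in entries:
        if directive == "template" and entry_cls == cls:
            template = args[0] if args else None   # no refclass: disable
            continue
        if entry_cls == "none":
            continue
        if entry_cls in ("all", cls, template):
            settings[directive] = args
    return settings

if __name__ == "__main__":
    for cls in ("real", "guest", "chroot"):
        print(cls, effective_settings(parse_ftpd_conf(SAMPLE_CONF), cls))
```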
The ftpd STAT command returns the class settings for the current user as defined by /etc/ftpd.conf.
Each configuration line may be one of:
- checkportcmd class [off]
- Check the PORT command for validity.
The PORT command fails if the IP address specified doesn't match the FTP command connection,
or if the remote TCP port number is less than IPPORT_RESERVED.
Using this option is strongly encouraged,
especially for sites concerned with potential security problems with FTP bounce attacks.
If class is none, or if off is specified,
this feature is disabled.
- chroot class [pathformat]
- Specify the root directory to use with chroot() at login.
The directory name is created by parsing pathformat; the following escape strings may be used:
Escape  Description
%c      Class name
%d      Home directory of user
%u      Username
%%      A % character
If pathformat isn't specified, or if class is none
then the default root directory is / for REAL users,
or the user's home directory for GUEST and CHROOT users.
- classtype class type
- Set the class type of class to type, where type is one of:
  - CHROOT: chroot()ed users (as per /etc/ftpchroot). A chroot() is performed after login.
  - GUEST: Guests (as per the anonymous and ftp logins). A chroot() is performed after login.
  - REAL: Normal users.
- conversion class suffix [type disable command]
- Define an automatic inline file conversion.
If the file to be retrieved ends in suffix, and a real file (without a suffix)
exists, then the output of the command is returned instead of the contents of the file.
  - suffix: The suffix that initiates the conversion.
  - type: A list of valid filetypes for the conversion.
Valid types are: f (file) and d (directory).
  - disable: A file that prevents the conversion if it exists.
A filename of . prevents this check (that is, the conversion is always permitted).
  - command: A command to run for the conversion.
The first word should be the full pathname of the command, as execv() is used to execute it.
All instances of the word %s in the command are replaced with the requested file (without the suffix).
Conversion directives specified later on in the file override earlier conversions with the
same suffix.
- display class [file]
- Display the contents of file (if it exists) each time the user enters a new directory.
Escape sequences are supported; for more information, see the Display file escape sequences
section in the NetBSD documentation for ftpd at
http://netbsd.gw.com/cgi-bin/man-cgi?ftpd++NetBSD-4.0.
If file isn't specified, or class is none, disable this.
- limit class count [file]
- Limit the maximum number of concurrent connections for class to count,
with 0 indicating unlimited connections.
If the limit is exceeded, and file is specified, display its contents to the user.
This line is ignored if class is none or if count isn't specified.
- homedir class [pathformat]
- Specify the directory to change into at login,
and use as the home directory of the user for tilde expansion in pathnames, etc.
The pathformat argument is parsed as per the chroot directive.
If pathformat isn't specified, or if class is none
then the default home directory is the home directory of the user for REAL users,
or / for GUEST and CHROOT users.
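How a pathformat is expanded for the chroot and homedir directives, and which default each falls back to when no pathformat is given or the class is none, as an added example (not ftpd's own code). Class names, user names and home directories used here are constructed, and the handling of an unknown %x escape (kept verbatim) is an assumption the page does not settle:

```python
# %c, %d and %u as listed in the chroot directive's escape table
ESCAPES = {"c": "class", "d": "home", "u": "user"}

def expand_pathformat(pathformat, cls, user, home):
    """Replace %c, %d, %u and %% in pathformat.  Any other %x is kept
    verbatim (assumption: the page does not say how it is treated)."""
    values = {"class": cls, "home": home, "user": user}
    out, i = [], 0
    while i < len(pathformat):
        ch = pathformat[i]
        if ch == "%" and i + 1 < len(pathformat):
            nxt = pathformat[i + 1]
            if nxt == "%":
                out.append("%")                   # %% is a literal %
            elif nxt in ESCAPES:
                out.append(values[ESCAPES[nxt]])
            else:
                out.append("%" + nxt)             # unknown escape: unchanged
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def chroot_dir(pathformat, cls, classtype, user, home):
    """chroot directive: default is / for REAL users, the home directory
    for GUEST and CHROOT users."""
    if pathformat is None or cls == "none":
        return "/" if classtype == "REAL" else home
    return expand_pathformat(pathformat, cls, user, home)

def home_dir(pathformat, cls, classtype, user, home):
    """homedir directive: the mirror image, the home directory for REAL
    users and / for GUEST and CHROOT users (relative to the chroot)."""
    if pathformat is None or cls == "none":
        return home if classtype == "REAL" else "/"
    return expand_pathformat(pathformat, cls, user, home)

if __name__ == "__main__":
    # constructed values: class 'guest', user 'ftp', home '/home/ftp'
    print(chroot_dir("/var/ftp/%c/%u", "guest", "GUEST", "ftp", "/home/ftp"))
    print(chroot_dir(None, "guest", "GUEST", "ftp", "/home/ftp"))
    print(home_dir(None, "guest", "GUEST", "ftp", "/home/ftp"))
```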
- maxtimeout class time
- Set the maximum timeout period that a client may request (default is 2 hours).
The period can't be less than 30 seconds, or be equal to the value of the timeout directive.
This line is ignored if class is none or time isn't specified.
- modify class [off]
- If class is none, or if off is specified,
disable these commands: CHMOD, DELE, MKD, RMD,
RNFR, and UMASK.
Otherwise, enable them.
- motd class [file]
- Display the contents of file after login as the message of the day.
Escape sequences are supported; for more information, see the Display file escape sequences
section in the NetBSD documentation for ftpd at
http://netbsd.gw.com/cgi-bin/man-cgi?ftpd++NetBSD-4.0.
If file isn't specified, or class is none, disable this.
- notify class [fileglob]
- Notify the user of any files matching fileglob each time the user enters a new directory.
If fileglob isn't specified, or class is none, disable this.
- passive class [off]
- If class is none, or if off is specified,
disallow passive (PASV/LPSV/EPSV) connections.
- portrange class min max
- Set the range of port numbers which are used for the passive data port.
The value of max must be greater than min,
and both numbers must be between IPPORT_RESERVED and IPPORT_ANONMAX.
- rateget class rate
- Set the maximum get (RETR) transfer rate throttle for class to
rate bytes per second.
If rate is 0, the throttle is disabled.
An optional suffix may be provided, which changes the interpretation of rate as follows:
  - b: Don't modify (optional).
  - k: Kilo. Multiply the argument by 1024.
  - m: Mega. Multiply the argument by 1048576.
  - g: Giga. Multiply the argument by 1073741824.
- rateput class rate
- Set the maximum put (STOR) transfer rate throttle for class to
rate bytes per second.
The rate argument is parsed as described in rateget.
- template class [refclass]
- Define refclass as the template for class.
All subsequent references to refclass in the directives also apply to members of class.
You'd define a class template so that other classes, which share common attributes,
can be easily defined without unnecessary duplication.
There can be only one template defined at a time.
If refclass isn't specified, disable the template for class.
- timeout class time
- Set the timeout period for inactivity (default is 15 minutes).
It can't be less than 30 seconds, or greater than the value for maxtimeout.
This line is ignored if class is none or time isn't specified.
- umask class umaskval
- Set the umask to umaskval.
This line is ignored if class is none or umaskval isn't specified.
- upload class [off]
- If class is none, or if off is specified:
disable these commands: APPE, STOR, STOU;
and modify these: CHMOD, DELE, MKD,
RMD, RNFR, UMASK.
Otherwise, enable them.
Default settings
The following defaults are used:
checkportcmd all
classtype chroot CHROOT
classtype guest GUEST
classtype real REAL
display none
limit all -1 # unlimited connections
maxtimeout all 7200 # 2 hours
modify all
motd all motd
notify none
passive all
timeout all 900 # 15 minutes
umask all 027
upload all
modify guest off
umask guest 0707