ftpaccess(4) File Formats ftpaccess(4)
ftpaccess - FTP Server configuration file
The ftpaccess file is used to configure the operation of the FTP Server.
The following access capabilities are supported:
autogroup groupname class class...
If an anonymous user is a member of any of class, the FTP Server will perform a sete-
gid(2) to groupname. This allows access to group and owner read-only files and direc-
tories to a particular class of anonymous users. groupname is a valid group returned
class class typelist addrglobaddrglob...
Define class of users, with source addresses of the form addrglob. Multiple members of
class may be defined. There may be multiple class commands listing additional members
of the class. If multiple class commands can apply to the current session, the first
one listed in the access file is used. If a valid class for a host is not defined,
access will be denied. typelist is a comma-separated list of any of the keywords
anonymous, guest, and real. If the real keyword is included, the class can match users
using FTP to access real accounts. If the anonymous keyword is included the class can
match users using anonymous FTP. The guest keyword matches guest access accounts.
addrglob may be a globbed domain name or a globbed numeric IPv4 address. It may also
be the name of a file, starting with a slash ('/'), which contains additional address
globs. IPv4 numeric addresses may also be specified in the form address:netmask or
address/CIDR. IPv6 numeric addresses can only be specified with an optional CIDR, not
using globs or netmasks.
Placing an exclamation (!) before an addrglob negates the test. For example,
class rmtuser real !*.example.com
will classify real users from outside the example.com domain as the class rmtuser. Use
care with this option. Remember, the result of each test is OR'ed with other tests on
deny addrglob [message_file]
Deny access to host(s) that match addrglob and display message_file. If the value of
addrglob is !nameserved access to sites without a working nameservers is denied. mes-
sage_file may contain magic cookies. See message for more details.
guestgroup groupname groupname...
guestuser username username...
realgroup groupname groupname...
realuser username username...
For guestgroup, if a real user is a member of any groupname, the session is set up
like anonymous FTP. groupname is a valid group returned by getgrnam(3C). The user's
home directory must be set up exactly as anonymous FTP would be. The home directory
field of the passwd entry is divided into two directories. The first field is the root
directory that will be the argument to the chroot(2) call. The second field is the
user's home directory, relative to the root directory. Use a "/./" to separate the two
fields. For example, the following is the real entry in /etc/passwd:
When guest1 successfully logs in, the FTP Server will chroot() to /export/home/guests
and then chdir(2) to /guest1. The guest user will only be able to access the directory
structure under /export/home/guests, which will look and act as / to guest1, just as
an anonymous FTP user would. The d option to ftpconfig(1M) is useful when creating
guest FTP user accounts. The group name may be specified by either name or numeric ID.
To use a numeric group ID, place a percent sign (%) before the number. You can give
ranges. Use an asterisk to indicate all groups. guestuser works like guestgroup,
except that it uses the user name or numeric ID. realuser and realgroup have the same
syntax, but they reverse the effect of guestuser and guestgroup. They allow real user
access when the remote user would otherwise be determined a guest.
causes all non-anonymous users to be treated as guest, with the sole exception of
users in the admin group, who are granted real user access.
nice nice-delta class
Adjust the process nice value of the FTP server process by the indicated nice-delta
value if the remote user is a member of the named class. If class is not specified,
then use nice-delta as the default adjustment to the FTP server process nice value.
This default nice value adjustment is used to adjust the nice value of the server
process only for those users who do not belong to any class for which a class-specific
nice directive exists in the ftpaccess file.
defumask umask class
Set the umask applied to files created by the FTP server if the remote user is a mem-
ber of the named class. If class is not specified, then use the umask as the default
for classes that do not have one specified.. The mode of files created may be speci-
fied by using the upload directive.
tcpwindow size class
Set the TCP window size (socket buffer size) for the data connection. Use this to con-
trol network traffic. For instance, slow PPP dialin links may need smaller TCP windows
to speed up throughput. If you do not know what this does, do not set it.
ipcos control|data value [typelist]
Set the IP Class of Service for either the control or data connection.
For connections using AF_INET type sockets, this sets the Type of Service field in the
IP header to the value specified.
For connections using AF_INET6 type sockets, this sets the Traffic Class field in the
IP header to the value specified.
When configured through inetd.conf(4), the socket type is controlled by the protocol
field of the ftp service. When running in standalone mode the default socket type is
AF_INET6. The in.ftpd(1M) 4 option selects AF_INET.
typelist is a comma-separated list of any of the keywords anonymous, guest, real, and
class=. When class= appears, it must be followed by a class name.
Set the TCP SO_KEEPALIVE option for control and data sockets. This can be used to con-
trol network disconnect. If yes, then set it. If no, then use the system default (usu-
ally off). You probably want to set this.
timeout accept seconds
timeout connect seconds
timeout data seconds
timeout idle seconds
timeout maxidle seconds
timeout RFC931 seconds
Set various timeout conditions.
accept How long the FTP Server will wait for an incoming (PASV) data connection.
The default is 120 seconds.
connect How long the FTP Server will wait attempting to establish an outgoing
(PORT) data connection. This effects the actual connection attempt. The
daemon makes several attempts, sleeping between each attempt, before giving
up. The default is 120 seconds.
data How long the FTP Server will wait for some activity on the data connection.
You should keep this long because the remote client may have a slow link,
and there can be quite a bit of data queued for the client. The default is
idle How long the FTP Server will wait for the next command. The default is 900
seconds. The default can also be overridden by using the t option at the
command-line. This access clause overrides both.
maxidle The SITE IDLE command allows the remote client to establish a higher value
for the idle timeout. The maxidle clause sets the upper limit that the
client may request. The default can also be overridden by using the T
option at the command-line. This access clause overrides both. The default
is 7200 seconds.
RFC931 The maximum time the FTP server allows for the entire RFC931 (AUTH/ident)
conversation. Setting this to zero(0) disables the server's use of this
protocol. The information obtained by means of RFC931 is recorded in the
system logs and is not actually used in any authentication. The default is
file-limit raw in|out|total count class
Limit the number of data files a user in the given class may transfer. The limit may
be placed on files in, out, or total. If no class is specified, the limit is the
default for classes which do not have a limit specified. The optional parameter raw
applies the limit to the total traffic rather than just data files.
data-limit [raw] in|out|total count [class]
Limit the number of data bytes a user in the given class may transfer. The limit may
be placed on bytes in, out, or total. If no class is specified, the limit is the
default for classes which do not have a limit specified. Note that once it has been
exceeded, this limit will prevent transfers, but it will not terminate a transfer in
progress. The optional parameter raw applies the limit to total traffic rather than
just data files.
limit-time *|anonymous|guest minutes
Limit the total time a session can take. By default, there is no limit. Real users are
Control which hosts may be used for anonymous access. If used without hostname, all
anonymous access is denied to this site. More than one hostname may be specified.
Anonymous access will only be allowed on the named machines. If access is denied, the
user will be asked to use the first hostname listed.
limit class n times [message_file]
Limit class to n users at times times, displaying message_file if the user is denied
access. A limit check is performed at login time only. If multiple limit commands can
apply to the current session, the first applicable one is used. Failing to define a
valid limit, or a limit of -1, is equivalent to no limits. The format of times is:
The value of day can be Su, Mo, Tu, We, Th, Fr, Sa, Wk (for any weekday Monday through
Friday), or Any. time-range is in 24-hour clock notation. If a time range is not spec-
ified, any time of the day is matched. Multiple day and time-range may be specified by
the "|" symbol. For example, Wk1730-0900|Sa|Su specifies 5:30 p.m. to 9:00 a.m., Mon-
day through Friday, and anytime on weekends. message_file may contain magic cookies.
See message for more details.
[class=classname...][-] filename [filename...]
Always deny retrievability of these files. If filename specifies a pathname that
begins with '/' character, then only those files are marked no retrieve. Otherwise all
files that match the filename are refused transfer. For example, noretrieve
/etc/passwd core specifies no one will be able to retrieve the /etc/passwd file. You
will be allowed to transfer any file named passwd that is not in /etc.
On the other hand, no one will be able to get files named core, wherever they are.
Directory specifications mark all files and subdirectories in the named directory
unretrievable. The filename may be specified as a file glob. For example,
noretrieve /etc /home/*/.htaccess
specifies that no files in /etc or any of its subdirectories may be retrieved. Also,
no files named .htaccess anywhere under the /home directory may be retrieved. The
optional first parameter selects whether names are interpreted as absolute or relative
to the current chroot'd environment. The default is to interpret names beginning with
a slash as absolute. The noretrieve restrictions may be placed upon members of partic-
ular classes. If any class= is specified, the named files cannot be retrieved only if
the current user is a member of one of the given classes.
[class=classname...][-] filename [filename...]
Allows retrieval of files which would otherwise be denied by noretrieve.
After number login failures, log a "repeated login failures" message and terminate the
FTP connection. The default value for number is 5.
private yes | no
Allow or deny use of the SITE GROUP and SITE GPASS commands after the user logs in.
The SITE GROUP and SITE GPASS commands specify an enhanced access group and associated
password. If the group name and password are valid, the user becomes a member of the
group specified in the group access file /etc/ftpd/ftpgroups by means of setegid(2).
See ftpgroups(4) for the format of the file. For this option to work for anonymous FTP
users, the FTP Server must keep /etc/group permanently open and load the group access
file into memory. This means that the FTP Server now has an additional file descriptor
open, and the necessary passwords and access privileges granted to users by means of
SITE GROUP will be static for the duration of an FTP session. If you have an urgent
need to change the access groups or passwords now, you have to kill all of the running
The following informational capabilities are supported:
greeting text message
The greeting command allows you to control how much information is given out before
the remote user logs in. greeting full, which is the default greeting, shows the host-
name and daemon version. greeting brief shows the hostname. greeting terse simply
says "FTP Server ready." Although full is the default, brief is suggested.
The text form allows you to specify any greeting message. message can be any string.
Whitespace (spaces and tabs) is converted to a single space.
The banner command operates similarly to the message command, except that the banner
is displayed before the user enters the username. The path is relative to the real
system root, not to the base of the anonymous FTP directory.
Use of the banner command can completely prevent non-compliant FTP clients from making
use of the FTP Server. Not all clients can handle multi-line responses, which is how
the banner is displayed.
Use this command to define the email address for the FTP Server administrator. This
string will be printed every time the %E magic cookie is used in message files.
Defines the default host name of the FTP Server. This string will be printed on the
greeting message and every time the %L magic cookie is used. The host name for virtual
servers overrides this value. If no host name is specified, the default host name for
the local machine is used.
message path [when [class...]]
Define a file with path such that the FTP Server will display the contents of the file
to the user at login time or upon using the change working directory command. The when
parameter may be LOGIN or CWD=dirglob. If whenis CWD=dirglob, dirglob specifies the
new default directory that will trigger the notification. A dirglob of "*" matches all
The optional class specification allows the message to be displayed only to members of
a particular class. More than one class may be specified.
"Magic cookies" can be present in path that cause the FTP Server to replace the cookie
with a specified text string:
%T Local time. For example, Thu Nov 15 17:12:42 1990.
%F Free space in partition of CWD, in Kbytes.
%C Current working directory.
%E The email address for the FTP Server administrator.
%R Remote host name.
%L Local host name.
%U Username given at login time.
%u Username as defined by means of RFC 931 authentication.
%M Maximum allowed number of users in this class.
%N Current number of users in this class.
The following quota magic cookies are also supported but not always set (see the
%B absolute limit on disk blocks allocated
%b preferred limit on disk blocks
%Q current block count
%I maximum number of allocated inodes (+1)
%i preferred inode limit
%q current number of allocated inodes
%H time limit for excessive disk use
%h time limit for excessive files
The message is displayed only once to avoid annoying the user. Remember that when mes-
sages are triggered by an anonymous or guest FTP user, they must be relative to the
base of the anonymous or guest FTP directory tree.
quota-info uid-range [uid-range...]
Enable retrieval of quota information for users matching uid-range. This sets the
quota magic cookies. Retrieving quota information might cause a significant delay when
logging into the server.
uid-range can be a username, single UID, or a UID range. Place a percent sign(%)
before a number. An asterisk means "all users."
readme pathglob [when [class...]]
Define a file with pathglob such that the FTP Server will notify the user at login
time or upon using the change working directory command that the file exists and the
date that it was modified. The when parameter may be LOGIN or CWD=dirglob. If when is
CWD=dirglob, dirglob specifies the new default directory that will trigger the notifi-
cation. A dirglob of "*" matches all directories. The message will only be displayed
once, to avoid bothering users. Remember that when README messages are triggered by an
anonymous or guest FTP user, the pathglob must be relative to the base of the anony-
mous or guest FTP directory tree.
The optional class specification allows the message to be displayed only to members of
a particular class. You can specify more than one class.
The following logging capabilities are supported:
log commands typelist
Enables logging of the individual FTP commands sent by users. typelist is a comma-sep-
arated list of any of the keywords anonymous, guest, and real. Command logging infor-
mation is written to the system log.
log transfers typelist directions
Log file transfers made by FTP users to the xferlog(4) file. Logging of incoming
transfers to the server can be enabled separately from outbound transfers from the
server. directions is a comma-separated list of any of the two keywords inbound and
outbound, and will respectively cause transfers to be logged for files sent to and
from the server.
log security typelist
Enables logging of violations of security rules to the system log, including for exam-
ple, noretrieve and .notar.
Redirect the logging messages for incoming and outgoing transfers to syslog. Without
this option the messages are written to xferlog. When you specify syslog+xferlog, the
transfer log messages are sent to both the system log file and the xferlog file.
xferlog format formatstring
Customize the format of the transfer log entry written. formatstring can be any
string, which might include magic cookies. Strings of whitespace characters are con-
verted into a single space.
The following transfer-specific magic cookies are recognized only immediately after a
transfer has been completed:
xferlog(4) includes a description of these fields. If no xferlog format entry is
present, the default is:
xferlog format %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc
The following miscellaneous capabilities are supported:
alias string dir
Define an alias, string, for a directory. Use this command to add the concept of log-
ical directories. For example: alias rfc: /pub/doc/rfc would allow the user to access
/pub/doc/rfc from any directory by the command "cd rfc:". Aliases only apply to the cd
Define an entry in the cdpath. This command defines a search path that is used when
changing directories. For example:
would allow the user to move into any directory directly under either the /pub/pack-
ages or the /.aliases directories. The search path is defined by the order in which
the lines appear in the ftpaccess file. If the user were to give the command ftp> cd
foo the directory will be searched for in the following order:
o an alias called foo
The cdpath is only available with the cd command. If you have a large number of
aliases, you might want to set up an aliases directory with links to all of the areas
you wish to make available to users.
compress yes|no classglob [classglob...]
tar yes|no classglob [classglob...]
Enable the use of conversions marked with the O_COMPRESS, O_UNCOMPRESS, and O_TAR
options in /etc/ftpd/ftpconversions. See ftpconversions(4).
If the file pointed to by path exists, the server will check the file regularly to see
if the server is going to be shut down. If a shutdown is planned, the user is noti-
fied. New connections are denied after a specified time before shutdown. Current con-
nections are dropped at a specified time before shutdown.
The format of the file specified by path is:
year month day hour minute deny_offset disc_offset text
year A value of 1970 or greater.
month A value of 0 to 11.
day A value of 1 to 31.
hour A value of 0 to 23.
minute A value of 0 to 59.
deny_offset The offsets in HHMM format that new connections will be denied and
disc_offset existing connections will be disconnected before the shutdown time.
text Follows the normal rules for any message. The following additional
magic cookies are available:
%s The time at which the system is going to shut down.
%r The time at which new connections will be denied.
%d The time at which current connections will be dropped.
All times are in the form: ddd MMM DD hh:mm:ss YYYY. Only one shutdown command can be
present in the configuration file. You can use the external program ftpshut(1M) to
automate generation of this file.
Listen only on the IP address specified. If the value is not set, then the FTP Server
will listen for connections on every IP address. This applies only when the FTP Server
is run in standalone mode.
virtual address root|banner|logfile path
Enable the FTP Server limited virtual hosting capabilities. The address is the IP
address of the virtual server. The second argument specifies that the path is either
the path to the root of the filesystem for this virtual server, the banner presented
to the user when connecting to this virtual server, or the logfile where transfers are
recorded for this virtual server. If the logfile is not specified the default log file
will be used. All other message files and permissions as well as any other settings in
this file apply to all virtual servers. The address may also be specified as a host-
name rather than as an IP number. This is strongly discouraged since, if DNS is not
available at the time the FTP session begins, the hostname will not be matched.
In contrast to limited virtual hosting, complete virtual hosting allows separate con-
figuration files to be virtual host specific. See ftpservers(4). The only additions
that are necessary in a virtual host's ftpaccess file is the root directive that
ensures the correct root directory is used for the virtual host. This only works with
complete virtual hosting, which in contrast to limited virtual hosting, allows sepa-
rate configuration files to be specified for each virtual host.
path is either the root of the filesystem for this virtual server or the logfile where
transfers for this virtual server are recorded. root and logfile may only be specified
when not preceded by virtual address in a virtual hosts's ftpaccess file.
virtual address hostname|email string
Set the hostname shown in the greeting message and status command, or the email
address used in message files and on the HELP command, to the given string.
virtual address allow username [username...]
virtual address deny username [username...]
By default, real and guest users are not allowed to log in on the virtual server,
unless they are guests that are chroot'd to the virtual root. The users listed on the
virtual allow line(s) are granted access. You can grant access to all users by giving
'*' as the username. The virtual deny clauses are processed after the virtual allow
clauses. Thus specific users can be denied access although all users were allowed in
an earlier clause.
virtual address private
Deny log in access to anonymous users on the virtual server. Anonymous users are gen-
erally allowed to log in on the virtual server if this option is not specified.
virtual address passwd file
Use a different passwd file for the virtual host.
virtual address shadow file
Use a different shadow file for the virtual host.
defaultserver deny username [username...]
defaultserver allow username [username...]
By default, all users are allowed access to the non-virtual FTP Server. Use default-
server deny to revoke access for specific real and guest users. Specify '*' to deny
access to all users, except anonymous users. Specific real and guest users can then be
allowed access by using defaultserver allow.
By default, all users are allowed access to the non-virtual FTP Server. Use default-
server private to revoke access for anonymous users.
The virtual and defaultserver allow, deny and private clauses provide a means to con-
trol which users are allowed access to which FTP Servers.
passive address externalip cidr
Allow control of the address reported in response to a passive command. When any con-
trol connection matching cidr requests a passive data connection (PASV), the exter-
nalip address is reported. This does not change the address that the daemon actually
listens on, only the address reported to the client. This feature allows the daemon to
operate correctly behind IP renumbering firewalls. For example:
passive address 10.0.1.15 10.0.0.0/8
passive address 192.168.1.5 0.0.0.0/0
Clients connecting from the class-A network 10 will be told the passive connection is
listening on IP address 10.0.1.15 while all others will be told the connection is lis-
tening on 192.168.1.5. Multiple passive addresses may be specified to handle complex,
or multi-gatewayed, networks.
passive ports cidr min max
Allows control of the TCP port numbers which may be used for a passive data connec-
tion. If the control connection matches the cidr, a port in the range min to max will
be randomly selected for the daemon to listen on. This feature allows firewalls to
limit the ports that remote clients may use to connect into the protected network.
cidr is shorthand for an IP address followed by a slash and the number of left-most
bits that represent the network address, as opposed to the machine address. For exam-
ple, if you are using the reserved class-A network 10, instead of a netmask of
255.0.0.0, use a CIDR of /8, as in 10.0.0.0/8, to represent your network.
When min and max are both 0, the kernel rather than the FTP server selects the TCP
port to listen on. Kernel port selection is usually not desirable if the kernel allo-
cates TCP ports sequentially. If in doubt, let the FTP server do the port selection.
pasv-allow class [addrglob...]
port-allow class [addrglob...]
Normally, the FTP Server does not allow a PORT command to specify an address different
than that of the control connection. Nor does it allow a PASV connection from another
The port-allow clause provides a list of addresses that the specified class of user
may give on a PORT command. These addresses will be allowed even if they do not match
the IP address of the client-side of the control connection.
The pasv-allow clause provides a list of addresses that the specified class of user
may make data connections from. These addresses will be allowed even if they do not
match the IP address of the client-side of the control connection.
lslong command [options...]
lsshort command [options...]
lsplain command [options...]
Use the lslong, lsshort, and lsplain clauses to specify the commands and options to
use to generate directory listings. The options cannot contain spaces, and the default
values for these clauses are generally correct. Use lslong, lsshort, or lsplain only
if absolutely necessary.
Specify the name of a mail server that will accept upload notifications for the FTP
Server. Multiple mail servers may be listed. The FTP Server will attempt to deliver
the upload notification to each, in order, until one accepts the message. If no mail
servers are specified, localhost is used. This option is only meaningful if anyone is
to be notified of anonymous uploads. See incmail.
virtual address incmail emailaddress
defaultserver incmail emailaddress
Specify email addresses to be notified of anonymous uploads. Multiple addresses can be
specified. Each will receive a notification. If no addresses are specified, no notifi-
cations are sent.
If addresses are specified for a virtual host, only those addresses will be sent noti-
fication of anonymous uploads on that host. Otherwise, notifications will be sent to
the global addresses.
defaultserver addresses only apply when the FTP session is not using one of the vir-
tual hosts. In this way, you can receive notifications for your default anonymous
area, but not see notifications to virtual hosts that do not have their own notifica-
virtual address mailfrom emailaddress
defaultserver mailfrom emailaddress
Specify the sender's email address for anonymous upload notifications. Only one
address may be specified. If no mailfrom applies, email is sent from the default mail-
box name wu-ftpd. To avoid problems if the recipient attempts to reply to a notifica-
tion, or if downstream mail problems generate bounces, you should ensure the mailfrom
address is deliverable.
sendbuf size [typelist]
recvbuf size [typelist]
Set the send or receive buffer sizes used for binary transfers. They have no effect on
rhostlookup yes|no [addrglob ...]
Allows or disallows the lookup of the remote host's name. Name lookups can be slow,
but skipping them means that places where an addrglob is matched (for example, in the
class capability) will match only an IP address, not a name. Also deny !nameserved and
dns refuse_no_reverse or refuse_mismatch will deny access when a name lookup is not
done. The default is to lookup the remote host's name.
Only IP addresses, not names, are matched in addrglob.
flush-wait yes|no [typelist]
Controls the behavior at the end of a download or directory listing. If yes, shutdown
the data connection for sending and wait for the client to close its end before send-
ing a transfer complete reply on the control connection. This is the default behavior.
If no, close the data connection and send the transfer complete reply without waiting
for the client. With this behavior, data loss can go undetected.
If a client hangs at the end of a directory listing, or the system has many sockets in
the FIN_WAIT_2 state, try setting to no as a workaround for broken client behavior.
The following permission capabilities are supported:
chmod yes|no typelist
delete yes|no typelist
overwrite yes|no typelist
rename yes|no typelist
umask yes|no typelist
Allows or disallows the ability to perform the specified function. By default, all
real and guest users are allowed. Anonymous users are only allowed overwrite and
typelist is a comma-separated list of any of the keywords anonymous, guest, real and
class=. When class= appears, it must be followed by a classname. If any class=
appears, the typelist restriction applies only to users in that class.
passwd-check none|trivial|rfc822 [enforce|warn]
Define the level and enforcement of password checking done by the FTP Server for
none No password checking is performed.
trivial The password must contain an '@'.
rfc822 The password must be RFC 822 compliant.
warn Warn, but permit the login.
enforce Notify and deny the login.
Consider the email address given as an argument as invalid. If passwd-check is set to
enforce, anonymous users giving this address as a password cannot log in. That way,
you can stop users from having stupid WWW browsers use fake addresses like IE?0User@
or mozilla@. (by using this, you are not shutting out users using a WWW browser for
ftp - you just make them configure their browser correctly.) Only one address is
allowed per line, but you can have as many deny-email addresses as you like.
path-filter typelist message allowed_regexp
For users in typelist, path-filter defines regular expressions that control what char-
acters can be used in the filename of an uploaded file or created directory. There may
be multiple disallowed regular expressions. If a filename is invalid due to failure to
match the regular expression criteria, message will be displayed to the user. For
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^. ^-
specifies that all upload filenames for anonymous users must be made of only the char-
acters A-Z, a-z, 0-9, and "._-" and may not begin with a "." or a "-". If the filename
is invalid, /etc/pathmsg will be displayed to the user.
upload [absolute|relative] [class=classname]... [-]
root-dir dirglob yes|no owner group mode
Define a directory with dirglob that permits or denies uploads. If it does permit
uploads, all newly created files will be owned by owner and group and will have their
permissions set according to mode. Existing files that are overwritten will retain
their original ownership and permissions. Directories are matched on a best-match
basis. For example:
upload /var/ftp * no
upload /var/ftp /incoming yes ftp daemon 0666
upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs
would only allow uploads into /incoming and /incoming/gifs. Files that were uploaded
to /incoming are owned by ftp/daemon and have permissions of 0666. Files uploaded to
/incoming/gifs are owned by jlc/guest and have permissions of 0600. The optional
"dirs" and "nodirs" keywords can be specified to allow or disallow the creation of new
subdirectories using the mkdir command. If the upload command is used, directory cre-
ation is allowed by default. To turn it off by default, you must specify a user, group
and mode followed by the "nodirs" keyword as the first line where the upload command
is used in this file. If directories are permitted, the optional d_mode determines the
permissions for a newly created directory. If d_mode is omitted, the permissions are
inferred from mode. The permissions are 0777 if mode is also omitted. The upload key-
word only applies to users who have a home directory of root-dir. root-dir may be
specified as "*" to match any home directory. The owner or group may each be specified
as "*", in which case any uploaded files or directories will be created with the own-
ership of the directory in which they are created. The optional first parameter
selects whether root-dir names are interpreted as absolute or relative to the current
chroot'd environment. The default is to interpret <root-dir> names as absolute. You
can specify any number of class=classname restrictions. If any are specified, this
upload clause only takes effect if the current user is a member of one of the classes.
In the absence of any matching upload clause, real and guest users can upload files
and make directories, but anonymous users cannot. The mode of uploaded files is 0666.
For created directories, the mode is 0777. Both modes are modified by the current
throughput root-dir subdir-glob file-glob-list
bytes-per-second bytes-per-second-multiply remote-glob-list
Define files by means of a comma-separated file-glob-list in subdir matched by subdir-
glob under root-dir that have restricted transfer throughput of bytes-per-second on
download when the remote hostname or remote IP address matches the comma-separated
remote-glob-list. Entries are matched on a best-match basis. For example:
throughput /e/ftp * * oo - *
throughput /e/ftp /sw* * 1024 0.5 *
throughput /e/ftp /sw* README oo - *
throughput /e/ftp /sw* * oo - *.foo.com
would set maximum throughput per default, but restrict download to 1024 bytes per sec-
ond for any files under /e/ftp/sw/ that are not named README. The only exceptions are
remote hosts from within the domain foo.com which always get maximum throughput. Every
time a remote client has retrieved a file under /e/ftp/sw/ the bytes per seconds of
the matched entry line are internally multiplied by a factor, here 0.5. When the
remote client retrieves its second file, it is served with 512 bytes per second, the
third time with only 256 bytes per second, the fourth time with only 128 bytes per
second, and so on. The string "oo" for the bytes per second field means no throughput
restriction. A multiply factor of 1.0 or "-" means no change of the throughput after
every successful transfer. The root-dir here must match the home directory specified
in the password database . The throughput keyword only applies to users who have a
home directory of root-dir.
anonymous-root root-dir [class...]
root-dir specifies the chroot() path for anonymous users. If no anonymous-root is
matched, the old method of parsing the home directory for the FTP user is used. If no
class is specified, this is the root directory for anonymous users who do not match
any other anonymous-root specification. Multiple classes may be specified on this
line. If an anonymous-root is chosen for the user, the FTP user's home directory in
the root-dir/etc/passwd file is used to determine the initial directory and the FTP
user's home directory in the system-wide /etc/passwd is not used. For example:
anonymous-root /home/localftp localnet
causes all anonymous users to be chroot'd to the directory /home/ftp. If the FTP user
exists in /home/ftp/etc/passwd, their initial CWD is that home directory. Anonymous
users in the class localnet, however, are chroot'd to the directory /home/localftp and
their initial CWD is taken from the FTP user's home directory in
guest-root root-dir [uid-range...]
root-dir specifies the chroot() path for guest users. If no guest-root is matched, the
old method of parsing the user's home directory is used. If no uid-range is specified,
this is the root directory for guestusers who do not match any other guest-root speci-
fication. Multiple UID ranges may be given on this line. If a guest-root is chosen for
the user, the user's home directory in the root-dir/etc/passwd file is used to deter-
mine the initial directory and the home directory in the system-wide /etc/passwd is
not used. uid-range specifies names or numeric UID values. To use numbers, put a per-
cent sign (%) symbol before it or before the range. Ranges are specified by giving the
lower and upper bounds (inclusive), separated by a dash. If the lower bound is omit-
ted, it means all up to. If the upper bound is omitted, it means all starting from.
guest-root /home/staff %100-999 sally
guest-root /home/users/owner/ftp frank
causes all guest users to chroot() to /home/users then starts each user in the user's
home directory, as specifiedin /home/users/etc/passwd. Users in the range 100 through
999, inclusive, and user sally, will be chroot'd to /home/staff and the CWD will be
taken from their entries in /home/staff/etc/passwd. The single user frank will be
chroot'd to /home/users/owner/ftp and the CWD will be from his entry in
The order is important for both anonymous-root and guest-root. If a user would match
multiple clauses, only the first applies; with the exception of the clause which has
no class or uid-range, which applies only if no other clause matches.
deny-uid uid-range [uid-range...]
deny-gid gid-range [gid-range...]
allow-uid uid-range [uid-range...]
allow-gid gid-range [gid-range...]
Use these clauses to specify UID and GID values that will be denied access to the FTP
Server. The allow-uid and allow-gid clauses may be used to allow access for UID and
GID values which would otherwise be denied. These checks occur before all others. deny
is checked before allow. The default is to allow access. These clauses do not apply to
anonymous users. Use defaultserver private to deny access to anonymous users. In most
cases, these clauses obviate the need for an ftpusers(4) file. For example, the fol-
lowing clauses deny FTP Server access to all privileged or special users and groups,
except the guest1 user or group.
deny-gid %-99 nobody noaccess nogroup
deny-uid %-99 nobody noaccess nobody4
Support for the ftpusers file still exists, so it may be used when changing the ftpac-
cess file is not desired. In any place a single UID or GID is allowed throughout the
ftpaccess file, either names or numbers also may be used. To use a number, put a per-
cent sign (%) symbol before it. In places where a range is allowed, put the percent
sign before the range. A "*" matches all UIDs or GIDs.
restricted-uid uid-range [uid-range...]
restricted-gid gid-range [gid-range...]
unrestricted-uid uid-range [uid-range...]
unrestricted-gid gid-range [gid-range...]
These clauses control whether or not real or guest users will be allowed access to
areas on the FTP site outside their home directories. These clauses are not meant to
replace the use of guestgroup and guestuser. Instead, use these clauses to supplement
the operation of guests. The unrestricted-uid and unrestricted-gid clauses may be used
to allow users outside their home directories who would otherwise be restricted.
The following example shows the intended use for these clauses. Assume user dick has a
home directory /home/dick and jane has a home directory /home/jane:
guest-root /home dick jane
restricted-uid dick jane
While both dick and jane are chroot'd to /home, they cannot access each other's files
because they are restricted to their home directories. However, you should not rely
solely upon the FTP restrictions to control access. As with all other FTP access
rules, you should also use directory and file permissions to support the operation of
the ftpaccess configuration.
site-exec-max-lines number [class...]
The SITE EXEC feature traditionally limits the number of lines of output that may be
sent to the remote client. Use this clause to set this limit. If this clause is omit-
ted, the limit is 20 lines. A limit of 0 (zero) implies no limit. Be very careful if
you choose to remove the limit. If a clause is found matching the remote user's class,
that limit is used. Otherwise, the clause with class '*', or no class given, is used.
site-exec-max-lines 200 remote
site-exec-max-lines 0 local
limits output from SITE EXEC (and therefore SITE INDEX) to 200 lines for remote users,
specifies there is no limit at all for local users, and sets a limit of 25 lines for
all other users.
dns refuse_mismatch filename [override]
Refuse FTP sessions when the forward and reverse lookups for the remote site do not
match. Lookups are done using the system's name service as configured in nss-
witch.conf(4). Display the named file, like a message file, admonishing the user. If
the optional override is specified, allow the connection after complaining.
dns refuse_no_reverse filename [override]
Refuse FTP sessions when the remote host's IP address has no associated name. Lookups
are done using the system's name service as configured in nsswitch.conf(4). Display
the named file, such as a message file, admonishing the user. If the optional override
is specified, allow the connection after complaining.
dns resolveroptions [options]
Modify certain internal resolver variables. This only has an effect when DNS is used
as the system's name service. The line takes a series of options which are used to set
the RES_OPTIONS environment variable, see resolv.conf(4) for details. For example:
dns resolveroptions rotate attempts:1
turns on querying name servers round-robin and selects querying each name server only
Lines that begin with a # sign are treated as comment lines and are ignored.
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|Availability |SUNWftpr |
|Interface Stability |External |
compress(1), ls(1), tar(1), ftpaddhost(1M), ftpconfig(1M), ftpshut(1M), in.ftpd(1M),
chroot(2), nice(2), umask(2), getgrnam(3C), resolver(3RESOLV), ftpconversions(4), ftp-
groups(4), ftpservers(4), ftpusers(4), nsswitch.conf(4), resolv.conf(4), timezone(4),
xferlog(4), attributes(5), fnmatch(5)
Crocker, David H. RFC 822, Standard For The Format Of ARPA Internet Text Messages. Network
Information Center. August 1982.
St. Johns, Michael. RFC 931, Authentication Server. Network Working Group. January 1985.
SunOS 5.11 10 Sep 2003 ftpaccess(4)