.\" $NetBSD: ftpd.conf.5,v 1.32 2005/09/11 23:31:46 wiz Exp $
.\" Copyright (c) 1997-2001, 2005 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\" This code is derived from software contributed to The NetBSD Foundation
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the NetBSD
.\" Foundation, Inc. and its contributors.
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
.\" contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
file specifies various configuration options for
that apply once a user has authenticated their connection.
consists of a series of lines, each of which may contain a
configuration directive, a comment, or a blank line.
Directives that appear later in the file override settings by previous
entries to define defaults, and then have class-specific overrides.
A directive line has the format:
.Dl command class [arguments]
is the escape character; it can be used to escape the meaning of the
comment character, or if it is the last character on a line, extends
a configuration directive across multiple lines.
is the comment character, and all characters from it to the end of
line are ignored (unless it is escaped with the escape character).
Each authenticated user is a member of a
which is determined by
is used to determine which
entries apply to the user.
The following special classes exist when parsing entries in
.Bl -tag -width "chroot" -compact -offset indent
Each class has a type, which may be one of:
.Bl -tag -width "CHROOT" -offset indent
is performed after login.
is performed after login.
command will return the class settings for the current user as defined by
directive is set for the class.
Each configuration line may be one of:
.It Sy advertize Ar class Op Ar host
Set the address to advertise in the response to the
commands to the address for
(which may be either a host name or IP address).
This may be useful in some firewall configurations, although many
ftp clients may not work if the address being advertised is different
to the address that they've connected to.
is not specified, disable this.
.It Sy checkportcmd Ar class Op Sy off
command for validity.
command will fail if the IP address specified does not match the
command connection, or if the remote TCP port number is less than
.Dv IPPORT_RESERVED .
encouraged that this option be used, especially for sites concerned
with potential security problems with
is specified, disable this feature, otherwise enable it.
.It Sy chroot Ar class Op Sy pathformat
use the default behavior (see below).
is parsed to create a directory to create as the root directory with
can contain the following escape strings:
.Bl -tag -width "Escape" -offset indent -compact
Home directory of user.
The default root directory is:
.Bl -tag -width "CHROOT" -offset indent -compact
The user's home directory.
otherwise the home directory of the
.It Sy classtype Ar class Ar type
Set the class type of
.It Xo Sy conversion Ar class
.Ar suffix Op Ar "type disable command"
Define an automatic in-line file conversion.
If a file to retrieve ends in
and a real file (sans
exists, then the output of
is returned instead of the contents of the file.
.Bl -tag -width "disable" -offset indent
The suffix to initiate the conversion.
A list of valid filetypes for the conversion.
The name of a file that will prevent conversion if it exists.
will prevent this disabling action
(i.e., the conversion is always permitted.)
The command to run for the conversion.
The first word should be the full path name
is used to execute the command.
All instances of the word
are replaced with the requested file (sans
Conversion directives specified later in the file override earlier
conversions with the same suffix.
.It Sy denyquick Ar class Op Sy off
command is received, rather than after the
Whilst enabling this feature may allow information leakage about
available accounts (for example, if you allow some users of a
class but not others), it is useful in preventing a denied user
from entering their password across an insecure connection.
recommended for servers which run an anonymous-only service.
is specified, disable this feature, otherwise enable it.
.It Sy display Ar class Op Ar file
Otherwise, each time the user enters a new directory, check if
exists, and if so, display its contents to the user.
Escape sequences are supported; refer to
.Sx Display file escape sequences
for more information.
.It Sy hidesymlinks Ar class Op Sy off
is specified, disable this feature.
command lists symbolic links as the file or directory the link
.Pq Dq Li "ls -LlA" .
Servers which run an anonymous service may wish to enable this
users, so that symbolic links do not leak names in
directories that are not searchable by
.It Sy homedir Ar class Op Sy pathformat
use the default behavior (see below).
is parsed to create a directory to change into upon login, and to use
directory of the user for tilde expansion in pathnames, etc.
The default home directory is the home directory of the user for
.It Xo Sy limit Ar class
.Op Ar count Op Ar file
Limit the maximum number of concurrent connections for
meaning unlimited connections.
If the limit is exceeded and
is specified, display its contents to the user.
is not specified, disable this.
is a relative path, it will be searched for in
(which can be overridden with
.It Sy maxfilesize Ar class Op Ar size
Set the maximum size of an uploaded file to
meaning unlimited file size.
is not specified, disable this.
.It Sy maxtimeout Ar class Op Ar time
Set the maximum timeout period that a client may request,
defaulting to two hours.
This cannot be less than 30 seconds, or the value for
is not specified, use the default.
.It Sy mmapsize Ar class Op Ar size
Set the size of the sliding window to map a file using
An optional suffix may be provided as per
This option affects only binary transfers.
is not specified, use the default.
.It Sy modify Ar class Op Sy off
is specified, disable the following commands:
Otherwise, enable them.
.It Sy motd Ar class Op Ar file
as the message of the day file to display after login.
Escape sequences are supported; refer to
.Sx Display file escape sequences
for more information.
is a relative path, it will be searched for in
(which can be overridden with
.It Sy notify Ar class Op Ar fileglob
Otherwise, each time the user enters a new directory,
notify the user of any files matching
.It Sy passive Ar class Op Sy off
is specified, prevent passive
Otherwise, enable them.
.It Sy portrange Ar class Oo
Set the range of port numbers which will be used for the passive data port.
and both numbers must be between
or no arguments are specified, disable this.
.It Sy private Ar class Op Sy off
is specified, do not display class information in the output of the
Otherwise, display the information.
.It Sy rateget Ar class Op Ar rate
transfer rate throttle for
is 0, the throttle is disabled.
is not specified, disable this.
An optional suffix may be provided, which changes the interpretation of
.Bl -tag -width 3n -offset indent -compact
Causes no modification.
Kilo; multiply the argument by 1024
Mega; multiply the argument by 1048576
Giga; multiply the argument by 1073741824
Tera; multiply the argument by 1099511627776
.It Sy rateput Ar class Op Ar rate
transfer rate throttle for
which is parsed as per
.Sy rateget Ar rate .
is not specified, disable this.
.It Sy readsize Ar class Op Ar size
Set the size of the read buffer to
The default is the file system block size.
An optional suffix may be provided as per
This option affects only binary transfers.
is not specified, use the default.
.It Sy recvbufsize Ar class Op Ar size
Set the size of the socket receive buffer.
An optional suffix may be provided as per
The default is zero and the system default value will be used.
This option affects only passive transfers.
is not specified, use the default.
.It Sy sanenames Ar class Op Sy off
is specified, allow uploaded file names to contain any characters valid for a
Otherwise, only permit file names which don't start with a
and consist only of characters from the set
.Dq [-+,._A-Za-z0-9] .
.It Sy sendbufsize Ar class Op Ar size
Set the size of the socket send buffer.
An optional suffix may be provided as per
The default is zero and the system default value will be used.
This option affects only binary transfers.
is not specified, use the default.
.It Sy sendlowat Ar class Op Ar size
Set the low water mark of the socket send buffer.
An optional suffix may be provided as per
The default is zero and the system default value will be used.
This option affects only binary transfers.
is not specified, use the default.
.It Sy template Ar class Op Ar refclass
in following directives will also apply to members of
This is useful to define a template class so that other classes which are
to share common attributes can be easily defined without unnecessary
There can be only one template defined at a time.
is not specified, disable the template for
.It Sy timeout Ar class Op Ar time
Set the inactivity timeout period
(the default is fifteen minutes).
This cannot be less than 30 seconds, or greater than the value for
is not specified, use the default.
.It Sy umask Ar class Op Ar umaskval
is not specified, set to the default of
.It Sy upload Ar class Op Sy off
is specified, disable the following commands:
as well as the modify commands:
Otherwise, enable them.
.It Sy writesize Ar class Op Ar size
Limit the number of bytes to
The default is zero, which means all the data available as a result of
will be written at a time.
An optional suffix may be provided as per
This option affects only binary transfers.
is not specified, use the default.
The following defaults are used:
.Bd -literal -offset indent -compact
classtype chroot CHROOT
classtype guest GUEST
limit all \-1 # unlimited connections
maxtimeout all 7200 # 2 hours
timeout all 900 # 15 minutes
.Bl -tag -width /usr/share/examples/ftpd/ftpd.conf -compact
.It Pa /etc/ftpd.conf
.It Pa /usr/share/examples/ftpd/ftpd.conf
functionality was implemented in
and later releases by Luke Mewburn, based on work by Simon Burge.
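The following is an added example, not part of the original manual page or of the ftpd sources: a small Python audit helper that resolves the "later directives override earlier ones" rule for one class and reports which of the off-switchable checks (checkportcmd, sanenames, hidesymlinks) end up disabled.
It assumes a backslash as the escape character, '#' as the comment character and 'all' as the class matching every user; the template directive is not modelled, and the function names and sample file are hypothetical.

```python
import re

# Constructed sample for illustration; not a shipped ftpd.conf.
SAMPLE = r"""
checkportcmd all
sanenames    all
limit        all 10 \
             toomany.msg     # directive continued across two lines
checkportcmd staff off       # later class-specific override
sanenames    guest off
sanenames    guest           # a later line re-enables it
motd         all motd\#1     # escaped comment character
"""

def logical_lines(text):
    """Yield each directive as a word list (simplified: an escaped backslash is not handled)."""
    joined = re.sub(r"\\\n", "", text)          # trailing backslash continues the line
    for line in joined.splitlines():
        line = re.sub(r"(?<!\\)#.*", "", line)  # unescaped '#' starts a comment
        words = line.replace("\\#", "#").split()
        if words:
            yield words

def effective(text, user_class):
    """Return {directive: args} for user_class; later lines override earlier."""
    settings = {}
    for words in logical_lines(text):
        if len(words) < 2:
            continue                            # needs at least "command class"
        command, cls, args = words[0], words[1], words[2:]
        if cls in ("all", user_class):
            # conversions are overridden per suffix, everything else per command
            key = (command, args[0]) if command == "conversion" and args else command
            settings[key] = args
    return settings

TOGGLES = ("checkportcmd", "sanenames", "hidesymlinks")

def switched_off(text, user_class):
    """List the toggles whose last applicable line for user_class says 'off'."""
    eff = effective(text, user_class)
    return [name for name in TOGGLES if eff.get(name) == ["off"]]

if __name__ == "__main__":
    for cls in ("staff", "guest"):
        print(cls, switched_off(SAMPLE, cls))
```

A toggle that never appears for a class is not reported, because the server's built-in default then applies.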