ftpaccess man page on HP-UX


ftpaccess(4)							  ftpaccess(4)

NAME
       ftpaccess - ftpd configuration file

SYNOPSIS
DESCRIPTION
       The file is used to configure the operation of (see ftpd(1M)).

   Access Capabilities
       [ class ... ]

	      If a user is a member of any of class, the ftp server will
	      perform a to groupname.  This allows access to
	      group-and-owner-read-only files and directories to a particular
	      class of anonymous users.  groupname is a valid group from (or
	      whatever mechanism your library routine uses; see getgrent(3C)).

       [ addrglob ... ]

	      Define  class  of users, with source addresses of the form addr‐
	      glob.  Multiple members of class may be defined.	There  may  be
	      multiple	commands, listing additional members of the class.  If
	      multiple commands can apply to the current  session,  the	 first
	      one  listed  in  the  access  file is used.  Failing to define a
	      valid class for a host will cause access to be denied.  typelist
	      is a comma-separated list of any of the keywords and If the key‐
	      word is included, the class can match users using FTP to	access
	      real  accounts,  and  if	the keyword is included, the class can
	      match users using anonymous  FTP.	  The  keyword	matches	 guest
	      access accounts (see below for more information).

	      addrglob	may  be	 a  globbed  domain  name or a globbed numeric
	      address.	There can be multiple addrglob's for  this  directive.
	      To  avoid	 confusion  when you have multiple addrglob's, you can
	      put all the addrglob's in a file and specify  the	 path  of  the
	      file in place of the addrglob's.

	      Placing  an exclamation (!) before an addrglob negates the test.
	      For example:

	      will classify real users from outside the domain	as  the	 class
	      Use care with this option.  Remember, the result of each test is
	      OR'ed with other tests on the line.

	      Note: addrglob can be an IPv4 glob address of the form n.n.n.n
	      where n is either a decimal number between 0 and 255 or an
	      asterisk.  addrglob can also be an IPv6 address, where the
	      asterisk is not supported.  The equivalent functionality of the
	      asterisk is provided in the form of the subnet prefix followed
	      by a forward slash and the prefix length.

	      This  notation  of  addrglob as a glob address is applicable for
	      all other directives.
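
	      The matching rules above, as an added example (not HP-UX or ftpd
	      code): it evaluates addrglob tests, negation, and first-match
	      class selection. The rule tuples, the type keywords real,
	      anonymous and guest, and all sample addresses are constructed
	      assumptions.

```python
import ipaddress
from fnmatch import fnmatchcase


def _glob_hit(glob, addr, host):
    """True if one un-negated addrglob matches the client address or name."""
    if "/" in glob:                              # subnet prefix/length, IPv4 or IPv6
        net = ipaddress.ip_network(glob, strict=False)
        return addr.version == net.version and addr in net
    if glob.count(":") == 1 and "." in glob:     # address:netmask form (IPv4)
        base, mask = glob.split(":")
        net = ipaddress.ip_network(f"{base}/{mask}", strict=False)
        return addr.version == 4 and addr in net
    fields = glob.split(".")
    if len(fields) == 4 and all(f == "*" or f.isdigit() for f in fields):
        if addr.version != 4:                    # n.n.n.n globs are IPv4 only
            return False
        octets = str(addr).split(".")
        return all(f == "*" or int(f) == int(o) for f, o in zip(fields, octets))
    if ":" in glob:                              # literal IPv6 address, no asterisk
        return addr == ipaddress.ip_address(glob)
    # Anything else is treated as a globbed domain name; it can only match
    # when a reverse name for the client is available.
    return host is not None and fnmatchcase(host.lower(), glob.lower())


def addr_test(glob, ip, host=None):
    """Result of a single addrglob test; a leading '!' negates it."""
    negate = glob.startswith("!")
    hit = _glob_hit(glob.lstrip("!"), ipaddress.ip_address(ip), host)
    return hit != negate


def classify(rules, user_type, ip, host=None):
    """Return the first class, in file order, whose typelist contains the
    user type and for which ANY test on the line is true (tests are OR'ed).
    None means no valid class was found, so access is denied."""
    for name, typelist, globs in rules:
        if user_type in typelist and any(addr_test(g, ip, host) for g in globs):
            return name
    return None


def audit_negations(rules):
    """Names of rules where a negated test shares a line with other tests.
    Because tests are OR'ed, such a line usually matches far more clients
    than the writer intended and deserves a manual review."""
    return [name for name, _types, globs in rules
            if len(globs) > 1 and any(g.startswith("!") for g in globs)]


# Constructed sample rules: (class name, typelist, addrglobs), in file order.
RULES = [
    ("local",   {"real", "guest"}, ["10.*.*.*", "2001:db8::/32"]),
    # Intended as "real users from neither internal network". Each negated
    # test is true for the other network, so the line matches every address.
    ("outside", {"real"},          ["!10.*.*.*", "!192.168.*.*"]),
    ("anon",    {"anonymous"},     ["*.example.com", "192.0.2.0/24"]),
]

if __name__ == "__main__":
    probes = [
        ("real", "10.1.2.3", None),
        ("real", "192.168.5.5", None),          # lands in "outside"
        ("guest", "2001:db8::1", None),
        ("anonymous", "203.0.113.9", "ftp.example.com"),
        ("anonymous", "203.0.113.9", None),     # no class: denied
    ]
    for user_type, ip, host in probes:
        print(user_type, ip, host, "->", classify(RULES, user_type, ip, host))
    print("review:", audit_negations(RULES))
```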

	      Always deny access  to  the  host(s)  matching  addrglob.	  mes‐
	      sage_file	 is the file from which denial message is displayed to
	      the hosts that are denied	 access.   addrglob  may  be  to  deny
	      access  to  sites	 without a working nameserver.	It may also be
	      the name of a file, starting with a slash which  contains	 addi‐
	      tional  address globs, as well as in the form address:netmask or
	      address/cidr.

       [ groupname ... ]
       [ username ... ]
       [ groupname ... ]
       [ username ... ]

	      For if a user is a member of any of groupname,  the  session  is
	      set  up  exactly	as  with  anonymous FTP.  In other words, a is
	      done, and the user is no longer permitted to issue the and  com‐
	      mands.   groupname  is a valid group from (or whatever mechanism
	      your library routine uses).

	      The user's home directory must be properly set  up,  exactly  as
	      anonymous	 FTP would be.	The home directory field of the passwd
	      entry is divided into two directories.  The first field  is  the
	      root directory which will be the argument to the call.  The sec‐
	      ond half is the user's  home  directory  relative	 to  the  root
	      directory.  The two halves are separated by a

	      Example:

	      In the file, the sample entry is:

	      When  successfully  logs	in,  the  ftp server will and then The
	      guest user will only be able to access the  directory  structure
	      under  (which  will  look and act as to just as an anonymous FTP
	      user would.

	      The group name may be specified by either name  or  numeric  ID.
	      To  use  a  numeric group ID, place a before the number.	Ranges
	      may be given.  Use an asterisk to mean all groups.

	      works like except it uses the user name (or numeric ID).

	      and have the same syntax, but reverse the	 effect	 of  and  They
	      allow  real  user access when the remote user would otherwise be
	      determined a guest.  For example:

	      causes all non-anonymous users to be treated as guest, with  the
	      sole  exception of users in the admin group who are granted real
	      user access.

       [ class ]

	      Adjust the process nice value of the ftpd server process by  the
	      indicated nice-delta value if the remote user is a member of the
	      named class.  If class is not specified, then use nice-delta  as
	      the  default  adjustment	to the ftpd server process nice value.
	      This default nice value adjustment is used to  adjust  the  nice
	      value  of	 the  server  process  only for those users who do not
	      belong to any class for which a class-specific directive	exists
	      in the file.

       [ class ]

	      Set  the	umask applied to files created by daemon if the remote
	      user is a member of the named class.  If class is not specified,
	      then  use the umask as the default for classes which do not have
	      one specified.

	      Set the TCP option for data sockets.  can	 be  used  to  control
	      network  disconnect.   means  to	set  the TCP option.  With the
	      behavior depends on the system default settings (see ndd(1M)).

	      NOTE: It is recommended to set to to keep	 the  network  traffic
	      connected.

       [ seconds ]
       [ seconds ]
       [ seconds ]
       [ seconds ]
       [ seconds ]
       [ seconds ]

	      Set various timeouts.

	      [seconds]	 (default  120	seconds).  Specify how long the daemon
	      will wait for an incoming (PASV) data connection.

	      [seconds] (default 120 seconds).	Specify how  long  the	daemon
	      will  wait  attempting to establish an outgoing (PORT) data con‐
	      nection.	This affects the actual connection attempt.  The  dae‐
	      mon  makes  several  attempts,  sleeping	a  while between each,
	      before completely giving up.

	      [seconds] (default 1200 seconds).	 Specify how long  the	daemon
	      will  wait for some activity on the data connection.  It is rec‐
	      ommended to keep this value high, because the remote client  may
	      have a slow link and there can be quite a bit of data queued for
	      the client.

	      [seconds] (default 900 seconds).	Specify how  long  the	daemon
	      will wait for the next command.  The default value (900 seconds)
	      can be overridden by using the option of (see ftpd(1M)).	If  is
	      specified,  that	value  will override both the default value as
	      well as the value set with  option  of  The  SITE	 IDLE  command
	      allows  the  remote  client  to establish a higher value for the
	      idle timeout.  An value of implies that there is no idle timeout
	      period  and  the	control	 connection is set to an infinite idle
	      timeout period.  If is  set  to  a  value	 more  than  (see  the
	      option), will be set to the value.

	      [seconds] (default 7200 seconds).  Specify the maximum number
	      of seconds for the idle timeout.  The default value (7200
	      seconds)	 can  be  overridden  by  using	 the  option  of  (see
	      ftpd(1M)).  If is specified, that value will override  both  the
	      default value as well as the value set with option of A value of
	      implies that there is no maximum idle  timeout  period  and  the
	      control connection is set to an infinite idle timeout period.

	      [seconds]	 (default  10 seconds).	 Specify the maximum time that
	      the daemon allows for the entire RFC931  (AUTH/ident)  conversa‐
	      tion.   Setting this to zero (0) seconds completely disables the
	      daemon's use of this protocol.   The  information	 obtained  via
	      RFC931  is  recorded in the system logs and is not actually used
	      in any authentication.

       [ bytes ]

	      Specify the number of bytes after which the data connection idle
	      time is reset, in case of an ASCII mode file transfer (see above
	      for more information).  The number specified must be a  positive
	      power of 2.  By default, the number is set to 4096 bytes.

	      NOTE:   If the specified number is smaller than 4096 bytes, will
	      take the default value (4096 bytes).  If the specified number is
	      too  large,  a  premature	 closure of the data connection may be
	      encountered.

       [ raw ]	count [ class ]

	      Limit the number (count) of data files that a user in the	 given
	      class  may  transfer.   The  limit  may be placed on files or If
	      class is not specified, the  limit  is  the  default  for	 those
	      classes  which  do not have a limit specified.  The optional raw
	      parameter applies the limit to the  total	 traffic  rather  than
	      just data files.

       [ raw ]	count [ class ]

	      Limit  the  number  of  data bytes a user in the given class may
	      transfer.  The limit may be placed on bytes or  If no class is
	      specified,  the  limit  is  the default for classes which do not
	      have a limit specified.  The optional raw parameter applies  the
	      limit to total traffic rather than just data files.

       minutes

	      Limit  the  total time a session can take.  By default, there is
	      no limit.	 Real users are never limited.

       [ hostname ] ...

	      Controls which hosts may be used for anonymous or guest  access.
	      If  used without hostname, all guest or anonymous access to this
	      site is denied.  More than one hostname may be specified.	 Guest
	      and anonymous access will only be allowed on the named machines.
	      If access is denied, the user will be asked  to  use  the	 first
	      hostname listed.

	      Limit  class  to	n  users  at  specified times, displaying mes‐
	      sage_file if user is denied access.  The	limit  check  is  per‐
	      formed  at  login	 time only.  If multiple commands apply to the
	      current session, the first applicable one is used.   Failing  to
	      define  a valid limit, or a limit of is equivalent to unlimited.
	      The format for times can be any of the following:
	    Any week day
	    Friday
	    Any day of week between 9.00 - 13.00 hrs.
	    Either Thursday or between 9.00 - 13.00.

       classname ] ...
       filename [ filename ] ...

	      Always deny retrievability of these files.  If the files are  an
	      absolute	path  specification  (that is, begins with character),
	      then only those files are marked unretrievable.	Otherwise  all
	      files with the matching filename are refused transfer.  Example:

	      specifies	 that  no one is able to get the file whereas they are
	      allowed to transfer a file, if it is not in On the  other	 hand,
	      no one is able to get a file named wherever it is.

	      Directory	 specifications	 mark all files and sub-directories in
	      the named directory as "un-gettable"  or	not  obtainable.   The
	      filename may be specified as a file glob.	 For example:

	      specifies	 that no files in or any of its sub-directories may be
	      retrieved.  Also, no files named anywhere	 under	the  directory
	      may be retrieved.

	      The  optional  first  parameter selects whether names are inter‐
	      preted as absolute or relative to the current environment.   The
	      default  is  to  interpret names beginning with a slash as abso‐
	      lute.

	      The restrictions	may  be	 placed	 upon  members	of  particular
	      classes.	 If any is specified, then this option is set only for
	      the users of that particular class.

       classname ] ...
       filename [ filename ] ...

	      Allows retrieval of files which would  otherwise	be  denied  by
	      noretrieve.

	      After number login failures, log a message and terminate the FTP
	      connection.  Default value is 5.

	      After a user logs in, the and commands may be used to specify an
	      enhanced	access	group  and  associated password.  If the group
	      name and password are valid, the user becomes (via a  member  of
	      the group specified in the group access file,

	      The format of the group access file is:

	      where  access_group_name is an arbitrary (alphanumeric and punc‐
	      tuation) string.	encrypted_password is the  password  encrypted
	      via  (see crypt(3C)) exactly like in real_group_name is the name
	      of a valid group listed in

	      NOTE: For this option to work for anonymous FTP users,  the  ftp
	      server  must  keep permanently open and the group access file is
	      loaded into memory.  This means that: (1) the ftp server now has
	      an  additional file descriptor open, and (2) the necessary pass‐
	      words and access privileges granted to users via (see  ftpd(1M))
	      will  be static for the duration of an FTP session.  If you have
	      an urgent need to change the access groups and/or passwords  now
	      (immediately), just kill all of the running FTP servers.

   Informational Capabilities
	      Allows  you  to control how much information is given out before
	      the remote user logs in.	is the default and shows the  hostname
	      and daemon version.  shows the hostname.	only displays the mes‐
	      sage "FTP server ready."	Also, this message is printed  as  the
	      output of the command.  Although is the default, is recommended.

	      NOTE:  The  two  options	and  are  not supported.  The greeting
	      option can be used to suppress the hostname or the  daemon  ver‐
	      sion.

	      The  form allows you to specify any greeting message you desire.
	      The message can be any string; whitespace (spaces and  tabs)  is
	      converted to a single space.

	      Works similarly to the command (see below), except that the ban‐
	      ner is displayed before the user enters the username  and	 pass‐
	      word.   The  path	 is  relative to the real system root, not the
	      base of the anonymous FTP directory.

	      Use of this command can completely prevent non-compliant FTP
	      clients  from making use of the FTP server.  Not all clients can
	      handle multi-line responses (which is how	 the  banner  is  dis‐
	      played).

	      Defines  the  default  host name of the ftp server.  This string
	      will be printed on the greeting message and every time the magic
	      cookie  is  used.	  See  below for a list of magic cookies.  The
	      host name for virtual servers  overrides	this  value.   If  not
	      specified, the default host name for the local machine is used.

	      Defines  the  email address of the ftp archive maintainer.  This
	      string will be printed every time the magic cookie is used.  See
	      below for a list of magic cookies.

       [ when [ class... ]]

	      Define  a	 file with path such that will display the contents of
	      the file to the user at login time  or  upon  using  the	change
	      working directory command.  The when parameter may be or If when
	      is dir specifies the new default directory  which	 will  trigger
	      the notification.

	      The  optional  class specification allows the message to be dis‐
	      played only to members of a particular  class.   More  than  one
	      class may be specified.

	      In  the  message file, the user can key in a message and use the
	      "macros" or "magic cookies" that are available.  The ftp	server
	      will  replace the cookie with a specified text string.  The fol‐
	      lowing magic cookies are available:

	      local time (form Thu Nov 15 17:12:42 1990)

	      current working directory

	      the maintainer's email address as defined in

	      remote host name

	      local host name

	      username as determined via RFC931 authentication

	      username given at login time

	      maximum allowed number of users in this class

	      current number of users in this class

	      absolute limit on disk blocks allocated

	      preferred limit on disk blocks

	      current block count

	      maximum number of allocated inodes (+1)

	      preferred inode limit

	      current number of allocated inodes

	      time limit for excessive disk use

	      time limit for excessive files
		   ratios:

		   Uploaded bytes

		   Downloaded bytes

		   Upload/Download ratio (1:n)

		   Credit bytes

		   Time limit (minutes)

		   Elapsed time since login (minutes)

		   Time left

		   Upload limit

		   Download limit

	      The message will only be displayed once to  avoid	 annoying  the
	      user.  Remember that when messages are triggered by an anonymous
	      FTP user, the path must be relative to the base of the anonymous
	      FTP directory tree.

       [ when [ class ]]

	      Define a file with path such that will notify user at login time
	      or upon using the change working directory command that the file
	      exists and was modified on such-and-such date.  The when parame‐
	      ter may be or If when dir specifies the  new  default  directory
	      which  will  trigger the notification.  The message will only be
	      displayed once, to avoid bothering users.	  Remember  that  when
	      messages	are  triggered by an anonymous FTP user, the path must
	      be relative to the base of the anonymous FTP directory tree.

	      The optional class specification allows the message to  be  dis‐
	      played  only  to	members	 of a particular class.	 More than one
	      class may be specified.

   Logging Capabilities
	      Enables logging of individual commands by users.	typelist is  a
	      comma-separated  list  of any of the keywords and If the keyword
	      is included, logging will be done for users using FTP to	access
	      real accounts, and if the keyword is included, logging will be done
	      for users using anonymous FTP.  The keyword matches guest access
	      accounts	(see  in  the  subsection above for more information).
	      The individual commands are logged in the file.

	      Enables logging of file transfers for either real	 or  anonymous
	      FTP users.  Logging of transfers TO the server (incoming) can be
	      enabled separately from transfers FROM  the  server  (outbound).
	      typelist is a comma-separated list of any of the keywords and If
	      the keyword is included, logging will be done  for  users	 using
	      FTP  to  access real accounts.  If the keyword is included, log‐
	      ging will be done for users using anonymous  FTP.	  The  keyword
	      matches  guest  access accounts (see in the subsection above for
	      more information).  directions is a comma-separated list of  any
	      of the two keywords and and will respectively cause transfers to
	      be logged for files sent to the server and sent from the server.
	      All the logging is done into the file

	      Enables  logging	of  violations	of security rules (noretrieve,
	      notar, ...)  for real, guest and/or anonymous  users.   typelist
	      is a comma-separated list of any of the keywords and If the key‐
	      word is included, logging will be done for users	using  FTP  to
	      access real accounts.  If the keyword is included, logging will
	      be done for users using anonymous FTP.  The keyword matches guest
	      access accounts (see for more information).

	      Redirects	 the logging messages for incoming and outgoing trans‐
	      fers to either or or both.  By default (if  is  not  specified),
	      the transfer log messages are put into will put the log messages
	      into only will put the log messages into both and

   Upload/Download Ratios
       [ class ... ]

	      Specify an Upload/Download ratio (1:rate).  For each  byte  that
	      an  ftp user uploads, rate bytes can be downloaded.  By default,
	      there is no ratio.

       [ class ... ]

	      The file filename can be downloaded freely ignoring  the	ratio.
	      See above.

       [ class ... ]

	      All files in the directory dirname and its subdirectories can be
	      downloaded freely ignoring the ratio.  See above.

	      Note that both and are relative to the  system's	root  environ‐
	      ment, not the environment.

   Miscellaneous Capabilities
	      Defines an alias, string, for the specified directory, dir.  Can
	      be used to add the concept of logical directories.

	      For example:

	      would allow the user to access from any directory by the command
	      Aliases only apply to the command.

	      Defines  a directory entry in the dir defines a search path that
	      is used when changing directories.

	      For example:

	      would allow the user to into any	directory  directly  under  or
	      directories.   The  search path is defined by the order in which
	      the lines appear in the

	      If the user were to give the command:

	      The directory will be searched for in the following order:

	      The path is only available with the  command.   If  you  have  a
	      large  number  of	 aliases,  you might want to set up an aliases
	      directory with links to all of the areas that you wish  to  make
	      available to users.

       classglob [ classglob ... ]
       classglob [ classglob ... ]

	      Enables or capabilities for any class matching any of classglob.
	      The actual conversions are defined in the external file

	      If the file pointed to by path exists, the server will check the
	      file  regularly  to  see if the server is going to be shut down.
	      If a shutdown is planned, the user is notified, new  connections
	      are  denied  after  a specified time before shutdown and current
	      connections are dropped at a  specified  time  before  shutdown.
	      path points to a file structured as follows:

	      year   month   day   hour	  minute   deny_offset	 disc_offset
	      text

	      year	     any year > 1970
	      month	     <-- Note: month index begins from
	      hour
	      minute

	      deny_offset  and	disc_offset  are  the  offsets	in HHMM format
	      before the shutdown time that new connections will be denied and
	      existing connections will be disconnected.

	      text  follows  the normal rules for any message (see in the sub‐
	      section), with the following additional magic cookies available:

	      time system is going to shut down
	      time new connections will be denied
	      time current connections will be dropped

	      All times are in the form: ddd MMM DD hh:mm:ss YYYY.  There  can
	      be only one command in the configuration file.

	      The external program can be used to automate the process of gen‐
	      erating this file.

	      If this value is not set, then the server will listen for
	      connections on every IP address.  Otherwise it will only listen
	      on the IP address specified.  Use of this clause is  discouraged
	      as  it  will  break virtual hosting.  This option will work only
	      when is running in the standalone mode (see ftpd(1M)).

	      Specifies the transfer logfile for the default server.   Virtual
	      hosts  can  override  this  with the "" option.  If omitted, the
	      default logfile is used.

	      Normally used in a virtual host file, the root directive is used
	      to  specify  the	path  to  the  root  of the directory for this
	      server.

       path

	      Enables the virtual ftp server capabilities.  The address is the
	      IP address of the virtual server.	 The second argument specifies
	      that the path is one of the following:

	      The root of the filesystem for this virtual server.

	      The banner presented to the user when connecting to this virtual
	      server.

	      The  logfile  where  transfers  are  recorded  for  this virtual
	      server.  If
			  is not specified, the default logfile will be used.

	      All other message files and permissions as  well	as  any	 other
	      settings in this file apply to all virtual servers.

	      The  address  may	 also be specified as the hostname rather than
	      the IP number.  This is strongly discouraged because if  DNS  is
	      not  available  at the time the FTP session begins, the hostname
	      will not be matched.

	      The above options must be used in the file only and not  in  the
	      virtual domain file.

       { hostname|email } string

	      Sets string to either the hostname shown in the greeting message
	      and command, or to the email address used in message  files  and
	      on the command.

	      The  above  options must be used in the file only and not in the
	      virtual domain file.

       [ username ... ]
       [ username ... ]

	      Normally, real and guest users are not allowed to log in on  the
	      virtual  server  unless they are guests and to the virtual root.
	      The users listed on the line(s) will  be	granted	 access.   All
	      users  can  be  granted  access  by giving as the username.  The
	      clauses are processed after the clauses and  are	used  to  deny
	      access to specific users when all users were allowed.

	      The  above  options can be used in both the file and in the vir‐
	      tual domain file.

	      Normally, anonymous users are allowed to log in on  the  virtual
	      server.  This option denies them access.

	      The  above  option  must be used in the file only and not in the
	      virtual domain file.

	      Use a different passwd file for the virtual domain.

	      Note: This option is currently not supported in HP-UX.

	      Use a different shadow file for this virtual domain.

	      Note: This option is currently not supported in HP-UX.

       [ username ... ]
       [ username ... ]

	      Normally, all users are allowed access to the default  (non-vir‐
	      tual)  FTP  server.   Use	 to  revoke access for specific users.
	      Specify to deny access to all users.  Specific users can then be
	      allowed using

	      Normally,	 anonymous  users are allowed on the default (non-vir‐
	      tual) FTP server.	 This statement disallows anonymous access.

	      The and and clauses provide a means to control which  users  are
	      allowed access on which FTP servers.

	      Allows control of the address reported in response to a command.
	      When any control connection matching the cidr requests a passive
	      data connection the externalip address is reported.

	      NOTE:  this does not change the address that the daemon actually
	      listens on, only the address reported to the client.  This  fea‐
	      ture  allows the daemon to operate correctly behind IP-renumber‐
	      ing firewalls.  For example:

	      Clients connecting from the class-A network 10 will be told  the
	      passive  connection  is  listening on IP-address 10.0.1.15 while
	      all  others  will	 be  told  the	connection  is	listening   on
	      192.168.1.5.

	      Multiple	passive	 addresses may be specified to handle complex,
	      or multi-gatewayed, networks.

	      Note: This option is not supported on IPv6 enabled systems.

	      Allows control of the TCP port numbers which may be used	for  a
	      passive  data connection.	 If the control connection matches the
	      cidr, a port in the range min to max will be  randomly  selected
	      for  the	daemon to listen on.  This feature allows firewalls to
	      limit the ports which remote clients may use to connect into the
	      protected network.

	      cidr is shorthand for an IP address in dotted-quad notation fol‐
	      lowed by a slash and the number of left-most bits	 which	repre‐
	      sent  the	 network  address (as opposed to the machine address).
	      For example, if you are using the reserved class-A  network  10,
	      instead  of  a  netmask  of  255.0.0.0,  use  a cidr of /8 as in
	      10.0.0.0/8 to represent your network.

	      Note: This option is not supported on IPv6 enabled systems.

       [ addrglob ... ]
       [ addrglob ... ]

	      Normally, the daemon does not allow  a  command  to  specify  an
	      address  different  than that of the control connection.	And it
	      does not allow a connection from another address.

	      The clause provides a list  of  addresses	 which	the  specified
	      class  of	 user  may give on a command.  These addresses will be
	      allowed even if they do not match the IP-address of the  client-
	      side of the control connection.

	      The  clause  provides  a	list  of addresses which the specified
	      class of user may make data connections from.   These  addresses
	      will  be allowed even if they do not match the IP-address of the
	      client-side of the control connection.

       [ options ... ]
       [ options ... ]
       [ options ... ]

	      The and clauses specify the command and the command options used
	      to generate directory listings.  Note the options cannot contain
	      spaces.  Typically the command  is  used	to  provide  directory
	      listings.	 To change the path for specify it in The defaults for
	      these clauses are generally correct.  For normal users is	 used.
	      For anonymous users is used.  is used for special cases.	Use or
	      only if absolutely necessary.

       [ hostname ... ]

	      Specify the name of a mail server which will accept upload noti‐
	      fications	 for  the  FTP	daemon.	  Multiple mail servers may be
	      listed; the daemon will attempt to deliver the upload  notifica‐
	      tion  to	each,  in order, until one accepts the message.	 If no
	      mail servers are specified, localhost is used.  This  option  is
	      only meaningful if anyone is to be notified of anonymous uploads
	      (see below).

	      Specify email addresses to be  notified  of  anonymous  uploads.
	      Multiple addresses can be specified; each will receive a notifi‐
	      cation.  If none are specified, no notifications are sent.

	      If addresses are specified for a host, only those addresses will
	      receive notification of anonymous uploads on that host.
	      Otherwise, notifications will be sent to the global addresses.

	      The above option must be used in the file only and  not  in  the
	      virtual domain file.

	      The  addresses  only  apply to real hosts and not virtual hosts.
	      In this way, the real host can receive notifications of  uploads
	      on their default anonymous area.	However, with this option set,
	      the virtual hosts will not be notified.

	      Specify the sender's email address for anonymous upload  notifi‐
	      cations.	 Only  one  address  may be specified.	If no applies,
	      email is sent from the default mailbox name To avoid problems if
	      the  recipient  attempts to reply to a notification, or if down‐
	      stream mail problems generate bounces, you should ensure the  is
	      deliverable.

	      The  above  option  must be used in the file only and not in the
	      virtual domain file.

   Permission Capabilities
       typelist
       typelist
       typelist
       typelist
       typelist

	      Allows or disallows the ability to perform the  specified	 func‐
	      tion.  By default, all users are allowed.

	      typelist	is  a  comma-separated list of any of the keywords and
	      When appears, it must  be	 followed  by  a  classname.   If  any
	      appears,	the typelist restriction applies only to users in that
	      class.

	      Define the level and enforcement of password  checking  done  by
	      the server for anonymous ftp.

	      no password checking performed.
	      password must contain an
	      password must be an rfc822 compliant address.
	      warn the user, but allow them to log in.
	      warn the user, and then log them out.

	      The  e-mail  address  given  as  an argument is considered to be
	      invalid.	If is set to  enforce,	anonymous  users  giving  this
	      address as password cannot log in.  This is one way that you can
	      stop users from having web browsers that use fake addresses like
	      IE?0User@	 or mozilla@.  By using you are not shutting out users
	      using a web browser for ftp.  You are just making them configure
	      their browser correctly.	Only one address per line, but you can
	      have as many clauses as you like.

       [ disallowed_regexp ... ]

	      For users in typelist, defines regular expressions that  control
	      what  a  filename	 can or cannot be.  Disallowed regular expres‐
	      sions, disallowed_regexp, may be specified with multiple regular
	      expressions  (see	 regexp(5)).   If a filename is invalid due to
	      failure to match the regular expression criteria, mesg  will  be
	      displayed to the user.  For example:

	      specifies	 that all upload filenames for anonymous users must be
	      made of only the characters period dash and underscore The file‐
	      names  may not begin with a period or a dash as specified by ^\.
	      and ^- respectively.  If the filename is invalid, will  be  dis‐
	      played to the user.
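The filename rules described above can be checked offline before the filter is deployed. The following is an added example, not part of the original man page: the allowed pattern (letters, digits, period, dash, underscore) is an assumption, since this extract no longer shows the full character list, while the two disallowed patterns are the ones quoted in the text.

```python
import re

# Python equivalents of the POSIX patterns. \A and \Z are used for the allowed
# pattern because Python's "$" also matches before a trailing newline, which a
# POSIX "$" does not. The letter and digit ranges are an assumption.
ALLOWED = r"\A[-A-Za-z0-9_.]*\Z"
DISALLOWED = [r"^\.", r"^-"]          # the two patterns quoted on this page

def check_filename(name, allowed=ALLOWED, disallowed=DISALLOWED):
    """Return (accepted, reason) for one upload filename."""
    if re.search(allowed, name) is None:
        return (False, "does not match allowed pattern")
    for pattern in disallowed:
        if re.search(pattern, name):
            return (False, "matches disallowed pattern " + pattern)
    return (True, "accepted")

def audit(names):
    """Map each candidate filename to its verdict."""
    return {name: check_filename(name) for name in names}

# Constructed sample filenames, chosen to exercise each rule.
SAMPLES = ["report_2024.tar.gz", ".rhosts", "-rf", "a b.txt",
           "../etc/passwd", "notes.txt\n", ""]

if __name__ == "__main__":
    for name, (ok, reason) in audit(SAMPLES).items():
        print("%-22r %s" % (name, "OK" if ok else "REJECT: " + reason))
```

The empty string is accepted because the allowed pattern uses `*`, which permits zero characters.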

       classname ]...  [-] root-dir dirglob owner group mode [ d_mode ]

	      Define a directory with dirglob that permits or denies uploads.

	      If it does permit uploads, all newly created files will be owned
	      by owner and group and will have the permissions	set  according
	      to  mode.	  Existing files which are overwritten will keep their
	      original ownership and permissions.

	      Directories are matched on a best-match basis.

	      For example:

	      These commands would only allow uploads into and Files that were
	      uploaded to would be owned by and would have permissions of Files
	      uploaded to would be owned by and have permissions of Note  that
	      the root-dir here must match the home directory specified in the
	      password database for the user.

	      The optional and keywords can be specified to allow or  disallow
	      the creation of new subdirectories using the command.

	      Note  that if the command is used, directory creation is allowed
	      by default.  To turn it off by default, you must specify a user,
	      group  and  mode followed by the keyword as the first line where
	      the command is used in this file.

	      If directories are permitted, the optional d_mode determines the
	      permissions  for	a newly created directory.  If d_mode is omit‐
	      ted, the permissions are inferred from mode or are  if  mode  is
	      also omitted.

	      only applies to users who have a home directory (the argument to
	      the of root-dir.	root-dir may be specified as to match any home
	      directory.

	      The  owner  and/or  group may each be specified as in which case
	      any uploaded files or directories will be created with the  own‐
	      ership of the directory in which they are created.

	      The  optional first parameter selects whether root-dir names are
	      interpreted as absolute or relative to the current  environment.
	      The default is to interpret root-dir names as absolute.

	      You  can	specify any number of restrictions.  If any are speci‐
	      fied, this upload clause only takes effect if the	 current  user
	      is a member of one of the classes.

       [ class ... ]

	      root-dir	specifies  the	path  for  anonymous  users.  If no is
	      matched, the old method of parsing the home  directory  for  the
	      ftp  user	 is  used.   If no class is specified, root-dir is the
	      root directory for anonymous users who do	 not  have  any	 other
	      specification.   Multiple	 classes may be given on the line.  If
	      an is chosen for the user, the ftp user's home directory in  the
	      file  is	used  to  determine the initial directory, and the ftp
	      user's home directory in the system-wide is not used.  For exam‐
	      ple:

	      causes  all  anonymous users to be to the directory Then, if the
	      ftp user exists in their initial is that home directory.	Anony‐
	      mous  users in the class localnet, however, are to the directory
	      and their initial is taken from the ftp user's home directory in

       [ uid-range ... ]

	      root-dir specifies the path for guest users.  If is not matched,
	      the old method of parsing the user's home directory is used.  If
	      no uid-range is specified, the root directory is for guest users
	      who  do  not match any other guest-root specification.  Multiple
	      uid ranges may be given on the line.  If a  is  chosen  for  the
	      user, the user's home directory in the file is used to determine
	      the initial directory and their home directory  in  the  system-
	      wide is not used.

	      uid-range specifies numeric UID values.  Ranges are specified by
	      giving the lower and upper bounds (inclusive),  separated	 by  a
	      dash.   Omitting	the lower bound means "all up to", and omitting
	      the upper bound means "all starting from".  For example:

	      causes all guest users to to then starts each user in their home
	      directory	 specified  in	Users  in  the	range 100 through 999,
	      inclusive, and user will be to and the CWD will  be  taken  from
	      their  entries in The single user will be to and the CWD will be
	      from his entry in

	      Note that order is important for both and If a user would	 match
	      multiple	clauses, only the first applies; with the exception of
	      the clause which has no class or uid-range, which	 applies  only
	      if no other clause matches.

	      These  clauses  allow  specification of UID and GID values which
	      will be denied access to the ftp server.	The and clauses may be
	      used  to	allow  access  for  uid/gid  which  would otherwise be
	      denied.  These checks occur before all others.  Deny is  checked
	      before  allow.   The  default  is to allow access.  Note that in
	      most cases, this can remove the need for an files.  For example:

	      denies ftp access to all privileged or special users and	groups
	      on  a  Linux  box	 except the anonymous ftp user/group.  In many
	      cases, this can eliminate the need for the  file.	  Support  for
	      that  file  still	 exists so it may be used when changing is not
	      desired.

	      Throughout the file, at any place that a single UID  or  GID  is
	      allowed,	either	names or numbers may be used.  To use numbers,
	      put a before it.	In places where a range is  allowed,  put  the
	      before the range.
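The uid-range syntax and the deny-before-allow rule described above can be exercised against a list of accounts to see who would be locked out. This is an added example, not part of the original man page: the clause names `deny-uid` and `allow-uid` and the `%` numeric prefix are wu-ftpd syntax assumed here because this extract no longer shows them, only UIDs are modelled, and the accounts are constructed.

```python
# Constructed sample clauses and accounts; the clause names and the "%" numeric
# prefix are wu-ftpd syntax assumed here, not text recovered from this page.
SAMPLE_CONFIG = """\
deny-uid %-99 %65534-
allow-uid ftp
"""
SAMPLE_ACCOUNTS = {"root": 0, "bin": 2, "ftp": 14, "alice": 1001, "nobody": 65534}

def parse_spec(token, names):
    """Return an inclusive (low, high) pair for one clause argument."""
    if not token.startswith("%"):
        uid = names[token]                 # a plain token is an account name
        return (uid, uid)
    body = token[1:]
    if "-" not in body:
        return (int(body), int(body))      # single numeric UID
    low, high = body.split("-", 1)
    # Omitted lower bound means "all up to"; omitted upper bound means
    # "all starting from".
    return (int(low) if low else 0, int(high) if high else float("inf"))

def matches(uid, tokens, names):
    """True if uid falls inside any of the listed names or ranges."""
    return any(lo <= uid <= hi
               for lo, hi in (parse_spec(t, names) for t in tokens))

def parse_clauses(text):
    """Collect the arguments of each keyword; repeated clauses accumulate."""
    clauses = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            clauses.setdefault(fields[0], []).extend(fields[1:])
    return clauses

def uid_permitted(uid, clauses, names):
    """Deny is checked first, an allow entry overrides it, default is allow."""
    if matches(uid, clauses.get("deny-uid", []), names):
        return matches(uid, clauses.get("allow-uid", []), names)
    return True

def denied_accounts(config, accounts):
    """Names of the accounts that the clauses would refuse."""
    clauses = parse_clauses(config)
    return [n for n, uid in accounts.items()
            if not uid_permitted(uid, clauses, accounts)]

if __name__ == "__main__":
    print(denied_accounts(SAMPLE_CONFIG, SAMPLE_ACCOUNTS))
```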

	      These clauses control whether or not real or guest users will be
	      allowed access to areas on  the  FTP  site  outside  their  home
	      directories.   They  are	not meant to replace the use of guest‐
	      group and guestuser.  Instead, use these to supplement the oper‐
	      ation  of	 guests.   The	and clauses may be used to allow users
	      outside  their  home  directories	  who	would	otherwise   be
	      restricted.

	      An example of the use of these clauses shows their intended use.
	      Assume user has a home directory and has a home directory

	      While both and are to they  cannot  access  each	other's	 files
	      because they are restricted to their home directories.

	      Wherever	possible,  in situations such as this example, try not
	      to rely solely upon the ftp restrictions.	 As with all other ftp
	      access rules, try to use directory and file permissions to back‐
	      stop the operation of the configuration.

       [ class ... ]

	      The SITE EXEC feature traditionally limits the number  of	 lines
	      of  output  which may be sent to the remote client.  This clause
	      allows you to set this limit.   If  omitted,  the	 limit	is  20
	      lines.   A  limit of 0 (zero) implies no limit.  Be very careful
	      if you choose to remove the limit.  If a clause is found	match‐
	      ing the remote user's class, that limit is used.	Otherwise, the
	      clause with class or no class given, is used.  For example:

	      The above examples limit output from SITE	 EXEC  (and  therefore
	      SITE  INDEX)  to lines for users, specifies there is no limit at
	      all for users, and sets a limit of lines for all other users.

	      Refuse FTP sessions when the forward and reverse lookups for the
	      remote  site  do	not  match.   Display the named file, filename
	      (like a message file), admonishing the user.  If the optional is
	      specified, allow the connection after complaining.

	      Refuse  FTP  sessions when there is no reverse DNS entry for the
	      remote site.  Display the named file, filename (like  a  message
	      file),  admonishing  the	user.	If  the optional is specified,
	      allow the connection after complaining.

       [ options ]

	      allows you to tweak name	server	options.   The	line  takes  a
	      series  of flags as documented in resolver(3N) (with the leading
	      RES_ removed).  Each can be preceded by an optional or For exam‐
	      ple,

	      turns  on	 the  option  (only  accept authoritative answers) and
	      turns off the option (search the domain path).

       NOTE: For any  clause  that  involves  make  sure  that	you  copy  the
       libraries and to the directory of the current environment.

FILES
AUTHOR
       was developed by the Washington University, St. Louis, Missouri.

SEE ALSO
       ftpshut(1),   groups(1),	  passwd(1),  ftpd(1M),	 chroot(2),  umask(2),
       resolver(3N), ftpconversions(4), ftpgroups(4).
