1 .\" $NetBSD: ftpd.conf.5,v 1.36 2008/09/13 02:41:52 lukem Exp $
3 .\" Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
4 .\" All rights reserved.
6 .\" This code is derived from software contributed to The NetBSD Foundation
9 .\" Redistribution and use in source and binary forms, with or without
10 .\" modification, are permitted provided that the following conditions
12 .\" 1. Redistributions of source code must retain the above copyright
13 .\" notice, this list of conditions and the following disclaimer.
14 .\" 2. Redistributions in binary form must reproduce the above copyright
15 .\" notice, this list of conditions and the following disclaimer in the
16 .\" documentation and/or other materials provided with the distribution.
18 .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
19 .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
20 .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21 .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
22 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 .\" POSSIBILITY OF SUCH DAMAGE.
41 file specifies various configuration options for
43 that apply once a user has authenticated their connection.
46 consists of a series of lines, each of which may contain a
47 configuration directive, a comment, or a blank line.
48 Directives that appear later in the file override settings by previous
52 entries to define defaults, and then have class-specific overrides.
54 A directive line has the format:
55 .Dl command class [arguments]
59 is the escape character; it can be used to escape the meaning of the
60 comment character, or if it is the last character on a line, extends
61 a configuration directive across multiple lines.
64 is the comment character, and all characters from it to the end of
65 line are ignored (unless it is escaped with the escape character).
67 Each authenticated user is a member of a
69 which is determined by
72 is used to determine which
74 entries apply to the user.
75 The following special classes exist when parsing entries in
77 .Bl -tag -width "chroot" -compact -offset indent
84 Each class has a type, which may be one of:
85 .Bl -tag -width "CHROOT" -offset indent
94 is performed after login.
101 is performed after login.
109 command will return the class settings for the current user as defined by
113 directive is set for the class.
115 Each configuration line may be one of:
117 .It Sy advertize Ar class Op Ar host
118 Set the address to advertise in the response to the
122 commands to the address for
124 (which may be either a host name or IP address).
125 This may be useful in some firewall configurations, although many
126 ftp clients may not work if the address being advertised is different
127 to the address that they've connected to.
134 not is specified, disable this.
135 .It Sy checkportcmd Ar class Op Sy off
138 command for validity.
141 command will fail if the IP address specified does not match the
143 command connection, or if the remote TCP port number is less than
144 .Dv IPPORT_RESERVED .
147 encouraged that this option be used, especially for sites concerned
148 with potential security problems with
157 is specified, disable this feature, otherwise enable it.
158 .It Sy chroot Ar class Op Sy pathformat
165 use the default behavior (see below).
168 is parsed to create a directory to create as the root directory with
173 can contain the following escape strings:
174 .Bl -tag -width "Escape" -offset indent -compact
180 Home directory of user.
189 The default root directory is:
190 .Bl -tag -width "CHROOT" -offset indent -compact
192 The user's home directory.
198 otherwise the home directory of the
206 .It Sy classtype Ar class Ar type
207 Set the class type of
212 .It Sy conversion Ar class Ar suffix Op Ar "type disable command"
213 Define an automatic in-line file conversion.
214 If a file to retrieve ends in
216 and a real file (sans
218 exists, then the output of
220 is returned instead of the contents of the file.
222 .Bl -tag -width "disable" -offset indent
224 The suffix to initiate the conversion.
226 A list of valid file types for the conversion.
233 The name of file that will prevent conversion if it exists.
236 will prevent this disabling action
237 (i.e., the conversion is always permitted.)
239 The command to run for the conversion.
240 The first word should be the full path name
243 is used to execute the command.
244 All instances of the word
248 are replaced with the requested file (sans
252 Conversion directives specified later in the file override earlier
253 conversions with the same suffix.
254 .It Sy denyquick Ar class Op Sy off
259 command is received, rather than after the
262 Whilst enabling this feature may allow information leakage about
263 available accounts (for example, if you allow some users of a
267 class but not others), it is useful in preventing a denied user
270 from entering their password across an insecure connection.
273 recommended for servers which run an anonymous-only service.
280 is specified, disable this feature, otherwise enable it.
281 .It Sy display Ar class Op Ar file
289 Otherwise, each time the user enters a new directory, check if
291 exists, and if so, display its contents to the user.
292 Escape sequences are supported; refer to
293 .Sx Display file escape sequences
296 for more information.
297 .It Sy hidesymlinks Ar class Op Sy off
304 is specified, disable this feature.
307 command lists symbolic links as the file or directory the link
309 .Pq Dq Li "ls -LlA" .
310 Servers which run an anonymous service may wish to enable this
313 users, so that symbolic links do not leak names in
314 directories that are not searchable by
317 .It Sy homedir Ar class Op Sy pathformat
324 use the default behavior (see below).
327 is parsed to create a directory to change into upon login, and to use
330 directory of the user for tilde expansion in pathnames, etc.
336 The default home directory is the home directory of the user for
345 .It Sy limit Ar class Op Ar count Op Ar file
346 Limit the maximum number of concurrent connections for
352 meaning unlimited connections.
353 If the limit is exceeded and
355 is specified, display its contents to the user.
362 is not specified, disable this.
365 is a relative path, it will be searched for in
367 (which can be overridden with
369 .It Sy maxfilesize Ar class Op Ar size
370 Set the maximum size of an uploaded file to
374 meaning unlimited connections.
381 is not specified, disable this.
382 .It Sy maxtimeout Ar class Op Ar time
383 Set the maximum timeout period that a client may request,
384 defaulting to two hours.
385 This cannot be less than 30 seconds, or the value for
393 is not specified, use the default.
394 .It Sy mmapsize Ar class Op Ar size
395 Set the size of the sliding window to map a file using
403 This option affects only binary transfers.
410 is not specified, use the default.
411 .It Sy modify Ar class Op Sy off
418 is specified, disable the following commands:
426 Otherwise, enable them.
427 .It Sy motd Ar class Op Ar file
437 as the message of the day file to display after login.
438 Escape sequences are supported; refer to
439 .Sx Display file escape sequences
442 for more information.
445 is a relative path, it will be searched for in
447 (which can be overridden with
449 .It Sy notify Ar class Op Ar fileglob
457 Otherwise, each time the user enters a new directory,
458 notify the user of any files matching
460 .It Sy passive Ar class Op Sy off
467 is specified, prevent passive
473 Otherwise, enable them.
474 .It Sy portrange Ar class Op Ar min Ar max
475 Set the range of port number which will be used for the passive data port.
479 and both numbers must be be between
486 or no arguments are specified, disable this.
487 .It Sy private Ar class Op Sy off
494 is specified, do not display class information in the output of the
497 Otherwise, display the information.
498 .It Sy rateget Ar class Op Ar rate
501 transfer rate throttle for
508 is 0, the throttle is disabled.
515 is not specified, disable this.
516 .It Sy rateput Ar class Op Ar rate
519 transfer rate throttle for
526 is 0, the throttle is disabled.
533 is not specified, disable this.
534 .It Sy readsize Ar class Op Ar size
535 Set the size of the read buffer to
538 The default is the file system block size.
539 This option affects only binary transfers.
546 is not specified, use the default.
547 .It Sy recvbufsize Ar class Op Ar size
548 Set the size of the socket receive buffer.
549 The default is zero and the system default value will be used.
550 This option affects only passive transfers.
557 is not specified, use the default.
558 .It Sy sanenames Ar class Op Sy off
565 is specified, allow uploaded file names to contain any characters valid for a
567 Otherwise, only permit file names which don't start with a
569 and only comprise of characters from the set
570 .Dq [-+,._A-Za-z0-9] .
571 .It Sy sendbufsize Ar class Op Ar size
572 Set the size of the socket send buffer.
573 The default is zero and the system default value will be used.
574 This option affects only binary transfers.
581 is not specified, use the default.
582 .It Sy sendlowat Ar class Op Ar size
583 Set the low water mark of socket send buffer.
584 The default is zero and system default value will be used.
585 This option affects only for binary transfer.
592 is not specified, use the default.
593 .It Sy template Ar class Op Ar refclass
602 in following directives will also apply to members of
604 This is useful to define a template class so that other classes which are
605 to share common attributes can be easily defined without unnecessary
607 There can be only one template defined at a time.
610 is not specified, disable the template for
612 .It Sy timeout Ar class Op Ar time
613 Set the inactivity timeout period.
614 (the default is fifteen minutes).
615 This cannot be less than 30 seconds, or greater than the value for
623 is not specified, use the default.
624 .It Sy umask Ar class Op Ar umaskval
633 is not specified, set to the default of
635 .It Sy upload Ar class Op Sy off
642 is specified, disable the following commands:
647 as well as the modify commands:
655 Otherwise, enable them.
656 .It Sy writesize Ar class Op Ar size
657 Limit the number of bytes to
660 The default is zero, which means all the data available as a result of
664 will be written at a time.
665 This option affects only binary transfers.
672 is not specified, use the default.
674 .Ss Numeric argument suffix parsing
675 Where command arguments are numeric, a decimal number is expected.
676 Two or more numbers may be separated by an
678 to indicate a product.
679 Each number may have one of the following optional suffixes:
680 .Bl -tag -width 3n -offset indent -compact
682 Block; multiply by 512
684 Kibi; multiply by 1024 (1 KiB)
686 Mebi; multiply by 1048576 (1 MiB)
688 Gibi; multiply by 1073741824 (1 GiB)
690 Tebi; multiply by 1099511627776 (1 TiB)
692 Word; multiply by the number of bytes in an integer
697 for more information.
699 The following defaults are used:
701 .Bd -literal -offset indent -compact
703 classtype chroot CHROOT
704 classtype guest GUEST
707 limit all \-1 # unlimited connections
708 maxtimeout all 7200 # 2 hours
713 timeout all 900 # 15 minutes
720 .Bl -tag -width /usr/share/examples/ftpd/ftpd.conf -compact
721 .It Pa /etc/ftpd.conf
723 .It Pa /usr/share/examples/ftpd/ftpd.conf
736 functionality was implemented in
738 and later releases by Luke Mewburn, based on work by Simon Burge.