.\"	$NetBSD: ftpusers.5,v 1.17 2008/09/13 02:41:52 lukem Exp $
.\"
.\" Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Luke Mewburn.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 17, 2000
.Dt FTPUSERS 5
.Os
.Sh NAME
.Nm ftpusers ,
.Nm ftpchroot
.Nd
.Xr ftpd 8
access control file
.Sh DESCRIPTION
The
.Nm
file provides user access control for
.Xr ftpd 8
by defining which users may login.
.Pp
If the
.Nm
file does not exist, all users are denied access.
.Pp
A
.Dq \e
is the escape character; it can be used to escape the meaning of the
comment character, or if it is the last character on a line, extends
a configuration directive across multiple lines.
A
.Dq #
is the comment character, and all characters from it to the end of
line are ignored (unless it is escaped with the escape character).
.Pp
The syntax of each line is:
.Dl userglob[:groupglob][@host] [directive [class]]
.Pp
These elements are:
.Bl -tag -width "groupglob" -offset indent
.It Sy userglob
matched against the user name, using
.Xr fnmatch 3
glob matching
(e.g.,
.Sq f* ) .
.It Sy groupglob
matched against all the groups that the user is a member of, using
.Xr fnmatch 3
glob matching
(e.g.,
.Sq *src ) .
.It Sy host
either a CIDR address (refer to
.Xr inet_net_pton 3 )
to match against the remote address
(e.g.,
.Sq 1.2.3.4/24 ) ,
or an
.Xr fnmatch 3
glob to match against the remote hostname
(e.g.,
.Sq *.NetBSD.org ) .
.It Sy directive
If
.Dq allow
or
.Dq yes
the user is allowed access.
If
.Dq deny
or
.Dq no ,
or
.Sy directive
is not given, the user is denied access.
.It Sy class
defines the class to use in
.Xr ftpd.conf 5 .
.El
.Pp
If
.Sy class
is not given, it defaults to one of the following:
.Bl -tag -width "chroot" -offset indent
.It Sy chroot
If there is a match in
.Sx /etc/ftpchroot
for the user.
.It Sy guest
If the user name is
.Dq anonymous
or
.Sq ftp .
.It Sy real
If neither of the above is true.
.El
.Pp
No further comparisons are attempted after the first successful match.
If no match is found, the user is granted access.
This syntax is backward-compatible with the old syntax.
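.Pp
The following is an added example, not part of the NetBSD manual page or the ftpd source, that evaluates rules with the semantics described above: first match wins, a missing directive denies, and no match grants access.
It assumes Python's fnmatch and ipaddress modules as stand-ins for fnmatch(3) and inet_net_pton(3); the names parse, host_matches and check and the sample rules are constructed for illustration, and directive words other than allow/yes are treated as deny.

```python
import fnmatch
import ipaddress

# Constructed sample /etc/ftpusers content (not the file shipped with NetBSD).
SAMPLE = r"""
root                           # no directive given, so denied
*:wheel             deny
alice@192.0.2.0/24  allow
*@*.example.org     allow \
                    chroot
*                   deny       # default-deny for everyone else
"""

def parse(text):
    """Return (userglob, groupglob, host, directive, class) tuples in file order."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():  # trailing '\' continues a line
        fields, i = "", 0
        while i < len(line) and line[i] != "#":         # unescaped '#' starts a comment
            if line[i] == "\\" and i + 1 < len(line):
                i += 1                                  # '\' escapes the next character
            fields += line[i]
            i += 1
        words = fields.split()
        if words:
            who, _, host = words[0].partition("@")
            user, _, group = who.partition(":")
            directive, cls = (words[1:3] + [None, None])[:2]
            rules.append((user, group, host, directive, cls))
    return rules

def host_matches(host, addr, hostname):
    try:  # CIDR form is compared with the remote address
        return ipaddress.ip_address(addr) in ipaddress.ip_network(host, strict=False)
    except ValueError:  # otherwise it is a glob over the remote hostname
        return fnmatch.fnmatchcase(hostname, host)

def check(rules, user, groups, addr, hostname):
    """First matching rule decides; returns (allowed, class or None)."""
    for uglob, gglob, host, directive, cls in rules:
        if not fnmatch.fnmatchcase(user, uglob):
            continue
        if gglob and not any(fnmatch.fnmatchcase(g, gglob) for g in groups):
            continue
        if host and not host_matches(host, addr, hostname):
            continue
        return directive in ("allow", "yes"), cls
    return True, None  # no rule matched: access is granted
```

Because an unmatched user is granted access, rule order and a final catch-all line decide whether the file behaves as default-deny; in the sample, alice is denied when she is in wheel even though a later rule allows her.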
.Pp
If a user requests a guest login, the
.Xr ftpd 8
server checks to see that
both
.Dq anonymous
and
.Dq ftp
have access, so if you deny all users by default, you will need to add both
.Dq "anonymous allow"
and
.Dq "ftp allow"
to
.Pa /etc/ftpusers
in order to allow guest logins.
.Ss /etc/ftpchroot
The file
.Pa /etc/ftpchroot
is used to determine which users will have their session's root directory
changed (using
.Xr chroot 2 ) ,
either to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
or to the home directory of the user.
If the file does not exist, the root directory change is not performed.
.Pp
The syntax is similar to
.Nm ,
except that the
.Sy class
argument is ignored.
If there's a positive match, the session's root directory is changed.
No further comparisons are attempted after the first successful match.
This syntax is backward-compatible with the old syntax.
.Sh FILES
.Bl -tag -width /usr/share/examples/ftpd/ftpusers -compact
.It Pa /etc/ftpchroot
List of normal users who should have their ftp session's root directory
changed by using
.Xr chroot 2 .
.It Pa /etc/ftpusers
This file.
.It Pa /usr/share/examples/ftpd/ftpusers
A sample
.Nm
file.
.El
.Sh SEE ALSO
.Xr fnmatch 3 ,
.Xr inet_net_pton 3 ,
.Xr ftpd.conf 5 ,
.Xr ftpd 8