.\"	$NetBSD: ftpd.conf.5,v 1.17 2001/07/08 07:27:14 lukem Exp $
.\"
.\" Copyright (c) 1997-2001 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Luke Mewburn.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"        This product includes software developed by the NetBSD
.\"        Foundation, Inc. and its contributors.
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
.\"    contributors may be used to endorse or promote products derived
.\"    from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 8, 2001
.Dt FTPD.CONF 5
.Os
.Sh NAME
.Nm ftpd.conf
.Nd
.Xr ftpd 8
configuration file
.Sh DESCRIPTION
The
.Nm
file specifies various configuration options for
.Xr ftpd 8
that apply once a user has authenticated their connection.
.Pp
.Nm
consists of a series of lines, each of which may contain a
configuration directive, a comment, or a blank line.
Directives that appear later in the file override settings made by previous
directives.
This allows
.Sq wildcard
entries to define defaults, and then have class-specific overrides.
.Pp
A directive line has the format:
.Dl command class [arguments]
.Pp
A
.Dq \e
is the escape character; it can be used to escape the meaning of the
comment character, or if it is the last character on a line, extends
a configuration directive across multiple lines.
A
.Dq #
is the comment character, and all characters from it to the end of
line are ignored (unless it is escaped with the escape character).
.Pp
Each authenticated user is a member of a
.Em class ,
which is determined by
.Xr ftpusers 5 .
.Em class
is used to determine which
.Nm
entries apply to the user.
The following special classes exist when parsing entries in
.Nm "" :
.Bl -tag -width "chroot" -compact -offset indent
.It Sy all
Matches any class.
.It Sy none
Matches no class.
.El
.Pp
Each class has a type, which may be one of:
.Bl -tag -width "CHROOT" -offset indent
.It Sy GUEST
Guests (as per the
.Dq anonymous
and
.Dq ftp
logins).
A
.Xr chroot 2
is performed after login.
.It Sy CHROOT
.Xr chroot 2 ed
users (as per
.Xr ftpchroot 5 ) .
A
.Xr chroot 2
is performed after login.
.It Sy REAL
Normal users.
.El
.Pp
The
.Xr ftpd 8
.Sy STAT
command will return the class settings for the current user as defined by
.Nm "" .
.Pp
Each configuration line may be one of:
.Bl -tag -width 4n
.It Sy advertise Ar class Ar host
.It Sy advertize Ar class Ar host
Set the address to advertise in the response to the
.Sy PASV
and
.Sy LPSV
commands to the address for
.Ar host
(which may be either a host name or IP address).
This may be useful in some firewall configurations, although many
ftp clients may not work if the address being advertised is different
to the address that they've connected to.
If
.Ar class
is
.Dq none
or no argument is given, disable this.
.It Sy checkportcmd Ar class Op Sy off
Check the
.Sy PORT
command for validity.
The
.Sy PORT
command will fail if the IP address specified does not match the
.Tn FTP
command connection, or if the remote TCP port number is less than
.Dv IPPORT_RESERVED .
It is
.Em strongly
encouraged that this option be used, especially for sites concerned
with potential security problems with
.Tn FTP
bounce attacks.
If
.Ar class
is
.Dq none
or
.Sy off
is given, disable this feature, otherwise enable it.
.It Sy chroot Ar class Op Sy pathformat
If
.Ar pathformat
is not given or
.Ar class
is
.Dq none ,
use the default behaviour (see below).
Otherwise,
.Ar pathformat
is parsed to produce the directory to use as the root directory, entered with
.Xr chroot 2
upon login.
.Pp
.Ar pathformat
can contain the following escape strings:
.Bl -tag -width "Escape" -offset indent -compact
.It Sy "Escape"
.Sy Description
.It "\&%c"
Class name.
.It "\&%d"
Home directory of user.
.It "\&%u"
User name.
.It "\&%\&%"
A
.Dq \&%
character.
.El
.Pp
The default root directory is:
.Bl -tag -width "CHROOT" -offset indent -compact
.It Sy CHROOT
The user's home directory.
.It Sy GUEST
If
.Fl a Ar anondir
is given, use
.Ar anondir ,
otherwise the home directory of the
.Sq ftp
user.
.It Sy REAL
By default no
.Xr chroot 2
is performed.
.El
.It Sy classtype Ar class Ar type
Set the class type of
.Ar class
to
.Ar type
(see above).
.It Xo Sy conversion Ar class
.Ar suffix Op Ar "type disable command"
.Xc
Define an automatic in-line file conversion.
If a file to retrieve ends in
.Ar suffix ,
and a real file (sans
.Ar suffix )
exists, then the output of
.Ar command
is returned instead of the contents of the file.
.Pp
.Bl -tag -width "disable" -offset indent
.It Ar suffix
The suffix to initiate the conversion.
.It Ar type
A list of valid filetypes for the conversion.
Valid types are:
.Sq f
(file), and
.Sq d
(directory).
.It Ar disable
The name of a file that will prevent conversion if it exists.
A file name of
.Dq Pa \&.
will prevent this disabling action
(i.e., the conversion is always permitted.)
.It Ar command
The command to run for the conversion.
The first word should be the full path name
of the command, as
.Xr execv 3
is used to execute the command.
All instances of the word
.Dq %s
in
.Ar command
are replaced with the requested file (sans
.Ar suffix ) .
.El
.Pp
Conversion directives specified later in the file override earlier
conversions with the same suffix.
.It Sy display Ar class Op Ar file
If
.Ar file
is not given or
.Ar class
is
.Dq none ,
disable this.
Otherwise, each time the user enters a new directory, check if
.Ar file
exists, and if so, display its contents to the user.
Escape sequences are supported; refer to
.Sx Display file escape sequences
in
.Xr ftpd 8
for more information.
.It Sy homedir Ar class Op Sy pathformat
If
.Ar pathformat
is not given or
.Ar class
is
.Dq none ,
use the default behaviour (see below).
Otherwise,
.Ar pathformat
is parsed to create a directory to change into upon login, and to use
as the
.Sq home
directory of the user for tilde expansion in pathnames, etc.
.Ar pathformat
is parsed as per the
.Sy chroot
directive.
.Pp
The default home directory is the home directory of the user for
.Sy REAL
users, and
.Pa /
for
.Sy GUEST
and
.Sy CHROOT
users.
.It Xo Sy limit Ar class
.Ar count Op Ar file
.Xc
Limit the maximum number of concurrent connections for
.Ar class
to
.Ar count ,
with
.Sq 0
meaning unlimited connections.
If the limit is exceeded and
.Ar file
is given, display its contents to the user.
If
.Ar class
is
.Dq none
or
.Ar count
is not specified, disable this.
If
.Ar file
is a relative path, it will be searched for in
.Pa /etc
(which can be overridden with
.Fl c Ar confdir ) .
.It Sy maxfilesize Ar class Ar size
Set the maximum size of an uploaded file to
.Ar size .
If
.Ar class
is
.Dq none
or no argument is given, disable this.
.It Sy maxtimeout Ar class Ar time
Set the maximum timeout period that a client may request,
defaulting to two hours.
This cannot be less than 30 seconds, or the value for
.Sy timeout .
If
.Ar class
is
.Dq none
or
.Ar time
is not specified, set to the default of 2 hours.
.It Sy modify Ar class Op Sy off
If
.Ar class
is
.Dq none
or
.Sy off
is given, disable the following commands:
.Sy CHMOD ,
.Sy DELE ,
.Sy MKD ,
.Sy RMD ,
.Sy RNFR ,
and
.Sy UMASK .
Otherwise, enable them.
.It Sy motd Ar class Op Ar file
If
.Ar file
is not given or
.Ar class
is
.Dq none ,
disable this.
Otherwise, use
.Ar file
as the message of the day file to display after login.
Escape sequences are supported; refer to
.Sx Display file escape sequences
in
.Xr ftpd 8
for more information.
If
.Ar file
is a relative path, it will be searched for in
.Pa /etc
(which can be overridden with
.Fl c Ar confdir ) .
.It Sy notify Ar class Op Ar fileglob
If
.Ar fileglob
is not given or
.Ar class
is
.Dq none ,
disable this.
Otherwise, each time the user enters a new directory,
notify the user of any files matching
.Ar fileglob .
.It Sy passive Ar class Op Sy off
If
.Ar class
is
.Dq none
or
.Sy off
is given, disallow passive
.Sy ( PASV ,
.Sy LPSV ,
and
.Sy EPSV )
connections.
Otherwise, enable them.
.It Sy portrange Ar class Ar min Ar max
Set the range of port numbers which will be used for the passive data port.
.Ar max
must be greater than
.Ar min ,
and both numbers must be between
.Dv IPPORT_RESERVED
(1024) and 65535.
If
.Ar class
is
.Dq none
or no arguments are given, disable this.
.It Sy rateget Ar class Ar rate
Set the maximum get
.Pq Sy RETR
transfer rate throttle for
.Ar class
to
.Ar rate
bytes per second.
If
.Ar rate
is 0, the throttle is disabled.
If
.Ar class
is
.Dq none
or no arguments are given, disable this.
.Pp
An optional suffix may be provided, which changes the interpretation of
.Ar rate
as follows:
.Bl -tag -width 3n -offset indent -compact
.It b
Causes no modification. (Default; optional)
.It k
Kilo; multiply the argument by 1024
.It m
Mega; multiply the argument by 1048576
.It g
Giga; multiply the argument by 1073741824
.It t
Tera; multiply the argument by 1099511627776
.El
.It Sy rateput Ar class Ar rate
Set the maximum put
.Pq Sy STOR
transfer rate throttle for
.Ar class
to
.Ar rate
bytes per second,
which is parsed as per
.Sy rateget Ar rate .
If
.Ar class
is
.Dq none
or no arguments are given, disable this.
.It Sy sanenames Ar class Op Sy off
If
.Ar class
is
.Dq none
or
.Sy off
is given, allow uploaded file names to contain any characters valid for a
file name.
Otherwise, only permit file names which don't start with a
.Sq \&.
and consist only of characters from the set
.Dq [-+,._A-Za-z0-9] .
.It Sy template Ar class Op Ar refclass
Define
.Ar refclass
as the
.Sq template
for
.Ar class ;
any reference to
.Ar refclass
in following directives will also apply to members of
.Ar class .
This is useful to define a template class so that other classes which are
to share common attributes can be easily defined without unnecessary
duplication.
There can be only one template defined at a time.
If
.Ar refclass
is not given, disable the template for
.Ar class .
.It Sy timeout Ar class Ar time
Set the inactivity timeout period
(the default is fifteen minutes).
This cannot be less than 30 seconds, or greater than the value for
.Sy maxtimeout .
If
.Ar class
is
.Dq none
or
.Ar time
is not specified, set to the default of 15 minutes.
.It Sy umask Ar class Ar umaskval
Set the umask to
.Ar umaskval .
If
.Ar class
is
.Dq none
or
.Ar umaskval
is not specified, set to the default of
.Li 027 .
.It Sy upload Ar class Op Sy off
If
.Ar class
is
.Dq none
or
.Sy off
is given, disable the following commands:
.Sy APPE ,
.Sy STOR ,
and
.Sy STOU ,
as well as the modify commands:
.Sy CHMOD ,
.Sy DELE ,
.Sy MKD ,
.Sy RMD ,
.Sy RNFR ,
and
.Sy UMASK .
Otherwise, enable them.
.El
.Sh DEFAULTS
The following defaults are used:
.Pp
.Bd -literal -offset indent -compact
checkportcmd  all
classtype     chroot CHROOT
classtype     guest  GUEST
classtype     real   REAL
display       none
limit         all    -1     # unlimited connections
maxtimeout    all    7200   # 2 hours
modify        all
motd          all    motd
notify        none
passive       all
timeout       all    900    # 15 minutes
umask         all    027
upload        all
modify        guest  off
umask         guest  0707
.Ed
.Sh FILES
.Bl -tag -width /usr/share/examples/ftpd/ftpd.conf -compact
.It Pa /etc/ftpd.conf
This file.
.It Pa /usr/share/examples/ftpd/ftpd.conf
A sample
.Nm
file.
.El
.Sh SEE ALSO
.Xr ftpchroot 5 ,
.Xr ftpusers 5 ,
.Xr ftpd 8
.Sh HISTORY
The
.Nm
functionality was implemented in
.Nx 1.3
and later releases by Luke Mewburn, based on work by Simon Burge.
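.Sh EXAMPLES
The parsing and override rules from DESCRIPTION, as an added example in Python that is not part of ftpd or of the original page: it joins continued lines, honours the escaped comment character, resolves the directives that apply to one class, and reports two weakened settings.
The sample file, the function names, the class name staff and the two audit checks are assumptions of this example, as is treating a none class as disabling a directive; the template directive is not modelled.

```python
import re
# Subset of the page's DEFAULTS relevant to the checks below.
DEFAULTS = "checkportcmd all\nmodify all\npassive all\nupload all\nmodify guest off\n"
# Constructed sample configuration (not a shipped file).
SAMPLE = r"""
sanenames all
motd all welcome\#1          # escaped '#' stays in the argument
limit guest 10 \
      toomany.msg
checkportcmd staff off       # overrides the earlier 'checkportcmd all'
sanenames staff off
"""

def logical_lines(text):
    """Join '\\'-continued lines and drop unescaped '#' comments."""
    pending = ""
    for raw in text.splitlines():
        line = re.sub(r"(?<!\\)#.*", "", raw)   # cut at first unescaped '#'
        if line.endswith("\\"):                 # escape is the last character
            pending += line[:-1] + " "
            continue
        full = (pending + line).replace("\\#", "#").strip()
        pending = ""
        if full:
            yield full

def effective(text, user_class):
    """Settings for user_class; later directives override earlier ones."""
    settings = {}
    for line in logical_lines(DEFAULTS + text):
        if len(fields := line.split()) < 2:
            continue
        command, cls, args = fields[0], fields[1], fields[2:]
        if cls == "none":
            settings[command] = ["off"]         # assumption: 'none' disables it
        elif cls in ("all", user_class):
            settings[command] = args
    return settings

def audit(text, user_class):
    """List weakened protections (this example's own policy checks)."""
    s = effective(text, user_class)
    on = lambda cmd: cmd in s and s[cmd][:1] != ["off"]
    findings = []
    if not on("checkportcmd"):
        findings.append("checkportcmd off: PORT address/port not validated")
    if on("upload") and not on("sanenames"):
        findings.append("upload enabled without sanenames")
    return findings
```

Calling audit(SAMPLE, "staff") reports both findings, while audit(SAMPLE, "guest") reports none because the staff overrides do not apply to that class.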