Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
FTPD.CONF(5)		      File Formats Manual		  FTPD.CONF(5)

NAME
       ftpd.conf -- tnftpd(8) configuration file

DESCRIPTION
       The   ftpd.conf	 file  specifies  various  configuration  options  for
       tnftpd(8) that apply once a user	has authenticated their	connection.

       ftpd.conf consists of a series of lines,	each of	which  may  contain  a
       configuration  directive,  a comment, or	a blank	line.  Directives that
       appear later in the file	 override  settings  by	 previous  directives.
       This allows `wildcard' entries to define	defaults, and then have	class-
       specific	overrides.

       A directive line	has the	format:
	     command class [arguments]

       A  "\" is the escape character; it can be used to escape	the meaning of
       the comment character, or if it is the last character on	 a  line,  ex-
       tends  a	 configuration	directive across multiple lines.  A "#"	is the
       comment character, and all characters from it to	the end	 of  line  are
       ignored (unless it is escaped with the escape character).

       Each  authenticated user	is a member of a class,	which is determined by
       ftpusers(5).  class is used to determine	which ftpd.conf	entries	 apply
       to  the user.  The following special classes exist when parsing entries
       in ftpd.conf:
	     all     Matches any class.
	     none    Matches no	class.

       Each class has a	type, which may	be one of:

	     GUEST   Guests (as	per the	 "anonymous"  and  "ftp"  logins).   A
		     chroot(2) is performed after login.

	     CHROOT  chroot(2)ed  users	(as per	ftpchroot(5)).	A chroot(2) is
		     performed after login.

	     REAL    Normal users.

       The tnftpd(8) STAT command will return the class	settings for the  cur-
       rent  user as defined by	ftpd.conf, unless the private directive	is set
       for the class.

       Each configuration line may be one of:

       advertize class [host]
	     Set the address to	advertise in the response to the PASV and LPSV
	     commands to the address for host (which may be either a host name
	     or	IP address).  This may be useful in some  firewall  configura-
	     tions,  although many ftp clients may not work if the address be-
	     ing advertised is different to the	address	that they've connected
	     to.  If class is "none" or	host not is specified, disable this.

       checkportcmd class [off]
	     Check the PORT command for	validity.  The PORT command will  fail
	     if	 the  IP address specified does	not match the FTP command con-
	     nection,  or  if  the  remote  TCP	 port  number  is  less	  than
	     IPPORT_RESERVED.	It  is strongly	encouraged that	this option be
	     used, especially for  sites  concerned  with  potential  security
	     problems  with  FTP bounce	attacks.  If class is "none" or	off is
	     specified,	disable	this feature, otherwise	enable it.

       chroot class [pathformat]
	     If	pathformat is not specified or class is	"none",	 use  the  de-
	     fault  behavior  (see below).  Otherwise, pathformat is parsed to
	     create a directory	to create as the root directory	with chroot(2)
	     into upon login.

	     pathformat	can contain the	following escape strings:
		   Escape  Description
		   %c	   Class name.
		   %d	   Home	directory of user.
		   %u	   User	name.
		   %%	   A "%" character.

	     The default root directory	is:
		   CHROOT  The user's home directory.
		   GUEST   If -a anondir is specified, use anondir,  otherwise
			   the home directory of the `ftp' user.
		   REAL	   By default no chroot(2) is performed.

       classtype class type
	     Set the class type	of class to type (see above).

       conversion class	suffix [type disable command]
	     Define  an	 automatic  in-line file conversion.  If a file	to re-
	     trieve ends in suffix, and	a real file (sans suffix) exists, then
	     the output	of command is returned instead of the contents of  the
	     file.

		   suffix   The	suffix to initiate the conversion.

		   type	    A  list  of	 valid	file types for the conversion.
			    Valid types	are: `f' (file), and `d' (directory).

		   disable  The	name of	file that will prevent	conversion  if
			    it	exists.	  A file name of "." will prevent this
			    disabling action (i.e., the	conversion  is	always
			    permitted.)

		   command  The	 command to run	for the	conversion.  The first
			    word should	be the full path name of the  command,
			    as	execv(3)  is used to execute the command.  All
			    instances of the word "%s" in command are replaced
			    with the requested file (sans suffix).

	     Conversion	directives specified later in the file	override  ear-
	     lier conversions with the same suffix.

       denyquick class [off]
	     Enforce  ftpusers(5)  rules  after	 the USER command is received,
	     rather than after the PASS	command	is received.  Whilst  enabling
	     this  feature  may	 allow information leakage about available ac-
	     counts (for example, if you allow some users of a REAL or	CHROOT
	     class  but	 not others), it is useful in preventing a denied user
	     (such as `root') from entering their password across an  insecure
	     connection.   This	 option	 is  strongly  recommended for servers
	     which run an anonymous-only service.  If class is "none"  or  off
	     is	specified, disable this	feature, otherwise enable it.

       display class [file]
	     If	 file is not specified or class	is "none", disable this.  Oth-
	     erwise, each time the user	enters a new directory,	check if  file
	     exists,  and if so, display its contents to the user.  Escape se-
	     quences are supported; refer to "Display file  escape  sequences"
	     in	tnftpd(8) for more information.

       hidesymlinks class [off]
	     If	 class	is  "none"  or off is specified, disable this feature.
	     Otherwise,	the LIST command lists symbolic	links as the  file  or
	     directory	the link references ("ls -LlA").  Servers which	run an
	     anonymous service may wish	 to  enable  this  feature  for	 GUEST
	     users,  so	 that  symbolic	links do not leak names	in directories
	     that are not searchable by	GUEST users.

       homedir class [pathformat]
	     If	pathformat is not specified or class is	"none",	 use  the  de-
	     fault  behavior  (see below).  Otherwise, pathformat is parsed to
	     create a directory	to change into upon login, and to use  as  the
	     `home'  directory	of  the	user for tilde expansion in pathnames,
	     etc.  pathformat is parsed	as per the chroot directive.

	     The default home directory	is the home directory of the user  for
	     REAL users, and / for GUEST and CHROOT users.

       limit class [count [file]]
	     Limit  the	 maximum number	of concurrent connections for class to
	     count, with `-1' meaning unlimited	connections.  If the limit  is
	     exceeded and file is specified, display its contents to the user.
	     If	 class	is "none" or count is not specified, disable this.  If
	     file  is  a  relative  path,  it  will   be   searched   for   in
	     /usr/local/etc (which can be overridden with -c confdir).

       maxfilesize class [size]
	     Set the maximum size of an	uploaded file to size, with `-1' mean-
	     ing  unlimited  connections.   If	class is "none"	or size	is not
	     specified,	disable	this.

       maxtimeout class	[time]
	     Set the maximum timeout period that a  client  may	 request,  de-
	     faulting  to  two hours.  This cannot be less than	30 seconds, or
	     the value for timeout.  If	class is "none"	or time	is not	speci-
	     fied, use the default.

       mmapsize	class [size]
	     Set  the  size of the sliding window to map a file	using mmap(2).
	     If	zero, tnftpd(8)	will use  read(2)  instead.   The  default  is
	     zero.   This  option  affects only	binary transfers.  If class is
	     "none" or size is not specified, use the default.

       modify class [off]
	     If	class is "none"	or off is  specified,  disable	the  following
	     commands: CHMOD, DELE, MKD, RMD, RNFR, and	UMASK.	Otherwise, en-
	     able them.

       motd class [file]
	     If	 file is not specified or class	is "none", disable this.  Oth-
	     erwise, use file as the message of	the day	file to	display	 after
	     login.   Escape  sequences	 are supported;	refer to "Display file
	     escape sequences" in tnftpd(8) for	more information.  If file  is
	     a relative	path, it will be searched for in /usr/local/etc	(which
	     can be overridden with -c confdir).

       notify class [fileglob]
	     If	 fileglob  is  not specified or	class is "none", disable this.
	     Otherwise,	each time the user enters a new	directory, notify  the
	     user of any files matching	fileglob.

       passive class [off]
	     If	 class	is  "none" or off is specified,	prevent	passive	(PASV,
	     LPSV, and EPSV) connections.  Otherwise, enable them.

       portrange class [min max]
	     Set the range of port number which	will be	used for  the  passive
	     data  port.   max must be greater than min, and both numbers must
	     be	between	IPPORT_RESERVED	(1024) and 65535.  If class is	"none"
	     or	no arguments are specified, disable this.

       private class [off]
	     If	 class is "none" or off	is specified, do not display class in-
	     formation in the output of	the STAT command.  Otherwise,  display
	     the information.

       rateget class [rate]
	     Set  the  maximum	get (RETR) transfer rate throttle for class to
	     rate bytes	per second.  If	rate is	0, the throttle	 is  disabled.
	     If	class is "none"	or rate	is not specified, disable this.

       rateput class [rate]
	     Set  the  maximum	put (STOR) transfer rate throttle for class to
	     rate bytes	per second.  If	rate is	0, the throttle	 is  disabled.
	     If	class is "none"	or rate	is not specified, disable this.

       readsize	class [size]
	     Set  the  size of the read	buffer to read(2) a file.  The default
	     is	the file system	block size.  This option affects  only	binary
	     transfers.	  If class is "none" or	size is	not specified, use the
	     default.

       recvbufsize class [size]
	     Set the size of the socket	receive	buffer.	 The default  is  zero
	     and  the  system default value will be used.  This	option affects
	     only passive transfers.  If class is "none" or size is not	speci-
	     fied, use the default.

       sanenames class [off]
	     If	class is "none"	or off is specified, allow uploaded file names
	     to	contain	any characters valid for a file	name.  Otherwise, only
	     permit file names which don't start with a	`.' and	only  comprise
	     of	characters from	the set	"[-+,._A-Za-z0-9]".

       sendbufsize class [size]
	     Set  the size of the socket send buffer.  The default is zero and
	     the system	default	value will be used.  This option affects  only
	     binary  transfers.	  If class is "none" or	size is	not specified,
	     use the default.

       sendlowat class [size]
	     Set the low water mark of socket send  buffer.   The  default  is
	     zero  and system default value will be used.  This	option affects
	     only for binary transfer.	If class is  "none"  or	 size  is  not
	     specified,	use the	default.

       template	class [refclass]
	     Define  refclass  as  the	`template' for class; any reference to
	     refclass in following directives will also	apply  to  members  of
	     class.   This  is useful to define	a template class so that other
	     classes which are to share	common attributes can  be  easily  de-
	     fined  without  unnecessary  duplication.	 There can be only one
	     template defined at a time.  If refclass is not  specified,  dis-
	     able the template for class.

       timeout class [time]
	     Set  the inactivity timeout period.  (the default is fifteen min-
	     utes).  This cannot be less than 30 seconds, or greater than  the
	     value  for	 maxtimeout.  If class is "none" or time is not	speci-
	     fied, use the default.

       umask class [umaskval]
	     Set the umask to umaskval.	 If class is "none" or umaskval	is not
	     specified,	set to the default of 027.

       upload class [off]
	     If	class is "none"	or off is  specified,  disable	the  following
	     commands:	APPE,  STOR, and STOU, as well as the modify commands:
	     CHMOD, DELE, MKD, RMD, RNFR, and UMASK.  Otherwise, enable	them.

       writesize class [size]
	     Limit the number of bytes to write(2) at a	time.  The default  is
	     zero,  which  means all the data available	as a result of mmap(2)
	     or	read(2)	will be	written	at a time.  This option	 affects  only
	     binary  transfers.	  If class is "none" or	size is	not specified,
	     use the default.

   Numeric argument suffix parsing
       Where command arguments are numeric, a decimal number is	expected.  Two
       or more numbers may be separated	by an "x" to indicate a	product.  Each
       number may have one of the following optional suffixes:
	     b	  Block; multiply by 512
	     k	  Kibi;	multiply by 1024 (1 KiB)
	     m	  Mebi;	multiply by 1048576 (1 MiB)
	     g	  Gibi;	multiply by 1073741824 (1 GiB)
	     t	  Tebi;	multiply by 1099511627776 (1 TiB)
	     w	  Word;	multiply by the	number of bytes	in an integer

       See strsuftoll(3) for more information.

DEFAULTS
       The following defaults are used:

	     checkportcmd  all
	     classtype	   chroot CHROOT
	     classtype	   guest  GUEST
	     classtype	   real	  REAL
	     display	   none
	     limit	   all	  -1	 # unlimited connections
	     maxtimeout	   all	  7200	 # 2 hours
	     modify	   all
	     motd	   all	  motd
	     notify	   none
	     passive	   all
	     timeout	   all	  900	 # 15 minutes
	     umask	   all	  027
	     upload	   all
	     modify	   guest  off
	     umask	   guest  0707

FILES
       /usr/local/etc/ftpd.conf			   This	file.
       /usr/local/share/examples/tnftpd/ftpd.conf  A sample ftpd.conf file.

SEE ALSO
       strsuftoll(3), ftpchroot(5), ftpusers(5), tnftpd(8)

HISTORY
       The ftpd.conf functionality was implemented in NetBSD 1.3 and later re-
       leases by Luke Mewburn, based on	work by	Simon Burge.

FreeBSD	14.3			August 22, 2020			  FTPD.CONF(5)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=ftpd.conf&sektion=5&manpath=FreeBSD+14.3-RELEASE+and+Ports>

home | help