System Administration Guide: Network Services

ProcedureHow to Control Uploads to the FTP Server

Add the directives to the ftpaccess file to specify upload permissions and error messages for upload failures.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Add the following entries to the ftpaccess file.

    To enable users to upload files, add the following entry:


    upload [absolute|relative] [class=<classname>]... [-] root-dir \
    dirglob yes|no owner group mode [dirs|nodirs] [<d_mode>]
    
    path-filter typelist mesg allowed-charset {disallowed regexp...}
    
    upload

    Keyword that is applied to users who have a home directory (the argument to chroot()) of the root-dir. The root-dir can be specified as “*” to match any home directory.

    absolute|relative

    Parameter that specifies whether the root-dir directory paths are interpreted as absolute or relative to the current chroot directory.

    class

    Keyword that is used to specify any number of class=<classname> restrictions. If restrictions are specified, the upload clause only becomes effective if the current user is a member of one of the specified classes.

    root-dir

    User's root directory and the home directory for anonymous users.

    dirglob

    A pattern to match a directory name. An asterisk can be used in any place or alone to signify any directory.

    yes|no

    Variable that allows or disallows upload to the FTP server.

    owner

    Owner of files that are uploaded into dirnames.

    group

    Group that is associated with files that are uploaded into dirnames.

    mode

    Parameter that is used to specify access permissions for uploaded files. The default mode 0440 prevents the anonymous account from reading uploaded files.

    dirs|nodirs

    Keyword that allows or disallows users to create subdirectories in a directory that is listed in dirnames.

    d_mode

    Optional mode that determines the permissions for a newly created directory.

    path-filter

    Keyword that controls the names of uploaded files.

    typelist

    A comma-separated list of any of the keywords anonymous, guest, and real.

    mesg

    Message file that is displayed fails to match the regexp criteria.

    allowed-charset {disallowed regexp...}

    Alphanumeric characters allowed or disallowed in file names.


Example 28–13 Controlling Uploads to the FTP Server


upload /export/home/ftp /incoming yes ftpadm ftpadmin 0440 nodirs
path-filter anonymous /etc/ftpd/filename.msg ^[-A-Za-z0-9._]*$ ^[.-]

The preceding example states the following:

Ownership and permissions on a directory into which anonymous uploads are allowed should be tightly controlled. The FTP Administrator should be the owner of all files uploaded to the FTP server. You need to create an FTP Administrator when anonymous users are allowed to upload files. The directory should be owned by the user ftpadm and group ftpadm with permissions set to 3773.

The access mode for files uploaded to the FTP server should be 0440. The 0440 mode prevents the anonymous account from reading uploaded files. This restriction protects your server from becoming a staging area for third-party file distribution.

To make uploaded files available for distribution, the FTP Administrator can move files to a public directory.