SunTM Internet FTP ServerTM 1.1 man pages.
The man pages offer detailed instruction and examples on options and subcommands for each utility. The command-line utilities are available to start and run the host configuration tool that installs Solaris for ISPs components and configures the system.
The ftpaddhost command provides an automated procedure to set up a virtual anonymous FTP server.
The ftpconfig command provides an automated procedure to set up anonymous FTP.
The ftpcount command shows the current number of users logged on and the login limit for each class defined in the ftpaccess(4) file.
The ftpshut command provides an automated shutdown procedure that a superuser can use to notify ftp users when the ftp server is shutting down.
in.ftpd is the Internet File Transfer Protocol server process. The server uses the TCP protocol and listens at the port specified in the ``ftp'' service specification. To deny login for a particular user, add the user's login to the /etc/inet/ftpusers file.
Upon termination, each command returns the following exit values:
Successful completion.
An error occurred.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpu |
The ftpaddhost command provides an automated procedure to set up a virtual anonymous FTP server. It uses the anonymous FTP area in template_dir to create a cloned tree in a new directory under root_dir. The cloned tree contains hard links to all the system files in template_dir, so they must both reside in the same file system. The template_dir can be the anonymous file area created by the ftpconfig(1M) command. The virtual server to which service is provided is identified by its hostname. The hostname also determines the name of the directory created under root_dir. If the hostname is ftp.corp.com, then the anonymous area created is in virtual_dir/ftp.corp.com. The command copies the file Welcome from the template_dir to the file area for the virtual server, and adds an entry for the new hostname to the ftpservers(4) file.
If ftpaddhost is used in conjunction with an LDAP user connection, the hostname must be a fully qualified domain name.
The following operands are supported:
An existing anonymous FTP setup directory.
The top directory for the virtual host.
The host name of the virtual server. $root_dir/$hostname will be the root directory for this virtual host. An IP address can be used for hostname; however, if the LDAP server is being used for authentication, the hostname must be the fully qualified domain name.
The anonymous user's home directory on the virtual host.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpu |
Interface Stability | Evolving |
The ftpconfig command provides an automated procedure to set up anonymous File Transfer Protocol ("FTP").
Anonymous FTP allows users to remotely log on to the FTP server by specifying the user name "ftp" or "anonymous" and the user's email address as the password. The anonymous users are logged on to the server and given access to a restricted file area with its own file system root. See chroot(1). The FTP area has its own minimal system files.
The ftpconfig command will copy and set up all the components needed to operate an anonymous FTP server, including creating the FTP user account, creating device nodes, copying usr/lib files, copying timezone data, and configuring etc/nsswitch.conf and etc/pam.conf. The passwd and group files set up contain no real user names, to prevent malicious users from finding login names on the server. The anonymous file area is placed in ftpdir. If the FTP user account already exists, then the current FTP area is used, and the system files in it are updated. All other files are left untouched. The ftpconfig command should be run to update the anonymous FTP area's configuration whenever a system patch is installed, or the system is upgraded.
If the -d option is used, ftpconfig creates only an anonymous FTP directory, without adding or updating the FTP user account. This option is useful for creating template directories that can be customized later and used with ftpaddhost(1M) to create virtual servers.
If the -u option is specified, then ftpconfig will only perform an update. If an update is not possible, the command will print an error and exit. The ftpdir argument should be omitted with the -u option.
The anonymous login name is always "ftp".
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpu |
Interface Stability | Evolving |
The ftpcount command shows the current number of users logged on and the login limit for each class defined in the ftpaccess(4) file.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpu |
Interface Stability | Evolving |
The ftpshut command provides an automated shutdown procedure that a superuser can use to notify ftp users when the ftp server is shutting down. The time is the time at which to bring the ftp server down. It may be the word `now,' indicating an immediate shutdown, or specify a future time in one of two formats: + number or HHMM. The first form brings the ftp servers down in number minutes. The second brings the ftp servers down at the time of day indicated, using a 24-hour clock format.
Ten minutes before shutdown, or immediately if the shutdown time is less than ten minutes away, any new ftp access will be disabled. This time may be adjusted through the -l flag. Five minutes before shutdown, or immediately if the shutdown is timed for less than five minutes away, all current ftp connections will be disconnected. This time may be adjusted through the -d flag. The warning-message will be formatted to be 75 characters wide. The following format controls can be embedded in warning-message:
Time system is going to shut down.
Time new connections will be denied.
Time current connections will be dropped.
Current working directory.
The administrator's email address.
Free space in partition of CWD, in kilobytes.
Local host name.
Maximum allowed number of users in the class to which a login was determined to belong. See the CLASS configuration keyword in ftpaccess(4).
Current number of users in the class to which a login was determined to belong. See the CLASS configuration keyword in ftpaccess(4).
Remote host name.
Local time (form Thu Nov 15 17:12:42 1990).
Username given at login time.
The name of a file containing access control definitions following the same format of the ftpaccess configuration file. This enables specification of alternate hosts when there are virtual hosts defined on a server.
The time ahead of shutdown, in minutes, that new connections will be refused.
The time ahead of shutdown, in minutes, that existing connections not in file transfer will be disconnected.
The following operands are supported:
The time at which to bring the FTP server down.
Message to display that warns of the imminent shutdown.
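The two time formats and the "ten minutes or immediately" clamping rule above are easy to get wrong when planning a maintenance window, so the following added example (not part of the Sun man page, and not ftpshut's own code) computes the three moments a shutdown produces: the shutdown itself, the moment new connections are refused (the -l lead time, default 10 minutes) and the moment existing connections are dropped (the -d lead time, default 5 minutes). It assumes that an HHMM time already past today refers to tomorrow; SAMPLE_NOW is a constructed reference time.

```python
import re
from datetime import datetime, timedelta

# Defaults stated in the ftpshut description: -l defaults to 10 minutes, -d to 5.
DEFAULT_DENY_AHEAD = 10
DEFAULT_DISC_AHEAD = 5

# Constructed reference time used by the examples below (the date the man page
# itself uses in its sample timestamp).
SAMPLE_NOW = datetime(1990, 11, 15, 17, 12, 0)


def parse_shutdown_time(spec, now):
    """Turn a ftpshut time operand into a datetime.

    'now'     -> immediate shutdown
    '+number' -> number minutes from now
    'HHMM'    -> that 24-hour wall-clock time; if it is already past today,
                 tomorrow (assumption: the man page does not say, this is
                 the example's choice)
    """
    if spec == "now":
        return now
    if spec.startswith("+"):
        if not spec[1:].isdigit():
            raise ValueError(f"bad relative time: {spec!r}")
        return now + timedelta(minutes=int(spec[1:]))
    m = re.fullmatch(r"(\d{2})(\d{2})", spec)
    if not m:
        raise ValueError(f"bad time spec: {spec!r} (expected now, +number or HHMM)")
    hh, mm = int(m.group(1)), int(m.group(2))
    if hh > 23 or mm > 59:
        raise ValueError(f"out-of-range clock time: {spec!r}")
    target = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
    if target < now:
        target += timedelta(days=1)
    return target


def shutdown_schedule(spec, now, deny_ahead=DEFAULT_DENY_AHEAD,
                      disc_ahead=DEFAULT_DISC_AHEAD):
    """Return (shutdown, deny_new_connections, disconnect_existing) datetimes.

    Each lead time is clamped to 'now': when the shutdown is closer than the
    lead time, the corresponding action happens immediately, exactly as the
    description of the default 10- and 5-minute windows states.
    """
    shutdown = parse_shutdown_time(spec, now)
    deny_new = max(now, shutdown - timedelta(minutes=deny_ahead))
    disconnect = max(now, shutdown - timedelta(minutes=disc_ahead))
    return shutdown, deny_new, disconnect


if __name__ == "__main__":
    for spec in ("now", "+30", "+3", "1800", "0800"):
        sh, deny, disc = shutdown_schedule(spec, SAMPLE_NOW)
        print(f"{spec:>5}: shutdown {sh:%a %H:%M}, refuse new {deny:%a %H:%M}, "
              f"disconnect {disc:%a %H:%M}")
```

Passing a larger -l value than the remaining time (for example `shutdown_schedule("+20", now, deny_ahead=30)`) yields an immediate refusal of new connections, which is the behaviour an operator should expect before running the real command.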
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpu |
Interface Stability | Evolving |
in.ftpd is the Internet File Transfer Protocol server process. The server uses the TCP protocol and listens at the port specified in the ``ftp'' service specification. See services(4).
To deny login for a particular user, add the user's login to the /etc/inet/ftpusers file.
ftpaccess(4) is the configuration file. For backward compatibility, umask and banner can be set as follows. The umask, which is used to create files during PUT operations, may be set by adding the following line to /etc/default/ftpd:
UMASK=nnn
The banner returned by in.ftpd in the parenthetical portion of its greeting is configurable. The default is equivalent to 'uname -sr' and will be used if no banner is set in /etc/default/ftpd. To set the banner, add a line to /etc/default/ftpd of the form:
BANNER="..."
Non-empty banner strings are fed to shells for evaluation. The default banner may be obtained by:
BANNER="`uname -s` `uname -r`"
No banner will be printed if /etc/default/ftpd contains:
BANNER=""
The FTP server currently supports the following ftp requests; case is not distinguished.
DESCRIPTION
Abort previous command.
Specify account (ignored).
Allocate storage (vacuously).
Append to a file.
Change to parent of current working directory.
Change working directory.
Delete a file.
Give help information.
Give list of files in a directory (``ls -la'').
Make a directory.
Show last modification time of file.
Specify data transfer mode.
Give name list of files in directory.
Do nothing.
Specify password.
Prepare for server-to-server transfer.
Specify data connection port.
Print the current working directory.
Terminate session.
Restart incomplete transfer.
Retrieve a file.
Remove a directory.
Specify rename-from file name.
Specify rename-to file name.
Non-standard commands (see next section).
Return size of file.
Return status of server.
Store a file.
Store a file with a unique name.
Specify data transfer structure.
Show operating system type of server system.
Specify data transfer type.
Specify user name.
Change to parent of current working directory.
Change working directory (deprecated).
Make a directory (deprecated).
Print the current working directory (deprecated).
Remove a directory (deprecated).
The following non-standard or UNIX specific commands are supported by the SITE request:
DESCRIPTION
Change umask, for example, SITE UMASK 002.
Set idle-time, for example, SITE IDLE 60.
Change mode of a file, for example, SITE CHMOD 755 filename.
Give help information, for example, SITE HELP.
List files newer than a particular date.
Like SITE NEWER, but gives extra information.
Request special group access, for example, SITE GROUP foo.
Give special group access password, for example, SITE GPASS bar.
Execute a program, for example, SITE EXEC program params.
The remaining ftp requests specified in Internet RFC 959 are recognized but not implemented. MDTM and SIZE are not specified in Internet RFC 959, but they will appear in a future protocol version.
The FTP server will abort an active file transfer only when the ABOR command is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet "Synch" signal in the command Telnet stream, as described in Internet RFC 959. If a STAT command is received during a data transfer, preceded by a Telnet IP and Synch, transfer status will be returned.
in.ftpd interprets file names according to the ``globbing'' conventions used by csh(1). This allows the use of the metacharacters ``*?[]{}~'' in file names.
in.ftpd authenticates users according to four rules.
The user name must be in the password data base, and not have a null password. In this case a password must be provided by the client before any file operations may be performed.
The user name must not appear in the file /etc/inet/ftpusers.
The user must have a standard shell returned by getusershell(3C).
If the user name is ``anonymous'' or ``ftp'', an anonymous ftp account must be present in the password file (user ``ftp''). In this case the user is allowed to log in by specifying any password (by convention this is given as the client host's name).
In the last case, in.ftpd takes special measures to restrict the client's access privileges. The server performs a chroot(2) command to the home directory of the ``ftp'' user. In order that system security not be breached, it is recommended that the ``ftp'' subtree be constructed with care; the following rules are recommended. Note that the ftpconfig(1M) script will set these up automatically.
Make the home directory owned by superuser and unwritable by anyone.
Make this directory owned by the superuser and unwritable by anyone. The program ls(1) must be present to support the list command. This program should have mode 111.
Make this directory owned by the superuser and unwritable by anyone. The files passwd(5) and group(5) must be present for the ls command to be able to produce owner names rather than numbers. The password field in passwd is not used, and should not contain real encrypted passwords. These files should be mode 444 and owned by the superuser. Do not use the system's /etc/passwd file as the password file or the system's /etc/group file as the group file in the /home/ftp/etc directory.
Create a subdirectory in /home/ftp/pub with the appropriate mode (777 or 733) if you want to allow normal users to upload files.
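The rules above for the anonymous subtree are exactly the kind of thing that drifts after a patch or a manual fix, so here is an added audit script (not part of the man page and not the ftpconfig script) that checks an existing ``ftp'' home against them: home, bin and etc owned by the expected uid and unwritable; bin/ls present with mode 111; etc/passwd and etc/group mode 444, owned by the expected uid and carrying no password hashes; any world-writable upload directory under pub restricted to mode 777 or 733. The function `demo()` builds a constructed sample tree in a temporary directory, which is why it passes the current uid rather than 0 as the expected owner; treating only an empty field or "*" as an acceptable password field is this example's assumption.

```python
import os
import shutil
import stat
import tempfile


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_anon_tree(home, expected_uid=0):
    """Check an anonymous FTP home against the subtree rules. Returns a list of
    findings; an empty list means the tree conforms. expected_uid is 0 (the
    superuser) by default, as the rules require."""
    findings = []

    def check_dir(rel, label):
        path = os.path.join(home, rel) if rel else home
        if not os.path.isdir(path):
            findings.append(f"{label}: directory missing")
            return
        st = os.lstat(path)
        if st.st_uid != expected_uid:
            findings.append(f"{label}: not owned by uid {expected_uid}")
        if stat.S_IMODE(st.st_mode) & 0o222:
            findings.append(f"{label}: writable (mode {oct(stat.S_IMODE(st.st_mode))})")

    check_dir("", "home")
    check_dir("bin", "bin")
    check_dir("etc", "etc")

    ls = os.path.join(home, "bin", "ls")
    if not os.path.isfile(ls):
        findings.append("bin/ls: missing, so the LIST command cannot work")
    elif _mode(ls) != 0o111:
        findings.append(f"bin/ls: mode {oct(_mode(ls))}, expected 0o111")

    for name in ("passwd", "group"):
        p = os.path.join(home, "etc", name)
        if not os.path.isfile(p):
            findings.append(f"etc/{name}: missing, ls will print numeric ids")
            continue
        st = os.lstat(p)
        if stat.S_IMODE(st.st_mode) != 0o444:
            findings.append(f"etc/{name}: mode {oct(stat.S_IMODE(st.st_mode))}, expected 0o444")
        if st.st_uid != expected_uid:
            findings.append(f"etc/{name}: not owned by uid {expected_uid}")

    # The password field is unused and must not hold real hashes. Accepting only
    # '' and '*' here is this example's assumption, not a rule from the page.
    pw = os.path.join(home, "etc", "passwd")
    if os.path.isfile(pw):
        with open(pw) as fh:
            for ln in fh:
                fields = ln.rstrip("\n").split(":")
                if len(fields) > 1 and fields[1] not in ("", "*"):
                    findings.append(f"etc/passwd: {fields[0]} has a password field set")

    # Upload directories under pub may be world-writable, but only as 777 or 733.
    pub = os.path.join(home, "pub")
    if os.path.isdir(pub):
        for entry in sorted(os.listdir(pub)):
            p = os.path.join(pub, entry)
            if os.path.isdir(p) and _mode(p) & 0o002 and _mode(p) not in (0o777, 0o733):
                findings.append(f"pub/{entry}: world-writable mode {oct(_mode(p))}, "
                                "expected 0o777 or 0o733")
    return findings


def build_sample_tree(home):
    """Construct a conforming sample tree (demo only; bin/ls is a stand-in script)."""
    os.makedirs(os.path.join(home, "bin"))
    os.makedirs(os.path.join(home, "etc"))
    os.makedirs(os.path.join(home, "pub", "incoming"))
    with open(os.path.join(home, "bin", "ls"), "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(os.path.join(home, "bin", "ls"), 0o111)
    with open(os.path.join(home, "etc", "passwd"), "w") as fh:
        fh.write("root:*:0:1:::\nftp:*:30000:30000:::\n")  # no real hashes, no real users
    with open(os.path.join(home, "etc", "group"), "w") as fh:
        fh.write("root::0:\nftp::30000:\n")
    for rel in ("etc/passwd", "etc/group"):
        os.chmod(os.path.join(home, rel), 0o444)
    os.chmod(os.path.join(home, "pub", "incoming"), 0o733)
    for rel in ("bin", "etc", ""):  # parents last, once their contents exist
        os.chmod(os.path.join(home, rel), 0o555)


def demo():
    """Audit a conforming tree, loosen etc/passwd to 644, audit again.
    Returns (findings_before, findings_after)."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "ftp")
    try:
        build_sample_tree(home)
        before = audit_anon_tree(home, expected_uid=os.getuid())
        os.chmod(os.path.join(home, "etc", "passwd"), 0o644)
        after = audit_anon_tree(home, expected_uid=os.getuid())
    finally:
        for rel in ("", "bin", "etc"):  # make the tree removable again
            if os.path.isdir(os.path.join(home, rel)):
                os.chmod(os.path.join(home, rel), 0o755)
        shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Against a real server the call is simply `audit_anon_tree("/home/ftp")` run as root; the demo wrapper exists only so the example can exercise the checks on a throwaway tree.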
The FTP server has functionality to allow a client to request automatic file type conversion. See ftpconversions(4). If the client asks for Specified Filename below, it gets True Filename with Action performed on it. For instance, if there is a directory name "src," the client can download "src.tar;" it gets the "src" directory with the action "tar" performed. In short, it gets a tar file of the directory.
True Filename | Specified Filename | Action |
---|---|---|
<filename>.Z | <filename> | uncompress file before transmitting. |
<filename> | <filename>.Z | compress <filename> before transmitting. |
<filename> | <filename>.tar | tar <filename> before transmitting. |
<filename> | <filename>.tar.Z | tar and compress <filename> before transmitting. |
The FTP server will check passwords supplied with anonymous logins for valid e-mail addresses and produce a chiding message if the password does not pass the test. A dash as the first character of the password can be used to disable multiline message in anonymous logins, and it is useful with a few older clients that get confused by these.
The FTP server can also log all file transmission and reception, keeping the following information for each file transmission that takes place:
Mon Dec 3 18:52:41 1990 1 wuarchive.wustl.edu 568881 /files.lst.Z a _ o a chris@wugate.wustl.edu ftp 0 *
%.24s %d %s %d %s %c %s %c %c %s %s %d %s
1 2 3 4 5 6 7 8 9 10 11 12 13
Description
Current time in the form DDD MMM dd hh:mm:ss YYYY.
Transfer time in seconds.
Remote host name.
File size in bytes.
Name of file.
Transfer type (a for ascii, b for binary).
Special action flags (concatenated as needed):
File was compressed.
File was uncompressed.
File was tar file.
No action taken.
Direction: file was sent to the user (o, outgoing) or received from the user (i, incoming).
Access mode (r for real, a for anonymous); mostly for FTP.
Local username or, if guest, ID string given (anonymous FTP password)
Service name ('ftp', other).
Authentication method (bitmask). Always zero (0).
None.
Always "*".
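Because the log line is whitespace-separated and the file name is the only field whose content is not fixed-width or single-token, the robust way to read it is to take the five timestamp tokens and three numeric/host tokens from the left and the eight trailing fields from the right. The following added example (not part of the man page, and not the server's own logging code) parses the 13-field record described above into a typed structure and then applies two simple detection rules a defender might run over the file: anonymous inbound uploads, and anonymous retrieval of files whose basename is on a watch list. The second sample line and the watch list are constructed for the example; the flag letters for compressed/uncompressed/tar actions are not given on this page, so only the `_` (no action) value shown in the page's sample is relied on.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines in the 13-field layout
# (%.24s %d %s %d %s %c %s %c %c %s %s %d %s). The first reproduces the page's
# example; the second is an invented anonymous upload into an incoming area.
SAMPLE_LINES = [
    "Mon Dec  3 18:52:41 1990 1 wuarchive.wustl.edu 568881 /files.lst.Z a _ o a "
    "chris@wugate.wustl.edu ftp 0 *",
    "Tue Dec  4 02:13:09 1990 37 203.0.113.9 4194304 /pub/incoming/setup.exe b _ i a "
    "guest@example.invalid ftp 0 *",
]

# Constructed watch list of basenames whose anonymous retrieval deserves a look.
SENSITIVE_BASENAMES = {"passwd", "shadow", "core"}


@dataclass
class XferRecord:
    when: datetime
    transfer_secs: int
    remote_host: str
    size: int
    filename: str
    transfer_type: str   # 'a' ascii or 'b' binary
    action_flags: str    # '_' when no conversion was applied
    direction: str       # 'o' sent to user, 'i' received from user
    access_mode: str     # 'r' real account, 'a' anonymous
    username: str        # local user, or the e-mail given as anonymous password
    service: str
    auth_method: int     # always 0 on this server
    auth_user: str       # always '*' on this server


def parse_xferlog_line(line):
    """Parse one xferlog record. Fields 1-4 are taken from the left, fields 6-13
    from the right, so a file name containing spaces still parses."""
    toks = line.split()
    if len(toks) < 17:
        raise ValueError(f"too few fields for an xferlog record: {line!r}")
    when = datetime.strptime(" ".join(toks[:5]), "%a %b %d %H:%M:%S %Y")
    ttype, flags, direction, access, user, service, auth, auth_user = toks[-8:]
    if ttype not in "ab" or direction not in "oi" or access not in "ra":
        raise ValueError(f"unexpected type/direction/access in: {line!r}")
    return XferRecord(when, int(toks[5]), toks[6], int(toks[7]),
                      " ".join(toks[8:-8]), ttype, flags, direction, access,
                      user, service, int(auth), auth_user)


def parse_xferlog(lines):
    return [parse_xferlog_line(ln) for ln in lines if ln.strip()]


def classify(rec):
    """Return detection tags for a record (empty list means nothing notable)."""
    tags = []
    if rec.access_mode == "a" and rec.direction == "i":
        tags.append("anonymous-upload")
    if rec.access_mode == "a" and rec.direction == "o" \
            and rec.filename.rsplit("/", 1)[-1] in SENSITIVE_BASENAMES:
        tags.append("anonymous-sensitive-download")
    return tags


def flag_records(records):
    """List (filename, tags) for every record that triggers at least one rule."""
    out = []
    for rec in records:
        tags = classify(rec)
        if tags:
            out.append((rec.filename, tags))
    return out


if __name__ == "__main__":
    for rec in parse_xferlog(SAMPLE_LINES):
        print(rec.when, rec.remote_host, rec.username, rec.filename, classify(rec))
```

Reading the real file is `parse_xferlog(open("/var/ftp/xferlog.data"))`; since the server never fills the last two fields with anything but 0 and "*", the parser keeps them but nothing downstream depends on them.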
Debugging information is written to the syslog.
Each ftp session is logged in the syslog. The ftp server will time out after 15 minutes if the session is inactive.
Set the maximum inactive period to timeout seconds. A client may also request a different timeout period.
Set the maximum inactive period to maxtimeout seconds. The default limit is 2 hours.
Set the default umask for file creation to mask. The default umask is 022.
Disable all file modification and writing. Files are read-only. This option is available to all user types, whether real, guest, or anonymous, and it overrides the readonly keyword in the ftpaccess(4) file.
Run in standalone mode. Instead of being invoked from inetd(1M), in.ftpd permanently listens for connections itself. For a very busy server this greatly reduces overhead by eliminating unnecessary exec(2) operations.
Run as an inetd(1M) wait server. This is a variant of standalone mode: in.ftpd manages its own connections, but after a timeout period it exits and returns control to inetd. The timeout is specified in seconds. This is the system default.
Log commands sent to the in.ftpd to the syslog. The ftpaccess(4) file overrides this option. If the -L flag is used, command logging will be on by default as soon as the FTP server is invoked. This will cause the server to log all USER commands, which, if a user accidentally enters a password for that command instead of the username, will cause passwords to be logged by way of syslog.
Log files received by the in.ftpd server to /var/ftp/xferlog.data. The ftpaccess(4) file overrides this option.
Log files transmitted by the in.ftpd server to the syslog. The ftpaccess(4) file overrides this option.
in.ftpd uses pam(3) for authentication, account management, and session management. The PAM configuration policy, listed through /etc/pam.conf, specifies the module to be used for in.ftpd. The following is a partial pam.conf file with entries for the in.ftpd command, using the UNIX authentication, account management, and session management modules:
ftp auth required /usr/lib/security/pam_unix.so.1
ftp account required /usr/lib/security/pam_unix.so.1
ftp session required /usr/lib/security/pam_unix.so.1
If there are no entries for the ftp service, then the entries for the "other" service will be used. Unlike login, passwd, and other commands, the ftp protocol will only support a single password. Using multiple modules will prevent in.ftpd from working properly.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpu |
Interface Stability | Evolving |
ftp(1M), ftpaddhost(1M), ftpcount(1M), ftpshut(1M), syslogd(1M), getusershell(3C), ftpaccess(4), ftpconfig(4), ftpconversions(4), ftphosts(4), ftpservers(4), shells(4), attributes(5)
The man pages offer detailed instruction and examples on keywords and parameters for each configuration file.
The ftpaccess file is used to configure the operation of the FTP server.
The ftpd file-conversions database, used to specify the prefix, postfix, type, and conversion command to in.ftpd(1M).
The ftphosts file is used to deny access to certain accounts from various hosts.
The ftpservers file contains a list of virtual servers. Each virtual server listed has its own configuration file that completely replaces ftpaccess(4).
The xferlog file contains logging information from the FTP server daemon, in.ftpd(1M).
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpr |
Interface Stability | Evolving |
ftpIntro(1M), attributes(5)
/etc/inet/ftpaccess
The ftpaccess file is used to configure the operation of the File Transfer Protocol ("FTP") server.
In the keyword descriptions below, the following general parameters are used:
A pattern to match a host name of the form host.subdomain.domain. An asterisk ("*") can be put first to match only the tail of a host name; it can be put in the middle to match exactly one component between two dots; or it can be put last to match only initial components. Examples are: "*.domain", "host.*", and "host.*.domain". Note that if reverse lookups are disabled, the host names are based on the IP address (for example, 10.207.82.135), and there are exactly four components separated by dots.
A class name, defined by the CLASS keyword. Each login is matched against the defined classes, and considered to belong to the class it first matches.
A pattern to match against a class name as defined by the CLASS keyword. The pattern is as described in fnmatch(5).
A command to execute, for example, /bin/ls.
A directory name, for example, /etc.
A filename, for example, /etc/Welcome.
A system group, as defined in /etc/group or equivalent.
The location of a file containing a message to be output.
Any sequence of printable characters. Matching pairs of single or double quotes can be used to include blanks. Backslash can be used to quote any single character or include the special characters CR (\r) and LF (\n).
One or more of the words, "real," "guest," or "anonymous," separated by commas.
One of the words "yes" or "no". The words "on"/"off" are equivalent.
If an ANONYMOUS user is a member of any of <class> the ftp server will perform a setegid(2) to <groupname>. This allows access to group-and-owner-read-only files and directories to a particular class of anonymous users. <groupname> is a valid group from /etc/group.
Define a class of users, with source addresses of the form <addrglob> . Multiple members of <class> may be defined. There may be multiple "class" commands listing additional members of the class. If multiple "class" definitions can apply to a session, the first one listed in the access file is used. Failing to define a valid class for a host will cause access to be denied. <typelist> is a comma-separated list of any of the keywords "anonymous," "guest," and "real."
If the "real" keyword is included, the class can match users using FTP to access real accounts, and if the "anonymous" keyword is included the class can match users using anonymous FTP. The "guest" keyword matches guest access accounts. See "guestgroup" for more information.
<addrglob> may be a globbed domain name or a globbed numeric address.
Always deny access to host(s) matching <addrglob>. <message_file> is displayed. <addrglob> may be "!nameserved" to deny access to sites without a working nameserver.
If a real user is a member, the session is set up exactly as with anonymous FTP. In other words, chroot(1M) is done, and the user is no longer permitted to issue the USER and PASS commands.
The user's home directory must be properly set up, exactly as anonymous FTP would be. The home directory field of the passwd entry is divided into two directories.
The first field is the root directory which will be the argument to the chroot(1M) command. The second field is the user's home directory relative to the root directory. The two fields are separated by a "/./".
For example, in /etc/passwd, the real entry is: guest1::100:92:GuestAccount:/ftp/./incoming:/etc/ftponly. When guest1 successfully logs in, the FTP server will chroot ("/ftp") and then chdir(1M) ("/incoming"). The guest user will only be able to access the directory structure under /ftp, which will look and act as / to guest1, just as an anonymous FTP user would.
Limit <class> to <n> users at times <times>, displaying <message_file> if user is denied access. Limit check is performed at login time only. If multiple "limit" commands can apply to the current session, the first applicable one is used. Failing to define a valid limit, or a limit of -1, is equivalent to unlimited. <times> is day-of-week and time-of-day when this class may connect, for example, MoTuTh0800-1700. Use "Any" for any day. Use "Never" for classes that may never login. If a day is specified but no time, then any time that day is assumed.
After login failures, log a "repeated login failures" message and terminate the FTP connection. The default value is 5.
Sets the bound on the total number of users of all classes logged on simultaneously to <n>.
Always deny retrievability of these files. If the files are an absolute path specification, then only those files are marked ungettable, otherwise all files with matching filename are refused transfer. For example, "noretrieve /etc/passwd core" specifies no one will be able to get the file /etc/passwd whereas a file `passwd' may be transferred if it is not in /etc. On the other hand, no one will be able to get files named `core' regardless of where they are. No globbing is done.
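The addrglob matching rules (a leading "*" matches any tail, a trailing "*" any initial components, a "*" between two dots exactly one component), the first-match class resolution with deny-on-no-class, and the absolute-path-versus-basename semantics of noretrieve are three places where an administrator's mental model of ftpaccess can differ from the server's. The following added example (not part of the man page and not the server's own parser) implements just those three rules for the class and noretrieve keywords, so a policy can be dry-run against a host name and login type before it is deployed. The sample ftpaccess text is constructed; treating host-name matching as case-insensitive is this example's assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample policy: a local class for every login type, a catch-all
# anonymous class, and two noretrieve entries of the two kinds the text describes.
SAMPLE_FTPACCESS = """\
class local  real,guest,anonymous  *.corp.com 10.207.*
class remote anonymous             *
noretrieve /etc/passwd core
"""


@dataclass
class ClassRule:
    name: str
    typelist: set
    addrglobs: list


@dataclass
class AccessPolicy:
    classes: list = field(default_factory=list)   # kept in file order
    noretrieve: list = field(default_factory=list)


def addrglob_to_regex(pattern):
    """Translate an <addrglob> into a regex following the rules given above."""
    comps = pattern.split(".")
    parts = []
    for i, comp in enumerate(comps):
        if comp == "*":
            if i == 0 or i == len(comps) - 1:
                parts.append(r"[^.]+(?:\.[^.]+)*")   # any tail / any initial components
            else:
                parts.append(r"[^.]+")               # exactly one component
        else:
            parts.append(re.escape(comp))
    # Case-insensitive host matching is an assumption of this example.
    return re.compile("^" + r"\.".join(parts) + "$", re.IGNORECASE)


def matches_addrglob(pattern, host):
    return addrglob_to_regex(pattern).match(host) is not None


def parse_ftpaccess(text):
    """Parse only the class and noretrieve keywords; other keywords are skipped."""
    policy = AccessPolicy()
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "class" and len(words) >= 4:
            typelist = {t.strip().lower() for t in words[2].split(",")}
            policy.classes.append(ClassRule(words[1], typelist, words[3:]))
        elif keyword == "noretrieve":
            policy.noretrieve.extend(words[1:])
    return policy


def resolve_class(policy, login_type, host):
    """First class line whose typelist includes login_type and whose addrglobs
    match host wins; None means no class applies and access is denied."""
    for rule in policy.classes:
        if login_type in rule.typelist and any(matches_addrglob(g, host) for g in rule.addrglobs):
            return rule.name
    return None


def is_retrievable(policy, path):
    """Absolute noretrieve entries match the full path only; bare names match
    the file's basename anywhere. No globbing is performed."""
    basename = path.rsplit("/", 1)[-1]
    for entry in policy.noretrieve:
        if entry.startswith("/"):
            if path == entry:
                return False
        elif basename == entry:
            return False
    return True


if __name__ == "__main__":
    pol = parse_ftpaccess(SAMPLE_FTPACCESS)
    for login_type, host in (("real", "ws1.corp.com"), ("anonymous", "mirror.example.org"),
                             ("real", "mirror.example.org")):
        print(login_type, host, "->", resolve_class(pol, login_type, host) or "DENIED")
    for p in ("/etc/passwd", "/pub/passwd", "/pub/core", "/pub/core.txt"):
        print(p, "retrievable" if is_retrievable(pol, p) else "refused")
```

The deny-on-no-class outcome is the one most worth testing before rollout: a real user from a host outside every class line is refused at login, which is correct by the keyword's definition but is easy to mistake for an authentication failure.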
After the user logs in, the SITE GROUP and SITE GPASS commands may be used to specify an enhanced access group and associated password. If the group name and password are valid, the user becomes (by way of setegid(2)) a member of the group specified in the group access file /etc/inet/ftpgroups. The format of the group access file is
access_group_name:encrypted_password:real_group_name
Works similarly to the message command, except that the banner is displayed before the user enters the username/password. The <message_file> is relative to the real system root, not the base of the anonymous FTP directory.
Use of this command can completely prevent non-compliant FTP clients from making use of the FTP server. Not all clients can handle multi-line responses, which is how the banner is displayed.
Defines the email address of the FTP archive maintainer. This string will be printed every time the %E magic cookie is used in message files.
Specifies that the FTP server should identify itself with <string>. The default is a hostname that resolves to the address of an interface on the server host.
Define a file with <message_file> that in.ftpd(1M) will display to the user at login time or upon using the change working directory command. The <when> parameter may be "LOGIN" or "CWD=". If <when> is "CWD=" then <dir> specifies the new default directory which will trigger the notification.
The optional specification allows the message to be displayed only to members of a particular class. More than one class may be specified.
There can be "magic cookies" in the readme file which cause the FTP server to replace the cookie with a specified text string:
Local time; for example, Thu Nov 15 17:12:42.
Free space in partition of CWD, in megabytes.
Current working directory.
The maintainer's email address as defined in ftpaccess.
Remote host name.
Local host name.
Username given at login time.
Same as %U.
Maximum allowed number of users in this class.
Current number of users in this class.
Time when FTP shutdown began.
Time when new logins will be refused because of shutdown.
Time when current logins will be disconnected.
Local timezone.
A single percent (%) character.
The message will only be displayed once to avoid annoying the user. Remember that when messages are triggered by an anonymous FTP user, they must be relative to the base of the anonymous FTP directory tree.
Define a file <message_file> that in.ftpd(1M) will display at login time or upon using the change working directory command that indicates the file exists and was modified on the specified date. The <when> parameter may be "LOGIN" or "CWD=". If <when> is "CWD=", <dir> specifies the new default directory which will trigger the notification. The message will only be displayed once, to avoid bothering users. Remember that when README messages are triggered by an anonymous FTP user, the <message_file> must be relative to the base of the anonymous FTP directory tree.
The optional specification allows the message to be displayed only to members of a particular class. More than one class may be specified.
Sets the system identification returned in the banner string. Overrides any value set in /etc/default/ftpd.
Enables logging of individual commands by users. <typelist> is a comma-separated list of any of the keywords "anonymous," "guest" and "real." If the "real" keyword is included, logging will be done for users using FTP to access real accounts, and if the "anonymous" keyword is included logging will done for users using anonymous FTP. The "guest" keyword specifies guest access accounts. See "guestgroup" for more information.
Enables logging of file transfers for either real or anonymous FTP users. Logging of transfers to the server (incoming) can be enabled separately from transfers from the server (outbound).
<typelist> is a comma-separated list of any of the keywords "anonymous", "guest" and "real". If the "real" keyword is included, logging will be done for users using FTP to access real accounts, and if the "anonymous" keyword is included logging will done for users using anonymous FTP. The "guest" keyword matches guest access accounts. See "guestgroup" for more information. <directions> is a comma-separated list of any of the two keywords "inbound" and "outbound," and will respectively cause transfers to be logged for files sent to the server and sent from the server.
Sets the file to which to log file transfers. <filename> is an absolute path on the server.
Defines an alias, <string>, for a directory. It can be used to add the concept of logical directories. For example: alias rfc: /pub/doc/rfc would allow the user to access /pub/doc/rfc from any directory by the command "cd rfc:".
Aliases only apply to the cd command. NOTE: This functionality is provided for compatibility with wu-ftpd and is obsolete. Use symlinks instead.
Defines an entry in the cdpath. This defines a search path that is used when changing directories. For example:
example% cdpath /pub/packages
example% cdpath /.aliases
would allow the user to move into any directory directly under either the /pub/packages or the /.aliases directories. The search path is defined by the order the lines appear in the ftpaccess file.
If the user were to give the command:
example% cd foo
the directory will be searched for in the following order:
./foo (an alias called "foo")
/pub/packages/foo
/.aliases/foo
Enables compress(1) or tar(1) capabilities for any class matching any of <classglob>. The actual conversions are defined in the external file /etc/inet/ftpconversions.
Specifies that anonymous logins do not have to be proper logins. Instead, only the uid, group, and fs root are set up. Does not perform a keylogin, update utmp or wtmp, or do any of the other usual login processing.
Sets the time in seconds after which an idle login is disconnected. The default is 900.
Specifies the command and arguments used for a "long" file listing. It can be "*ls", in which case a built-in function is used. The built-in command knows the options -1, -C, -F, -l, -a, and -d, and it produces output similar to ls(1).
Specifies the command and arguments used for a "short" file listing. It can be "*ls", in which case a built-in function is used. The built-in command knows the options -1, -C, -F, -l, -a, and -d, and it produces output similar to ls(1).
Sets the contents of PATH environment variable as passed down to the program run (for example, ls, tar, or compress). The default path is "/bin".
"Readonly yes" specifies that a server is readonly. No files can be changed, deleted, renamed, or uploaded; no directories can be created. All operations that would modify a file or directory are effectively disabled, and they fail with a cause message of "readonly server". This configuration command can be overridden by the -r option to in.ftpd(1M).
Turns on/off reverse IP addr-to-hostname lookups. With "rlookup no", the "remote host" name becomes its IP address in decimal dot notation. This will then appear in logs, and it can be used for access control in place of the host name. The default is "no".
Specifies the root directory of a virtual server. Use only in server-specific configuration files referenced from ftpservers(4); elsewhere, it is ignored.
Sets the value of the SHELL environment variable as passed down to exec'd programs. The default path is /bin/sh.
If the file pointed to by <message_file> exists, the server will check the file regularly to see if the server is going to be shut down. If a shutdown is planned, the user is notified, new connections are denied after a specified time before shutdown and current connections are dropped at a specified time before shutdown. The external program ftpshut(1M) uses this file to communicate shutdown data.
Enables compress(1) or tar(1) capabilities for any class matching any of <classglob>. The actual conversions are defined in the external file /etc/inet/ftpconversions.
Sets the timezone for the network daemon process and all children. This affects the time output in file listings. Note that for anonymous FTP, the timezone description file must be found in ~ftp/usr/share/lib/timezone. Unless specified, this is inherited from the parent used to start in.ftpd(1M).
Specifies that file locking is used during uploads. When an upload begins, the file is locked and write-only; when the upload finishes, the file mode bits are set to their final value and the file is unlocked.
An interrupted transfer leaves a partially uploaded file that is not readable. The upload can then later be restarted and finished.
The purpose is to prevent anonymous users from downloading files which are in progress of being uploaded, or files for which the upload was interrupted or failed due to an error on the server. The default is yes.
Enables the virtual FTP server capabilities. The <address> is the IP address of the virtual server. The <dir> parameter defines the root of the anonymous FTP area for the virtual server, and <message_file> is the banner to print on connection.
Note that all virtual servers defined this way share the same ftpaccess file.
Allows or disallows the ability to perform the specified function. By default, all users are allowed.
Allows or disallows the ability to perform the specified function. By default, all users are allowed.
Allows or disallows the ability to perform the specified function. By default, all users are allowed.
Allows or disallows the ability to perform the specified function. By default, all users are allowed.
Define the level and enforcement of password checking done by the server for anonymous FTP.
No password checking performed.
Password must contain an '@'.
Password must be RFC 822 compliant.
Warn, but permit login.
Notify and deny login.
For users in <typelist>, path-filter defines regular expressions that control what a filename can or cannot be. There may be multiple disallowed regular expressions.
If a filename is invalid due to failure to match the regexp criteria, <message_file> will be displayed to the user. For example:
path-filter anonymous /etc/inet/ftp.pathmsg ^[-A-Za-z0-9._]*$ ^\\. ^-
Allows or disallows the ability to perform the specified function. By default, all users are allowed.
Define a directory with <dirglob> that permits or denies uploads. <dirglob> is a pattern as described in fnmatch(5).
If it does permit uploads, all files will be owned by <owner> and <group> and will have the permissions set according to <mode>.
Directories are matched on a best-match basis. For example:
example% upload /var/ftp * no
example% upload /var/ftp /incoming yes ftp daemon 0666
example% upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs
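An added example (not part of the ftpaccess(4) page or the server's code) that parses the upload and path-filter lines shown above and evaluates an upload request against them. The "best match" is taken to be the longest matching dirglob, and the ftpaccess fragment is constructed from the page's own example lines; both are assumptions of this example.

```python
import fnmatch
import re
from typing import NamedTuple, Optional

# Constructed ftpaccess fragment (example input, not the page's own file):
# the three upload lines from the page plus its path-filter example.
FTPACCESS = r"""
path-filter anonymous /etc/inet/ftp.pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
upload /var/ftp * no
upload /var/ftp /incoming yes ftp daemon 0666
upload /var/ftp /incoming/gifs yes jlc guest 0600 nodirs
"""


class UploadRule(NamedTuple):
    root: str             # ftp root directory the rule applies to
    dirglob: str          # fnmatch(5) pattern for the target directory
    allowed: bool
    owner: Optional[str] = None
    group: Optional[str] = None
    mode: Optional[int] = None
    dirs: bool = True     # "nodirs" forbids creating subdirectories


def parse(text: str):
    """Return (upload rules, path-filters keyed by typelist)."""
    uploads, filters = [], {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "upload":
            rest = f[4:]   # optional: owner group mode [dirs|nodirs]
            uploads.append(UploadRule(
                f[1], f[2], f[3] == "yes",
                rest[0] if len(rest) > 0 else None,
                rest[1] if len(rest) > 1 else None,
                int(rest[2], 8) if len(rest) > 2 else None,
                not (len(rest) > 3 and rest[3] == "nodirs")))
        elif f[0] == "path-filter":
            # <typelist> <message_file> <allowed regexp> <disallowed regexp>...
            filters[f[1]] = (f[2], re.compile(f[3]),
                             [re.compile(p) for p in f[4:]])
    return uploads, filters


def filename_ok(filters, usertype: str, name: str) -> bool:
    """A name passes when it matches the allowed regexp and none of the
    disallowed ones; otherwise the server shows <message_file> instead."""
    if usertype not in filters:
        return True
    _msg, allowed, disallowed = filters[usertype]
    return bool(allowed.search(name)) and not any(p.search(name) for p in disallowed)


def upload_decision(rules, root: str, directory: str) -> Optional[UploadRule]:
    """Best match taken as the longest dirglob that matches the directory."""
    best = None
    for r in rules:
        if r.root == root and fnmatch.fnmatchcase(directory, r.dirglob):
            if best is None or len(r.dirglob) > len(best.dirglob):
                best = r
    return best
```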
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpr |
Interface Stability | Evolving |
ls(1), ftpaddhost(1M), ftpshut(1M), in.ftpd(1M), ftpconversions(4), ftpservers(4), timezone(4), attributes(5), fnmatch(5)
/etc/inet/ftpconversions
The conversions known by in.ftpd(1M) and their attributes are stored in an ASCII file that is structured as below. Each line in the file provides a description for a single conversion. Fields are separated by colons (:). Note that comments cannot be put in this file.
%s:%s:%s:%s:%s:%s:%s:%s
 1  2  3  4  5  6  7  8
Field 1: Strip prefix.
Field 2: Strip postfix. A postfix (one or more file name extensions) that is removed by running the external command. For example, the external command "tar xf %s" would remove ".tar".
Field 3: Addon prefix.
Field 4: Addon postfix. Similar to the strip postfix above, except the external command adds it instead. For example, the external command "tar cf %s" would add ".tar".
Field 5: External command. This is a command to run to produce an output file from an input file. It may contain exactly one "%s", which is replaced with the input file name. It must automatically create a correctly named output file. If no "%s" is used, the file name is appended to the command, separated by a blank.
Field 6: Types. This specifies what file types this conversion can be performed on. It can be T_REG for any regular file, T_DIR for a directory, and T_ASCII to indicate that it can be performed in ASCII transfer mode. See in.ftpd(1M). If T_ASCII is not specified, it is assumed the conversion requires a binary (Image) transfer mode.
Multiple values can be combined with a vertical bar; for example, T_REG|T_DIR specifies that either a regular file or a directory is acceptable, and that the transfer mode cannot be ASCII.
Field 7: Options. This tells the FTP server whether to allow or deny the operation. See the keywords COMPRESS and TAR in ftpaccess(4). The value of this field is one of the words O_TAR, O_COMPRESS, or O_UNCOMPRESS. If O_TAR is specified, the TAR keyword in the ftpaccess file specifies whether to permit the operation. In addition, if a directory contains a file named ".notar", then tarring that directory is always denied. O_COMPRESS and O_UNCOMPRESS are equivalent, and are allowed or denied according to the COMPRESS keyword in the ftpaccess file.
Field 8: Description. This part is not used by the FTP server, and is available to store a comment.
The line
:::.tar:tar -cf %s:T_REG|T_DIR:O_TAR: Tar file or dir
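An added example (not the server's own code) that parses this 8-field format and models how a request for a name that does not exist on disk is mapped to a conversion and its external command, including the T_ASCII, ".notar" and COMPRESS/TAR checks described above. The added compress line, the dictionary standing in for the file system, and the first-match order are assumptions of this example; only the addon-postfix case is modelled.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed ftpconversions content (example input, not the page's file):
# the page's tar line plus an assumed compress line in the same 8-field format.
FTPCONVERSIONS = """\
:::.tar:tar -cf %s:T_REG|T_DIR:O_TAR: Tar file or dir
:::.Z:compress -c:T_REG|T_ASCII:O_COMPRESS: compress
"""


class Conversion(NamedTuple):
    strip_prefix: str
    strip_postfix: str
    addon_prefix: str
    addon_postfix: str
    command: str
    types: List[str]      # any of T_REG, T_DIR, T_ASCII
    options: str          # O_TAR, O_COMPRESS or O_UNCOMPRESS
    description: str      # free-form comment, unused by the server


def parse_ftpconversions(text: str) -> List[Conversion]:
    convs = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        f = raw.split(":")
        if len(f) != 8:   # comments are not allowed, so any other shape is an error
            raise ValueError("expected 8 colon-separated fields: %r" % raw)
        convs.append(Conversion(*f[:5], f[5].split("|"), f[6], f[7].strip()))
    return convs


def find_conversion(convs: List[Conversion], requested: str, fs: Dict[str, str],
                    ascii_mode: bool, tar_allowed: bool = True,
                    compress_allowed: bool = True) -> Optional[Tuple[Conversion, str]]:
    """Return (conversion, command line) able to produce `requested`, or None.
    fs maps existing paths to "dir" or "file" (a constructed stand-in for stat)."""
    for c in convs:
        if not (c.addon_postfix and requested.endswith(c.addon_postfix)):
            continue
        base = requested[: -len(c.addon_postfix)]
        if base not in fs:
            continue
        want = "T_DIR" if fs[base] == "dir" else "T_REG"
        if want not in c.types:
            continue
        if ascii_mode and "T_ASCII" not in c.types:
            continue   # this conversion requires a binary (Image) transfer
        if c.options == "O_TAR":
            # TAR keyword in ftpaccess, and a ".notar" file always denies it
            if not tar_allowed or base + "/.notar" in fs:
                continue
        elif not compress_allowed:   # O_COMPRESS and O_UNCOMPRESS are equivalent
            continue
        # "%s" is replaced by the input name; otherwise the name is appended
        cmd = c.command.replace("%s", base) if "%s" in c.command else c.command + " " + base
        return c, cmd
    return None
```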
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpr |
Interface Stability | Evolving |
in.ftpd(1M), ftpaccess(4), attributes(5)
/etc/inet
The ftphosts file is used to deny access to certain accounts from various hosts.
The following illustrates the usage for the ftphosts file:
Only allow host(s) matching <addrglob> to log in as <username>.
Always deny host(s) matching <addrglob> to log in as <username>.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpr |
Interface Stability | Evolving |
/etc/inet/ftpservers
The ftpservers file contains a list of virtual servers. Each virtual server listed has its own configuration file that completely replaces ftpaccess(4). The difference between a virtual server created through a "virtual" statement in ftpaccess(4) and one that is created by an entry in the ftpservers file is that the former shares the system's default ftpaccess(4) file and configuration.
Each non-blank line in the ftpservers file defines one virtual server. The format of the line is:
<hostname> <config file>
Anything following a hash mark is a comment in the ftpservers file. Single and double quotes and the backslash can be used as they are used in ftpaccess(4), to include blanks or special characters in either <hostname> or <config file>.
The following entries from the ftpservers file show a list of virtual FTP servers and their private configuration files:
ftp.gadgets.com /etc/inet/gadgets.conf
ftp.sprockets.com /etc/inet/sprockets.conf
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpr |
Interface Stability | Evolving |
in.ftpd(1M), ftpaccess(4), attributes(5)
A "virtual" statement in a virtual server's private configuration file has no effect and is silently ignored. It is not possible to have virtual servers within virtual servers.
A readonly yes statement in the system default configuration file cannot be undone in a virtual server's configuration file. The virtual server will also be readonly. The same applies to the -r option to in.ftpd(1M). A virtual server can only be made readonly by making the system default non-readonly and putting "readonly yes" in the virtual server's configuration file.
/usr/adm/xferlog
The xferlog file contains logging information from the FTP server daemon, in.ftpd(1M). Each server entry is composed of a single line of the following form, with all fields separated by spaces.
current-time transfer-time remote-host file-size filename transfer-type special-action-flag direction access-mode username service-name authentication-method authenticated-user-id
The current local time in the form "DDD MMM dd hh:mm:ss YYYY". Where DDD is the day of the week, MMM is the month, dd is the day of the month, hh is the hour, mm is the minutes, ss is the seconds, and YYYY is the year.
The total time in seconds for the transfer.
The remote host name.
The size of the transferred file in bytes.
The name of the transferred file.
A single character indicating the type of transfer:
For an ascii transfer.
For a binary transfer.
One or more single character flags indicating any special action taken. These flags include:
File was compressed.
File was uncompressed.
File was a tar file.
No action was taken.
The direction of the transfer:
Outgoing.
Incoming.
The method by which the user is logged in. Can be one of:
For an anonymous guest user.
For a passworded guest user. See the description of the guestgroup command in ftpaccess(4).
For a local, authenticated (real) user.
The local username, or if guest, the ID string given.
The name of the service being invoked, usually FTP.
None.
Always "*".
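An added example (not part of the xferlog(4) page or the server) that parses lines of this format and pulls out what an operator reviews first: incoming transfers by anonymous users and bytes moved per remote host. The log lines are constructed, and the single-character codes used for the type, flag, direction and access-mode fields (a/b, C/U/T/_, o/i, a/g/r) are assumed from the conventional xferlog format rather than taken from the page.

```python
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed xferlog lines (sample input, not from a real server). The
# second filename contains a space to exercise the parser.
XFERLOG = """\
Mon Mar 12 10:01:07 2001 2 ftp.example.net 10240 /pub/README b _ o a guest@example.com ftp 0 *
Mon Mar 12 10:02:19 2001 1 203.0.113.7 2048 /incoming/upload me.bin b _ i a anon@ ftp 0 *
Mon Mar 12 10:03:44 2001 7 ftp.example.net 51200 /pub/src.tar b T o r jlc ftp 1 *
"""


class XferRecord(NamedTuple):
    time: datetime
    transfer_time: int
    remote_host: str
    size: int
    filename: str
    transfer_type: str    # a = ascii, b = binary (assumed codes)
    special_action: str   # C = compressed, U = uncompressed, T = tar, _ = none
    direction: str        # o = outgoing, i = incoming
    access_mode: str      # a = anonymous, g = guest, r = real
    username: str
    service: str
    auth_method: str      # 0 = none
    auth_user: str        # always "*"


def parse_xferlog_line(line: str) -> XferRecord:
    # Fields are space separated; only the filename may itself contain spaces,
    # so take a fixed number of tokens from each end and keep the middle whole.
    head = line.split(None, 8)   # 5 time tokens, transfer-time, host, size, rest
    if len(head) < 9:
        raise ValueError("malformed xferlog line: %r" % line)
    tail = head[8].rsplit(None, 8)   # filename + the final 8 fields
    if len(tail) != 9:
        raise ValueError("malformed xferlog line: %r" % line)
    when = datetime.strptime(" ".join(head[:5]), "%a %b %d %H:%M:%S %Y")
    return XferRecord(when, int(head[5]), head[6], int(head[7]), tail[0], *tail[1:])


def parse_xferlog(text: str) -> List[XferRecord]:
    return [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]


def anonymous_uploads(records: List[XferRecord]) -> List[XferRecord]:
    """Incoming transfers by anonymous users: what a writable incoming area
    received, to be reviewed against the upload directives in ftpaccess."""
    return [r for r in records if r.direction == "i" and r.access_mode == "a"]


def bytes_by_host(records: List[XferRecord]) -> Dict[str, int]:
    """Total bytes moved per remote host, in either direction."""
    totals: Dict[str, int] = {}
    for r in records:
        totals[r.remote_host] = totals.get(r.remote_host, 0) + r.size
    return totals
```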
/usr/adm/xferlog
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
Availability | SUNWftpr |
Interface Stability | Evolving |
in.ftpd(1M), ftpaccess(4), attributes(5)
This section provides the SunTM Internet FTP ServerTM command line procedures for configuration, subscriber authentication, and maintenance.
FTP configuration is comprised of the following steps:
Create the anonymous FTP directory. This directory contains the subdirectories and binaries required for FTP support, and is cloned to create each virtual host's root FTP directory.
Create the virtual host directory structure: This contains a cloned tree of the anonymous FTP directory as well as the FTP access file for the virtual host.
Solaris ISP Services installation has been completed
FTP has been registered with the Sun Internet Administrator (see the online help for the Sun Internet Administrator Register Services Screen)
Sun Internet FTP Server is installed, but not configured
The virtual host has not been created
The directories /usr/sbin and /usr/lib are in your root $PATH.
The ISP anonymous FTP directory will be created as /opt/IspFtpDir. This is an example only; you need to determine the actual name and location
The FTP virtual host is myVH.org. This is an example only; you need to provide the actual virtual host name
The FTP virtual host root directory will be created in /export/home
Use ftpconfig(1m) to create the anonymous FTP directory:
ftpconfig -d /opt/IspFtpDir
This creates the following in the specified directory: bin/, dev/, etc/, pub/, usr/, var/, and Welcome. The directory bin/ is a symbolic link to /usr/bin, and Welcome is the welcome message displayed to the FTP user on successful login.
The ftpconfig(1m) command only needs to be run once regardless of the number of virtual hosts you need to create. Ensure you do not create the ISP anonymous FTP directory in /tmp.
Use ftpaddhost(1m) to create the virtual host directory:
ftpaddhost /opt/IspFtpDir /export/home myVH.org
This creates the directory /export/home/myVH.org. The contents of the anonymous FTP directory /opt/IspFtpDir are cloned to create the required file hierarchy within /export/home/myVH.org: dev/, etc/, pub/, usr/, var/, and the file Welcome.
The FTP access configuration file /etc/inet/ftpaccess is copied to the virtual host etc/ directory (/etc/inet/hostname/). Thus, each virtual host you define using ftpaddhost(1m) inherits the configuration defined in /etc/inet/ftpaccess.
Create the subscriber (real user) account in /etc/passwd. See passwd(4) and admintool(1M) for further information. Make note of the user ID associated with the user login name.
Edit /etc/group and enter a unique group ID for the subscriber (real user) account in the file, then add the user login name to the newly created group. See group(4) for further information.
The following procedure configures the virtual host for LDAP authentication.
Determine the UID and GID you will assign to the FTP subscriber and subscriber directories.
Create an LDIF file defining the virtual host type (org, net, com, edu, and so on), virtual host name, country code, subscriber directory, UID, and GID.
You can use the following example as a template, replacing:
country_code with the two-letter code for your country, for example us, de, ca, and so on.
virtual_host_type with the virtual host type.
For example, if the virtual host is accessed via myVH.org, you would replace virtual_host_type with org.
Your_ISP_Name with the name of your ISP.
virtual_host_name with the name of the virtual host.
For example, if the virtual host is accessed via myVH.org, you would replace virtual_host_name with myVH.
virtual_host_dir with the full path name to the virtual host root directory.
For example, if the virtual host myVH.org is located in /export/home/myVH.org, you would replace virtual_host_dir with /export/home/myVH.org.
dn: dc=virtual_host_type
dc: virtual_host_type
objectclass: domain

dn: ou=virtual_host_name,o=Your_ISP_Name,c=country_code
ou: virtual_host_name
associateddomain: virtual_host_name.virtual_host_type
objectclass: organizationalUnit
objectclass: domainRelatedObject
objectclass: top

dn: dc=virtual_host_name,dc=virtual_host_type
dc: virtual_host_name
objectclass: domain
objectclass: labeledURIObject
associatedname: ou=virtual_host_name,o=Your_ISP_Name,c=country_code
description: DNS to DN mapping for virtual_host_name.virtual_host_type
labeleduri: ldap:///ou=virtual_host_name,o=Your_ISP_Name,c=country_code??sub

dn: ou=Services,ou=virtual_host_name,o=Your_ISP_Name,c=country_code
ou: Services
objectclass: organizationalUnit

dn: ou=Groups,ou=virtual_host_name,o=Your_ISP_Name,c=country_code
ou: Groups
objectclass: organizationalUnit

dn: ou=People,ou=virtual_host_name,o=Your_ISP_Name,c=country_code
ou: People
objectclass: organizationalUnit

dn: ou=SUNWftp,ou=Services,ou=virtual_host_name,o=Your_ISP_Name,c=country_code
ou: SUNWftp
objectclass: organizationalUnit

dn: ispversion=1.0,ou=SUNWftp,ou=Services,ou=virtual_host_name,o=Your_ISP_Name,c=country_code
ispversion: 1.0
cn: SUNWftp
objectclass: ispservice
ispdirectoryroot: virtual_host_dir

dn: cn=ftp,ou=People,ou=virtual_host_name,o=Your_ISP_Name,c=country_code
commonname: ftp
uid: ftp
sn: ftp
userpassword: ftp
objectclass: ispSubscriber
uidnumber: 60001
gidnumber: 70001
ispcontentdirectory: virtual_host_dir
Before saving the file, ensure there are no trailing blanks. If there are any trailing blanks, ldapadd will report a syntax error.
Save the file as virtual_host_name.ldif, for example, myVH.ldif.
The virtual host and subscriber information is added using the ldapadd command syntax:
# ldapadd -v -D"bindDN" -w bindPassword -f filename.ldif
You are logged in as root on the computer where Sun Directory Services and the Solaris FTP server are installed.
The password of the Directory Service administrator is ftp555.
The country code is us.
The Directory Service administrator distinguished name is "cn=admin,o=intra,c=us".
Your corporate domain name is intra.net.
You have created and saved the LDAP configuration file as myVH.ldif.
The command to add the virtual host and subscriber information to LDAP would then be:
# ldapadd -v -D"cn=admin,o=intra,c=us" -w ftp555 -f myVH.ldif
The standard FTP installation places an entry in /etc/inetd.conf, thereby automatically starting the FTP server when an FTP connection is made.
The ftpshut(1m) command creates the file /var/ftp/shutdown which disables FTP.
To reenable FTP, enter the command:
ftpshut enable
This deletes the /var/ftp/shutdown file, allowing subsequent FTP connections to automatically start the FTP daemon.
The ftpshut(1m) command is used to shut down the FTP server. You can optionally specify the number of minutes to new user lockout and disconnect of existing users as well as the logout message, or you can specify a configuration file containing this information.
The ftpshut(1m) command creates the file /var/ftp/shutdown. This blocks the restart of the FTP server until you enter the command ftpshut enable.
Shut down FTP immediately:
ftpshut now
Shut down FTP in 15 minutes, deny access to new users in 5 minutes, disconnect users not in file transfer mode in 10 minutes:
root# ftpshut -l 5 -d 10 15 System going down in 15 minutes
The shutdown message is limited to 76 characters maximum.
Please refer to the ftpshut(1m) man page for information on creating and using a shutdown configuration file.
Refer to ftpaccess(4) for the definition of class and procedures for defining new classes.
Use the ftpcount(1m) to display the number of active users per class:
/usr/sbin/ftpcount
The number of users per class and the class maximums are displayed:
root# ftpcount
Service class anon  - 2 users ( 10 maximum)
Service class guest - 0 users ( 10 maximum)
Service class real  - 0 users
root#
Removal of an FTP virtual host depends on the type of subscriber authentication, and on whether or not the virtual host is also serving as a web hosting site.
The following procedure uses the examples:
The FTP virtual host is myVH.org.
The FTP virtual host chroot directory is /export/home/myVH.org.
Remove the FTP virtual host entry from /etc/inet/ftpservers. For example, you would delete the line myVH.org /etc/inet/myVH.org/ftpaccess.
If this is an FTP-only virtual host:
Remove the FTP virtual host entry from /etc/inet/hosts. For example, you would delete the line containing myVH.org from /etc/inet/hosts.
Remove the virtual host chroot directory; in this example, /export/home/myVH.org.
If this is an FTP/web site host:
Change directory to the virtual host chroot directory, in this example /export/home/myVH.org.
Remove the file Welcome, and remove the following directories only if they do not contain web data: dev/, etc/, pub/, usr/, and var/.
Remove the FTP virtual host entries from LDAP using Deja, or via the command line as described by ldapdelete(1m).