Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Network Services Oracle Solaris 10 8/11 Information Library |
Part I Network Services Topics
Part II Accessing Network File Systems Topics
4. Managing Network File Systems (Overview)
5. Network File System Administration (Tasks)
6. Accessing Network File Systems (Reference)
8. Planning and Enabling SLP (Tasks)
10. Incorporating Legacy Services
Part V Serial Networking Topics
15. Solaris PPP 4.0 (Overview)
16. Planning for the PPP Link (Tasks)
17. Setting Up a Dial-up PPP Link (Tasks)
18. Setting Up a Leased-Line PPP Link (Tasks)
19. Setting Up PPP Authentication (Tasks)
20. Setting Up a PPPoE Tunnel (Tasks)
21. Fixing Common PPP Problems (Tasks)
22. Solaris PPP 4.0 (Reference)
23. Migrating From Asynchronous Solaris PPP to Solaris PPP 4.0 (Tasks)
25. Administering UUCP (Tasks)
Part VI Working With Remote Systems Topics
27. Working With Remote Systems (Overview)
28. Administering the FTP Server (Tasks)
Administering the FTP Server (Task Map)
How to Define FTP Server Classes
How to Control the Number of Invalid Login Attempts
How to Disallow FTP Server Access to Particular Users
How to Restrict Access to the Default FTP Server
How to Set Up Anonymous FTP Users
How to Create the /etc/shells file
How to Customize Message Files
How to Create Messages to Be Sent to Users
How to Configure the README Option
Controlling Access to Files on the FTP Server
How to Control File Access Commands
How to Enable Limited Virtual Hosting
How to Enable Complete Virtual Hosting
Starting the FTP Server Automatically
How to Start an FTP Server Using SMF
How to Start a Standalone FTP Server in the Background
How to Start a Standalone FTP Server in the Foreground
How to Shut Down the FTP Server
How to Check syslogd for FTP Server Messages
How to Use greeting text to Verify ftpaccess
How to Check the Commands Executed by FTP Users
Configuration Help for Busy Sites
29. Accessing Remote Systems (Tasks)
Part VII Monitoring Network Services Topics
You can control uploads and downloads that are started to and from the FTP server by setting permissions on directories on the server. By default, uploads are not allowed for anonymous users. Be very careful when enabling anonymous uploads.
Add the directives to the ftpaccess file to specify upload permissions and error messages for upload failures.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
To enable users to upload files, add the following entry:
upload [absolute|relative] [class=<classname>]... [-] root-dir \ dirglob yes|no owner group mode [dirs|nodirs] [<d_mode>] path-filter typelist mesg allowed-charset {disallowed regexp...}
Keyword that is applied to users who have a home directory (the argument to chroot()) of the root-dir. The root-dir can be specified as “*” to match any home directory.
Parameter that specifies whether the root-dir directory paths are interpreted as absolute or relative to the current chroot directory.
Keyword that is used to specify any number of class=<classname> restrictions. If restrictions are specified, the upload clause only becomes effective if the current user is a member of one of the specified classes.
User's root directory and the home directory for anonymous users.
A pattern to match a directory name. An asterisk can be used in any place or alone to signify any directory.
Variable that allows or disallows upload to the FTP server.
Owner of files that are uploaded into dirnames.
Group that is associated with files that are uploaded into dirnames.
Parameter that is used to specify access permissions for uploaded files. The default mode 0440 prevents the anonymous account from reading uploaded files.
Keyword that allows or disallows users to create subdirectories in a directory that is listed in dirnames.
Optional mode that determines the permissions for a newly created directory.
Keyword that controls the names of uploaded files.
A comma-separated list of any of the keywords anonymous, guest, and real.
Message file that is displayed fails to match the regexp criteria.
Alphanumeric characters allowed or disallowed in file names.
Example 28-13 Controlling Uploads to the FTP Server
upload /export/home/ftp /incoming yes ftpadm ftpadmin 0440 nodirs path-filter anonymous /etc/ftpd/filename.msg ^[-A-Za-z0-9._]*$ ^[.-]
The preceding example states the following:
FTP user accounts that use chroot to /export/home/ftp can upload to the /incoming directory. Uploaded files are owned by user ftpadm and the group ftpadmin. The mode is set to 0440 with the nodirs keyword to prevent anonymous users from creating subdirectories.
For anonymous users, a file name is any sequence of A-Z, a-z, 0-9, . (dot), - (dash), or _ (underline). File names cannot start with a . (dot) or - (dash). If a file name fails this filter, the /etc/ftpd/filename.msg message is displayed if the FTP Administrator has created the message file. This message is followed by an FTP server error message.
Ownership and permissions on a directory into which anonymous uploads are allowed should be tightly controlled. The FTP Administrator should be the owner of all files uploaded to the FTP server. You need to create an FTP Administrator when anonymous users are allowed to upload files. The directory should be owned by the user ftpadm and group ftpadm with permissions set to 3773.
The access mode for files uploaded to the FTP server should be 0440. The 0440 mode prevents the anonymous account from reading uploaded files. This restriction protects your server from becoming a staging area for third-party file distribution.
To make uploaded files available for distribution, the FTP Administrator can move files to a public directory.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
noretrieve [absolute|relative] [class=classname]... [-] filename ...
Keyword that is used to deny retrieval of a particular file or files
Parameter that specifies whether the root-dir directory paths are interpreted as absolute or relative to the current chroot directory
Keyword that is used to specify class=<classname> of users to which noretrieve restrictions apply
Name of file the user is not permitted to retrieve
Example 28-14 Controlling Downloads to the FTP Server
noretrieve /etc/passwd
The preceding example states that all users are prevented from retrieving the /etc/passwd file.