Provided by: isdneurofile_3.12.20071127-0ubuntu11_amd64 bug

Name

       eftaccess - eftd configuration file

Description

       The eftaccess file is used to configure the operation of eftd(1).

Access Capabilities

       autogroup <groupname> <class> [<class> ...]
            If  an  ANONYMOUS  user  is a member of any of <class>, the ftp server will perform a
            setegid() to <groupname>.  This allows access to group-and-owner-read-only files  and
            directories  to  a  particular class of anonymous users. <groupname> is a valid group
            from /etc/group (or wherever mechanism your getgrent(2) library routine uses).

       class <class> <typelist> <addrglob> [<addrglob> ...]
            Define <class> of users, with source addresses  of  the  form  <addrglob>.   Multiple
            members  of  <class>  may be defined.  There may be multiple "class" commands listing
            additional members of the class.  If multiple  "class"  commands  can  apply  to  the
            current  session, the first one listed in the access file is used.  Failing to define
            a valid class for a host will cause access to be  denied.   <typelist>  is  a  comma-
            separated list of any of the keywords "anonymous", "guest" and "real".  If the "real"
            keyword is included, the class can match users using FTP to access real accounts, and
            if the "anonymous" keyword is included the class can match users using anonymous FTP.
            The "guest"  keyword  matches  guest  access  accounts  (see  "guestgroup"  for  more
            information)

            <addrglob> may be a globbed isdn number.

       deny <addrglob> <message_file>
            Always deny access to host(s) matching <addrglob>.  <message_file> is displayed.

       guestgroup <groupname> [<groupname> ...]
            If  a  REAL  user is a member of any of <groupname>, the session is set up exactly as
            with anonymous FTP.  In other words, a chroot() is done, and the user  is  no  longer
            permitted  to  issue  the  USER and PASS commands.  <groupname> is a valid group from
            /etc/group (or whatever mechanism your getgrent(3) library routine uses).

            The user's home directory must be properly set up, exactly as anonymous FTP would be.
            The  home  directory  field of the passwd entry is divided into two directories.  The
            first field is the root directory which will be the argument to the  chroot(2)  call.
            The second half is the user's home directory relative to the root directory.  The two
            halves are separated by a "/./".

            Example:

            in /etc/passwd, the real entry:

            guest1:<passwd>:100:92:Guest Account:/ftp/./incoming:/etc/ftponly

            When guest1 successfully logs  in,  the  ftp  server  will  chroot("/ftp")  and  then
            chdir("/incoming").   The  guest  user  will  only  be  able  to access the directory
            structure under /ftp (which will look and act as / to guest1), just as  an  anonymous
            FTP user would.

       limit <class> <n> <times> <message_file>
            (currently not applicable to eftd)

       Limit  <class>  to <n> users at times <times>, displaying <message_file> if user is denied
       access.  Limit check is performed at login time only.  If multiple  "limit"  commands  can
       apply to the current session, the first applicable one is used.  Failing to define a valid
       limit, or a limit of -1, is equivalent to unlimited. <times> is  in  same  format  as  the
       times in the UUCP L.sys file.

       noretrieve <filename> <filename> ....
            (currently not applicable to eftd)

       Always  deny  retrieve-ability  of  these  files.  If  the  files  are  an  absolute  path
       specification (i.e. begins with '/' character)  then  only  those  files  are  marked  un-
       gettable, otherwise all files with matching the filename are refused transfer. Example:

            noretrieve /etc/passwd core

       specifies  no one will be able to get the file /etc/passwd whereas they will be allowed to
       transfer a file `passwd' if it is not in /etc. On the other hand no one will  be  able  to
       get files named `core' wherever it is.

       No globbing is done.

       loginfails <number>
            (currently not applicable to eftd)

       After  <number>  login failures, log a "repeated login failures" message and terminate the
       FTP connection.  Default value is 5.

       Informational Capabilities

       banner <path>
            Works similarly to the message command, except that the banner  is  displayed  before
            the  user  enters  the  username/password.  The <path> is relative to the real system
            root, not the base of the anonymous FTP directory.

       email <name>
            Defines the email address of the ftp archive maintainer.  This string will be printed
            every time the %E magic cookie is used.

       message <path> {<when> {<class> ...}}
            (currently not applicable to eftd)

       Define a file with <path> such that ftpd will display the contents of the file to the user
       login time or upon using the change working directory command.  The <when>  parameter  may
       be  "LOGIN"  or  "CWD=<dir>".   If  <when> is "CWD=<dir>", <dir> specifies the new default
       directory which will trigger the notification.

       The optional <class> specification allows the message to be displayed only to members of a
       particular class.  More than one class may be specified.

       There  can be "magic cookies" in the readme file which cause the ftp server to replace the
       cookie with a specified text string:

             %T      local time (form Thu Nov 15 17:12:42 1990)
             %F      free space in partition of CWD (kbytes)
                     [not supported on all systems]
             %C      current working directory
             %E      the maintainer's email address as defined in ftpaccess
             %R      remote host name
             %L      local host name
             %u      username as determined via RFC931 authentication
             %U      username given at login time
             %M      maximum allowed number of users in this class
             %N      current number of users in this class

       The message will only be displayed once to avoid annoying the user.   Remember  that  when
       MESSAGEs  are  triggered by an anonymous FTP user, the <path> must be relative to the base
       of the anonymous FTP directory tree.

       readme <path> {<when> {<class>}}
            Define a file with <path> such that ftpd will notify user at login time or upon using
            the  change  working directory command that the file exists and was modified on such-
            and-such date.  The <when> parameter may be "LOGIN" or  "CWD=<dir>".   If  <when>  is
            "CWD=<dir>",  <dir>  specifies  the  new  default  directory  which  will trigger the
            notification.  The message will only be displayed once,  to  avoid  bothering  users.
            Remember that when README messages are triggered by an anonymous FTP user, the <path>
            must be relative to the base of the anonymous FTP directory tree.

            The optional <class> specification allows the message to be displayed only to members
            of a particular class.  More than one class may be specified.

Logging Capabilities

       log commands <typelist>
            Enables  logging  of  individual  commands by users.  <typelist> is a comma-separated
            list of any of the keywords "anonymous", "guest" and "real".  If the  "real"  keyword
            is included, logging will be done for users using FTP to access real accounts, and if
            the "anonymous" keyword is included logging will done for users using anonymous  FTP.
            The  "guest"  keyword  matches  guest  access  accounts  (see  "guestgroup"  for more
            information).

       log transfers <typelist> <directions>
            Enables logging of file transfers for either real or anonymous FTP users.  Logging of
            transfers  TO the server (incoming) can be enabled separately from transfers FROM the
            server (outbound).  <typelist> is a comma-separated  list  of  any  of  the  keywords
            "anonymous",  "guest" and "real".  If the "real" keyword is included, logging will be
            done for users using FTP to access real accounts, and if the "anonymous"  keyword  is
            included logging will done for users using anonymous FTP. The "guest" keyword matches
            guest access accounts (see "guestgroup" for more  information).   <directions>  is  a
            comma-separated  list  of  any of the two keywords "inbound" and "outbound", and will
            respectively cause transfers to be logged for files sent to the server and sent  from
            the server.

Miscellaneous Capabilities

       alias <string> <dir>
            Defines  an  alias,  <string>,  for  a  directory.  Can be used to add the concept of
            logical directories.

            For example:
              alias   rfc:    /pub/doc/rfc

            would allow the user to access /pub/doc/rfc from any directory  by  the  command  "cd
            rfc:".  Aliases only apply to the cd command.

       cdpath <dir>
            Defines an entry in the cdpath. This defines a search path that is used when changing
            directories.

            For example:

              cdpath /pub/packages
              cdpath /.aliases

            would allow the user to  cd  into  any  directory  directly  under  /pub/packages  or
            /.aliases  directories.  The  search path is defined by the order the lines appear in
            the ftpaccess file.

            If the user were to give the command:

              cd foo

            The directory will be searched for in the following order:

              ./foo
              an alias called "foo"
              /pub/packages/foo
              /.aliases/foo

            The cd path is only available with the cd command. If you  have  a  large  number  of
            aliases  you might want to set up an aliases directory with links to all of the areas
            you wish to make available to users.

       Permission Capabilities
              (currently not applicable to eftd)

       chmod <yes|no> <typelist>

       delete <yes|no> <typelist>

       overwrite <yes|no> <typelist>

       rename <yes|no> <typelist>

       umask <yes|no> <typelist>
            Allows or disallows the ability to perform the specified function.  By  default,  all
            users are allowed.

            <typelist>  is a comma-separated list of any of the keywords "anonymous", "guest" and
            "real".

       passwd-check <none|trivial|rfc822> (<enforce|warn>)
            Define the level and  enforcement  of  password  checking  done  by  the  server  for
            anonymous ftp.

              none      no password checking performed.
              trivial   password must contain an '@'.
              rfc822    password must be an rfc822 compliant address.

              warn      warn the user, but allow them to log in.
              enforce   warn the user, and then log them out.

       path-filter <typelist> <mesg> <allowed_charset> {<disallowed regexp> ...}
            (currently not applicable to eftd)

       For  users  in  <typelist>,  path-filter  defines  regular expressions that control what a
       filename can or can not be.  There may be multiple disallowed regexps.  If a  filename  is
       invalid due to failure to match the regexp criteria, <mesg> will be displayed to the user.
       For example:

         path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^. ^-

       specifies that all upload  filenames  for  anonymous  users  must  be  made  of  only  the
       characters  A-Z,  a-z,  0-9,  and  "._-"  and  may  not begin with a "." or a "-".  If the
       filename is invalid, /etc/pathmsg will be displayed to the user.

       upload <root-dir> <dirglob> <yes|no> <owner> <group> <mode> ["dirs"|"nodirs"]
            Define a directory with <dirglob> that permits or denies uploads.

            If it does permit uploads, all files will be owned by <owner> and  <group>  and  will
            have the permissions set according to <mode>.

            Directories are matched on a best-match basis.

            For example:
              upload  /var/ftp  *               no
              upload  /var/ftp  /incoming       yes  ftp  daemon  0666
              upload  /var/ftp  /incoming/gifs  yes  jlc  guest   0600  nodirs

            This  would  only  allow  uploads into /incoming and /incoming/gifs.  Files that were
            uploaded to /incoming would be owned by ftp/daemon  and  would  have  permissions  of
            0666.   File  uploaded  to  /incoming/gifs  would  be  owned  by  jlc/guest  and have
            permissions of 0600. Note that the <root-dir> here  must  match  the  home  directory
            specified in the password database for the "ftp" user.

            The  optional  "dirs" and "nodirs" keywords can be specified to allow or disallow the
            creation of new subdirectories using the mkdir command.

            The upload keyword only applies to users who have a home directory (the  argument  to
            the chroot() ) of <root-dir>.

Files

       FTPLIB/ftpaccess

See Also

       ftpd(8), umask(2), ftplog(5), ftpconversions(5), ftpshut(8)

BUGS

       The  eftaccess  features  are  mainly  untested. Most of this man page is not finished. In
       particular, don't expect  any  feature  to  work  that  is  used  for  anything  else  but
       authenticating a user logging in.

                                                                                     eftaccess(5)