.\" Copyright (c) 2003 FreeBSD Project
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd January 26, 2003
.Dt FTPCHROOT 5
.Os
.Sh NAME
.Nm ftpchroot
.Nd "list users and groups subject to FTP access restrictions"
.Sh DESCRIPTION
The file
.Nm
is read by
.Xr ftpd 8
at the beginning of an FTP session, after having authenticated the user.
Each line in
.Nm
corresponds to a user or group.
If a line in
.Nm
matches the current user or a group he is a member of,
access restrictions will be applied to this
session by changing its root directory with
.Xr chroot 2
to that specified on the line or to the user's login directory.
.Pp
The order of records in
.Nm
is important because the first match will be used.
Fields on each line are separated by tabs or spaces.
.Pp
The first field specifies a user or group name.
If it is prefixed by an
.Dq at
sign,
.Ql @ ,
it specifies a group name;
the line will match each user who is a member of this group.
As a special case, a single
.Ql @
in this field will match any user.
A username is specified otherwise.
.Pp
The optional second field describes the directory for the user
or each member of the group to be locked up in using
.Xr chroot 2 .
If it is omitted, the user's login directory will be used.
If it is not an absolute pathname, then it will be relative
to the user's login directory.
If it contains the
.Pa /./
separator,
.Xr ftpd 8
will treat its left-hand side as the name of the directory to do
.Xr chroot 2
to, and its right-hand side to change the current directory to afterwards.
.Sh FILES
.Bl -tag -width ".Pa /etc/ftpchroot" -compact
.It Pa /etc/ftpchroot
.El
.Sh EXAMPLES
These lines in
.Nm
will lock up the user
.Dq Li webuser
and each member of the group
.Dq Li hostee
in their respective login directories:
.Bd -literal -offset indent
webuser
@hostee
.Ed
.Pp
And this line will tell
.Xr ftpd 8
to lock up the user
.Dq Li joe
in
.Pa /var/spool/ftp
and then to change the current directory to
.Pa /joe ,
which is relative to the session's new root:
.Pp
.Dl "joe /var/spool/ftp/./joe"
.Pp
And finally the following line will lock up every user connecting
through FTP in his respective
.Pa ~/public_html ,
thus lowering possible impact on the system
from intrinsic insecurity of FTP:
.Pp
.Dl "@ public_html"
.Sh SEE ALSO
.Xr chroot 2 ,
.Xr group 5 ,
.Xr passwd 5 ,
.Xr ftpd 8
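
The matching rules in DESCRIPTION, as an added example for auditing an ftpchroot file (this is not ftpd's own code). It models only the rules stated on this page; the function name `resolve_chroot`, the sample file and the home directories are constructed, and group membership is passed in by the caller instead of being looked up in group(5).

```python
import posixpath

# Constructed sample: the EXAMPLES records from this page in one file.
SAMPLE = """\
webuser
@hostee
joe\t/var/spool/ftp/./joe
@\tpublic_html
"""


def resolve_chroot(text, user, groups, home):
    """Return (chroot_dir, cwd_in_new_root) for the first matching record.

    Returns None when no record matches, i.e. this file does not restrict
    the session. cwd_in_new_root is None when the record has no /./
    separator (the page does not state a default for that case).
    """
    for line in text.splitlines():
        fields = line.split()              # fields: tabs or spaces
        if not fields:
            continue                       # blank line
        who = fields[0]
        if who == "@":                     # single '@' matches any user
            matched = True
        elif who.startswith("@"):          # '@name' matches group members
            matched = who[1:] in groups
        else:                              # otherwise a user name
            matched = who == user
        if not matched:
            continue
        # First match wins: later, more specific records are never reached.
        path = fields[1] if len(fields) > 1 else ""
        if not path:
            full = home                    # omitted: login directory
        elif not path.startswith("/"):
            full = posixpath.join(home, path)  # relative to login directory
        else:
            full = path
        # Left of /./ is the chroot target, right is the directory to
        # change to afterwards, relative to the new root.
        root, sep, rest = full.partition("/./")
        cwd = "/" + rest if sep else None
        return (root or "/", cwd)
    return None
```

Running it for joe as a member of hostee shows why record order matters: the `@hostee` record is reached first, so joe is confined to his login directory and the later `/var/spool/ftp/./joe` record never applies.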