xref: /freebsd/libexec/ftpd/ftpchroot.5 (revision 59c8e88e72633afbc47a4ace0d2170d00d51f7dc)
1.\" Copyright (c) 2003 FreeBSD Project
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.Dd January 26, 2003
26.Dt FTPCHROOT 5
27.Os
28.Sh NAME
29.Nm ftpchroot
30.Nd "list users and groups subject to FTP access restrictions"
31.Sh DESCRIPTION
32The file
33.Nm
34is read by
35.Xr ftpd 8
36at the beginning of an FTP session, after having authenticated the user.
37Each line in
38.Nm
39corresponds to a user or group.
40If a line in
41.Nm
42matches the current user or a group he is a member of,
43access restrictions will be applied to this
44session by changing its root directory with
45.Xr chroot 2
46to that specified on the line or to the user's login directory.
47.Pp
48The order of records in
49.Nm
50is important because the first match will be used.
51Fields on each line are separated by tabs or spaces.
52.Pp
53The first field specifies a user or group name.
54If it is prefixed by an
55.Dq at
56sign,
57.Ql @ ,
58it specifies a group name;
59the line will match each user who is a member of this group.
60As a special case, a single
61.Ql @
62in this field will match any user.
63A username is specified otherwise.
64.Pp
65The optional second field describes the directory for the user
66or each member of the group to be locked up in using
67.Xr chroot 2 .
68Be it omitted, the user's login directory will be used.
69If it is not an absolute pathname, then it will be relative
70to the user's login directory.
71If it contains the
72.Pa /./
73separator,
74.Xr ftpd 8
75will treat its left-hand side as the name of the directory to do
76.Xr chroot 2
77to, and its right-hand side to change the current directory to afterwards.
78.Sh FILES
79.Bl -tag -width ".Pa /etc/ftpchroot" -compact
80.It Pa /etc/ftpchroot
81.El
82.Sh EXAMPLES
83These lines in
84.Nm
85will lock up the user
86.Dq Li webuser
87and each member of the group
88.Dq Li hostee
89in their respective login directories:
90.Bd -literal -offset indent
91webuser
92@hostee
93.Ed
94.Pp
95And this line will tell
96.Xr ftpd 8
97to lock up the user
98.Dq Li joe
99in
100.Pa /var/spool/ftp
101and then to change the current directory to
102.Pa /joe ,
103which is relative to the session's new root:
104.Pp
105.Dl "joe	/var/spool/ftp/./joe"
106.Pp
107And finally the following line will lock up every user connecting
108through FTP in his respective
109.Pa ~/public_html ,
110thus lowering possible impact on the system
111from intrinsic insecurity of FTP:
112.Pp
113.Dl "@	public_html"
114.Sh SEE ALSO
115.Xr chroot 2 ,
116.Xr group 5 ,
117.Xr passwd 5 ,
118.Xr ftpd 8
119