xref: /freebsd/libexec/ftpd/ftpchroot.5 (revision f4b37ed0f8b307b1f3f0f630ca725d68f1dff30d)
1.\" Copyright (c) 2003 FreeBSD Project
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd January 26, 2003
28.Dt FTPCHROOT 5
29.Os
30.Sh NAME
31.Nm ftpchroot
32.Nd "list users and groups subject to FTP access restrictions"
33.Sh DESCRIPTION
34The file
35.Nm
36is read by
37.Xr ftpd 8
38at the beginning of an FTP session, after having authenticated the user.
39Each line in
40.Nm
41corresponds to a user or group.
42If a line in
43.Nm
44matches the current user or a group he is a member of,
45access restrictions will be applied to this
46session by changing its root directory with
47.Xr chroot 2
48to that specified on the line or to the user's login directory.
49.Pp
50The order of records in
51.Nm
52is important because the first match will be used.
53Fields on each line are separated by tabs or spaces.
54.Pp
55The first field specifies a user or group name.
56If it is prefixed by an
57.Dq at
58sign,
59.Ql @ ,
60it specifies a group name;
61the line will match each user who is a member of this group.
62As a special case, a single
63.Ql @
64in this field will match any user.
65A username is specified otherwise.
66.Pp
67The optional second field describes the directory for the user
68or each member of the group to be locked up in using
69.Xr chroot 2 .
70Be it omitted, the user's login directory will be used.
71If it is not an absolute pathname, then it will be relative
72to the user's login directory.
73If it contains the
74.Pa /./
75separator,
76.Xr ftpd 8
77will treat its left-hand side as the name of the directory to do
78.Xr chroot 2
79to, and its right-hand side to change the current directory to afterwards.
80.Sh FILES
81.Bl -tag -width ".Pa /etc/ftpchroot" -compact
82.It Pa /etc/ftpchroot
83.El
84.Sh EXAMPLES
85These lines in
86.Nm
87will lock up the user
88.Dq Li webuser
89and each member of the group
90.Dq Li hostee
91in their respective login directories:
92.Bd -literal -offset indent
93webuser
94@hostee
95.Ed
96.Pp
97And this line will tell
98.Xr ftpd 8
99to lock up the user
100.Dq Li joe
101in
102.Pa /var/spool/ftp
103and then to change the current directory to
104.Pa /joe ,
105which is relative to the session's new root:
106.Pp
107.Dl "joe	/var/spool/ftp/./joe"
108.Pp
109And finally the following line will lock up every user connecting
110through FTP in his respective
111.Pa ~/public_html ,
112thus lowering possible impact on the system
113from intrinsic insecurity of FTP:
114.Pp
115.Dl "@	public_html"
116.Sh SEE ALSO
117.Xr chroot 2 ,
118.Xr group 5 ,
119.Xr passwd 5 ,
120.Xr ftpd 8
121