Caution: This version of this document is no longer maintained. For the latest documentation, see


Access-control file for ftpd




The /etc/ftpusers file provides user access control for ftpd by defining which users may log in.

Note: If the /etc/ftpusers file doesn't exist, all users are denied access.

The syntax of each line is:

userglob[:groupglob][@host] [directive [class]]


userglob: Match against the username. Calls fnmatch() (e.g. f*).
groupglob: Match against all the groups that the user is a member of. Calls fnmatch() (e.g. *src).
host: Either a CIDR address (see inet_net_pton()) to match against the remote address (e.g., or a glob to match against the remote hostname (e.g. *
directive: Allow or deny user access.

If none of the above values are specified, user access is denied.

class: Use this class in /etc/ftpd.conf. If class isn't specified, it defaults to one of the following:

No further comparisons are attempted after the first successful match. If no match is found, the user is granted access. This syntax is backward-compatible with the old syntax.

If a user requests a guest login, the ftpd server checks to see that both anonymous and ftp have access. If you deny all users by default, you'll need to add both anonymous allow and ftp allow to /etc/ftpusers in order to allow guest logins.

The character: Meaning:
\ Escape character. It can be used to escape the meaning of the comment character, or if it's the last character on a line, it extends a configuration directive across multiple lines.
# Comment character. All characters from it to the end of line are ignored (unless it's escaped with the escape character).
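
The evaluation order described above (first match wins, no match grants access, a missing file denies everyone, guest logins need both anonymous and ftp) can be checked offline against a draft file. This is an added example, not code from ftpd: the sample rules are constructed, the deny keyword is assumed from "Allow or deny", the function names are hypothetical, and backslash escapes and the class field are not handled.

```python
import fnmatch
import ipaddress

# Constructed sample /etc/ftpusers content (not from the original page).
SAMPLE = """\
root                 deny
*:staff@10.1.0.0/16  allow   # staff, but only from the internal network
anonymous            allow
ftp                  allow
*                    deny    # default-deny catch-all
"""

def parse(text):
    """Return a list of (userglob, groupglob, host, directive) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # unescaped comments only
        if not line:
            continue
        fields = line.split()
        # A rule with no directive denies access on match.
        directive = fields[1] if len(fields) > 1 else "deny"
        pattern, _, host = fields[0].partition("@")
        user, _, group = pattern.partition(":")
        rules.append((user, group or None, host or None, directive))
    return rules

def host_matches(spec, addr, hostname):
    """CIDR match on the remote address, else glob match on the hostname."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:                          # spec is not a CIDR address
        return fnmatch.fnmatchcase(hostname, spec)

def check(rules, user, groups, addr, hostname):
    if rules is None:                           # file doesn't exist: deny all
        return False
    for u, g, h, directive in rules:
        if not fnmatch.fnmatchcase(user, u):
            continue
        if g and not any(fnmatch.fnmatchcase(x, g) for x in groups):
            continue
        if h and not host_matches(h, addr, hostname):
            continue
        return directive == "allow"             # first match ends the search
    return True                                 # no match: access is granted

def guest_allowed(rules, addr, hostname):
    """A guest login needs both anonymous and ftp to have access."""
    return all(check(rules, u, [], addr, hostname) for u in ("anonymous", "ftp"))
```

Note the last return in check(): a file without a catch-all deny rule admits every user it doesn't mention.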

Related files

List of the normal users who should have their session's root directory changed.

See also:

ftpd, /etc/ftpd.conf

fnmatch(), inet_net_pton() in the Library Reference