/etc/ftpd.conf

Updated: April 19, 2023

Configuration file for ftpd

Name:

/etc/ftpd.conf

Description:

The /etc/ftpd.conf file specifies various configuration options for ftpd that apply after a user has authenticated.

Each authenticated user is a member of a class (determined by the /etc/ftpusers file) that associates which entries in this file apply to the user. When parsing entries the following special classes are available:

all
Match any class.
none
Match no class.

The /etc/ftpd.conf file consists of a series of lines, each of which may contain a configuration directive, a comment, or a blank line. Directives that appear later in the file override settings by previous directives. This allows “wildcard” entries to define defaults, and then have class-specific overrides.

A \ is the escape character; it can be used to escape the meaning of the comment character, or, if it's the last character on a line, to extend a configuration directive across multiple lines. A # is the comment character, and all characters from it to the end of the line are ignored (unless it's escaped with the escape character).

The ftpd STAT command returns the class settings for the current user as defined by /etc/ftpd.conf.
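The following is an added example, not code from ftpd or its documentation: a small Python resolver for the line syntax described above. It applies the lexical rules (# comments, \ escapes and continuation lines), the "later directives override earlier ones" rule, the special classes all and none, the off argument and the template directive, and returns the settings that apply to one class. The sample configuration embedded in it is constructed for the example; per-directive argument validation (port ranges, rate suffixes) is not attempted.

```python
# Added example (not ftpd's code): a minimal resolver for the ftpd.conf line
# syntax described on this page.  It models the lexical rules ('#' comments,
# '\' escapes and line continuation), the "later overrides earlier" rule, the
# special classes 'all' and 'none', 'off' as an argument, and 'template'.
# Per-directive argument validation (ranges, rate suffixes) is not attempted.

ESCAPE, COMMENT = "\\", "#"


def logical_lines(text):
    """Split text into directive lines: strip comments, honour escapes,
    and join lines ending in an unescaped backslash with the next one."""
    lines, cur = [], ""
    for raw in text.splitlines():
        i, continued = 0, False
        while i < len(raw):
            c = raw[i]
            if c == ESCAPE:
                if i + 1 == len(raw):
                    continued = True          # trailing '\': directive continues
                else:
                    cur += raw[i + 1]         # escaped char is taken literally
                    i += 1
            elif c == COMMENT:
                break                         # rest of the line is a comment
            else:
                cur += c
            i += 1
        if continued:
            continue
        if cur.strip():
            lines.append(cur.strip())
        cur = ""
    if cur.strip():                           # file ended on a continuation
        lines.append(cur.strip())
    return lines


def resolve(conf_text, cls):
    """Return {directive: args} as it applies to class `cls`.

    None means the feature is disabled for the class (the line used class
    'none' or the argument 'off').  [] means the directive is enabled with
    no arguments (e.g. 'checkportcmd all').
    """
    cls = cls.lower()
    settings, template = {}, None
    for line in logical_lines(conf_text):
        fields = line.split()
        if len(fields) < 2:
            continue                          # not a well-formed directive
        directive, target, args = fields[0].lower(), fields[1].lower(), fields[2:]
        none = target == "none"
        if not (none or target == "all" or target == cls or target == template):
            continue                          # line is for some other class
        if directive == "template":
            if not none:                      # 'template cls [refclass]'
                template = args[0].lower() if args else None
            continue
        if none or (args and args[0].lower() == "off"):
            settings[directive] = None        # disabled
        else:
            settings[directive] = args        # later lines win
    return settings


# Constructed sample configuration (not a shipped ftpd.conf).
SAMPLE_CONF = r"""
checkportcmd  all                     # refuse PORT to other hosts / low ports
passive       all
modify        all
upload        all
umask         all    027
limit         all    0                # unlimited
motd          all    welcome\#1.txt   # escaped '#' is part of the file name
# anonymous users: chrooted, read-only, capped, throttled
classtype     guest  GUEST
chroot        guest  /var/ftp
upload        guest  off
modify        guest  off
umask         guest  0707
limit         guest  50 \
                     /var/ftp/etc/too_many
rateget       guest  512k
# staff shares the 'real' settings through a template
classtype     staff  REAL
template      staff  real
umask         real   022
"""

if __name__ == "__main__":
    for c in ("guest", "staff"):
        print(c, resolve(SAMPLE_CONF, c))
```

Running it prints the effective settings for the constructed guest and staff classes; the guest class ends up with upload and modify disabled, a 0707 umask and a limit of 50 with the overflow file joined from the continuation line, while staff inherits the umask given for real through the template.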

Each configuration line may be one of:

checkportcmd class [off]
Check the PORT command for validity. The PORT command fails if the IP address specified doesn't match that of the FTP control connection, or if the remote TCP port number is less than IPPORT_RESERVED. It's strongly encouraged that this option be used, especially for sites concerned with potential security problems with FTP bounce attacks. If class is none, or if off is specified, this feature is disabled.
chroot class [pathformat]
Specify the root directory to use with chroot() at login. The directory name is created by parsing pathformat; the following escape strings may be used:
Escape   Description
%c       Class name
%d       Home directory of user
%u       Username
%%       A % character

If pathformat isn't specified, or if class is none, then the default root directory is / for REAL users, or the user's home directory for GUEST and CHROOT users.

classtype class type
Set the class type of class to type, where type is one of:
CHROOT
chroot()ed users (as per /etc/ftpchroot). A chroot() is performed after login.
GUEST
Guests (as per the anonymous and ftp logins). A chroot() is performed after login.
REAL
Normal users.
conversion class suffix [type disable command]
Define an automatic inline file conversion. If the file to be retrieved ends in suffix, and a real file with that name minus the suffix exists, then the output of the command is returned instead of the contents of the file.
suffix
The suffix to initiate the conversion.
type
A list of valid filetypes for the conversion. Valid types are: f (file) and d (directory).
disable
A file that prevents a conversion if it exists. A filename of . prevents this action (that is, the conversion is always permitted).
command
A command to run for the conversion. The first word should be the full pathname of the command as execv() is used to execute the command. All instances of the word %s in the command are replaced with the requested file (without the suffix).

Conversion directives specified later on in the file override earlier conversions with the same suffix.

display class [file]
Display the contents of file (if it exists) each time the user enters a new directory. Escape sequences are supported; for more information, see the “Display file escape sequences” section in the NetBSD documentation for ftpd.

If file isn't specified, or class is none, disable this.

limit class count [file]
Limit the maximum number of concurrent connections for class to count, with 0 indicating unlimited connections. If the limit is exceeded, and file is specified, display its contents to the user. This line is ignored if class is none or if count isn't specified.
homedir class [pathformat]
Specify the directory to change into at login, and use as the “home” directory of the user for tilde expansion in pathnames, etc. The pathformat argument is parsed as per the chroot directive.

If pathformat isn't specified, or if class is none then the default home directory is the home directory of the user for REAL users, or / for GUEST and CHROOT users.

maxtimeout class time
Set the maximum timeout period that a client may request (default is 2 hours). The period can't be less than 30 seconds, or less than the value of the timeout directive. This line is ignored if class is none or time isn't specified.
modify class [off]
If class is none, or if off is specified, disable these commands: CHMOD, DELE, MKD, RMD, RNFR, and UMASK. Otherwise, enable them.
motd class [file]
Display the contents of file after login as the “message of the day.” Escape sequences are supported; for more information, see the “Display file escape sequences” section in the NetBSD documentation for ftpd.

If file isn't specified, or class is none, disable this.

notify class [fileglob]
Notify the user of any files matching fileglob each time the user enters a new directory.

If fileglob isn't specified, or class is none, disable this.

passive class [off]
If class is none, or if off is specified, disallow passive (PASV/LPSV/EPSV) connections.
portrange class min max
Set the range of port numbers which are used for the passive data port. The value of max must be greater than min, and both numbers must be between IPPORT_RESERVED and IPPORT_ANONMAX.
rateget class rate
Set the maximum get (RETR) transfer rate throttle for class to rate bytes per second. If rate is 0, the throttle is disabled.

An optional suffix may be provided, which changes the interpretation of rate as follows:

  • b: Bytes. The value is used as is (this suffix is optional).
  • k: Kilo. Multiply the argument by 1024.
  • m: Mega. Multiply the argument by 1048576.
  • g: Giga. Multiply the argument by 1073741824.
rateput class rate
Set the maximum put (STOR) transfer rate throttle for class to rate bytes per second. The rate argument is parsed as described in rateget.
template class [refclass]
Define refclass as the template for class. All subsequent references to refclass in the directives also apply to members of class. You'd define a class template so that other classes, which share common attributes, can be easily defined without unnecessary duplication. There can be only one template defined at a time. If refclass isn't specified, disable the template for class.
timeout class time
Set the timeout period for inactivity (default is 15 minutes). It can't be less than 30 seconds, or greater than the value for maxtimeout. This line is ignored if class is none or time isn't specified.
umask class umaskval
Set the umask to umaskval. This line is ignored if class is none or umaskval isn't specified.
upload class [off]
If class is none, or if off is specified, disable these commands: APPE, STOR, and STOU, as well as the modify commands: CHMOD, DELE, MKD, RMD, RNFR, and UMASK. Otherwise, enable them.
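To make concrete what the checkportcmd directive enforces, here is an added example, not ftpd's own code: the validity check applied to the argument of an RFC 959 PORT command (h1,h2,h3,h4,p1,p2). The requested data address must equal the peer address of the control connection and the port must not be below IPPORT_RESERVED; together these refuse the classic FTP bounce attack, in which a client asks the server to open a data connection to a third host or to a privileged service port. The sample PORT arguments and the control-peer address are constructed, and the reason strings are illustrative rather than ftpd's actual reply text.

```python
# Added example (not ftpd's code): the check that the checkportcmd directive
# turns on, applied to the argument of an RFC 959 PORT command
# (h1,h2,h3,h4,p1,p2).  The requested data address must be the peer address
# of the control connection and the port must not be below IPPORT_RESERVED;
# together these stop FTP bounce attacks, where a client asks the server to
# open a data connection to a third host or to a privileged service port.
# The reason strings are illustrative, not ftpd's actual reply text.

IPPORT_RESERVED = 1024


def parse_port_arg(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2).
    Raises ValueError on anything that is not six octets."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated octets")
    nums = [int(p) for p in parts]            # int() raises on junk
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("octet out of range")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def port_cmd_allowed(arg, control_peer_ip, checkportcmd=True):
    """Decide whether to honour a PORT command.

    control_peer_ip is the address the control connection came from.
    Returns (allowed, reason).  With checkportcmd=False (class 'none' or
    'off') only syntactic validity is enforced, i.e. bounce is possible.
    """
    try:
        host, port = parse_port_arg(arg)
    except ValueError as e:
        return False, f"malformed PORT argument: {e}"
    if checkportcmd:
        if host != control_peer_ip:
            return False, f"address {host} is not the control peer {control_peer_ip}"
        if port < IPPORT_RESERVED:
            return False, f"port {port} is below IPPORT_RESERVED ({IPPORT_RESERVED})"
    return True, f"data connection to {host}:{port} permitted"


# Constructed PORT arguments from a client whose control connection
# arrived from 192.0.2.10 (RFC 5737 documentation address).
CONTROL_PEER = "192.0.2.10"
SAMPLE_PORTS = [
    "192,0,2,10,195,80",      # own host, port 50000: normal active transfer
    "192,0,2,10,0,25",        # own host, port 25: reserved port
    "198,51,100,7,195,80",    # third host: classic bounce attempt
    "192,0,2,10,1,2,3",       # malformed
]

if __name__ == "__main__":
    for p in SAMPLE_PORTS:
        ok, why = port_cmd_allowed(p, CONTROL_PEER)
        print(f"{'accept' if ok else 'reject'} {p:<22} {why}")
```

Only the first sample is accepted with the check enabled; passing checkportcmd=False (the effect of checkportcmd none or off) lets the bounce and reserved-port requests through, which is why the page recommends leaving the directive on.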

Default settings

The following defaults are used:

checkportcmd  all
classtype     chroot CHROOT
classtype     guest  GUEST
classtype     real   REAL
display       none
limit         all    -1     # unlimited connections
maxtimeout    all    7200   # 2 hours
modify        all
motd          all    motd
notify        none
passive       all
timeout       all    900    # 15 minutes
umask         all    027
upload        all
modify        guest  off
umask         guest  0707