

Page 135

TIP
When editing any of the files in the /etc directory (FTP related or not), comment the file liberally. Keeping an edit history at the end of the file listing of who last edited the file, when they did it, and what they changed is a good way to track down problems as well as problem makers!

Controlling Access—The /etc/ftpaccess File

The /etc/ftpaccess file is the primary means of controlling who may access your server and how many users may do so at once. Each line in the file either defines an attribute or sets its value.

The following commands control access:

The following commands control what information the server tells clients:

These commands control logging capabilities:

The following are miscellaneous commands:


Permissions controls are set by the following commands:

Controlling User Access

The ability to control who may and may not enter your site is a critical component in fine-tuning your anonymous FTP server. The following commands define the criteria used to determine in which group each user should be placed.

class

The class command defines a class of users who can access your FTP server. You can define as many classes as you want. Each class line comes in the form


class <classname> <typelist> <addrglob> [<addrglob> ...]

where <classname> is the name of the class you are defining, <typelist> is the type of user you are allowing into the class, and <addrglob> is the range of IP addresses allowed access to that class.

The <typelist> is a comma-delimited list in which each entry has one of three values: anonymous, guest, or real. Anonymous users are, of course, any users who connect to the server as user anonymous or ftp and want to access only publicly available files. Guest users are special because they do not have accounts on the system per se, but they do have special access to key parts of the guest group. (See the description of the guestgroup command later in this chapter for additional details.) Real users must have accounts on the FTP server and are authenticated accordingly.

<addrglob> takes the form of a regular expression where * implies all sites. Several <addrglob>s can be associated with a particular class.

The line

class anonclass anonymous *

defines the class anonclass, which contains only anonymous users. They can originate their connections from anywhere on the network.


On the other hand, the line


class localclass real 192.168.42.*

allows only real users (those with accounts on the FTP server) to access their accounts via FTP, and only when they connect from the local area network.
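To make the class matching concrete, here is an added example (not code from the book or from the FTP server itself) that parses a constructed set of class lines and reports which class a connecting user would land in. It treats <addrglob> as a shell-style glob applied to the hostname or dotted IP and assumes that the first matching class in file order wins; the sample lines and hostnames are constructed.

```python
import fnmatch

# Constructed sample of /etc/ftpaccess class lines (not from a real server).
FTPACCESS = """\
# anonymous users may come from anywhere
class anonclass anonymous *
# real users only from the local LAN
class localclass real 192.168.42.*
# staff may log in as real or guest from two address ranges
class staff real,guest *.corp.example.com 10.0.0.*
"""

def parse_classes(text):
    """Return [(classname, set(types), [addrglobs])] in file order."""
    classes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != "class" or len(fields) < 4:
            continue  # other directives are out of scope for this example
        name, typelist, globs = fields[1], fields[2], fields[3:]
        classes.append((name, set(typelist.split(",")), globs))
    return classes

def classify(classes, usertype, host):
    """Return the first class whose typelist contains usertype and whose
    addrglob matches host (hostname or dotted IP), or None if no class
    admits the user. First-match-wins ordering is an assumption here."""
    host = host.lower()
    for name, types, globs in classes:
        if usertype in types and any(
                fnmatch.fnmatchcase(host, g.lower()) for g in globs):
            return name
    return None
```

A user who matches no class is refused, so the None result is the case to watch for when testing a new ftpaccess file.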

autogroup

The autogroup command is used to control anonymous users' access more tightly by automatically assigning them a certain group permission when they log in. The format of the autogroup line is


autogroup <groupname> <class> [<class> ...]

where <groupname> is the name of the group to which you want the anonymous users set, and <class> is a name of a class defined using the class command. You can have multiple <class> entries for an autogroup. Only the anonymous users referenced in <class> will be affected by autogroup.

Remember that the group to which you are giving the users permission must be in the /etc/group file.

deny

The deny command allows you to explicitly deny service to certain hosts based on their hostnames, their IP addresses, or whether their addresses can be reverse-resolved to hostnames via DNS. The format of the deny command is


deny <addrglob> <message_file>

where <addrglob> is a regular expression containing the addresses that are to be denied and <message_file> is the filename containing a message that should be displayed to the hosts when they connect.

The following is a sample deny line:


deny evilhacker.domain.com /home/ftp/.message.no.evil.hackers

This line displays the contents of the file /home/ftp/.message.no.evil.hackers to anyone trying to connect via FTP from evilhacker.domain.com. To deny users access based on whether their IP addresses can be reverse-resolved to their hostnames, use the string !nameserved for the <addrglob> entry.

guestgroup

The guestgroup command is useful when you have real users but want them to have only restrictive FTP privileges. The format of the command is


guestgroup <groupname> [<groupname> ...]

where <groupname> is the name of the group (as taken from /etc/group) that you want restricted.


When a user's group is restricted, the user is treated much like an anonymous visitor; hence, the same setups needed for anonymous visitors must be performed in this user's account. The user's password entry is also a little different in the directory field.

The field for the user's home directory is broken up by the /./ characters. Before the split characters is the effective root directory, and after the split characters is the user's relative home directory. For example, consider the following password entry:


user1:encrypted password:500:128:User 1:/ftp/./user1:/bin/ftponly

Here, /ftp is the user's new relative root directory (bin, etc, and lib directories would need to be created under /ftp for the ls command and other necessary libraries), and /ftp/user1 is the user's home directory.

limit

The limit command allows you to control the number of users who log in to the system via FTP by class and time of day. This capability is especially useful if you have a popular archive but the system needs to be available to your users during business hours. The format of the limit command is


limit <class> <n> <times> <message_file>

where <class> is the class to limit, <n> is the maximum number of people allowed in that class, <times> is the time during which the limit is in effect, and <message_file> is the file that should be displayed to the client when the maximum limit is reached.

The format of the <times> parameter is somewhat complex. The parameter is a comma-delimited string in which each entry covers a separate set of days. Sunday through Saturday take the form Su, Mo, Tu, We, Th, Fr, and Sa, respectively, and all the weekdays together can be referenced as Wk. Times are given in 24-hour (military) format as HHMM, without a colon separating the hours and minutes, and a range is specified with a dash.

For example, to limit the class anonfolks to 10 from Monday through Thursday, all day, and Friday from midnight to 5:00 p.m., you would use the following limit line:


limit anonfolks 10 MoTuWeTh,Fr0000-1700 /home/ftp/.message.too_many

In this case, if the limit is hit, the contents of the file /home/ftp/.message.too_many are displayed to the connecting user.
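Because the <times> syntax is easy to get wrong, the following added example (not code from the book or the FTP server) parses a <times> string such as the one above and decides whether a limit is in effect at a given timestamp. It assumes an entry with no time range means the whole day, that Wk expands to Monday through Friday, and that the end of a range is exclusive; the timestamps are constructed.

```python
import re
from datetime import datetime

# datetime.weekday(): Monday == 0 ... Sunday == 6
DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
_CODE = r"Su|Mo|Tu|We|Th|Fr|Sa|Wk"
_ENTRY = re.compile(rf"^((?:{_CODE})+)(?:(\d{{4}})-(\d{{4}}))?$")

def _minutes(hhmm):
    """'1700' -> 1020 minutes after midnight."""
    return int(hhmm[:2]) * 60 + int(hhmm[2:])

def parse_times(spec):
    """Parse a <times> string into [(set_of_weekdays, start_min, end_min)].
    Raises ValueError on a malformed entry rather than silently ignoring it."""
    entries = []
    for part in spec.split(","):
        m = _ENTRY.match(part)
        if not m:
            raise ValueError(f"bad times entry: {part!r}")
        days = set()
        for code in re.findall(_CODE, m.group(1)):
            days.update(range(0, 5) if code == "Wk" else {DAY_CODES[code]})
        start, end = 0, 24 * 60          # no range given: the whole day
        if m.group(2):
            start, end = _minutes(m.group(2)), _minutes(m.group(3))
        entries.append((days, start, end))
    return entries

def limit_active(spec, when_iso):
    """True if any entry of spec covers the ISO timestamp, e.g. '2024-01-08T14:00'."""
    when = datetime.fromisoformat(when_iso)
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in parse_times(spec))

def connection_allowed(spec, n, current_users, when_iso):
    """The class limit <n> only bites while its time window is active."""
    return not (limit_active(spec, when_iso) and current_users >= n)
```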

loginfails

The loginfails command allows you to set the number of failed login attempts clients can make before disconnecting them. By default, this number is five; however, you can set it by using the command


loginfails <n>
