1.\" Copyright (c) 2003 FreeBSD Project 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" 25.\" $FreeBSD: src/libexec/ftpd/ftpchroot.5,v 1.3 2003/06/01 19:52:36 ru Exp $ 26.\" $DragonFly: src/libexec/ftpd/ftpchroot.5,v 1.4 2007/05/17 08:19:01 swildner Exp $ 27.\" 28.Dd January 26, 2003 29.Dt FTPCHROOT 5 30.Os 31.Sh NAME 32.Nm ftpchroot 33.Nd "list users and groups subject to FTP access restrictions" 34.Sh DESCRIPTION 35The file 36.Nm 37is read by 38.Xr ftpd 8 39at the beginning of an FTP session, after having authenticated the user. 40Each line in 41.Nm 42corresponds to a user or group. 43If a line in 44.Nm 45matches the current user or a group he is a member of, 46access restrictions will be applied to this 47session by changing its root directory with 48.Xr chroot 2 49to that specified on the line or to the user's login directory. 50.Pp 51The order of records in 52.Nm 53is important because the first match will be used. 54Fields on each line are separated by tabs or spaces. 55.Pp 56The first field specifies a user or group name. 57If it is prefixed by an 58.Dq at 59sign, 60.Ql @ , 61it specifies a group name; 62the line will match each user who is a member of this group. 63As a special case, a single 64.Ql @ 65in this field will match any user. 66A username is specified otherwise. 67.Pp 68The optional second field describes the directory for the user 69or each member of the group to be locked up in using 70.Xr chroot 2 . 71Be it omitted, the user's login directory will be used. 72If it is not an absolute pathname, then it will be relative 73to the user's login directory. 74If it contains the 75.Pa /./ 76separator, 77.Xr ftpd 8 78will treat its left-hand side as the name of the directory to do 79.Xr chroot 2 80to, and its right-hand side to change the current directory to afterwards. 81.Sh FILES 82.Bl -tag -width ".Pa /etc/ftpchroot" -compact 83.It Pa /etc/ftpchroot 84.El 85.Sh EXAMPLES 86These lines in 87.Nm 88will lock up the user 89.Dq Li webuser 90and each member of the group 91.Dq Li hostee 92in their respective login directories: 93.Bd -literal -offset indent 94webuser 95@hostee 96.Ed 97.Pp 98And this line will tell 99.Xr ftpd 8 100to lock up the user 101.Dq Li joe 102in 103.Pa /var/spool/ftp 104and then to change the current directory to 105.Pa /joe , 106which is relative to the session's new root: 107.Pp 108.Dl "joe /var/spool/ftp/./joe" 109.Pp 110And finally the following line will lock up every user connecting 111through FTP in his respective 112.Pa ~/public_html , 113thus lowering possible impact on the system 114from intrinsic insecurity of FTP: 115.Pp 116.Dl "@ public_html" 117.Sh SEE ALSO 118.Xr chroot 2 , 119.Xr group 5 , 120.Xr passwd 5 , 121.Xr ftpd 8 122