Configuring tnftpd FTP Server Options
You've just turned on your FTP server. If you looked at the /System/Library/LaunchDaemons/ftp.plist file, you noticed that the server runs by default with the -l option, which appears in the ProgramArguments section:
<key>ProgramArguments</key>
<array>
    <string>ftpd</string>
    <string>-l</string>
</array>
The -l option forces the logging of successful and unsuccessful FTP sessions.
Other options are available in the FTP server; selected options are detailed in the command documentation table, Table 22.1. To change FTP server options, add the appropriate strings to the ProgramArguments array in /System/Library/LaunchDaemons/ftp.plist, then stop and start the FTP server so that the new arguments take effect.
Table 22.1. Command Documentation Table for ftpd
ftpd - Internet File Transfer Protocol server
ftpd [-dHlqQrsuUwWX] [-a <anondir>] [-c <confdir>] [-C <user>] [-e <emailaddr>]
     [-h <hostname>] [-L <xferlogfile>] [-P <dataport>] [-V <version>]
ftpd is the Internet File Transfer Protocol process. It uses the TCP protocol and runs on the port specified as ftp in the /etc/services file.
-a <anondir>   Defines <anondir> as the directory to chroot into for anonymous logins. Default is the home directory for the ftp user. This can also be specified with the ftpd.conf chroot directive.
-c <confdir>   Changes the root directory of the configuration files from /etc to <confdir>. This changes the directory for the following files: /etc/ftpchroot, /etc/ftpusers, /etc/ftpwelcome, /etc/motd, and the file specified by the ftpd.conf limit directive.
-h <hostname>  Explicitly sets the hostname to advertise as <hostname>. Default is the hostname associated with the IP address that ftpd is listening on. This capability (with or without -h), in conjunction with -c <confdir>, is useful when configuring virtual FTP servers, each listening on a separate address under a separate name.
-H             Equivalent to -h <hostname>.
-l             Logs each successful and failed FTP session using syslog with a facility of LOG_FTP.
-P <dataport>  Uses <dataport> as the data port, overriding the default of using the port one less than the port ftpd is listening on.
-q             Enables the use of PID files for keeping track of the number of logged-in users per class. This is the default.
-U             Doesn't log each concurrent FTP session to /var/run/utmp. This is the default.
-V <version>   Uses <version> as the version to advertise in the login banner and in the output of STAT and SYST instead of the default version information. If <version> is - or empty, no version information is displayed.
Note that whenever you turn the FTP service on or off via the System Preferences pane, any other configuration changes you have made to the service are retained instead of being reset. Nonetheless, it is a good idea to keep a copy of the file with your configuration changes, in case this default behavior ever changes.
The FTP server uses three main configuration files for restricting access: /etc/ftpusers, /etc/ftpchroot, and /etc/ftpd.conf. By using these files, you can place restrictions on who can use FTP to access your machine, blocking certain users and allowing others. You can also limit the type and frequency of access granted by capping the number of connections and by setting timeouts and other server-related limits on FTP server availability and capability.
A default /etc/ftpusers file is installed. This file contains the list of users who aren't allowed FTP access to the machine. Here's the default file:
brezup:sage Documents $ more /etc/ftpusers
# list of users disallowed any ftp access.
# read by ftpd(8).
Administrator
administrator
root
uucp
daemon
unknown
www
If you have additional users who shouldn't be granted FTP access, include them in this file. Also include any system logins that might not be listed by default in this file. Because the syntax for this file can be more complex, its documentation is included in Table 22.2.
Table 22.2. Documentation for /etc/ftpusers
ftpd access control files
The /etc/ftpusers file provides user access control for ftpd by defining which users may log in.
If the /etc/ftpusers file does not exist, all users are denied access.
The syntax of each line is
<userglob>[:<groupglob>][@<host>] [<directive> [<class>]]
These elements are
<userglob> is matched against the username, using fnmatch glob matching (for example, f*).
<groupglob> is matched against all the groups that the user is a member of, using fnmatch glob matching (for example, *src).
<host> is either a CIDR address (refer to inet_net_pton) to match against the remote address (for example, 220.127.116.11/24), or an fnmatch glob to match against the remote hostname (for example, *.netbsd.org).
<directive> allows access to the user if set to allow or yes. Denies access to the user if set to deny or no, or if the directive is not present.
<class> defines the class to use in ftpd.conf.
If <class> isn't given, it defaults to one of the following:
chroot if there's a match in /etc/ftpchroot for the user.
guest if the username is anonymous or ftp.
real if neither of the preceding conditions is true.
No further comparisons are attempted after the first successful match. If no match is found, the user is granted access. This syntax is backward compatible with the old syntax.
If a user requests a guest login, the ftpd server checks to see that both anonymous and ftp have access. So, if you deny all users by default, you must add both anonymous allow and ftp allow to /etc/ftpusers in order to allow guest logins.
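To make the matching rules above concrete, here is an added example (not from the book and not tnftpd's own code) that evaluates a constructed /etc/ftpusers against a login attempt: the first matching line decides, a line without a directive denies, a missing file denies everyone, no match at all grants access, and a guest login needs both anonymous and ftp to be allowed. The rule set, user names, groups and addresses are made up for the example.

```python
import fnmatch
import ipaddress

# Constructed sample rules (hypothetical /etc/ftpusers contents, not the shipped file).
FTPUSERS = """\
*:wheel deny
*:staff@192.0.2.0/24 allow
anonymous@*.example.org allow
ftp@*.example.org allow
* deny
"""

def host_matches(pattern, remote_ip, remote_name):
    """A CIDR pattern is matched against the address; anything else is a hostname glob."""
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatch.fnmatchcase(remote_name, pattern)
    return ipaddress.ip_address(remote_ip) in net

def default_class(user, in_ftpchroot):
    # Class used when the matching line names none: chroot, guest, or real.
    if in_ftpchroot:
        return "chroot"
    return "guest" if user in ("anonymous", "ftp") else "real"

def check(rules, user, groups, remote_ip, remote_name, in_ftpchroot=False):
    """Return (allowed, class). rules=None models a missing file, which denies everyone."""
    if rules is None:
        return False, None
    for line in rules.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        spec, _, host = parts[0].partition("@")          # userglob[:groupglob][@host]
        userglob, _, groupglob = spec.partition(":")
        directive = parts[1].lower() if len(parts) > 1 else "deny"   # no directive means deny
        if not fnmatch.fnmatchcase(user, userglob):
            continue
        if groupglob and not any(fnmatch.fnmatchcase(g, groupglob) for g in groups):
            continue
        if host and not host_matches(host, remote_ip, remote_name):
            continue
        if directive in ("allow", "yes"):                # first match decides
            return True, parts[2] if len(parts) > 2 else default_class(user, in_ftpchroot)
        return False, None
    return True, default_class(user, in_ftpchroot)        # no match at all: access granted

def guest_allowed(rules, remote_ip, remote_name):
    """Guest logins need both anonymous and ftp to be allowed."""
    return all(check(rules, u, [], remote_ip, remote_name)[0] for u in ("anonymous", "ftp"))
```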
The file /etc/ftpchroot is used to determine which users will have their session's root directory changed (using chroot), either to the directory specified in the ftpd.conf chroot directive (if set), or to the home directory of the user. If the file doesn't exist, the root directory change is not performed.
The FTP server also allows for chrooted FTP access, which is a compromise between full access and anonymous-only access. With this compromise access, a user is granted FTP access to only his home directory. List any users who should have this type of access in the /etc/ftpchroot file.
The last major configuration file for the default ftpd is /etc/ftpd.conf. In this file, you can define classes and various types of restrictions for a given class. This FTP server understands three classes of user: REAL, CHROOT, and GUEST. A REAL user has full access to your machine. A CHROOT user is restricted to his home directory or to a directory otherwise specified in /etc/ftpd.conf. A GUEST user can connect to the machine for anonymous FTP only.
The basic form of a line in ftpd.conf is
<directive> <class> <argument>
Although there's no default /etc/ftpd.conf file, these are the defaults that the FTP server uses:
checkportcmd all
classtype chroot CHROOT
classtype guest GUEST
classtype real REAL
display none
limit all -1             # unlimited connections
maxtimeout all 7200      # 2 hours
modify all
motd all motd
notify none
passive all
timeout all 900          # 15 minutes
umask all 027
upload all
modify guest off
umask guest 0707
Directives that appear later in the file override directives that appear earlier. This gives you the opportunity to define defaults as wildcards. In addition to the defaults you see listed in the preceding file, other available controls include ones for limiting the upload and download storage rates, maximum uploadable file size, and port ranges. The last control can be useful for setting up your FTP server to work while a firewall is also running on your machine. Table 22.3 details select directives for the /etc/ftpd.conf file.
Table 22.3. Documentation for /etc/ftpd.conf
ftpd configuration file
The ftpd.conf file specifies various configuration options for ftpd that apply after a user has authenticated his connection.
ftpd.conf consists of a series of lines, each of which may contain a configuration directive, a comment, or a blank line. Directives that appear later in the file override settings by previous directives. This allows wildcard entries to define defaults and then have class-specific overrides.
A directive line has the format:
<command> <class> [<arguments>]
Each authenticated user is a member of a class, which is determined by ftpusers. The class is used to determine which ftpd.conf entries apply to the user. The following special classes exist when parsing entries:
all matches any class
none matches no class
Each class has a type, which may be one of the following:
GUEST Guests (as per the anonymous and ftp logins). A chroot is performed after login.
CHROOT chrooted users (as per ftpchroot). A chroot is performed after login.
REAL Normal users.
The ftpd STAT command returns the class settings for the current user, unless the private directive is set for the class.
advertise <class> host
Sets the address to advertise in the response to the PASV and LPSV commands to the address for <host> (which may be either a hostname or an IP address).
chroot <class> [<pathformat>]
If <pathformat> is not given or <class> is none, uses the default behavior. Otherwise, <pathformat> is parsed to create the directory to chroot into upon login.
The default root directory is
CHROOT: The user's home directory.
GUEST: If -a <anondir> is given, uses <anondir>; otherwise, uses the home directory of the FTP user.
REAL: By default, no chroot is performed.
classtype <class> <type>
Sets the class type of <class> to <type>.
conversion <class> <suffix> [<type> <disable> <command>]
Defines an automatic in-line file conversion.
homedir <class> [<pathformat>]
If <pathformat> isn't given or <class> is none, uses the default behavior. Otherwise, <pathformat> is parsed to create a directory to change to on login, and to use as the home directory of the user for tilde expansion in pathnames, and so on.
limit <class> <count> [<file>]
Limits the maximum number of concurrent connections for <class> to <count>, with 0 meaning unlimited connections.
maxfilesize <class> <size>
Sets the maximum size of an uploaded file to <size>.
maxtimeout <class> <time>
Sets the maximum timeout period that a client may request, defaulting to two hours. This cannot be less than 30 seconds or less than the value for timeout. If <class> is none or <time> is not specified, resets to the default of two hours.
passive <class> [off]
If <class> is none or off is given, prevents passive (PASV, LPSV, and EPSV) connections. Otherwise, enables them.
portrange <class> <min> <max>
Sets the range of port numbers that are used for the passive data port.
rateget <class> <rate>
Sets the maximum get (RETR) transfer rate throttle for <class> to <rate> bytes per second.
rateput <class> <rate>
Sets the maximum put (STOR) transfer rate throttle for <class> to <rate> bytes per second, which is parsed as per the rateget rate.
timeout <class> <time>
Sets the inactivity timeout period.
upload <class> [off]
If <class> is none or off is given, disables the following commands: APPE, STOR, and STOU, as well as the modify commands: CHMOD, DELE, MKD, RMD, RNFR, and UMASK. Otherwise, enables them.
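An added example, not code from the book or from tnftpd, that resolves which ftpd.conf entry wins for a given class under the later-overrides-earlier rule described above. It embeds the class-relevant subset of the defaults listed earlier plus a constructed hardening overlay, and shows that the shipped defaults leave upload enabled for guests (only modify is turned off for them). A class of none is modelled here as returning the directive to its built-in default, as the directive descriptions state.

```python
# Defaults listed above (the class-relevant subset) followed by a constructed
# hardening overlay; neither is a file shipped with macOS.
DEFAULTS = """\
classtype chroot CHROOT
classtype guest GUEST
classtype real REAL
display none
limit all -1
maxtimeout all 7200
modify all
passive all
timeout all 900
umask all 027
upload all
modify guest off
umask guest 0707
"""

HARDENED = """\
upload guest off            # anonymous users may only download
limit guest 10              # at most ten concurrent anonymous sessions
rateget guest 102400        # throttle anonymous downloads to 100 KiB/s
portrange all 50000 50100   # passive data ports to open on the firewall
"""

def parse(text):
    """Return (directive, class, args) for each non-comment, non-blank line."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            rules.append((parts[0], parts[1], parts[2:]))
    return rules

def effective(rules, cls):
    """Settings that apply to cls: later lines win, 'all' matches every class,
    and 'none' returns the directive to its built-in default."""
    settings = {}
    for directive, target, args in rules:
        if target == "none":
            settings.pop(directive, None)
        elif target in ("all", cls):
            settings[directive] = args
    return settings

def uploads_enabled(settings):
    """STOR/APPE/STOU stay enabled unless the winning upload entry says off."""
    return settings.get("upload", []) != ["off"]
```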
The FTP server logs connections to /var/log/ftp.log. Typical entries in the log look like this:
Dec 28 16:13:11 ryoohki ftpd: connection from rosalyn.biosci.ohio-state.edu to ryoohki.biosci.ohio-state.edu
Dec 28 16:13:22 ryoohki ftpd: FTP LOGIN FROM rosalyn.biosci.ohio-state.edu as joray (class: real, type: REAL)
Dec 28 16:13:30 ryoohki ftpd: Data traffic: 83085 bytes in 1 file
Dec 28 16:13:30 ryoohki ftpd: Total traffic: 84246 bytes in 2 transfers
Dec 28 18:04:17 ryoohki ftpd: connection from rosalyn.biosci.ohio-state.edu to ryoohki.biosci.ohio-state.edu
Dec 28 18:04:22 ryoohki ftpd: ANONYMOUS FTP LOGIN FROM rosalyn.biosci.ohio-state.edu, joray@ (class: guest, type: GUEST)
Dec 28 18:04:33 ryoohki ftpd: Data traffic: 1415 bytes in 1 file
Dec 28 18:04:33 ryoohki ftpd: Total traffic: 2228 bytes in 2 transfers
Jan 23 21:29:15 ryoohki ftpd: connection from ? to ryoohki.biosci.ohio-state.edu
Jan 23 21:29:22 ryoohki ftpd: FTP LOGIN FROM ? as miwa (class: chroot, type: CHROOT)
Jan 23 21:29:57 ryoohki ftpd: Data traffic: 2485381 bytes in 2 files
Jan 23 21:29:57 ryoohki ftpd: Total traffic: 2488561 bytes in 3 transfers
The ftp.log file shows who logged in, where the user logged in from, and what FTP class the user belongs to. In the case of an anonymous connection, the password used can identify the user. The file logs data size, the number of files transferred, the total amount of data, and the total number of files for a given session. Please note that some versions of this FTP server show the IP address for where the user logged in from, but this version shows ?.
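An added example (not from the book) that turns ftp.log lines in the format shown above into one record per session and picks out the sessions a reviewer would look at first: anonymous logins and logins whose source shows as ?. The sample lines are taken from the excerpt; the record field names are this example's own.

```python
import re

# Log lines copied from the ftp.log excerpt above. "connection from" and
# "Data traffic" lines are skipped: the login and Total traffic lines carry
# everything the per-session summary needs.
LOG = """\
Dec 28 16:13:22 ryoohki ftpd: FTP LOGIN FROM rosalyn.biosci.ohio-state.edu as joray (class: real, type: REAL)
Dec 28 16:13:30 ryoohki ftpd: Data traffic: 83085 bytes in 1 file
Dec 28 16:13:30 ryoohki ftpd: Total traffic: 84246 bytes in 2 transfers
Dec 28 18:04:17 ryoohki ftpd: connection from rosalyn.biosci.ohio-state.edu to ryoohki.biosci.ohio-state.edu
Dec 28 18:04:22 ryoohki ftpd: ANONYMOUS FTP LOGIN FROM rosalyn.biosci.ohio-state.edu, joray@ (class: guest, type: GUEST)
Dec 28 18:04:33 ryoohki ftpd: Total traffic: 2228 bytes in 2 transfers
Jan 23 21:29:22 ryoohki ftpd: FTP LOGIN FROM ? as miwa (class: chroot, type: CHROOT)
Jan 23 21:29:57 ryoohki ftpd: Total traffic: 2488561 bytes in 3 transfers
"""

ENTRY = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ftpd: (.*)$")
LOGIN = re.compile(r"^FTP LOGIN FROM (\S+) as (\S+) \(class: (\w+), type: (\w+)\)$")
# For anonymous logins the second field is the password the client supplied.
ANON = re.compile(r"^ANONYMOUS FTP LOGIN FROM (\S+), (\S+) \(class: (\w+), type: (\w+)\)$")
TOTAL = re.compile(r"^Total traffic: (\d+) bytes in (\d+) transfers$")

def parse_sessions(text):
    """One record per login, completed by the Total traffic line that ends it."""
    sessions, current = [], None
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue
        when, msg = entry.groups()
        login = LOGIN.match(msg) or ANON.match(msg)
        total = TOTAL.match(msg)
        if login:
            host, user, cls, typ = login.groups()
            current = {"time": when, "host": host, "user": user, "class": cls,
                       "type": typ, "bytes": 0, "transfers": 0}
            sessions.append(current)
        elif total and current is not None:
            current["bytes"], current["transfers"] = int(total[1]), int(total[2])
            current = None
    return sessions

def flagged(sessions):
    """Sessions worth a second look: anonymous logins and unresolved source hosts."""
    return [s for s in sessions if s["type"] == "GUEST" or s["host"] == "?"]
```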