ftpaccess.5

wu-ftpd类unix下的ftp服务器,可用于嵌入式系统

to members of a particular class.  More than one class may be specified.

There can be "magic cookies" in the readme file which cause the ftp server
to replace the cookie with a specified text string:
.nf
    %T      local time (form Thu Nov 15 17:12:42 1990)
    %F      free space in partition of CWD (kbytes)
              [not supported on all systems]
    %C      current working directory
    %E      the maintainer's email address as defined in ftpaccess
    %R      remote host name
    %L      local host name
    %u      username as determined via RFC931 authentication
    %U      username given at login time
    %M      maximum allowed number of users in this class
    %N      current number of users in this class
    %B      absolute limit on disk blocks allocated
    %b      preferred limit on disk blocks
    %Q      current block count
    %I      maximum number of allocated inodes (+1)
    %i      preferred inode limit
    %q      current number of allocated inodes
    %H      time limit for excessive disk use
    %h      time limit for excessive files

 ratios:

    %xu     Uploaded bytes
    %xd     Downloaded bytes
    %xR     Upload/Download ratio (1:n)
    %xc     Credit bytes
    %xT     Time limit (minutes)
    %xE     Elapsed time since login (minutes)
    %xL     Time left
    %xU     Upload limit
    %xD     Download limit

.fi

The message will only be displayed once to avoid annoying the user.
Remember that when MESSAGEs are triggered by an anonymous FTP user, the
<path> must be relative to the base of the anonymous FTP directory tree.

.TP 0.5i
.B readme <path> {<when> {<class>}}

Define a file with <path> such that ftpd will notify user at login time or
upon using the change working directory command that the file exists and
was modified on such-and-such date.  The <when> parameter may be "LOGIN" or
"CWD=<dir>".  If <when> is "CWD=<dir>", <dir> specifies the new default
directory which will trigger the notification.  The message will only be
displayed once, to avoid bothering users.  Remember that when README
messages are triggered by an anonymous FTP user, the <path> must be
relative to the base of the anonymous FTP directory tree.

The optional <class> specification allows the message to be displayed only
to members of a particular class.  More than one class may be specified.

.SH Logging Capabilities

.TP 0.5i
.B log commands <typelist>

Enables logging of individual commands by users.  <typelist> is a
comma-separated list of any of the keywords "anonymous", "guest" and
"real".  If the "real" keyword is included, logging will be done for users
using FTP to access real accounts, and if the "anonymous" keyword is
included logging will done for users using anonymous FTP.  The "guest"
keyword matches guest access accounts (see "guestgroup" for more
information).

.TP 0.5i
.B log transfers <typelist> <directions>

Enables logging of file transfers for either real or anonymous FTP users.
Logging of transfers TO the server (incoming) can be enabled separately
from transfers FROM the server (outbound).  <typelist> is a comma-separated
list of any of the keywords "anonymous", "guest" and "real".  If the "real"
keyword is included, logging will be done for users using FTP to access
real accounts, and if the "anonymous" keyword is included logging will done
for users using anonymous FTP. The "guest" keyword matches guest access
accounts (see "guestgroup" for more information).  <directions> is a
comma-separated list of any of the two keywords "inbound" and "outbound",
and will respectively cause transfers to be logged for files sent to the
server and sent from the server.

.TP 0.5i
.B log security <typelist>

Enables logging of violations of security rules (noretrieve, .notar, ...)
for real, guest and/or anonymous users.  <typelist> is a comma-separated
list of any of the keywords "anonymous", "guest" and "real".  If the "real"
keyword is included, logging will be done for users using FTP to access
real accounts, and if the "anonymous" keyword is included logging will done
for users using anonymous FTP. The "guest" keyword matches guest access
accounts (see "guestgroup" for more information).

.TP 0.5i
.B log syslog
.TP 0.5i
.B log syslog+xferlog

Redirects the logging messages for incoming and outgoing transfers to
syslog.  Without this option the messages are written to xferlog.

syslog+xferlog sends the transfer log messages to both the system log and
the xferlog.

.SH Upload/Download ratios
In order for any of these commands to work, you must compile WU-FTPD with
--enable-ratios.

.TP 0.5i
.B ul-dl-rate <rate> [<class> ...]

Specify Upload/Download ratio (1:rate).
When ftp user uploaded 1 bytes, (s)he can take <rate> bytes.
By default, there is no ratio.

.TP 0.5i
.B dl-free <filename> [<class> ...]

The file <filename> can be downloaded freely (=ignoring the ratio)

.TP 0.5i
.B dl-free-dir <dirname> [<class> ...]

All files in the directory <dirname> and its subdirectories can be
downloaded freely (=ignoring the ratio)
Note that both dl-free and dl-free-dir are relative to the system's
root, not the chroot environment.


.SH Miscellaneous Capabilities

.TP 0.5i
.B alias <string> <dir>

Defines an alias, <string>, for a directory.  Can be used to add the
concept of logical directories.

For example:
.nf
    alias rfc: /pub/doc/rfc
.fi
would allow the user to access /pub/doc/rfc from any directory by the
command "cd rfc:".  Aliases only apply to the cd command.

.TP 0.5i
.B cdpath <dir>

Defines an entry in the cdpath. This defines a search path that is used
when changing directories.

For example:
.nf
    cdpath /pub/packages
    cdpath /.aliases
.fi
would allow the user to cd into any directory directly under /pub/packages
or /.aliases directories. The search path is defined by the order the lines
appear in the ftpaccess file.

If the user were to give the command:
.nf
    cd foo
.fi
the directory will be searched for in the following order:
.nf
    ./foo
    an alias called "foo"
    /pub/packages/foo
    /.aliases/foo
.fi

The cd path is only available with the cd command. If you have a large
number of aliases you might want to set up an aliases directory with links
to all of the areas you wish to make available to users.

.TP 0.5i
.B compress <yes|no> <classglob> [<classglob> ...]
.TP 0.5i
.B tar <yes|no> <classglob> [<classglob> ...]

Enables compress or tar capabilities for any class matching any of
<classglob>.  The actual conversions are defined in the external file
FTPLIB/ftpconversions.

.TP 0.5i
.B shutdown <path>

If the file pointed to by <path> exists, the server will check the file
regularly to see if the server is going to be shut down.  If a shutdown is
planned, the user is notified, new connections are denied after a specified
time before shutdown and current connections are dropped at a specified
time before shutdown.  <path> points to a file structured as follows:
.nf
    <year> <month> <day> <hour> <minute> <deny_offset> <disc_offset>
    <text>
.fi
where
.nf
    <year> is any year > 1970
    <month> 0-11 <---- LOOK!
    <hour> 0-23
    <minute> 0-59
.fi

<deny_offset> and <disc_offset> are the offsets in HHMM format
before the shutdown time that new connections will be denied and existing
connections will be disconnected.

<text> follows the normal rules for any message (see "message"), with the
following additional magic cookies available:
.nf
    %s      time system is going to shut down
    %r      time new connections will be denied
    %d      time current connections will be dropped
.fi
all times are in the form: ddd MMM DD hh:mm:ss YYYY.  There can be only one
"shutdown" command in the configuration file.

The external program ftpshut(8) can be used to automate the process of
generating this file.

.TP 0.5i
.B daemonaddress <address>

If the value is not set, then the server will listen for connections on
every IP addresses, otherwise it will only listen on the IP address
specified.

Use of this clause is discouraged.  It was added to support a single site's
needs.  It will completely break virtual hosting and the syntax is likely
to change in a future version of the daemon.

.TP 0.5i
.B virtual <address> <root|banner|logfile> <path>

Enables the virtual ftp server capabilities. The <address> is the ip
address of the virtual server. The second argument specifies that the
<path> is either the path to the
.B root
of the filesystem for this virtual server, the
.B banner
presented to the user when connecting to this virtual server, or the
.B logfile
where transfers are recorded for this virtual server. If the
.B logfile
is not specified the default logfile will be used.  All other message
files and permissions as well as any other settings in this file apply to
all virtual servers.

NOTE: Your operating system may not support this feature. It has been
tested on BSD/OS, Solaris 2.X and Linux.

The <address> may also be specified as the hostname rather than the IP
number.  This is strongly discouraged since, if DNS is not available at the
time the FTP session begins, the hostname will not be matched.

.TP 0.5i
.B virtual <address> <hostname|email> <string>

Sets the hostname shown in the greeting message and STATus command, or the
email address used in message files and on the HELP command, to the given
<string>.

.TP 0.5i
.B virtual <address> allow <username> [<username> ...]
.TP 0.5i
.B virtual <address> deny <username> [<username> ...]

Normally, real and guest users are not allowed to log in on the vitual
server unless they are guests and chroot'd to the virtual root.  The users
listed on the virtual allow line(s) will be granted access.  All users can
be granted access by giving '*' as the username.  The virtual deny clauses
are processed after the virtual allow clauses and are used to deny access
to specific users when all users were allowed.

.TP 0.5i
.B virtual <address> private

Normally, anonymous users are allowed to log in on the virtual server.
This option denies them access.

.TP 0.5i
.B virtual <address> passwd <file>

Use a different passwd file for the virtual domain. The daemon needs to be
compiled with --enable-passwd (or OTHER_PASSWD) for this option to work.

.TP 0.5i
.B virtual <address> shadow <file>

Use a different shadow file for this virtual domain. The daemon needs to be
compiled with --enable-passwd (or OTHER_PASSWD) for this option to work.

.TP 0.5i
.B defaultserver deny <username> [<username> ...]
.TP 0.5i
.B defaultserver allow <username> [<username> ...]

Normally, all users are allowed access to the default (non-virtual) FTP
server.  Use defaultserver deny to revoke access for specific users;
specify '*' to deny access to all users.  Specific users can then be
allowed using defaultserver allow.

.TP 0.5i
.B defaultserver private

Normally, anonymous users are allowed on the default (non-virtual) FTP
server.  This statement disallows anonymous access.

The virtual and defaultserver allow, deny and private clauses provide a
means to control which users are allowed access on which FTP servers.

.TP 0.5i
.B passive address <externalip> <cidr>

Allows control of the address reported in response to a PASV command.  When
any control connection matching the
.B <cidr>
requests a passive data connection (PASV), the
.B <externalip>
address is reported.  NOTE: this does not change the address the daemone
actually listens on, only the address reported to the client.  This feature
allows the daemon to operate correctly behind IP-renumbering firewalls.

For example:
.nf
    passive address 10.0.1.15   10.0.0.0/8
    passive address 192.168.1.5 0.0.0.0/0
.fi
Clients connecting from the class-A network 10 will be told the passive
connection is listening on IP-address 10.0.1.15 while all others will be
told the connection is listening on 192.168.1.5

Multiple passive addresses may be specified to handle complex, or
multi-gatewayed, networks.

.TP 0.5i
.B passive ports <cidr> <min> <max>

Allows control of the TCP port numbers which may be used for a passive data
connection.  If the control connection matches the
.B <cidr>
a port in the range
.B <min>
to
.B <max>
will be randomly selected for the daemon to listen on.  This feature allows
firewalls to limit the ports which remote clients may use to connect into
the protected network.

.B <cidr>
is shorthand for an IP address in dotted-quad notation followed by a slash
and the number of left-most bits which represent the network address (as
opposed to the machine address).  For example, if you're using the reserved
class-A network 10, instead of a netmask of 255.0.0.0 use a CIDR of /8 as
in 10.0.0.0/8 to represent your network.

.TP 0.5i
.B pasv-allow <class> [<addrglob> ...]
.TP 0.5i
.B port-allow <class> [<addrglob> ...]

Normally, the daemon does not allow a PORT command to specify an address
different than that of the control connection.  And it does not allow a
PASV connection from another address.

The port-allow clause provides a list of addresses which the specified
class of user may give on a PORT command.  These addresses will be allowed
even if they do not match the IP-address of the client-side of the control
connection.

The pasv-allow clause provides a list of addresses which the specified
class of user may make data connections from.  These addresses will be
allowed even if they do not match the IP-address of the client-side of the
control connection.

.TP 0.5i
.B lslong <command> [<options> ...]
.TP 0.5i
.B lsshort <command> [<options> ...]
.TP 0.5i