ftpusers File Purpose Now Implemented in ftpaccessCertain accounts for the system to segment and separate tasks with specific permissions are created during Linux installation. The ftpusers file (located in /etc/ftpusers) is where accounts for system purposes are listed. It is possible that the version of wu-ftp you use with Fedora deprecates the use of this file, and instead implements the specific functionality of this file in the ftpaccess file with the commands of deny-uid/deny-gid.
The guestgroup line assigns a given group name or group names to behave exactly like the anonymous user. Here is the command:
guestgroup <groupname> [<groupname>]
This command confines the users to a specific directory structure in the same way anonymous users are confined to /var/ftp. This command also limits these users to access files for which their assigned group has permissions.
The groupname parameter can be the name of a group or that group's corresponding group ID (GID). If you use a GID as the groupname parameter, put a percentage symbol (%) in front of it. You can use this command to assign permissions to a range of group IDs, as in this example:
guestgroup %500-550
This entry restricts all users with the group IDs 500-550 to being treated as a guest group, rather than individual users. For guestgroup to work, you must set up the users' home directories with the correct permissions, exactly like the anonymous FTP user.
The guestuser line works exactly like the guestgroup command you just read about, except it specifies a user ID (UID) instead of a group ID. Here's the command:
guestuser <username> [<username>]
This command limits the guest user to files for which the user has privileges. Generally, a user has more privileges than a group, so this type of assignment can be less restrictive than the guestgroup line.
The limit command restricts the number of users in a class during given times. Here is the command, which contains fields for specifying a class, a number of users, a time range, and the name of a text file that contains an appropriate message:
limit <class> <n> <times> <message_file>
If the specified number of users from the listed class is exceeded during the given time period, the user sees the contents of the file given in the message_file parameter.
The times parameter is somewhat terse. Its format is a comma-delimited string in the form of days, hours. Valid day strings are Su, Mo, Tu, We, Th, Fr, Sa, and Any. The hours string is formatted in a 24-hour format. An example is as follows:
limit anonymous 10 MoTuWeThFr,Sa0000-2300 /home/ftp/.message_limit_anon_class
This line limits the anonymous class to 10 concurrent connections on Monday through Friday, and on Saturday from midnight to 11:00 p.m. For example, if the number of concurrent connections is exceeded at 11:00 p.m. on Saturday, the users will see the contents of the file /home/ftp/.message_limit_anon_class.
Syntax for finer control over limiting user connections can be found in the ftpaccess man page.
This line allows control over how many times a user can enter an invalid password before the FTP server terminates the session:
loginfails <number>
The default for loginfails is set to 5. This command prevents users without valid passwords from experimenting until they get it right.
Configure User Information
Providing users with information about the server and its use is a good practice for any administrator of a public FTP server. Adequate user information can help prevent user problems and eliminate tech support calls. You also can use this information to inform users of restrictions governing the use of your FTP server. User information gives you an excellent way to document how your FTP server should be used.
You can use the commands detailed in the following sections to display messages to users as they log in to the server and as they perform specific actions. The following commands enable messages to be displayed to users when logging in to the server and when an action is performed.
This command is a reference to a file that is displayed before the user receives a login prompt from the FTP server:
banner <path>
This file generally contains information to identify the server. The path is an absolute pathname relative to the system root (/), not the base of the anonymous FTP user's home. The entry might look like this:
banner /etc/rh8ftp.banner
This example uses the file named rh8ftp.banner under the /etc directory. The file can contain one or more lines of text, such as:
Welcome to Widget, Inc.'s Red Hat Linux FTP server.
This server is only for use of authorized users.
Third-party developers should use a mirror site.
When an FTP user attempts to log in, the banner is displayed like so:
$ ftp shuttle2
Connected to shuttle2.home.org.
220-Welcome to Widget, Inc.'s Red Hat Linux FTP server.
220-This server is only for use of authorized users.
220-Third-party developers should use a mirror site.
220-
220-
220 shuttle2 FTP server (Version wu-2.6.2-8) ready.
504 AUTH GSSAPI not supported.
504 AUTH KERBEROS_V4 not supported.
KERBEROS_V4 rejected as an authentication type
Name (shuttle2:phudson):
Note that the banner does not replace the greeting text that, by default, displays the hostname and server information, such as:
220 shuttle2 FTP server (Version wu-2.6.2-8) ready.
To hide version information, use the greeting command in ftpaccess with a keyword, such as terse, like so:
greeting terse
