SmbFTPD
SmbFTPD Handbook
Chapter 3 smbftpd.conf
Table of Contents
System Section
Option: ServerName
Syntax:
ServerName "Server Name"
Description:
Define the name of server. This will show when user login:
Connected to localhost.com.
220 Server Name FTP server (SmbFTPD Ver
2.0) ready.
Name (localhost:alex):
If ServerName is not set, we will use hostname which is get by
gethostname(3).
Default:
None (Use hostname)
Option: ShowProgramVersion
Syntax:
ShowProgramVersion Yes|No
Description:
Whether show the SmbFTPD program name and version. You can disable this
to avoid it is showed when login.
Connected to localhost.com.
220 Server Name FTP server (SmbFTPD Ver 2.0) ready.
Name (localhost:alex):
If ServerName is not set, we will use hostname which is get by
gethostname(3).
Default:
ShowProgramVersion Yes
Option: ListenOnAddress
Syntax:
ListenOnAddress 192.168.0.1
Description:
When -D is specified (standalone), accept connections only on the
specified address only. For example, if you have two network address, one is
172.16.1.1, the other is 61.62.63.64. You can set the ListenOnAddress
172.16.1.1 to accept traffic from intranet only.
If you would like to accept traffic from all interface, just remove this
option.
Default:
None (Listen on all interfaces)
Option: Port
Syntax:
Port prot_num|service
Deacription:
Set the FTP port for listening connections. When -D (daemon mode) is
specified, accept connections at port, specified as a numeric value or
service name, instead of at the default ``ftp'' port.
Default:
Port ftp
Option: Umask
Syntax:
Umask umask
Description:
The default file creation mode mask is set to umask, which is expected to
be an octal numeric value.
For example, if you would like file's mode to be 644 on creation, just
set the umask to 022. Refer to umask(2) for details.
Default:
Umask 022
Option: PidFile
Syntax:
PidFile /some/where/file
Description:
The pid file for ftp daemon. When using daemon mode, the ftp daemon will
write it's pid to pid file if set.
Default:
None (don't write pid)
Option: DebugMode
Syntax:
DebugMode Yes|No
Description:
og more information for debug.
Default:
DebugMode No
Option: LogCommand
Syntax:
LogCommand Yes|No
Description:
Each successful and failed ftp(1) session is logged using syslog with a
facility of LOG_FTP. If this option is set to "Yes", the retrieve (get),
store (put), append, delete, make directory, remove directory and rename
operations and their filename arguments are also logged. By default,
syslogd(8) logs these to /var/log/xferlog on FreeBSD.
Default:
LogCommand No
Option: DoWtmpLog
Syntax:
DoWtmpLog Yes|No
Description:
Log FTP session to /var/log/wtmp
Default:
DoWtmpLog No
Option: DisableEPSV
Syntax:
DisableEPSV Yes|No
Description:
Disable the EPSV command. This is useful for servers behind older
firewalls.
Default:
DisableEPSV No
Option: RestrictedPorts
Syntax:
RestrictedPorts Yes|No
Description:
With this option set to "No", ftpd will revert to historical behavior
with regard to security checks on user operations and restrictions on PORT
requests. Currently, ftpd will only honor PORT commands directed to
unprivileged ports (which is > 1024 in most OS) on the remote user's host
(which violates the FTP protocol specification but closes some security
holes).
Default:
RestrictedPorts Yes
Option: PassiveModePortRange
Syntax:
PassiveModePortRange low-high
Description:
Set the port range used in passive mode data connection. If your FTP
server is behind NAT, you might want to forward passive mode port range on
router.
For example, if you would like to use port range 40000 to 50000:
PassiveModePortRange 40000-50000
The range should be >=1024 and <=65535 (1023 < range < 65536).
Default:
Not set
Login Control
Option: MaxConnection
Syntax:
MaxConnection number
Description:
This option allows the number of simultaneous connections to a service to
be limited. If max connections is greater than 0 then connections will be
refused if this number of connections to the service are already open. A
value of zero mean an unlimited number of connections may be made.
Default:
MaxConnection 0
Option: MaxConnectionPerIP
Syntax:
MaxConnectionPerIP number
Description:
This option set the max connection per ip address. To use this option,
you must set the MaxConnection, too.
Set the value less then 2 is not recommended because many FTP clients
open more then 1 connection in single session.
Default:
MaxConnectionPerIP 0 (unlimited)
Option: VirtualUserMapping
Syntax:
VirtualUserMapping username
Description:
If you do not want to use real system user in the FTP, you have to ask
SmbFTPD to read user/password from somewhere else (set VirtualUserAuthMethod).
After pass authentication, map the user to a real user in the system. The
real user will be the owner when file is uploaded. The option
VirtualUserMapping is used to specify the real user.
For example, you can MySQL for user/password authentication. After user
login, we can map the user to "ftp" user. So the file uploaded by the user
will be owned by "ftp".
Please note that you have to set VirtualUserAuthMethod and
VirtualUserAuthConfig if you enable VirtualUserMapping.
Default:
Not set
Option: VirtualUserAuthMethod
Syntax:
VirtualUserAuthMethod mysql|pgsql|text
Description:
You can use MySQL, PostgreSQL, or text file to store virtual user's data
(home, group, password).
You would have to set the VirtualUserAuthConfig to specify the path of
auth method config.
Default:
Not set
Option: VirtualUserAuthConfig
Syntax:
VirtualUserAuthConfig /path/to/the/VirtualUserAuthMethod.conf
Description:
The config file for the VirtualUserAuthMethod. For example, if you use
MySQL:
VirtualUserAuthConfig /usr/local/etc/smbftpd/smbftpd_mysql.conf
If you use PostgreSQL:
VirtualUserAuthConfig /usr/local/etc/smbftpd/smbftpd_pgsql.conf
If you use text file:
VirtualUserAuthConfig /usr/local/etc/smbftpd/smbftpd_user.conf
If you use text file to store virtual users, you can use the command "smbftpd-user"
to create/edit/delete users.
Default:
Not set
Option: RequireValidShell
Syntax:
RequireValidShell Yes|No
Description:
When RequireValidShare=Yes, The user must have a standard shell returned
by getusershell(3). In most system, the valid shells will appear in
/etc/shells.
Default:
RequireValidShell No
Option: EmptyPasswdLogin
Syntax:
EmptyPasswdLogin Yes|No
Description:
Does the server allow users without password login.
Default:
EmptyPasswdLogin No
Option: NoLoginList
Syntax:
NoLoginList MinUID
NoLoginList /path/to/noo_login_ftp_users
NoLoginList user1,user2,@group1,@group2
Description:
List of unwelcome/restricted users. Users or groups in the list can not
login to the system.
The arguments for NoLoginList can be one of the following format:
- A user/@group string list. When using group, please add an prefix '@'.
- A absolute path to a file that contains no login user/@group.
- Minimum UID allowed. Users whose uid < MinUID is not allowed.
If using a string list, separate multi users/groups by ",". For example:
user1, user2, @group1, @group2, user3
If using file, each user/group is a new line. For example, you can create
a file named /etc/ftpusers which has the following content:
user1
user2
@group1
@group2
Default:
NoLoginList 500
Option: TimeOut
Syntax:
TimeOut seconds
Description:
The inactivity timeout period is set to timeout seconds. The default is
15 minutes.
Default:
TimeOut 900
Option: MaxTimeOut
Syntax:
MaxTimeOut seconds
Description:
A client may also request a different timeout period; the maximum period
allowed may be set to MaxTimeOut. The default limit is 2 hours.
Default:
MaxTimeOut 7200
FTP Folder Control
Option: DefaultMode
Syntax:
DefaultMode SMB|Normal
Description:
here are two modes. The SMB mode or Normal mode. The smbftpd will use the
share access rights in smb.conf under SMB mode. On the contrary, it will be
normal FTP daemon under the Normal mode.
Default:
DefaultMode Normal
Option: ExceptionList
Syntax:
ExceptionList user1,user2,@group1,@group2
Description:
You can use the ExceptionList to set users/groups that do not use the
default ftp mode that is set by DefaultMode. For example, if you would like
to use SMB mode for all users execpt wheel group, you can set the
DefaultMode to the SMB and add @wheel to the ExceptionList.
The arguments for ExceptionList can be user or group. When using group,
please add an prefix '@'. When multi users/groups, seperate by ",". For
example:
ExceptionList user1,user2,@group1,@group2
Default:
None
Option: ShareConfPath
Syntax:
ShareConfPath /some/where/smb.conf
Description:
Set the path of share configuration file "smbftp_share.conf". If DefaultMode is SMB or
DefaultMode is Normal with ExceptionList, you must set the path of samba's
config file.
I will check the following keywords in share folder setting:
- path: The path of share.
- rw: users/groups that have write privilege.
- ro: users/groups that have read only privilege.
- browseable: does the share is visible when ls in root directory. If it
is set to "no", users will not be able to see the share. But they can
still "cd" into the it.
- disable_download: Set the users/groups that can perform download
operation. If user has read only privilege on the share, you can also
add the user in "disable_download" list to disable the download
privilege for the user.
- disable_ls: Set users/groups that can see directory contents when
perform LIST command.
- disable_modify: Users/groups in the list will not able to modify
files/directories in the share. If users have read/write privilege and
is in the "disable_modify" list, they can upload files and create new
directories. But can not perform rename, delete, rmdir, chmod.
Example 1:
Here is an example that there is a share named "public" and the path is
/home/public, users in samba group have read privilege, root has write
privilege:
[public]
path = /home/public
rw = root
ro = @samba
Example 2:
Share name is private only wheel group can write, and is not browseable
when LIST, but you can cd to private share even you can see it when ls.
[private]
path = /root/ftp
rw = @wheel
browseable = no
Example 3:
The share name is upload. Users "ftp" and "anonymous" can upload files or
create new directories. But they are not able to see the files in the share.
They can not download nor modify existed files. Users in "wheel" group have
full privileges.
[upload]
path=/home/upload"
rw=ftp,@wheel
disable_ls=ftp
disable_modify=ftp
disable_download=ftp
Notice that the anonymous users "ftp" and "anonymous" are mapped to real
user "ftp". If you would like to set the privilege for these users, you
would have to use user "ftp".
Default:
None
Option: ChrootSet
Syntax:
ChrootSet user path
ChrootSet @group path
ChrootSet @ path
Description:
Users/Groups in the list will be applied to this session by changing its
root directory with chroot(2) to that specified on the "path".
The first field specifies a user or group name. If it is prefixed by an
``at'' sign, `@', it specifies a group name; the line will match each user
who is a member of this group. As a special case, a single `@' in this field
will match any user. A username is specified otherwise.
Notice: The chrooted users will use Normal mode rather then SMB mode even
they are set to use SMB mode. See option "DefaultMode".
Here are some examples:
Example 1:
When user "anonymous" login, chroot to /var/spool/ftp
ChrootSet anonymous /var/spool/ftp
Example 2:
Members in "ftpgroup" group would be changed root directory to their home
directory. For example, user alex's home directory is /home/alex, then it's
root directory would be /home/alex. If user jack's home directory is
/home/jack, its root directory would be /home/jack. We use "~" to represent
user's home directory. The system will transfer it into real path.
ChrootSet @ftpgroup ~
Example 3:
Members of "webusers" group would be changed root directory to the "public_html"
directory under their home directory, thus lowering possible impact on the
system from intrinsic insecurity of FTP.
ChrootSet @webusers ~/public_html
Example 4:
All users (a single `@') will be chroot to their home directory.
ChrootSet @ ~
Default:
None
Option: ShowSymlinks
Syntax:
ShowSymlinks Yes|No
Description:
When ShowSymlinks is No, we won't show symbolic links when listing files.
Default:
ShowSymlinks No
Option: ShowDotFiles
Syntax:
ShowDotFiles Yes|No
Description:
Do you want to show dot files (file/dir name start with ., e.g. ".cshrc")
when list files.
Default:
ShowDotFiles Yes
Option: SupportUTF8Client
Syntax:
SupportUTF8Client Yes|No
Description:
Support UTF-8 client or not. Traditional FTP does not support UTF-8. It
uses codepage for the filenames. In RFC 2640, it starts to support UTF-8 FTP
client.
If you enable SupportUTF8Client, we will tell client this FTP server
supports UTF-8. The client can choose to use UTF-8 or not by sending the
OPTS UTF8 command.
You would have to set the CharsetEncoding. We will use the encoding to
convert UTF-8 to codepage or codepage to UTF8.
Default:
SupportUTF8Client No
Option: UsingUTF8FileSystem
Syntax:
UsingUTF8FileSystem Yes|No
Description:
Whether the file system is UTF8 format or not. If the filesystem is using
UTF-8 filename, we don't have to convert the filename from UTF-8 into
codepage when client is using UTF-8 FTP.
If client is using non-UTF-8 FTP but our filesystem is UTF-8, we have to
do some filename conversion. You would have to set the CharsetEncoding. We
will use the encoding to convert UTF-8 to codepage or codepage to UTF8.
Please note that your smbftpd_share.conf should be in UTF-8 format if you
are using UTF-8 filesystem.
Default:
UsingUTF8FileSystem No
Option: CharsetEncoding
Syntax:
CharsetEncoding encoding
Description:
The charset encoding will be used to convert strings between codepage and
utf8. We will have UTF8 or non-UTF8 client and UTF8 or non-UTF8 filesystem.
We have to do some filename conversion.
Here are some suggested values for the encoding:
- For English, French, German, Italian, Spanish, Portuguese, Danish,
Norwegian, Swedish, Dutch, and other western Europe languages: CP1252
- For Traditional Chinese: CP950
- CharsetEncoding CP950
- For Simplified Chinese: CP936
- For Russian: CP1251
- For Japanese: CP932
- For Korean: CP949
- For Greek: CP1253
- For Czech: CP1250
Other posible values:
http://www.gnu.org/software/libiconv/
MS Windows locale:
http://msdn2.microsoft.com/en-us/library/ms903928.aspx
Default:
Not set
Anonymous Control
Option: AnonymousLogin
Syntax:
AnonymousLogin Yes|No
Description:
Does the server allow anonymous users login. The anonymous accounts are
"anonymous" and "ftp". To enable anonymous account, you must add an user
"ftp".
Default:
AnonymousLogin No
Option: AnonymousOnly
Syntax:
AnonymousOnly Yes|No
Description:
Does the server allow ONLY anonymous users login.
Default:
AnonymousOnly No
Option: AnonymousReadOnly
Syntax:
AnonymousReadOnly Yes|No
Description:
When anonymous user login, all commands which may modify the local file
system are disabled.
Default:
AnonymousReadOnly No
File Transfer Control
Option: TransferLog
Syntax:
TransferLog path/to/logfile
Description:
The TransferLog is the file that will record download/upload log. When
TransferLog is specified, we will log all download and upload information in
the file.
We will log the following information: Current time, remote host, user,
command, transfer type(ASCII or Binary), transfer time, bytes, and filename.
Default:
None
Option: MaxDownloadRate
Syntax:
MaxDownloadRate @grou|user rate
Description:
Configure transfer rate for download. The rate is in KB/s. You may set
multiple MaxDownloadRate lines to control rates for different users and
groups.
The first field specifies a user or group name. If it is prefixed by an
``at'' sign, `@', it specifies a group name; the line will match each user
who is a member of this group. As a special case, a single `@' in this field
will match any user. A username is specified otherwise. For example:
MaxDownloadRate @group100 100
MaxDownloadRate anonymous 20
MaxDownloadRate @friends 1000
Default:
unlimited
Option: MaxUploadRate
Syntax:
MaxUploadRate @grou|user rate
Description:
Configure transfer rate for users upload. The rate is in KB/s. You may
set multiple MaxUploadRate lines to control rates for different users and
groups.
The first field specifies a user or group name. If it is prefixed by an
``at'' sign, `@', it specifies a group name; the line will match each user
who is a member of this group. As a special case, a single `@' in this field
will match any user. A username is specified otherwise. For example:
MaxUploadRate @group100 100
MaxUploadRate anonymous 20
MaxUploadRate @friends 1000
Default:
unlimited
SSL/TLS Control
Option: SecurityPolicy
Syntax:
SecurityPolicy secure|nosecure|both
Description:
This option allow you to enable/disable SSL/TLS. There are three options
- secure, nosecure, and both.
- secure - Don't fall back into the non-secure mode if the TLS/SSL
handshake fails.
- nosecure - Disable the TLS/SSL encryption at all and allow only
non-secure clients.
- both - Allow both SSL/TLS encryption and non-secure clients.
The default is to allow both secure and non-secure connections.
Default:
SecurityPolicy nosecure
Option: EncryptionType
Syntax:
EncryptionType tls|ssl|both
Description:
We support TLS (RFC2228) and SSL encryptions. This option allow you to
set the which encryption protocol you would like to use.
- tls - Use only the RFC2228-compliant FTP-TLS negotiation mode; don't
try to negotiate something different.
- ssl - Use only the FTP-SSL compatibility mode (for early
implementations of the FTP-SSL upgrade); don't try to negotiate something
different.
- both - Accept both FTP-TLS and FTP-SSL security extensions.
Default:
EncryptionType both
Option: NormalUserMustSecure
Syntax:
NormalUserMustSecure Yes|No
Description:
When NormalUserMustSecure is set to "Yes", it require the TLS/SSL
encryption for non-anonymous users.
The propose of SSL/TLS encryption is to protect user's password and data
travel in network. Set this option on to force users using secure connection
is a good idea.
Default:
NormalUserMustSecure No
Option: AnonymDisableSecure
Syntax:
AnonymDisableSecure Yes|No
Description:
Set the AnonymDisableSecure to "Yes" if you would like to disable the
TLS/SSL encryption for anonymous users. Since the SSL/TLS is used to protect
private data, there is no reason to apply data encryption on anonymous
users.
Set this to "Yes" to save CPU resource and speed up anonymous
connections.
Default:
AnonymDisableSecure No
Option: SSLCertFile
Syntax:
SSLCertFile /path/to/server.crt
Description:
The certificate to use. This certificate will be passed to the client. If
it is not specified, it will be default to /usr/local/etc/smbftpd/ssl.crt/server.crt.
You may use the Apache+SSL's certificate which is normally located in /usr/local/apache/conf/ssl.crt/server.crt.
Default:
SSLCertFile /usr/local/etc/smbftpd/ssl.crt/server.crt
Option: SSLKeyFile
Syntax:
SSLKeyFile /path/to/server.key
Description:
The private key that matches the certificate specified by the SSLCertFile
option. Both SSLCertFile and SSLKeyFile files are assumed to be in PEM
format. Default is /usr/local/etc/smbftpd/ssl.key/server.key
You may use the Apache+SSL's private key if you are using its
certificate. The Apache+SSL's private key is usually in: /usr/local/apache/conf/ssl.key/server.key
Default:
SSLKeyFile /usr/local/etc/smbftpd/ssl.key/server.key
Option: SSLCACertFile
Syntax:
SSLCACertFile /path/to/ca-bundle.crt
Description:
Set the CA certificate verification file path. Same with Apache SSLCACertificateFile. Put your intermediate cert here.
Default:
None
Option: SSLCipherSuite
Syntax:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Description:
List the ciphers that the client is permitted to negotiate. See the Apach mod_ssl documentation for a complete list.
Default:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
|