diff -u libexec/ftpd.orig/ftpd.8 libexec/ftpd/ftpd.8
--- libexec/ftpd.orig/ftpd.8 Wed Mar 20 21:36:12 2002
+++ libexec/ftpd/ftpd.8 Wed Apr 17 16:55:38 2002
@@ -40,7 +40,7 @@
 .Nd Internet File Transfer Protocol server
 .Sh SYNOPSIS
 .Nm
-.Op Fl 46ADEORSUdro
+.Op Fl 46ADEORSUdroc
 .Op Fl l Op Fl l
 .Op Fl T Ar maxtimeout
 .Op Fl a Ar address
@@ -171,6 +171,8 @@
 The inactivity timeout period is set to
 .Ar timeout
 seconds (the default is 15 minutes).
+.It Fl c
+Allow access only to users and groups in /etc/ftpchroot.
 .El
 .Pp
 The file
diff -u libexec/ftpd.orig/ftpd.c libexec/ftpd/ftpd.c
--- libexec/ftpd.orig/ftpd.c Wed Mar 20 21:36:17 2002
+++ libexec/ftpd/ftpd.c Wed Apr 17 17:48:36 2002
@@ -133,6 +133,7 @@
 int timeout = 900; /* timeout after 15 minutes of inactivity */
 int maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours */
 int logging;
+int chkchroot = 0; /* Only users in /etc/ftpchroot allowed */
 int restricted_data_ports = 1;
 int paranoid = 1; /* be extra careful about security */
 int anon_only = 0; /* Only anonymous ftp allowed */
@@ -306,7 +307,7 @@
 #endif /* OLD_SETPROCTITLE */
 
- while ((ch = getopt(argc, argv, "AdlDESURrt:T:u:vOoa:p:46")) != -1) {
+ while ((ch = getopt(argc, argv, "AdlcDESURrt:T:u:vOoa:p:46")) != -1) {
 switch (ch) {
 case 'D':
 daemon_mode++;
@@ -324,6 +325,10 @@
 logging++; /* > 1 == extra logging */
 break;
 
+ case 'c':
+ chkchroot = 1;
+ break;
+
 case 'r':
 readonly = 1;
 break;
@@ -989,6 +994,16 @@
 if (logging)
 syslog(LOG_NOTICE, "FTP LOGIN REFUSED FROM %s, %s",
+ remotehost, name);
+ pw = (struct passwd *) NULL;
+ return;
+ }
+ if ((chkchroot) &&
+ (cp == NULL || (! checkuser(_PATH_FTPCHROOT, name, 1)))) {
+ reply(530, "User %s not in ftpchroot.", name);
+ if (logging)
+ syslog(LOG_NOTICE,
+ "FTPCHROOT LOGIN REFUSED FROM %s, %s",
 remotehost, name);
 pw = (struct passwd *) NULL;
 return;
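Review bot: The comment on the new `chkchroot` global in the ftpd.c hunk at line 133 describes a narrower rule than the rest of the change: it says only users in /etc/ftpchroot are allowed, while the ftpd.8 entry added for `-c` says users and groups, and the login check reads the file through `_PATH_FTPCHROOT` rather than a literal path. Suggest `int chkchroot = 0; /* -c: admit only users/groups listed in _PATH_FTPCHROOT */` so the comment, the man page and the check stay in step. Whether group entries are actually honoured depends on checkuser(), whose body is outside this diff, so the man page wording should be confirmed against it before the flag is documented that way.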