.\" $NetBSD: tnftpd.manin,v 1.3 2019/01/29 13:35:58 lukem Exp $
.\" from NetBSD: ftpd.8,v 1.87 2018/04/28 13:38:00 riastradh Exp
.\"
.\" Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Luke Mewburn.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Copyright (c) 1985, 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
.\"
.Dd May 1, 2009
.Dt TNFTPD 8
.Os
.Sh NAME
.Nm tnftpd
.Nd
Internet File Transfer Protocol server
.Sh SYNOPSIS
.Nm
.Op Fl 46DdfHlnQqrsUuWwX
.Op Fl a Ar anondir
.Op Fl C Ar user Ns Op @ Ns Ar host
.Op Fl c Ar confdir
.Op Fl e Ar emailaddr
.Op Fl h Ar hostname
.Op Fl L Ar xferlogfile
.Op Fl P Ar dataport
.Op Fl V Ar version
.Sh DESCRIPTION
.Nm
is the Internet File Transfer Protocol server process.
The server uses the
.Tn TCP
protocol and listens at the port specified in the
.Dq ftp
service specification; see
.Xr services 5 .
.Pp
Available options:
.Bl -tag -width Ds
.It Fl 4
When
.Fl D
is specified, bind to IPv4 addresses only.
.It Fl 6
When
.Fl D
is specified, bind to IPv6 addresses only.
.It Fl a Ar anondir
Define
.Ar anondir
as the directory to
.Xr chroot 2
into for anonymous logins.
Default is the home directory for the ftp user.
This can also be specified with the
.Xr ftpd.conf 5
.Sy chroot
directive.
.It Fl C Ar user Ns Op @ Ns Ar host
Check whether
.Ar user
.Po
as if connecting from
.Ar host ,
if provided
.Pc
would be granted access under
the restrictions given in
.Xr ftpusers 5 ,
and exit without attempting a connection.
.Nm
exits with an exit code of 0 if access would be granted, or 1 otherwise.
This can be useful for testing configurations.
.It Fl c Ar confdir
Change the root directory of the configuration files from
.Dq Pa @sysconfdir@
to
.Ar confdir .
This changes the directory for the following files:
.Pa @sysconfdir@/ftpchroot ,
.Pa @sysconfdir@/ftpusers ,
.Pa @sysconfdir@/ftpwelcome ,
.Pa @sysconfdir@/motd ,
and the file specified by the
.Xr ftpd.conf 5
.Sy limit
directive.
.It Fl D
Run as daemon.
.Nm
will listen on the default FTP port for incoming connections
and fork a child for each connection.
This is lower overhead than starting
.Nm
from
.Xr inetd 8
and thus might be useful on busy servers to reduce load.
.It Fl d
Debugging information is written to the syslog using a facility of
.Dv LOG_FTP .
.It Fl e Ar emailaddr
Use
.Ar emailaddr
for the
.Dq "\&%E"
escape sequence (see
.Sx Display file escape sequences ) .
.It Fl f
Stops the
.Fl D
flag from detaching from the tty and going into the background.
.It Fl H
Equivalent to
.Do
-h
`hostname`
.Dc .
.It Fl h Ar hostname
Explicitly set the advertised hostname to
.Ar hostname .
The default is the hostname associated with the IP address that
.Nm
is listening on.
This ability (with or without
.Fl h ) ,
in conjunction with
.Fl c Ar confdir ,
is useful when configuring
.Sq virtual
.Tn FTP
servers, each listening on separate addresses as separate names.
Refer to
.Xr inetd.conf 5
for more information on starting services to listen on specific IP addresses.
.It Fl L Ar xferlogfile
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to
.Ar xferlogfile .
.It Fl l
Each successful and failed
.Tn FTP
session is logged using syslog with a facility of
.Dv LOG_FTP .
If this option is specified more than once, the retrieve (get), store (put),
append, delete, make directory, remove directory and rename operations and
their file name arguments are also logged.
.It Fl n
Don't attempt translation of IP addresses to hostnames.
.It Fl P Ar dataport
Use
.Ar dataport
as the data port, overriding the default of using the port one less
than the port
.Nm
is listening on.
.It Fl Q
Disable the use of pid files for keeping track of the number of logged-in
users per class.
This may reduce the load on heavily loaded
.Tn FTP
servers.
.It Fl q
Enable the use of pid files for keeping track of the number of logged-in
users per class.
This is the default.
.It Fl r
Permanently drop root privileges once the user is logged in.
The use of this option may result in the server using a port other
than the (listening-port - 1) for
.Sy PORT
style commands, which is contrary to the
.Cm RFC 959
specification, but in practice very few clients rely upon this behaviour.
See
.Sx SECURITY CONSIDERATIONS
below for more details.
.It Fl s
Require a secure authentication mechanism like Kerberos or S/Key to be used.
.It Fl U
Don't log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp .
This is the default.
.It Fl u
Log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp ,
making them visible to commands such as
.Xr who 1 .
.It Fl V Ar version
Use
.Ar version
as the version to advertise in the login banner and in the output of
.Sy STAT
and
.Sy SYST
instead of the default version information.
If
.Ar version
is empty or
.Sq -
then don't display any version information.
.It Fl W
Don't log each
.Tn FTP
session to
.Pa /var/log/wtmp .
.It Fl w
Log each
.Tn FTP
session to
.Pa /var/log/wtmp ,
making them visible to commands such as
.Xr last 1 .
This is the default.
.It Fl X
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to the syslog, prefixed with
.Dq "xferlog:\ " ,
using a facility of
.Dv LOG_FTP .
These syslog entries can be converted to a
.Tn wu-ftpd
style
.Pa xferlog
file suitable for input into a third-party log analysis tool with a command
similar to:
.Dl "sed -ne 's/^.*xferlog: //p' /var/log/xferlog > wuxferlog"
.El
.Pp
The file
.Pa /etc/nologin
can be used to disable
.Tn FTP
access.
If the file exists,
.Nm
displays it and exits.
If the file
.Pa @sysconfdir@/ftpwelcome
exists,
.Nm
prints it before issuing the
.Dq ready
message.
If the file
.Pa @sysconfdir@/motd
exists (under the chroot directory if applicable),
.Nm
prints it after a successful login.
This may be changed with the
.Xr ftpd.conf 5
directive
.Sy motd .
.Pp
The
.Nm
server currently supports the following
.Tn FTP
requests.
The case of the requests is ignored.
.Bl -column "Request" "Description" -offset indent
.It Sy Request Ta Sy Description
.It ABOR Ta "abort previous command"
.It ACCT Ta "specify account (ignored)"
.It ALLO Ta "allocate storage (vacuously)"
.It APPE Ta "append to a file"
.It CDUP Ta "change to parent of current working directory"
.It CWD Ta "change working directory"
.It DELE Ta "delete a file"
.It EPSV Ta "prepare for server-to-server transfer"
.It EPRT Ta "specify data connection port"
.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
.It HELP Ta "give help information"
.It LIST Ta "give a list of files in a directory" Pq Dq Li "ls -lA"
.It LPSV Ta "prepare for server-to-server transfer"
.It LPRT Ta "specify data connection port"
.It MLSD Ta "list contents of directory in a machine-processable form"
.It MLST Ta "show a pathname in a machine-processable form"
.It MKD Ta "make a directory"
.It MDTM Ta "show last modification time of file"
.It MODE Ta "specify data transfer" Em mode
.It NLST Ta "give name list of files in directory"
.It NOOP Ta "do nothing"
.It OPTS Ta "define persistent options for a given command"
.It PASS Ta "specify password"
.It PASV Ta "prepare for server-to-server transfer"
.It PORT Ta "specify data connection port"
.It PWD Ta "print the current working directory"
.It QUIT Ta "terminate session"
.It REST Ta "restart incomplete transfer"
.It RETR Ta "retrieve a file"
.It RMD Ta "remove a directory"
.It RNFR Ta "specify rename-from file name"
.It RNTO Ta "specify rename-to file name"
.It SITE Ta "non-standard commands (see next section)"
.It SIZE Ta "return size of file"
.It STAT Ta "return status of server"
.It STOR Ta "store a file"
.It STOU Ta "store a file with a unique name"
.It STRU Ta "specify data transfer" Em structure
.It SYST Ta "show operating system type of server system"
.It TYPE Ta "specify data transfer" Em type
.It USER Ta "specify user name"
.It XCUP Ta "change to parent of current working directory (deprecated)"
.It XCWD Ta "change working directory (deprecated)"
.It XMKD Ta "make a directory (deprecated)"
.It XPWD Ta "print the current working directory (deprecated)"
.It XRMD Ta "remove a directory (deprecated)"
.El
.Pp
The following non-standard or
.Ux
specific commands are supported by the SITE request.
.Pp
.Bl -column Request Description -offset indent
.It Sy Request Ta Sy Description
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
.It HELP Ta "give help information."
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
.El
.Pp
The following
.Tn FTP
requests (as specified in
.Cm RFC 959
and
.Cm RFC 2228 )
are recognized, but are not implemented:
.Sy ACCT ,
.Sy ADAT ,
.Sy AUTH ,
.Sy CCC ,
.Sy CONF ,
.Sy ENC ,
.Sy MIC ,
.Sy PBSZ ,
.Sy PROT ,
.Sy REIN ,
and
.Sy SMNT .
.Pp
The
.Nm
server will abort an active file transfer only when the
.Sy ABOR
command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
as described in Internet
.Cm RFC 959 .
If a
.Sy STAT
command is received during a data transfer, preceded by a Telnet IP
and Synch, transfer status will be returned.
.Pp
.Nm
interprets file names according to the
.Dq globbing
conventions used by
.Xr csh 1 .
This allows users to use the metacharacters
.Dq Li \&*?[]{}~ .
.Ss User authentication
.Nm
authenticates users according to five rules.
.Pp
.Bl -enum -offset indent
.It
The login name must be in the password data base,
.Xr passwd 5 ,
and not have a null password.
In this case a password must be provided by the client before any
file operations may be performed.
If the user has an S/Key key, the response from a successful
.Sy USER
command will include an S/Key challenge.
The client may choose to respond with a
.Sy PASS
command giving either
a standard password or an S/Key one-time password.
The server will automatically determine which type of password it
has been given and attempt to authenticate accordingly.
See
.Xr skey 1
for more information on S/Key authentication.
S/Key is a Trademark of Bellcore.
.It
The login name must be allowed based on the information in
.Xr ftpusers 5 .
.It
The user must have a standard shell returned by
.Xr getusershell 3 .
If the user's shell field in the password database is empty, the
shell is assumed to be
.Pa /bin/sh .
As per
.Xr shells 5 ,
the user's shell must be listed with full path in
.Pa /etc/shells .
.It
If directed by the file
.Xr ftpchroot 5
the session's root directory will be changed by
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
or to the home directory of the user.
This facility may also be triggered by enabling the boolean
.Sy ftp-chroot
in
.Xr login.conf 5 .
However, the user must still supply a password.
This feature is intended as a compromise between a fully anonymous account
and a fully privileged account.
The account should also be set up as for an anonymous account.
.It
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
anonymous
.Tn FTP
account must be present in the password
file (user
.Dq ftp ) .
In this case the user is allowed
to log in by specifying any password (by convention an email address for
the user should be used as the password).
.Pp
The server performs a
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
the
.Fl a Ar anondir
directory (if set),
or to the home directory of the
.Dq ftp
user.
.Pp
The server then performs a
.Xr chdir 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy homedir
directive (if set), otherwise to
.Pa / .
.Pp
If other restrictions are required (such as disabling of certain
commands and the setting of a specific umask), then appropriate
entries in
.Xr ftpd.conf 5
are required.
.Pp
If the first character of the password supplied by an anonymous user
is
.Dq - ,
then the verbose messages displayed at login and upon a
.Sy CWD
command are suppressed.
.El
.Ss Display file escape sequences
When
.Nm
displays various files back to the client (such as
.Pa @sysconfdir@/ftpwelcome
and
.Pa @sysconfdir@/motd ) ,
various escape strings are replaced with information pertinent
to the current connection.
.Pp
The supported escape strings are:
.Bl -tag -width "Escape" -offset indent -compact
.It Sy "Escape"
.Sy Description
.It "\&%c"
Class name.
.It "\&%C"
Current working directory.
.It "\&%E"
Email address given with
.Fl e .
.It "\&%L"
Local hostname.
.It "\&%M"
Maximum number of users for this class.
Displays
.Dq unlimited
if there's no limit.
.It "\&%N"
Current number of users for this class.
.It "\&%R"
Remote hostname.
.It "\&%s"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq s .
.It "\&%S"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq S .
.It "\&%T"
Current time.
.It "\&%U"
User name.
.It "\&%\&%"
A
.Dq \&%
character.
.El
.Ss Setting up a restricted ftp subtree
In order that system security is not breached, it is recommended
that the
subtrees for the
.Dq ftp
and
.Dq chroot
accounts be constructed with care, following these rules
(replace
.Dq ftp
in the following directory names
with the appropriate account name for
.Sq chroot
users):
.Bl -tag -width "~ftp/incoming" -offset indent
.It Pa ~ftp
Make the home directory owned by
.Dq root
and unwritable by anyone.
.It Pa ~ftp/bin
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
Generally any conversion commands should be installed
here (mode 111).
.It Pa ~ftp/etc
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
The files
.Pa pwd.db
(see
.Xr passwd 5 )
and
.Pa group
(see
.Xr group 5 )
must be present for the
.Sy LIST
command to be able to display owner and group names instead of numbers.
The password field in
.Xr passwd 5
is not used, and should not contain real passwords.
The file
.Pa motd ,
if present, will be printed after a successful login.
These files should be mode 444.
.It Pa ~ftp/pub
This directory and the subdirectories beneath it should be owned
by the users and groups responsible for placing files in them,
and be writable only by them (mode 755 or 775).
They should
.Em not
be owned or writable by ftp or its group.
.It Pa ~ftp/incoming
This directory is where anonymous users place files they upload.
The owners should be the user
.Dq ftp
and an appropriate group.
Members of this group will be the only users with access to these
files after they have been uploaded; these should be people who
know how to deal with them appropriately.
If you wish anonymous
.Tn FTP
users to be able to see the names of the
files in this directory the permissions should be 770, otherwise
they should be 370.
.Pp
The following
.Xr ftpd.conf 5
directives should be used:
.Dl "modify guest off"
.Dl "umask guest 0707"
.Dl "upload guest on"
.Pp
This will result in anonymous users being able to upload files to this
directory, but they will not be able to download them, delete them, or
overwrite them, due to the umask and disabling of the commands mentioned
above.
.It Pa ~ftp/tmp
This directory is used to create temporary files which contain
the error messages generated by a conversion or
.Sy LIST
command.
The owner should be the user
.Dq ftp .
The permissions should be 300.
.Pp
If you don't enable conversion commands, or don't want anonymous users
uploading files here (see
.Pa ~ftp/incoming
above), then don't create this directory.
However, error messages from conversion or
.Sy LIST
commands won't be returned to the user.
(This is the traditional behaviour.)
Note that the
.Xr ftpd.conf 5
directive
.Sy upload
can be used to prevent users uploading here.
.El
.Pp
To set up "ftp-only" accounts that provide only
.Tn FTP ,
but no valid shell
login, you can copy/link
.Pa /sbin/nologin
to
.Pa /sbin/ftplogin ,
and enter
.Pa /sbin/ftplogin
to
.Pa /etc/shells
to allow logging-in via
.Tn FTP
into the accounts, which must have
.Pa /sbin/ftplogin
as login shell.
.Sh FILES
.Bl -tag -width @sysconfdir@/ftpwelcome -compact
.It Pa @sysconfdir@/ftpchroot
List of normal users whose root directory should be changed via
.Xr chroot 2 .
.It Pa @sysconfdir@/ftpd.conf
Configure file conversions and other settings.
.It Pa @sysconfdir@/ftpusers
List of unwelcome/restricted users.
.It Pa @sysconfdir@/ftpwelcome
Welcome notice before login.
.It Pa @sysconfdir@/motd
Welcome notice after login.
.It Pa /etc/nologin
If it exists, displayed and access is refused.
.It Pa /var/run/ftpd.pids-CLASS
State file of logged-in processes for the
.Nm
class
.Sq CLASS .
.It Pa /var/run/utmp
List of logged-in users on the system.
.It Pa /var/log/wtmp
Login history database.
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr skey 1 ,
.Xr who 1 ,
.Xr getusershell 3 ,
.Xr ftpchroot 5 ,
.Xr ftpd.conf 5 ,
.Xr ftpusers 5 ,
.Xr login.conf 5 ,
.Xr syslogd 8
.Sh STANDARDS
.Nm
recognizes all commands in
.Cm RFC 959 ,
follows the guidelines in
.Cm RFC 1123 ,
recognizes all commands in
.Cm RFC 2228
(although they are not supported yet),
and supports the extensions from
.Cm RFC 2389 ,
.Cm RFC 2428 ,
and
.Cm RFC 3659 .
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Pp
Various features such as the
.Xr ftpd.conf 5
functionality,
.Cm RFC 2389 ,
and
.Cm RFC 3659
support were implemented in
.Nx 1.3
and later releases by Luke Mewburn.
.Sh BUGS
The server must run as the super-user to create sockets with
privileged port numbers (i.e., those less than
.Dv IPPORT_RESERVED ,
which is 1024).
If
.Nm
is listening on a privileged port
it maintains an effective user id of the logged in user, reverting
to the super-user only when binding addresses to privileged sockets.
The
.Fl r
option can be used to override this behaviour and force privileges to
be permanently revoked; see
.Sx SECURITY CONSIDERATIONS
below for more details.
.Pp
.Nm
may have trouble handling connections from scoped IPv6 addresses, or
IPv4 mapped addresses
.Po
IPv4 connection on
.Dv AF_INET6
socket
.Pc .
For the latter case, running two daemons,
one for IPv4 and one for IPv6, will avoid the problem.
.Sh SECURITY CONSIDERATIONS
.Cm RFC 959
provides no restrictions on the
.Sy PORT
command, and this can lead to security problems, as
.Nm
can be fooled into connecting to any service on any host.
With the
.Dq checkportcmd
feature of the
.Xr ftpd.conf 5 ,
.Sy PORT
commands with different host addresses, or TCP ports lower than
.Dv IPPORT_RESERVED
will be rejected.
This also prevents
.Sq third-party proxy ftp
from working.
Use of this option is
.Em strongly
recommended, and enabled by default.
.Pp
By default
.Nm
uses a port that is one less than the port it is listening on to
communicate back to the client for the
.Sy EPRT ,
.Sy LPRT ,
and
.Sy PORT
commands, unless overridden with
.Fl P Ar dataport .
As the default port for
.Nm
(21) is a privileged port below
.Dv IPPORT_RESERVED ,
.Nm
retains the ability to switch back to root privileges to bind these
ports.
In order to increase security by reducing the potential for a bug in
.Nm
providing a remote root compromise,
.Nm
will permanently drop root privileges if one of the following is true:
.Bl -enum -offset indent
.It
.Nm
is running on a port greater than
.Dv IPPORT_RESERVED
and the user has logged in as a
.Sq guest
or
.Sq chroot
user.
.It
.Nm
was invoked with
.Fl r .
.El
.Pp
Don't create
.Pa ~ftp/tmp
if you don't want anonymous users to upload files there.
That directory is only necessary if you want to display the error
messages of conversion commands to the user.
Note that if uploads are disabled with the
.Xr ftpd.conf 5
directive
.Sy upload ,
then this directory cannot be abused by the user in this way, so it
should be safe to create.
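The PORT policy described for checkportcmd earlier in this section, written out as a stand-alone shell function.
This is an added example, not tnftpd's own code; the name port_cmd_verdict, its arguments and the refusal of octets with leading zeros are assumptions of the example.

```shell
#!/bin/sh
# Added example: the PORT policy described for checkportcmd, as a check
# that can be run on its own. Not tnftpd's code; port_cmd_verdict and its
# arguments are hypothetical names.
IPPORT_RESERVED=1024

# port_cmd_verdict PEER_IPV4 PORT_ARG
#   PEER_IPV4  client address of the control connection, dotted quad
#   PORT_ARG   argument of a PORT command: h1,h2,h3,h4,p1,p2 (RFC 959)
# Prints "accept HOST PORT" or "reject: REASON"; returns 0 only on accept.
port_cmd_verdict() {
    pv_peer=$1 pv_arg=$2

    # Digits and commas only, no leading or trailing comma.
    case $pv_arg in
        ''|*[!0-9,]*|,*|*,) echo "reject: malformed argument"; return 1 ;;
    esac

    pv_ifs=$IFS; IFS=,
    set -- $pv_arg              # split into the decimal fields
    IFS=$pv_ifs
    if [ $# -ne 6 ]; then
        echo "reject: expected 6 fields, got $#"; return 1
    fi

    for pv_n in "$@"; do
        # Each field is one octet. Leading zeros are refused (an assumption
        # of this example) so no value is read as octal and the host
        # compares in canonical form.
        case $pv_n in
            ''|0?*|????*) echo "reject: bad octet '$pv_n'"; return 1 ;;
        esac
        if [ "$pv_n" -gt 255 ]; then
            echo "reject: bad octet '$pv_n'"; return 1
        fi
    done

    pv_host=$1.$2.$3.$4
    pv_port=$(( $5 * 256 + $6 ))

    # Rule 1: the data connection may only go back to the host that sent
    # the command on the control connection.
    if [ "$pv_host" != "$pv_peer" ]; then
        echo "reject: $pv_host is not the control peer $pv_peer"; return 1
    fi
    # Rule 2: never connect to a port below IPPORT_RESERVED.
    if [ "$pv_port" -lt "$IPPORT_RESERVED" ]; then
        echo "reject: port $pv_port is below IPPORT_RESERVED"; return 1
    fi
    echo "accept $pv_host $pv_port"
}
```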
.Pp
To avoid possible denial-of-service attacks,
.Sy SIZE
requests against files larger than 10240 bytes will be denied if
the current transfer
.Sy TYPE
is
.Sq Li A
(ASCII).
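An audit of the ownership and mode rules from "Setting up a restricted ftp subtree", as an added example that is not part of tnftpd or its documentation.
The function names and the four arguments (tree root, the owner expected for root-owned directories, the ftp user, the ftp group) are assumptions; directories that do not exist are skipped.

```shell
#!/bin/sh
# Added example: audit an anonymous-FTP tree against the rules in
# "Setting up a restricted ftp subtree". Not part of tnftpd; the function
# names and argument order are hypothetical.

# matches PATH PRIMARIES...: true if PATH itself satisfies the find primaries.
# -prune keeps find from descending; -user, -group and -perm are POSIX.
matches() {
    m_path=$1; shift
    [ -n "$(find "$m_path" -prune "$@" 2>/dev/null)" ]
}

# owner_mode PATH OWNER MODE...: PATH is owned by OWNER with one of the MODEs.
owner_mode() {
    om_path=$1 om_owner=$2; shift 2
    for om_mode in "$@"; do
        matches "$om_path" -user "$om_owner" -perm "$om_mode" && return 0
    done
    return 1
}

# audit_ftp_tree HOME ROOT_OWNER FTP_OWNER FTP_GROUP
# Prints one line per violation and returns 0 only when there are none.
# Example call (names assumed): audit_ftp_tree /home/ftp root ftp ftp
audit_ftp_tree() {
    a_home=$1 a_root=$2 a_ftp=$3 a_grp=$4 a_bad=0
    fail() { echo "VIOLATION: $*"; a_bad=1; }

    # ~ftp: owned by root, no write bit for user, group or other.
    matches "$a_home" -user "$a_root" ! -perm -200 ! -perm -020 ! -perm -002 ||
        fail "$a_home: want owner $a_root, unwritable by anyone"

    # ~ftp/bin and ~ftp/etc: owned by root, mode 555.
    for a_d in bin etc; do
        [ -d "$a_home/$a_d" ] || continue
        owner_mode "$a_home/$a_d" "$a_root" 555 ||
            fail "$a_home/$a_d: want owner $a_root, mode 555"
    done

    # pwd.db, group and motd in ~ftp/etc: mode 444.
    for a_f in pwd.db group motd; do
        [ -e "$a_home/etc/$a_f" ] || continue
        matches "$a_home/etc/$a_f" -perm 444 ||
            fail "$a_home/etc/$a_f: want mode 444"
    done

    # ~ftp/pub and everything beneath it: not owned by ftp or its group, and
    # not world-writable (which would make it writable by ftp).
    if [ -d "$a_home/pub" ]; then
        a_hits=$(find "$a_home/pub" \( -user "$a_ftp" -o -group "$a_grp" \
            -o -perm -002 \) 2>/dev/null)
        [ -z "$a_hits" ] ||
            fail "owned or writable by $a_ftp/$a_grp:" $a_hits
    fi

    # ~ftp/incoming: owned by ftp, mode 770 (names visible) or 370 (hidden).
    [ ! -d "$a_home/incoming" ] ||
        owner_mode "$a_home/incoming" "$a_ftp" 770 370 ||
        fail "$a_home/incoming: want owner $a_ftp, mode 770 or 370"

    # ~ftp/tmp: owned by ftp, mode 300.
    [ ! -d "$a_home/tmp" ] ||
        owner_mode "$a_home/tmp" "$a_ftp" 300 ||
        fail "$a_home/tmp: want owner $a_ftp, mode 300"

    return $a_bad
}
```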