xref: /minix/libexec/ftpd/ftpd.8 (revision 62da0113)
1.\"	$NetBSD: ftpd.8,v 1.85 2009/05/01 10:53:27 wiz Exp $
2.\"
3.\" Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
4.\" All rights reserved.
5.\"
6.\" This code is derived from software contributed to The NetBSD Foundation
7.\" by Luke Mewburn.
8.\"
9.\" Redistribution and use in source and binary forms, with or without
10.\" modification, are permitted provided that the following conditions
11.\" are met:
12.\" 1. Redistributions of source code must retain the above copyright
13.\"    notice, this list of conditions and the following disclaimer.
14.\" 2. Redistributions in binary form must reproduce the above copyright
15.\"    notice, this list of conditions and the following disclaimer in the
16.\"    documentation and/or other materials provided with the distribution.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28.\" POSSIBILITY OF SUCH DAMAGE.
29.\"
30.\" Copyright (c) 1985, 1988, 1991, 1993
31.\"	The Regents of the University of California.  All rights reserved.
32.\"
33.\" Redistribution and use in source and binary forms, with or without
34.\" modification, are permitted provided that the following conditions
35.\" are met:
36.\" 1. Redistributions of source code must retain the above copyright
37.\"    notice, this list of conditions and the following disclaimer.
38.\" 2. Redistributions in binary form must reproduce the above copyright
39.\"    notice, this list of conditions and the following disclaimer in the
40.\"    documentation and/or other materials provided with the distribution.
41.\" 3. Neither the name of the University nor the names of its contributors
42.\"    may be used to endorse or promote products derived from this software
43.\"    without specific prior written permission.
44.\"
45.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
46.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
48.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
49.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
50.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
51.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
53.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
54.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
55.\" SUCH DAMAGE.
56.\"
57.\"     @(#)ftpd.8	8.2 (Berkeley) 4/19/94
58.\"
59.Dd May 1, 2009
60.Dt FTPD 8
61.Os
62.Sh NAME
63.Nm ftpd
64.Nd
65Internet File Transfer Protocol server
66.Sh SYNOPSIS
67.Nm
68.Op Fl 46DdHlnQqrsUuWwX
69.Op Fl a Ar anondir
70.Op Fl C Ar user Ns Op @ Ns Ar host
71.Op Fl c Ar confdir
72.Op Fl e Ar emailaddr
73.Op Fl h Ar hostname
74.Op Fl L Ar xferlogfile
75.Op Fl P Ar dataport
76.Op Fl V Ar version
77.Sh DESCRIPTION
78.Nm
79is the Internet File Transfer Protocol server process.
80The server uses the
81.Tn TCP
82protocol and listens at the port specified in the
83.Dq ftp
84service specification; see
85.Xr services 5 .
86.Pp
87Available options:
88.Bl -tag -width Ds
89.It Fl 4
90When
91.Fl D
92is specified, bind to IPv4 addresses only.
93.It Fl 6
94When
95.Fl D
96is specified, bind to IPv6 addresses only.
97.It Fl a Ar anondir
98Define
99.Ar anondir
100as the directory to
101.Xr chroot 2
102into for anonymous logins.
103Default is the home directory for the ftp user.
104This can also be specified with the
105.Xr ftpd.conf 5
106.Sy chroot
107directive.
108.It Fl C Ar user Ns Op @ Ns Ar host
109Check whether
110.Ar user
111.Po
112as if connecting from
113.Ar host ,
114if provided
115.Pc
116would be granted access under
117the restrictions given in
118.Xr ftpusers 5 ,
119and exit without attempting a connection.
120.Nm
121exits with an exit code of 0 if access would be granted, or 1 otherwise.
122This can be useful for testing configurations.
123.It Fl c Ar confdir
124Change the root directory of the configuration files from
125.Dq Pa /etc
126to
127.Ar confdir .
128This changes the directory for the following files:
129.Pa /etc/ftpchroot ,
130.Pa /etc/ftpusers ,
131.Pa /etc/ftpwelcome ,
132.Pa /etc/motd ,
133and the file specified by the
134.Xr ftpd.conf 5
135.Sy limit
136directive.
137.It Fl D
138Run as daemon.
139.Nm
140will listen on the default FTP port for incoming connections
141and fork a child for each connection.
142This is lower overhead than starting
143.Nm
144from
145.Xr inetd 8
146and thus might be useful on busy servers to reduce load.
147.It Fl d
148Debugging information is written to the syslog using a facility of
149.Dv LOG_FTP .
150.It Fl e Ar emailaddr
151Use
152.Ar emailaddr
153for the
154.Dq "\&%E"
155escape sequence (see
156.Sx Display file escape sequences )
157.It Fl H
158Equivalent to
159.Do
160-h
161`hostname`
162.Dc .
163.It Fl h Ar hostname
164Explicitly set the hostname to advertise as to
165.Ar hostname .
166The default is the hostname associated with the IP address that
167.Nm
168is listening on.
169This ability (with or without
170.Fl h ) ,
171in conjunction with
172.Fl c Ar confdir ,
173is useful when configuring
174.Sq virtual
175.Tn FTP
176servers, each listening on separate addresses as separate names.
177Refer to
178.Xr inetd.conf 5
179for more information on starting services to listen on specific IP addresses.
180.It Fl L Ar xferlogfile
181Log
182.Tn wu-ftpd
183style
184.Sq xferlog
185entries to
186.Ar xferlogfile .
187.It Fl l
188Each successful and failed
189.Tn FTP
190session is logged using syslog with a facility of
191.Dv LOG_FTP .
192If this option is specified more than once, the retrieve (get), store (put),
193append, delete, make directory, remove directory and rename operations and
194their file name arguments are also logged.
195.It Fl n
196Don't attempt translation of IP addresses to hostnames.
197.It Fl P Ar dataport
198Use
199.Ar dataport
200as the data port, overriding the default of using the port one less
201that the port
202.Nm
203is listening on.
204.It Fl Q
205Disable the use of pid files for keeping track of the number of logged-in
206users per class.
207This may reduce the load on heavily loaded
208.Tn FTP
209servers.
210.It Fl q
211Enable the use of pid files for keeping track of the number of logged-in
212users per class.
213This is the default.
214.It Fl r
215Permanently drop root privileges once the user is logged in.
216The use of this option may result in the server using a port other
217than the (listening-port - 1) for
218.Sy PORT
219style commands, which is contrary to the
220.Cm RFC 959
221specification, but in practice very few clients rely upon this behaviour.
222See
223.Sx SECURITY CONSIDERATIONS
224below for more details.
225.It Fl s
226Require a secure authentication mechanism like Kerberos or S/Key to be used.
227.It Fl U
228Don't log each concurrent
229.Tn FTP
230session to
231.Pa /var/run/utmp .
232This is the default.
233.It Fl u
234Log each concurrent
235.Tn FTP
236session to
237.Pa /var/run/utmp ,
238making them visible to commands such as
239.Xr who 1 .
240.It Fl V Ar version
241Use
242.Ar version
243as the version to advertise in the login banner and in the output of
244.Sy STAT
245and
246.Sy SYST
247instead of the default version information.
248If
249.Ar version
250is empty or
251.Sq -
252then don't display any version information.
253.It Fl W
254Don't log each
255.Tn FTP
256session to
257.Pa /var/log/wtmp .
258.It Fl w
259Log each
260.Tn FTP
261session to
262.Pa /var/log/wtmp ,
263making them visible to commands such as
264.Xr last 1 .
265This is the default.
266.It Fl X
267Log
268.Tn wu-ftpd
269style
270.Sq xferlog
271entries to the syslog, prefixed with
272.Dq "xferlog:\ " ,
273using a facility of
274.Dv LOG_FTP .
275These syslog entries can be converted to a
276.Tn wu-ftpd
277style
278.Pa xferlog
279file suitable for input into a third-party log analysis tool with a command
280similar to:
281.Dl "sed -ne 's/^.*xferlog: //p' /var/log/xferlog \*[Gt] wuxferlog"
282.El
283.Pp
284The file
285.Pa /etc/nologin
286can be used to disable
287.Tn FTP
288access.
289If the file exists,
290.Nm
291displays it and exits.
292If the file
293.Pa /etc/ftpwelcome
294exists,
295.Nm
296prints it before issuing the
297.Dq ready
298message.
299If the file
300.Pa /etc/motd
301exists (under the chroot directory if applicable),
302.Nm
303prints it after a successful login.
304This may be changed with the
305.Xr ftpd.conf 5
306directive
307.Sy motd .
308.Pp
309The
310.Nm
311server currently supports the following
312.Tn FTP
313requests.
314The case of the requests is ignored.
315.Bl -column "Request" "Description" -offset indent
316.It Sy Request Ta Sy Description
317.It ABOR Ta "abort previous command"
318.It ACCT Ta "specify account (ignored)"
319.It ALLO Ta "allocate storage (vacuously)"
320.It APPE Ta "append to a file"
321.It CDUP Ta "change to parent of current working directory"
322.It CWD Ta "change working directory"
323.It DELE Ta "delete a file"
324.It EPSV Ta "prepare for server-to-server transfer"
325.It EPRT Ta "specify data connection port"
326.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
327.It HELP Ta "give help information"
328.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
329.It LPSV Ta "prepare for server-to-server transfer"
330.It LPRT Ta "specify data connection port"
331.It MLSD Ta "list contents of directory in a machine-processable form"
332.It MLST Ta "show a pathname in a machine-processable form"
333.It MKD Ta "make a directory"
334.It MDTM Ta "show last modification time of file"
335.It MODE Ta "specify data transfer" Em mode
336.It NLST Ta "give name list of files in directory"
337.It NOOP Ta "do nothing"
338.It OPTS Ta "define persistent options for a given command"
339.It PASS Ta "specify password"
340.It PASV Ta "prepare for server-to-server transfer"
341.It PORT Ta "specify data connection port"
342.It PWD Ta "print the current working directory"
343.It QUIT Ta "terminate session"
344.It REST Ta "restart incomplete transfer"
345.It RETR Ta "retrieve a file"
346.It RMD Ta "remove a directory"
347.It RNFR Ta "specify rename-from file name"
348.It RNTO Ta "specify rename-to file name"
349.It SITE Ta "non-standard commands (see next section)"
350.It SIZE Ta "return size of file"
351.It STAT Ta "return status of server"
352.It STOR Ta "store a file"
353.It STOU Ta "store a file with a unique name"
354.It STRU Ta "specify data transfer" Em structure
355.It SYST Ta "show operating system type of server system"
356.It TYPE Ta "specify data transfer" Em type
357.It USER Ta "specify user name"
358.It XCUP Ta "change to parent of current working directory (deprecated)"
359.It XCWD Ta "change working directory (deprecated)"
360.It XMKD Ta "make a directory (deprecated)"
361.It XPWD Ta "print the current working directory (deprecated)"
362.It XRMD Ta "remove a directory (deprecated)"
363.El
364.Pp
365The following non-standard or
366.Ux
367specific commands are supported by the SITE request.
368.Pp
369.Bl -column Request Description -offset indent
370.It Sy Request Ta Sy Description
371.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
372.It HELP Ta "give help information."
373.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
374.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
375.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
376.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
377.El
378.Pp
379The following
380.Tn FTP
381requests (as specified in
382.Cm RFC 959
383and
384.Cm RFC 2228 )
385are recognized, but are not implemented:
386.Sy ACCT ,
387.Sy ADAT ,
388.Sy AUTH ,
389.Sy CCC ,
390.Sy CONF ,
391.Sy ENC ,
392.Sy MIC ,
393.Sy PBSZ ,
394.Sy PROT ,
395.Sy REIN ,
396and
397.Sy SMNT .
398.Pp
399The
400.Nm
401server will abort an active file transfer only when the
402.Sy ABOR
403command is preceded by a Telnet "Interrupt Process" (IP)
404signal and a Telnet "Synch" signal in the command Telnet stream,
405as described in Internet
406.Cm RFC 959 .
407If a
408.Sy STAT
409command is received during a data transfer, preceded by a Telnet IP
410and Synch, transfer status will be returned.
411.Pp
412.Nm
413interprets file names according to the
414.Dq globbing
415conventions used by
416.Xr csh 1 .
417This allows users to use the metacharacters
418.Dq Li \&*?[]{}~ .
419.Ss User authentication
420.Nm
421authenticates users according to five rules.
422.Pp
423.Bl -enum -offset indent
424.It
425The login name must be in the password data base,
426.Xr passwd 5 ,
427and not have a null password.
428In this case a password must be provided by the client before any
429file operations may be performed.
430If the user has an S/Key key, the response from a successful
431.Sy USER
432command will include an S/Key challenge.
433The client may choose to respond with a
434.Sy PASS
435command giving either
436a standard password or an S/Key one-time password.
437The server will automatically determine which type of password it
438has been given and attempt to authenticate accordingly.
439See
440.Xr skey 1
441for more information on S/Key authentication.
442S/Key is a Trademark of Bellcore.
443.It
444The login name must be allowed based on the information in
445.Xr ftpusers 5 .
446.It
447The user must have a standard shell returned by
448.Xr getusershell 3 .
449If the user's shell field in the password database is empty, the
450shell is assumed to be
451.Pa /bin/sh .
452As per
453.Xr shells 5 ,
454the user's shell must be listed with full path in
455.Pa /etc/shells .
456.It
457If directed by the file
458.Xr ftpchroot 5
459the session's root directory will be changed by
460.Xr chroot 2
461to the directory specified in the
462.Xr ftpd.conf 5
463.Sy chroot
464directive (if set),
465or to the home directory of the user.
466This facility may also be triggered by enabling the boolean
467.Sy ftp-chroot
468in
469.Xr login.conf 5 .
470However, the user must still supply a password.
471This feature is intended as a compromise between a fully anonymous account
472and a fully privileged account.
473The account should also be set up as for an anonymous account.
474.It
475If the user name is
476.Dq anonymous
477or
478.Dq ftp ,
479an
480anonymous
481.Tn FTP
482account must be present in the password
483file (user
484.Dq ftp ) .
485In this case the user is allowed
486to log in by specifying any password (by convention an email address for
487the user should be used as the password).
488.Pp
489The server performs a
490.Xr chroot 2
491to the directory specified in the
492.Xr ftpd.conf 5
493.Sy chroot
494directive (if set),
495the
496.Fl a Ar anondir
497directory (if set),
498or to the home directory of the
499.Dq ftp
500user.
501.Pp
502The server then performs a
503.Xr chdir 2
504to the directory specified in the
505.Xr ftpd.conf 5
506.Sy homedir
507directive (if set), otherwise to
508.Pa / .
509.Pp
510If other restrictions are required (such as disabling of certain
511commands and the setting of a specific umask), then appropriate
512entries in
513.Xr ftpd.conf 5
514are required.
515.Pp
516If the first character of the password supplied by an anonymous user
517is
518.Dq - ,
519then the verbose messages displayed at login and upon a
520.Sy CWD
521command are suppressed.
522.El
523.Ss Display file escape sequences
524When
525.Nm
526displays various files back to the client (such as
527.Pa /etc/ftpwelcome
528and
529.Pa /etc/motd ) ,
530various escape strings are replaced with information pertinent
531to the current connection.
532.Pp
533The supported escape strings are:
534.Bl -tag -width "Escape" -offset indent -compact
535.It Sy "Escape"
536.Sy Description
537.It "\&%c"
538Class name.
539.It "\&%C"
540Current working directory.
541.It "\&%E"
542Email address given with
543.Fl e .
544.It "\&%L"
545Local hostname.
546.It "\&%M"
547Maximum number of users for this class.
548Displays
549.Dq unlimited
550if there's no limit.
551.It "\&%N"
552Current number of users for this class.
553.It "\&%R"
554Remote hostname.
555.It "\&%s"
556If the result of the most recent
557.Dq "\&%M"
558or
559.Dq "\&%N"
560was not
561.Dq Li 1 ,
562print an
563.Dq s .
564.It "\&%S"
565If the result of the most recent
566.Dq "\&%M"
567or
568.Dq "\&%N"
569was not
570.Dq Li 1 ,
571print an
572.Dq S .
573.It "\&%T"
574Current time.
575.It "\&%U"
576User name.
577.It "\&%\&%"
578A
579.Dq \&%
580character.
581.El
582.Ss Setting up a restricted ftp subtree
583In order that system security is not breached, it is recommended
584that the
585subtrees for the
586.Dq ftp
587and
588.Dq chroot
589accounts be constructed with care, following these rules
590(replace
591.Dq ftp
592in the following directory names
593with the appropriate account name for
594.Sq chroot
595users):
596.Bl -tag -width "~ftp/incoming" -offset indent
597.It Pa ~ftp
598Make the home directory owned by
599.Dq root
600and unwritable by anyone.
601.It Pa ~ftp/bin
602Make this directory owned by
603.Dq root
604and unwritable by anyone (mode 555).
605Generally any conversion commands should be installed
606here (mode 111).
607.It Pa ~ftp/etc
608Make this directory owned by
609.Dq root
610and unwritable by anyone (mode 555).
611The files
612.Pa pwd.db
613(see
614.Xr passwd 5 )
615and
616.Pa group
617(see
618.Xr group 5 )
619must be present for the
620.Sy LIST
621command to be able to display owner and group names instead of numbers.
622The password field in
623.Xr passwd 5
624is not used, and should not contain real passwords.
625The file
626.Pa motd ,
627if present, will be printed after a successful login.
628These files should be mode 444.
629.It Pa ~ftp/pub
630This directory and the subdirectories beneath it should be owned
631by the users and groups responsible for placing files in them,
632and be writable only by them (mode 755 or 775).
633They should
634.Em not
635be owned or writable by ftp or its group.
636.It Pa ~ftp/incoming
637This directory is where anonymous users place files they upload.
638The owners should be the user
639.Dq ftp
640and an appropriate group.
641Members of this group will be the only users with access to these
642files after they have been uploaded; these should be people who
643know how to deal with them appropriately.
644If you wish anonymous
645.Tn FTP
646users to be able to see the names of the
647files in this directory the permissions should be 770, otherwise
648they should be 370.
649.Pp
650The following
651.Xr ftpd.conf 5
652directives should be used:
653.Dl "modify guest off"
654.Dl "umask  guest 0707"
655.Dl "upload guest on"
656.Pp
657This will result in anonymous users being able to upload files to this
658directory, but they will not be able to download them, delete them, or
659overwrite them, due to the umask and disabling of the commands mentioned
660above.
661.It Pa ~ftp/tmp
662This directory is used to create temporary files which contain
663the error messages generated by a conversion or
664.Sy LIST
665command.
666The owner should be the user
667.Dq ftp .
668The permissions should be 300.
669.Pp
670If you don't enable conversion commands, or don't want anonymous users
671uploading files here (see
672.Pa ~ftp/incoming
673above), then don't create this directory.
674However, error messages from conversion or
675.Sy LIST
676commands won't be returned to the user.
677(This is the traditional behaviour.)
678Note that the
679.Xr ftpd.conf 5
680directive
681.Sy upload
682can be used to prevent users uploading here.
683.El
684.Pp
685To set up "ftp-only" accounts that provide only
686.Tn FTP ,
687but no valid shell
688login, you can copy/link
689.Pa /sbin/nologin
690to
691.Pa /sbin/ftplogin ,
692and enter
693.Pa /sbin/ftplogin
694to
695.Pa /etc/shells
696to allow logging-in via
697.Tn FTP
698into the accounts, which must have
699.Pa /sbin/ftplogin
700as login shell.
701.Sh FILES
702.Bl -tag -width /etc/ftpwelcome -compact
703.It Pa /etc/ftpchroot
704List of normal users whose root directory should be changed via
705.Xr chroot 2 .
706.It Pa /etc/ftpd.conf
707Configure file conversions and other settings.
708.It Pa /etc/ftpusers
709List of unwelcome/restricted users.
710.It Pa /etc/ftpwelcome
711Welcome notice before login.
712.It Pa /etc/motd
713Welcome notice after login.
714.It Pa /etc/nologin
715If it exists, displayed and access is refused.
716.It Pa /var/run/ftpd.pids-CLASS
717State file of logged-in processes for the
718.Nm
719class
720.Sq CLASS .
721.It Pa /var/run/utmp
722List of logged-in users on the system.
723.It Pa /var/log/wtmp
724Login history database.
725.El
726.Sh SEE ALSO
727.Xr ftp 1 ,
728.Xr skey 1 ,
729.Xr who 1 ,
730.Xr getusershell 3 ,
731.Xr ftpchroot 5 ,
732.Xr ftpd.conf 5 ,
733.Xr ftpusers 5 ,
734.Xr login.conf 5 ,
735.Xr syslogd 8
736.Sh STANDARDS
737.Nm
738recognizes all commands in
739.Cm RFC 959 ,
740follows the guidelines in
741.Cm RFC 1123 ,
742recognizes all commands in
743.Cm RFC 2228
744(although they are not supported yet),
745and supports the extensions from
746.Cm RFC 2389 ,
747.Cm RFC 2428 ,
748and
749.Cm RFC 3659 .
750.Sh HISTORY
751The
752.Nm
753command appeared in
754.Bx 4.2 .
755.Pp
756Various features such as the
757.Xr ftpd.conf 5
758functionality,
759.Cm RFC 2389 ,
760and
761.Cm RFC 3659
762support was implemented in
763.Nx 1.3
764and later releases by Luke Mewburn.
765.Sh BUGS
766The server must run as the super-user to create sockets with
767privileged port numbers (i.e, those less than
768.Dv IPPORT_RESERVED ,
769which is 1024).
770If
771.Nm
772is listening on a privileged port
773it maintains an effective user id of the logged in user, reverting
774to the super-user only when binding addresses to privileged sockets.
775The
776.Fl r
777option can be used to override this behaviour and force privileges to
778be permanently revoked; see
779.Sx SECURITY CONSIDERATIONS
780below for more details.
781.Pp
782.Nm
783may have trouble handling connections from scoped IPv6 addresses, or
784IPv4 mapped addresses
785.Po
786IPv4 connection on
787.Dv AF_INET6
788socket
789.Pc .
790For the latter case, running two daemons,
791one for IPv4 and one for IPv6, will avoid the problem.
792.Sh SECURITY CONSIDERATIONS
793.Cm RFC 959
794provides no restrictions on the
795.Sy PORT
796command, and this can lead to security problems, as
797.Nm
798can be fooled into connecting to any service on any host.
799With the
800.Dq checkportcmd
801feature of the
802.Xr ftpd.conf 5 ,
803.Sy PORT
804commands with different host addresses, or TCP ports lower than
805.Dv IPPORT_RESERVED
806will be rejected.
807This also prevents
808.Sq third-party proxy ftp
809from working.
810Use of this option is
811.Em strongly
812recommended, and enabled by default.
813.Pp
814By default
815.Nm
816uses a port that is one less than the port it is listening on to
817communicate back to the client for the
818.Sy EPRT ,
819.Sy LPRT ,
820and
821.Sy PORT
822commands, unless overridden with
823.Fl P Ar dataport .
824As the default port for
825.Nm
826(21) is a privileged port below
827.Dv IPPORT_RESERVED ,
828.Nm
829retains the ability to switch back to root privileges to bind these
830ports.
831In order to increase security by reducing the potential for a bug in
832.Nm
833providing a remote root compromise,
834.Nm
835will permanently drop root privileges if one of the following is true:
836.Bl -enum -offset indent
837.It
838.Nm
839is running on a port greater than
840.Dv IPPORT_RESERVED
841and the user has logged in as a
842.Sq guest
843or
844.Sq chroot
845user.
846.It
847.Nm
848was invoked with
849.Fl r .
850.El
851.Pp
852Don't create
853.Pa ~ftp/tmp
854if you don't want anonymous users to upload files there.
855That directory is only necessary if you want to display the error
856messages of conversion commands to the user.
857Note that if uploads are disabled with the
858.Xr ftpd.conf 5
859directive
860.Sy upload ,
861then this directory cannot be abused by the user in this way, so it
862should be safe to create.
863.Pp
864To avoid possible denial-of-service attacks,
865.Sy SIZE
866requests against files larger than 10240 bytes will be denied if
867the current transfer
868.Sy TYPE
869is
870.Sq Li A
871(ASCII).
872