1.\" $NetBSD: ftpd.8,v 1.85 2009/05/01 10:53:27 wiz Exp $ 2.\" 3.\" Copyright (c) 1997-2008 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Luke Mewburn. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.\" Copyright (c) 1985, 1988, 1991, 1993 31.\" The Regents of the University of California. All rights reserved. 32.\" 33.\" Redistribution and use in source and binary forms, with or without 34.\" modification, are permitted provided that the following conditions 35.\" are met: 36.\" 1. 
Redistributions of source code must retain the above copyright 37.\" notice, this list of conditions and the following disclaimer. 38.\" 2. Redistributions in binary form must reproduce the above copyright 39.\" notice, this list of conditions and the following disclaimer in the 40.\" documentation and/or other materials provided with the distribution. 41.\" 3. Neither the name of the University nor the names of its contributors 42.\" may be used to endorse or promote products derived from this software 43.\" without specific prior written permission. 44.\" 45.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 46.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 47.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 48.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 49.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 50.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 51.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 52.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 53.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 54.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 55.\" SUCH DAMAGE. 56.\" 57.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 58.\" 59.Dd May 1, 2009 60.Dt FTPD 8 61.Os 62.Sh NAME 63.Nm ftpd 64.Nd 65Internet File Transfer Protocol server 66.Sh SYNOPSIS 67.Nm 68.Op Fl 46DdHlnQqrsUuWwX 69.Op Fl a Ar anondir 70.Op Fl C Ar user Ns Op @ Ns Ar host 71.Op Fl c Ar confdir 72.Op Fl e Ar emailaddr 73.Op Fl h Ar hostname 74.Op Fl L Ar xferlogfile 75.Op Fl P Ar dataport 76.Op Fl V Ar version 77.Sh DESCRIPTION 78.Nm 79is the Internet File Transfer Protocol server process. 80The server uses the 81.Tn TCP 82protocol and listens at the port specified in the 83.Dq ftp 84service specification; see 85.Xr services 5 . 
.Pp
Available options:
.Bl -tag -width Ds
.It Fl 4
When
.Fl D
is specified, bind to IPv4 addresses only.
.It Fl 6
When
.Fl D
is specified, bind to IPv6 addresses only.
.It Fl a Ar anondir
Define
.Ar anondir
as the directory to
.Xr chroot 2
into for anonymous logins.
Default is the home directory for the ftp user.
This can also be specified with the
.Xr ftpd.conf 5
.Sy chroot
directive.
.It Fl C Ar user Ns Op @ Ns Ar host
Check whether
.Ar user
.Po
as if connecting from
.Ar host ,
if provided
.Pc
would be granted access under
the restrictions given in
.Xr ftpusers 5 ,
and exit without attempting a connection.
.Nm
exits with an exit code of 0 if access would be granted, or 1 otherwise.
This can be useful for testing configurations.
.It Fl c Ar confdir
Change the root directory of the configuration files from
.Dq Pa /etc
to
.Ar confdir .
This changes the directory for the following files:
.Pa /etc/ftpchroot ,
.Pa /etc/ftpusers ,
.Pa /etc/ftpwelcome ,
.Pa /etc/motd ,
and the file specified by the
.Xr ftpd.conf 5
.Sy limit
directive.
.It Fl D
Run as daemon.
.Nm
will listen on the default FTP port for incoming connections
and fork a child for each connection.
This is lower overhead than starting
.Nm
from
.Xr inetd 8
and thus might be useful on busy servers to reduce load.
.It Fl d
Debugging information is written to the syslog using a facility of
.Dv LOG_FTP .
.It Fl e Ar emailaddr
Use
.Ar emailaddr
for the
.Dq "\&%E"
escape sequence (see
.Sx Display file escape sequences ) .
.It Fl H
Equivalent to
.Do
-h
`hostname`
.Dc .
.It Fl h Ar hostname
Explicitly set the hostname to advertise as to
.Ar hostname .
The default is the hostname associated with the IP address that
.Nm
is listening on.
This ability (with or without
.Fl h ) ,
in conjunction with
.Fl c Ar confdir ,
is useful when configuring
.Sq virtual
.Tn FTP
servers, each listening on separate addresses as separate names.
Refer to
.Xr inetd.conf 5
for more information on starting services to listen on specific IP addresses.
.It Fl L Ar xferlogfile
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to
.Ar xferlogfile .
.It Fl l
Each successful and failed
.Tn FTP
session is logged using syslog with a facility of
.Dv LOG_FTP .
If this option is specified more than once, the retrieve (get), store (put),
append, delete, make directory, remove directory and rename operations and
their file name arguments are also logged.
.It Fl n
Don't attempt translation of IP addresses to hostnames.
.It Fl P Ar dataport
Use
.Ar dataport
as the data port, overriding the default of using the port one less
than the port
.Nm
is listening on.
.It Fl Q
Disable the use of pid files for keeping track of the number of logged-in
users per class.
This may reduce the load on heavily loaded
.Tn FTP
servers.
.It Fl q
Enable the use of pid files for keeping track of the number of logged-in
users per class.
This is the default.
.It Fl r
Permanently drop root privileges once the user is logged in.
The use of this option may result in the server using a port other
than the (listening-port - 1) for
.Sy PORT
style commands, which is contrary to the
.Cm RFC 959
specification, but in practice very few clients rely upon this behaviour.
See
.Sx SECURITY CONSIDERATIONS
below for more details.
.It Fl s
Require a secure authentication mechanism like Kerberos or S/Key to be used.
.It Fl U
Don't log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp .
This is the default.
.It Fl u
Log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp ,
making them visible to commands such as
.Xr who 1 .
.It Fl V Ar version
Use
.Ar version
as the version to advertise in the login banner and in the output of
.Sy STAT
and
.Sy SYST
instead of the default version information.
If
.Ar version
is empty or
.Sq -
then don't display any version information.
.It Fl W
Don't log each
.Tn FTP
session to
.Pa /var/log/wtmp .
.It Fl w
Log each
.Tn FTP
session to
.Pa /var/log/wtmp ,
making them visible to commands such as
.Xr last 1 .
This is the default.
.It Fl X
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to the syslog, prefixed with
.Dq "xferlog:\ " ,
using a facility of
.Dv LOG_FTP .
These syslog entries can be converted to a
.Tn wu-ftpd
style
.Pa xferlog
file suitable for input into a third-party log analysis tool with a command
similar to:
.Dl "sed -ne 's/^.*xferlog: //p' /var/log/xferlog \*[Gt] wuxferlog"
.El
.Pp
The file
.Pa /etc/nologin
can be used to disable
.Tn FTP
access.
If the file exists,
.Nm
displays it and exits.
If the file
.Pa /etc/ftpwelcome
exists,
.Nm
prints it before issuing the
.Dq ready
message.
If the file
.Pa /etc/motd
exists (under the chroot directory if applicable),
.Nm
prints it after a successful login.
This may be changed with the
.Xr ftpd.conf 5
directive
.Sy motd .
.Pp
The
.Nm
server currently supports the following
.Tn FTP
requests.
The case of the requests is ignored.
.Bl -column "Request" "Description" -offset indent
.It Sy Request Ta Sy Description
.It ABOR Ta "abort previous command"
.It ACCT Ta "specify account (ignored)"
.It ALLO Ta "allocate storage (vacuously)"
.It APPE Ta "append to a file"
.It CDUP Ta "change to parent of current working directory"
.It CWD Ta "change working directory"
.It DELE Ta "delete a file"
.It EPSV Ta "prepare for server-to-server transfer"
.It EPRT Ta "specify data connection port"
.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
.It HELP Ta "give help information"
.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
.It LPSV Ta "prepare for server-to-server transfer"
.It LPRT Ta "specify data connection port"
.It MLSD Ta "list contents of directory in a machine-processable form"
.It MLST Ta "show a pathname in a machine-processable form"
.It MKD Ta "make a directory"
.It MDTM Ta "show last modification time of file"
.It MODE Ta "specify data transfer" Em mode
.It NLST Ta "give name list of files in directory"
.It NOOP Ta "do nothing"
.It OPTS Ta "define persistent options for a given command"
.It PASS Ta "specify password"
.It PASV Ta "prepare for server-to-server transfer"
.It PORT Ta "specify data connection port"
.It PWD Ta "print the current working directory"
.It QUIT Ta "terminate session"
.It REST Ta "restart incomplete transfer"
.It RETR Ta "retrieve a file"
.It RMD Ta "remove a directory"
.It RNFR Ta "specify rename-from file name"
.It RNTO Ta "specify rename-to file name"
.It SITE Ta "non-standard commands (see next section)"
.It SIZE Ta "return size of file"
.It STAT Ta "return status of server"
.It STOR Ta "store a file"
.It STOU Ta "store a file with a unique name"
.It STRU Ta "specify data transfer" Em structure
.It SYST Ta "show operating system type of server system"
.It TYPE Ta "specify data transfer" Em type
.It USER Ta "specify user name"
.It XCUP Ta "change to parent of current working directory (deprecated)"
.It XCWD Ta "change working directory (deprecated)"
.It XMKD Ta "make a directory (deprecated)"
.It XPWD Ta "print the current working directory (deprecated)"
.It XRMD Ta "remove a directory (deprecated)"
.El
.Pp
The following non-standard or
.Ux
specific commands are supported by the SITE request.
.Pp
.Bl -column Request Description -offset indent
.It Sy Request Ta Sy Description
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
.It HELP Ta "give help information."
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
.El
.Pp
The following
.Tn FTP
requests (as specified in
.Cm RFC 959
and
.Cm RFC 2228 )
are recognized, but are not implemented:
.Sy ACCT ,
.Sy ADAT ,
.Sy AUTH ,
.Sy CCC ,
.Sy CONF ,
.Sy ENC ,
.Sy MIC ,
.Sy PBSZ ,
.Sy PROT ,
.Sy REIN ,
and
.Sy SMNT .
.Pp
The
.Nm
server will abort an active file transfer only when the
.Sy ABOR
command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
as described in Internet
.Cm RFC 959 .
If a
.Sy STAT
command is received during a data transfer, preceded by a Telnet IP
and Synch, transfer status will be returned.
.Pp
.Nm
interprets file names according to the
.Dq globbing
conventions used by
.Xr csh 1 .
This allows users to use the metacharacters
.Dq Li \&*?[]{}~ .
.Ss User authentication
.Nm
authenticates users according to five rules.
.Pp
.Bl -enum -offset indent
.It
The login name must be in the password data base,
.Xr passwd 5 ,
and not have a null password.
In this case a password must be provided by the client before any
file operations may be performed.
If the user has an S/Key key, the response from a successful
.Sy USER
command will include an S/Key challenge.
The client may choose to respond with a
.Sy PASS
command giving either
a standard password or an S/Key one-time password.
The server will automatically determine which type of password it
has been given and attempt to authenticate accordingly.
See
.Xr skey 1
for more information on S/Key authentication.
S/Key is a Trademark of Bellcore.
.It
The login name must be allowed based on the information in
.Xr ftpusers 5 .
.It
The user must have a standard shell returned by
.Xr getusershell 3 .
If the user's shell field in the password database is empty, the
shell is assumed to be
.Pa /bin/sh .
As per
.Xr shells 5 ,
the user's shell must be listed with full path in
.Pa /etc/shells .
.It
If directed by the file
.Xr ftpchroot 5
the session's root directory will be changed by
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
or to the home directory of the user.
This facility may also be triggered by enabling the boolean
.Sy ftp-chroot
in
.Xr login.conf 5 .
However, the user must still supply a password.
This feature is intended as a compromise between a fully anonymous account
and a fully privileged account.
The account should also be set up as for an anonymous account.
.It
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
anonymous
.Tn FTP
account must be present in the password
file (user
.Dq ftp ) .
In this case the user is allowed
to log in by specifying any password (by convention an email address for
the user should be used as the password).
.Pp
The server performs a
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
the
.Fl a Ar anondir
directory (if set),
or to the home directory of the
.Dq ftp
user.
.Pp
The server then performs a
.Xr chdir 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy homedir
directive (if set), otherwise to
.Pa / .
.Pp
If other restrictions are required (such as disabling of certain
commands and the setting of a specific umask), then appropriate
entries in
.Xr ftpd.conf 5
are required.
.Pp
If the first character of the password supplied by an anonymous user
is
.Dq - ,
then the verbose messages displayed at login and upon a
.Sy CWD
command are suppressed.
.El
.Ss Display file escape sequences
When
.Nm
displays various files back to the client (such as
.Pa /etc/ftpwelcome
and
.Pa /etc/motd ) ,
various escape strings are replaced with information pertinent
to the current connection.
.Pp
The supported escape strings are:
.Bl -tag -width "Escape" -offset indent -compact
.It Sy "Escape"
.Sy Description
.It "\&%c"
Class name.
.It "\&%C"
Current working directory.
.It "\&%E"
Email address given with
.Fl e .
.It "\&%L"
Local hostname.
.It "\&%M"
Maximum number of users for this class.
Displays
.Dq unlimited
if there's no limit.
.It "\&%N"
Current number of users for this class.
.It "\&%R"
Remote hostname.
.It "\&%s"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq s .
.It "\&%S"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq S .
.It "\&%T"
Current time.
.It "\&%U"
User name.
.It "\&%\&%"
A
.Dq \&%
character.
.El
.Ss Setting up a restricted ftp subtree
In order that system security is not breached, it is recommended
that the
subtrees for the
.Dq ftp
and
.Dq chroot
accounts be constructed with care, following these rules
(replace
.Dq ftp
in the following directory names
with the appropriate account name for
.Sq chroot
users):
.Bl -tag -width "~ftp/incoming" -offset indent
.It Pa ~ftp
Make the home directory owned by
.Dq root
and unwritable by anyone.
.It Pa ~ftp/bin
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
Generally any conversion commands should be installed
here (mode 111).
.It Pa ~ftp/etc
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
The files
.Pa pwd.db
(see
.Xr passwd 5 )
and
.Pa group
(see
.Xr group 5 )
must be present for the
.Sy LIST
command to be able to display owner and group names instead of numbers.
The password field in
.Xr passwd 5
is not used, and should not contain real passwords.
The file
.Pa motd ,
if present, will be printed after a successful login.
These files should be mode 444.
.It Pa ~ftp/pub
This directory and the subdirectories beneath it should be owned
by the users and groups responsible for placing files in them,
and be writable only by them (mode 755 or 775).
They should
.Em not
be owned or writable by ftp or its group.
.It Pa ~ftp/incoming
This directory is where anonymous users place files they upload.
The owners should be the user
.Dq ftp
and an appropriate group.
Members of this group will be the only users with access to these
files after they have been uploaded; these should be people who
know how to deal with them appropriately.
If you wish anonymous
.Tn FTP
users to be able to see the names of the
files in this directory the permissions should be 770, otherwise
they should be 370.
.Pp
The following
.Xr ftpd.conf 5
directives should be used:
.Dl "modify guest off"
.Dl "umask guest 0707"
.Dl "upload guest on"
.Pp
This will result in anonymous users being able to upload files to this
directory, but they will not be able to download them, delete them, or
overwrite them, due to the umask and disabling of the commands mentioned
above.
.It Pa ~ftp/tmp
This directory is used to create temporary files which contain
the error messages generated by a conversion or
.Sy LIST
command.
The owner should be the user
.Dq ftp .
The permissions should be 300.
.Pp
If you don't enable conversion commands, or don't want anonymous users
uploading files here (see
.Pa ~ftp/incoming
above), then don't create this directory.
However, error messages from conversion or
.Sy LIST
commands won't be returned to the user.
(This is the traditional behaviour.)
Note that the
.Xr ftpd.conf 5
directive
.Sy upload
can be used to prevent users uploading here.
.El
.Pp
To set up "ftp-only" accounts that provide only
.Tn FTP ,
but no valid shell
login, you can copy/link
.Pa /sbin/nologin
to
.Pa /sbin/ftplogin ,
and enter
.Pa /sbin/ftplogin
to
.Pa /etc/shells
to allow logging-in via
.Tn FTP
into the accounts, which must have
.Pa /sbin/ftplogin
as login shell.
.Sh FILES
.Bl -tag -width /etc/ftpwelcome -compact
.It Pa /etc/ftpchroot
List of normal users whose root directory should be changed via
.Xr chroot 2 .
.It Pa /etc/ftpd.conf
Configure file conversions and other settings.
.It Pa /etc/ftpusers
List of unwelcome/restricted users.
.It Pa /etc/ftpwelcome
Welcome notice before login.
.It Pa /etc/motd
Welcome notice after login.
.It Pa /etc/nologin
If it exists, displayed and access is refused.
.It Pa /var/run/ftpd.pids-CLASS
State file of logged-in processes for the
.Nm
class
.Sq CLASS .
.It Pa /var/run/utmp
List of logged-in users on the system.
.It Pa /var/log/wtmp
Login history database.
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr skey 1 ,
.Xr who 1 ,
.Xr getusershell 3 ,
.Xr ftpchroot 5 ,
.Xr ftpd.conf 5 ,
.Xr ftpusers 5 ,
.Xr login.conf 5 ,
.Xr syslogd 8
.Sh STANDARDS
.Nm
recognizes all commands in
.Cm RFC 959 ,
follows the guidelines in
.Cm RFC 1123 ,
recognizes all commands in
.Cm RFC 2228
(although they are not supported yet),
and supports the extensions from
.Cm RFC 2389 ,
.Cm RFC 2428 ,
and
.Cm RFC 3659 .
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Pp
Various features such as the
.Xr ftpd.conf 5
functionality,
.Cm RFC 2389 ,
and
.Cm RFC 3659
support was implemented in
.Nx 1.3
and later releases by Luke Mewburn.
.Sh BUGS
The server must run as the super-user to create sockets with
privileged port numbers (i.e., those less than
.Dv IPPORT_RESERVED ,
which is 1024).
If
.Nm
is listening on a privileged port
it maintains an effective user id of the logged in user, reverting
to the super-user only when binding addresses to privileged sockets.
The
.Fl r
option can be used to override this behaviour and force privileges to
be permanently revoked; see
.Sx SECURITY CONSIDERATIONS
below for more details.
.Pp
.Nm
may have trouble handling connections from scoped IPv6 addresses, or
IPv4 mapped addresses
.Po
IPv4 connection on
.Dv AF_INET6
socket
.Pc .
For the latter case, running two daemons,
one for IPv4 and one for IPv6, will avoid the problem.
.Sh SECURITY CONSIDERATIONS
.Cm RFC 959
provides no restrictions on the
.Sy PORT
command, and this can lead to security problems, as
.Nm
can be fooled into connecting to any service on any host.
With the
.Dq checkportcmd
feature of the
.Xr ftpd.conf 5 ,
.Sy PORT
commands with different host addresses, or TCP ports lower than
.Dv IPPORT_RESERVED
will be rejected.
This also prevents
.Sq third-party proxy ftp
from working.
Use of this option is
.Em strongly
recommended, and enabled by default.
.Pp
By default
.Nm
uses a port that is one less than the port it is listening on to
communicate back to the client for the
.Sy EPRT ,
.Sy LPRT ,
and
.Sy PORT
commands, unless overridden with
.Fl P Ar dataport .
As the default port for
.Nm
(21) is a privileged port below
.Dv IPPORT_RESERVED ,
.Nm
retains the ability to switch back to root privileges to bind these
ports.
In order to increase security by reducing the potential for a bug in
.Nm
providing a remote root compromise,
.Nm
will permanently drop root privileges if one of the following is true:
.Bl -enum -offset indent
.It
.Nm
is running on a port greater than
.Dv IPPORT_RESERVED
and the user has logged in as a
.Sq guest
or
.Sq chroot
user.
.It
.Nm
was invoked with
.Fl r .
.El
.Pp
Don't create
.Pa ~ftp/tmp
if you don't want anonymous users to upload files there.
That directory is only necessary if you want to display the error
messages of conversion commands to the user.
Note that if uploads are disabled with the
.Xr ftpd.conf 5
directive
.Sy upload ,
then this directory cannot be abused by the user in this way, so it
should be safe to create.
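.Pp
The following Python script is an added example and is not part of
.Nm
or the NetBSD sources.
It applies the checkportcmd policy from the first paragraph of this section
as a stand-alone check: a
.Sy PORT
target is accepted only when its address is the control connection's peer
and its port is not below IPPORT_RESERVED.
It applies the same rule to the
.Cm RFC 2428
.Sy EPRT
form, which this page lists as a data-port command but does not describe;
that extension, the function names, the (accepted, reason) result shape and
the sample addresses are the example's own assumptions.

```python
import ipaddress
import re

# Privileged-port boundary named in ftpd(8); data ports below it are refused.
IPPORT_RESERVED = 1024


def parse_port_arg(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(re.fullmatch(r"[0-9]{1,3}", f) for f in fields):
        raise ValueError("PORT needs six decimal fields")
    nums = [int(f) for f in fields]
    if max(nums) > 255:
        raise ValueError("PORT field out of range 0..255")
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def parse_eprt_arg(arg):
    """Parse an RFC 2428 EPRT argument '<d><af><d><addr><d><port><d>'
    (assumed form; this page names EPRT but does not describe its syntax)."""
    arg = arg.strip()
    if not arg:
        raise ValueError("empty EPRT argument")
    parts = arg.split(arg[0])  # '|1|192.0.2.10|1025|' -> ['', '1', addr, '1025', '']
    if len(parts) != 5 or parts[0] or parts[4]:
        raise ValueError("EPRT needs <d>af<d>addr<d>port<d>")
    af, host, port = parts[1:4]
    if not re.fullmatch(r"[0-9]{1,5}", port) or int(port) > 65535:
        raise ValueError("EPRT port out of range")
    addr = ipaddress.ip_address(host)  # raises ValueError on a malformed address
    if (af, addr.version) not in (("1", 4), ("2", 6)):
        raise ValueError("EPRT address family does not match the address")
    return addr, int(port)


PARSERS = {"PORT": parse_port_arg, "EPRT": parse_eprt_arg}


def check_data_port_command(verb, arg, control_peer):
    """checkportcmd policy: accept the requested data target only when its
    address is the control connection's peer and its port is not below
    IPPORT_RESERVED. Returns (accepted, reason); a rejected command must not
    lead to a data connection being opened."""
    parser = PARSERS.get(verb.upper())
    if parser is None:
        return False, "not a data-port command: %s" % verb
    try:
        addr, port = parser(arg)
    except ValueError as exc:
        return False, "malformed argument: %s" % exc
    if addr != ipaddress.ip_address(control_peer):
        return False, "data address %s is not the control peer %s" % (addr, control_peer)
    if port < IPPORT_RESERVED:
        return False, "data port %d is below IPPORT_RESERVED (%d)" % (port, IPPORT_RESERVED)
    return True, "accepted %s port %d" % (addr, port)


if __name__ == "__main__":
    # Constructed sample exchange: the control connection peer is 192.0.2.10.
    for verb, arg in (("PORT", "192,0,2,10,4,1"),      # 192.0.2.10:1025, accepted
                      ("PORT", "192,0,2,10,0,25"),     # port 25: below IPPORT_RESERVED
                      ("PORT", "198,51,100,7,4,1"),    # another host: rejected
                      ("EPRT", "|1|192.0.2.10|1025|")):
        print(verb, arg, "->", check_data_port_command(verb, arg, "192.0.2.10"))
```

The rejected result stands in for the error reply the server would send; the
caller never opens a data connection for it.
Comparing parsed address objects rather than the raw strings keeps different
spellings of one address from passing or failing by accident, and the
argument parsers refuse anything outside the documented field ranges before
the policy is consulted.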
.Pp
To avoid possible denial-of-service attacks,
.Sy SIZE
requests against files larger than 10240 bytes will be denied if
the current transfer
.Sy TYPE
is
.Sq Li A
(ASCII).
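.Pp
The following Python script is an added example and is not part of
.Nm
or the NetBSD sources.
It encodes the owner and mode rules from
.Sx Setting up a restricted ftp subtree
as an audit that walks an existing
.Pa ~ftp
tree and reports every deviation, so a deployment can be re-checked after
changes.
The rule table, the function names, the uids used as stand-ins and the
sample tree built by
.Fn demo
are the example's own assumptions; the script treats
.Pa ~ftp/incoming
and
.Pa ~ftp/tmp
as optional because the page leaves their presence to the administrator.

```python
import os
import shutil
import stat
import tempfile

# Owner and mode rules from ftpd(8) "Setting up a restricted ftp subtree".
# owner: "root", "ftp", or "other" (pub belongs to content maintainers, never ftp);
# modes: permitted bits of the directory; file_mode: required mode of files in it.
RULES = {
    ".":        {"owner": "root", "no_write": True},
    "bin":      {"owner": "root", "modes": (0o555,), "file_mode": 0o111},
    "etc":      {"owner": "root", "modes": (0o555,), "file_mode": 0o444},
    "pub":      {"owner": "other", "modes": (0o755, 0o775)},
    "incoming": {"owner": "ftp", "modes": (0o770, 0o370)},
    "tmp":      {"owner": "ftp", "modes": (0o300,)},
}


def check_entry(rel, st_mode, st_uid, st_gid, ftp_uid, ftp_gid, root_uid=0):
    """Findings for one entry, computed from stat fields alone so the policy
    can be exercised with constructed values or recorded output."""
    perm = stat.S_IMODE(st_mode)
    findings = []
    if not stat.S_ISDIR(st_mode):
        if rel in RULES:
            findings.append("%s: expected a directory" % rel)
        else:
            rule = RULES.get(os.path.dirname(rel))
            if rule and "file_mode" in rule and perm != rule["file_mode"]:
                findings.append("%s: mode %o, expected %o" % (rel, perm, rule["file_mode"]))
        return findings
    rule = RULES.get(rel)
    if rule is None:
        return findings
    owner = rule["owner"]
    if owner == "root" and st_uid != root_uid:
        findings.append("%s: should be owned by root, is uid %d" % (rel, st_uid))
    elif owner == "ftp" and st_uid != ftp_uid:
        findings.append("%s: should be owned by ftp, is uid %d" % (rel, st_uid))
    elif owner == "other":
        if st_uid == ftp_uid:
            findings.append("%s: must not be owned by ftp" % rel)
        if st_gid == ftp_gid and perm & 0o020:
            findings.append("%s: must not be writable by ftp's group" % rel)
        if perm & 0o002:
            findings.append("%s: must not be world-writable" % rel)
    if rule.get("no_write") and perm & 0o222:
        findings.append("%s: must not be writable by anyone, mode %o" % (rel, perm))
    if "modes" in rule and perm not in rule["modes"]:
        allowed = "/".join("%o" % m for m in rule["modes"])
        findings.append("%s: mode %o, expected %s" % (rel, perm, allowed))
    return findings


def audit_ftp_subtree(root, ftp_uid, ftp_gid, root_uid=0):
    """Walk the chroot tree at root and return all findings. Directories that
    do not exist are skipped: ~ftp/incoming and ~ftp/tmp are optional."""
    findings = []
    for rel, rule in RULES.items():
        path = os.path.normpath(os.path.join(root, rel))
        if not os.path.lexists(path):
            continue
        st = os.lstat(path)
        findings += check_entry(rel, st.st_mode, st.st_uid, st.st_gid,
                                ftp_uid, ftp_gid, root_uid)
        if "file_mode" in rule and stat.S_ISDIR(st.st_mode):
            for name in sorted(os.listdir(path)):
                cst = os.lstat(os.path.join(path, name))
                findings += check_entry(os.path.join(rel, name), cst.st_mode, cst.st_uid,
                                        cst.st_gid, ftp_uid, ftp_gid, root_uid)
    return findings


def demo():
    """Build a sample tree in a temporary directory, audit it as recommended,
    then loosen ~ftp/pub to mode 777 and audit again. The current uid stands
    in for root and a constructed uid for ftp. Returns (clean, loosened)."""
    me, my_gid = os.getuid(), os.getgid()
    ftp_uid, ftp_gid = me + 1, my_gid + 1          # constructed stand-ins
    base = tempfile.mkdtemp()
    root = os.path.join(base, "ftp")
    os.mkdir(root)
    for rel in ("bin", "etc", "pub"):
        os.mkdir(os.path.join(root, rel))
    with open(os.path.join(root, "etc", "group"), "w") as fh:
        fh.write("ftp:*:14:\n")                     # constructed sample content
    os.chmod(os.path.join(root, "etc", "group"), 0o444)
    for rel, mode in (("bin", 0o555), ("etc", 0o555), ("pub", 0o755)):
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(root, 0o555)
    clean = audit_ftp_subtree(root, ftp_uid, ftp_gid, root_uid=me)
    os.chmod(os.path.join(root, "pub"), 0o777)     # a world-writable drop box
    loosened = audit_ftp_subtree(root, ftp_uid, ftp_gid, root_uid=me)
    for path in (root, os.path.join(root, "bin"), os.path.join(root, "etc")):
        os.chmod(path, 0o755)                      # restore write bits for cleanup
    shutil.rmtree(base)
    return clean, loosened
```

Ownership is compared by numeric uid and gid, so a real run passes the ids of
the ftp account from
.Xr passwd 5
and, on a live system, leaves root_uid at 0.
Keeping the policy in check_entry() as a pure function over stat fields is
what allows the same rules to be reviewed against recorded stat output
without access to the host.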