.\" $OpenBSD: ftpd.8,v 1.76 2019/05/08 23:56:48 tedu Exp $
.\" $NetBSD: ftpd.8,v 1.8 1996/01/14 20:55:23 thorpej Exp $
.\"
.\" Copyright (c) 1985, 1988, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)ftpd.8	8.2 (Berkeley) 4/19/94
.\"
.Dd $Mdocdate: May 8 2019 $
.Dt FTPD 8
.Os
.Sh NAME
.Nm ftpd
.Nd Internet File Transfer Protocol server
.Sh SYNOPSIS
.Nm ftpd
.Op Fl 46ADdlMnPSUW
.Op Fl m Ar minuid
.Op Fl T Ar maxtimeout
.Op Fl t Ar timeout
.Op Fl u Ar mask
.Sh DESCRIPTION
.Nm
is the Internet File Transfer Protocol server process.
The server uses the TCP protocol
and listens at the port specified in the
.Dq ftp
service specification; see
.Xr services 5 .
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 4
When
.Fl D
is specified, forces
.Nm
to use IPv4 addresses only.
.It Fl 6
When
.Fl D
is specified, forces
.Nm
to use IPv6 addresses only.
.It Fl A
Permit only anonymous FTP connections
(unless the
.Fl n
option is specified),
accounts listed in
.Pa /etc/ftpchroot
or users in a login class with the
.Dq ftp-chroot
variable set (see below).
Other connection attempts are refused.
.It Fl D
With this option set,
.Nm
will detach and become a daemon, accepting connections on the FTP port and
forking child processes to handle them.
This has lower overhead than starting
.Nm
from
.Xr inetd 8
and is thus useful on busy servers to reduce load.
.It Fl d
Debugging information is written to the syslog using
.Dv LOG_FTP .
.It Fl l
Each successful and failed
FTP session is logged using syslog with a facility of
.Dv LOG_FTP .
If this option is specified twice, the retrieve (get), store (put), append,
delete, make directory, remove directory and rename operations and
their filename arguments are also logged.
.It Fl M
Enables multihomed mode.
Instead of simply using
.Pa ~ftp
for anonymous transfers, a directory matching the fully qualified name of
the IP number the client connected to, and located inside
.Pa ~ftp ,
is used instead.
.It Fl m Ar minuid
Disallow login to user accounts with a UID below
.Ar minuid .
The default is 1000, to prevent access to administrative and daemon accounts.
Anonymous access is allowed even if the UID of the FTP user is smaller than
.Ar minuid .
.It Fl n
Do not permit anonymous FTP logins.
Normally they are permitted.
.It Fl P
Permit illegal port numbers or addresses for PORT command initiated connects.
By default
.Nm
violates the RFC and thus constrains the PORT command to non-reserved ports
and requires it use the same source address as the connection came from.
This prevents the "FTP bounce attack" against services on both the local
machine and other local machines.
.It Fl S
With this option set,
.Nm
logs all anonymous downloads to the file
.Pa /var/log/ftpd
when this file exists.
.It Fl T Ar maxtimeout
A client may also request a different timeout period;
the maximum period allowed may be set to
.Ar maxtimeout
seconds with the
.Fl T
option.
The default limit is 2 hours.
.It Fl t Ar timeout
The inactivity timeout period is set to
.Ar timeout
seconds (the default is 15 minutes).
.It Fl U
Each concurrent
FTP session is logged to the file
.Pa /var/run/utmp ,
making them visible to commands such as
.Xr who 1 .
.Fl U
and
.Fl W
are mutually exclusive.
.It Fl u Ar mask
Force the umask to
.Ar mask ,
instead of the default specified in
.Pa /etc/login.conf
(usually 022).
Also disallows chmod.
.It Fl W
Do not save login records to
.Pa /var/log/wtmp .
.Fl W
and
.Fl U
are mutually exclusive.
.El
.Pp
The file
.Pa /etc/nologin
can be used to disable FTP access.
If the file exists,
.Nm
displays it and exits.
Note: this method will disable
.Em all
non-root logins; see
.Xr login 1
for further details.
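.Pp
The following is an added example, not code from the ftpd sources: it models the default PORT-argument policy described under the -P option above (reserved ports refused, and the address must equal the control connection's peer), so an operator can see exactly which requests -P would start accepting. The sample arguments, the 192.0.2.10 peer address and the function names are constructed for the illustration.

```python
# Added example (not ftpd's own code): model the default PORT-argument policy
# described under -P above (reserved ports refused, address must match the
# control connection's peer), so an operator can see what -P would relax.
import ipaddress

RESERVED_PORT_MAX = 1023   # ports 0-1023 are the reserved (privileged) ports


def parse_port_argument(arg):
    """Parse an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port).
    Raises ValueError on malformed input."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated decimal fields")
    nums = [int(p) for p in parts]          # ValueError if a field is not decimal
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each PORT field must be in 0-255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def port_request_allowed(arg, control_peer, permit_illegal=False):
    """Decide whether a PORT argument would be accepted.

    control_peer is the source address of the FTP control connection.
    permit_illegal=True models the -P flag, which lifts both restrictions.
    Returns (allowed, reason)."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"refused: malformed argument ({exc})"
    if permit_illegal:
        return True, f"accepted (-P): {ip}:{port} without checks"
    if port <= RESERVED_PORT_MAX:
        return False, f"refused: port {port} is a reserved port"
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer):
        return False, f"refused: {ip} differs from control peer {control_peer}"
    return True, f"accepted: {ip}:{port}"


# Constructed PORT arguments from a client whose control connection came
# from 192.0.2.10 (a documentation address, not a real host).
SAMPLE_REQUESTS = [
    "192,0,2,10,4,1",     # same host, port 1025
    "192,0,2,10,0,25",    # same host, reserved port 25
    "192,0,2,99,4,1",     # different host, port 1025
    "192,0,2,10,4",       # malformed (five fields)
]


def check_samples(control_peer="192.0.2.10", permit_illegal=False):
    """Map each sample argument to its allow/refuse decision."""
    return {a: port_request_allowed(a, control_peer, permit_illegal)[0]
            for a in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for arg in SAMPLE_REQUESTS:
        print(arg, "->", port_request_allowed(arg, "192.0.2.10")[1])
```

Running the module prints one decision per sample; with permit_illegal=True only the malformed argument is still refused, which is the whole difference the -P flag makes.
.Pp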
If the file
.Pa /etc/ftpwelcome
exists,
.Nm
prints it before issuing the
.Dq ready
message.
If the welcome file exists
.Pa ( /etc/motd
by default),
.Nm
prints it after a successful login.
If the file
.Pa .message
exists in a directory,
.Nm
prints it when that directory is entered.
.Pp
The FTP server currently supports the following FTP requests.
The case of the requests is ignored.
.Bl -column "Request" -offset indent
.It Sy Request Ta Sy Description
.It ABOR Ta "abort previous command"
.It ACCT Ta "specify account (not implemented)"
.It ALLO Ta "allocate storage (vacuously)"
.It APPE Ta "append to a file"
.It CDUP Ta "change to parent of current working directory"
.It CWD Ta "change working directory"
.It DELE Ta "delete a file"
.It EPRT Ta "specify data connection port"
.It EPSV Ta "prepare for server-to-server transfer"
.It HELP Ta "give help information"
.It LIST Ta "give list of files in a directory" Pq Li "ls -lgA"
.It LPRT Ta "specify data connection port"
.It LPSV Ta "prepare for server-to-server transfer"
.It MDTM Ta "show last modification time of file"
.It MKD Ta "make a directory"
.It MODE Ta "specify data transfer" Em mode
.It NLST Ta "give name list of files in directory"
.It NOOP Ta "do nothing"
.It PASS Ta "specify password"
.It PASV Ta "prepare for server-to-server transfer"
.It PORT Ta "specify data connection port"
.It PWD Ta "print the current working directory"
.It QUIT Ta "terminate session"
.It REIN Ta "reinitialize (not implemented)"
.It REST Ta "restart incomplete transfer"
.It RETR Ta "retrieve a file"
.It RMD Ta "remove a directory"
.It RNFR Ta "specify rename-from file name"
.It RNTO Ta "specify rename-to file name"
.It SITE Ta "non-standard commands (see next section)"
.It SIZE Ta "return size of file"
.It SMNT Ta "structure mount (not implemented)"
.It STAT Ta "return status of server"
.It STOR Ta "store a file"
.It STOU Ta "store a file with a unique name"
.It STRU Ta "specify data transfer" Em structure
.It SYST Ta "show operating system type of server system"
.It TYPE Ta "specify data transfer" Em type
.It USER Ta "specify user name; not valid after login"
.It XCUP Ta "change to parent of current working directory (deprec.)"
.It XCWD Ta "change working directory (deprecated)"
.It XMKD Ta "make a directory (deprecated)"
.It XPWD Ta "print the current working directory (deprecated)"
.It XRMD Ta "remove a directory (deprecated)"
.El
.Pp
The following non-standard or UNIX specific commands
are supported by the SITE request:
.Bl -column Request -offset indent
.It Sy Request Ta Sy Description
.It CHMOD Ta "change mode of a file, e.g., SITE CHMOD 755 filename"
.It HELP Ta "give help information"
.It IDLE Ta "set idle-timer, e.g., SITE IDLE 60"
.It UMASK Ta "change umask, e.g., SITE UMASK 002"
.El
.Pp
The remaining FTP requests specified in Internet RFC 959 are recognized,
but not implemented.
MDTM and SIZE are specified in RFC 3659.
.Pp
The FTP server will abort an active file transfer only when the
ABOR
command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
as described in Internet RFC 959.
If a
STAT
command is received during a data transfer, preceded by a Telnet IP
and Synch, transfer status will be returned.
.Pp
.Nm
interprets file names according to the
.Dq globbing
conventions used by
.Xr csh 1 .
This allows users to utilize the metacharacters
.Dq Li \&*?[]{}~ .
.Pp
.Nm
authenticates users by using the service and type of
.Ar ftp ,
as defined in the
.Pa /etc/login.conf
file (see
.Xr login.conf 5 ) .
An authentication style
may be specified by appending a colon
.Pq Sq :\&
and the style name to the login name, e.g.\&
.Dq joe:skey .
The allowed authentication styles for
.Nm
may be explicitly specified by the
.Dq auth-ftp
entry in
.Pa /etc/login.conf .
.Pp
.Nm
authenticates users according to the following rules.
.Bl -enum -offset indent
.It
The login name must be in the password database and not have a null password.
In this case a password must be provided by the client before any
file operations may be performed.
.It
The login name must not appear in the file
.Pa /etc/ftpusers .
.It
The user account must have a UID not less than
.Ar minuid .
.It
The user must have a standard shell as described by
.Xr shells 5 .
.It
If the user name appears in the file
.Pa /etc/ftpchroot ,
which is a text file containing one user name per line,
the session's root will be changed to the user's login directory by
.Xr chroot 2
as for an
.Dq anonymous
or
.Dq ftp
account (see next item).
However, the user must still supply a password.
This feature is intended as a compromise between a fully anonymous account
and a fully privileged account.
The account should also be set up as for an anonymous account.
.It
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
anonymous FTP account must be present in the password
file (user
.Dq ftp ) .
In this case the user is allowed
to log in by specifying any password (by convention an email address for
the user should be used as the password).
.El
.Pp
Once a user is authenticated the user must be approved by any approval
script defined (see
.Xr login.conf 5 ) .
If a valid approval script (by either :approve=...: or :approve-ftp=...:
for the user's class) is defined then it is run and must exit with a 0
(success) status.
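.Pp
The following is an added example, not code from the ftpd sources: it applies the six login rules listed above to constructed account data so an administrator can predict which names the daemon would refuse, accept, accept-and-chroot, or treat as anonymous. The account records, the class names and the evaluate_login/sample_decisions functions are inventions of this example; corner cases the page does not spell out (for instance the "ftp" name itself appearing in /etc/ftpusers) are not modeled.

```python
# Added example (not ftpd's own code): a model of the six login rules listed
# above, applied to constructed account data so an administrator can predict
# which logins the daemon would accept, chroot, or refuse.
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    uid: int
    password_hash: str   # "" models a null password field
    shell: str


@dataclass
class FtpdConfig:
    minuid: int = 1000                          # -m default from the page
    anonymous_permitted: bool = True            # cleared by -n
    ftpusers: frozenset = frozenset()           # names from /etc/ftpusers
    ftpchroot: frozenset = frozenset()          # names from /etc/ftpchroot
    shells: frozenset = frozenset()             # shells from /etc/shells


def evaluate_login(login, passwd_db, cfg):
    """Return (decision, reason); decision is one of
    'deny', 'allow', 'allow-chroot' or 'anonymous'."""
    # Rule 6: the anonymous names need only an 'ftp' account; the minuid
    # and shell checks do not apply to them (see -m above).
    if login in ("anonymous", "ftp"):
        if not cfg.anonymous_permitted:
            return "deny", "anonymous logins disabled (-n)"
        if "ftp" not in passwd_db:
            return "deny", "no 'ftp' account in the password database"
        return "anonymous", "chroot to ~ftp; any password accepted"
    # Rule 1: known account with a non-null password.
    acct = passwd_db.get(login)
    if acct is None or acct.password_hash == "":
        return "deny", "unknown login or null password"
    # Rule 2: not listed in /etc/ftpusers.
    if login in cfg.ftpusers:
        return "deny", "listed in /etc/ftpusers"
    # Rule 3: UID not below minuid.
    if acct.uid < cfg.minuid:
        return "deny", f"uid {acct.uid} below minuid {cfg.minuid}"
    # Rule 4: a standard shell from /etc/shells.
    if acct.shell not in cfg.shells:
        return "deny", f"shell {acct.shell} not in /etc/shells"
    # Rule 5: listed in /etc/ftpchroot: password still required, but chrooted.
    if login in cfg.ftpchroot:
        return "allow-chroot", "password required; chroot to login directory"
    return "allow", "password required; no chroot"


# Constructed sample data (not taken from any real system).
SAMPLE_PASSWD = {
    "root":  Account("root",  0,    "$hash$", "/bin/ksh"),
    "ftp":   Account("ftp",   200,  "*",      "/sbin/nologin"),
    "alice": Account("alice", 1001, "$hash$", "/bin/ksh"),
    "bob":   Account("bob",   1002, "$hash$", "/bin/ksh"),
    "carol": Account("carol", 1003, "$hash$", "/usr/local/bin/oddsh"),
    "guest": Account("guest", 1004, "",       "/bin/ksh"),
}
SAMPLE_CONFIG = FtpdConfig(
    ftpusers=frozenset({"bob"}),
    ftpchroot=frozenset({"alice"}),
    shells=frozenset({"/bin/sh", "/bin/ksh", "/bin/csh"}),
)


def sample_decisions(cfg=SAMPLE_CONFIG):
    """Decision for every name in the sample database plus 'anonymous'."""
    names = list(SAMPLE_PASSWD) + ["anonymous"]
    return {n: evaluate_login(n, SAMPLE_PASSWD, cfg)[0] for n in names}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:10s} {decision}")
```

The rules are checked in the order the page lists them, so the reason string reports the first rule that fails; raising minuid or removing a shell from the /etc/shells set flips accounts to "deny" without touching the anonymous path, which is the asymmetry the -m text describes.
.Pp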
When
.Nm
is running under the
.Fl D
flag (and debugging is not turned on) then the approval script will be
called with at least the following variables specified via the
.Fl v
option (see
.Xr login.conf 5 )
to the approve script:
.Bl -column "Variable" -offset indent
.It Sy Variable Ta Sy Description
.It FTPD_HOST Ta "The server's (virtual) hostname"
.El
.Pp
For example (the line is broken to fit the page):
.Bd -literal -offset indent
/usr/libexec/auth/approve_ftpd -v FTPD_HOST=ftp.mycompany.com \e
    username class service
.Ed
.Pp
When the user logs in to the anonymous FTP account,
.Nm
takes special measures to restrict the client's access privileges.
The server performs a
.Xr chroot 2
to the home directory of the
.Dq ftp
user.
In order that system security is not breached, it is recommended
that the
.Dq ftp
subtree be constructed with care, following these rules:
.Bl -tag -width "~ftp/pub" -offset indent
.It Pa ~ftp
Make the home directory owned by
.Dq root
and unwritable by anyone (mode 555).
.It Pa ~ftp/etc
Make this directory owned by
.Dq root
and unwritable by anyone (mode 511).
The files pwd.db (see
.Xr pwd_mkdb 8 )
and
.Xr group 5
must be present for the
.Xr ls 1
command to be able to produce owner names rather than numbers.
The password field in
.Pa pwd.db
is not used, and should not contain real passwords.
The file
.Pa motd ,
if present, will be printed after a successful login.
These files should be mode 444.
.It Pa ~ftp/pub
Make this directory mode 555 and owned by
.Dq root .
This is traditionally where publicly accessible files are
stored for download.
.El
.Pp
If logging to the
.Pa /var/log/ftpd
file is enabled, information will be written in the following format:
.Pp
.Bl -tag -width XXXXXXXXXXXXXX -offset indent -compact
.It time
The time and date of the download, in
.Xr ctime 3
format.
.It elapsed time
The elapsed time, in seconds.
.It remote host
The remote host (or IP number).
.It bytes
The number of bytes transferred.
.It path
The full path (relative to the FTP chroot space) of the file transferred.
.It type
The type of transfer; either
.Sq a
for ASCII or
.Sq b
for binary.
.It unused
Unused field containing a
.Sq * ,
for compatibility.
.It unused
Unused field containing an
.Sq o ,
for compatibility.
.It user type
The type of user; either
.Sq a
for anonymous or
.Sq r
for a real user (should always be anonymous).
.It name
Either a system login name or the value given for
.Dq email address
if an anonymous user.
.It service name
The network service name (always ftp).
.It unused
Unused field containing a
.Sq 0 ,
for compatibility.
.It real name
The system login name if the connection is not anonymous, or a
.Sq *
if it is.
.\" .It virtual host
.\" The virtual host that the connection was made to.
.El
.Pp
Although fields exist for logging information on real users, this file is
only used for anonymous downloads.
Unused fields exist only for compatibility with other
.Nm
implementations.
.Sh LOGIN.CONF VARIABLES
The
.Nm
daemon uses the following FTP-specific parameters:
.Bl -tag -width ftp-chroot
.It Pa auth-ftp
The list of authentication types available to this class.
See
.Xr login.conf 5 .
.It Pa ftp-chroot
A boolean value.
If set, users in this class will be automatically chrooted to
the user's login directory.
.It Pa ftp-dir
A path to a directory.
This value overrides the login directory for users in this class.
A leading tilde
.Pq Ql ~
in
.Pa ftp-dir
will be expanded to the user's home directory based on the
contents of the password database.
.It Pa welcome
The path of the file containing the welcome message.
If this variable is not set,
.Pa /etc/motd
is used.
.El
.Sh PORT ALLOCATION
For passive mode data connections,
.Nm
will listen to a random high TCP port.
The interval of ports used is configurable using the
.Xr sysctl 8
variables
.Va net.inet.ip.porthifirst
and
.Va net.inet.ip.porthilast .
.Sh FILES
.Bl -tag -width /etc/ftpwelcome -compact
.It Pa /etc/ftpchroot
list of normal users who should be chrooted
.It Pa /etc/ftpusers
list of unwelcome/restricted users
.It Pa /etc/ftpwelcome
welcome notice
.It Pa /etc/login.conf
authentication styles
.It Pa /etc/motd
printed after a successful login
.It Pa /etc/nologin
displayed and access refused
.It Pa /var/log/ftpd
log file for anonymous downloads
.It Pa /var/log/wtmp
login account records
.It Pa /var/run/utmp
list of users on the system
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr login 1 ,
.Xr skey 1 ,
.Xr who 1 ,
.Xr chroot 2 ,
.Xr ctime 3 ,
.Xr group 5 ,
.Xr login.conf 5 ,
.Xr motd 5 ,
.Xr services 5 ,
.Xr shells 5 ,
.Xr ftp-proxy 8 ,
.Xr inetd 8 ,
.Xr pwd_mkdb 8 ,
.Xr sysctl 8 ,
.Xr syslogd 8
.Sh STANDARDS
.Rs
.%A J. Postel
.%A J. Reynolds
.%D October 1985
.%R RFC 959
.%T FILE TRANSFER PROTOCOL (FTP)
.Re
.Pp
.Rs
.%A P. Hethmon
.%D March 2007
.%R RFC 3659
.%T Extensions to FTP
.Re
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
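.Pp
The following is an added example, not code from the ftpd sources: it parses records in the /var/log/ftpd format described above (the one written when the -S option is in effect), totals bytes per remote host, and flags any record that is not an anonymous ftp download, since the page says this file should only ever contain those. The sample log lines use documentation addresses and invented paths; the example assumes, beyond what the page states, that the path and name fields contain no whitespace, and it ignores any fields after the documented twelve.

```python
# Added example (not ftpd's own code): parse the /var/log/ftpd anonymous
# download records described above and summarise them per remote host,
# flagging lines that do not look like anonymous downloads.
from dataclasses import dataclass
from datetime import datetime

CTIME_WIDTH = 24   # ctime(3) output such as "Wed May  8 10:15:02 2019"


@dataclass
class FtpdRecord:
    when: datetime
    elapsed: int          # seconds
    remote_host: str
    nbytes: int
    path: str             # relative to the FTP chroot
    transfer_type: str    # 'a' ASCII or 'b' binary
    user_type: str        # 'a' anonymous or 'r' real user
    name: str             # login name or the supplied "email address"
    service: str          # always "ftp" per the page
    real_name: str        # login name, or '*' for anonymous


def parse_ftpd_line(line):
    """Parse one log line into an FtpdRecord.

    Assumption of this example (not stated on the page): the path and
    name fields contain no whitespace, so the fields after the fixed-width
    timestamp can be split on spaces.  Fields beyond the documented
    twelve are ignored."""
    line = line.rstrip("\n")
    stamp, rest = line[:CTIME_WIDTH], line[CTIME_WIDTH:]
    when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    fields = rest.split()
    if len(fields) < 12:
        raise ValueError(f"expected 12 fields after the timestamp, got {len(fields)}")
    (elapsed, host, nbytes, path, ttype, unused1, unused2,
     utype, name, service, unused3, real_name) = fields[:12]
    if ttype not in ("a", "b"):
        raise ValueError(f"bad transfer type {ttype!r}")
    if utype not in ("a", "r"):
        raise ValueError(f"bad user type {utype!r}")
    if (unused1, unused2, unused3) != ("*", "o", "0"):
        raise ValueError("compatibility fields are not '*', 'o', '0'")
    return FtpdRecord(when, int(elapsed), host, int(nbytes), path,
                      ttype, utype, name, service, real_name)


def summarize(log_text):
    """Return (bytes_by_host, anomalies).  A record is an anomaly when it
    is not an anonymous ftp download, which the page says is all this
    file should ever contain."""
    bytes_by_host = {}
    anomalies = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ftpd_line(line)
        bytes_by_host[rec.remote_host] = bytes_by_host.get(rec.remote_host, 0) + rec.nbytes
        if rec.user_type != "a" or rec.service != "ftp" or rec.real_name != "*":
            anomalies.append(rec.path)
    return bytes_by_host, anomalies


# Constructed sample log (documentation addresses, invented paths).
SAMPLE_LOG = """\
Wed May  8 10:15:02 2019 3 203.0.113.5 1048576 /pub/README b * o a someone@example.org ftp 0 *
Wed May  8 10:16:40 2019 1 203.0.113.5 2048 /pub/SHA256 a * o a someone@example.org ftp 0 *
Wed May  8 11:02:11 2019 12 198.51.100.7 52428800 /pub/install.iso b * o r alice ftp 0 alice
"""

if __name__ == "__main__":
    hosts, odd = summarize(SAMPLE_LOG)
    for host, total in hosts.items():
        print(f"{host:16s} {total} bytes")
    print("non-anonymous records:", odd)
```

The timestamp is sliced by width rather than split, because ctime(3) pads single-digit days with a space; strptime tolerates the doubled space. The third sample line models a real-user transfer showing up in a file that should hold anonymous downloads only, which is the kind of record worth investigating.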