1.\" Copyright (c) 1985, 1988, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 29.\" $FreeBSD: src/libexec/ftpd/ftpd.8,v 1.74 2007/04/20 09:08:20 trhodes Exp $ 30.\" 31.Dd September 11, 2019 32.Dt FTPD 8 33.Os 34.Sh NAME 35.Nm ftpd 36.Nd Internet File Transfer Protocol server 37.Sh SYNOPSIS 38.Nm 39.Op Fl 468ADdEhMmOoRrSUvW 40.Op Fl l Op Fl l 41.Op Fl a Ar address 42.Op Fl H Ar host 43.Op Fl P Ar port 44.Op Fl p Ar file 45.Op Fl T Ar maxtimeout 46.Op Fl t Ar timeout 47.Op Fl u Ar umask 48.Sh DESCRIPTION 49The 50.Nm 51utility is the 52Internet File Transfer Protocol 53server process. 54The server uses the 55.Tn TCP 56protocol 57and listens at the port specified with the 58.Fl P 59option or in the 60.Dq ftp 61service specification; see 62.Xr services 5 . 63.Pp 64Available options: 65.Bl -tag -width indent 66.It Fl 4 67When 68.Fl D 69is specified, accept connections via 70.Dv AF_INET 71socket. 72.It Fl 6 73When 74.Fl D 75is specified, accept connections via 76.Dv AF_INET6 77socket. 78.It Fl 8 79Enable transparent UTF-8 mode. 80RFC\ 2640 compliant clients will be told that the character encoding 81used by the server is UTF-8, which is the only effect of the option. 82.Pp 83This option does not enable any encoding conversion for server file names; 84it implies instead that the names of files on the server are encoded 85in UTF-8. 86As for files uploaded via FTP, it is the duty of the RFC\ 2640 compliant 87client to convert their names from the client's local encoding to UTF-8. 88FTP command names and own 89.Nm 90messages are always encoded in ASCII, which is a subset of UTF-8. 91Hence no need for server-side conversion at all. 92.It Fl A 93Allow only anonymous ftp access. 94.It Fl a 95When 96.Fl D 97is specified, accept connections only on the specified 98.Ar address . 99.It Fl D 100With this option set, 101.Nm 102will detach and become a daemon, accepting connections on the FTP port and 103forking children processes to handle them. 104This is lower overhead than starting 105.Nm 106from 107.Xr inetd 8 108and is thus useful on busy servers to reduce load. 109.It Fl d 110Debugging information is written to the syslog using 111.Dv LOG_FTP . 112.It Fl E 113Disable the EPSV command. 114This is useful for servers behind older firewalls. 115.It Fl h 116Disable printing host-specific information, such as the 117server software version or hostname, in server messages. 118.It Fl H 119Advertise the hostname as 120.Ar host 121instead of using the value of 122.Xr gethostname 3 . 123.It Fl l 124Each successful and failed 125.Xr ftp 1 126session is logged using syslog with a facility of 127.Dv LOG_FTP . 128If this option is specified twice, the retrieve (get), store (put), append, 129delete, make directory, remove directory and rename operations and 130their filename arguments are also logged. 131By default, 132.Xr syslogd 8 133logs these to 134.Pa /var/log/xferlog . 135.It Fl M 136Prevent anonymous users from creating directories. 137.It Fl m 138Permit anonymous users to overwrite or modify 139existing files if allowed by file system permissions. 140By default, anonymous users cannot modify existing files; 141in particular, files to upload will be created under a unique name. 142.It Fl O 143Put server in write-only mode for anonymous users only. 144RETR is disabled for anonymous users, preventing anonymous downloads. 145This has no effect if 146.Fl o 147is also specified. 148.It Fl o 149Put server in write-only mode. 150RETR is disabled, preventing downloads. 151.It Fl P 152When 153.Fl D 154is specified, accept connections at 155.Ar port , 156specified as a numeric value or service name, instead of at the default 157.Dq ftp 158port. 159.It Fl p 160When 161.Fl D 162is specified, write the daemon's process ID to 163.Ar file 164instead of the default pid file, 165.Pa /var/run/ftpd.pid . 166.It Fl R 167With this option set, 168.Nm 169will revert to historical behavior with regard to security checks on 170user operations and restrictions on PORT requests. 171Currently, 172.Nm 173will only honor PORT commands directed to unprivileged ports on the 174remote user's host (which violates the FTP protocol specification but 175closes some security holes). 176.It Fl r 177Put server in read-only mode. 178All commands which may modify the local file system are disabled. 179.It Fl S 180With this option set, 181.Nm 182logs all anonymous file downloads to the file 183.Pa /var/log/ftpd 184when this file exists. 185.It Fl T 186A client may also request a different timeout period; 187the maximum period allowed may be set to 188.Ar timeout 189seconds with the 190.Fl T 191option. 192The default limit is 2 hours. 193.It Fl t 194The inactivity timeout period is set to 195.Ar timeout 196seconds (the default is 15 minutes). 197.It Fl U 198This option instructs ftpd to use data ports in the range of 199.Dv IP_PORTRANGE_DEFAULT 200instead of in the range of 201.Dv IP_PORTRANGE_HIGH . 202Such a change may be useful for some specific firewall configurations; 203see 204.Xr ip 4 205for more information. 206.Pp 207Note that option is a virtual no-op in 208.Fx 5.0 209and above; both port 210ranges are identical by default. 211.It Fl u 212The default file creation mode mask is set to 213.Ar umask , 214which is expected to be an octal numeric value. 215Refer to 216.Xr umask 2 217for details. 218This option may be overridden by 219.Xr login.conf 5 . 220.It Fl v 221A synonym for 222.Fl d . 223.It Fl W 224Do not log FTP sessions to 225.Pa /var/log/wtmpx . 226.El 227.Pp 228The file 229.Pa /var/run/nologin 230can be used to disable ftp access. 231If the file exists, 232.Nm 233displays it and exits. 234If the file 235.Pa /etc/ftpwelcome 236exists, 237.Nm 238prints it before issuing the 239.Dq ready 240message. 241If the file 242.Pa /etc/ftpmotd 243exists, 244.Nm 245prints it after a successful login. 246Note the motd file used is the one 247relative to the login environment. 248This means the one in 249.Pa ~ftp/etc 250in the anonymous user's case. 251.Pp 252The ftp server currently supports the following ftp requests. 253The case of the requests is ignored. 254Requests marked [RW] are 255disabled if 256.Fl r 257is specified. 258.Bl -column "Request" -offset indent 259.It Sy Request Ta Sy "Description" 260.It ABOR Ta "abort previous command" 261.It ACCT Ta "specify account (ignored)" 262.It ALLO Ta "allocate storage (vacuously)" 263.It APPE Ta "append to a file [RW]" 264.It CDUP Ta "change to parent of current working directory" 265.It CWD Ta "change working directory" 266.It DELE Ta "delete a file [RW]" 267.It EPRT Ta "specify data connection port, multiprotocol" 268.It EPSV Ta "prepare for server-to-server transfer, multiprotocol" 269.It FEAT Ta "give information on extended features of server" 270.It HELP Ta "give help information" 271.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA" 272.It LPRT Ta "specify data connection port, multiprotocol" 273.It LPSV Ta "prepare for server-to-server transfer, multiprotocol" 274.It MDTM Ta "show last modification time of file" 275.It MKD Ta "make a directory [RW]" 276.It MODE Ta "specify data transfer" Em mode 277.It NLST Ta "give name list of files in directory" 278.It NOOP Ta "do nothing" 279.It PASS Ta "specify password" 280.It PASV Ta "prepare for server-to-server transfer" 281.It PORT Ta "specify data connection port" 282.It PWD Ta "print the current working directory" 283.It QUIT Ta "terminate session" 284.It REST Ta "restart incomplete transfer" 285.It RETR Ta "retrieve a file" 286.It RMD Ta "remove a directory [RW]" 287.It RNFR Ta "specify rename-from file name [RW]" 288.It RNTO Ta "specify rename-to file name [RW]" 289.It SITE Ta "non-standard commands (see next section)" 290.It SIZE Ta "return size of file" 291.It STAT Ta "return status of server" 292.It STOR Ta "store a file [RW]" 293.It STOU Ta "store a file with a unique name [RW]" 294.It STRU Ta "specify data transfer" Em structure 295.It SYST Ta "show operating system type of server system" 296.It TYPE Ta "specify data transfer" Em type 297.It USER Ta "specify user name" 298.It XCUP Ta "change to parent of current working directory (deprecated)" 299.It XCWD Ta "change working directory (deprecated)" 300.It XMKD Ta "make a directory (deprecated) [RW]" 301.It XPWD Ta "print the current working directory (deprecated)" 302.It XRMD Ta "remove a directory (deprecated) [RW]" 303.El 304.Pp 305The following non-standard or 306.Ux 307specific commands are supported 308by the 309SITE request. 310.Bl -column Request -offset indent 311.It Sy Request Ta Sy Description 312.It UMASK Ta change umask, e.g. ``SITE UMASK 002'' 313.It IDLE Ta set idle-timer, e.g. ``SITE IDLE 60'' 314.It CHMOD Ta "change mode of a file [RW], e.g. ``SITE CHMOD 755 filename''" 315.It MD5 Ta "report the files MD5 checksum, e.g. ``SITE MD5 filename''" 316.It HELP Ta give help information 317.El 318.Pp 319Note: SITE requests are disabled in case of anonymous logins. 320.Pp 321The remaining ftp requests specified in Internet RFC 959 322are 323recognized, but not implemented. 324MDTM and SIZE are not specified in RFC 959, but will appear in the 325next updated FTP RFC. 326To avoid possible denial-of-service attacks, SIZE requests against 327files larger than 10240 bytes will be denied if the current transfer 328type is ASCII. 329.Pp 330The ftp server will abort an active file transfer only when the 331ABOR 332command is preceded by a Telnet "Interrupt Process" (IP) 333signal and a Telnet "Synch" signal in the command Telnet stream, 334as described in Internet RFC 959. 335If a 336STAT 337command is received during a data transfer, preceded by a Telnet IP 338and Synch, transfer status will be returned. 339.Pp 340The 341.Nm 342utility interprets file names according to the 343.Dq globbing 344conventions used by 345.Xr csh 1 . 346This allows users to utilize the metacharacters 347.Dq Li \&*?[]{}~ . 348.Pp 349The 350.Nm 351utility authenticates users according to six rules. 352.Bl -enum -offset indent 353.It 354The login name must be in the password data base 355and not have a null password. 356In this case a password must be provided by the client before any 357file operations may be performed. 358.It 359The login name must not appear in the file 360.Pa /etc/ftpusers . 361.It 362The login name must not be a member of a group specified in the file 363.Pa /etc/ftpusers . 364Entries in this file interpreted as group names are prefixed by an "at" 365.Ql \&@ 366sign. 367.It 368The user must have a standard shell returned by 369.Xr getusershell 3 . 370.It 371If the user name appears in the file 372.Pa /etc/ftpchroot , 373or the user is a member of a group with a group entry in this file, 374i.e., one prefixed with 375.Ql \&@ , 376the session's root will be changed to the directory specified 377in this file or to the user's login directory by 378.Xr chroot 2 379as for an 380.Dq anonymous 381or 382.Dq ftp 383account (see next item). 384See 385.Xr ftpchroot 5 386for a detailed description of the format of this file. 387This facility may also be triggered by enabling the boolean "ftp-chroot" 388capability in 389.Xr login.conf 5 . 390However, the user must still supply a password. 391This feature is intended as a compromise between a fully anonymous 392account and a fully privileged account. 393The account should also be set up as for an anonymous account. 394.It 395If the user name is 396.Dq anonymous 397or 398.Dq ftp , 399an 400anonymous ftp account must be present in the password 401file (user 402.Dq ftp ) . 403In this case the user is allowed 404to log in by specifying any password (by convention an email address for 405the user should be used as the password). 406When the 407.Fl S 408option is set, all transfers are logged as well. 409.El 410.Pp 411In the last case, 412.Nm 413takes special measures to restrict the client's access privileges. 414The server performs a 415.Xr chroot 2 416to the home directory of the 417.Dq ftp 418user. 419As a special case if the 420.Dq ftp 421user's home directory pathname contains the 422.Pa /./ 423separator, 424.Nm 425uses its left-hand side as the name of the directory to do 426.Xr chroot 2 427to, and its right-hand side to change the current directory to afterwards. 428A typical example for this case would be 429.Pa /usr/local/ftp/./pub . 430In order that system security is not breached, it is recommended 431that the 432.Dq ftp 433subtree be constructed with care, following these rules: 434.Bl -tag -width "~ftp/pub" -offset indent 435.It Pa ~ftp 436Make the home directory owned by 437.Dq root 438and unwritable by anyone. 439.It Pa ~ftp/etc 440Make this directory owned by 441.Dq root 442and unwritable by anyone (mode 555). 443The files pwd.db (see 444.Xr passwd 5 ) 445and 446.Xr group 5 447must be present for the 448.Xr ls 1 449command to be able to produce owner names rather than numbers. 450The password field in 451.Xr passwd 5 452is not used, and should not contain real passwords. 453The file 454.Pa ftpmotd , 455if present, will be printed after a successful login. 456These files should be mode 444. 457.It Pa ~ftp/pub 458This directory and the subdirectories beneath it should be owned 459by the users and groups responsible for placing files in them, 460and be writable only by them (mode 755 or 775). 461They should 462.Em not 463be owned or writable by 464.Dq ftp 465or its group, otherwise guest users 466can fill the drive with unwanted files. 467.El 468.Pp 469If the system has multiple IP addresses, 470.Nm 471supports the idea of virtual hosts, which provides the ability to 472define multiple anonymous ftp areas, each one allocated to a different 473internet address. 474The file 475.Pa /etc/ftphosts 476contains information pertaining to each of the virtual hosts. 477Each host is defined on its own line which contains a number of 478fields separated by whitespace: 479.Bl -tag -offset indent -width hostname 480.It hostname 481Contains the hostname or IP address of the virtual host. 482.It user 483Contains a user record in the system password file. 484As with normal anonymous ftp, this user's access uid, gid and group 485memberships determine file access to the anonymous ftp area. 486The anonymous ftp area (to which any user is chrooted on login) 487is determined by the home directory defined for the account. 488User id and group for any ftp account may be the same as for the 489standard ftp user. 490.It statfile 491File to which all file transfers are logged, which 492defaults to 493.Pa /var/log/ftpd . 494.It welcome 495This file is the welcome message displayed before the server ready 496prompt. 497It defaults to 498.Pa /etc/ftpwelcome . 499.It motd 500This file is displayed after the user logs in. 501It defaults to 502.Pa /etc/ftpmotd . 503.El 504.Pp 505Lines beginning with a '#' are ignored and can be used to include 506comments. 507.Pp 508Defining a virtual host for the primary IP address or hostname 509changes the default for ftp logins to that address. 510The 'user', 'statfile', 'welcome' and 'motd' fields may be left 511blank, or a single hyphen '-' used to indicate that the default 512value is to be used. 513.Pp 514As with any anonymous login configuration, due care must be given 515to setup and maintenance to guard against security related problems. 516.Pp 517The 518.Nm 519utility has internal support for handling remote requests to list 520files, and will not execute 521.Pa /bin/ls 522in either a chrooted or non-chrooted environment. 523The 524.Pa ~/bin/ls 525executable need not be placed into the chrooted tree, nor need the 526.Pa ~/bin 527directory exist. 528.Sh FILES 529.Bl -tag -width ".Pa /var/run/ftpd.pid" -compact 530.It Pa /etc/ftpusers 531List of unwelcome/restricted users. 532.It Pa /etc/ftpchroot 533List of normal users who should be chroot'd. 534.It Pa /etc/ftphosts 535Virtual hosting configuration file. 536.It Pa /etc/ftpwelcome 537Welcome notice. 538.It Pa /etc/ftpmotd 539Welcome notice after login. 540.It Pa /var/run/ftpd.pid 541Default pid file for daemon mode. 542.It Pa /var/run/nologin 543Displayed and access refused. 544.It Pa /var/log/ftpd 545Log file for anonymous transfers. 546.It Pa /var/log/xferlog 547Default place for session logs. 548.El 549.Sh SEE ALSO 550.Xr ftp 1 , 551.Xr umask 2 , 552.Xr getusershell 3 , 553.Xr ftpchroot 5 , 554.Xr login.conf 5 , 555.Xr inetd 8 , 556.Xr syslogd 8 557.Sh HISTORY 558The 559.Nm 560utility appeared in 561.Bx 4.2 . 562IPv6 support was added in WIDE Hydrangea IPv6 stack kit. 563.Sh BUGS 564The server must run as the super-user 565to create sockets with privileged port numbers. 566It maintains 567an effective user id of the logged in user, reverting to 568the super-user only when binding addresses to sockets. 569The 570possible security holes have been extensively 571scrutinized, but are possibly incomplete. 572