1.\" $NetBSD: ftpd.8,v 1.69 2002/02/08 01:30:07 ross Exp $ 2.\" 3.\" Copyright (c) 1997-2001 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Luke Mewburn. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 3. All advertising materials mentioning features or use of this software 18.\" must display the following acknowledgement: 19.\" This product includes software developed by the NetBSD 20.\" Foundation, Inc. and its contributors. 21.\" 4. Neither the name of The NetBSD Foundation nor the names of its 22.\" contributors may be used to endorse or promote products derived 23.\" from this software without specific prior written permission. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 26.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 27.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 28.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 29.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 30.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 31.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 32.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 33.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 34.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35.\" POSSIBILITY OF SUCH DAMAGE. 36.\" 37.\" Copyright (c) 1985, 1988, 1991, 1993 38.\" The Regents of the University of California. All rights reserved. 39.\" 40.\" Redistribution and use in source and binary forms, with or without 41.\" modification, are permitted provided that the following conditions 42.\" are met: 43.\" 1. Redistributions of source code must retain the above copyright 44.\" notice, this list of conditions and the following disclaimer. 45.\" 2. Redistributions in binary form must reproduce the above copyright 46.\" notice, this list of conditions and the following disclaimer in the 47.\" documentation and/or other materials provided with the distribution. 48.\" 3. All advertising materials mentioning features or use of this software 49.\" must display the following acknowledgement: 50.\" This product includes software developed by the University of 51.\" California, Berkeley and its contributors. 52.\" 4. Neither the name of the University nor the names of its contributors 53.\" may be used to endorse or promote products derived from this software 54.\" without specific prior written permission. 55.\" 56.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 57.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 58.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 59.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 60.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 61.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 62.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 63.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 64.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 65.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 66.\" SUCH DAMAGE. 67.\" 68.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 69.\" 70.Dd October 13, 2001 71.Dt FTPD 8 72.Os 73.Sh NAME 74.Nm ftpd 75.Nd 76Internet File Transfer Protocol server 77.Sh SYNOPSIS 78.Nm 79.Op Fl dHlqQrsuUwWX 80.Op Fl a Ar anondir 81.Op Fl c Ar confdir 82.Op Fl C Ar user 83.Op Fl e Ar emailaddr 84.Op Fl h Ar hostname 85.Op Fl P Ar dataport 86.Op Fl V Ar version 87.Sh DESCRIPTION 88.Nm 89is the Internet File Transfer Protocol server process. 90The server uses the 91.Tn TCP 92protocol and listens at the port specified in the 93.Dq ftp 94service specification; see 95.Xr services 5 . 96.Pp 97Available options: 98.Bl -tag -width Ds 99.It Fl a Ar anondir 100Define 101.Ar anondir 102as the directory to 103.Xr chroot 2 104into for anonymous logins. 105Default is the home directory for the ftp user. 106This can also be specified with the 107.Xr ftpd.conf 5 108.Sy chroot 109directive. 110.It Fl c Ar confdir 111Change the root directory of the configuration files from 112.Dq Pa /etc 113to 114.Ar confdir . 115This changes the directory for the following files: 116.Pa /etc/ftpchroot , 117.Pa /etc/ftpusers , 118.Pa /etc/ftpwelcome , 119.Pa /etc/motd , 120and the file specified by the 121.Xr ftpd.conf 5 122.Sy limit 123directive. 124.It Fl C Ar user 125Check whether 126.Ar user 127would be granted access under 128the restrictions given in 129.Xr ftpusers 5 130and exit without attempting a connection. 131.Nm 132exits with an exit code of 0 if access would be granted, or 1 otherwise. 133This can be useful for testing configurations. 134.It Fl d 135Debugging information is written to the syslog using a facility of 136.Dv LOG_FTP . 137.It Fl e Ar emailaddr 138Use 139.Ar emailaddr 140for the 141.Dq "\&%E" 142escape sequence (see 143.Sx Display file escape sequences ) 144.It Fl h Ar hostname 145Explicitly set the hostname to advertise as to 146.Ar hostname . 147The default is the hostname associated with the IP address that 148.Nm 149is listening on. 150This ability (with or without 151.Fl h ) , 152in conjunction with 153.Fl c Ar confdir , 154is useful when configuring 155.Sq virtual 156.Tn FTP 157servers, each listening on separate addresses as separate names. 158Refer to 159.Xr inetd.conf 5 160for more information on starting services to listen on specific IP addresses. 161.It Fl H 162Equivalent to 163.Do 164-h 165`hostname` 166.Dc . 167.It Fl l 168Each successful and failed 169.Tn FTP 170session is logged using syslog with a facility of 171.Dv LOG_FTP . 172If this option is specified more than once, the retrieve (get), store (put), 173append, delete, make directory, remove directory and rename operations and 174their file name arguments are also logged. 175.It Fl P Ar dataport 176Use 177.Ar dataport 178as the data port, overriding the default of using the port one less 179that the port 180.Nm 181is listening on. 182.It Fl q 183Enable the use of pid files for keeping track of the number of logged-in 184users per class. 185This is the default. 186.It Fl Q 187Disable the use of pid files for keeping track of the number of logged-in 188users per class. 189This may reduce the load on heavily loaded 190.Tn FTP 191servers. 192.It Fl r 193Permanently drop root privileges once the user is logged in. 194The use of this option may result in the server using a port other 195than the (listening-port - 1) for 196.Sy PORT 197style commands, which is contrary to the 198.Cm RFC 959 199specification, but in practice very few clients rely upon this behaviour. 200See 201.Sx SECURITY CONSIDERATIONS 202below for more details. 203.It Fl s 204Require a secure authentication mechanism like Kerberos or S/Key to be used. 205.It Fl u 206Log each concurrent 207.Tn FTP 208session to 209.Pa /var/run/utmp , 210making them visible to commands such as 211.Xr who 1 . 212.It Fl U 213Don't log each concurrent 214.Tn FTP 215session to 216.Pa /var/run/utmp . 217This is the default. 218.It Fl V Ar version 219Use 220.Ar version 221as the version to advertise in the login banner and in the output of 222.Sy STAT 223and 224.Sy SYST 225instead of the default version information. 226If 227.Ar version 228is empty or 229.Sq - 230then don't display any version information. 231.It Fl w 232Log each 233.Tn FTP 234session to 235.Pa /var/log/wtmp , 236making them visible to commands such as 237.Xr last 1 . 238This is the default. 239.It Fl W 240Don't log each 241.Tn FTP 242session to 243.Pa /var/log/wtmp . 244.It Fl X 245Log 246.Tn wu-ftpd 247style 248.Sq xferlog 249entries to the syslog, prefixed with 250.Dq "xferlog:\ " , 251using a facility of 252.Dv LOG_FTP . 253These syslog entries can be converted to a 254.Tn wu-ftpd 255style 256.Pa xferlog 257file suitable for input into a third-party log analysis tool with a command 258similar to: 259.Dl "grep 'xferlog: ' /var/log/xferlog | \e" 260.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog" 261.El 262.Pp 263The file 264.Pa /etc/nologin 265can be used to disable 266.Tn FTP 267access. 268If the file exists, 269.Nm 270displays it and exits. 271If the file 272.Pa /etc/ftpwelcome 273exists, 274.Nm 275prints it before issuing the 276.Dq ready 277message. 278If the file 279.Pa /etc/motd 280exists (under the chroot directory if applicable), 281.Nm 282prints it after a successful login. 283This may be changed with the 284.Xr ftpd.conf 5 285directive 286.Sy motd . 287.Pp 288The 289.Nm 290server currently supports the following 291.Tn FTP 292requests. 293The case of the requests is ignored. 294.Bl -column "Request" -offset indent 295.It Sy Request Ta Sy Description 296.It ABOR Ta "abort previous command" 297.It ACCT Ta "specify account (ignored)" 298.It ALLO Ta "allocate storage (vacuously)" 299.It APPE Ta "append to a file" 300.It CDUP Ta "change to parent of current working directory" 301.It CWD Ta "change working directory" 302.It DELE Ta "delete a file" 303.It EPSV Ta "prepare for server-to-server transfer" 304.It EPRT Ta "specify data connection port" 305.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959" 306.It HELP Ta "give help information" 307.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA" 308.It LPSV Ta "prepare for server-to-server transfer" 309.It LPRT Ta "specify data connection port" 310.It MLSD Ta "list contents of directory in a machine-processable form" 311.It MLST Ta "show a pathname in a machine-processable form" 312.It MKD Ta "make a directory" 313.It MDTM Ta "show last modification time of file" 314.It MODE Ta "specify data transfer" Em mode 315.It NLST Ta "give name list of files in directory" 316.It NOOP Ta "do nothing" 317.It OPTS Ta "define persistent options for a given command" 318.It PASS Ta "specify password" 319.It PASV Ta "prepare for server-to-server transfer" 320.It PORT Ta "specify data connection port" 321.It PWD Ta "print the current working directory" 322.It QUIT Ta "terminate session" 323.It REST Ta "restart incomplete transfer" 324.It RETR Ta "retrieve a file" 325.It RMD Ta "remove a directory" 326.It RNFR Ta "specify rename-from file name" 327.It RNTO Ta "specify rename-to file name" 328.It SITE Ta "non-standard commands (see next section)" 329.It SIZE Ta "return size of file" 330.It STAT Ta "return status of server" 331.It STOR Ta "store a file" 332.It STOU Ta "store a file with a unique name" 333.It STRU Ta "specify data transfer" Em structure 334.It SYST Ta "show operating system type of server system" 335.It TYPE Ta "specify data transfer" Em type 336.It USER Ta "specify user name" 337.It XCUP Ta "change to parent of current working directory (deprecated)" 338.It XCWD Ta "change working directory (deprecated)" 339.It XMKD Ta "make a directory (deprecated)" 340.It XPWD Ta "print the current working directory (deprecated)" 341.It XRMD Ta "remove a directory (deprecated)" 342.El 343.Pp 344The following non-standard or 345.Ux 346specific commands are supported by the SITE request. 347.Pp 348.Bl -column Request -offset indent 349.It Sy Request Ta Sy Description 350.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''" 351.It HELP Ta "give help information." 352.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''" 353.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''" 354.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''" 355.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''" 356.El 357.Pp 358The following 359.Tn FTP 360requests (as specified in 361.Cm RFC 959 ) 362are recognized, but are not implemented: 363.Sy ACCT , 364.Sy SMNT , 365and 366.Sy REIN . 367.Sy MDTM 368and 369.Sy SIZE 370are not specified in 371.Cm RFC 959 , 372but will appear in the 373next updated 374.Tn FTP 375RFC. 376.Pp 377The 378.Nm 379server will abort an active file transfer only when the 380.Sy ABOR 381command is preceded by a Telnet "Interrupt Process" (IP) 382signal and a Telnet "Synch" signal in the command Telnet stream, 383as described in Internet 384.Cm RFC 959 . 385If a 386.Sy STAT 387command is received during a data transfer, preceded by a Telnet IP 388and Synch, transfer status will be returned. 389.Pp 390.Nm 391interprets file names according to the 392.Dq globbing 393conventions used by 394.Xr csh 1 . 395This allows users to utilize the metacharacters 396.Dq Li \&*?[]{}~ . 397.Ss User authentication 398.Nm 399authenticates users according to five rules. 400.Pp 401.Bl -enum -offset indent 402.It 403The login name must be in the password data base, 404.Pa /etc/pwd.db , 405and not have a null password. 406In this case a password must be provided by the client before any 407file operations may be performed. 408If the user has an S/Key key, the response from a successful 409.Sy USER 410command will include an S/Key challenge. 411The client may choose to respond with a 412.Sy PASS 413command giving either 414a standard password or an S/Key one-time password. 415The server will automatically determine which type of password it 416has been given and attempt to authenticate accordingly. 417See 418.Xr skey 1 419for more information on S/Key authentication. 420S/Key is a Trademark of Bellcore. 421.It 422The login name must be allowed based on the information in 423.Xr ftpusers 5 . 424.It 425The user must have a standard shell returned by 426.Xr getusershell 3 . 427If the user's shell field in the password database is empty, the 428shell is assumed to be 429.Pa /bin/sh . 430As per 431.Xr shells 5 , 432the user's shell must be listed with full path in 433.Pa /etc/shells . 434.It 435If directed by the file 436.Xr ftpchroot 5 437the session's root directory will be changed by 438.Xr chroot 2 439to the directory specified in the 440.Xr ftpd.conf 5 441.Sy chroot 442directive (if set), 443or to the home directory of the user. 444However, the user must still supply a password. 445This feature is intended as a compromise between a fully anonymous account 446and a fully privileged account. 447The account should also be set up as for an anonymous account. 448.It 449If the user name is 450.Dq anonymous 451or 452.Dq ftp , 453an 454anonymous 455.Tn FTP 456account must be present in the password 457file (user 458.Dq ftp ) . 459In this case the user is allowed 460to log in by specifying any password (by convention an email address for 461the user should be used as the password). 462.Pp 463The server performs a 464.Xr chroot 2 465to the directory specified in the 466.Xr ftpd.conf 5 467.Sy chroot 468directive (if set), 469the 470.Fl a Ar anondir 471directory (if set), 472or to the home directory of the 473.Dq ftp 474user. 475.Pp 476The server then performs a 477.Xr chdir 2 478to the directory specified in the 479.Xr ftpd.conf 5 480.Sy homedir 481directive (if set), otherwise to 482.Pa / . 483.Pp 484If other restrictions are required (such as disabling of certain 485commands and the setting of a specific umask), then appropriate 486entries in 487.Xr ftpd.conf 5 488are required. 489.Pp 490If the first character of the password supplied by an anonymous user 491is 492.Dq - , 493then the verbose messages displayed at login and upon a 494.Sy CWD 495command are suppressed. 496.El 497.Ss Display file escape sequences 498When 499.Nm 500displays various files back to the client (such as 501.Pa /etc/ftpwelcome 502and 503.Pa /etc/motd ) , 504various escape strings are replaced with information pertinent 505to the current connection. 506.Pp 507The supported escape strings are: 508.Bl -tag -width "Escape" -offset indent -compact 509.It Sy "Escape" 510.Sy Description 511.It "\&%c" 512Class name. 513.It "\&%C" 514Current working directory. 515.It "\&%E" 516Email address given with 517.Fl e . 518.It "\&%L" 519Local hostname. 520.It "\&%M" 521Maximum number of users for this class. 522Displays 523.Dq unlimited 524if there's no limit. 525.It "\&%N" 526Current number of users for this class. 527.It "\&%R" 528Remote hostname. 529.It "\&%s" 530If the result of the most recent 531.Dq "\&%M" 532or 533.Dq "\&%N" 534was not 535.Dq Li 1 , 536print an 537.Dq s . 538.It "\&%S" 539If the result of the most recent 540.Dq "\&%M" 541or 542.Dq "\&%N" 543was not 544.Dq Li 1 , 545print an 546.Dq S . 547.It "\&%T" 548Current time. 549.It "\&%U" 550User name. 551.It "\&%\&%" 552A 553.Dq \&% 554character. 555.El 556.Ss Setting up a restricted ftp subtree 557In order that system security is not breached, it is recommended 558that the 559subtrees for the 560.Dq ftp 561and 562.Dq chroot 563accounts be constructed with care, following these rules 564(replace 565.Dq ftp 566in the following directory names 567with the appropriate account name for 568.Sq chroot 569users): 570.Bl -tag -width "~ftp/incoming" -offset indent 571.It Pa ~ftp 572Make the home directory owned by 573.Dq root 574and unwritable by anyone. 575.It Pa ~ftp/bin 576Make this directory owned by 577.Dq root 578and unwritable by anyone (mode 555). 579Generally any conversion commands should be installed 580here (mode 111). 581.It Pa ~ftp/etc 582Make this directory owned by 583.Dq root 584and unwritable by anyone (mode 555). 585The files 586.Pa pwd.db 587(see 588.Xr passwd 5 ) 589and 590.Pa group 591(see 592.Xr group 5 ) 593must be present for the 594.Sy LIST 595command to be able to display owner and group names instead of numbers. 596The password field in 597.Xr passwd 5 598is not used, and should not contain real passwords. 599The file 600.Pa motd , 601if present, will be printed after a successful login. 602These files should be mode 444. 603.It Pa ~ftp/pub 604This directory and the subdirectories beneath it should be owned 605by the users and groups responsible for placing files in them, 606and be writable only by them (mode 755 or 775). 607They should 608.Em not 609be owned or writable by ftp or its group. 610.It Pa ~ftp/incoming 611This directory is where anonymous users place files they upload. 612The owners should be the user 613.Dq ftp 614and an appropriate group. 615Members of this group will be the only users with access to these 616files after they have been uploaded; these should be people who 617know how to deal with them appropriately. 618If you wish anonymous 619.Tn FTP 620users to be able to see the names of the 621files in this directory the permissions should be 770, otherwise 622they should be 370. 623.Pp 624The following 625.Xr ftpd.conf 5 626directives should be used: 627.Dl "modify guest off" 628.Dl "umask guest 0707" 629.Dl "upload guest on" 630.Pp 631This will result in anonymous users being able to upload files to this 632directory, but they will not be able to download them, delete them, or 633overwrite them, due to the umask and disabling of the commands mentioned 634above. 635.It Pa ~ftp/tmp 636This directory is used to create temporary files which contain 637the error messages generated by a conversion or 638.Sy LIST 639command. 640The owner should be the user 641.Dq ftp . 642The permissions should be 300. 643.Pp 644If you don't enable conversion commands, or don't want anonymous users 645uploading files here (see 646.Pa ~ftp/incoming 647above), then don't create this directory. 648However, error messages from conversion or 649.Sy LIST 650commands won't be returned to the user. 651(This is the traditional behaviour.) 652Note that the 653.Xr ftpd.conf 5 654directive 655.Sy upload 656can be used to prevent users uploading here. 657.El 658.Pp 659To set up "ftp-only" accounts that provide only 660.Tn FTP , 661but no valid shell 662login, you can copy/link 663.Pa /sbin/nologin 664to 665.Pa /sbin/ftplogin , 666and enter 667.Pa /sbin/ftplogin 668to 669.Pa /etc/shells 670to allow logging-in via 671.Tn FTP 672into the accounts, which must have 673.Pa /sbin/ftplogin 674as login shell. 675.Sh FILES 676.Bl -tag -width /etc/ftpwelcome -compact 677.It Pa /etc/ftpchroot 678List of normal users whose root directory should be changed via 679.Xr chroot 2 . 680.It Pa /etc/ftpd.conf 681Configure file conversions and other settings. 682.It Pa /etc/ftpusers 683List of unwelcome/restricted users. 684.It Pa /etc/ftpwelcome 685Welcome notice before login. 686.It Pa /etc/motd 687Welcome notice after login. 688.It Pa /etc/nologin 689If it exists, displayed and access is refused. 690.It Pa /var/run/ftpd.pids-CLASS 691State file of logged-in processes for the 692.Nm 693class 694.Sq CLASS . 695.It Pa /var/run/utmp 696List of logged-in users on the system. 697.It Pa /var/log/wtmp 698Login history database. 699.El 700.Sh SEE ALSO 701.Xr ftp 1 , 702.Xr skey 1 , 703.Xr who 1 , 704.Xr getusershell 3 , 705.Xr ftpchroot 5 , 706.Xr ftpd.conf 5 , 707.Xr ftpusers 5 , 708.Xr syslogd 8 709.Sh STANDARDS 710.Nm 711recognizes all commands in 712.Cm RFC 959 , 713follows the guidelines in 714.Cm RFC 1123 , 715recognizes all commands in 716.Cm RFC 2228 717(although they are not supported yet), 718and supports the extensions from 719.Cm RFC 2389 , 720.Cm RFC 2428 721and 722.Cm draft-ietf-ftpext-mlst-11 . 723.Sh HISTORY 724The 725.Nm 726command appeared in 727.Bx 4.2 . 728.Pp 729Various features such as the 730.Xr ftpd.conf 5 731functionality, 732.Cm RFC 2389 , 733and 734.Cm draft-ietf-ftpext-mlst-11 735support was implemented in 736.Nx 1.3 737and later releases by Luke Mewburn \*[Lt]lukem@netbsd.org\*[Gt]. 738.Sh BUGS 739The server must run as the super-user to create sockets with 740privileged port numbers (i.e, those less than 741.Dv IPPORT_RESERVED , 742which is 1024). 743If 744.Nm 745is listening on a privileged port 746it maintains an effective user id of the logged in user, reverting 747to the super-user only when binding addresses to privileged sockets. 748The 749.Fl r 750option can be used to override this behaviour and force privileges to 751be permanently revoked; see 752.Sx SECURITY CONSIDERATIONS 753below for more details. 754.Pp 755.Nm 756may have trouble handling connections from scoped IPv6 addresses, or 757IPv4 mapped addresses 758.Po 759IPv4 connection on 760.Dv AF_INET6 761socket 762.Pc . 763For the latter case, running two daemons, 764one for IPv4 and one for IPv6, will avoid the problem. 765.Sh SECURITY CONSIDERATIONS 766.Cm RFC 959 767provides no restrictions on the 768.Sy PORT 769command, and this can lead to security problems, as 770.Nm 771can be fooled into connecting to any service on any host. 772With the 773.Dq checkportcmd 774feature of the 775.Xr ftpd.conf 5 , 776.Sy PORT 777commands with different host addresses, or TCP ports lower than 778.Dv IPPORT_RESERVED 779will be rejected. 780This also prevents 781.Sq third-party proxy ftp 782from working. 783Use of this option is 784.Em strongly 785recommended, and enabled by default. 786.Pp 787By default 788.Nm 789uses a port that is one less than the port it is listening on to 790communicate back to the client for the 791.Sy EPRT , 792.Sy LPRT , 793and 794.Sy PORT 795commands, unless overridden with 796.Fl P Ar dataport . 797As the default port for 798.Nm 799(21) is a privileged port below 800.Dv IPPORT_RESERVED , 801.Nm 802retains the ability to switch back to root privileges to bind these 803ports. 804In order to increase security by reducing the potential for a bug in 805.Nm 806providing a remote root compromise, 807.Nm 808will permanently drop root privileges if one of the following is true: 809.Bl -enum -offset indent 810.It 811.Nm 812is running on a port greater than 813.Dv IPPORT_RESERVED 814and the user has logged in as a 815.Sq guest 816or 817.Sq chroot 818user. 819.It 820.Nm 821was invoked with 822.Fl r . 823.El 824.Pp 825Don't create 826.Pa ~ftp/tmp 827if you don't want anonymous users to upload files there. 828That directory is only necessary if you want to display the error 829messages of conversion commands to the user. 830Note that if uploads are disabled with the 831.Xr ftpd.conf 5 832directive 833.Sy upload , 834then this directory cannot be abused by the user in this way, so it 835should be safe to create. 836