1.\" $OpenBSD: ftpd.8,v 1.14 1997/12/15 16:52:10 kstailey Exp $ 2.\" $NetBSD: ftpd.8,v 1.8 1996/01/14 20:55:23 thorpej Exp $ 3.\" 4.\" Copyright (c) 1985, 1988, 1991, 1993 5.\" The Regents of the University of California. All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 3. All advertising materials mentioning features or use of this software 16.\" must display the following acknowledgement: 17.\" This product includes software developed by the University of 18.\" California, Berkeley and its contributors. 19.\" 4. Neither the name of the University nor the names of its contributors 20.\" may be used to endorse or promote products derived from this software 21.\" without specific prior written permission. 22.\" 23.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33.\" SUCH DAMAGE. 34.\" 35.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 36.\" 37.Dd June 18, 1996 38.Dt FTPD 8 39.Os BSD 4.2 40.Sh NAME 41.Nm ftpd 42.Nd 43Internet File Transfer Protocol server 44.Sh SYNOPSIS 45.Nm ftpd 46.Op Fl dDhlMPSU 47.Op Fl T Ar maxtimeout 48.Op Fl t Ar timeout 49.Op Fl u Ar mask 50.Sh DESCRIPTION 51.Nm Ftpd 52is the 53Internet File Transfer Protocol 54server process. The server uses the 55.Tn TCP 56protocol 57and listens at the port specified in the 58.Dq ftp 59service specification; see 60.Xr services 5 . 61.Pp 62Available options: 63.Bl -tag -width Ds 64.It Fl A 65Permit only anonymous ftp connections or accounts listed in 66.Pa /etc/ftpchroot. 67Other connection attempts are refused. 68.It Fl d 69Debugging information is written to the syslog using LOG_FTP. 70.It Fl D 71With this option set, 72.Nm ftpd 73will detach and become a daemon, accepting connections on the FTP port and 74forking child processes to handle them. This has lower overhead than 75starting 76.Nm ftpd 77from 78.Xr inetd 8 79and is thus useful on busy servers to reduce load. 80.It Fl h 81The server will use data ports in the high port range (normally 40000..44999) 82for passive connections. 83.It Fl l 84Each successful and failed 85.Xr ftp 1 86session is logged using syslog with a facility of LOG_FTP. 87If this option is specified twice, the retrieve (get), store (put), append, 88delete, make directory, remove directory and rename operations and 89their filename arguments are also logged. 90.It Fl M 91Enables multihomed mode. Instead of simply using 92.Pa ~ftp 93for anonymous transfers, a directory matching the fully qualified name of 94IP number the client connected to, and located inside 95.Pa ~ftp 96is used instead. 97.It Fl P 98Permit illegal port numbers or addresses for PORT command initiated connects. 99By default 100.Xr ftpd 8 101violates the RFC and thus constrains the PORT command to non-reserved ports 102and requires it use the same source address as the connection came from. 103This prevents the "FTP bounce attack" against services on both the local 104machine and other local machines. 105.It Fl S 106With this option set, 107.Nm ftpd 108logs all anonymous transfers to the file 109.Pa /var/log/ftpd 110when this file exists. 111.It Fl U 112Each concurrent 113.Xr ftp 1 114session is logged to the file 115.Pa /var/run/utmp , 116making them visible to commands such as 117.Xr who 1 . 118.It Fl T 119A client may also request a different timeout period; 120the maximum period allowed may be set to 121.Ar timeout 122seconds with the 123.Fl T 124option. 125The default limit is 2 hours. 126.It Fl t 127The inactivity timeout period is set to 128.Ar timeout 129seconds (the default is 15 minutes). 130.It Fl u 131Change the default umask from 027 to 132.Ar mask . 133.El 134.Pp 135The file 136.Pa /etc/nologin 137can be used to disable ftp access. 138If the file exists, 139.Nm 140displays it and exits. 141If the file 142.Pa /etc/ftpwelcome 143exists, 144.Nm 145prints it before issuing the 146.Dq ready 147message. 148If the file 149.Pa /etc/motd 150exists, 151.Nm 152prints it after a successful login. If the file 153.Pa .message 154exists in a directory, 155.Nm 156prints it when that directory is entered. 157.Pp 158The ftp server currently supports the following ftp requests. 159The case of the requests is ignored. 160.Bl -column "Request" -offset indent 161.It Request Ta "Description" 162.It ABOR Ta "abort previous command" 163.It ACCT Ta "specify account (ignored)" 164.It ALLO Ta "allocate storage (vacuously)" 165.It APPE Ta "append to a file" 166.It CDUP Ta "change to parent of current working directory" 167.It CWD Ta "change working directory" 168.It DELE Ta "delete a file" 169.It HELP Ta "give help information" 170.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA" 171.It MKD Ta "make a directory" 172.It MDTM Ta "show last modification time of file" 173.It MODE Ta "specify data transfer" Em mode 174.It NLST Ta "give name list of files in directory" 175.It NOOP Ta "do nothing" 176.It PASS Ta "specify password" 177.It PASV Ta "prepare for server-to-server transfer" 178.It PORT Ta "specify data connection port" 179.It PWD Ta "print the current working directory" 180.It QUIT Ta "terminate session" 181.It REST Ta "restart incomplete transfer" 182.It RETR Ta "retrieve a file" 183.It RMD Ta "remove a directory" 184.It RNFR Ta "specify rename-from file name" 185.It RNTO Ta "specify rename-to file name" 186.It SITE Ta "non-standard commands (see next section)" 187.It SIZE Ta "return size of file" 188.It STAT Ta "return status of server" 189.It STOR Ta "store a file" 190.It STOU Ta "store a file with a unique name" 191.It STRU Ta "specify data transfer" Em structure 192.It SYST Ta "show operating system type of server system" 193.It TYPE Ta "specify data transfer" Em type 194.It USER Ta "specify user name" 195.It XCUP Ta "change to parent of current working directory (deprecated)" 196.It XCWD Ta "change working directory (deprecated)" 197.It XMKD Ta "make a directory (deprecated)" 198.It XPWD Ta "print the current working directory (deprecated)" 199.It XRMD Ta "remove a directory (deprecated)" 200.El 201.Pp 202The following non-standard or 203.Tn UNIX 204specific commands are supported 205by the 206SITE request. 207.Pp 208.Bl -column Request -offset indent 209.It Sy Request Ta Sy Description 210.It UMASK Ta change umask, e.g. ``SITE UMASK 002'' 211.It IDLE Ta set idle-timer, e.g. ``SITE IDLE 60'' 212.It CHMOD Ta change mode of a file, e.g. ``SITE CHMOD 755 filename'' 213.It HELP Ta give help information. 214.El 215.Pp 216The remaining ftp requests specified in Internet RFC 959 217are 218recognized, but not implemented. 219MDTM and SIZE are not specified in RFC 959, but will appear in the 220next updated FTP RFC. 221.Pp 222The ftp server will abort an active file transfer only when the 223ABOR 224command is preceded by a Telnet "Interrupt Process" (IP) 225signal and a Telnet "Synch" signal in the command Telnet stream, 226as described in Internet RFC 959. 227If a 228STAT 229command is received during a data transfer, preceded by a Telnet IP 230and Synch, transfer status will be returned. 231.Pp 232.Nm Ftpd 233interprets file names according to the 234.Dq globbing 235conventions used by 236.Xr csh 1 . 237This allows users to utilize the metacharacters 238.Dq Li \&*?[]{}~ . 239.Pp 240.Nm Ftpd 241authenticates users according to five rules. 242.Pp 243.Bl -enum -offset indent 244.It 245The login name must be in the password data base, 246.Pa /etc/pwd.db , 247and not have a null password. 248In this case a password must be provided by the client before any 249file operations may be performed. 250If the user has an S/Key key, the response from a successful USER 251command will include an S/Key challenge. The client may choose to respond 252with a PASS command giving either a standard password or an S/Key 253one-time password. The server will automatically determine which type of 254password it has been given and attempt to authenticate accordingly. See 255.Xr skey 1 256for more information on S/Key authentication. S/Key is a Trademark of 257Bellcore. 258.It 259The login name must not appear in the file 260.Pa /etc/ftpusers . 261.It 262The user must have a standard shell returned by 263.Xr getusershell 3 . 264.It 265If the user name appears in the file 266.Pa /etc/ftpchroot 267the session's root will be changed to the user's login directory by 268.Xr chroot 2 269as for an 270.Dq anonymous 271or 272.Dq ftp 273account (see next item). However, the user must still supply a password. 274This feature is intended as a compromise between a fully anonymous account 275and a fully privileged account. The account should also be set up as for an 276anonymous account. 277.It 278If the user name is 279.Dq anonymous 280or 281.Dq ftp , 282an 283anonymous ftp account must be present in the password 284file (user 285.Dq ftp ) . 286In this case the user is allowed 287to log in by specifying any password (by convention an email address for 288the user should be used as the password). 289.El 290.Pp 291In the last case, 292.Nm ftpd 293takes special measures to restrict the client's access privileges. 294The server performs a 295.Xr chroot 2 296to the home directory of the 297.Dq ftp 298user. 299In order that system security is not breached, it is recommended 300that the 301.Dq ftp 302subtree be constructed with care, following these rules: 303.Bl -tag -width "~ftp/pub" -offset indent 304.It Pa ~ftp 305Make the home directory owned by 306.Dq root 307and unwritable by anyone (mode 555). 308.It Pa ~ftp/bin 309Make this directory owned by 310.Dq root 311and unwritable by anyone (mode 511). 312The program 313.Xr ls 1 314must be present to support the list command. 315This program should be mode 111 (executable only). 316.It Pa ~ftp/etc 317Make this directory owned by 318.Dq root 319and unwritable by anyone (mode 511). 320The files pwd.db (see 321.Xr pwd_mkdb 8 ) 322and 323.Xr group 5 324must be present for the 325.Xr ls 326command to be able to produce owner names rather than numbers. 327The password field in 328.Xr pwd.db 329is not used, and should not contain real passwords. 330The file 331.Pa motd , 332if present, will be printed after a successful login. 333These files should be mode 444. 334.It Pa ~ftp/pub 335Make this directory mode 555 and owned by 336.Dq root . 337This is traditionally where publically accessible files are 338stored for download. 339.El 340.Sh FILES 341.Bl -tag -width /etc/ftpwelcome -compact 342.It Pa /etc/ftpusers 343List of unwelcome/restricted users. 344.It Pa /etc/ftpchroot 345List of normal users who should be chroot'd. 346.It Pa /etc/ftpwelcome 347Welcome notice. 348.It Pa /etc/motd 349Welcome notice after login. 350.It Pa /etc/nologin 351Displayed and access refused. 352.It Pa /var/run/utmp 353List of users on the system. 354.It Pa /var/log/ftpd 355Log file for anonymous transfers. 356.El 357.Sh SEE ALSO 358.Xr ftp 1 , 359.Xr skey 1 , 360.Xr who 1 , 361.Xr getusershell 3 , 362.Xr syslogd 8 363.Sh BUGS 364The server must run as the super-user 365to create sockets with privileged port numbers. It maintains 366an effective user id of the logged in user, reverting to 367the super-user only when binding addresses to sockets. The 368possible security holes have been extensively 369scrutinized, but are possibly incomplete. 370.Sh HISTORY 371The 372.Nm 373command appeared in 374.Bx 4.2 . 375