ftpd(8)

NAME

ftpd - Internet File Transfer Protocol server

SYNOPSIS

ftpd [-dHlqQrsuUwWX] [-a anondir] [-c confdir] [-C user] [-e
emailaddr]
     [-h   hostname]  [-L  xferlogfile]  [-P  dataport]  [-V
version]

DESCRIPTION

ftpd is the Internet File Transfer Protocol server process.

The server
uses the TCP protocol and listens at the port specified in

the ``ftp''
service specification; see services(5).

Available options:

-a anondir

Define anondir as the directory to chroot(2) into

for anonymous
logins. Default is the home directory for the ftp

user. This
can also be specified with the ftpd.conf(5) chroot

directive.

-c confdir

Change the root directory of the configuration files

from
``/etc'' to confdir. This changes the directory for

the following files: /etc/ftpchroot, /etc/ftpusers,

/etc/ftpwelcome,
/etc/motd, and the file specified by the ft

pd.conf(5) limit
directive.

-C user

Check whether user would be granted access under the

restrictions
given in ftpusers(5) and exit without attempting a

connection.
ftpd exits with an exit code of 0 if access would be

granted, or
1 otherwise. This can be useful for testing config

urations.

-d Debugging information is written to the syslog using

a facility

of LOG_FTP.

-e emailaddr

Use emailaddr for the ``%E'' escape sequence (see

Display file
escape sequences)

-h hostname

Explicitly set the hostname to advertise as to

hostname. The
default is the hostname associated with the IP ad

dress that ftpd
is listening on. This ability (with or without -h),

in conjunction with -c confdir, is useful when configuring

`virtual' FTP
servers, each listening on separate addresses as

separate names.
Refer to inetd.conf(5) for more information on

starting services
to listen on specific IP addresses.

-H Equivalent to ``-h `hostname`''.

-l Each successful and failed FTP session is logged us

ing syslog

with a facility of LOG_FTP. If this option is spec

ified more
than once, the retrieve (get), store (put), append,

delete, make
directory, remove directory and rename operations

and their file
name arguments are also logged.

-L xferlogfile

Log wu-ftpd style `xferlog' entries to xferlogfile.

-P dataport

Use dataport as the data port, overriding the de

fault of using
the port one less that the port ftpd is listening

on.

-q Enable the use of pid files for keeping track of the

number of

logged-in users per class. This is the default.

-Q Disable the use of pid files for keeping track of

the number of

logged-in users per class. This may reduce the load

on heavily
loaded FTP servers.

-r Permanently drop root privileges once the user is

logged in. The

use of this option may result in the server using a

port other
than the (listening-port - 1) for PORT style com

mands, which is
contrary to the RFC 959 specification, but in prac

tice very few
clients rely upon this behaviour. See SECURITY

CONSIDERATIONS
below for more details.

-s Require a secure authentication mechanism like Ker

beros or S/Key

to be used.

-u Log each concurrent FTP session to /var/run/utmp,

making them

visible to commands such as who(1).

-U Don't log each concurrent FTP session to

/var/run/utmp. This is

the default.

-V version

Use version as the version to advertise in the login

banner and
in the output of STAT and SYST instead of the de

fault version
information. If version is empty or `-' then don't

display any
version information.

-w Log each FTP session to /var/log/wtmp, making them

visible to

commands such as last(1). This is the default.

-W Don't log each FTP session to /var/log/wtmp.

-X Log wu-ftpd style `xferlog' entries to the syslog,

prefixed with

``xferlog: '', using a facility of LOG_FTP. These

syslog entries
can be converted to a wu-ftpd style xferlog file

suitable for
input into a third-party log analysis tool with a

command similar
to:

grep 'xferlog: ' /var/log/xferlog sed

-e 's/^.*xferlog: //' > wuxferlog

The file /etc/nologin can be used to disable FTP access. If

the file
exists, ftpd displays it and exits. If the file

/etc/ftpwelcome exists,
ftpd prints it before issuing the ``ready'' message. If the

file
/etc/motd exists (under the chroot directory if applicable),

ftpd prints
it after a successful login. This may be changed with the

ftpd.conf(5)
directive motd.

The ftpd server currently supports the following FTP re

quests. The case
of the requests is ignored.

Request Description
ABOR abort previous command
ACCT specify account (ignored)
ALLO allocate storage (vacuously)
APPE append to a file
CDUP change to parent of current working direc

tory
CWD change working directory
DELE delete a file
EPSV prepare for server-to-server transfer
EPRT specify data connection port
FEAT list extra features that are not defined in

RFC 959

HELP give help information
LIST give list files in a directory (``ls -lA'')
LPSV prepare for server-to-server transfer
LPRT specify data connection port
MLSD list contents of directory in a machine

processable form
MLST show a pathname in a machine-processable

form
MKD make a directory
MDTM show last modification time of file
MODE specify data transfer mode
NLST give name list of files in directory
NOOP do nothing
OPTS define persistent options for a given com

mand
PASS specify password
PASV prepare for server-to-server transfer
PORT specify data connection port
PWD print the current working directory
QUIT terminate session
REST restart incomplete transfer
RETR retrieve a file
RMD remove a directory
RNFR specify rename-from file name
RNTO specify rename-to file name
SITE non-standard commands (see next section)
SIZE return size of file
STAT return status of server
STOR store a file
STOU store a file with a unique name
STRU specify data transfer structure
SYST show operating system type of server system
TYPE specify data transfer type
USER specify user name
XCUP change to parent of current working direc

tory

(deprecated)

XCWD change working directory (deprecated)
XMKD make a directory (deprecated)
XPWD print the current working directory (depre

cated)
XRMD remove a directory (deprecated)

The following non-standard or UNIX specific commands are

supported by the
SITE request.

Request Description
CHMOD change mode of a file, e.g. ``SITE CHMOD

755 filename''
HELP give help information.
IDLE set idle-timer, e.g. ``SITE IDLE 60''
RATEGET set maximum get rate throttle in bytes/sec

ond, e.g.

``SITE RATEGET 5k''

RATEPUT set maximum put rate throttle in bytes/sec

ond, e.g.

``SITE RATEPUT 5k''

UMASK change umask, e.g. ``SITE UMASK 002''

The following FTP requests (as specified in RFC 959) are

recognized, but
are not implemented: ACCT, SMNT, and REIN. MDTM and SIZE

are not specified in RFC 959, but will appear in the next updated FTP

RFC.

The ftpd server will abort an active file transfer only when

the ABOR
command is preceded by a Telnet "Interrupt Process" (IP)

signal and a
Telnet "Synch" signal in the command Telnet stream, as de

scribed in
Internet RFC 959. If a STAT command is received during a

data transfer,
preceded by a Telnet IP and Synch, transfer status will be

returned.

ftpd interprets file names according to the ``globbing''

conventions used
by csh(1). This allows users to use the metacharacters

``*?[]{}~''.

User authentication

ftpd authenticates users according to five rules.

1. The login name must be in the password data base,

/etc/pwd.db,
and not have a null password. In this case a

password must be
provided by the client before any file operations

may be performed. If the user has an S/Key key, the re

sponse from a
successful USER command will include an S/Key

challenge. The
client may choose to respond with a PASS command

giving either
a standard password or an S/Key one-time pass

word. The server
will automatically determine which type of pass

word it has
been given and attempt to authenticate according

ly. See
skey(1) for more information on S/Key authentica

tion. S/Key
is a Trademark of Bellcore.

2. The login name must be allowed based on the in

formation in
ftpusers(5).

3. The user must have a standard shell returned by
getusershell(3). If the user's shell field in

the password
database is empty, the shell is assumed to be

/bin/sh. As per
shells(5), the user's shell must be listed with

full path in
/etc/shells.

4. If directed by the file ftpchroot(5) the ses

sion's root directory will be changed by chroot(2) to the directo

ry specified
in the ftpd.conf(5) chroot directive (if set), or

to the home
directory of the user. However, the user must

still supply a
password. This feature is intended as a compro

mise between a
fully anonymous account and a fully privileged

account. The
account should also be set up as for an anonymous

account.

5. If the user name is ``anonymous'' or ``ftp'', an

anonymous FTPaccount must be present in the password file (us

er ``ftp'').
In this case the user is allowed to log in by

specifying any
password (by convention an email address for the

user should
be used as the password).

The server performs a chroot(2) to the directory

specified in
the ftpd.conf(5) chroot directive (if set), the

-a anondir
directory (if set), or to the home directory of

the ``ftp''
user.

The server then performs a chdir(2) to the direc

tory specified
in the ftpd.conf(5) homedir directive (if set),

otherwise to
/.

If other restrictions are required (such as dis

abling of certain commands and the setting of a specific

umask), then
appropriate entries in ftpd.conf(5) are required.

If the first character of the password supplied

by an anonymous user is ``-'', then the verbose messages

displayed at
login and upon a CWD command are suppressed.

Display file escape sequences When ftpd displays various files back to the client (such as
/etc/ftpwelcome and /etc/motd), various escape strings are

replaced with
information pertinent to the current connection.

The supported escape strings are:
Escape Description
%c Class name.
%C Current working directory.
%E Email address given with -e.
%L Local hostname.
%M Maximum number of users for this class. Dis

plays
``unlimited'' if there's no limit.

%N Current number of users for this class.
%R Remote hostname.
%s If the result of the most recent ``%M'' or

``%N'' was not
``1'', print an ``s''.

%S If the result of the most recent ``%M'' or

``%N'' was not
``1'', print an ``S''.

%T Current time.
%U User name.
%% A ``%'' character.

Setting up a restricted ftp subtreeIn order that system security is not breached, it is recom

mended that the
subtrees for the ``ftp'' and ``chroot'' accounts be con

structed with
care, following these rules (replace ``ftp'' in the follow

ing directory
names with the appropriate account name for `chroot' users):

~ftp Make the home directory owned by

``root'' and
unwritable by anyone.

~ftp/bin Make this directory owned by ``root''

and unwritable
by anyone (mode 555). Generally any

conversion commands should be installed here (mode

111).

~ftp/etc Make this directory owned by ``root''

and unwritable
by anyone (mode 555). The files pwd.db

(see
passwd(5)) and group (see group(5))

must be present
for the LIST command to be able to dis

play owner and
group names instead of numbers. The

password field
in passwd(5) is not used, and should

not contain
real passwords. The file motd, if pre

sent, will be
printed after a successful login.

These files
should be mode 444.

~ftp/pub This directory and the subdirectories

beneath it
should be owned by the users and groups

responsible
for placing files in them, and be

writable only by
them (mode 755 or 775). They should

not be owned or
writable by ftp or its group.

~ftp/incoming This directory is where anonymous users

place files
they upload. The owners should be the

user ``ftp''
and an appropriate group. Members of

this group
will be the only users with access to

these files
after they have been uploaded; these

should be people who know how to deal with them ap

propriately.
If you wish anonymous FTP users to be

able to see
the names of the files in this directo

ry the permissions should be 770, otherwise they

should be 370.

The following ftpd.conf(5) directives

should be
used:
modify guest off
umask guest 0707
upload guest on

This will result in anonymous users be

ing able to
upload files to this directory, but

they will not be
able to download them, delete them, or

overwrite
them, due to the umask and disabling of

the commands
mentioned above.

~ftp/tmp This directory is used to create tempo

rary fileswhich contain the error messages gener

ated by a conversion or LIST command. The owner

should be the
user ``ftp''. The permissions should

be 300.

If you don't enable conversion com

mands, or don't
want anonymous users uploading files

here (see
~ftp/incoming above), then don't create

this directory. However, error messages from

conversion or
LIST commands won't be returned to the

user. (This
is the traditional behaviour.) Note

that the
ftpd.conf(5) directive upload can be

used to prevent
users uploading here.

To set up "ftp-only" accounts that provide only FTP, but no

valid shell
login, you can copy/link /sbin/nologin to /sbin/ftplogin,

and enter
/sbin/ftplogin to /etc/shells to allow logging-in via FTP

into the
accounts, which must have /sbin/ftplogin as login shell.

FILES

/etc/ftpchroot List of normal users whose root directory

should be
changed via chroot(2).

/etc/ftpd.conf Configure file conversions and other set

tings.
/etc/ftpusers List of unwelcome/restricted users.
/etc/ftpwelcome Welcome notice before login.
/etc/motd Welcome notice after login.
/etc/nologin If it exists, displayed and access is re

fused.
/var/run/ftpd.pids-CLASS
State file of logged-in processes for the

ftpd class
`CLASS'.

/var/run/utmp List of logged-in users on the system.
/var/log/wtmp Login history database.

SEE ALSO

ftp(1), skey(1), who(1), getusershell(3), ftpchroot(5), ft

pd.conf(5),
ftpusers(5), syslogd(8)

STANDARDS

ftpd recognizes all commands in RFC 959, follows the guide

lines in RFC
1123, recognizes all commands in RFC 2228 (although they are

not supported yet), and supports the extensions from RFC 2389, RFC

2428 and
draft-ietf-ftpext-mlst-11.

HISTORY

The ftpd command appeared in 4.2BSD.

Various features such as the ftpd.conf(5) functionality, RFC

2389, and
draft-ietf-ftpext-mlst-11 support was implemented in NetBSD

1.3 and later
releases by Luke Mewburn.

BUGS

The server must run as the super-user to create sockets with

privileged
port numbers (i.e, those less than IPPORT_RESERVED, which is

1024). If
ftpd is listening on a privileged port it maintains an ef

fective user id
of the logged in user, reverting to the super-user only when

binding
addresses to privileged sockets. The -r option can be used

to override
this behaviour and force privileges to be permanently re

voked; see
SECURITY CONSIDERATIONS below for more details.

ftpd may have trouble handling connections from scoped IPv6

addresses, or
IPv4 mapped addresses (IPv4 connection on AF_INET6 socket).

For the latter case, running two daemons, one for IPv4 and one for

IPv6, will avoid
the problem.

SECURITY CONSIDERATIONS

RFC 959 provides no restrictions on the PORT command, and

this can lead
to security problems, as ftpd can be fooled into connecting

to any service on any host. With the ``checkportcmd'' feature of the

ftpd.conf(5),
PORT commands with different host addresses, or TCP ports

lower than
IPPORT_RESERVED will be rejected. This also prevents

`third-party proxy
ftp' from working. Use of this option is strongly recom

mended, and
enabled by default.

By default ftpd uses a port that is one less than the port

it is listening on to communicate back to the client for the EPRT, LPRT,

and PORT
commands, unless overridden with -P dataport. As the de

fault port for
ftpd (21) is a privileged port below IPPORT_RESERVED, ftpd

retains the
ability to switch back to root privileges to bind these

ports. In order
to increase security by reducing the potential for a bug in

ftpd providing a remote root compromise, ftpd will permanently drop

root privileges
if one of the following is true:

1. ftpd is running on a port greater than IPPORT_RE

SERVED and the
user has logged in as a `guest' or `chroot' user.

2. ftpd was invoked with -r.

Don't create ~ftp/tmp if you don't want anonymous users to

upload files
there. That directory is only necessary if you want to dis

play the error
messages of conversion commands to the user. Note that if

uploads are
disabled with the ftpd.conf(5) directive upload, then this

directory cannot be abused by the user in this way, so it should be safe

to create.

BSD February 26, 2003

BSD