1 .\" $NetBSD: ftpd.8,v 1.85 2009/05/01 10:53:27 wiz Exp $
3 .\" Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
4 .\" All rights reserved.
6 .\" This code is derived from software contributed to The NetBSD Foundation
9 .\" Redistribution and use in source and binary forms, with or without
10 .\" modification, are permitted provided that the following conditions
12 .\" 1. Redistributions of source code must retain the above copyright
13 .\" notice, this list of conditions and the following disclaimer.
14 .\" 2. Redistributions in binary form must reproduce the above copyright
15 .\" notice, this list of conditions and the following disclaimer in the
16 .\" documentation and/or other materials provided with the distribution.
18 .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
19 .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
20 .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21 .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
22 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 .\" POSSIBILITY OF SUCH DAMAGE.
30 .\" Copyright (c) 1985, 1988, 1991, 1993
31 .\" The Regents of the University of California. All rights reserved.
33 .\" Redistribution and use in source and binary forms, with or without
34 .\" modification, are permitted provided that the following conditions
36 .\" 1. Redistributions of source code must retain the above copyright
37 .\" notice, this list of conditions and the following disclaimer.
38 .\" 2. Redistributions in binary form must reproduce the above copyright
39 .\" notice, this list of conditions and the following disclaimer in the
40 .\" documentation and/or other materials provided with the distribution.
41 .\" 3. Neither the name of the University nor the names of its contributors
42 .\" may be used to endorse or promote products derived from this software
43 .\" without specific prior written permission.
45 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
46 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
47 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
48 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
49 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
50 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
51 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
53 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
54 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
57 .\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
65 Internet File Transfer Protocol server
68 .Op Fl 46DdHlnQqrsUuWwX
70 .Op Fl C Ar user Ns Op @ Ns Ar host
74 .Op Fl L Ar xferlogfile
79 is the Internet File Transfer Protocol server process.
82 protocol and listens at the port specified in the
84 service specification; see
92 is specified, bind to IPv4 addresses only.
96 is specified, bind to IPv6 addresses only.
102 into for anonymous logins.
103 Default is the home directory for the ftp user.
104 This can also be specified with the
108 .It Fl C Ar user Ns Op @ Ns Ar host
112 as if connecting from
116 would be granted access under
117 the restrictions given in
119 and exit without attempting a connection.
121 exits with an exit code of 0 if access would be granted, or 1 otherwise.
122 This can be useful for testing configurations.
124 Change the root directory of the configuration files from
128 This changes the directory for the following files:
131 .Pa /etc/ftpwelcome ,
133 and the file specified by the
140 will listen on the default FTP port for incoming connections
141 and fork a child for each connection.
142 This is lower overhead than starting
146 and thus might be useful on busy servers to reduce load.
148 Debugging information is written to the syslog using a facility of
150 .It Fl e Ar emailaddr
156 .Sx Display file escape sequences )
164 Explicitly set the hostname to advertise as to
166 The default is the hostname associated with the IP address that
169 This ability (with or without
173 is useful when configuring
176 servers, each listening on separate addresses as separate names.
179 for more information on starting services to listen on specific IP addresses.
180 .It Fl L Ar xferlogfile
188 Each successful and failed
190 session is logged using syslog with a facility of
192 If this option is specified more than once, the retrieve (get), store (put),
193 append, delete, make directory, remove directory and rename operations and
194 their file name arguments are also logged.
196 Don't attempt translation of IP addresses to hostnames.
200 as the data port, overriding the default of using the port one less
205 Disable the use of pid files for keeping track of the number of logged-in
207 This may reduce the load on heavily loaded
211 Enable the use of pid files for keeping track of the number of logged-in
215 Permanently drop root privileges once the user is logged in.
216 The use of this option may result in the server using a port other
217 than the (listening-port - 1) for
219 style commands, which is contrary to the
221 specification, but in practice very few clients rely upon this behaviour.
223 .Sx SECURITY CONSIDERATIONS
224 below for more details.
226 Require a secure authentication mechanism like Kerberos or S/Key to be used.
228 Don't log each concurrent
238 making them visible to commands such as
243 as the version to advertise in the login banner and in the output of
247 instead of the default version information.
252 then don't display any version information.
263 making them visible to commands such as
271 entries to the syslog, prefixed with
275 These syslog entries can be converted to a
279 file suitable for input into a third-party log analysis tool with a command
281 .Dl "sed -ne 's/^.*xferlog: //p' /var/log/xferlog \*[Gt] wuxferlog"
286 can be used to disable
291 displays it and exits.
296 prints it before issuing the
301 exists (under the chroot directory if applicable),
303 prints it after a successful login.
304 This may be changed with the
311 server currently supports the following
314 The case of the requests is ignored.
315 .Bl -column "Request" "Description" -offset indent
316 .It Sy Request Ta Sy Description
317 .It ABOR Ta "abort previous command"
318 .It ACCT Ta "specify account (ignored)"
319 .It ALLO Ta "allocate storage (vacuously)"
320 .It APPE Ta "append to a file"
321 .It CDUP Ta "change to parent of current working directory"
322 .It CWD Ta "change working directory"
323 .It DELE Ta "delete a file"
324 .It EPSV Ta "prepare for server-to-server transfer"
325 .It EPRT Ta "specify data connection port"
326 .It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
327 .It HELP Ta "give help information"
328 .It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
329 .It LPSV Ta "prepare for server-to-server transfer"
330 .It LPRT Ta "specify data connection port"
331 .It MLSD Ta "list contents of directory in a machine-processable form"
332 .It MLST Ta "show a pathname in a machine-processable form"
333 .It MKD Ta "make a directory"
334 .It MDTM Ta "show last modification time of file"
335 .It MODE Ta "specify data transfer" Em mode
336 .It NLST Ta "give name list of files in directory"
337 .It NOOP Ta "do nothing"
338 .It OPTS Ta "define persistent options for a given command"
339 .It PASS Ta "specify password"
340 .It PASV Ta "prepare for server-to-server transfer"
341 .It PORT Ta "specify data connection port"
342 .It PWD Ta "print the current working directory"
343 .It QUIT Ta "terminate session"
344 .It REST Ta "restart incomplete transfer"
345 .It RETR Ta "retrieve a file"
346 .It RMD Ta "remove a directory"
347 .It RNFR Ta "specify rename-from file name"
348 .It RNTO Ta "specify rename-to file name"
349 .It SITE Ta "non-standard commands (see next section)"
350 .It SIZE Ta "return size of file"
351 .It STAT Ta "return status of server"
352 .It STOR Ta "store a file"
353 .It STOU Ta "store a file with a unique name"
354 .It STRU Ta "specify data transfer" Em structure
355 .It SYST Ta "show operating system type of server system"
356 .It TYPE Ta "specify data transfer" Em type
357 .It USER Ta "specify user name"
358 .It XCUP Ta "change to parent of current working directory (deprecated)"
359 .It XCWD Ta "change working directory (deprecated)"
360 .It XMKD Ta "make a directory (deprecated)"
361 .It XPWD Ta "print the current working directory (deprecated)"
362 .It XRMD Ta "remove a directory (deprecated)"
365 The following non-standard or
367 specific commands are supported by the SITE request.
369 .Bl -column Request Description -offset indent
370 .It Sy Request Ta Sy Description
371 .It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
372 .It HELP Ta "give help information."
373 .It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
374 .It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
375 .It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
376 .It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
381 requests (as specified in
385 are recognized, but are not implemented:
401 server will abort an active file transfer only when the
403 command is preceded by a Telnet "Interrupt Process" (IP)
404 signal and a Telnet "Synch" signal in the command Telnet stream,
405 as described in Internet
409 command is received during a data transfer, preceded by a Telnet IP
410 and Synch, transfer status will be returned.
413 interprets file names according to the
417 This allows users to use the metacharacters
419 .Ss User authentication
421 authenticates users according to five rules.
423 .Bl -enum -offset indent
425 The login name must be in the password data base,
427 and not have a null password.
428 In this case a password must be provided by the client before any
429 file operations may be performed.
430 If the user has an S/Key key, the response from a successful
432 command will include an S/Key challenge.
433 The client may choose to respond with a
435 command giving either
436 a standard password or an S/Key one-time password.
437 The server will automatically determine which type of password it
438 has been given and attempt to authenticate accordingly.
441 for more information on S/Key authentication.
442 S/Key is a Trademark of Bellcore.
444 The login name must be allowed based on the information in
447 The user must have a standard shell returned by
449 If the user's shell field in the password database is empty, the
450 shell is assumed to be
454 the user's shell must be listed with full path in
457 If directed by the file
459 the session's root directory will be changed by
461 to the directory specified in the
465 or to the home directory of the user.
466 This facility may also be triggered by enabling the boolean
470 However, the user must still supply a password.
471 This feature is intended as a compromise between a fully anonymous account
472 and a fully privileged account.
473 The account should also be set up as for an anonymous account.
482 account must be present in the password
485 In this case the user is allowed
486 to log in by specifying any password (by convention an email address for
487 the user should be used as the password).
489 The server performs a
491 to the directory specified in the
498 or to the home directory of the
502 The server then performs a
504 to the directory specified in the
507 directive (if set), otherwise to
510 If other restrictions are required (such as disabling of certain
511 commands and the setting of a specific umask), then appropriate
516 If the first character of the password supplied by an anonymous user
519 then the verbose messages displayed at login and upon a
521 command are suppressed.
523 .Ss Display file escape sequences
526 displays various files back to the client (such as
530 various escape strings are replaced with information pertinent
531 to the current connection.
533 The supported escape strings are:
534 .Bl -tag -width "Escape" -offset indent -compact
540 Current working directory.
542 Email address given with
547 Maximum number of users for this class.
552 Current number of users for this class.
556 If the result of the most recent
565 If the result of the most recent
582 .Ss Setting up a restricted ftp subtree
583 In order that system security is not breached, it is recommended
589 accounts be constructed with care, following these rules
592 in the following directory names
593 with the appropriate account name for
596 .Bl -tag -width "~ftp/incoming" -offset indent
598 Make the home directory owned by
600 and unwritable by anyone.
602 Make this directory owned by
604 and unwritable by anyone (mode 555).
605 Generally any conversion commands should be installed
608 Make this directory owned by
610 and unwritable by anyone (mode 555).
619 must be present for the
621 command to be able to display owner and group names instead of numbers.
622 The password field in
624 is not used, and should not contain real passwords.
627 if present, will be printed after a successful login.
628 These files should be mode 444.
630 This directory and the subdirectories beneath it should be owned
631 by the users and groups responsible for placing files in them,
632 and be writable only by them (mode 755 or 775).
635 be owned or writable by ftp or its group.
637 This directory is where anonymous users place files they upload.
638 The owners should be the user
640 and an appropriate group.
641 Members of this group will be the only users with access to these
642 files after they have been uploaded; these should be people who
643 know how to deal with them appropriately.
644 If you wish anonymous
646 users to be able to see the names of the
647 files in this directory the permissions should be 770, otherwise
652 directives should be used:
653 .Dl "modify guest off"
654 .Dl "umask guest 0707"
655 .Dl "upload guest on"
657 This will result in anonymous users being able to upload files to this
658 directory, but they will not be able to download them, delete them, or
659 overwrite them, due to the umask and disabling of the commands mentioned
662 This directory is used to create temporary files which contain
663 the error messages generated by a conversion or
666 The owner should be the user
668 The permissions should be 300.
670 If you don't enable conversion commands, or don't want anonymous users
671 uploading files here (see
673 above), then don't create this directory.
674 However, error messages from conversion or
676 commands won't be returned to the user.
677 (This is the traditional behaviour.)
682 can be used to prevent users uploading here.
685 To set up "ftp-only" accounts that provide only
688 login, you can copy/link
696 to allow logging-in via
698 into the accounts, which must have
702 .Bl -tag -width /etc/ftpwelcome -compact
703 .It Pa /etc/ftpchroot
704 List of normal users whose root directory should be changed via
706 .It Pa /etc/ftpd.conf
707 Configure file conversions and other settings.
709 List of unwelcome/restricted users.
710 .It Pa /etc/ftpwelcome
711 Welcome notice before login.
713 Welcome notice after login.
715 If it exists, displayed and access is refused.
716 .It Pa /var/run/ftpd.pids-CLASS
717 State file of logged-in processes for the
722 List of logged-in users on the system.
724 Login history database.
738 recognizes all commands in
740 follows the guidelines in
742 recognizes all commands in
744 (although they are not supported yet),
745 and supports the extensions from
756 Various features such as the
762 support was implemented in
764 and later releases by Luke Mewburn.
766 The server must run as the super-user to create sockets with
767 privileged port numbers (i.e, those less than
768 .Dv IPPORT_RESERVED ,
772 is listening on a privileged port
773 it maintains an effective user id of the logged in user, reverting
774 to the super-user only when binding addresses to privileged sockets.
777 option can be used to override this behaviour and force privileges to
778 be permanently revoked; see
779 .Sx SECURITY CONSIDERATIONS
780 below for more details.
783 may have trouble handling connections from scoped IPv6 addresses, or
784 IPv4 mapped addresses
790 For the latter case, running two daemons,
791 one for IPv4 and one for IPv6, will avoid the problem.
792 .Sh SECURITY CONSIDERATIONS
794 provides no restrictions on the
796 command, and this can lead to security problems, as
798 can be fooled into connecting to any service on any host.
804 commands with different host addresses, or TCP ports lower than
808 .Sq third-party proxy ftp
810 Use of this option is
812 recommended, and enabled by default.
816 uses a port that is one less than the port it is listening on to
817 communicate back to the client for the
822 commands, unless overridden with
824 As the default port for
826 (21) is a privileged port below
827 .Dv IPPORT_RESERVED ,
829 retains the ability to switch back to root privileges to bind these
831 In order to increase security by reducing the potential for a bug in
833 providing a remote root compromise,
835 will permanently drop root privileges if one of the following is true:
836 .Bl -enum -offset indent
839 is running on a port greater than
841 and the user has logged in as a
854 if you don't want anonymous users to upload files there.
855 That directory is only necessary if you want to display the error
856 messages of conversion commands to the user.
857 Note that if uploads are disabled with the
861 then this directory cannot be abused by the user in this way, so it
862 should be safe to create.
864 To avoid possible denial-of-service attacks,
866 requests against files larger than 10240 bytes will be denied if