1.\" $NetBSD: ftpd.8,v 1.76 2005/08/07 11:13:34 wiz Exp $
2.\"
3.\" Copyright (c) 1997-2003 The NetBSD Foundation, Inc.
4.\" All rights reserved.
5.\"
6.\" This code is derived from software contributed to The NetBSD Foundation
7.\" by Luke Mewburn.
8.\"
9.\" Redistribution and use in source and binary forms, with or without
10.\" modification, are permitted provided that the following conditions
11.\" are met:
12.\" 1. Redistributions of source code must retain the above copyright
13.\" notice, this list of conditions and the following disclaimer.
14.\" 2. Redistributions in binary form must reproduce the above copyright
15.\" notice, this list of conditions and the following disclaimer in the
16.\" documentation and/or other materials provided with the distribution.
17.\" 3. All advertising materials mentioning features or use of this software
18.\" must display the following acknowledgement:
19.\" This product includes software developed by the NetBSD
20.\" Foundation, Inc. and its contributors.
21.\" 4. Neither the name of The NetBSD Foundation nor the names of its
22.\" contributors may be used to endorse or promote products derived
23.\" from this software without specific prior written permission.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
26.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
27.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
28.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
29.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
30.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
31.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
32.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
33.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
34.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35.\" POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" Copyright (c) 1985, 1988, 1991, 1993
38.\" The Regents of the University of California. All rights reserved.
39.\"
40.\" Redistribution and use in source and binary forms, with or without
41.\" modification, are permitted provided that the following conditions
42.\" are met:
43.\" 1. Redistributions of source code must retain the above copyright
44.\" notice, this list of conditions and the following disclaimer.
45.\" 2. Redistributions in binary form must reproduce the above copyright
46.\" notice, this list of conditions and the following disclaimer in the
47.\" documentation and/or other materials provided with the distribution.
48.\" 3. Neither the name of the University nor the names of its contributors
49.\" may be used to endorse or promote products derived from this software
50.\" without specific prior written permission.
51.\"
52.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
53.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
55.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
56.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
57.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
58.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
59.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
60.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
61.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62.\" SUCH DAMAGE.
63.\"
64.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
65.\"
66.Dd August 4, 2005
67.Dt FTPD 8
68.Os
69.Sh NAME
70.Nm ftpd
71.Nd
72Internet File Transfer Protocol server
73.Sh SYNOPSIS
74.Nm
75.Op Fl 46DdHlQqrsUuWwX
76.Op Fl a Ar anondir
77.Op Fl C Ar user
78.Op Fl c Ar confdir
79.Op Fl e Ar emailaddr
80.Op Fl h Ar hostname
81.Op Fl L Ar xferlogfile
82.Op Fl P Ar dataport
83.Op Fl V Ar version
84.Sh DESCRIPTION
85.Nm
86is the Internet File Transfer Protocol server process.
87The server uses the
88.Tn TCP
89protocol and listens at the port specified in the
90.Dq ftp
91service specification; see
92.Xr services 5 .
93.Pp
94Available options:
95.Bl -tag -width Ds
96.It Fl 4
97When
98.Fl D
99is specified, bind to IPv4 addresses only.
100.It Fl 6
101When
102.Fl D
103is specified, bind to IPv6 addresses only.
104.It Fl a Ar anondir
105Define
106.Ar anondir
107as the directory to
108.Xr chroot 2
109into for anonymous logins.
110Default is the home directory for the ftp user.
111This can also be specified with the
112.Xr ftpd.conf 5
113.Sy chroot
114directive.
115.It Fl C Ar user
116Check whether
117.Ar user
118would be granted access under
119the restrictions given in
120.Xr ftpusers 5
121and exit without attempting a connection.
122.Nm
123exits with an exit code of 0 if access would be granted, or 1 otherwise.
124This can be useful for testing configurations.
125.It Fl c Ar confdir
126Change the root directory of the configuration files from
127.Dq Pa /etc
128to
129.Ar confdir .
130This changes the directory for the following files:
131.Pa /etc/ftpchroot ,
132.Pa /etc/ftpusers ,
133.Pa /etc/ftpwelcome ,
134.Pa /etc/motd ,
135and the file specified by the
136.Xr ftpd.conf 5
137.Sy limit
138directive.
139.It Fl D
140Run as daemon.
141.Nm
142will listen on the default FTP port for incoming connections
143and fork a child for each connection.
144This is lower overhead than starting
145.Nm
146from
147.Xr inetd 8
148and thus might be useful on busy servers to reduce load.
149.It Fl d
150Debugging information is written to the syslog using a facility of
151.Dv LOG_FTP .
152.It Fl e Ar emailaddr
153Use
154.Ar emailaddr
155for the
156.Dq "\&%E"
157escape sequence (see
158.Sx Display file escape sequences )
159.It Fl H
160Equivalent to
161.Do
162-h
163`hostname`
164.Dc .
165.It Fl h Ar hostname
166Explicitly set the hostname to advertise as to
167.Ar hostname .
168The default is the hostname associated with the IP address that
169.Nm
170is listening on.
171This ability (with or without
172.Fl h ) ,
173in conjunction with
174.Fl c Ar confdir ,
175is useful when configuring
176.Sq virtual
177.Tn FTP
178servers, each listening on separate addresses as separate names.
179Refer to
180.Xr inetd.conf 5
181for more information on starting services to listen on specific IP addresses.
182.It Fl L Ar xferlogfile
183Log
184.Tn wu-ftpd
185style
186.Sq xferlog
187entries to
188.Ar xferlogfile .
189.It Fl l
190Each successful and failed
191.Tn FTP
192session is logged using syslog with a facility of
193.Dv LOG_FTP .
194If this option is specified more than once, the retrieve (get), store (put),
195append, delete, make directory, remove directory and rename operations and
196their file name arguments are also logged.
197.It Fl P Ar dataport
198Use
199.Ar dataport
200as the data port, overriding the default of using the port one less
201that the port
202.Nm
203is listening on.
204.It Fl Q
205Disable the use of pid files for keeping track of the number of logged-in
206users per class.
207This may reduce the load on heavily loaded
208.Tn FTP
209servers.
210.It Fl q
211Enable the use of pid files for keeping track of the number of logged-in
212users per class.
213This is the default.
214.It Fl r
215Permanently drop root privileges once the user is logged in.
216The use of this option may result in the server using a port other
217than the (listening-port - 1) for
218.Sy PORT
219style commands, which is contrary to the
220.Cm RFC 959
221specification, but in practice very few clients rely upon this behaviour.
222See
223.Sx SECURITY CONSIDERATIONS
224below for more details.
225.It Fl s
226Require a secure authentication mechanism like Kerberos or S/Key to be used.
227.It Fl U
228Don't log each concurrent
229.Tn FTP
230session to
231.Pa /var/run/utmp .
232This is the default.
233.It Fl u
234Log each concurrent
235.Tn FTP
236session to
237.Pa /var/run/utmp ,
238making them visible to commands such as
239.Xr who 1 .
240.It Fl V Ar version
241Use
242.Ar version
243as the version to advertise in the login banner and in the output of
244.Sy STAT
245and
246.Sy SYST
247instead of the default version information.
248If
249.Ar version
250is empty or
251.Sq -
252then don't display any version information.
253.It Fl W
254Don't log each
255.Tn FTP
256session to
257.Pa /var/log/wtmp .
258.It Fl w
259Log each
260.Tn FTP
261session to
262.Pa /var/log/wtmp ,
263making them visible to commands such as
264.Xr last 1 .
265This is the default.
266.It Fl X
267Log
268.Tn wu-ftpd
269style
270.Sq xferlog
271entries to the syslog, prefixed with
272.Dq "xferlog:\ " ,
273using a facility of
274.Dv LOG_FTP .
275These syslog entries can be converted to a
276.Tn wu-ftpd
277style
278.Pa xferlog
279file suitable for input into a third-party log analysis tool with a command
280similar to:
281.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
282.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
283.El
284.Pp
285The file
286.Pa /etc/nologin
287can be used to disable
288.Tn FTP
289access.
290If the file exists,
291.Nm
292displays it and exits.
293If the file
294.Pa /etc/ftpwelcome
295exists,
296.Nm
297prints it before issuing the
298.Dq ready
299message.
300If the file
301.Pa /etc/motd
302exists (under the chroot directory if applicable),
303.Nm
304prints it after a successful login.
305This may be changed with the
306.Xr ftpd.conf 5
307directive
308.Sy motd .
309.Pp
310The
311.Nm
312server currently supports the following
313.Tn FTP
314requests.
315The case of the requests is ignored.
316.Bl -column "Request" -offset indent
317.It Sy Request Ta Sy Description
318.It ABOR Ta "abort previous command"
319.It ACCT Ta "specify account (ignored)"
320.It ALLO Ta "allocate storage (vacuously)"
321.It APPE Ta "append to a file"
322.It CDUP Ta "change to parent of current working directory"
323.It CWD Ta "change working directory"
324.It DELE Ta "delete a file"
325.It EPSV Ta "prepare for server-to-server transfer"
326.It EPRT Ta "specify data connection port"
327.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
328.It HELP Ta "give help information"
329.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
330.It LPSV Ta "prepare for server-to-server transfer"
331.It LPRT Ta "specify data connection port"
332.It MLSD Ta "list contents of directory in a machine-processable form"
333.It MLST Ta "show a pathname in a machine-processable form"
334.It MKD Ta "make a directory"
335.It MDTM Ta "show last modification time of file"
336.It MODE Ta "specify data transfer" Em mode
337.It NLST Ta "give name list of files in directory"
338.It NOOP Ta "do nothing"
339.It OPTS Ta "define persistent options for a given command"
340.It PASS Ta "specify password"
341.It PASV Ta "prepare for server-to-server transfer"
342.It PORT Ta "specify data connection port"
343.It PWD Ta "print the current working directory"
344.It QUIT Ta "terminate session"
345.It REST Ta "restart incomplete transfer"
346.It RETR Ta "retrieve a file"
347.It RMD Ta "remove a directory"
348.It RNFR Ta "specify rename-from file name"
349.It RNTO Ta "specify rename-to file name"
350.It SITE Ta "non-standard commands (see next section)"
351.It SIZE Ta "return size of file"
352.It STAT Ta "return status of server"
353.It STOR Ta "store a file"
354.It STOU Ta "store a file with a unique name"
355.It STRU Ta "specify data transfer" Em structure
356.It SYST Ta "show operating system type of server system"
357.It TYPE Ta "specify data transfer" Em type
358.It USER Ta "specify user name"
359.It XCUP Ta "change to parent of current working directory (deprecated)"
360.It XCWD Ta "change working directory (deprecated)"
361.It XMKD Ta "make a directory (deprecated)"
362.It XPWD Ta "print the current working directory (deprecated)"
363.It XRMD Ta "remove a directory (deprecated)"
364.El
365.Pp
366The following non-standard or
367.Ux
368specific commands are supported by the SITE request.
369.Pp
370.Bl -column Request -offset indent
371.It Sy Request Ta Sy Description
372.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
373.It HELP Ta "give help information."
374.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
375.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
376.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
377.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
378.El
379.Pp
380The following
381.Tn FTP
382requests (as specified in
383.Cm RFC 959 )
384are recognized, but are not implemented:
385.Sy ACCT ,
386.Sy SMNT ,
387and
388.Sy REIN .
389.Sy MDTM
390and
391.Sy SIZE
392are not specified in
393.Cm RFC 959 ,
394but will appear in the
395next updated
396.Tn FTP
397RFC.
398.Pp
399The
400.Nm
401server will abort an active file transfer only when the
402.Sy ABOR
403command is preceded by a Telnet "Interrupt Process" (IP)
404signal and a Telnet "Synch" signal in the command Telnet stream,
405as described in Internet
406.Cm RFC 959 .
407If a
408.Sy STAT
409command is received during a data transfer, preceded by a Telnet IP
410and Synch, transfer status will be returned.
411.Pp
412.Nm
413interprets file names according to the
414.Dq globbing
415conventions used by
416.Xr csh 1 .
417This allows users to use the metacharacters
418.Dq Li \&*?[]{}~ .
419.Ss User authentication
420.Nm
421authenticates users according to five rules.
422.Pp
423.Bl -enum -offset indent
424.It
425The login name must be in the password data base,
426.Pa /etc/pwd.db ,
427and not have a null password.
428In this case a password must be provided by the client before any
429file operations may be performed.
430If the user has an S/Key key, the response from a successful
431.Sy USER
432command will include an S/Key challenge.
433The client may choose to respond with a
434.Sy PASS
435command giving either
436a standard password or an S/Key one-time password.
437The server will automatically determine which type of password it
438has been given and attempt to authenticate accordingly.
439See
440.Xr skey 1
441for more information on S/Key authentication.
442S/Key is a Trademark of Bellcore.
443.It
444The login name must be allowed based on the information in
445.Xr ftpusers 5 .
446.It
447The user must have a standard shell returned by
448.Xr getusershell 3 .
449If the user's shell field in the password database is empty, the
450shell is assumed to be
451.Pa /bin/sh .
452As per
453.Xr shells 5 ,
454the user's shell must be listed with full path in
455.Pa /etc/shells .
456.It
457If directed by the file
458.Xr ftpchroot 5
459the session's root directory will be changed by
460.Xr chroot 2
461to the directory specified in the
462.Xr ftpd.conf 5
463.Sy chroot
464directive (if set),
465or to the home directory of the user.
466However, the user must still supply a password.
467This feature is intended as a compromise between a fully anonymous account
468and a fully privileged account.
469The account should also be set up as for an anonymous account.
470.It
471If the user name is
472.Dq anonymous
473or
474.Dq ftp ,
475an
476anonymous
477.Tn FTP
478account must be present in the password
479file (user
480.Dq ftp ) .
481In this case the user is allowed
482to log in by specifying any password (by convention an email address for
483the user should be used as the password).
484.Pp
485The server performs a
486.Xr chroot 2
487to the directory specified in the
488.Xr ftpd.conf 5
489.Sy chroot
490directive (if set),
491the
492.Fl a Ar anondir
493directory (if set),
494or to the home directory of the
495.Dq ftp
496user.
497.Pp
498The server then performs a
499.Xr chdir 2
500to the directory specified in the
501.Xr ftpd.conf 5
502.Sy homedir
503directive (if set), otherwise to
504.Pa / .
505.Pp
506If other restrictions are required (such as disabling of certain
507commands and the setting of a specific umask), then appropriate
508entries in
509.Xr ftpd.conf 5
510are required.
511.Pp
512If the first character of the password supplied by an anonymous user
513is
514.Dq - ,
515then the verbose messages displayed at login and upon a
516.Sy CWD
517command are suppressed.
518.El
519.Ss Display file escape sequences
520When
521.Nm
522displays various files back to the client (such as
523.Pa /etc/ftpwelcome
524and
525.Pa /etc/motd ) ,
526various escape strings are replaced with information pertinent
527to the current connection.
528.Pp
529The supported escape strings are:
530.Bl -tag -width "Escape" -offset indent -compact
531.It Sy "Escape"
532.Sy Description
533.It "\&%c"
534Class name.
535.It "\&%C"
536Current working directory.
537.It "\&%E"
538Email address given with
539.Fl e .
540.It "\&%L"
541Local hostname.
542.It "\&%M"
543Maximum number of users for this class.
544Displays
545.Dq unlimited
546if there's no limit.
547.It "\&%N"
548Current number of users for this class.
549.It "\&%R"
550Remote hostname.
551.It "\&%s"
552If the result of the most recent
553.Dq "\&%M"
554or
555.Dq "\&%N"
556was not
557.Dq Li 1 ,
558print an
559.Dq s .
560.It "\&%S"
561If the result of the most recent
562.Dq "\&%M"
563or
564.Dq "\&%N"
565was not
566.Dq Li 1 ,
567print an
568.Dq S .
569.It "\&%T"
570Current time.
571.It "\&%U"
572User name.
573.It "\&%\&%"
574A
575.Dq \&%
576character.
577.El
578.Ss Setting up a restricted ftp subtree
579In order that system security is not breached, it is recommended
580that the
581subtrees for the
582.Dq ftp
583and
584.Dq chroot
585accounts be constructed with care, following these rules
586(replace
587.Dq ftp
588in the following directory names
589with the appropriate account name for
590.Sq chroot
591users):
592.Bl -tag -width "~ftp/incoming" -offset indent
593.It Pa ~ftp
594Make the home directory owned by
595.Dq root
596and unwritable by anyone.
597.It Pa ~ftp/bin
598Make this directory owned by
599.Dq root
600and unwritable by anyone (mode 555).
601Generally any conversion commands should be installed
602here (mode 111).
603.It Pa ~ftp/etc
604Make this directory owned by
605.Dq root
606and unwritable by anyone (mode 555).
607The files
608.Pa pwd.db
609(see
610.Xr passwd 5 )
611and
612.Pa group
613(see
614.Xr group 5 )
615must be present for the
616.Sy LIST
617command to be able to display owner and group names instead of numbers.
618The password field in
619.Xr passwd 5
620is not used, and should not contain real passwords.
621The file
622.Pa motd ,
623if present, will be printed after a successful login.
624These files should be mode 444.
625.It Pa ~ftp/pub
626This directory and the subdirectories beneath it should be owned
627by the users and groups responsible for placing files in them,
628and be writable only by them (mode 755 or 775).
629They should
630.Em not
631be owned or writable by ftp or its group.
632.It Pa ~ftp/incoming
633This directory is where anonymous users place files they upload.
634The owners should be the user
635.Dq ftp
636and an appropriate group.
637Members of this group will be the only users with access to these
638files after they have been uploaded; these should be people who
639know how to deal with them appropriately.
640If you wish anonymous
641.Tn FTP
642users to be able to see the names of the
643files in this directory the permissions should be 770, otherwise
644they should be 370.
645.Pp
646The following
647.Xr ftpd.conf 5
648directives should be used:
649.Dl "modify guest off"
650.Dl "umask guest 0707"
651.Dl "upload guest on"
652.Pp
653This will result in anonymous users being able to upload files to this
654directory, but they will not be able to download them, delete them, or
655overwrite them, due to the umask and disabling of the commands mentioned
656above.
657.It Pa ~ftp/tmp
658This directory is used to create temporary files which contain
659the error messages generated by a conversion or
660.Sy LIST
661command.
662The owner should be the user
663.Dq ftp .
664The permissions should be 300.
665.Pp
666If you don't enable conversion commands, or don't want anonymous users
667uploading files here (see
668.Pa ~ftp/incoming
669above), then don't create this directory.
670However, error messages from conversion or
671.Sy LIST
672commands won't be returned to the user.
673(This is the traditional behaviour.)
674Note that the
675.Xr ftpd.conf 5
676directive
677.Sy upload
678can be used to prevent users uploading here.
679.El
680.Pp
681To set up "ftp-only" accounts that provide only
682.Tn FTP ,
683but no valid shell
684login, you can copy/link
685.Pa /sbin/nologin
686to
687.Pa /sbin/ftplogin ,
688and enter
689.Pa /sbin/ftplogin
690to
691.Pa /etc/shells
692to allow logging-in via
693.Tn FTP
694into the accounts, which must have
695.Pa /sbin/ftplogin
696as login shell.
697.Sh FILES
698.Bl -tag -width /etc/ftpwelcome -compact
699.It Pa /etc/ftpchroot
700List of normal users whose root directory should be changed via
701.Xr chroot 2 .
702.It Pa /etc/ftpd.conf
703Configure file conversions and other settings.
704.It Pa /etc/ftpusers
705List of unwelcome/restricted users.
706.It Pa /etc/ftpwelcome
707Welcome notice before login.
708.It Pa /etc/motd
709Welcome notice after login.
710.It Pa /etc/nologin
711If it exists, displayed and access is refused.
712.It Pa /var/run/ftpd.pids-CLASS
713State file of logged-in processes for the
714.Nm
715class
716.Sq CLASS .
717.It Pa /var/run/utmp
718List of logged-in users on the system.
719.It Pa /var/log/wtmp
720Login history database.
721.El
722.Sh SEE ALSO
723.Xr ftp 1 ,
724.Xr skey 1 ,
725.Xr who 1 ,
726.Xr getusershell 3 ,
727.Xr ftpchroot 5 ,
728.Xr ftpd.conf 5 ,
729.Xr ftpusers 5 ,
730.Xr syslogd 8
731.Sh STANDARDS
732.Nm
733recognizes all commands in
734.Cm RFC 959 ,
735follows the guidelines in
736.Cm RFC 1123 ,
737recognizes all commands in
738.Cm RFC 2228
739(although they are not supported yet),
740and supports the extensions from
741.Cm RFC 2389 ,
742.Cm RFC 2428
743and
744.Cm draft-ietf-ftpext-mlst-11 .
745.Sh HISTORY
746The
747.Nm
748command appeared in
749.Bx 4.2 .
750.Pp
751Various features such as the
752.Xr ftpd.conf 5
753functionality,
754.Cm RFC 2389 ,
755and
756.Cm draft-ietf-ftpext-mlst-11
757support was implemented in
758.Nx 1.3
759and later releases by Luke Mewburn.
760.Sh BUGS
761The server must run as the super-user to create sockets with
762privileged port numbers (i.e, those less than
763.Dv IPPORT_RESERVED ,
764which is 1024).
765If
766.Nm
767is listening on a privileged port
768it maintains an effective user id of the logged in user, reverting
769to the super-user only when binding addresses to privileged sockets.
770The
771.Fl r
772option can be used to override this behaviour and force privileges to
773be permanently revoked; see
774.Sx SECURITY CONSIDERATIONS
775below for more details.
776.Pp
777.Nm
778may have trouble handling connections from scoped IPv6 addresses, or
779IPv4 mapped addresses
780.Po
781IPv4 connection on
782.Dv AF_INET6
783socket
784.Pc .
785For the latter case, running two daemons,
786one for IPv4 and one for IPv6, will avoid the problem.
787.Sh SECURITY CONSIDERATIONS
788.Cm RFC 959
789provides no restrictions on the
790.Sy PORT
791command, and this can lead to security problems, as
792.Nm
793can be fooled into connecting to any service on any host.
794With the
795.Dq checkportcmd
796feature of the
797.Xr ftpd.conf 5 ,
798.Sy PORT
799commands with different host addresses, or TCP ports lower than
800.Dv IPPORT_RESERVED
801will be rejected.
802This also prevents
803.Sq third-party proxy ftp
804from working.
805Use of this option is
806.Em strongly
807recommended, and enabled by default.
808.Pp
809By default
810.Nm
811uses a port that is one less than the port it is listening on to
812communicate back to the client for the
813.Sy EPRT ,
814.Sy LPRT ,
815and
816.Sy PORT
817commands, unless overridden with
818.Fl P Ar dataport .
819As the default port for
820.Nm
821(21) is a privileged port below
822.Dv IPPORT_RESERVED ,
823.Nm
824retains the ability to switch back to root privileges to bind these
825ports.
826In order to increase security by reducing the potential for a bug in
827.Nm
828providing a remote root compromise,
829.Nm
830will permanently drop root privileges if one of the following is true:
831.Bl -enum -offset indent
832.It
833.Nm
834is running on a port greater than
835.Dv IPPORT_RESERVED
836and the user has logged in as a
837.Sq guest
838or
839.Sq chroot
840user.
841.It
842.Nm
843was invoked with
844.Fl r .
845.El
846.Pp
847Don't create
848.Pa ~ftp/tmp
849if you don't want anonymous users to upload files there.
850That directory is only necessary if you want to display the error
851messages of conversion commands to the user.
852Note that if uploads are disabled with the
853.Xr ftpd.conf 5
854directive
855.Sy upload ,
856then this directory cannot be abused by the user in this way, so it
857should be safe to create.
2.\"
3.\" Copyright (c) 1997-2003 The NetBSD Foundation, Inc.
4.\" All rights reserved.
5.\"
6.\" This code is derived from software contributed to The NetBSD Foundation
7.\" by Luke Mewburn.
8.\"
9.\" Redistribution and use in source and binary forms, with or without
10.\" modification, are permitted provided that the following conditions
11.\" are met:
12.\" 1. Redistributions of source code must retain the above copyright
13.\" notice, this list of conditions and the following disclaimer.
14.\" 2. Redistributions in binary form must reproduce the above copyright
15.\" notice, this list of conditions and the following disclaimer in the
16.\" documentation and/or other materials provided with the distribution.
17.\" 3. All advertising materials mentioning features or use of this software
18.\" must display the following acknowledgement:
19.\" This product includes software developed by the NetBSD
20.\" Foundation, Inc. and its contributors.
21.\" 4. Neither the name of The NetBSD Foundation nor the names of its
22.\" contributors may be used to endorse or promote products derived
23.\" from this software without specific prior written permission.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
26.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
27.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
28.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
29.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
30.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
31.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
32.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
33.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
34.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35.\" POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" Copyright (c) 1985, 1988, 1991, 1993
38.\" The Regents of the University of California. All rights reserved.
39.\"
40.\" Redistribution and use in source and binary forms, with or without
41.\" modification, are permitted provided that the following conditions
42.\" are met:
43.\" 1. Redistributions of source code must retain the above copyright
44.\" notice, this list of conditions and the following disclaimer.
45.\" 2. Redistributions in binary form must reproduce the above copyright
46.\" notice, this list of conditions and the following disclaimer in the
47.\" documentation and/or other materials provided with the distribution.
48.\" 3. Neither the name of the University nor the names of its contributors
49.\" may be used to endorse or promote products derived from this software
50.\" without specific prior written permission.
51.\"
52.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
53.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
55.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
56.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
57.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
58.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
59.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
60.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
61.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62.\" SUCH DAMAGE.
63.\"
64.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
65.\"
66.Dd August 4, 2005
67.Dt FTPD 8
68.Os
69.Sh NAME
70.Nm ftpd
71.Nd
72Internet File Transfer Protocol server
73.Sh SYNOPSIS
74.Nm
75.Op Fl 46DdHlQqrsUuWwX
76.Op Fl a Ar anondir
77.Op Fl C Ar user
78.Op Fl c Ar confdir
79.Op Fl e Ar emailaddr
80.Op Fl h Ar hostname
81.Op Fl L Ar xferlogfile
82.Op Fl P Ar dataport
83.Op Fl V Ar version
84.Sh DESCRIPTION
85.Nm
86is the Internet File Transfer Protocol server process.
87The server uses the
88.Tn TCP
89protocol and listens at the port specified in the
90.Dq ftp
91service specification; see
92.Xr services 5 .
93.Pp
94Available options:
95.Bl -tag -width Ds
96.It Fl 4
97When
98.Fl D
99is specified, bind to IPv4 addresses only.
100.It Fl 6
101When
102.Fl D
103is specified, bind to IPv6 addresses only.
104.It Fl a Ar anondir
105Define
106.Ar anondir
107as the directory to
108.Xr chroot 2
109into for anonymous logins.
110Default is the home directory for the ftp user.
111This can also be specified with the
112.Xr ftpd.conf 5
113.Sy chroot
114directive.
115.It Fl C Ar user
116Check whether
117.Ar user
118would be granted access under
119the restrictions given in
120.Xr ftpusers 5
121and exit without attempting a connection.
122.Nm
123exits with an exit code of 0 if access would be granted, or 1 otherwise.
124This can be useful for testing configurations.
125.It Fl c Ar confdir
126Change the root directory of the configuration files from
127.Dq Pa /etc
128to
129.Ar confdir .
130This changes the directory for the following files:
131.Pa /etc/ftpchroot ,
132.Pa /etc/ftpusers ,
133.Pa /etc/ftpwelcome ,
134.Pa /etc/motd ,
135and the file specified by the
136.Xr ftpd.conf 5
137.Sy limit
138directive.
139.It Fl D
140Run as daemon.
141.Nm
142will listen on the default FTP port for incoming connections
143and fork a child for each connection.
144This is lower overhead than starting
145.Nm
146from
147.Xr inetd 8
148and thus might be useful on busy servers to reduce load.
149.It Fl d
150Debugging information is written to the syslog using a facility of
151.Dv LOG_FTP .
152.It Fl e Ar emailaddr
153Use
154.Ar emailaddr
155for the
156.Dq "\&%E"
157escape sequence (see
158.Sx Display file escape sequences )
159.It Fl H
160Equivalent to
161.Do
162-h
163`hostname`
164.Dc .
165.It Fl h Ar hostname
166Explicitly set the hostname to advertise as to
167.Ar hostname .
168The default is the hostname associated with the IP address that
169.Nm
170is listening on.
171This ability (with or without
172.Fl h ) ,
173in conjunction with
174.Fl c Ar confdir ,
175is useful when configuring
176.Sq virtual
177.Tn FTP
178servers, each listening on separate addresses as separate names.
179Refer to
180.Xr inetd.conf 5
181for more information on starting services to listen on specific IP addresses.
182.It Fl L Ar xferlogfile
183Log
184.Tn wu-ftpd
185style
186.Sq xferlog
187entries to
188.Ar xferlogfile .
189.It Fl l
190Each successful and failed
191.Tn FTP
192session is logged using syslog with a facility of
193.Dv LOG_FTP .
194If this option is specified more than once, the retrieve (get), store (put),
195append, delete, make directory, remove directory and rename operations and
196their file name arguments are also logged.
197.It Fl P Ar dataport
198Use
199.Ar dataport
200as the data port, overriding the default of using the port one less
201that the port
202.Nm
203is listening on.
204.It Fl Q
205Disable the use of pid files for keeping track of the number of logged-in
206users per class.
207This may reduce the load on heavily loaded
208.Tn FTP
209servers.
210.It Fl q
211Enable the use of pid files for keeping track of the number of logged-in
212users per class.
213This is the default.
214.It Fl r
215Permanently drop root privileges once the user is logged in.
216The use of this option may result in the server using a port other
217than the (listening-port - 1) for
218.Sy PORT
219style commands, which is contrary to the
220.Cm RFC 959
221specification, but in practice very few clients rely upon this behaviour.
222See
223.Sx SECURITY CONSIDERATIONS
224below for more details.
225.It Fl s
226Require a secure authentication mechanism like Kerberos or S/Key to be used.
227.It Fl U
228Don't log each concurrent
229.Tn FTP
230session to
231.Pa /var/run/utmp .
232This is the default.
233.It Fl u
234Log each concurrent
235.Tn FTP
236session to
237.Pa /var/run/utmp ,
238making them visible to commands such as
239.Xr who 1 .
240.It Fl V Ar version
241Use
242.Ar version
243as the version to advertise in the login banner and in the output of
244.Sy STAT
245and
246.Sy SYST
247instead of the default version information.
248If
249.Ar version
250is empty or
251.Sq -
252then don't display any version information.
253.It Fl W
254Don't log each
255.Tn FTP
256session to
257.Pa /var/log/wtmp .
258.It Fl w
259Log each
260.Tn FTP
261session to
262.Pa /var/log/wtmp ,
263making them visible to commands such as
264.Xr last 1 .
265This is the default.
266.It Fl X
267Log
268.Tn wu-ftpd
269style
270.Sq xferlog
271entries to the syslog, prefixed with
272.Dq "xferlog:\ " ,
273using a facility of
274.Dv LOG_FTP .
275These syslog entries can be converted to a
276.Tn wu-ftpd
277style
278.Pa xferlog
279file suitable for input into a third-party log analysis tool with a command
280similar to:
281.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
282.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
283.El
284.Pp
285The file
286.Pa /etc/nologin
287can be used to disable
288.Tn FTP
289access.
290If the file exists,
291.Nm
292displays it and exits.
293If the file
294.Pa /etc/ftpwelcome
295exists,
296.Nm
297prints it before issuing the
298.Dq ready
299message.
300If the file
301.Pa /etc/motd
302exists (under the chroot directory if applicable),
303.Nm
304prints it after a successful login.
305This may be changed with the
306.Xr ftpd.conf 5
307directive
308.Sy motd .
309.Pp
310The
311.Nm
312server currently supports the following
313.Tn FTP
314requests.
315The case of the requests is ignored.
316.Bl -column "Request" -offset indent
317.It Sy Request Ta Sy Description
318.It ABOR Ta "abort previous command"
319.It ACCT Ta "specify account (ignored)"
320.It ALLO Ta "allocate storage (vacuously)"
321.It APPE Ta "append to a file"
322.It CDUP Ta "change to parent of current working directory"
323.It CWD Ta "change working directory"
324.It DELE Ta "delete a file"
325.It EPSV Ta "prepare for server-to-server transfer"
326.It EPRT Ta "specify data connection port"
327.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
328.It HELP Ta "give help information"
329.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
330.It LPSV Ta "prepare for server-to-server transfer"
331.It LPRT Ta "specify data connection port"
332.It MLSD Ta "list contents of directory in a machine-processable form"
333.It MLST Ta "show a pathname in a machine-processable form"
334.It MKD Ta "make a directory"
335.It MDTM Ta "show last modification time of file"
336.It MODE Ta "specify data transfer" Em mode
337.It NLST Ta "give name list of files in directory"
338.It NOOP Ta "do nothing"
339.It OPTS Ta "define persistent options for a given command"
340.It PASS Ta "specify password"
341.It PASV Ta "prepare for server-to-server transfer"
342.It PORT Ta "specify data connection port"
343.It PWD Ta "print the current working directory"
344.It QUIT Ta "terminate session"
345.It REST Ta "restart incomplete transfer"
346.It RETR Ta "retrieve a file"
347.It RMD Ta "remove a directory"
348.It RNFR Ta "specify rename-from file name"
349.It RNTO Ta "specify rename-to file name"
350.It SITE Ta "non-standard commands (see next section)"
351.It SIZE Ta "return size of file"
352.It STAT Ta "return status of server"
353.It STOR Ta "store a file"
354.It STOU Ta "store a file with a unique name"
355.It STRU Ta "specify data transfer" Em structure
356.It SYST Ta "show operating system type of server system"
357.It TYPE Ta "specify data transfer" Em type
358.It USER Ta "specify user name"
359.It XCUP Ta "change to parent of current working directory (deprecated)"
360.It XCWD Ta "change working directory (deprecated)"
361.It XMKD Ta "make a directory (deprecated)"
362.It XPWD Ta "print the current working directory (deprecated)"
363.It XRMD Ta "remove a directory (deprecated)"
364.El
365.Pp
366The following non-standard or
367.Ux
368specific commands are supported by the SITE request.
369.Pp
370.Bl -column Request -offset indent
371.It Sy Request Ta Sy Description
372.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
373.It HELP Ta "give help information."
374.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
375.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
376.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
377.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
378.El
379.Pp
380The following
381.Tn FTP
382requests (as specified in
383.Cm RFC 959 )
384are recognized, but are not implemented:
385.Sy ACCT ,
386.Sy SMNT ,
387and
388.Sy REIN .
389.Sy MDTM
390and
391.Sy SIZE
392are not specified in
393.Cm RFC 959 ,
394but will appear in the
395next updated
396.Tn FTP
397RFC.
398.Pp
399The
400.Nm
401server will abort an active file transfer only when the
402.Sy ABOR
403command is preceded by a Telnet "Interrupt Process" (IP)
404signal and a Telnet "Synch" signal in the command Telnet stream,
405as described in Internet
406.Cm RFC 959 .
407If a
408.Sy STAT
409command is received during a data transfer, preceded by a Telnet IP
410and Synch, transfer status will be returned.
411.Pp
412.Nm
413interprets file names according to the
414.Dq globbing
415conventions used by
416.Xr csh 1 .
417This allows users to use the metacharacters
418.Dq Li \&*?[]{}~ .
419.Ss User authentication
420.Nm
421authenticates users according to five rules.
422.Pp
423.Bl -enum -offset indent
424.It
425The login name must be in the password data base,
426.Pa /etc/pwd.db ,
427and not have a null password.
428In this case a password must be provided by the client before any
429file operations may be performed.
430If the user has an S/Key key, the response from a successful
431.Sy USER
432command will include an S/Key challenge.
433The client may choose to respond with a
434.Sy PASS
435command giving either
436a standard password or an S/Key one-time password.
437The server will automatically determine which type of password it
438has been given and attempt to authenticate accordingly.
439See
440.Xr skey 1
441for more information on S/Key authentication.
442S/Key is a Trademark of Bellcore.
443.It
444The login name must be allowed based on the information in
445.Xr ftpusers 5 .
446.It
447The user must have a standard shell returned by
448.Xr getusershell 3 .
449If the user's shell field in the password database is empty, the
450shell is assumed to be
451.Pa /bin/sh .
452As per
453.Xr shells 5 ,
454the user's shell must be listed with full path in
455.Pa /etc/shells .
456.It
457If directed by the file
458.Xr ftpchroot 5
459the session's root directory will be changed by
460.Xr chroot 2
461to the directory specified in the
462.Xr ftpd.conf 5
463.Sy chroot
464directive (if set),
465or to the home directory of the user.
466However, the user must still supply a password.
467This feature is intended as a compromise between a fully anonymous account
468and a fully privileged account.
469The account should also be set up as for an anonymous account.
470.It
471If the user name is
472.Dq anonymous
473or
474.Dq ftp ,
475an
476anonymous
477.Tn FTP
478account must be present in the password
479file (user
480.Dq ftp ) .
481In this case the user is allowed
482to log in by specifying any password (by convention an email address for
483the user should be used as the password).
484.Pp
485The server performs a
486.Xr chroot 2
487to the directory specified in the
488.Xr ftpd.conf 5
489.Sy chroot
490directive (if set),
491the
492.Fl a Ar anondir
493directory (if set),
494or to the home directory of the
495.Dq ftp
496user.
497.Pp
498The server then performs a
499.Xr chdir 2
500to the directory specified in the
501.Xr ftpd.conf 5
502.Sy homedir
503directive (if set), otherwise to
504.Pa / .
505.Pp
506If other restrictions are required (such as disabling of certain
507commands and the setting of a specific umask), then appropriate
508entries in
509.Xr ftpd.conf 5
510are required.
511.Pp
512If the first character of the password supplied by an anonymous user
513is
514.Dq - ,
515then the verbose messages displayed at login and upon a
516.Sy CWD
517command are suppressed.
518.El
519.Ss Display file escape sequences
520When
521.Nm
522displays various files back to the client (such as
523.Pa /etc/ftpwelcome
524and
525.Pa /etc/motd ) ,
526various escape strings are replaced with information pertinent
527to the current connection.
528.Pp
529The supported escape strings are:
530.Bl -tag -width "Escape" -offset indent -compact
531.It Sy "Escape"
532.Sy Description
533.It "\&%c"
534Class name.
535.It "\&%C"
536Current working directory.
537.It "\&%E"
538Email address given with
539.Fl e .
540.It "\&%L"
541Local hostname.
542.It "\&%M"
543Maximum number of users for this class.
544Displays
545.Dq unlimited
546if there's no limit.
547.It "\&%N"
548Current number of users for this class.
549.It "\&%R"
550Remote hostname.
551.It "\&%s"
552If the result of the most recent
553.Dq "\&%M"
554or
555.Dq "\&%N"
556was not
557.Dq Li 1 ,
558print an
559.Dq s .
560.It "\&%S"
561If the result of the most recent
562.Dq "\&%M"
563or
564.Dq "\&%N"
565was not
566.Dq Li 1 ,
567print an
568.Dq S .
569.It "\&%T"
570Current time.
571.It "\&%U"
572User name.
573.It "\&%\&%"
574A
575.Dq \&%
576character.
577.El
578.Ss Setting up a restricted ftp subtree
579In order that system security is not breached, it is recommended
580that the
581subtrees for the
582.Dq ftp
583and
584.Dq chroot
585accounts be constructed with care, following these rules
586(replace
587.Dq ftp
588in the following directory names
589with the appropriate account name for
590.Sq chroot
591users):
592.Bl -tag -width "~ftp/incoming" -offset indent
593.It Pa ~ftp
594Make the home directory owned by
595.Dq root
596and unwritable by anyone.
597.It Pa ~ftp/bin
598Make this directory owned by
599.Dq root
600and unwritable by anyone (mode 555).
601Generally any conversion commands should be installed
602here (mode 111).
603.It Pa ~ftp/etc
604Make this directory owned by
605.Dq root
606and unwritable by anyone (mode 555).
607The files
608.Pa pwd.db
609(see
610.Xr passwd 5 )
611and
612.Pa group
613(see
614.Xr group 5 )
615must be present for the
616.Sy LIST
617command to be able to display owner and group names instead of numbers.
618The password field in
619.Xr passwd 5
620is not used, and should not contain real passwords.
621The file
622.Pa motd ,
623if present, will be printed after a successful login.
624These files should be mode 444.
625.It Pa ~ftp/pub
626This directory and the subdirectories beneath it should be owned
627by the users and groups responsible for placing files in them,
628and be writable only by them (mode 755 or 775).
629They should
630.Em not
631be owned or writable by ftp or its group.
632.It Pa ~ftp/incoming
633This directory is where anonymous users place files they upload.
634The owners should be the user
635.Dq ftp
636and an appropriate group.
637Members of this group will be the only users with access to these
638files after they have been uploaded; these should be people who
639know how to deal with them appropriately.
640If you wish anonymous
641.Tn FTP
642users to be able to see the names of the
643files in this directory the permissions should be 770, otherwise
644they should be 370.
645.Pp
646The following
647.Xr ftpd.conf 5
648directives should be used:
649.Dl "modify guest off"
650.Dl "umask guest 0707"
651.Dl "upload guest on"
652.Pp
653This will result in anonymous users being able to upload files to this
654directory, but they will not be able to download them, delete them, or
655overwrite them, due to the umask and disabling of the commands mentioned
656above.
657.It Pa ~ftp/tmp
658This directory is used to create temporary files which contain
659the error messages generated by a conversion or
660.Sy LIST
661command.
662The owner should be the user
663.Dq ftp .
664The permissions should be 300.
665.Pp
666If you don't enable conversion commands, or don't want anonymous users
667uploading files here (see
668.Pa ~ftp/incoming
669above), then don't create this directory.
670However, error messages from conversion or
671.Sy LIST
672commands won't be returned to the user.
673(This is the traditional behaviour.)
674Note that the
675.Xr ftpd.conf 5
676directive
677.Sy upload
678can be used to prevent users uploading here.
679.El
680.Pp
681To set up "ftp-only" accounts that provide only
682.Tn FTP ,
683but no valid shell
684login, you can copy/link
685.Pa /sbin/nologin
686to
687.Pa /sbin/ftplogin ,
688and enter
689.Pa /sbin/ftplogin
690to
691.Pa /etc/shells
692to allow logging-in via
693.Tn FTP
694into the accounts, which must have
695.Pa /sbin/ftplogin
696as login shell.
697.Sh FILES
698.Bl -tag -width /etc/ftpwelcome -compact
699.It Pa /etc/ftpchroot
700List of normal users whose root directory should be changed via
701.Xr chroot 2 .
702.It Pa /etc/ftpd.conf
703Configure file conversions and other settings.
704.It Pa /etc/ftpusers
705List of unwelcome/restricted users.
706.It Pa /etc/ftpwelcome
707Welcome notice before login.
708.It Pa /etc/motd
709Welcome notice after login.
710.It Pa /etc/nologin
711If it exists, displayed and access is refused.
712.It Pa /var/run/ftpd.pids-CLASS
713State file of logged-in processes for the
714.Nm
715class
716.Sq CLASS .
717.It Pa /var/run/utmp
718List of logged-in users on the system.
719.It Pa /var/log/wtmp
720Login history database.
721.El
722.Sh SEE ALSO
723.Xr ftp 1 ,
724.Xr skey 1 ,
725.Xr who 1 ,
726.Xr getusershell 3 ,
727.Xr ftpchroot 5 ,
728.Xr ftpd.conf 5 ,
729.Xr ftpusers 5 ,
730.Xr syslogd 8
731.Sh STANDARDS
732.Nm
733recognizes all commands in
734.Cm RFC 959 ,
735follows the guidelines in
736.Cm RFC 1123 ,
737recognizes all commands in
738.Cm RFC 2228
739(although they are not supported yet),
740and supports the extensions from
741.Cm RFC 2389 ,
742.Cm RFC 2428
743and
744.Cm draft-ietf-ftpext-mlst-11 .
745.Sh HISTORY
746The
747.Nm
748command appeared in
749.Bx 4.2 .
750.Pp
751Various features such as the
752.Xr ftpd.conf 5
753functionality,
754.Cm RFC 2389 ,
755and
756.Cm draft-ietf-ftpext-mlst-11
757support was implemented in
758.Nx 1.3
759and later releases by Luke Mewburn.
760.Sh BUGS
761The server must run as the super-user to create sockets with
762privileged port numbers (i.e, those less than
763.Dv IPPORT_RESERVED ,
764which is 1024).
765If
766.Nm
767is listening on a privileged port
768it maintains an effective user id of the logged in user, reverting
769to the super-user only when binding addresses to privileged sockets.
770The
771.Fl r
772option can be used to override this behaviour and force privileges to
773be permanently revoked; see
774.Sx SECURITY CONSIDERATIONS
775below for more details.
776.Pp
777.Nm
778may have trouble handling connections from scoped IPv6 addresses, or
779IPv4 mapped addresses
780.Po
781IPv4 connection on
782.Dv AF_INET6
783socket
784.Pc .
785For the latter case, running two daemons,
786one for IPv4 and one for IPv6, will avoid the problem.
787.Sh SECURITY CONSIDERATIONS
788.Cm RFC 959
789provides no restrictions on the
790.Sy PORT
791command, and this can lead to security problems, as
792.Nm
793can be fooled into connecting to any service on any host.
794With the
795.Dq checkportcmd
796feature of the
797.Xr ftpd.conf 5 ,
798.Sy PORT
799commands with different host addresses, or TCP ports lower than
800.Dv IPPORT_RESERVED
801will be rejected.
802This also prevents
803.Sq third-party proxy ftp
804from working.
805Use of this option is
806.Em strongly
807recommended, and enabled by default.
808.Pp
809By default
810.Nm
811uses a port that is one less than the port it is listening on to
812communicate back to the client for the
813.Sy EPRT ,
814.Sy LPRT ,
815and
816.Sy PORT
817commands, unless overridden with
818.Fl P Ar dataport .
819As the default port for
820.Nm
821(21) is a privileged port below
822.Dv IPPORT_RESERVED ,
823.Nm
824retains the ability to switch back to root privileges to bind these
825ports.
826In order to increase security by reducing the potential for a bug in
827.Nm
828providing a remote root compromise,
829.Nm
830will permanently drop root privileges if one of the following is true:
831.Bl -enum -offset indent
832.It
833.Nm
834is running on a port greater than
835.Dv IPPORT_RESERVED
836and the user has logged in as a
837.Sq guest
838or
839.Sq chroot
840user.
841.It
842.Nm
843was invoked with
844.Fl r .
845.El
846.Pp
847Don't create
848.Pa ~ftp/tmp
849if you don't want anonymous users to upload files there.
850That directory is only necessary if you want to display the error
851messages of conversion commands to the user.
852Note that if uploads are disabled with the
853.Xr ftpd.conf 5
854directive
855.Sy upload ,
856then this directory cannot be abused by the user in this way, so it
857should be safe to create.