1.\" $NetBSD: ftpd.8,v 1.74 2003-08-07 09:46:39 agc Exp $
2.\"
3.\" Copyright (c) 1997-2003 The NetBSD Foundation, Inc.
4.\" All rights reserved.
5.\"
6.\" This code is derived from software contributed to The NetBSD Foundation
7.\" by Luke Mewburn.
8.\"
9.\" Redistribution and use in source and binary forms, with or without
10.\" modification, are permitted provided that the following conditions
11.\" are met:
12.\" 1. Redistributions of source code must retain the above copyright
13.\" notice, this list of conditions and the following disclaimer.
14.\" 2. Redistributions in binary form must reproduce the above copyright
15.\" notice, this list of conditions and the following disclaimer in the
16.\" documentation and/or other materials provided with the distribution.
17.\" 3. All advertising materials mentioning features or use of this software
18.\" must display the following acknowledgement:
19.\" This product includes software developed by the NetBSD
20.\" Foundation, Inc. and its contributors.
21.\" 4. Neither the name of The NetBSD Foundation nor the names of its
22.\" contributors may be used to endorse or promote products derived
23.\" from this software without specific prior written permission.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
26.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
27.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
28.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
29.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
30.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
31.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
32.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
33.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
34.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35.\" POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" Copyright (c) 1985, 1988, 1991, 1993
38.\" The Regents of the University of California. All rights reserved.
39.\"
40.\" Redistribution and use in source and binary forms, with or without
41.\" modification, are permitted provided that the following conditions
42.\" are met:
43.\" 1. Redistributions of source code must retain the above copyright
44.\" notice, this list of conditions and the following disclaimer.
45.\" 2. Redistributions in binary form must reproduce the above copyright
46.\" notice, this list of conditions and the following disclaimer in the
47.\" documentation and/or other materials provided with the distribution.
48.\" 3. Neither the name of the University nor the names of its contributors
49.\" may be used to endorse or promote products derived from this software
50.\" without specific prior written permission.
51.\"
52.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
53.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
55.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
56.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
57.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
58.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
59.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
60.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
61.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62.\" SUCH DAMAGE.
63.\"
64.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
65.\"
66.Dd February 26, 2003
67.Dt FTPD 8
68.Os
69.Sh NAME
70.Nm ftpd
71.Nd
72Internet File Transfer Protocol server
73.Sh SYNOPSIS
74.Nm
75.Op Fl dHlqQrsuUwWX
76.Op Fl a Ar anondir
77.Op Fl c Ar confdir
78.Op Fl C Ar user
79.Op Fl e Ar emailaddr
80.Op Fl h Ar hostname
81.Op Fl L Ar xferlogfile
82.Op Fl P Ar dataport
83.Op Fl V Ar version
84.Sh DESCRIPTION
85.Nm
86is the Internet File Transfer Protocol server process.
87The server uses the
88.Tn TCP
89protocol and listens at the port specified in the
90.Dq ftp
91service specification; see
92.Xr services 5 .
93.Pp
94Available options:
95.Bl -tag -width Ds
96.It Fl a Ar anondir
97Define
98.Ar anondir
99as the directory to
100.Xr chroot 2
101into for anonymous logins.
102Default is the home directory for the ftp user.
103This can also be specified with the
104.Xr ftpd.conf 5
105.Sy chroot
106directive.
107.It Fl c Ar confdir
108Change the root directory of the configuration files from
109.Dq Pa /etc
110to
111.Ar confdir .
112This changes the directory for the following files:
113.Pa /etc/ftpchroot ,
114.Pa /etc/ftpusers ,
115.Pa /etc/ftpwelcome ,
116.Pa /etc/motd ,
117and the file specified by the
118.Xr ftpd.conf 5
119.Sy limit
120directive.
121.It Fl C Ar user
122Check whether
123.Ar user
124would be granted access under
125the restrictions given in
126.Xr ftpusers 5
127and exit without attempting a connection.
128.Nm
129exits with an exit code of 0 if access would be granted, or 1 otherwise.
130This can be useful for testing configurations.
131.It Fl d
132Debugging information is written to the syslog using a facility of
133.Dv LOG_FTP .
134.It Fl e Ar emailaddr
135Use
136.Ar emailaddr
137for the
138.Dq "\&%E"
139escape sequence (see
140.Sx Display file escape sequences )
141.It Fl h Ar hostname
142Explicitly set the hostname to advertise as to
143.Ar hostname .
144The default is the hostname associated with the IP address that
145.Nm
146is listening on.
147This ability (with or without
148.Fl h ) ,
149in conjunction with
150.Fl c Ar confdir ,
151is useful when configuring
152.Sq virtual
153.Tn FTP
154servers, each listening on separate addresses as separate names.
155Refer to
156.Xr inetd.conf 5
157for more information on starting services to listen on specific IP addresses.
158.It Fl H
159Equivalent to
160.Do
161-h
162`hostname`
163.Dc .
164.It Fl l
165Each successful and failed
166.Tn FTP
167session is logged using syslog with a facility of
168.Dv LOG_FTP .
169If this option is specified more than once, the retrieve (get), store (put),
170append, delete, make directory, remove directory and rename operations and
171their file name arguments are also logged.
172.It Fl L Ar xferlogfile
173Log
174.Tn wu-ftpd
175style
176.Sq xferlog
177entries to
178.Ar xferlogfile .
179.It Fl P Ar dataport
180Use
181.Ar dataport
182as the data port, overriding the default of using the port one less
183that the port
184.Nm
185is listening on.
186.It Fl q
187Enable the use of pid files for keeping track of the number of logged-in
188users per class.
189This is the default.
190.It Fl Q
191Disable the use of pid files for keeping track of the number of logged-in
192users per class.
193This may reduce the load on heavily loaded
194.Tn FTP
195servers.
196.It Fl r
197Permanently drop root privileges once the user is logged in.
198The use of this option may result in the server using a port other
199than the (listening-port - 1) for
200.Sy PORT
201style commands, which is contrary to the
202.Cm RFC 959
203specification, but in practice very few clients rely upon this behaviour.
204See
205.Sx SECURITY CONSIDERATIONS
206below for more details.
207.It Fl s
208Require a secure authentication mechanism like Kerberos or S/Key to be used.
209.It Fl u
210Log each concurrent
211.Tn FTP
212session to
213.Pa /var/run/utmp ,
214making them visible to commands such as
215.Xr who 1 .
216.It Fl U
217Don't log each concurrent
218.Tn FTP
219session to
220.Pa /var/run/utmp .
221This is the default.
222.It Fl V Ar version
223Use
224.Ar version
225as the version to advertise in the login banner and in the output of
226.Sy STAT
227and
228.Sy SYST
229instead of the default version information.
230If
231.Ar version
232is empty or
233.Sq -
234then don't display any version information.
235.It Fl w
236Log each
237.Tn FTP
238session to
239.Pa /var/log/wtmp ,
240making them visible to commands such as
241.Xr last 1 .
242This is the default.
243.It Fl W
244Don't log each
245.Tn FTP
246session to
247.Pa /var/log/wtmp .
248.It Fl X
249Log
250.Tn wu-ftpd
251style
252.Sq xferlog
253entries to the syslog, prefixed with
254.Dq "xferlog:\ " ,
255using a facility of
256.Dv LOG_FTP .
257These syslog entries can be converted to a
258.Tn wu-ftpd
259style
260.Pa xferlog
261file suitable for input into a third-party log analysis tool with a command
262similar to:
263.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
264.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
265.El
266.Pp
267The file
268.Pa /etc/nologin
269can be used to disable
270.Tn FTP
271access.
272If the file exists,
273.Nm
274displays it and exits.
275If the file
276.Pa /etc/ftpwelcome
277exists,
278.Nm
279prints it before issuing the
280.Dq ready
281message.
282If the file
283.Pa /etc/motd
284exists (under the chroot directory if applicable),
285.Nm
286prints it after a successful login.
287This may be changed with the
288.Xr ftpd.conf 5
289directive
290.Sy motd .
291.Pp
292The
293.Nm
294server currently supports the following
295.Tn FTP
296requests.
297The case of the requests is ignored.
298.Bl -column "Request" -offset indent
299.It Sy Request Ta Sy Description
300.It ABOR Ta "abort previous command"
301.It ACCT Ta "specify account (ignored)"
302.It ALLO Ta "allocate storage (vacuously)"
303.It APPE Ta "append to a file"
304.It CDUP Ta "change to parent of current working directory"
305.It CWD Ta "change working directory"
306.It DELE Ta "delete a file"
307.It EPSV Ta "prepare for server-to-server transfer"
308.It EPRT Ta "specify data connection port"
309.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
310.It HELP Ta "give help information"
311.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
312.It LPSV Ta "prepare for server-to-server transfer"
313.It LPRT Ta "specify data connection port"
314.It MLSD Ta "list contents of directory in a machine-processable form"
315.It MLST Ta "show a pathname in a machine-processable form"
316.It MKD Ta "make a directory"
317.It MDTM Ta "show last modification time of file"
318.It MODE Ta "specify data transfer" Em mode
319.It NLST Ta "give name list of files in directory"
320.It NOOP Ta "do nothing"
321.It OPTS Ta "define persistent options for a given command"
322.It PASS Ta "specify password"
323.It PASV Ta "prepare for server-to-server transfer"
324.It PORT Ta "specify data connection port"
325.It PWD Ta "print the current working directory"
326.It QUIT Ta "terminate session"
327.It REST Ta "restart incomplete transfer"
328.It RETR Ta "retrieve a file"
329.It RMD Ta "remove a directory"
330.It RNFR Ta "specify rename-from file name"
331.It RNTO Ta "specify rename-to file name"
332.It SITE Ta "non-standard commands (see next section)"
333.It SIZE Ta "return size of file"
334.It STAT Ta "return status of server"
335.It STOR Ta "store a file"
336.It STOU Ta "store a file with a unique name"
337.It STRU Ta "specify data transfer" Em structure
338.It SYST Ta "show operating system type of server system"
339.It TYPE Ta "specify data transfer" Em type
340.It USER Ta "specify user name"
341.It XCUP Ta "change to parent of current working directory (deprecated)"
342.It XCWD Ta "change working directory (deprecated)"
343.It XMKD Ta "make a directory (deprecated)"
344.It XPWD Ta "print the current working directory (deprecated)"
345.It XRMD Ta "remove a directory (deprecated)"
346.El
347.Pp
348The following non-standard or
349.Ux
350specific commands are supported by the SITE request.
351.Pp
352.Bl -column Request -offset indent
353.It Sy Request Ta Sy Description
354.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
355.It HELP Ta "give help information."
356.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
357.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
358.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
359.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
360.El
361.Pp
362The following
363.Tn FTP
364requests (as specified in
365.Cm RFC 959 )
366are recognized, but are not implemented:
367.Sy ACCT ,
368.Sy SMNT ,
369and
370.Sy REIN .
371.Sy MDTM
372and
373.Sy SIZE
374are not specified in
375.Cm RFC 959 ,
376but will appear in the
377next updated
378.Tn FTP
379RFC.
380.Pp
381The
382.Nm
383server will abort an active file transfer only when the
384.Sy ABOR
385command is preceded by a Telnet "Interrupt Process" (IP)
386signal and a Telnet "Synch" signal in the command Telnet stream,
387as described in Internet
388.Cm RFC 959 .
389If a
390.Sy STAT
391command is received during a data transfer, preceded by a Telnet IP
392and Synch, transfer status will be returned.
393.Pp
394.Nm
395interprets file names according to the
396.Dq globbing
397conventions used by
398.Xr csh 1 .
399This allows users to use the metacharacters
400.Dq Li \&*?[]{}~ .
401.Ss User authentication
402.Nm
403authenticates users according to five rules.
404.Pp
405.Bl -enum -offset indent
406.It
407The login name must be in the password data base,
408.Pa /etc/pwd.db ,
409and not have a null password.
410In this case a password must be provided by the client before any
411file operations may be performed.
412If the user has an S/Key key, the response from a successful
413.Sy USER
414command will include an S/Key challenge.
415The client may choose to respond with a
416.Sy PASS
417command giving either
418a standard password or an S/Key one-time password.
419The server will automatically determine which type of password it
420has been given and attempt to authenticate accordingly.
421See
422.Xr skey 1
423for more information on S/Key authentication.
424S/Key is a Trademark of Bellcore.
425.It
426The login name must be allowed based on the information in
427.Xr ftpusers 5 .
428.It
429The user must have a standard shell returned by
430.Xr getusershell 3 .
431If the user's shell field in the password database is empty, the
432shell is assumed to be
433.Pa /bin/sh .
434As per
435.Xr shells 5 ,
436the user's shell must be listed with full path in
437.Pa /etc/shells .
438.It
439If directed by the file
440.Xr ftpchroot 5
441the session's root directory will be changed by
442.Xr chroot 2
443to the directory specified in the
444.Xr ftpd.conf 5
445.Sy chroot
446directive (if set),
447or to the home directory of the user.
448However, the user must still supply a password.
449This feature is intended as a compromise between a fully anonymous account
450and a fully privileged account.
451The account should also be set up as for an anonymous account.
452.It
453If the user name is
454.Dq anonymous
455or
456.Dq ftp ,
457an
458anonymous
459.Tn FTP
460account must be present in the password
461file (user
462.Dq ftp ) .
463In this case the user is allowed
464to log in by specifying any password (by convention an email address for
465the user should be used as the password).
466.Pp
467The server performs a
468.Xr chroot 2
469to the directory specified in the
470.Xr ftpd.conf 5
471.Sy chroot
472directive (if set),
473the
474.Fl a Ar anondir
475directory (if set),
476or to the home directory of the
477.Dq ftp
478user.
479.Pp
480The server then performs a
481.Xr chdir 2
482to the directory specified in the
483.Xr ftpd.conf 5
484.Sy homedir
485directive (if set), otherwise to
486.Pa / .
487.Pp
488If other restrictions are required (such as disabling of certain
489commands and the setting of a specific umask), then appropriate
490entries in
491.Xr ftpd.conf 5
492are required.
493.Pp
494If the first character of the password supplied by an anonymous user
495is
496.Dq - ,
497then the verbose messages displayed at login and upon a
498.Sy CWD
499command are suppressed.
500.El
501.Ss Display file escape sequences
502When
503.Nm
504displays various files back to the client (such as
505.Pa /etc/ftpwelcome
506and
507.Pa /etc/motd ) ,
508various escape strings are replaced with information pertinent
509to the current connection.
510.Pp
511The supported escape strings are:
512.Bl -tag -width "Escape" -offset indent -compact
513.It Sy "Escape"
514.Sy Description
515.It "\&%c"
516Class name.
517.It "\&%C"
518Current working directory.
519.It "\&%E"
520Email address given with
521.Fl e .
522.It "\&%L"
523Local hostname.
524.It "\&%M"
525Maximum number of users for this class.
526Displays
527.Dq unlimited
528if there's no limit.
529.It "\&%N"
530Current number of users for this class.
531.It "\&%R"
532Remote hostname.
533.It "\&%s"
534If the result of the most recent
535.Dq "\&%M"
536or
537.Dq "\&%N"
538was not
539.Dq Li 1 ,
540print an
541.Dq s .
542.It "\&%S"
543If the result of the most recent
544.Dq "\&%M"
545or
546.Dq "\&%N"
547was not
548.Dq Li 1 ,
549print an
550.Dq S .
551.It "\&%T"
552Current time.
553.It "\&%U"
554User name.
555.It "\&%\&%"
556A
557.Dq \&%
558character.
559.El
560.Ss Setting up a restricted ftp subtree
561In order that system security is not breached, it is recommended
562that the
563subtrees for the
564.Dq ftp
565and
566.Dq chroot
567accounts be constructed with care, following these rules
568(replace
569.Dq ftp
570in the following directory names
571with the appropriate account name for
572.Sq chroot
573users):
574.Bl -tag -width "~ftp/incoming" -offset indent
575.It Pa ~ftp
576Make the home directory owned by
577.Dq root
578and unwritable by anyone.
579.It Pa ~ftp/bin
580Make this directory owned by
581.Dq root
582and unwritable by anyone (mode 555).
583Generally any conversion commands should be installed
584here (mode 111).
585.It Pa ~ftp/etc
586Make this directory owned by
587.Dq root
588and unwritable by anyone (mode 555).
589The files
590.Pa pwd.db
591(see
592.Xr passwd 5 )
593and
594.Pa group
595(see
596.Xr group 5 )
597must be present for the
598.Sy LIST
599command to be able to display owner and group names instead of numbers.
600The password field in
601.Xr passwd 5
602is not used, and should not contain real passwords.
603The file
604.Pa motd ,
605if present, will be printed after a successful login.
606These files should be mode 444.
607.It Pa ~ftp/pub
608This directory and the subdirectories beneath it should be owned
609by the users and groups responsible for placing files in them,
610and be writable only by them (mode 755 or 775).
611They should
612.Em not
613be owned or writable by ftp or its group.
614.It Pa ~ftp/incoming
615This directory is where anonymous users place files they upload.
616The owners should be the user
617.Dq ftp
618and an appropriate group.
619Members of this group will be the only users with access to these
620files after they have been uploaded; these should be people who
621know how to deal with them appropriately.
622If you wish anonymous
623.Tn FTP
624users to be able to see the names of the
625files in this directory the permissions should be 770, otherwise
626they should be 370.
627.Pp
628The following
629.Xr ftpd.conf 5
630directives should be used:
631.Dl "modify guest off"
632.Dl "umask guest 0707"
633.Dl "upload guest on"
634.Pp
635This will result in anonymous users being able to upload files to this
636directory, but they will not be able to download them, delete them, or
637overwrite them, due to the umask and disabling of the commands mentioned
638above.
639.It Pa ~ftp/tmp
640This directory is used to create temporary files which contain
641the error messages generated by a conversion or
642.Sy LIST
643command.
644The owner should be the user
645.Dq ftp .
646The permissions should be 300.
647.Pp
648If you don't enable conversion commands, or don't want anonymous users
649uploading files here (see
650.Pa ~ftp/incoming
651above), then don't create this directory.
652However, error messages from conversion or
653.Sy LIST
654commands won't be returned to the user.
655(This is the traditional behaviour.)
656Note that the
657.Xr ftpd.conf 5
658directive
659.Sy upload
660can be used to prevent users uploading here.
661.El
662.Pp
663To set up "ftp-only" accounts that provide only
664.Tn FTP ,
665but no valid shell
666login, you can copy/link
667.Pa /sbin/nologin
668to
669.Pa /sbin/ftplogin ,
670and enter
671.Pa /sbin/ftplogin
672to
673.Pa /etc/shells
674to allow logging-in via
675.Tn FTP
676into the accounts, which must have
677.Pa /sbin/ftplogin
678as login shell.
679.Sh FILES
680.Bl -tag -width /etc/ftpwelcome -compact
681.It Pa /etc/ftpchroot
682List of normal users whose root directory should be changed via
683.Xr chroot 2 .
684.It Pa /etc/ftpd.conf
685Configure file conversions and other settings.
686.It Pa /etc/ftpusers
687List of unwelcome/restricted users.
688.It Pa /etc/ftpwelcome
689Welcome notice before login.
690.It Pa /etc/motd
691Welcome notice after login.
692.It Pa /etc/nologin
693If it exists, displayed and access is refused.
694.It Pa /var/run/ftpd.pids-CLASS
695State file of logged-in processes for the
696.Nm
697class
698.Sq CLASS .
699.It Pa /var/run/utmp
700List of logged-in users on the system.
701.It Pa /var/log/wtmp
702Login history database.
703.El
704.Sh SEE ALSO
705.Xr ftp 1 ,
706.Xr skey 1 ,
707.Xr who 1 ,
708.Xr getusershell 3 ,
709.Xr ftpchroot 5 ,
710.Xr ftpd.conf 5 ,
711.Xr ftpusers 5 ,
712.Xr syslogd 8
713.Sh STANDARDS
714.Nm
715recognizes all commands in
716.Cm RFC 959 ,
717follows the guidelines in
718.Cm RFC 1123 ,
719recognizes all commands in
720.Cm RFC 2228
721(although they are not supported yet),
722and supports the extensions from
723.Cm RFC 2389 ,
724.Cm RFC 2428
725and
726.Cm draft-ietf-ftpext-mlst-11 .
727.Sh HISTORY
728The
729.Nm
730command appeared in
731.Bx 4.2 .
732.Pp
733Various features such as the
734.Xr ftpd.conf 5
735functionality,
736.Cm RFC 2389 ,
737and
738.Cm draft-ietf-ftpext-mlst-11
739support was implemented in
740.Nx 1.3
741and later releases by Luke Mewburn.
742.Sh BUGS
743The server must run as the super-user to create sockets with
744privileged port numbers (i.e, those less than
745.Dv IPPORT_RESERVED ,
746which is 1024).
747If
748.Nm
749is listening on a privileged port
750it maintains an effective user id of the logged in user, reverting
751to the super-user only when binding addresses to privileged sockets.
752The
753.Fl r
754option can be used to override this behaviour and force privileges to
755be permanently revoked; see
756.Sx SECURITY CONSIDERATIONS
757below for more details.
758.Pp
759.Nm
760may have trouble handling connections from scoped IPv6 addresses, or
761IPv4 mapped addresses
762.Po
763IPv4 connection on
764.Dv AF_INET6
765socket
766.Pc .
767For the latter case, running two daemons,
768one for IPv4 and one for IPv6, will avoid the problem.
769.Sh SECURITY CONSIDERATIONS
770.Cm RFC 959
771provides no restrictions on the
772.Sy PORT
773command, and this can lead to security problems, as
774.Nm
775can be fooled into connecting to any service on any host.
776With the
777.Dq checkportcmd
778feature of the
779.Xr ftpd.conf 5 ,
780.Sy PORT
781commands with different host addresses, or TCP ports lower than
782.Dv IPPORT_RESERVED
783will be rejected.
784This also prevents
785.Sq third-party proxy ftp
786from working.
787Use of this option is
788.Em strongly
789recommended, and enabled by default.
790.Pp
791By default
792.Nm
793uses a port that is one less than the port it is listening on to
794communicate back to the client for the
795.Sy EPRT ,
796.Sy LPRT ,
797and
798.Sy PORT
799commands, unless overridden with
800.Fl P Ar dataport .
801As the default port for
802.Nm
803(21) is a privileged port below
804.Dv IPPORT_RESERVED ,
805.Nm
806retains the ability to switch back to root privileges to bind these
807ports.
808In order to increase security by reducing the potential for a bug in
809.Nm
810providing a remote root compromise,
811.Nm
812will permanently drop root privileges if one of the following is true:
813.Bl -enum -offset indent
814.It
815.Nm
816is running on a port greater than
817.Dv IPPORT_RESERVED
818and the user has logged in as a
819.Sq guest
820or
821.Sq chroot
822user.
823.It
824.Nm
825was invoked with
826.Fl r .
827.El
828.Pp
829Don't create
830.Pa ~ftp/tmp
831if you don't want anonymous users to upload files there.
832That directory is only necessary if you want to display the error
833messages of conversion commands to the user.
834Note that if uploads are disabled with the
835.Xr ftpd.conf 5
836directive
837.Sy upload ,
838then this directory cannot be abused by the user in this way, so it
839should be safe to create.
2.\"
3.\" Copyright (c) 1997-2003 The NetBSD Foundation, Inc.
4.\" All rights reserved.
5.\"
6.\" This code is derived from software contributed to The NetBSD Foundation
7.\" by Luke Mewburn.
8.\"
9.\" Redistribution and use in source and binary forms, with or without
10.\" modification, are permitted provided that the following conditions
11.\" are met:
12.\" 1. Redistributions of source code must retain the above copyright
13.\" notice, this list of conditions and the following disclaimer.
14.\" 2. Redistributions in binary form must reproduce the above copyright
15.\" notice, this list of conditions and the following disclaimer in the
16.\" documentation and/or other materials provided with the distribution.
17.\" 3. All advertising materials mentioning features or use of this software
18.\" must display the following acknowledgement:
19.\" This product includes software developed by the NetBSD
20.\" Foundation, Inc. and its contributors.
21.\" 4. Neither the name of The NetBSD Foundation nor the names of its
22.\" contributors may be used to endorse or promote products derived
23.\" from this software without specific prior written permission.
24.\"
25.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
26.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
27.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
28.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
29.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
30.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
31.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
32.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
33.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
34.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
35.\" POSSIBILITY OF SUCH DAMAGE.
36.\"
37.\" Copyright (c) 1985, 1988, 1991, 1993
38.\" The Regents of the University of California. All rights reserved.
39.\"
40.\" Redistribution and use in source and binary forms, with or without
41.\" modification, are permitted provided that the following conditions
42.\" are met:
43.\" 1. Redistributions of source code must retain the above copyright
44.\" notice, this list of conditions and the following disclaimer.
45.\" 2. Redistributions in binary form must reproduce the above copyright
46.\" notice, this list of conditions and the following disclaimer in the
47.\" documentation and/or other materials provided with the distribution.
48.\" 3. Neither the name of the University nor the names of its contributors
49.\" may be used to endorse or promote products derived from this software
50.\" without specific prior written permission.
51.\"
52.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
53.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
54.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
55.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
56.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
57.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
58.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
59.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
60.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
61.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62.\" SUCH DAMAGE.
63.\"
64.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
65.\"
66.Dd February 26, 2003
67.Dt FTPD 8
68.Os
69.Sh NAME
70.Nm ftpd
71.Nd
72Internet File Transfer Protocol server
73.Sh SYNOPSIS
74.Nm
75.Op Fl dHlqQrsuUwWX
76.Op Fl a Ar anondir
77.Op Fl c Ar confdir
78.Op Fl C Ar user
79.Op Fl e Ar emailaddr
80.Op Fl h Ar hostname
81.Op Fl L Ar xferlogfile
82.Op Fl P Ar dataport
83.Op Fl V Ar version
84.Sh DESCRIPTION
85.Nm
86is the Internet File Transfer Protocol server process.
87The server uses the
88.Tn TCP
89protocol and listens at the port specified in the
90.Dq ftp
91service specification; see
92.Xr services 5 .
93.Pp
94Available options:
95.Bl -tag -width Ds
96.It Fl a Ar anondir
97Define
98.Ar anondir
99as the directory to
100.Xr chroot 2
101into for anonymous logins.
102Default is the home directory for the ftp user.
103This can also be specified with the
104.Xr ftpd.conf 5
105.Sy chroot
106directive.
107.It Fl c Ar confdir
108Change the root directory of the configuration files from
109.Dq Pa /etc
110to
111.Ar confdir .
112This changes the directory for the following files:
113.Pa /etc/ftpchroot ,
114.Pa /etc/ftpusers ,
115.Pa /etc/ftpwelcome ,
116.Pa /etc/motd ,
117and the file specified by the
118.Xr ftpd.conf 5
119.Sy limit
120directive.
121.It Fl C Ar user
122Check whether
123.Ar user
124would be granted access under
125the restrictions given in
126.Xr ftpusers 5
127and exit without attempting a connection.
128.Nm
129exits with an exit code of 0 if access would be granted, or 1 otherwise.
130This can be useful for testing configurations.
131.It Fl d
132Debugging information is written to the syslog using a facility of
133.Dv LOG_FTP .
134.It Fl e Ar emailaddr
135Use
136.Ar emailaddr
137for the
138.Dq "\&%E"
139escape sequence (see
140.Sx Display file escape sequences )
141.It Fl h Ar hostname
142Explicitly set the hostname to advertise as to
143.Ar hostname .
144The default is the hostname associated with the IP address that
145.Nm
146is listening on.
147This ability (with or without
148.Fl h ) ,
149in conjunction with
150.Fl c Ar confdir ,
151is useful when configuring
152.Sq virtual
153.Tn FTP
154servers, each listening on separate addresses as separate names.
155Refer to
156.Xr inetd.conf 5
157for more information on starting services to listen on specific IP addresses.
158.It Fl H
159Equivalent to
160.Do
161-h
162`hostname`
163.Dc .
164.It Fl l
165Each successful and failed
166.Tn FTP
167session is logged using syslog with a facility of
168.Dv LOG_FTP .
169If this option is specified more than once, the retrieve (get), store (put),
170append, delete, make directory, remove directory and rename operations and
171their file name arguments are also logged.
172.It Fl L Ar xferlogfile
173Log
174.Tn wu-ftpd
175style
176.Sq xferlog
177entries to
178.Ar xferlogfile .
179.It Fl P Ar dataport
180Use
181.Ar dataport
182as the data port, overriding the default of using the port one less
183that the port
184.Nm
185is listening on.
186.It Fl q
187Enable the use of pid files for keeping track of the number of logged-in
188users per class.
189This is the default.
190.It Fl Q
191Disable the use of pid files for keeping track of the number of logged-in
192users per class.
193This may reduce the load on heavily loaded
194.Tn FTP
195servers.
196.It Fl r
197Permanently drop root privileges once the user is logged in.
198The use of this option may result in the server using a port other
199than the (listening-port - 1) for
200.Sy PORT
201style commands, which is contrary to the
202.Cm RFC 959
203specification, but in practice very few clients rely upon this behaviour.
204See
205.Sx SECURITY CONSIDERATIONS
206below for more details.
207.It Fl s
208Require a secure authentication mechanism like Kerberos or S/Key to be used.
209.It Fl u
210Log each concurrent
211.Tn FTP
212session to
213.Pa /var/run/utmp ,
214making them visible to commands such as
215.Xr who 1 .
216.It Fl U
217Don't log each concurrent
218.Tn FTP
219session to
220.Pa /var/run/utmp .
221This is the default.
222.It Fl V Ar version
223Use
224.Ar version
225as the version to advertise in the login banner and in the output of
226.Sy STAT
227and
228.Sy SYST
229instead of the default version information.
230If
231.Ar version
232is empty or
233.Sq -
234then don't display any version information.
235.It Fl w
236Log each
237.Tn FTP
238session to
239.Pa /var/log/wtmp ,
240making them visible to commands such as
241.Xr last 1 .
242This is the default.
243.It Fl W
244Don't log each
245.Tn FTP
246session to
247.Pa /var/log/wtmp .
248.It Fl X
249Log
250.Tn wu-ftpd
251style
252.Sq xferlog
253entries to the syslog, prefixed with
254.Dq "xferlog:\ " ,
255using a facility of
256.Dv LOG_FTP .
257These syslog entries can be converted to a
258.Tn wu-ftpd
259style
260.Pa xferlog
261file suitable for input into a third-party log analysis tool with a command
262similar to:
263.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
264.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
265.El
266.Pp
267The file
268.Pa /etc/nologin
269can be used to disable
270.Tn FTP
271access.
272If the file exists,
273.Nm
274displays it and exits.
275If the file
276.Pa /etc/ftpwelcome
277exists,
278.Nm
279prints it before issuing the
280.Dq ready
281message.
282If the file
283.Pa /etc/motd
284exists (under the chroot directory if applicable),
285.Nm
286prints it after a successful login.
287This may be changed with the
288.Xr ftpd.conf 5
289directive
290.Sy motd .
291.Pp
292The
293.Nm
294server currently supports the following
295.Tn FTP
296requests.
297The case of the requests is ignored.
298.Bl -column "Request" -offset indent
299.It Sy Request Ta Sy Description
300.It ABOR Ta "abort previous command"
301.It ACCT Ta "specify account (ignored)"
302.It ALLO Ta "allocate storage (vacuously)"
303.It APPE Ta "append to a file"
304.It CDUP Ta "change to parent of current working directory"
305.It CWD Ta "change working directory"
306.It DELE Ta "delete a file"
307.It EPSV Ta "prepare for server-to-server transfer"
308.It EPRT Ta "specify data connection port"
309.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
310.It HELP Ta "give help information"
311.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
312.It LPSV Ta "prepare for server-to-server transfer"
313.It LPRT Ta "specify data connection port"
314.It MLSD Ta "list contents of directory in a machine-processable form"
315.It MLST Ta "show a pathname in a machine-processable form"
316.It MKD Ta "make a directory"
317.It MDTM Ta "show last modification time of file"
318.It MODE Ta "specify data transfer" Em mode
319.It NLST Ta "give name list of files in directory"
320.It NOOP Ta "do nothing"
321.It OPTS Ta "define persistent options for a given command"
322.It PASS Ta "specify password"
323.It PASV Ta "prepare for server-to-server transfer"
324.It PORT Ta "specify data connection port"
325.It PWD Ta "print the current working directory"
326.It QUIT Ta "terminate session"
327.It REST Ta "restart incomplete transfer"
328.It RETR Ta "retrieve a file"
329.It RMD Ta "remove a directory"
330.It RNFR Ta "specify rename-from file name"
331.It RNTO Ta "specify rename-to file name"
332.It SITE Ta "non-standard commands (see next section)"
333.It SIZE Ta "return size of file"
334.It STAT Ta "return status of server"
335.It STOR Ta "store a file"
336.It STOU Ta "store a file with a unique name"
337.It STRU Ta "specify data transfer" Em structure
338.It SYST Ta "show operating system type of server system"
339.It TYPE Ta "specify data transfer" Em type
340.It USER Ta "specify user name"
341.It XCUP Ta "change to parent of current working directory (deprecated)"
342.It XCWD Ta "change working directory (deprecated)"
343.It XMKD Ta "make a directory (deprecated)"
344.It XPWD Ta "print the current working directory (deprecated)"
345.It XRMD Ta "remove a directory (deprecated)"
346.El
347.Pp
348The following non-standard or
349.Ux
350specific commands are supported by the SITE request.
351.Pp
352.Bl -column Request -offset indent
353.It Sy Request Ta Sy Description
354.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
355.It HELP Ta "give help information."
356.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
357.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
358.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
359.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
360.El
361.Pp
362The following
363.Tn FTP
364requests (as specified in
365.Cm RFC 959 )
366are recognized, but are not implemented:
367.Sy ACCT ,
368.Sy SMNT ,
369and
370.Sy REIN .
371.Sy MDTM
372and
373.Sy SIZE
374are not specified in
375.Cm RFC 959 ,
376but will appear in the
377next updated
378.Tn FTP
379RFC.
380.Pp
381The
382.Nm
383server will abort an active file transfer only when the
384.Sy ABOR
385command is preceded by a Telnet "Interrupt Process" (IP)
386signal and a Telnet "Synch" signal in the command Telnet stream,
387as described in Internet
388.Cm RFC 959 .
389If a
390.Sy STAT
391command is received during a data transfer, preceded by a Telnet IP
392and Synch, transfer status will be returned.
393.Pp
394.Nm
395interprets file names according to the
396.Dq globbing
397conventions used by
398.Xr csh 1 .
399This allows users to use the metacharacters
400.Dq Li \&*?[]{}~ .
401.Ss User authentication
402.Nm
403authenticates users according to five rules.
404.Pp
405.Bl -enum -offset indent
406.It
407The login name must be in the password data base,
408.Pa /etc/pwd.db ,
409and not have a null password.
410In this case a password must be provided by the client before any
411file operations may be performed.
412If the user has an S/Key key, the response from a successful
413.Sy USER
414command will include an S/Key challenge.
415The client may choose to respond with a
416.Sy PASS
417command giving either
418a standard password or an S/Key one-time password.
419The server will automatically determine which type of password it
420has been given and attempt to authenticate accordingly.
421See
422.Xr skey 1
423for more information on S/Key authentication.
424S/Key is a Trademark of Bellcore.
425.It
426The login name must be allowed based on the information in
427.Xr ftpusers 5 .
428.It
429The user must have a standard shell returned by
430.Xr getusershell 3 .
431If the user's shell field in the password database is empty, the
432shell is assumed to be
433.Pa /bin/sh .
434As per
435.Xr shells 5 ,
436the user's shell must be listed with full path in
437.Pa /etc/shells .
438.It
439If directed by the file
440.Xr ftpchroot 5
441the session's root directory will be changed by
442.Xr chroot 2
443to the directory specified in the
444.Xr ftpd.conf 5
445.Sy chroot
446directive (if set),
447or to the home directory of the user.
448However, the user must still supply a password.
449This feature is intended as a compromise between a fully anonymous account
450and a fully privileged account.
451The account should also be set up as for an anonymous account.
452.It
453If the user name is
454.Dq anonymous
455or
456.Dq ftp ,
457an
458anonymous
459.Tn FTP
460account must be present in the password
461file (user
462.Dq ftp ) .
463In this case the user is allowed
464to log in by specifying any password (by convention an email address for
465the user should be used as the password).
466.Pp
467The server performs a
468.Xr chroot 2
469to the directory specified in the
470.Xr ftpd.conf 5
471.Sy chroot
472directive (if set),
473the
474.Fl a Ar anondir
475directory (if set),
476or to the home directory of the
477.Dq ftp
478user.
479.Pp
480The server then performs a
481.Xr chdir 2
482to the directory specified in the
483.Xr ftpd.conf 5
484.Sy homedir
485directive (if set), otherwise to
486.Pa / .
487.Pp
488If other restrictions are required (such as disabling of certain
489commands and the setting of a specific umask), then appropriate
490entries in
491.Xr ftpd.conf 5
492are required.
493.Pp
494If the first character of the password supplied by an anonymous user
495is
496.Dq - ,
497then the verbose messages displayed at login and upon a
498.Sy CWD
499command are suppressed.
500.El
501.Ss Display file escape sequences
502When
503.Nm
504displays various files back to the client (such as
505.Pa /etc/ftpwelcome
506and
507.Pa /etc/motd ) ,
508various escape strings are replaced with information pertinent
509to the current connection.
510.Pp
511The supported escape strings are:
512.Bl -tag -width "Escape" -offset indent -compact
513.It Sy "Escape"
514.Sy Description
515.It "\&%c"
516Class name.
517.It "\&%C"
518Current working directory.
519.It "\&%E"
520Email address given with
521.Fl e .
522.It "\&%L"
523Local hostname.
524.It "\&%M"
525Maximum number of users for this class.
526Displays
527.Dq unlimited
528if there's no limit.
529.It "\&%N"
530Current number of users for this class.
531.It "\&%R"
532Remote hostname.
533.It "\&%s"
534If the result of the most recent
535.Dq "\&%M"
536or
537.Dq "\&%N"
538was not
539.Dq Li 1 ,
540print an
541.Dq s .
542.It "\&%S"
543If the result of the most recent
544.Dq "\&%M"
545or
546.Dq "\&%N"
547was not
548.Dq Li 1 ,
549print an
550.Dq S .
551.It "\&%T"
552Current time.
553.It "\&%U"
554User name.
555.It "\&%\&%"
556A
557.Dq \&%
558character.
559.El
560.Ss Setting up a restricted ftp subtree
561In order that system security is not breached, it is recommended
562that the
563subtrees for the
564.Dq ftp
565and
566.Dq chroot
567accounts be constructed with care, following these rules
568(replace
569.Dq ftp
570in the following directory names
571with the appropriate account name for
572.Sq chroot
573users):
574.Bl -tag -width "~ftp/incoming" -offset indent
575.It Pa ~ftp
576Make the home directory owned by
577.Dq root
578and unwritable by anyone.
579.It Pa ~ftp/bin
580Make this directory owned by
581.Dq root
582and unwritable by anyone (mode 555).
583Generally any conversion commands should be installed
584here (mode 111).
585.It Pa ~ftp/etc
586Make this directory owned by
587.Dq root
588and unwritable by anyone (mode 555).
589The files
590.Pa pwd.db
591(see
592.Xr passwd 5 )
593and
594.Pa group
595(see
596.Xr group 5 )
597must be present for the
598.Sy LIST
599command to be able to display owner and group names instead of numbers.
600The password field in
601.Xr passwd 5
602is not used, and should not contain real passwords.
603The file
604.Pa motd ,
605if present, will be printed after a successful login.
606These files should be mode 444.
607.It Pa ~ftp/pub
608This directory and the subdirectories beneath it should be owned
609by the users and groups responsible for placing files in them,
610and be writable only by them (mode 755 or 775).
611They should
612.Em not
613be owned or writable by ftp or its group.
614.It Pa ~ftp/incoming
615This directory is where anonymous users place files they upload.
616The owners should be the user
617.Dq ftp
618and an appropriate group.
619Members of this group will be the only users with access to these
620files after they have been uploaded; these should be people who
621know how to deal with them appropriately.
622If you wish anonymous
623.Tn FTP
624users to be able to see the names of the
625files in this directory the permissions should be 770, otherwise
626they should be 370.
627.Pp
628The following
629.Xr ftpd.conf 5
630directives should be used:
631.Dl "modify guest off"
632.Dl "umask guest 0707"
633.Dl "upload guest on"
634.Pp
635This will result in anonymous users being able to upload files to this
636directory, but they will not be able to download them, delete them, or
637overwrite them, due to the umask and disabling of the commands mentioned
638above.
639.It Pa ~ftp/tmp
640This directory is used to create temporary files which contain
641the error messages generated by a conversion or
642.Sy LIST
643command.
644The owner should be the user
645.Dq ftp .
646The permissions should be 300.
647.Pp
648If you don't enable conversion commands, or don't want anonymous users
649uploading files here (see
650.Pa ~ftp/incoming
651above), then don't create this directory.
652However, error messages from conversion or
653.Sy LIST
654commands won't be returned to the user.
655(This is the traditional behaviour.)
656Note that the
657.Xr ftpd.conf 5
658directive
659.Sy upload
660can be used to prevent users uploading here.
661.El
662.Pp
663To set up "ftp-only" accounts that provide only
664.Tn FTP ,
665but no valid shell
666login, you can copy/link
667.Pa /sbin/nologin
668to
669.Pa /sbin/ftplogin ,
670and enter
671.Pa /sbin/ftplogin
672to
673.Pa /etc/shells
674to allow logging-in via
675.Tn FTP
676into the accounts, which must have
677.Pa /sbin/ftplogin
678as login shell.
679.Sh FILES
680.Bl -tag -width /etc/ftpwelcome -compact
681.It Pa /etc/ftpchroot
682List of normal users whose root directory should be changed via
683.Xr chroot 2 .
684.It Pa /etc/ftpd.conf
685Configure file conversions and other settings.
686.It Pa /etc/ftpusers
687List of unwelcome/restricted users.
688.It Pa /etc/ftpwelcome
689Welcome notice before login.
690.It Pa /etc/motd
691Welcome notice after login.
692.It Pa /etc/nologin
693If it exists, displayed and access is refused.
694.It Pa /var/run/ftpd.pids-CLASS
695State file of logged-in processes for the
696.Nm
697class
698.Sq CLASS .
699.It Pa /var/run/utmp
700List of logged-in users on the system.
701.It Pa /var/log/wtmp
702Login history database.
703.El
704.Sh SEE ALSO
705.Xr ftp 1 ,
706.Xr skey 1 ,
707.Xr who 1 ,
708.Xr getusershell 3 ,
709.Xr ftpchroot 5 ,
710.Xr ftpd.conf 5 ,
711.Xr ftpusers 5 ,
712.Xr syslogd 8
713.Sh STANDARDS
714.Nm
715recognizes all commands in
716.Cm RFC 959 ,
717follows the guidelines in
718.Cm RFC 1123 ,
719recognizes all commands in
720.Cm RFC 2228
721(although they are not supported yet),
722and supports the extensions from
723.Cm RFC 2389 ,
724.Cm RFC 2428
725and
726.Cm draft-ietf-ftpext-mlst-11 .
727.Sh HISTORY
728The
729.Nm
730command appeared in
731.Bx 4.2 .
732.Pp
733Various features such as the
734.Xr ftpd.conf 5
735functionality,
736.Cm RFC 2389 ,
737and
738.Cm draft-ietf-ftpext-mlst-11
739support was implemented in
740.Nx 1.3
741and later releases by Luke Mewburn.
742.Sh BUGS
743The server must run as the super-user to create sockets with
744privileged port numbers (i.e, those less than
745.Dv IPPORT_RESERVED ,
746which is 1024).
747If
748.Nm
749is listening on a privileged port
750it maintains an effective user id of the logged in user, reverting
751to the super-user only when binding addresses to privileged sockets.
752The
753.Fl r
754option can be used to override this behaviour and force privileges to
755be permanently revoked; see
756.Sx SECURITY CONSIDERATIONS
757below for more details.
758.Pp
759.Nm
760may have trouble handling connections from scoped IPv6 addresses, or
761IPv4 mapped addresses
762.Po
763IPv4 connection on
764.Dv AF_INET6
765socket
766.Pc .
767For the latter case, running two daemons,
768one for IPv4 and one for IPv6, will avoid the problem.
769.Sh SECURITY CONSIDERATIONS
770.Cm RFC 959
771provides no restrictions on the
772.Sy PORT
773command, and this can lead to security problems, as
774.Nm
775can be fooled into connecting to any service on any host.
776With the
777.Dq checkportcmd
778feature of the
779.Xr ftpd.conf 5 ,
780.Sy PORT
781commands with different host addresses, or TCP ports lower than
782.Dv IPPORT_RESERVED
783will be rejected.
784This also prevents
785.Sq third-party proxy ftp
786from working.
787Use of this option is
788.Em strongly
789recommended, and enabled by default.
790.Pp
791By default
792.Nm
793uses a port that is one less than the port it is listening on to
794communicate back to the client for the
795.Sy EPRT ,
796.Sy LPRT ,
797and
798.Sy PORT
799commands, unless overridden with
800.Fl P Ar dataport .
801As the default port for
802.Nm
803(21) is a privileged port below
804.Dv IPPORT_RESERVED ,
805.Nm
806retains the ability to switch back to root privileges to bind these
807ports.
808In order to increase security by reducing the potential for a bug in
809.Nm
810providing a remote root compromise,
811.Nm
812will permanently drop root privileges if one of the following is true:
813.Bl -enum -offset indent
814.It
815.Nm
816is running on a port greater than
817.Dv IPPORT_RESERVED
818and the user has logged in as a
819.Sq guest
820or
821.Sq chroot
822user.
823.It
824.Nm
825was invoked with
826.Fl r .
827.El
828.Pp
829Don't create
830.Pa ~ftp/tmp
831if you don't want anonymous users to upload files there.
832That directory is only necessary if you want to display the error
833messages of conversion commands to the user.
834Note that if uploads are disabled with the
835.Xr ftpd.conf 5
836directive
837.Sy upload ,
838then this directory cannot be abused by the user in this way, so it
839should be safe to create.