2003-08-07 13:46:37 +04:00
|
|
|
.\" $NetBSD: ftpd.8,v 1.74 2003/08/07 09:46:39 agc Exp $
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
.\"
|
2003-02-26 15:27:04 +03:00
|
|
|
.\" Copyright (c) 1997-2003 The NetBSD Foundation, Inc.
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
.\" All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
|
|
|
.\" by Luke Mewburn.
|
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
|
|
.\" must display the following acknowledgement:
|
|
|
|
.\" This product includes software developed by the NetBSD
|
|
|
|
.\" Foundation, Inc. and its contributors.
|
|
|
|
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
|
|
|
|
.\" contributors may be used to endorse or promote products derived
|
|
|
|
.\" from this software without specific prior written permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
1995-04-11 06:44:45 +04:00
|
|
|
.\"
|
1994-06-29 05:49:37 +04:00
|
|
|
.\" Copyright (c) 1985, 1988, 1991, 1993
|
|
|
|
.\" The Regents of the University of California. All rights reserved.
|
1993-03-21 12:45:37 +03:00
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
2003-08-07 13:46:37 +04:00
|
|
|
.\" 3. Neither the name of the University nor the names of its contributors
|
1993-03-21 12:45:37 +03:00
|
|
|
.\" may be used to endorse or promote products derived from this software
|
|
|
|
.\" without specific prior written permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
|
|
|
.\"
|
1995-04-11 06:44:45 +04:00
|
|
|
.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
|
1993-03-21 12:45:37 +03:00
|
|
|
.\"
|
2003-02-28 06:06:14 +03:00
|
|
|
.Dd February 26, 2003
|
1993-03-21 12:45:37 +03:00
|
|
|
.Dt FTPD 8
|
1999-03-22 21:25:43 +03:00
|
|
|
.Os
|
1993-03-21 12:45:37 +03:00
|
|
|
.Sh NAME
|
1999-12-16 04:16:04 +03:00
|
|
|
.Nm ftpd
|
1993-03-21 12:45:37 +03:00
|
|
|
.Nd
|
|
|
|
Internet File Transfer Protocol server
|
|
|
|
.Sh SYNOPSIS
|
1997-04-27 07:21:38 +04:00
|
|
|
.Nm
|
2000-12-18 05:32:50 +03:00
|
|
|
.Op Fl dHlqQrsuUwWX
|
1997-05-24 02:09:48 +04:00
|
|
|
.Op Fl a Ar anondir
|
1997-09-23 17:56:39 +04:00
|
|
|
.Op Fl c Ar confdir
|
1997-09-23 18:25:30 +04:00
|
|
|
.Op Fl C Ar user
|
2000-11-16 16:15:13 +03:00
|
|
|
.Op Fl e Ar emailaddr
|
1999-12-19 03:09:31 +03:00
|
|
|
.Op Fl h Ar hostname
|
2003-02-26 15:27:04 +03:00
|
|
|
.Op Fl L Ar xferlogfile
|
2000-11-16 16:15:13 +03:00
|
|
|
.Op Fl P Ar dataport
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Op Fl V Ar version
|
1993-03-21 12:45:37 +03:00
|
|
|
.Sh DESCRIPTION
|
1997-04-27 07:21:38 +04:00
|
|
|
.Nm
|
1998-04-29 12:33:11 +04:00
|
|
|
is the Internet File Transfer Protocol server process.
|
|
|
|
The server uses the
|
1993-03-21 12:45:37 +03:00
|
|
|
.Tn TCP
|
1998-04-29 12:33:11 +04:00
|
|
|
protocol and listens at the port specified in the
|
1993-03-21 12:45:37 +03:00
|
|
|
.Dq ftp
|
|
|
|
service specification; see
|
|
|
|
.Xr services 5 .
|
|
|
|
.Pp
|
|
|
|
Available options:
|
|
|
|
.Bl -tag -width Ds
|
1999-12-16 05:21:37 +03:00
|
|
|
.It Fl a Ar anondir
|
|
|
|
Define
|
|
|
|
.Ar anondir
|
|
|
|
as the directory to
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
.Xr chroot 2
|
|
|
|
into for anonymous logins.
|
1997-05-24 02:09:48 +04:00
|
|
|
Default is the home directory for the ftp user.
|
2000-12-18 05:32:50 +03:00
|
|
|
This can also be specified with the
|
|
|
|
.Xr ftpd.conf 5
|
|
|
|
.Sy chroot
|
|
|
|
directive.
|
1999-12-16 05:21:37 +03:00
|
|
|
.It Fl c Ar confdir
|
1997-09-23 17:56:39 +04:00
|
|
|
Change the root directory of the configuration files from
|
|
|
|
.Dq Pa /etc
|
|
|
|
to
|
1999-12-16 05:21:37 +03:00
|
|
|
.Ar confdir .
|
2000-12-18 05:32:50 +03:00
|
|
|
This changes the directory for the following files:
|
|
|
|
.Pa /etc/ftpchroot ,
|
|
|
|
.Pa /etc/ftpusers ,
|
|
|
|
.Pa /etc/ftpwelcome ,
|
|
|
|
.Pa /etc/motd ,
|
|
|
|
and the file specified by the
|
|
|
|
.Xr ftpd.conf 5
|
|
|
|
.Sy limit
|
|
|
|
directive.
|
1999-12-16 05:21:37 +03:00
|
|
|
.It Fl C Ar user
|
|
|
|
Check whether
|
|
|
|
.Ar user
|
|
|
|
would be granted access under
|
1997-09-23 18:25:30 +04:00
|
|
|
the restrictions given in
|
1999-12-16 04:16:04 +03:00
|
|
|
.Xr ftpusers 5
|
1997-09-23 18:25:30 +04:00
|
|
|
and exit without attempting a connection.
|
|
|
|
.Nm
|
|
|
|
exits with an exit code of 0 if access would be granted, or 1 otherwise.
|
|
|
|
This can be useful for testing configurations.
|
1993-03-21 12:45:37 +03:00
|
|
|
.It Fl d
|
2000-12-18 05:32:50 +03:00
|
|
|
Debugging information is written to the syslog using a facility of
|
1999-12-18 08:51:34 +03:00
|
|
|
.Dv LOG_FTP .
|
2000-11-16 16:15:13 +03:00
|
|
|
.It Fl e Ar emailaddr
|
|
|
|
Use
|
|
|
|
.Ar emailaddr
|
|
|
|
for the
|
|
|
|
.Dq "\&%E"
|
|
|
|
escape sequence (see
|
|
|
|
.Sx Display file escape sequences )
|
1999-12-19 03:09:31 +03:00
|
|
|
.It Fl h Ar hostname
|
2001-07-08 11:27:14 +04:00
|
|
|
Explicitly set the hostname to advertise as to
|
2000-07-15 07:45:19 +04:00
|
|
|
.Ar hostname .
|
|
|
|
The default is the hostname associated with the IP address that
|
|
|
|
.Nm
|
1999-12-19 03:09:31 +03:00
|
|
|
is listening on.
|
|
|
|
This ability (with or without
|
|
|
|
.Fl h ) ,
|
2002-01-15 05:20:37 +03:00
|
|
|
in conjunction with
|
1999-12-19 03:09:31 +03:00
|
|
|
.Fl c Ar confdir ,
|
|
|
|
is useful when configuring
|
|
|
|
.Sq virtual
|
|
|
|
.Tn FTP
|
|
|
|
servers, each listening on separate addresses as separate names.
|
|
|
|
Refer to
|
|
|
|
.Xr inetd.conf 5
|
|
|
|
for more information on starting services to listen on specific IP addresses.
|
2000-07-15 07:45:19 +04:00
|
|
|
.It Fl H
|
|
|
|
Equivalent to
|
|
|
|
.Do
|
|
|
|
-h
|
|
|
|
`hostname`
|
|
|
|
.Dc .
|
1993-03-21 12:45:37 +03:00
|
|
|
.It Fl l
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
Each successful and failed
|
1999-12-18 08:51:34 +03:00
|
|
|
.Tn FTP
|
|
|
|
session is logged using syslog with a facility of
|
|
|
|
.Dv LOG_FTP .
|
2000-12-18 05:32:50 +03:00
|
|
|
If this option is specified more than once, the retrieve (get), store (put),
|
|
|
|
append, delete, make directory, remove directory and rename operations and
|
2000-11-16 16:15:13 +03:00
|
|
|
their file name arguments are also logged.
|
2003-02-26 15:27:04 +03:00
|
|
|
.It Fl L Ar xferlogfile
|
|
|
|
Log
|
|
|
|
.Tn wu-ftpd
|
|
|
|
style
|
|
|
|
.Sq xferlog
|
|
|
|
entries to
|
|
|
|
.Ar xferlogfile .
|
2000-11-16 16:15:13 +03:00
|
|
|
.It Fl P Ar dataport
|
|
|
|
Use
|
|
|
|
.Ar dataport
|
|
|
|
as the data port, overriding the default of using the port one less
|
|
|
|
that the port
|
|
|
|
.Nm
|
|
|
|
is listening on.
|
|
|
|
.It Fl q
|
|
|
|
Enable the use of pid files for keeping track of the number of logged-in
|
|
|
|
users per class.
|
|
|
|
This is the default.
|
|
|
|
.It Fl Q
|
|
|
|
Disable the use of pid files for keeping track of the number of logged-in
|
|
|
|
users per class.
|
|
|
|
This may reduce the load on heavily loaded
|
|
|
|
.Tn FTP
|
|
|
|
servers.
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.It Fl r
|
|
|
|
Permanently drop root privileges once the user is logged in.
|
|
|
|
The use of this option may result in the server using a port other
|
|
|
|
than the (listening-port - 1) for
|
|
|
|
.Sy PORT
|
|
|
|
style commands, which is contrary to the
|
|
|
|
.Cm RFC 959
|
|
|
|
specification, but in practice very few clients rely upon this behaviour.
|
|
|
|
See
|
|
|
|
.Sx SECURITY CONSIDERATIONS
|
|
|
|
below for more details.
|
1998-06-26 22:12:00 +04:00
|
|
|
.It Fl s
|
|
|
|
Require a secure authentication mechanism like Kerberos or S/Key to be used.
|
2000-11-16 16:15:13 +03:00
|
|
|
.It Fl u
|
|
|
|
Log each concurrent
|
1999-12-18 08:51:34 +03:00
|
|
|
.Tn FTP
|
2000-11-16 16:15:13 +03:00
|
|
|
session to
|
1999-12-18 08:51:34 +03:00
|
|
|
.Pa /var/run/utmp ,
|
|
|
|
making them visible to commands such as
|
|
|
|
.Xr who 1 .
|
2000-11-16 16:15:13 +03:00
|
|
|
.It Fl U
|
|
|
|
Don't log each concurrent
|
|
|
|
.Tn FTP
|
|
|
|
session to
|
|
|
|
.Pa /var/run/utmp .
|
|
|
|
This is the default.
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.It Fl V Ar version
|
|
|
|
Use
|
|
|
|
.Ar version
|
2001-07-08 11:27:14 +04:00
|
|
|
as the version to advertise in the login banner and in the output of
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Sy STAT
|
|
|
|
and
|
|
|
|
.Sy SYST
|
|
|
|
instead of the default version information.
|
|
|
|
If
|
|
|
|
.Ar version
|
|
|
|
is empty or
|
|
|
|
.Sq -
|
|
|
|
then don't display any version information.
|
2000-11-16 16:15:13 +03:00
|
|
|
.It Fl w
|
|
|
|
Log each
|
2000-07-26 17:53:33 +04:00
|
|
|
.Tn FTP
|
2000-11-16 16:15:13 +03:00
|
|
|
session to
|
2000-07-28 16:54:01 +04:00
|
|
|
.Pa /var/log/wtmp ,
|
2000-07-26 17:53:33 +04:00
|
|
|
making them visible to commands such as
|
|
|
|
.Xr last 1 .
|
2000-11-16 16:15:13 +03:00
|
|
|
This is the default.
|
|
|
|
.It Fl W
|
|
|
|
Don't log each
|
|
|
|
.Tn FTP
|
|
|
|
session to
|
|
|
|
.Pa /var/log/wtmp .
|
2000-12-18 05:32:50 +03:00
|
|
|
.It Fl X
|
|
|
|
Log
|
|
|
|
.Tn wu-ftpd
|
|
|
|
style
|
|
|
|
.Sq xferlog
|
|
|
|
entries to the syslog, prefixed with
|
|
|
|
.Dq "xferlog:\ " ,
|
|
|
|
using a facility of
|
|
|
|
.Dv LOG_FTP .
|
|
|
|
These syslog entries can be converted to a
|
|
|
|
.Tn wu-ftpd
|
|
|
|
style
|
|
|
|
.Pa xferlog
|
|
|
|
file suitable for input into a third-party log analysis tool with a command
|
|
|
|
similar to:
|
|
|
|
.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
|
2002-02-08 04:21:55 +03:00
|
|
|
.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
|
1998-06-26 22:12:00 +04:00
|
|
|
.El
|
1993-03-21 12:45:37 +03:00
|
|
|
.Pp
|
1994-06-29 05:49:37 +04:00
|
|
|
The file
|
|
|
|
.Pa /etc/nologin
|
1999-12-18 08:51:34 +03:00
|
|
|
can be used to disable
|
|
|
|
.Tn FTP
|
|
|
|
access.
|
1994-06-29 05:49:37 +04:00
|
|
|
If the file exists,
|
|
|
|
.Nm
|
|
|
|
displays it and exits.
|
|
|
|
If the file
|
|
|
|
.Pa /etc/ftpwelcome
|
|
|
|
exists,
|
|
|
|
.Nm
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
prints it before issuing the
|
1994-06-29 05:49:37 +04:00
|
|
|
.Dq ready
|
|
|
|
message.
|
|
|
|
If the file
|
|
|
|
.Pa /etc/motd
|
2000-12-18 05:32:50 +03:00
|
|
|
exists (under the chroot directory if applicable),
|
1994-06-29 05:49:37 +04:00
|
|
|
.Nm
|
|
|
|
prints it after a successful login.
|
2000-12-18 05:32:50 +03:00
|
|
|
This may be changed with the
|
1999-12-16 04:16:04 +03:00
|
|
|
.Xr ftpd.conf 5
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
directive
|
2000-12-18 05:32:50 +03:00
|
|
|
.Sy motd .
|
1994-06-29 05:49:37 +04:00
|
|
|
.Pp
|
1999-12-18 08:51:34 +03:00
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
server currently supports the following
|
|
|
|
.Tn FTP
|
|
|
|
requests.
|
1994-06-29 05:49:37 +04:00
|
|
|
The case of the requests is ignored.
|
1993-03-21 12:45:37 +03:00
|
|
|
.Bl -column "Request" -offset indent
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
.It Sy Request Ta Sy Description
|
1993-03-21 12:45:37 +03:00
|
|
|
.It ABOR Ta "abort previous command"
|
|
|
|
.It ACCT Ta "specify account (ignored)"
|
|
|
|
.It ALLO Ta "allocate storage (vacuously)"
|
|
|
|
.It APPE Ta "append to a file"
|
|
|
|
.It CDUP Ta "change to parent of current working directory"
|
|
|
|
.It CWD Ta "change working directory"
|
|
|
|
.It DELE Ta "delete a file"
|
1999-07-02 09:52:14 +04:00
|
|
|
.It EPSV Ta "prepare for server-to-server transfer"
|
|
|
|
.It EPRT Ta "specify data connection port"
|
1998-09-07 12:11:20 +04:00
|
|
|
.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
|
1993-03-21 12:45:37 +03:00
|
|
|
.It HELP Ta "give help information"
|
various fixes suggested by Robert Elz:
* implement closedataconn() and use appropriately (including in mlsd())
* only put leading space in front of MLST output (not MLSD output)
* MLSD: only output pdir and cdir entries when the type fact is requested.
* change error code for giving MLSD a non-directory from 550 to 501
* remove MLSx Type fact support for UNIX.* for now; it's not standardised yet.
* do a check_login when MLSD and MLST are given no args
* detect & complain about null facts in OPTS MLST
* cache getgroups() at login instead of calling each time in fact_perm()
other mods:
* implement cprintf(); as per fprintf() but increments total_bytes{,_out}
* implement CPUTC(); as per putc() but increments total_bytes{,_out}
* implement base64_encode()
* fact_unique() display base64 encoding of dev_t and ino_t rather than
hex output; should scale if size of those changes
* change reply() so that a negative code acts as the initial line in a reply,
code == 0 prefixes the line with 4 spaces, and code > 0 works as before.
deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and
reply(0, ) respectively.
* use cprintf() and CPUTC() appropriately (often instead of printf(),
lreply(-2, ) or lreply(-1, ).
now we actually account for the data sent by MLST and MLSD.
* remove DEBUG support for sending MLSD output to control connection instead
of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
|
|
|
.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
|
1999-07-02 09:52:14 +04:00
|
|
|
.It LPSV Ta "prepare for server-to-server transfer"
|
|
|
|
.It LPRT Ta "specify data connection port"
|
various fixes suggested by Robert Elz:
* implement closedataconn() and use appropriately (including in mlsd())
* only put leading space in front of MLST output (not MLSD output)
* MLSD: only output pdir and cdir entries when the type fact is requested.
* change error code for giving MLSD a non-directory from 550 to 501
* remove MLSx Type fact support for UNIX.* for now; it's not standardised yet.
* do a check_login when MLSD and MLST are given no args
* detect & complain about null facts in OPTS MLST
* cache getgroups() at login instead of calling each time in fact_perm()
other mods:
* implement cprintf(); as per fprintf() but increments total_bytes{,_out}
* implement CPUTC(); as per putc() but increments total_bytes{,_out}
* implement base64_encode()
* fact_unique() display base64 encoding of dev_t and ino_t rather than
hex output; should scale if size of those changes
* change reply() so that a negative code acts as the initial line in a reply,
code == 0 prefixes the line with 4 spaces, and code > 0 works as before.
deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and
reply(0, ) respectively.
* use cprintf() and CPUTC() appropriately (often instead of printf(),
lreply(-2, ) or lreply(-1, ).
now we actually account for the data sent by MLST and MLSD.
* remove DEBUG support for sending MLSD output to control connection instead
of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
|
|
|
.It MLSD Ta "list contents of directory in a machine-processable form"
|
|
|
|
.It MLST Ta "show a pathname in a machine-processable form"
|
1993-03-21 12:45:37 +03:00
|
|
|
.It MKD Ta "make a directory"
|
|
|
|
.It MDTM Ta "show last modification time of file"
|
|
|
|
.It MODE Ta "specify data transfer" Em mode
|
|
|
|
.It NLST Ta "give name list of files in directory"
|
|
|
|
.It NOOP Ta "do nothing"
|
1998-09-07 12:11:20 +04:00
|
|
|
.It OPTS Ta "define persistent options for a given command"
|
1993-03-21 12:45:37 +03:00
|
|
|
.It PASS Ta "specify password"
|
|
|
|
.It PASV Ta "prepare for server-to-server transfer"
|
|
|
|
.It PORT Ta "specify data connection port"
|
|
|
|
.It PWD Ta "print the current working directory"
|
|
|
|
.It QUIT Ta "terminate session"
|
|
|
|
.It REST Ta "restart incomplete transfer"
|
|
|
|
.It RETR Ta "retrieve a file"
|
|
|
|
.It RMD Ta "remove a directory"
|
|
|
|
.It RNFR Ta "specify rename-from file name"
|
|
|
|
.It RNTO Ta "specify rename-to file name"
|
|
|
|
.It SITE Ta "non-standard commands (see next section)"
|
|
|
|
.It SIZE Ta "return size of file"
|
|
|
|
.It STAT Ta "return status of server"
|
|
|
|
.It STOR Ta "store a file"
|
|
|
|
.It STOU Ta "store a file with a unique name"
|
|
|
|
.It STRU Ta "specify data transfer" Em structure
|
|
|
|
.It SYST Ta "show operating system type of server system"
|
|
|
|
.It TYPE Ta "specify data transfer" Em type
|
|
|
|
.It USER Ta "specify user name"
|
|
|
|
.It XCUP Ta "change to parent of current working directory (deprecated)"
|
|
|
|
.It XCWD Ta "change working directory (deprecated)"
|
|
|
|
.It XMKD Ta "make a directory (deprecated)"
|
|
|
|
.It XPWD Ta "print the current working directory (deprecated)"
|
|
|
|
.It XRMD Ta "remove a directory (deprecated)"
|
|
|
|
.El
|
|
|
|
.Pp
|
|
|
|
The following non-standard or
|
1998-04-28 10:00:51 +04:00
|
|
|
.Ux
|
|
|
|
specific commands are supported by the SITE request.
|
1993-03-21 12:45:37 +03:00
|
|
|
.Pp
|
|
|
|
.Bl -column Request -offset indent
|
|
|
|
.It Sy Request Ta Sy Description
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
|
|
|
|
.It HELP Ta "give help information."
|
|
|
|
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
|
2000-06-20 11:39:46 +04:00
|
|
|
.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
|
|
|
|
.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
|
1993-03-21 12:45:37 +03:00
|
|
|
.El
|
|
|
|
.Pp
|
1999-12-18 08:51:34 +03:00
|
|
|
The following
|
|
|
|
.Tn FTP
|
|
|
|
requests (as specified in
|
1998-09-07 12:11:20 +04:00
|
|
|
.Cm RFC 959 )
|
|
|
|
are recognized, but are not implemented:
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Sy ACCT ,
|
|
|
|
.Sy SMNT ,
|
|
|
|
and
|
|
|
|
.Sy REIN .
|
|
|
|
.Sy MDTM
|
|
|
|
and
|
|
|
|
.Sy SIZE
|
|
|
|
are not specified in
|
1998-09-07 12:11:20 +04:00
|
|
|
.Cm RFC 959 ,
|
1998-09-05 21:33:00 +04:00
|
|
|
but will appear in the
|
1999-12-18 08:51:34 +03:00
|
|
|
next updated
|
|
|
|
.Tn FTP
|
|
|
|
RFC.
|
1993-03-21 12:45:37 +03:00
|
|
|
.Pp
|
1999-12-18 08:51:34 +03:00
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
server will abort an active file transfer only when the
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Sy ABOR
|
1993-03-21 12:45:37 +03:00
|
|
|
command is preceded by a Telnet "Interrupt Process" (IP)
|
|
|
|
signal and a Telnet "Synch" signal in the command Telnet stream,
|
1998-09-05 21:33:00 +04:00
|
|
|
as described in Internet
|
|
|
|
.Cm RFC 959 .
|
1993-03-21 12:45:37 +03:00
|
|
|
If a
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Sy STAT
|
1993-03-21 12:45:37 +03:00
|
|
|
command is received during a data transfer, preceded by a Telnet IP
|
|
|
|
and Synch, transfer status will be returned.
|
|
|
|
.Pp
|
1997-04-27 07:21:38 +04:00
|
|
|
.Nm
|
1993-03-21 12:45:37 +03:00
|
|
|
interprets file names according to the
|
|
|
|
.Dq globbing
|
|
|
|
conventions used by
|
|
|
|
.Xr csh 1 .
|
2003-02-05 02:07:28 +03:00
|
|
|
This allows users to use the metacharacters
|
1993-03-21 12:45:37 +03:00
|
|
|
.Dq Li \&*?[]{}~ .
|
2002-01-15 05:20:37 +03:00
|
|
|
.Ss User authentication
|
1997-04-27 07:21:38 +04:00
|
|
|
.Nm
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
authenticates users according to five rules.
|
1993-03-21 12:45:37 +03:00
|
|
|
.Pp
|
|
|
|
.Bl -enum -offset indent
|
|
|
|
.It
|
1994-06-29 05:49:37 +04:00
|
|
|
The login name must be in the password data base,
|
1995-02-17 12:19:45 +03:00
|
|
|
.Pa /etc/pwd.db ,
|
1994-06-29 05:49:37 +04:00
|
|
|
and not have a null password.
|
|
|
|
In this case a password must be provided by the client before any
|
|
|
|
file operations may be performed.
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
If the user has an S/Key key, the response from a successful
|
|
|
|
.Sy USER
|
1998-04-29 12:33:11 +04:00
|
|
|
command will include an S/Key challenge.
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
The client may choose to respond with a
|
|
|
|
.Sy PASS
|
|
|
|
command giving either
|
1998-04-29 12:33:11 +04:00
|
|
|
a standard password or an S/Key one-time password.
|
|
|
|
The server will automatically determine which type of password it
|
|
|
|
has been given and attempt to authenticate accordingly.
|
|
|
|
See
|
1994-05-24 10:52:17 +04:00
|
|
|
.Xr skey 1
|
1998-04-29 12:33:11 +04:00
|
|
|
for more information on S/Key authentication.
|
|
|
|
S/Key is a Trademark of Bellcore.
|
1993-03-21 12:45:37 +03:00
|
|
|
.It
|
1997-04-06 11:53:10 +04:00
|
|
|
The login name must be allowed based on the information in
|
1999-12-16 04:16:04 +03:00
|
|
|
.Xr ftpusers 5 .
|
1993-03-21 12:45:37 +03:00
|
|
|
.It
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
The user must have a standard shell returned by
|
1993-03-21 12:45:37 +03:00
|
|
|
.Xr getusershell 3 .
|
1998-04-29 12:33:11 +04:00
|
|
|
If the user's shell field in the password database is empty, the
|
1997-09-22 02:59:03 +04:00
|
|
|
shell is assumed to be
|
1998-04-29 12:33:11 +04:00
|
|
|
.Pa /bin/sh .
|
2001-08-31 04:05:31 +04:00
|
|
|
As per
|
|
|
|
.Xr shells 5 ,
|
|
|
|
the user's shell must be listed with full path in
|
|
|
|
.Pa /etc/shells .
|
1993-03-21 12:45:37 +03:00
|
|
|
.It
|
1998-11-18 16:32:17 +03:00
|
|
|
If directed by the file
|
1999-12-16 10:05:18 +03:00
|
|
|
.Xr ftpchroot 5
|
2000-07-17 06:30:52 +04:00
|
|
|
the session's root directory will be changed by
|
1994-04-07 00:49:52 +04:00
|
|
|
.Xr chroot 2
|
2000-07-17 06:30:52 +04:00
|
|
|
to the directory specified in the
|
|
|
|
.Xr ftpd.conf 5
|
|
|
|
.Sy chroot
|
|
|
|
directive (if set),
|
|
|
|
or to the home directory of the user.
|
1998-04-29 12:33:11 +04:00
|
|
|
However, the user must still supply a password.
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
This feature is intended as a compromise between a fully anonymous account
|
1998-04-29 12:33:11 +04:00
|
|
|
and a fully privileged account.
|
|
|
|
The account should also be set up as for an anonymous account.
|
1994-04-07 00:49:52 +04:00
|
|
|
.It
|
1993-03-21 12:45:37 +03:00
|
|
|
If the user name is
|
|
|
|
.Dq anonymous
|
|
|
|
or
|
|
|
|
.Dq ftp ,
|
|
|
|
an
|
1999-12-18 08:51:34 +03:00
|
|
|
anonymous
|
|
|
|
.Tn FTP
|
|
|
|
account must be present in the password
|
1993-03-21 12:45:37 +03:00
|
|
|
file (user
|
|
|
|
.Dq ftp ) .
|
|
|
|
In this case the user is allowed
|
1994-06-29 05:49:37 +04:00
|
|
|
to log in by specifying any password (by convention an email address for
|
|
|
|
the user should be used as the password).
|
2000-07-17 06:30:52 +04:00
|
|
|
.Pp
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
The server performs a
|
1993-03-21 12:45:37 +03:00
|
|
|
.Xr chroot 2
|
2000-07-17 06:30:52 +04:00
|
|
|
to the directory specified in the
|
|
|
|
.Xr ftpd.conf 5
|
|
|
|
.Sy chroot
|
|
|
|
directive (if set),
|
|
|
|
the
|
|
|
|
.Fl a Ar anondir
|
|
|
|
directory (if set),
|
|
|
|
or to the home directory of the
|
1993-03-21 12:45:37 +03:00
|
|
|
.Dq ftp
|
|
|
|
user.
|
2000-07-17 06:30:52 +04:00
|
|
|
.Pp
|
|
|
|
The server then performs a
|
|
|
|
.Xr chdir 2
|
|
|
|
to the directory specified in the
|
|
|
|
.Xr ftpd.conf 5
|
|
|
|
.Sy homedir
|
|
|
|
directive (if set), otherwise to
|
|
|
|
.Pa / .
|
|
|
|
.Pp
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
If other restrictions are required (such as disabling of certain
|
|
|
|
commands and the setting of a specific umask), then appropriate
|
|
|
|
entries in
|
1999-12-16 04:16:04 +03:00
|
|
|
.Xr ftpd.conf 5
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
are required.
|
2000-01-13 03:04:31 +03:00
|
|
|
.Pp
|
|
|
|
If the first character of the password supplied by an anonymous user
|
|
|
|
is
|
|
|
|
.Dq - ,
|
|
|
|
then the verbose messages displayed at login and upon a
|
|
|
|
.Sy CWD
|
|
|
|
command are suppressed.
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
.El
|
2002-01-15 05:20:37 +03:00
|
|
|
.Ss Display file escape sequences
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
When
|
|
|
|
.Nm
|
|
|
|
displays various files back to the client (such as
|
|
|
|
.Pa /etc/ftpwelcome
|
|
|
|
and
|
|
|
|
.Pa /etc/motd ) ,
|
|
|
|
various escape strings are replaced with information pertinent
|
|
|
|
to the current connection.
|
|
|
|
.Pp
|
|
|
|
The supported escape strings are:
|
|
|
|
.Bl -tag -width "Escape" -offset indent -compact
|
|
|
|
.It Sy "Escape"
|
|
|
|
.Sy Description
|
2000-01-08 14:09:56 +03:00
|
|
|
.It "\&%c"
|
|
|
|
Class name.
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
.It "\&%C"
|
|
|
|
Current working directory.
|
2000-11-16 16:15:13 +03:00
|
|
|
.It "\&%E"
|
|
|
|
Email address given with
|
|
|
|
.Fl e .
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
.It "\&%L"
|
|
|
|
Local hostname.
|
2000-01-08 14:09:56 +03:00
|
|
|
.It "\&%M"
|
|
|
|
Maximum number of users for this class.
|
|
|
|
Displays
|
|
|
|
.Dq unlimited
|
|
|
|
if there's no limit.
|
|
|
|
.It "\&%N"
|
|
|
|
Current number of users for this class.
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
.It "\&%R"
|
|
|
|
Remote hostname.
|
2000-11-16 16:15:13 +03:00
|
|
|
.It "\&%s"
|
|
|
|
If the result of the most recent
|
|
|
|
.Dq "\&%M"
|
|
|
|
or
|
|
|
|
.Dq "\&%N"
|
|
|
|
was not
|
|
|
|
.Dq Li 1 ,
|
|
|
|
print an
|
|
|
|
.Dq s .
|
|
|
|
.It "\&%S"
|
|
|
|
If the result of the most recent
|
|
|
|
.Dq "\&%M"
|
|
|
|
or
|
|
|
|
.Dq "\&%N"
|
|
|
|
was not
|
|
|
|
.Dq Li 1 ,
|
|
|
|
print an
|
|
|
|
.Dq S .
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
.It "\&%T"
|
|
|
|
Current time.
|
|
|
|
.It "\&%U"
|
2000-07-17 06:30:52 +04:00
|
|
|
User name.
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
.It "\&%\&%"
|
|
|
|
A
|
|
|
|
.Dq \&%
|
|
|
|
character.
|
|
|
|
.El
|
2002-01-15 05:20:37 +03:00
|
|
|
.Ss Setting up a restricted ftp subtree
|
1993-03-21 12:45:37 +03:00
|
|
|
In order that system security is not breached, it is recommended
|
|
|
|
that the
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
subtrees for the
|
|
|
|
.Dq ftp
|
|
|
|
and
|
|
|
|
.Dq chroot
|
|
|
|
accounts be constructed with care, following these rules
|
|
|
|
(replace
|
1993-03-21 12:45:37 +03:00
|
|
|
.Dq ftp
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
in the following directory names
|
|
|
|
with the appropriate account name for
|
|
|
|
.Sq chroot
|
|
|
|
users):
|
1997-03-31 02:53:36 +04:00
|
|
|
.Bl -tag -width "~ftp/incoming" -offset indent
|
1993-03-21 12:45:37 +03:00
|
|
|
.It Pa ~ftp
|
|
|
|
Make the home directory owned by
|
1994-06-29 05:49:37 +04:00
|
|
|
.Dq root
|
1993-03-21 12:45:37 +03:00
|
|
|
and unwritable by anyone.
|
|
|
|
.It Pa ~ftp/bin
|
1994-06-29 05:49:37 +04:00
|
|
|
Make this directory owned by
|
|
|
|
.Dq root
|
|
|
|
and unwritable by anyone (mode 555).
|
1999-05-17 19:14:53 +04:00
|
|
|
Generally any conversion commands should be installed
|
|
|
|
here (mode 111).
|
1993-03-21 12:45:37 +03:00
|
|
|
.It Pa ~ftp/etc
|
1994-06-29 05:49:37 +04:00
|
|
|
Make this directory owned by
|
|
|
|
.Dq root
|
|
|
|
and unwritable by anyone (mode 555).
|
1997-04-27 07:21:38 +04:00
|
|
|
The files
|
|
|
|
.Pa pwd.db
|
|
|
|
(see
|
1996-01-14 23:55:23 +03:00
|
|
|
.Xr passwd 5 )
|
1993-03-21 12:45:37 +03:00
|
|
|
and
|
1997-04-27 07:21:38 +04:00
|
|
|
.Pa group
|
|
|
|
(see
|
|
|
|
.Xr group 5 )
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
must be present for the
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Sy LIST
|
1999-05-17 19:14:53 +04:00
|
|
|
command to be able to display owner and group names instead of numbers.
|
1993-03-21 12:45:37 +03:00
|
|
|
The password field in
|
1998-04-29 12:33:11 +04:00
|
|
|
.Xr passwd 5
|
1994-06-29 05:49:37 +04:00
|
|
|
is not used, and should not contain real passwords.
|
|
|
|
The file
|
|
|
|
.Pa motd ,
|
|
|
|
if present, will be printed after a successful login.
|
1993-03-21 12:45:37 +03:00
|
|
|
These files should be mode 444.
|
|
|
|
.It Pa ~ftp/pub
|
1997-03-31 02:53:36 +04:00
|
|
|
This directory and the subdirectories beneath it should be owned
|
|
|
|
by the users and groups responsible for placing files in them,
|
1998-04-29 12:33:11 +04:00
|
|
|
and be writable only by them (mode 755 or 775).
|
|
|
|
They should
|
1997-03-31 02:53:36 +04:00
|
|
|
.Em not
|
|
|
|
be owned or writable by ftp or its group.
|
|
|
|
.It Pa ~ftp/incoming
|
|
|
|
This directory is where anonymous users place files they upload.
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
The owners should be the user
|
|
|
|
.Dq ftp
|
|
|
|
and an appropriate group.
|
1997-03-31 02:53:36 +04:00
|
|
|
Members of this group will be the only users with access to these
|
|
|
|
files after they have been uploaded; these should be people who
|
1998-04-29 12:33:11 +04:00
|
|
|
know how to deal with them appropriately.
|
1999-12-18 08:51:34 +03:00
|
|
|
If you wish anonymous
|
|
|
|
.Tn FTP
|
|
|
|
users to be able to see the names of the
|
1998-04-29 12:33:11 +04:00
|
|
|
files in this directory the permissions should be 770, otherwise
|
|
|
|
they should be 370.
|
1997-03-31 02:53:36 +04:00
|
|
|
.Pp
|
2000-11-16 16:15:13 +03:00
|
|
|
The following
|
|
|
|
.Xr ftpd.conf 5
|
|
|
|
directives should be used:
|
|
|
|
.Dl "modify guest off"
|
|
|
|
.Dl "umask guest 0707"
|
2001-10-13 17:50:18 +04:00
|
|
|
.Dl "upload guest on"
|
2000-11-16 16:15:13 +03:00
|
|
|
.Pp
|
|
|
|
This will result in anonymous users being able to upload files to this
|
|
|
|
directory, but they will not be able to download them, delete them, or
|
|
|
|
overwrite them, due to the umask and disabling of the commands mentioned
|
1997-03-31 02:53:36 +04:00
|
|
|
above.
|
1998-06-08 11:13:13 +04:00
|
|
|
.It Pa ~ftp/tmp
|
|
|
|
This directory is used to create temporary files which contain
|
|
|
|
the error messages generated by a conversion or
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Sy LIST
|
1998-06-08 11:13:13 +04:00
|
|
|
command.
|
|
|
|
The owner should be the user
|
|
|
|
.Dq ftp .
|
|
|
|
The permissions should be 300.
|
|
|
|
.Pp
|
|
|
|
If you don't enable conversion commands, or don't want anonymous users
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
uploading files here (see
|
1998-06-08 11:13:13 +04:00
|
|
|
.Pa ~ftp/incoming
|
|
|
|
above), then don't create this directory.
|
|
|
|
However, error messages from conversion or
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Sy LIST
|
1998-06-08 11:13:13 +04:00
|
|
|
commands won't be returned to the user.
|
|
|
|
(This is the traditional behaviour.)
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
Note that the
|
1999-12-16 04:16:04 +03:00
|
|
|
.Xr ftpd.conf 5
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
directive
|
|
|
|
.Sy upload
|
|
|
|
can be used to prevent users uploading here.
|
1994-06-29 05:49:37 +04:00
|
|
|
.El
|
* change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.
* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.
* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that
* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.
* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)
* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).
* update & reorder copyrights
* use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
|
|
|
.Pp
|
1999-12-18 08:51:34 +03:00
|
|
|
To set up "ftp-only" accounts that provide only
|
|
|
|
.Tn FTP ,
|
|
|
|
but no valid shell
|
1999-08-02 04:44:59 +04:00
|
|
|
login, you can copy/link
|
|
|
|
.Pa /sbin/nologin
|
|
|
|
to
|
|
|
|
.Pa /sbin/ftplogin ,
|
2002-01-15 05:20:37 +03:00
|
|
|
and enter
|
|
|
|
.Pa /sbin/ftplogin
|
1999-08-02 04:44:59 +04:00
|
|
|
to
|
|
|
|
.Pa /etc/shells
|
1999-12-18 08:51:34 +03:00
|
|
|
to allow logging-in via
|
|
|
|
.Tn FTP
|
|
|
|
into the accounts, which must have
|
2002-01-15 05:20:37 +03:00
|
|
|
.Pa /sbin/ftplogin
|
1999-08-02 04:44:59 +04:00
|
|
|
as login shell.
|
1994-06-29 05:49:37 +04:00
|
|
|
.Sh FILES
|
|
|
|
.Bl -tag -width /etc/ftpwelcome -compact
|
|
|
|
.It Pa /etc/ftpchroot
|
2002-01-15 05:20:37 +03:00
|
|
|
List of normal users whose root directory should be changed via
|
|
|
|
.Xr chroot 2 .
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
.It Pa /etc/ftpd.conf
|
|
|
|
Configure file conversions and other settings.
|
|
|
|
.It Pa /etc/ftpusers
|
|
|
|
List of unwelcome/restricted users.
|
1994-06-29 05:49:37 +04:00
|
|
|
.It Pa /etc/ftpwelcome
|
1997-12-31 05:43:54 +03:00
|
|
|
Welcome notice before login.
|
1994-06-29 05:49:37 +04:00
|
|
|
.It Pa /etc/motd
|
|
|
|
Welcome notice after login.
|
|
|
|
.It Pa /etc/nologin
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
If it exists, displayed and access is refused.
|
2000-07-26 17:45:52 +04:00
|
|
|
.It Pa /var/run/ftpd.pids-CLASS
|
|
|
|
State file of logged-in processes for the
|
|
|
|
.Nm
|
|
|
|
class
|
|
|
|
.Sq CLASS .
|
|
|
|
.It Pa /var/run/utmp
|
|
|
|
List of logged-in users on the system.
|
2000-11-16 16:15:13 +03:00
|
|
|
.It Pa /var/log/wtmp
|
|
|
|
Login history database.
|
1993-03-21 12:45:37 +03:00
|
|
|
.El
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr ftp 1 ,
|
1994-05-24 10:52:17 +04:00
|
|
|
.Xr skey 1 ,
|
1999-12-18 08:51:34 +03:00
|
|
|
.Xr who 1 ,
|
1993-03-21 12:45:37 +03:00
|
|
|
.Xr getusershell 3 ,
|
1999-12-16 10:05:18 +03:00
|
|
|
.Xr ftpchroot 5 ,
|
2002-01-15 05:20:37 +03:00
|
|
|
.Xr ftpd.conf 5 ,
|
1999-12-16 04:16:04 +03:00
|
|
|
.Xr ftpusers 5 ,
|
1993-03-21 12:45:37 +03:00
|
|
|
.Xr syslogd 8
|
1998-09-05 21:33:00 +04:00
|
|
|
.Sh STANDARDS
|
|
|
|
.Nm
|
2002-01-15 05:20:37 +03:00
|
|
|
recognizes all commands in
|
|
|
|
.Cm RFC 959 ,
|
|
|
|
follows the guidelines in
|
1998-09-07 12:11:20 +04:00
|
|
|
.Cm RFC 1123 ,
|
2002-01-15 05:20:37 +03:00
|
|
|
recognizes all commands in
|
1999-02-06 00:40:49 +03:00
|
|
|
.Cm RFC 2228
|
|
|
|
(although they are not supported yet),
|
1998-09-07 12:11:20 +04:00
|
|
|
and supports the extensions from
|
2000-06-14 17:44:21 +04:00
|
|
|
.Cm RFC 2389 ,
|
|
|
|
.Cm RFC 2428
|
|
|
|
and
|
2000-07-15 07:45:19 +04:00
|
|
|
.Cm draft-ietf-ftpext-mlst-11 .
|
1998-06-08 16:41:41 +04:00
|
|
|
.Sh HISTORY
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
command appeared in
|
|
|
|
.Bx 4.2 .
|
* implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
|
|
|
.Pp
|
various fixes suggested by Robert Elz:
* implement closedataconn() and use appropriately (including in mlsd())
* only put leading space in front of MLST output (not MLSD output)
* MLSD: only output pdir and cdir entries when the type fact is requested.
* change error code for giving MLSD a non-directory from 550 to 501
* remove MLSx Type fact support for UNIX.* for now; it's not standardised yet.
* do a check_login when MLSD and MLST are given no args
* detect & complain about null facts in OPTS MLST
* cache getgroups() at login instead of calling each time in fact_perm()
other mods:
* implement cprintf(); as per fprintf() but increments total_bytes{,_out}
* implement CPUTC(); as per putc() but increments total_bytes{,_out}
* implement base64_encode()
* fact_unique() display base64 encoding of dev_t and ino_t rather than
hex output; should scale if size of those changes
* change reply() so that a negative code acts as the initial line in a reply,
code == 0 prefixes the line with 4 spaces, and code > 0 works as before.
deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and
reply(0, ) respectively.
* use cprintf() and CPUTC() appropriately (often instead of printf(),
lreply(-2, ) or lreply(-1, ).
now we actually account for the data sent by MLST and MLSD.
* remove DEBUG support for sending MLSD output to control connection instead
of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
|
|
|
Various features such as the
|
1999-12-16 04:16:04 +03:00
|
|
|
.Xr ftpd.conf 5
|
various fixes suggested by Robert Elz:
* implement closedataconn() and use appropriately (including in mlsd())
* only put leading space in front of MLST output (not MLSD output)
* MLSD: only output pdir and cdir entries when the type fact is requested.
* change error code for giving MLSD a non-directory from 550 to 501
* remove MLSx Type fact support for UNIX.* for now; it's not standardised yet.
* do a check_login when MLSD and MLST are given no args
* detect & complain about null facts in OPTS MLST
* cache getgroups() at login instead of calling each time in fact_perm()
other mods:
* implement cprintf(); as per fprintf() but increments total_bytes{,_out}
* implement CPUTC(); as per putc() but increments total_bytes{,_out}
* implement base64_encode()
* fact_unique() display base64 encoding of dev_t and ino_t rather than
hex output; should scale if size of those changes
* change reply() so that a negative code acts as the initial line in a reply,
code == 0 prefixes the line with 4 spaces, and code > 0 works as before.
deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and
reply(0, ) respectively.
* use cprintf() and CPUTC() appropriately (often instead of printf(),
lreply(-2, ) or lreply(-1, ).
now we actually account for the data sent by MLST and MLSD.
* remove DEBUG support for sending MLSD output to control connection instead
of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
|
|
|
functionality,
|
|
|
|
.Cm RFC 2389 ,
|
|
|
|
and
|
2000-07-15 07:45:19 +04:00
|
|
|
.Cm draft-ietf-ftpext-mlst-11
|
various fixes suggested by Robert Elz:
* implement closedataconn() and use appropriately (including in mlsd())
* only put leading space in front of MLST output (not MLSD output)
* MLSD: only output pdir and cdir entries when the type fact is requested.
* change error code for giving MLSD a non-directory from 550 to 501
* remove MLSx Type fact support for UNIX.* for now; it's not standardised yet.
* do a check_login when MLSD and MLST are given no args
* detect & complain about null facts in OPTS MLST
* cache getgroups() at login instead of calling each time in fact_perm()
other mods:
* implement cprintf(); as per fprintf() but increments total_bytes{,_out}
* implement CPUTC(); as per putc() but increments total_bytes{,_out}
* implement base64_encode()
* fact_unique() display base64 encoding of dev_t and ino_t rather than
hex output; should scale if size of those changes
* change reply() so that a negative code acts as the initial line in a reply,
code == 0 prefixes the line with 4 spaces, and code > 0 works as before.
deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and
reply(0, ) respectively.
* use cprintf() and CPUTC() appropriately (often instead of printf(),
lreply(-2, ) or lreply(-1, ).
now we actually account for the data sent by MLST and MLSD.
* remove DEBUG support for sending MLSD output to control connection instead
of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
|
|
|
support was implemented in
|
1998-06-08 16:41:41 +04:00
|
|
|
.Nx 1.3
|
2002-10-26 08:21:12 +04:00
|
|
|
and later releases by Luke Mewburn.
|
1998-09-05 21:33:00 +04:00
|
|
|
.Sh BUGS
|
|
|
|
The server must run as the super-user to create sockets with
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
privileged port numbers (i.e, those less than
|
|
|
|
.Dv IPPORT_RESERVED ,
|
|
|
|
which is 1024).
|
|
|
|
If
|
|
|
|
.Nm
|
|
|
|
is listening on a privileged port
|
|
|
|
it maintains an effective user id of the logged in user, reverting
|
|
|
|
to the super-user only when binding addresses to privileged sockets.
|
|
|
|
The
|
|
|
|
.Fl r
|
|
|
|
option can be used to override this behaviour and force privileges to
|
|
|
|
be permanently revoked; see
|
|
|
|
.Sx SECURITY CONSIDERATIONS
|
|
|
|
below for more details.
|
2000-05-16 04:59:12 +04:00
|
|
|
.Pp
|
|
|
|
.Nm
|
|
|
|
may have trouble handling connections from scoped IPv6 addresses, or
|
|
|
|
IPv4 mapped addresses
|
|
|
|
.Po
|
|
|
|
IPv4 connection on
|
|
|
|
.Dv AF_INET6
|
|
|
|
socket
|
|
|
|
.Pc .
|
|
|
|
For the latter case, running two daemons,
|
|
|
|
one for IPv4 and one for IPv6, will avoid the problem.
|
1998-06-08 16:41:41 +04:00
|
|
|
.Sh SECURITY CONSIDERATIONS
|
1998-09-05 21:33:00 +04:00
|
|
|
.Cm RFC 959
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
provides no restrictions on the
|
|
|
|
.Sy PORT
|
|
|
|
command, and this can lead to security problems, as
|
1998-01-23 03:56:55 +03:00
|
|
|
.Nm
|
1998-04-29 12:33:11 +04:00
|
|
|
can be fooled into connecting to any service on any host.
|
|
|
|
With the
|
|
|
|
.Dq checkportcmd
|
|
|
|
feature of the
|
1999-12-16 04:16:04 +03:00
|
|
|
.Xr ftpd.conf 5 ,
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Sy PORT
|
|
|
|
commands with different host addresses, or TCP ports lower than
|
1998-01-23 03:56:55 +03:00
|
|
|
.Dv IPPORT_RESERVED
|
1998-04-28 10:00:51 +04:00
|
|
|
will be rejected.
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
This also prevents
|
|
|
|
.Sq third-party proxy ftp
|
|
|
|
from working.
|
1998-04-28 10:00:51 +04:00
|
|
|
Use of this option is
|
1998-01-23 03:56:55 +03:00
|
|
|
.Em strongly
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
recommended, and enabled by default.
|
|
|
|
.Pp
|
|
|
|
By default
|
|
|
|
.Nm
|
|
|
|
uses a port that is one less than the port it is listening on to
|
|
|
|
communicate back to the client for the
|
|
|
|
.Sy EPRT ,
|
2000-12-01 10:59:47 +03:00
|
|
|
.Sy LPRT ,
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
and
|
|
|
|
.Sy PORT
|
2000-11-16 16:15:13 +03:00
|
|
|
commands, unless overridden with
|
|
|
|
.Fl P Ar dataport .
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
As the default port for
|
|
|
|
.Nm
|
|
|
|
(21) is a privileged port below
|
|
|
|
.Dv IPPORT_RESERVED ,
|
|
|
|
.Nm
|
|
|
|
retains the ability to switch back to root privileges to bind these
|
|
|
|
ports.
|
|
|
|
In order to increase security by reducing the potential for a bug in
|
|
|
|
.Nm
|
|
|
|
providing a remote root compromise,
|
|
|
|
.Nm
|
|
|
|
will permanently drop root privileges if one of the following is true:
|
|
|
|
.Bl -enum -offset indent
|
|
|
|
.It
|
|
|
|
.Nm
|
|
|
|
is running on a port greater than
|
|
|
|
.Dv IPPORT_RESERVED
|
|
|
|
and the user has logged in as a
|
|
|
|
.Sq guest
|
2002-01-15 05:20:37 +03:00
|
|
|
or
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
.Sq chroot
|
|
|
|
user.
|
|
|
|
.It
|
|
|
|
.Nm
|
|
|
|
was invoked with
|
|
|
|
.Fl r .
|
|
|
|
.El
|
1999-05-17 19:14:53 +04:00
|
|
|
.Pp
|
|
|
|
Don't create
|
|
|
|
.Pa ~ftp/tmp
|
|
|
|
if you don't want anonymous users to upload files there.
|
|
|
|
That directory is only necessary if you want to display the error
|
|
|
|
messages of conversion commands to the user.
|
1999-12-16 04:16:04 +03:00
|
|
|
Note that if uploads are disabled with the
|
|
|
|
.Xr ftpd.conf 5
|
|
|
|
directive
|
|
|
|
.Sy upload ,
|
* make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
2000-07-23 18:40:48 +04:00
|
|
|
then this directory cannot be abused by the user in this way, so it
|
|
|
|
should be safe to create.
|