Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NetBSD/libexec/ftpd/ftpd.8

875 lines
22 KiB
Groff
Raw Normal View History

Explicitly note the unsupported requests from RFC 2228. Improvements from FreeBSD: * Document `ftp-chroot' from login.conf(5). * Document that SIZE is prevented for files > 10240 bytes via ASCII transfers.
2008-01-30 05:16:35 +03:00
.\" $NetBSD: ftpd.8,v 1.79 2008/01/30 02:16:35 lukem Exp $
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
.\"
Explicitly note the unsupported requests from RFC 2228. Improvements from FreeBSD: * Document `ftp-chroot' from login.conf(5). * Document that SIZE is prevented for files > 10240 bytes via ASCII transfers.
2008-01-30 05:16:35 +03:00
.\" Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Luke Mewburn.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the NetBSD
.\" Foundation, Inc. and its contributors.
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
.\" contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
clean up RCS Id's and a couple of stype nits. Also, fix bug 947 (reported by Luke Mewburn, extraneous vers.c)
1995-04-11 06:44:45 +04:00
.\"
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
.\" Copyright (c) 1985, 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
Move UCB-licensed code from 4-clause to 3-clause licence. Patches provided by Joel Baker in PR 22284, verified by myself.
2003-08-07 13:46:37 +04:00
.\" 3. Neither the name of the University nor the names of its contributors
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
clean up RCS Id's and a couple of stype nits. Also, fix bug 947 (reported by Luke Mewburn, extraneous vers.c)
1995-04-11 06:44:45 +04:00
.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.\"
Explicitly note the unsupported requests from RFC 2228. Improvements from FreeBSD: * Document `ftp-chroot' from login.conf(5). * Document that SIZE is prevented for files > 10240 bytes via ASCII transfers.
2008-01-30 05:16:35 +03:00
.Dd January 30, 2008
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Dt FTPD 8
More and more .Os cleanups. .Os is defined in the tmac.doc-common file, so we shouldn't override it with versions in the manpages. Many more to come.
1999-03-22 21:25:43 +03:00
.Os
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Sh NAME
separate ftpd.conf(5) and ftpusers(5) out from ftpd(8). xxx: still needs a bit of work
1999-12-16 04:16:04 +03:00
.Nm ftpd
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Nd
Internet File Transfer Protocol server
.Sh SYNOPSIS
* fix "cd ~" so that it works (from Simon Burge <simonb@telstra.com.au> * move resetting of CFLAGS on powerpc to before optional CFLAGS settings * minor code & man page cleanups
1997-04-27 07:21:38 +04:00
.Nm
PR/36468: Andreas Wrede: ftpd(8) always logs hostnames. Add -n option to display addresses.
2007-06-11 00:24:31 +04:00
.Op Fl 46DdHlnQqrsUuWwX
Allow setting the directory to which anonymous users chdir from the command line. Document -u option. A couple of minor cleanups.
1997-05-24 02:09:48 +04:00
.Op Fl a Ar anondir
- add '-C user', which runs checkaccess(user) and exits with the result (0 == user allowed in /etc/ftpusers, 1 == user denied in /etc/ftpusers). from Jim Bernard <jbernard@tater.mines.edu> in [security/4061] with mods - getopt returns -1 not EOF - in lostcon(), call dologout(1) not dologout(-1);
1997-09-23 18:25:30 +04:00
.Op Fl C Ar user
Sort options.
2005-08-07 15:13:34 +04:00
.Op Fl c Ar confdir
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.Op Fl e Ar emailaddr
* add back support for `-h hostname'; it still may be useful to override the name advertised to the client, even if ftpd can determine it from the ip address that ftpd is bound to. requested by mrg. * remove -4/-6; they were effectively no-ops since itojun's change in 1.75. * crank version
1999-12-19 03:09:31 +03:00
.Op Fl h Ar hostname
Add '-L xferlogfile', to write xferlog entries there rather than syslog them. Based on work from Dmitry Sivachenko.
2003-02-26 15:27:04 +03:00
.Op Fl L Ar xferlogfile
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.Op Fl P Ar dataport
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Op Fl V Ar version
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Sh DESCRIPTION
* fix "cd ~" so that it works (from Simon Burge <simonb@telstra.com.au> * move resetting of CFLAGS on powerpc to before optional CFLAGS settings * minor code & man page cleanups
1997-04-27 07:21:38 +04:00
.Nm
fix bad .Xr references
1998-04-29 12:33:11 +04:00
is the Internet File Transfer Protocol server process.
The server uses the
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Tn TCP
fix bad .Xr references
1998-04-29 12:33:11 +04:00
protocol and listens at the port specified in the
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Dq ftp
service specification; see
.Xr services 5 .
.Pp
Available options:
.Bl -tag -width Ds
Implement option "-D", for running ftpd in standalone mode (daemon). ftpd will listen on the default FTP port for incoming connections and fork a child for each connection. This is lower overhead than starting ftpd from inetd(8) and thus might be useful on busy servers to reduce load. Inspired by FreeBSD. Reviewed by lukem@.
2005-08-04 21:41:35 +04:00
.It Fl 4
When
.Fl D
is specified, bind to IPv4 addresses only.
.It Fl 6
When
.Fl D
is specified, bind to IPv6 addresses only.
* add support for `-h hostname', which defines the hostname to advertise as (useful for virtual ftp servers in conjunction with inetd.conf(5)'s ability to bind to a specific address). if this option is used, add `hostname' to the syslog messages. * improve documentation of command-line options * don't allow class names of `all' or `none' in ftpusers
1999-12-16 05:21:37 +03:00
.It Fl a Ar anondir
Define
.Ar anondir
as the directory to
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
.Xr chroot 2
into for anonymous logins.
Allow setting the directory to which anonymous users chdir from the command line. Document -u option. A couple of minor cleanups.
1997-05-24 02:09:48 +04:00
Default is the home directory for the ftp user.
Features: * Add ftpd.conf(5) directive `advertise'; change the address that is advertised to the client for PASV transfers. this may be useful in certain firewall/NAT environments. Feature requested in [bin/9606] by Scott Presnell. * Add -X option; syslog wu-ftpd style xferlog messages, prefixed with `xferlog: '. An example line from syslog (wrapped): Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000 2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c These messages can be converted to a wu-ftpd style xferlog file suitable for parsing with third-party tools with something like: grep 'xferlog: ' /var/log/xferlog | \ sed -e 's/^.*xferlog: //' >wuxferlog The format is the same as the wu-ftpd xferlog entries (with the leading syslog stuff), but different from the wu-ftpd syslogged xferlog entries because the latter is not as easy to convert into the standard xferlog file format. The choice to only syslog the xferlog messages rather than append to a /var/log/xferlog file was made because the latter doesn't work to well in the situation where the logfile is rotated and compressed and a long-running ftpd still has a file-descriptor to the now nonexistant xferlog file, and the log message will then get lost. Feature requested in [bin/11651] by Hubert Feyrer. Fixes: * In ftpd(8), clarify the -a and -c options. * More clarifications in ftpd.conf(5). * Ensure that all ftpd.conf commands set a parameter back to sane defaults if an argument of `none' or bad settings are given. * Support the `chroot' directive for `REAL' users too (for consistency). * For `GUEST' users, store the supplied password in pw->pw_passwd for use later in the xferlog. * If show_chdir_messages() is given a code of -1, flush the cache of visited directories. Invoke show_chdir_messages(-1) in end_login(). * Only syslog session stats if logging is requested. * Rename logcmd() -> logxfer(), and dolog() -> logremotehost(). * Use cprintf() instead of fprintf() where appropriate. * Minor KNF, and make a couple of functions static that were declared static.
2000-12-18 05:32:50 +03:00
This can also be specified with the
.Xr ftpd.conf 5
.Sy chroot
directive.
Sort options.
2005-08-07 15:13:34 +04:00
.It Fl C Ar user
Check whether
.Ar user
would be granted access under
the restrictions given in
.Xr ftpusers 5
and exit without attempting a connection.
.Nm
exits with an exit code of 0 if access would be granted, or 1 otherwise.
This can be useful for testing configurations.
* add support for `-h hostname', which defines the hostname to advertise as (useful for virtual ftp servers in conjunction with inetd.conf(5)'s ability to bind to a specific address). if this option is used, add `hostname' to the syslog messages. * improve documentation of command-line options * don't allow class names of `all' or `none' in ftpusers
1999-12-16 05:21:37 +03:00
.It Fl c Ar confdir
implement '-c confdir', which allows the specification of an alternate directory to look for the various configuration files, overriding /etc. From Matthias Scheler <tron@lyssa.owl.de> in [bin/4133]
1997-09-23 17:56:39 +04:00
Change the root directory of the configuration files from
.Dq Pa /etc
to
* add support for `-h hostname', which defines the hostname to advertise as (useful for virtual ftp servers in conjunction with inetd.conf(5)'s ability to bind to a specific address). if this option is used, add `hostname' to the syslog messages. * improve documentation of command-line options * don't allow class names of `all' or `none' in ftpusers
1999-12-16 05:21:37 +03:00
.Ar confdir .
Features: * Add ftpd.conf(5) directive `advertise'; change the address that is advertised to the client for PASV transfers. this may be useful in certain firewall/NAT environments. Feature requested in [bin/9606] by Scott Presnell. * Add -X option; syslog wu-ftpd style xferlog messages, prefixed with `xferlog: '. An example line from syslog (wrapped): Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000 2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c These messages can be converted to a wu-ftpd style xferlog file suitable for parsing with third-party tools with something like: grep 'xferlog: ' /var/log/xferlog | \ sed -e 's/^.*xferlog: //' >wuxferlog The format is the same as the wu-ftpd xferlog entries (with the leading syslog stuff), but different from the wu-ftpd syslogged xferlog entries because the latter is not as easy to convert into the standard xferlog file format. The choice to only syslog the xferlog messages rather than append to a /var/log/xferlog file was made because the latter doesn't work to well in the situation where the logfile is rotated and compressed and a long-running ftpd still has a file-descriptor to the now nonexistant xferlog file, and the log message will then get lost. Feature requested in [bin/11651] by Hubert Feyrer. Fixes: * In ftpd(8), clarify the -a and -c options. * More clarifications in ftpd.conf(5). * Ensure that all ftpd.conf commands set a parameter back to sane defaults if an argument of `none' or bad settings are given. * Support the `chroot' directive for `REAL' users too (for consistency). * For `GUEST' users, store the supplied password in pw->pw_passwd for use later in the xferlog. * If show_chdir_messages() is given a code of -1, flush the cache of visited directories. Invoke show_chdir_messages(-1) in end_login(). * Only syslog session stats if logging is requested. * Rename logcmd() -> logxfer(), and dolog() -> logremotehost(). * Use cprintf() instead of fprintf() where appropriate. * Minor KNF, and make a couple of functions static that were declared static.
2000-12-18 05:32:50 +03:00
This changes the directory for the following files:
.Pa /etc/ftpchroot ,
.Pa /etc/ftpusers ,
.Pa /etc/ftpwelcome ,
.Pa /etc/motd ,
and the file specified by the
.Xr ftpd.conf 5
.Sy limit
directive.
Implement option "-D", for running ftpd in standalone mode (daemon). ftpd will listen on the default FTP port for incoming connections and fork a child for each connection. This is lower overhead than starting ftpd from inetd(8) and thus might be useful on busy servers to reduce load. Inspired by FreeBSD. Reviewed by lukem@.
2005-08-04 21:41:35 +04:00
.It Fl D
Run as daemon.
.Nm
will listen on the default FTP port for incoming connections
and fork a child for each connection.
This is lower overhead than starting
.Nm
from
.Xr inetd 8
and thus might be useful on busy servers to reduce load.
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It Fl d
Features: * Add ftpd.conf(5) directive `advertise'; change the address that is advertised to the client for PASV transfers. this may be useful in certain firewall/NAT environments. Feature requested in [bin/9606] by Scott Presnell. * Add -X option; syslog wu-ftpd style xferlog messages, prefixed with `xferlog: '. An example line from syslog (wrapped): Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000 2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c These messages can be converted to a wu-ftpd style xferlog file suitable for parsing with third-party tools with something like: grep 'xferlog: ' /var/log/xferlog | \ sed -e 's/^.*xferlog: //' >wuxferlog The format is the same as the wu-ftpd xferlog entries (with the leading syslog stuff), but different from the wu-ftpd syslogged xferlog entries because the latter is not as easy to convert into the standard xferlog file format. The choice to only syslog the xferlog messages rather than append to a /var/log/xferlog file was made because the latter doesn't work to well in the situation where the logfile is rotated and compressed and a long-running ftpd still has a file-descriptor to the now nonexistant xferlog file, and the log message will then get lost. Feature requested in [bin/11651] by Hubert Feyrer. Fixes: * In ftpd(8), clarify the -a and -c options. * More clarifications in ftpd.conf(5). * Ensure that all ftpd.conf commands set a parameter back to sane defaults if an argument of `none' or bad settings are given. * Support the `chroot' directive for `REAL' users too (for consistency). * For `GUEST' users, store the supplied password in pw->pw_passwd for use later in the xferlog. * If show_chdir_messages() is given a code of -1, flush the cache of visited directories. Invoke show_chdir_messages(-1) in end_login(). * Only syslog session stats if logging is requested. * Rename logcmd() -> logxfer(), and dolog() -> logremotehost(). * Use cprintf() instead of fprintf() where appropriate. * Minor KNF, and make a couple of functions static that were declared static.
2000-12-18 05:32:50 +03:00
Debugging information is written to the syslog using a facility of
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
.Dv LOG_FTP .
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.It Fl e Ar emailaddr
Use
.Ar emailaddr
for the
.Dq "\&%E"
escape sequence (see
.Sx Display file escape sequences )
Sort options.
2005-08-07 15:13:34 +04:00
.It Fl H
Equivalent to
.Do
-h
`hostname`
.Dc .
* add back support for `-h hostname'; it still may be useful to override the name advertised to the client, even if ftpd can determine it from the ip address that ftpd is bound to. requested by mrg. * remove -4/-6; they were effectively no-ops since itojun's change in 1.75. * crank version
1999-12-19 03:09:31 +03:00
.It Fl h Ar hostname
Alan Barrett informs me that "advertise" (instead of "advertize") is the norm even in American English.
2001-07-08 11:27:14 +04:00
Explicitly set the hostname to advertise as to
* add -H, which acts like -h `hostname`. (requested by kim@) * refer to draft-ietf-ftpext-mlst-11 instead of -10
2000-07-15 07:45:19 +04:00
.Ar hostname .
The default is the hostname associated with the IP address that
.Nm
* add back support for `-h hostname'; it still may be useful to override the name advertised to the client, even if ftpd can determine it from the ip address that ftpd is bound to. requested by mrg. * remove -4/-6; they were effectively no-ops since itojun's change in 1.75. * crank version
1999-12-19 03:09:31 +03:00
is listening on.
This ability (with or without
.Fl h ) ,
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
in conjunction with
* add back support for `-h hostname'; it still may be useful to override the name advertised to the client, even if ftpd can determine it from the ip address that ftpd is bound to. requested by mrg. * remove -4/-6; they were effectively no-ops since itojun's change in 1.75. * crank version
1999-12-19 03:09:31 +03:00
.Fl c Ar confdir ,
is useful when configuring
.Sq virtual
.Tn FTP
servers, each listening on separate addresses as separate names.
Refer to
.Xr inetd.conf 5
for more information on starting services to listen on specific IP addresses.
Sort options.
2005-08-07 15:13:34 +04:00
.It Fl L Ar xferlogfile
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to
.Ar xferlogfile .
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It Fl l
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
Each successful and failed
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
.Tn FTP
session is logged using syslog with a facility of
.Dv LOG_FTP .
Features: * Add ftpd.conf(5) directive `advertise'; change the address that is advertised to the client for PASV transfers. this may be useful in certain firewall/NAT environments. Feature requested in [bin/9606] by Scott Presnell. * Add -X option; syslog wu-ftpd style xferlog messages, prefixed with `xferlog: '. An example line from syslog (wrapped): Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000 2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c These messages can be converted to a wu-ftpd style xferlog file suitable for parsing with third-party tools with something like: grep 'xferlog: ' /var/log/xferlog | \ sed -e 's/^.*xferlog: //' >wuxferlog The format is the same as the wu-ftpd xferlog entries (with the leading syslog stuff), but different from the wu-ftpd syslogged xferlog entries because the latter is not as easy to convert into the standard xferlog file format. The choice to only syslog the xferlog messages rather than append to a /var/log/xferlog file was made because the latter doesn't work to well in the situation where the logfile is rotated and compressed and a long-running ftpd still has a file-descriptor to the now nonexistant xferlog file, and the log message will then get lost. Feature requested in [bin/11651] by Hubert Feyrer. Fixes: * In ftpd(8), clarify the -a and -c options. * More clarifications in ftpd.conf(5). * Ensure that all ftpd.conf commands set a parameter back to sane defaults if an argument of `none' or bad settings are given. * Support the `chroot' directive for `REAL' users too (for consistency). * For `GUEST' users, store the supplied password in pw->pw_passwd for use later in the xferlog. * If show_chdir_messages() is given a code of -1, flush the cache of visited directories. Invoke show_chdir_messages(-1) in end_login(). * Only syslog session stats if logging is requested. * Rename logcmd() -> logxfer(), and dolog() -> logremotehost(). * Use cprintf() instead of fprintf() where appropriate. * Minor KNF, and make a couple of functions static that were declared static.
2000-12-18 05:32:50 +03:00
If this option is specified more than once, the retrieve (get), store (put),
append, delete, make directory, remove directory and rename operations and
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
their file name arguments are also logged.
PR/36468: Andreas Wrede: ftpd(8) always logs hostnames. Add -n option to display addresses.
2007-06-11 00:24:31 +04:00
.It Fl n
Don't attempt translation of IP addresses to hostnames.
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.It Fl P Ar dataport
Use
.Ar dataport
as the data port, overriding the default of using the port one less
that the port
.Nm
is listening on.
.It Fl Q
Disable the use of pid files for keeping track of the number of logged-in
users per class.
This may reduce the load on heavily loaded
.Tn FTP
servers.
Sort options.
2005-08-07 15:13:34 +04:00
.It Fl q
Enable the use of pid files for keeping track of the number of logged-in
users per class.
This is the default.
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.It Fl r
Permanently drop root privileges once the user is logged in.
The use of this option may result in the server using a port other
than the (listening-port - 1) for
.Sy PORT
style commands, which is contrary to the
.Cm RFC 959
specification, but in practice very few clients rely upon this behaviour.
See
.Sx SECURITY CONSIDERATIONS
below for more details.
add "-s" flag (like telnetd and login)
1998-06-26 22:12:00 +04:00
.It Fl s
Require a secure authentication mechanism like Kerberos or S/Key to be used.
Sort options.
2005-08-07 15:13:34 +04:00
.It Fl U
Don't log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp .
This is the default.
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.It Fl u
Log each concurrent
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
.Tn FTP
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
session to
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
.Pa /var/run/utmp ,
making them visible to commands such as
.Xr who 1 .
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.It Fl V Ar version
Use
.Ar version
Alan Barrett informs me that "advertise" (instead of "advertize") is the norm even in American English.
2001-07-08 11:27:14 +04:00
as the version to advertise in the login banner and in the output of
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Sy STAT
and
.Sy SYST
instead of the default version information.
If
.Ar version
is empty or
.Sq -
then don't display any version information.
Sort options.
2005-08-07 15:13:34 +04:00
.It Fl W
Don't log each
.Tn FTP
session to
.Pa /var/log/wtmp .
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.It Fl w
Log each
add support for -W; don't log to wtmp (orthogonal of -U which logs to utmp). inspired by similar option in wuftpd.
2000-07-26 17:53:33 +04:00
.Tn FTP
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
session to
wtmp is in /var/log not /var/run ...
2000-07-28 16:54:01 +04:00
.Pa /var/log/wtmp ,
add support for -W; don't log to wtmp (orthogonal of -U which logs to utmp). inspired by similar option in wuftpd.
2000-07-26 17:53:33 +04:00
making them visible to commands such as
.Xr last 1 .
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
This is the default.
Features: * Add ftpd.conf(5) directive `advertise'; change the address that is advertised to the client for PASV transfers. this may be useful in certain firewall/NAT environments. Feature requested in [bin/9606] by Scott Presnell. * Add -X option; syslog wu-ftpd style xferlog messages, prefixed with `xferlog: '. An example line from syslog (wrapped): Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000 2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c These messages can be converted to a wu-ftpd style xferlog file suitable for parsing with third-party tools with something like: grep 'xferlog: ' /var/log/xferlog | \ sed -e 's/^.*xferlog: //' >wuxferlog The format is the same as the wu-ftpd xferlog entries (with the leading syslog stuff), but different from the wu-ftpd syslogged xferlog entries because the latter is not as easy to convert into the standard xferlog file format. The choice to only syslog the xferlog messages rather than append to a /var/log/xferlog file was made because the latter doesn't work to well in the situation where the logfile is rotated and compressed and a long-running ftpd still has a file-descriptor to the now nonexistant xferlog file, and the log message will then get lost. Feature requested in [bin/11651] by Hubert Feyrer. Fixes: * In ftpd(8), clarify the -a and -c options. * More clarifications in ftpd.conf(5). * Ensure that all ftpd.conf commands set a parameter back to sane defaults if an argument of `none' or bad settings are given. * Support the `chroot' directive for `REAL' users too (for consistency). * For `GUEST' users, store the supplied password in pw->pw_passwd for use later in the xferlog. * If show_chdir_messages() is given a code of -1, flush the cache of visited directories. Invoke show_chdir_messages(-1) in end_login(). * Only syslog session stats if logging is requested. * Rename logcmd() -> logxfer(), and dolog() -> logremotehost(). * Use cprintf() instead of fprintf() where appropriate. * Minor KNF, and make a couple of functions static that were declared static.
2000-12-18 05:32:50 +03:00
.It Fl X
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to the syslog, prefixed with
.Dq "xferlog:\ " ,
using a facility of
.Dv LOG_FTP .
These syslog entries can be converted to a
.Tn wu-ftpd
style
.Pa xferlog
file suitable for input into a third-party log analysis tool with a command
similar to:
.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
Generate <>& symbolically. I'm avoiding .../dist/... directories for now.
2002-02-08 04:21:55 +03:00
.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
add "-s" flag (like telnetd and login)
1998-06-26 22:12:00 +04:00
.El
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Pp
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
The file
.Pa /etc/nologin
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
can be used to disable
.Tn FTP
access.
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
If the file exists,
.Nm
displays it and exits.
If the file
.Pa /etc/ftpwelcome
exists,
.Nm
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
prints it before issuing the
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
.Dq ready
message.
If the file
.Pa /etc/motd
Features: * Add ftpd.conf(5) directive `advertise'; change the address that is advertised to the client for PASV transfers. this may be useful in certain firewall/NAT environments. Feature requested in [bin/9606] by Scott Presnell. * Add -X option; syslog wu-ftpd style xferlog messages, prefixed with `xferlog: '. An example line from syslog (wrapped): Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000 2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c These messages can be converted to a wu-ftpd style xferlog file suitable for parsing with third-party tools with something like: grep 'xferlog: ' /var/log/xferlog | \ sed -e 's/^.*xferlog: //' >wuxferlog The format is the same as the wu-ftpd xferlog entries (with the leading syslog stuff), but different from the wu-ftpd syslogged xferlog entries because the latter is not as easy to convert into the standard xferlog file format. The choice to only syslog the xferlog messages rather than append to a /var/log/xferlog file was made because the latter doesn't work to well in the situation where the logfile is rotated and compressed and a long-running ftpd still has a file-descriptor to the now nonexistant xferlog file, and the log message will then get lost. Feature requested in [bin/11651] by Hubert Feyrer. Fixes: * In ftpd(8), clarify the -a and -c options. * More clarifications in ftpd.conf(5). * Ensure that all ftpd.conf commands set a parameter back to sane defaults if an argument of `none' or bad settings are given. * Support the `chroot' directive for `REAL' users too (for consistency). * For `GUEST' users, store the supplied password in pw->pw_passwd for use later in the xferlog. * If show_chdir_messages() is given a code of -1, flush the cache of visited directories. Invoke show_chdir_messages(-1) in end_login(). * Only syslog session stats if logging is requested. * Rename logcmd() -> logxfer(), and dolog() -> logremotehost(). * Use cprintf() instead of fprintf() where appropriate. * Minor KNF, and make a couple of functions static that were declared static.
2000-12-18 05:32:50 +03:00
exists (under the chroot directory if applicable),
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
.Nm
prints it after a successful login.
Features: * Add ftpd.conf(5) directive `advertise'; change the address that is advertised to the client for PASV transfers. this may be useful in certain firewall/NAT environments. Feature requested in [bin/9606] by Scott Presnell. * Add -X option; syslog wu-ftpd style xferlog messages, prefixed with `xferlog: '. An example line from syslog (wrapped): Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000 2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c These messages can be converted to a wu-ftpd style xferlog file suitable for parsing with third-party tools with something like: grep 'xferlog: ' /var/log/xferlog | \ sed -e 's/^.*xferlog: //' >wuxferlog The format is the same as the wu-ftpd xferlog entries (with the leading syslog stuff), but different from the wu-ftpd syslogged xferlog entries because the latter is not as easy to convert into the standard xferlog file format. The choice to only syslog the xferlog messages rather than append to a /var/log/xferlog file was made because the latter doesn't work to well in the situation where the logfile is rotated and compressed and a long-running ftpd still has a file-descriptor to the now nonexistant xferlog file, and the log message will then get lost. Feature requested in [bin/11651] by Hubert Feyrer. Fixes: * In ftpd(8), clarify the -a and -c options. * More clarifications in ftpd.conf(5). * Ensure that all ftpd.conf commands set a parameter back to sane defaults if an argument of `none' or bad settings are given. * Support the `chroot' directive for `REAL' users too (for consistency). * For `GUEST' users, store the supplied password in pw->pw_passwd for use later in the xferlog. * If show_chdir_messages() is given a code of -1, flush the cache of visited directories. Invoke show_chdir_messages(-1) in end_login(). * Only syslog session stats if logging is requested. * Rename logcmd() -> logxfer(), and dolog() -> logremotehost(). * Use cprintf() instead of fprintf() where appropriate. * Minor KNF, and make a couple of functions static that were declared static.
2000-12-18 05:32:50 +03:00
This may be changed with the
separate ftpd.conf(5) and ftpusers(5) out from ftpd(8). xxx: still needs a bit of work
1999-12-16 04:16:04 +03:00
.Xr ftpd.conf 5
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
directive
Features: * Add ftpd.conf(5) directive `advertise'; change the address that is advertised to the client for PASV transfers. this may be useful in certain firewall/NAT environments. Feature requested in [bin/9606] by Scott Presnell. * Add -X option; syslog wu-ftpd style xferlog messages, prefixed with `xferlog: '. An example line from syslog (wrapped): Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000 2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c These messages can be converted to a wu-ftpd style xferlog file suitable for parsing with third-party tools with something like: grep 'xferlog: ' /var/log/xferlog | \ sed -e 's/^.*xferlog: //' >wuxferlog The format is the same as the wu-ftpd xferlog entries (with the leading syslog stuff), but different from the wu-ftpd syslogged xferlog entries because the latter is not as easy to convert into the standard xferlog file format. The choice to only syslog the xferlog messages rather than append to a /var/log/xferlog file was made because the latter doesn't work to well in the situation where the logfile is rotated and compressed and a long-running ftpd still has a file-descriptor to the now nonexistant xferlog file, and the log message will then get lost. Feature requested in [bin/11651] by Hubert Feyrer. Fixes: * In ftpd(8), clarify the -a and -c options. * More clarifications in ftpd.conf(5). * Ensure that all ftpd.conf commands set a parameter back to sane defaults if an argument of `none' or bad settings are given. * Support the `chroot' directive for `REAL' users too (for consistency). * For `GUEST' users, store the supplied password in pw->pw_passwd for use later in the xferlog. * If show_chdir_messages() is given a code of -1, flush the cache of visited directories. Invoke show_chdir_messages(-1) in end_login(). * Only syslog session stats if logging is requested. * Rename logcmd() -> logxfer(), and dolog() -> logremotehost(). * Use cprintf() instead of fprintf() where appropriate. * Minor KNF, and make a couple of functions static that were declared static.
2000-12-18 05:32:50 +03:00
.Sy motd .
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
.Pp
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
The
.Nm
server currently supports the following
.Tn FTP
requests.
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
The case of the requests is ignored.
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Bl -column "Request" -offset indent
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
.It Sy Request Ta Sy Description
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It ABOR Ta "abort previous command"
.It ACCT Ta "specify account (ignored)"
.It ALLO Ta "allocate storage (vacuously)"
.It APPE Ta "append to a file"
.It CDUP Ta "change to parent of current working directory"
.It CWD Ta "change working directory"
.It DELE Ta "delete a file"
dual-stack ftpd. run this from inetd, like: >>ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll
1999-07-02 09:52:14 +04:00
.It EPSV Ta "prepare for server-to-server transfer"
.It EPRT Ta "specify data connection port"
new features: * implement FEAT and OPTS from RFC2389. FEAT returns SIZE and MDTM. OPTS only works on NOOP (as a test). * extend format of /etc/ftpchroot similar to /etc/ftpusers; each entry can take an optional trailing `yes' or `no' which indicates if chroot should be done (defaults to `yes'). based on patches from Ty Sarna <tsarna@endicor.com> in [bin/4769] cleanups/bugs: * reorder and reformat entries in yacc parser to match cmdtab[]. add a blank line between each rule. * add short hasopts and char *options to struct tab, to support OPTS. * deprecate upper(); use strcasecmp() instead of strcmp() * remove unnecessary for (;;) { } in yylex(); * replace copy() and sgetsave() with xstrdup() * fix a couple of `hasyyerrored = 1' that were accidently removed.
1998-09-07 12:11:20 +04:00
.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It HELP Ta "give help information"
various fixes suggested by Robert Elz: * implement closedataconn() and use appropriately (including in mlsd()) * only put leading space in front of MLST output (not MLSD output) * MLSD: only output pdir and cdir entries when the type fact is requested. * change error code for giving MLSD a non-directory from 550 to 501 * remove MLSx Type fact support for UNIX.* for now; it's not standardised yet. * do a check_login when MLSD and MLST are given no args * detect & complain about null facts in OPTS MLST * cache getgroups() at login instead of calling each time in fact_perm() other mods: * implement cprintf(); as per fprintf() but increments total_bytes{,_out} * implement CPUTC(); as per putc() but increments total_bytes{,_out} * implement base64_encode() * fact_unique() display base64 encoding of dev_t and ino_t rather than hex output; should scale if size of those changes * change reply() so that a negative code acts as the initial line in a reply, code == 0 prefixes the line with 4 spaces, and code > 0 works as before. deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and reply(0, ) respectively. * use cprintf() and CPUTC() appropriately (often instead of printf(), lreply(-2, ) or lreply(-1, ). now we actually account for the data sent by MLST and MLSD. * remove DEBUG support for sending MLSD output to control connection instead of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
dual-stack ftpd. run this from inetd, like: >>ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll
1999-07-02 09:52:14 +04:00
.It LPSV Ta "prepare for server-to-server transfer"
.It LPRT Ta "specify data connection port"
various fixes suggested by Robert Elz: * implement closedataconn() and use appropriately (including in mlsd()) * only put leading space in front of MLST output (not MLSD output) * MLSD: only output pdir and cdir entries when the type fact is requested. * change error code for giving MLSD a non-directory from 550 to 501 * remove MLSx Type fact support for UNIX.* for now; it's not standardised yet. * do a check_login when MLSD and MLST are given no args * detect & complain about null facts in OPTS MLST * cache getgroups() at login instead of calling each time in fact_perm() other mods: * implement cprintf(); as per fprintf() but increments total_bytes{,_out} * implement CPUTC(); as per putc() but increments total_bytes{,_out} * implement base64_encode() * fact_unique() display base64 encoding of dev_t and ino_t rather than hex output; should scale if size of those changes * change reply() so that a negative code acts as the initial line in a reply, code == 0 prefixes the line with 4 spaces, and code > 0 works as before. deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and reply(0, ) respectively. * use cprintf() and CPUTC() appropriately (often instead of printf(), lreply(-2, ) or lreply(-1, ). now we actually account for the data sent by MLST and MLSD. * remove DEBUG support for sending MLSD output to control connection instead of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
.It MLSD Ta "list contents of directory in a machine-processable form"
.It MLST Ta "show a pathname in a machine-processable form"
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It MKD Ta "make a directory"
.It MDTM Ta "show last modification time of file"
.It MODE Ta "specify data transfer" Em mode
.It NLST Ta "give name list of files in directory"
.It NOOP Ta "do nothing"
new features: * implement FEAT and OPTS from RFC2389. FEAT returns SIZE and MDTM. OPTS only works on NOOP (as a test). * extend format of /etc/ftpchroot similar to /etc/ftpusers; each entry can take an optional trailing `yes' or `no' which indicates if chroot should be done (defaults to `yes'). based on patches from Ty Sarna <tsarna@endicor.com> in [bin/4769] cleanups/bugs: * reorder and reformat entries in yacc parser to match cmdtab[]. add a blank line between each rule. * add short hasopts and char *options to struct tab, to support OPTS. * deprecate upper(); use strcasecmp() instead of strcmp() * remove unnecessary for (;;) { } in yylex(); * replace copy() and sgetsave() with xstrdup() * fix a couple of `hasyyerrored = 1' that were accidently removed.
1998-09-07 12:11:20 +04:00
.It OPTS Ta "define persistent options for a given command"
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It PASS Ta "specify password"
.It PASV Ta "prepare for server-to-server transfer"
.It PORT Ta "specify data connection port"
.It PWD Ta "print the current working directory"
.It QUIT Ta "terminate session"
.It REST Ta "restart incomplete transfer"
.It RETR Ta "retrieve a file"
.It RMD Ta "remove a directory"
.It RNFR Ta "specify rename-from file name"
.It RNTO Ta "specify rename-to file name"
.It SITE Ta "non-standard commands (see next section)"
.It SIZE Ta "return size of file"
.It STAT Ta "return status of server"
.It STOR Ta "store a file"
.It STOU Ta "store a file with a unique name"
.It STRU Ta "specify data transfer" Em structure
.It SYST Ta "show operating system type of server system"
.It TYPE Ta "specify data transfer" Em type
.It USER Ta "specify user name"
.It XCUP Ta "change to parent of current working directory (deprecated)"
.It XCWD Ta "change working directory (deprecated)"
.It XMKD Ta "make a directory (deprecated)"
.It XPWD Ta "print the current working directory (deprecated)"
.It XRMD Ta "remove a directory (deprecated)"
.El
.Pp
The following non-standard or
Change occurrences of "UNIX" to .Ux or .At as appropriate.
1998-04-28 10:00:51 +04:00
.Ux
specific commands are supported by the SITE request.
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Pp
.Bl -column Request -offset indent
.It Sy Request Ta Sy Description
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
.It HELP Ta "give help information."
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
fix problems noted by <dogcow@redback.com> in [bin/10390] and private email: * fix RATE{GET,PUT} under some situations when the client is slower than the server (something i missed when migrating the rate limiting code i wrote in ftp(1) to ftpd(8)) * document what units RATE{GET,PUT} use
2000-06-20 11:39:46 +04:00
.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.El
.Pp
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
The following
.Tn FTP
requests (as specified in
Explicitly note the unsupported requests from RFC 2228. Improvements from FreeBSD: * Document `ftp-chroot' from login.conf(5). * Document that SIZE is prevented for files > 10240 bytes via ASCII transfers.
2008-01-30 05:16:35 +03:00
.Cm RFC 959
and
.Cm RFC 2228 )
new features: * implement FEAT and OPTS from RFC2389. FEAT returns SIZE and MDTM. OPTS only works on NOOP (as a test). * extend format of /etc/ftpchroot similar to /etc/ftpusers; each entry can take an optional trailing `yes' or `no' which indicates if chroot should be done (defaults to `yes'). based on patches from Ty Sarna <tsarna@endicor.com> in [bin/4769] cleanups/bugs: * reorder and reformat entries in yacc parser to match cmdtab[]. add a blank line between each rule. * add short hasopts and char *options to struct tab, to support OPTS. * deprecate upper(); use strcasecmp() instead of strcmp() * remove unnecessary for (;;) { } in yylex(); * replace copy() and sgetsave() with xstrdup() * fix a couple of `hasyyerrored = 1' that were accidently removed.
1998-09-07 12:11:20 +04:00
are recognized, but are not implemented:
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Sy ACCT ,
Explicitly note the unsupported requests from RFC 2228. Improvements from FreeBSD: * Document `ftp-chroot' from login.conf(5). * Document that SIZE is prevented for files > 10240 bytes via ASCII transfers.
2008-01-30 05:16:35 +03:00
.Sy ADAT ,
.Sy AUTH ,
.Sy CCC ,
.Sy CONF ,
.Sy ENC ,
.Sy MIC ,
.Sy PBSZ ,
.Sy PROT ,
.Sy REIN ,
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
and
Explicitly note the unsupported requests from RFC 2228. Improvements from FreeBSD: * Document `ftp-chroot' from login.conf(5). * Document that SIZE is prevented for files > 10240 bytes via ASCII transfers.
2008-01-30 05:16:35 +03:00
.Sy SMNT .
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Pp
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
The
.Nm
server will abort an active file transfer only when the
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Sy ABOR
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
* implement NOARGS state, for commands which don't take any arguments. fixes long standing ftpd bug where two replies would be returned to the client if a command was flagged as accepting `ARGS' but the parser didn't know how to cope. obvious symptom of this would be ftp client is always one error message `behind' the server. * consistently refer to the RFC as `RFC 959' not `RFC959' or `RFC-959', and replace refs to RFC 765 with RFC 959. * change order of commands in cmdtab[] to: RFC 959, BSD extras, and obsolete. * whitespace police, deprecate register, replace malloc/strcpy with strdup
1998-09-05 21:33:00 +04:00
as described in Internet
.Cm RFC 959 .
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
If a
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Sy STAT
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
command is received during a data transfer, preceded by a Telnet IP
and Synch, transfer status will be returned.
.Pp
* fix "cd ~" so that it works (from Simon Burge <simonb@telstra.com.au> * move resetting of CFLAGS on powerpc to before optional CFLAGS settings * minor code & man page cleanups
1997-04-27 07:21:38 +04:00
.Nm
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
interprets file names according to the
.Dq globbing
conventions used by
.Xr csh 1 .
"Utilize" has exactly the same meaning as "use," but it is more difficult to read and understand. Most manuals of English style therefore say that you should use "use".
2003-02-05 02:07:28 +03:00
This allows users to use the metacharacters
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Dq Li \&*?[]{}~ .
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
.Ss User authentication
* fix "cd ~" so that it works (from Simon Burge <simonb@telstra.com.au> * move resetting of CFLAGS on powerpc to before optional CFLAGS settings * minor code & man page cleanups
1997-04-27 07:21:38 +04:00
.Nm
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
authenticates users according to five rules.
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Pp
.Bl -enum -offset indent
.It
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
The login name must be in the password data base,
Change mention of /etc/passwd to /etc/pwd.db, as reported by PR #556.
1995-02-17 12:19:45 +03:00
.Pa /etc/pwd.db ,
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
and not have a null password.
In this case a password must be provided by the client before any
file operations may be performed.
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
If the user has an S/Key key, the response from a successful
.Sy USER
fix bad .Xr references
1998-04-29 12:33:11 +04:00
command will include an S/Key challenge.
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
The client may choose to respond with a
.Sy PASS
command giving either
fix bad .Xr references
1998-04-29 12:33:11 +04:00
a standard password or an S/Key one-time password.
The server will automatically determine which type of password it
has been given and attempt to authenticate accordingly.
See
add skey support
1994-05-24 10:52:17 +04:00
.Xr skey 1
fix bad .Xr references
1998-04-29 12:33:11 +04:00
for more information on S/Key authentication.
S/Key is a Trademark of Bellcore.
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It
Change the syntax of /etc/ftpusers to have both allow and deny information in the same file by following the username with `allow' or `deny'. Also, the user `*' can be used to set the default for users not listed in the file. This is entirely backward compatable with old /etc/ftpusers files. Also, do the /etc/ftpusers and the valid login shell checks after the password is verified, rather than before, so as not to give away whether or not a particular user ID is present on the system.
1997-04-06 11:53:10 +04:00
The login name must be allowed based on the information in
separate ftpd.conf(5) and ftpusers(5) out from ftpd(8). xxx: still needs a bit of work
1999-12-16 04:16:04 +03:00
.Xr ftpusers 5 .
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
The user must have a standard shell returned by
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Xr getusershell 3 .
fix bad .Xr references
1998-04-29 12:33:11 +04:00
If the user's shell field in the password database is empty, the
Mention that if the user's shell is null, it's assumed to be /bin/sh. (Pointed out by Jim Bernard <jbernard@tater.mines.edu>.)
1997-09-22 02:59:03 +04:00
shell is assumed to be
fix bad .Xr references
1998-04-29 12:33:11 +04:00
.Pa /bin/sh .
Expand description of shells(5) requirement. Per PR [misc/13814] from Alexander Sorg.
2001-08-31 04:05:31 +04:00
As per
.Xr shells 5 ,
the user's shell must be listed with full path in
.Pa /etc/shells .
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It
Fix typo, per PR 6457 by Geoff C. Wing <gcw@pobox.com>
1998-11-18 16:32:17 +03:00
If directed by the file
install ftpusers(5) as ftpchroot(5). more cleanups
1999-12-16 10:05:18 +03:00
.Xr ftpchroot 5
* add two new ftpd.conf(5) directives: chroot specify dir to chroot to for GUEST and CHROOT users, to override -a anondir or the user's homedir. homedir specify dir to change to upon login; also used for ~ expansion and $HOME for subprocesses) both of these can take % escapes: %u (username), %d (homedir), %c (class). * fix NLST to take a pathname not a STRING, so that ~ expansion works * modify CWD to use the homedir parsed from curclass.homedir * implement format_path(dst, src), to parse src expanding % escapes (see above) into dst. * rename format_file() to display_file()
2000-07-17 06:30:52 +04:00
the session's root directory will be changed by
Jarle.F.Greipsland@idt.unit.no's changes to allow for password-protected chrooted ftp logins.
1994-04-07 00:49:52 +04:00
.Xr chroot 2
* add two new ftpd.conf(5) directives: chroot specify dir to chroot to for GUEST and CHROOT users, to override -a anondir or the user's homedir. homedir specify dir to change to upon login; also used for ~ expansion and $HOME for subprocesses) both of these can take % escapes: %u (username), %d (homedir), %c (class). * fix NLST to take a pathname not a STRING, so that ~ expansion works * modify CWD to use the homedir parsed from curclass.homedir * implement format_path(dst, src), to parse src expanding % escapes (see above) into dst. * rename format_file() to display_file()
2000-07-17 06:30:52 +04:00
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
or to the home directory of the user.
Explicitly note the unsupported requests from RFC 2228. Improvements from FreeBSD: * Document `ftp-chroot' from login.conf(5). * Document that SIZE is prevented for files > 10240 bytes via ASCII transfers.
2008-01-30 05:16:35 +03:00
This facility may also be triggered by enabling the boolean
.Sy ftp-chroot
in
.Xr login.conf 5 .
fix bad .Xr references
1998-04-29 12:33:11 +04:00
However, the user must still supply a password.
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
This feature is intended as a compromise between a fully anonymous account
fix bad .Xr references
1998-04-29 12:33:11 +04:00
and a fully privileged account.
The account should also be set up as for an anonymous account.
Jarle.F.Greipsland@idt.unit.no's changes to allow for password-protected chrooted ftp logins.
1994-04-07 00:49:52 +04:00
.It
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
anonymous
.Tn FTP
account must be present in the password
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
file (user
.Dq ftp ) .
In this case the user is allowed
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
to log in by specifying any password (by convention an email address for
the user should be used as the password).
* add two new ftpd.conf(5) directives: chroot specify dir to chroot to for GUEST and CHROOT users, to override -a anondir or the user's homedir. homedir specify dir to change to upon login; also used for ~ expansion and $HOME for subprocesses) both of these can take % escapes: %u (username), %d (homedir), %c (class). * fix NLST to take a pathname not a STRING, so that ~ expansion works * modify CWD to use the homedir parsed from curclass.homedir * implement format_path(dst, src), to parse src expanding % escapes (see above) into dst. * rename format_file() to display_file()
2000-07-17 06:30:52 +04:00
.Pp
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
The server performs a
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Xr chroot 2
* add two new ftpd.conf(5) directives: chroot specify dir to chroot to for GUEST and CHROOT users, to override -a anondir or the user's homedir. homedir specify dir to change to upon login; also used for ~ expansion and $HOME for subprocesses) both of these can take % escapes: %u (username), %d (homedir), %c (class). * fix NLST to take a pathname not a STRING, so that ~ expansion works * modify CWD to use the homedir parsed from curclass.homedir * implement format_path(dst, src), to parse src expanding % escapes (see above) into dst. * rename format_file() to display_file()
2000-07-17 06:30:52 +04:00
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
the
.Fl a Ar anondir
directory (if set),
or to the home directory of the
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Dq ftp
user.
* add two new ftpd.conf(5) directives: chroot specify dir to chroot to for GUEST and CHROOT users, to override -a anondir or the user's homedir. homedir specify dir to change to upon login; also used for ~ expansion and $HOME for subprocesses) both of these can take % escapes: %u (username), %d (homedir), %c (class). * fix NLST to take a pathname not a STRING, so that ~ expansion works * modify CWD to use the homedir parsed from curclass.homedir * implement format_path(dst, src), to parse src expanding % escapes (see above) into dst. * rename format_file() to display_file()
2000-07-17 06:30:52 +04:00
.Pp
The server then performs a
.Xr chdir 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy homedir
directive (if set), otherwise to
.Pa / .
.Pp
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
If other restrictions are required (such as disabling of certain
commands and the setting of a specific umask), then appropriate
entries in
separate ftpd.conf(5) and ftpusers(5) out from ftpd(8). xxx: still needs a bit of work
1999-12-16 04:16:04 +03:00
.Xr ftpd.conf 5
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
are required.
suppress verbose messages from CWD and post-login if the first character of the anonymous password is `-'.
2000-01-13 03:04:31 +03:00
.Pp
If the first character of the password supplied by an anonymous user
is
.Dq - ,
then the verbose messages displayed at login and upon a
.Sy CWD
command are suppressed.
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
.El
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
.Ss Display file escape sequences
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
When
.Nm
displays various files back to the client (such as
.Pa /etc/ftpwelcome
and
.Pa /etc/motd ) ,
various escape strings are replaced with information pertinent
to the current connection.
.Pp
The supported escape strings are:
.Bl -tag -width "Escape" -offset indent -compact
.It Sy "Escape"
.Sy Description
features: * add connection limits (`limit' keyword in ftpd.conf) * move initialisation of curclass from parse_conf() to new function init_curclass() * implement count_users(), which determines the number of users in a given class. a file - /var/run/ftpd.pids-<class> - is used to store a list of pids in use (effectively an array of pid_t's), and its size is reduced as necessary. * new % modifiers in format_file: %c class %M maximum connection count %N current connection count * always end_login()s, even for refused connections bugs fixed: * remove \n from %T output * fix some inconsistencies in the man pages * ensure that both `ftp' *and* `anonymous' are allowed in ftpusers. (this was accidently broken in a recent commit to be ``or'' not ``and'') * use MAXPATHLEN not MAXPATHLEN+1 * crank copyright date on modified files * crank version
2000-01-08 14:09:56 +03:00
.It "\&%c"
Class name.
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
.It "\&%C"
Current working directory.
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.It "\&%E"
Email address given with
.Fl e .
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
.It "\&%L"
Local hostname.
features: * add connection limits (`limit' keyword in ftpd.conf) * move initialisation of curclass from parse_conf() to new function init_curclass() * implement count_users(), which determines the number of users in a given class. a file - /var/run/ftpd.pids-<class> - is used to store a list of pids in use (effectively an array of pid_t's), and its size is reduced as necessary. * new % modifiers in format_file: %c class %M maximum connection count %N current connection count * always end_login()s, even for refused connections bugs fixed: * remove \n from %T output * fix some inconsistencies in the man pages * ensure that both `ftp' *and* `anonymous' are allowed in ftpusers. (this was accidently broken in a recent commit to be ``or'' not ``and'') * use MAXPATHLEN not MAXPATHLEN+1 * crank copyright date on modified files * crank version
2000-01-08 14:09:56 +03:00
.It "\&%M"
Maximum number of users for this class.
Displays
.Dq unlimited
if there's no limit.
.It "\&%N"
Current number of users for this class.
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
.It "\&%R"
Remote hostname.
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.It "\&%s"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq s .
.It "\&%S"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq S .
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
.It "\&%T"
Current time.
.It "\&%U"
* add two new ftpd.conf(5) directives: chroot specify dir to chroot to for GUEST and CHROOT users, to override -a anondir or the user's homedir. homedir specify dir to change to upon login; also used for ~ expansion and $HOME for subprocesses) both of these can take % escapes: %u (username), %d (homedir), %c (class). * fix NLST to take a pathname not a STRING, so that ~ expansion works * modify CWD to use the homedir parsed from curclass.homedir * implement format_path(dst, src), to parse src expanding % escapes (see above) into dst. * rename format_file() to display_file()
2000-07-17 06:30:52 +04:00
User name.
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
.It "\&%\&%"
A
.Dq \&%
character.
.El
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
.Ss Setting up a restricted ftp subtree
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
In order that system security is not breached, it is recommended
that the
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
subtrees for the
.Dq ftp
and
.Dq chroot
accounts be constructed with care, following these rules
(replace
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Dq ftp
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
in the following directory names
with the appropriate account name for
.Sq chroot
users):
Changes to make anonymous uploads more secure. For anonymous users: * Set umask to 707; * Disable UMASK, CHMOD, DELE, RMD and MKD commands. Compile-time options let you change that umask and go back to the old, insecure way if you like.
1997-03-31 02:53:36 +04:00
.Bl -tag -width "~ftp/incoming" -offset indent
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It Pa ~ftp
Make the home directory owned by
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
.Dq root
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
and unwritable by anyone.
.It Pa ~ftp/bin
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
features/fixes: * implement xferstats. full stats are displayed for `STAT', and a summary is displayed upon exit (and syslogged). inspired by wu-ftpd. * wrap data xfers in {send,receive}_data with alarm() timeouts. this should remove the majority of the `hanging ftpd' problems that people were still seeing. inspired by wu-ftpd. * link with ../../bin/ls, so that bin/ls is not required under a chroot()ed area for `LIST' to work. based on [bin/4497] from "Soren S. Jorvang" <soren@t.dk> * migrate code from util.c into ftpd.c, so that it doesn't conflict with ls' util.c. * remove man page comment about ~ftp/bin/ls being necessary. * bump version to 7.2.0. * syslog xfer time with xfer stats. * if appropriate, syslog error message with command. internal code stuff: * change arguments of various functions from `char *' to `const char *'. * define PLURAL(x) macro, which returns `' if x == 1, `s' otherwise. use macro appropriately * lreply(): a code of -1 means ``send line as is''. a code of 0 means ``send line with 4 space prefix''. don't print a space after the `-' for any other code. * logcmd(): add `const struct timeval *elapsed' and `const char *error' for more flexible error reporting
1999-05-17 19:14:53 +04:00
Generally any conversion commands should be installed
here (mode 111).
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.It Pa ~ftp/etc
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
* fix "cd ~" so that it works (from Simon Burge <simonb@telstra.com.au> * move resetting of CFLAGS on powerpc to before optional CFLAGS settings * minor code & man page cleanups
1997-04-27 07:21:38 +04:00
The files
.Pa pwd.db
(see
Correct the instructions regarding the password database in ~ftp/etc, from Rob Windsor <windsor@ksu.ksu.edu> in PR #544.
1996-01-14 23:55:23 +03:00
.Xr passwd 5 )
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
and
* fix "cd ~" so that it works (from Simon Burge <simonb@telstra.com.au> * move resetting of CFLAGS on powerpc to before optional CFLAGS settings * minor code & man page cleanups
1997-04-27 07:21:38 +04:00
.Pa group
(see
.Xr group 5 )
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
must be present for the
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Sy LIST
features/fixes: * implement xferstats. full stats are displayed for `STAT', and a summary is displayed upon exit (and syslogged). inspired by wu-ftpd. * wrap data xfers in {send,receive}_data with alarm() timeouts. this should remove the majority of the `hanging ftpd' problems that people were still seeing. inspired by wu-ftpd. * link with ../../bin/ls, so that bin/ls is not required under a chroot()ed area for `LIST' to work. based on [bin/4497] from "Soren S. Jorvang" <soren@t.dk> * migrate code from util.c into ftpd.c, so that it doesn't conflict with ls' util.c. * remove man page comment about ~ftp/bin/ls being necessary. * bump version to 7.2.0. * syslog xfer time with xfer stats. * if appropriate, syslog error message with command. internal code stuff: * change arguments of various functions from `char *' to `const char *'. * define PLURAL(x) macro, which returns `' if x == 1, `s' otherwise. use macro appropriately * lreply(): a code of -1 means ``send line as is''. a code of 0 means ``send line with 4 space prefix''. don't print a space after the `-' for any other code. * logcmd(): add `const struct timeval *elapsed' and `const char *error' for more flexible error reporting
1999-05-17 19:14:53 +04:00
command to be able to display owner and group names instead of numbers.
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
The password field in
fix bad .Xr references
1998-04-29 12:33:11 +04:00
.Xr passwd 5
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
is not used, and should not contain real passwords.
The file
.Pa motd ,
if present, will be printed after a successful login.
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
These files should be mode 444.
.It Pa ~ftp/pub
Changes to make anonymous uploads more secure. For anonymous users: * Set umask to 707; * Disable UMASK, CHMOD, DELE, RMD and MKD commands. Compile-time options let you change that umask and go back to the old, insecure way if you like.
1997-03-31 02:53:36 +04:00
This directory and the subdirectories beneath it should be owned
by the users and groups responsible for placing files in them,
fix bad .Xr references
1998-04-29 12:33:11 +04:00
and be writable only by them (mode 755 or 775).
They should
Changes to make anonymous uploads more secure. For anonymous users: * Set umask to 707; * Disable UMASK, CHMOD, DELE, RMD and MKD commands. Compile-time options let you change that umask and go back to the old, insecure way if you like.
1997-03-31 02:53:36 +04:00
.Em not
be owned or writable by ftp or its group.
.It Pa ~ftp/incoming
This directory is where anonymous users place files they upload.
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
The owners should be the user
.Dq ftp
and an appropriate group.
Changes to make anonymous uploads more secure. For anonymous users: * Set umask to 707; * Disable UMASK, CHMOD, DELE, RMD and MKD commands. Compile-time options let you change that umask and go back to the old, insecure way if you like.
1997-03-31 02:53:36 +04:00
Members of this group will be the only users with access to these
files after they have been uploaded; these should be people who
fix bad .Xr references
1998-04-29 12:33:11 +04:00
know how to deal with them appropriately.
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
If you wish anonymous
.Tn FTP
users to be able to see the names of the
fix bad .Xr references
1998-04-29 12:33:11 +04:00
files in this directory the permissions should be 770, otherwise
they should be 370.
Changes to make anonymous uploads more secure. For anonymous users: * Set umask to 707; * Disable UMASK, CHMOD, DELE, RMD and MKD commands. Compile-time options let you change that umask and go back to the old, insecure way if you like.
1997-03-31 02:53:36 +04:00
.Pp
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
The following
.Xr ftpd.conf 5
directives should be used:
.Dl "modify guest off"
.Dl "umask guest 0707"
set "upload guest on" in incoming example, even though it is the default
2001-10-13 17:50:18 +04:00
.Dl "upload guest on"
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.Pp
This will result in anonymous users being able to upload files to this
directory, but they will not be able to download them, delete them, or
overwrite them, due to the umask and disabling of the commands mentioned
Changes to make anonymous uploads more secure. For anonymous users: * Set umask to 707; * Disable UMASK, CHMOD, DELE, RMD and MKD commands. Compile-time options let you change that umask and go back to the old, insecure way if you like.
1997-03-31 02:53:36 +04:00
above.
support displaying the stderr output from a LIST or a conversion to the user at the end of a transfer. this generates a file in /tmp, so anonymous requires a writable ~ftp/tmp, which you may not want to do (because it may allow people to unwanted upload files). XXX: a better method of storing the stderr output would be nice, but is a lot more effort to implement. this feature can at least be used temporarily whilst debugging why an ftp conversion doesn't work.
1998-06-08 11:13:13 +04:00
.It Pa ~ftp/tmp
This directory is used to create temporary files which contain
the error messages generated by a conversion or
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Sy LIST
support displaying the stderr output from a LIST or a conversion to the user at the end of a transfer. this generates a file in /tmp, so anonymous requires a writable ~ftp/tmp, which you may not want to do (because it may allow people to unwanted upload files). XXX: a better method of storing the stderr output would be nice, but is a lot more effort to implement. this feature can at least be used temporarily whilst debugging why an ftp conversion doesn't work.
1998-06-08 11:13:13 +04:00
command.
The owner should be the user
.Dq ftp .
The permissions should be 300.
.Pp
If you don't enable conversion commands, or don't want anonymous users
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
uploading files here (see
support displaying the stderr output from a LIST or a conversion to the user at the end of a transfer. this generates a file in /tmp, so anonymous requires a writable ~ftp/tmp, which you may not want to do (because it may allow people to unwanted upload files). XXX: a better method of storing the stderr output would be nice, but is a lot more effort to implement. this feature can at least be used temporarily whilst debugging why an ftp conversion doesn't work.
1998-06-08 11:13:13 +04:00
.Pa ~ftp/incoming
above), then don't create this directory.
However, error messages from conversion or
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Sy LIST
support displaying the stderr output from a LIST or a conversion to the user at the end of a transfer. this generates a file in /tmp, so anonymous requires a writable ~ftp/tmp, which you may not want to do (because it may allow people to unwanted upload files). XXX: a better method of storing the stderr output would be nice, but is a lot more effort to implement. this feature can at least be used temporarily whilst debugging why an ftp conversion doesn't work.
1998-06-08 11:13:13 +04:00
commands won't be returned to the user.
(This is the traditional behaviour.)
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
Note that the
separate ftpd.conf(5) and ftpusers(5) out from ftpd(8). xxx: still needs a bit of work
1999-12-16 04:16:04 +03:00
.Xr ftpd.conf 5
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
directive
.Sy upload
can be used to prevent users uploading here.
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
.El
* change format of /etc/ftpusers lines from userglob [allow|deny] to userglob[@host] [allow|deny [classname]] where class is a userdefined classname. - if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a hostglob (e.g, `*.foo.com'), and the remote host is matched against that. - if classname is given, use that to match entries in ftpd.conf (defaults to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in /etc/ftpchroot, and `real' for everyone else. * implement new /etc/ftpd.conf directives: classtype classname type set type of classname to GUEST, CHROOT, or REAL motd classname file file to use instead of /etc/motd rateget classname rate set rateget throttle to rate rateput classname rate set rateput throttle to rate upload classname allow/deny uploads (STOU, STOR, APPE). if denied, also acts as `modify deny'. * implement new `SITE' commands: RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that * implement format_file(), which outputs a file to the user, parsing % escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file. * implement strsuftoi() (from ftp(1)), which parses a number and optional suffix (for use with rateget, etc) * don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since we don't need reserved ports (at wasn't getting them anyway). * update & reorder copyrights * use strlcpy() as appropriate
1999-12-12 17:05:54 +03:00
.Pp
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
To set up "ftp-only" accounts that provide only
.Tn FTP ,
but no valid shell
Document setup of "ftp-only" non-anonymous accounts. Suggested by Thilo Manske <Thilo.Manske@HEH.Uni-Oldenburg.DE>, approved by Luke Mewburn <lukem@netbsd.org>
1999-08-02 04:44:59 +04:00
login, you can copy/link
.Pa /sbin/nologin
to
.Pa /sbin/ftplogin ,
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
and enter
.Pa /sbin/ftplogin
Document setup of "ftp-only" non-anonymous accounts. Suggested by Thilo Manske <Thilo.Manske@HEH.Uni-Oldenburg.DE>, approved by Luke Mewburn <lukem@netbsd.org>
1999-08-02 04:44:59 +04:00
to
.Pa /etc/shells
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
to allow logging-in via
.Tn FTP
into the accounts, which must have
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
.Pa /sbin/ftplogin
Document setup of "ftp-only" non-anonymous accounts. Suggested by Thilo Manske <Thilo.Manske@HEH.Uni-Oldenburg.DE>, approved by Luke Mewburn <lukem@netbsd.org>
1999-08-02 04:44:59 +04:00
as login shell.
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
.Sh FILES
.Bl -tag -width /etc/ftpwelcome -compact
.It Pa /etc/ftpchroot
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
List of normal users whose root directory should be changed via
.Xr chroot 2 .
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
.It Pa /etc/ftpd.conf
Configure file conversions and other settings.
.It Pa /etc/ftpusers
List of unwelcome/restricted users.
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
.It Pa /etc/ftpwelcome
clarify /etc/ftpwelcome is shown *before* login
1997-12-31 05:43:54 +03:00
Welcome notice before login.
4.4-lite, plus our local changes
1994-06-29 05:49:37 +04:00
.It Pa /etc/motd
Welcome notice after login.
.It Pa /etc/nologin
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
If it exists, displayed and access is refused.
document /var/run/[uw]tmp, /var/run/ftpd.pids-CLASS
2000-07-26 17:45:52 +04:00
.It Pa /var/run/ftpd.pids-CLASS
State file of logged-in processes for the
.Nm
class
.Sq CLASS .
.It Pa /var/run/utmp
List of logged-in users on the system.
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
.It Pa /var/log/wtmp
Login history database.
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.El
.Sh SEE ALSO
.Xr ftp 1 ,
add skey support
1994-05-24 10:52:17 +04:00
.Xr skey 1 ,
* move version to separate header file * use .Dv and .Tn in the man pages as appropriate * KNF a bit The following were inspired by similar changes in openbsd, but may have additional improvements by me: * add more check_login tests to the parser rules * nuke a few memory leaks in the parser rules * clear passwords before free()ing them, for safety * don't display \r\n in setproctitle() output * add support for -U, which enables managing /var/run/utmp entries for connections. solves [bin/2217] by Jason Downs <downsj@teeny.org> * fix oob handling for STAT command * use SIG_ERR instead of -1
1999-12-18 08:51:34 +03:00
.Xr who 1 ,
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Xr getusershell 3 ,
install ftpusers(5) as ftpchroot(5). more cleanups
1999-12-16 10:05:18 +03:00
.Xr ftpchroot 5 ,
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
.Xr ftpd.conf 5 ,
separate ftpd.conf(5) and ftpusers(5) out from ftpd(8). xxx: still needs a bit of work
1999-12-16 04:16:04 +03:00
.Xr ftpusers 5 ,
Explicitly note the unsupported requests from RFC 2228. Improvements from FreeBSD: * Document `ftp-chroot' from login.conf(5). * Document that SIZE is prevented for files > 10240 bytes via ASCII transfers.
2008-01-30 05:16:35 +03:00
.Xr login.conf 5 ,
initial import of 386bsd-0.1 sources
1993-03-21 12:45:37 +03:00
.Xr syslogd 8
* implement NOARGS state, for commands which don't take any arguments. fixes long standing ftpd bug where two replies would be returned to the client if a command was flagged as accepting `ARGS' but the parser didn't know how to cope. obvious symptom of this would be ftp client is always one error message `behind' the server. * consistently refer to the RFC as `RFC 959' not `RFC959' or `RFC-959', and replace refs to RFC 765 with RFC 959. * change order of commands in cmdtab[] to: RFC 959, BSD extras, and obsolete. * whitespace police, deprecate register, replace malloc/strcpy with strdup
1998-09-05 21:33:00 +04:00
.Sh STANDARDS
.Nm
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
recognizes all commands in
.Cm RFC 959 ,
follows the guidelines in
new features: * implement FEAT and OPTS from RFC2389. FEAT returns SIZE and MDTM. OPTS only works on NOOP (as a test). * extend format of /etc/ftpchroot similar to /etc/ftpusers; each entry can take an optional trailing `yes' or `no' which indicates if chroot should be done (defaults to `yes'). based on patches from Ty Sarna <tsarna@endicor.com> in [bin/4769] cleanups/bugs: * reorder and reformat entries in yacc parser to match cmdtab[]. add a blank line between each rule. * add short hasopts and char *options to struct tab, to support OPTS. * deprecate upper(); use strcasecmp() instead of strcmp() * remove unnecessary for (;;) { } in yylex(); * replace copy() and sgetsave() with xstrdup() * fix a couple of `hasyyerrored = 1' that were accidently removed.
1998-09-07 12:11:20 +04:00
.Cm RFC 1123 ,
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
recognizes all commands in
* actually commit the changes which add support for recognising RFC 2228 commands (even if we don't do anything with them) * in logcmd(), syslog why realpath() failed (if it did).
1999-02-06 00:40:49 +03:00
.Cm RFC 2228
(although they are not supported yet),
new features: * implement FEAT and OPTS from RFC2389. FEAT returns SIZE and MDTM. OPTS only works on NOOP (as a test). * extend format of /etc/ftpchroot similar to /etc/ftpusers; each entry can take an optional trailing `yes' or `no' which indicates if chroot should be done (defaults to `yes'). based on patches from Ty Sarna <tsarna@endicor.com> in [bin/4769] cleanups/bugs: * reorder and reformat entries in yacc parser to match cmdtab[]. add a blank line between each rule. * add short hasopts and char *options to struct tab, to support OPTS. * deprecate upper(); use strcasecmp() instead of strcmp() * remove unnecessary for (;;) { } in yylex(); * replace copy() and sgetsave() with xstrdup() * fix a couple of `hasyyerrored = 1' that were accidently removed.
1998-09-07 12:11:20 +04:00
and supports the extensions from
major overhaul (just before netbsd 1.5 :-): * implement draft-ietf-ftpext-mlst-10 commands, especially MLST and MLSD. we already supported SIZE and MDTM. add the appropriate FEAT output lines. * migrate a lot of the command code from ftpcmd.y and ftpd.c to cmds.c * make dataconn(), feat(), lookup(), opts() and sizecmd() public * modify struct tab so that it has a `flags' instead of `implemented' element, and remove the `hasopts' element. If flags == 1, the command is implemented. if flags == 2, the command is implemented and takes options * add macros ISDOTDIR(x) (is x ".") and ISDOTDOTDIR(x) (is x "..") * modify lreply() so that lreply(-2, ...) just outputs the given info without a prefix or trailing \r\n. this saves doing b = printf(); total_* += b; * enhance statcmd(). still needs work in the LPRT status stuff. * crank version
2000-06-14 17:44:21 +04:00
.Cm RFC 2389 ,
Replace references from draft-ietf-ftpext-mlst-NN to RFC 3659.
2007-05-10 09:59:30 +04:00
.Cm RFC 2428 ,
major overhaul (just before netbsd 1.5 :-): * implement draft-ietf-ftpext-mlst-10 commands, especially MLST and MLSD. we already supported SIZE and MDTM. add the appropriate FEAT output lines. * migrate a lot of the command code from ftpcmd.y and ftpd.c to cmds.c * make dataconn(), feat(), lookup(), opts() and sizecmd() public * modify struct tab so that it has a `flags' instead of `implemented' element, and remove the `hasopts' element. If flags == 1, the command is implemented. if flags == 2, the command is implemented and takes options * add macros ISDOTDIR(x) (is x ".") and ISDOTDOTDIR(x) (is x "..") * modify lreply() so that lreply(-2, ...) just outputs the given info without a prefix or trailing \r\n. this saves doing b = printf(); total_* += b; * enhance statcmd(). still needs work in the LPRT status stuff. * crank version
2000-06-14 17:44:21 +04:00
and
Replace references from draft-ietf-ftpext-mlst-NN to RFC 3659.
2007-05-10 09:59:30 +04:00
.Cm RFC 3659 .
Implement a new manual page category ``SECURITY CONSIDERATIONS'' (suggested by mycroft)
1998-06-08 16:41:41 +04:00
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
* implement /etc/ftpd.conf, which adds support for the following features, controllable on a per class (which is one of: real, chroot, guest, all or none) basis: * on-the-fly execution of a command to build the file (a ``conversion''), providing support for "get dirname.tar" and the like. * displaying the contents of a file when a directory is entered for the first time. * maximum value for timeout (replaces -T). * control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST. * notifying the user of the existance of a files matching a glob pattern when a directory is entered for the first time. * default value for timeout (replaces -t). * default umask (replaces -DGUEST_CMASK and -u). The conversion, display, and notify functionality was based on code by Simon Burge <simonb@telstra.com.au>. * clean up and re-order parts of the man page into subsections. * STAT displays the settings defined for the class of the current user. * bump version from 6.00 to 7.00, because of ftpd.conf. * deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and -t, -T and -u, as ftpd.conf allows finer control of these. * add "nostderr" argument to ftpd_popen(), because you don't want the stderr stream mixing with the stdout stream during a conversion, as this can corrupt the stream.
1997-06-14 12:43:26 +04:00
.Pp
various fixes suggested by Robert Elz: * implement closedataconn() and use appropriately (including in mlsd()) * only put leading space in front of MLST output (not MLSD output) * MLSD: only output pdir and cdir entries when the type fact is requested. * change error code for giving MLSD a non-directory from 550 to 501 * remove MLSx Type fact support for UNIX.* for now; it's not standardised yet. * do a check_login when MLSD and MLST are given no args * detect & complain about null facts in OPTS MLST * cache getgroups() at login instead of calling each time in fact_perm() other mods: * implement cprintf(); as per fprintf() but increments total_bytes{,_out} * implement CPUTC(); as per putc() but increments total_bytes{,_out} * implement base64_encode() * fact_unique() display base64 encoding of dev_t and ino_t rather than hex output; should scale if size of those changes * change reply() so that a negative code acts as the initial line in a reply, code == 0 prefixes the line with 4 spaces, and code > 0 works as before. deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and reply(0, ) respectively. * use cprintf() and CPUTC() appropriately (often instead of printf(), lreply(-2, ) or lreply(-1, ). now we actually account for the data sent by MLST and MLSD. * remove DEBUG support for sending MLSD output to control connection instead of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
Various features such as the
separate ftpd.conf(5) and ftpusers(5) out from ftpd(8). xxx: still needs a bit of work
1999-12-16 04:16:04 +03:00
.Xr ftpd.conf 5
various fixes suggested by Robert Elz: * implement closedataconn() and use appropriately (including in mlsd()) * only put leading space in front of MLST output (not MLSD output) * MLSD: only output pdir and cdir entries when the type fact is requested. * change error code for giving MLSD a non-directory from 550 to 501 * remove MLSx Type fact support for UNIX.* for now; it's not standardised yet. * do a check_login when MLSD and MLST are given no args * detect & complain about null facts in OPTS MLST * cache getgroups() at login instead of calling each time in fact_perm() other mods: * implement cprintf(); as per fprintf() but increments total_bytes{,_out} * implement CPUTC(); as per putc() but increments total_bytes{,_out} * implement base64_encode() * fact_unique() display base64 encoding of dev_t and ino_t rather than hex output; should scale if size of those changes * change reply() so that a negative code acts as the initial line in a reply, code == 0 prefixes the line with 4 spaces, and code > 0 works as before. deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and reply(0, ) respectively. * use cprintf() and CPUTC() appropriately (often instead of printf(), lreply(-2, ) or lreply(-1, ). now we actually account for the data sent by MLST and MLSD. * remove DEBUG support for sending MLSD output to control connection instead of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
functionality,
.Cm RFC 2389 ,
and
Replace references from draft-ietf-ftpext-mlst-NN to RFC 3659.
2007-05-10 09:59:30 +04:00
.Cm RFC 3659
various fixes suggested by Robert Elz: * implement closedataconn() and use appropriately (including in mlsd()) * only put leading space in front of MLST output (not MLSD output) * MLSD: only output pdir and cdir entries when the type fact is requested. * change error code for giving MLSD a non-directory from 550 to 501 * remove MLSx Type fact support for UNIX.* for now; it's not standardised yet. * do a check_login when MLSD and MLST are given no args * detect & complain about null facts in OPTS MLST * cache getgroups() at login instead of calling each time in fact_perm() other mods: * implement cprintf(); as per fprintf() but increments total_bytes{,_out} * implement CPUTC(); as per putc() but increments total_bytes{,_out} * implement base64_encode() * fact_unique() display base64 encoding of dev_t and ino_t rather than hex output; should scale if size of those changes * change reply() so that a negative code acts as the initial line in a reply, code == 0 prefixes the line with 4 spaces, and code > 0 works as before. deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and reply(0, ) respectively. * use cprintf() and CPUTC() appropriately (often instead of printf(), lreply(-2, ) or lreply(-1, ). now we actually account for the data sent by MLST and MLSD. * remove DEBUG support for sending MLSD output to control connection instead of data connection (my ftp client now supports MLSD :-)
2000-06-19 19:15:03 +04:00
support was implemented in
Implement a new manual page category ``SECURITY CONSIDERATIONS'' (suggested by mycroft)
1998-06-08 16:41:41 +04:00
.Nx 1.3
tweak reference to me
2002-10-26 08:21:12 +04:00
and later releases by Luke Mewburn.
* implement NOARGS state, for commands which don't take any arguments. fixes long standing ftpd bug where two replies would be returned to the client if a command was flagged as accepting `ARGS' but the parser didn't know how to cope. obvious symptom of this would be ftp client is always one error message `behind' the server. * consistently refer to the RFC as `RFC 959' not `RFC959' or `RFC-959', and replace refs to RFC 765 with RFC 959. * change order of commands in cmdtab[] to: RFC 959, BSD extras, and obsolete. * whitespace police, deprecate register, replace malloc/strcpy with strdup
1998-09-05 21:33:00 +04:00
.Sh BUGS
The server must run as the super-user to create sockets with
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
privileged port numbers (i.e, those less than
.Dv IPPORT_RESERVED ,
which is 1024).
If
.Nm
is listening on a privileged port
it maintains an effective user id of the logged in user, reverting
to the super-user only when binding addresses to privileged sockets.
The
.Fl r
option can be used to override this behaviour and force privileges to
be permanently revoked; see
.Sx SECURITY CONSIDERATIONS
below for more details.
move IPv6 considerations into BUGS section
2000-05-16 04:59:12 +04:00
.Pp
.Nm
may have trouble handling connections from scoped IPv6 addresses, or
IPv4 mapped addresses
.Po
IPv4 connection on
.Dv AF_INET6
socket
.Pc .
For the latter case, running two daemons,
one for IPv4 and one for IPv6, will avoid the problem.
Implement a new manual page category ``SECURITY CONSIDERATIONS'' (suggested by mycroft)
1998-06-08 16:41:41 +04:00
.Sh SECURITY CONSIDERATIONS
* implement NOARGS state, for commands which don't take any arguments. fixes long standing ftpd bug where two replies would be returned to the client if a command was flagged as accepting `ARGS' but the parser didn't know how to cope. obvious symptom of this would be ftp client is always one error message `behind' the server. * consistently refer to the RFC as `RFC 959' not `RFC959' or `RFC-959', and replace refs to RFC 765 with RFC 959. * change order of commands in cmdtab[] to: RFC 959, BSD extras, and obsolete. * whitespace police, deprecate register, replace malloc/strcpy with strdup
1998-09-05 21:33:00 +04:00
.Cm RFC 959
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
provides no restrictions on the
.Sy PORT
command, and this can lead to security problems, as
expand on the checkportcmd option.
1998-01-23 03:56:55 +03:00
.Nm
fix bad .Xr references
1998-04-29 12:33:11 +04:00
can be fooled into connecting to any service on any host.
With the
.Dq checkportcmd
feature of the
separate ftpd.conf(5) and ftpusers(5) out from ftpd(8). xxx: still needs a bit of work
1999-12-16 04:16:04 +03:00
.Xr ftpd.conf 5 ,
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Sy PORT
commands with different host addresses, or TCP ports lower than
expand on the checkportcmd option.
1998-01-23 03:56:55 +03:00
.Dv IPPORT_RESERVED
Change occurrences of "UNIX" to .Ux or .At as appropriate.
1998-04-28 10:00:51 +04:00
will be rejected.
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
This also prevents
.Sq third-party proxy ftp
from working.
Change occurrences of "UNIX" to .Ux or .At as appropriate.
1998-04-28 10:00:51 +04:00
Use of this option is
expand on the checkportcmd option.
1998-01-23 03:56:55 +03:00
.Em strongly
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
recommended, and enabled by default.
.Pp
By default
.Nm
uses a port that is one less than the port it is listening on to
communicate back to the client for the
.Sy EPRT ,
fix typo
2000-12-01 10:59:47 +03:00
.Sy LPRT ,
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
and
.Sy PORT
- new ftpd.conf directives: maxfilesize set the maximum size of uploaded files sanenames if set, only permit uploaded filenames that contain characters from the set "-+,._A-Za-z0-9" and that don't start with `.' - new/changed command line options: -e emailaddr define email address for %E (see below) -P dataport use dataport as the dataport (instead of ctrlport-1) -q use pid files to count users [default] -Q don't use pid files to count users -u write entries to utmp -U don't write entries to utmp [default] -w write entries to wtmp [default] -W don't write entries to wtmp NOTE: -U used to mean `write utmp entries'. Its meaning has changed so that it's orthogonal with -q/-Q and -w/-W. This isn't considered a major problem, because using -U isn't going to enable something you don't want, but will disable something you did want (which is safer). - new display file escape sequences: %E email address %s literal `s' if the previous %M or %N wasn't ``1''. %S literal `S' if the previous %M or %N wasn't ``1''. - expand the description of building ~ftp/incoming to cover the appropriate ftpd.conf(5) directives (which are defaults, but it pays to explicitly explain them) - replace strsuftoi() with strsuftoll(), which returns a long long if supported, otherwise a long - rework the way that check_modify and check_upload are done in the yacc parser; they're merged into a common check_write() function which is called explicitly - merge all ftpclass `flag variables' into a single bitfield-based flag element - move various common bits of parse_conf() into a couple of macros - clean up some comments
2000-11-16 16:15:13 +03:00
commands, unless overridden with
.Fl P Ar dataport .
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
As the default port for
.Nm
(21) is a privileged port below
.Dv IPPORT_RESERVED ,
.Nm
retains the ability to switch back to root privileges to bind these
ports.
In order to increase security by reducing the potential for a bug in
.Nm
providing a remote root compromise,
.Nm
will permanently drop root privileges if one of the following is true:
.Bl -enum -offset indent
.It
.Nm
is running on a port greater than
.Dv IPPORT_RESERVED
and the user has logged in as a
.Sq guest
Drop some unnecessary .Pps, sort SEE ALSO, whitespace nits.
2002-01-15 05:20:37 +03:00
or
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
.Sq chroot
user.
.It
.Nm
was invoked with
.Fl r .
.El
features/fixes: * implement xferstats. full stats are displayed for `STAT', and a summary is displayed upon exit (and syslogged). inspired by wu-ftpd. * wrap data xfers in {send,receive}_data with alarm() timeouts. this should remove the majority of the `hanging ftpd' problems that people were still seeing. inspired by wu-ftpd. * link with ../../bin/ls, so that bin/ls is not required under a chroot()ed area for `LIST' to work. based on [bin/4497] from "Soren S. Jorvang" <soren@t.dk> * migrate code from util.c into ftpd.c, so that it doesn't conflict with ls' util.c. * remove man page comment about ~ftp/bin/ls being necessary. * bump version to 7.2.0. * syslog xfer time with xfer stats. * if appropriate, syslog error message with command. internal code stuff: * change arguments of various functions from `char *' to `const char *'. * define PLURAL(x) macro, which returns `' if x == 1, `s' otherwise. use macro appropriately * lreply(): a code of -1 means ``send line as is''. a code of 0 means ``send line with 4 space prefix''. don't print a space after the `-' for any other code. * logcmd(): add `const struct timeval *elapsed' and `const char *error' for more flexible error reporting
1999-05-17 19:14:53 +04:00
.Pp
Don't create
.Pa ~ftp/tmp
if you don't want anonymous users to upload files there.
That directory is only necessary if you want to display the error
messages of conversion commands to the user.
separate ftpd.conf(5) and ftpusers(5) out from ftpd(8). xxx: still needs a bit of work
1999-12-16 04:16:04 +03:00
Note that if uploads are disabled with the
.Xr ftpd.conf 5
directive
.Sy upload ,
* make checkportcmd the default. this breaks third-party proxy ftp but prevents the ftp bounce attack, and we should be secure out of the box, not require users to tweak obscure stuff. * allow the version string reported to clients to be changed with '-V vers'. if vers is empty or `-', don't report a version. * if -r is given, permanently drop root privs * if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port > IPPORT_RESERVED+1, permanently drop root privs * don't bother reverting to root privs to logout of wtmp/utmp; since the file descriptor is already open this isn't necessary. * fix the binding of the port for the PORT/LPRT/EPRT connection to be the ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6 merge). if root privs have been dropped, and this would be a port < IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant but it doesn't appear that many clients care). * prevent login of a new user if privs have been dropped and already logged in as a REAL user (existing check already stops GUEST & CHROOT users). * move the port check stuff into a separate port_check() function, and use for PORT, LPRT, and EPRT checks. inspired by freebsd * minor KNF * minor man page cleanup
2000-07-23 18:40:48 +04:00
then this directory cannot be abused by the user in this way, so it
should be safe to create.
Explicitly note the unsupported requests from RFC 2228. Improvements from FreeBSD: * Document `ftp-chroot' from login.conf(5). * Document that SIZE is prevented for files > 10240 bytes via ASCII transfers.
2008-01-30 05:16:35 +03:00
.Pp
To avoid possible denial-of-service attacks,
.Sy SIZE
requests against files larger than 10240 bytes will be denied if
the current transfer
.Sy TYPE
is
.Sq Li A
(ASCII).