366 lines
12 KiB
Groff
366 lines
12 KiB
Groff
.\" $NetBSD: ftpd.8,v 1.13 1997/05/23 22:09:51 cjs Exp $
|
|
.\"
|
|
.\" Copyright (c) 1985, 1988, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
.\" must display the following acknowledgement:
|
|
.\" This product includes software developed by the University of
|
|
.\" California, Berkeley and its contributors.
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
|
|
.\"
|
|
.Dd April 19, 1994
|
|
.Dt FTPD 8
|
|
.Os BSD 4.2
|
|
.Sh NAME
|
|
.Nm ftpd
|
|
.Nd
|
|
Internet File Transfer Protocol server
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl dl
|
|
.Op Fl a Ar anondir
|
|
.Op Fl T Ar maxtimeout
|
|
.Op Fl t Ar timeout
|
|
.Op Fl u Ar umask
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is the
|
|
Internet File Transfer Protocol
|
|
server process. The server uses the
|
|
.Tn TCP
|
|
protocol
|
|
and listens at the port specified in the
|
|
.Dq ftp
|
|
service specification; see
|
|
.Xr services 5 .
|
|
.Pp
|
|
Available options:
|
|
.Bl -tag -width Ds
|
|
.It Fl a
|
|
Define the directory to which we chroot for anonymous logins.
|
|
Default is the home directory for the ftp user.
|
|
.It Fl d
|
|
Debugging information is written to the syslog using LOG_FTP.
|
|
.It Fl l
|
|
Each successful and failed
|
|
.Xr ftp 1
|
|
session is logged using syslog with a facility of LOG_FTP.
|
|
If this option is specified twice, the retrieve (get), store (put), append,
|
|
delete, make directory, remove directory and rename operations and
|
|
their filename arguments are also logged.
|
|
.It Fl T
|
|
A client may also request a different timeout period;
|
|
the maximum period allowed may be set to
|
|
.Ar timeout
|
|
seconds with the
|
|
.Fl T
|
|
option.
|
|
The default limit is 2 hours.
|
|
.It Fl t
|
|
The inactivity timeout period is set to
|
|
.Ar timeout
|
|
seconds (the default is 15 minutes).
|
|
.It Fl u
|
|
Sets the default umask. Must be in octal form, e.g. "002"
|
|
.El
|
|
.Pp
|
|
The file
|
|
.Pa /etc/nologin
|
|
can be used to disable ftp access.
|
|
If the file exists,
|
|
.Nm
|
|
displays it and exits.
|
|
If the file
|
|
.Pa /etc/ftpwelcome
|
|
exists,
|
|
.Nm
|
|
prints it before issuing the
|
|
.Dq ready
|
|
message.
|
|
If the file
|
|
.Pa /etc/motd
|
|
exists,
|
|
.Nm
|
|
prints it after a successful login.
|
|
.Pp
|
|
The
|
|
.Pa /etc/ftpusers
|
|
file is used to determine which users may use ftp.
|
|
If the file does not exist, all users are denied access. If it
|
|
does exist, each line is a a comment starting with ``#'' or a
|
|
glob pattern that uses the same syntax as /bin/sh, optionally
|
|
followed by whitespace and ``allow'' or ``deny''.
|
|
Each glob pattern is compared in turn against the username
|
|
until a match is found. If the word following the matched glob
|
|
pattern is ``allow'' the user is granted access; if the word is
|
|
anything else, or nothing at all, the user is denied access.
|
|
(No further comparisons are attempted after the first successful match.)
|
|
If no match is found, the user is granted access.
|
|
This syntax is backward-compatable with the old syntax.
|
|
.Pp
|
|
|
|
If a user requests a guest login, the ftp server checks to see that
|
|
both ``anonymous'' and ``ftp'' have access, so if you deny all
|
|
users by default, you will need to add both ``anonymous allow''
|
|
and ``ftp allow'' to
|
|
.Pa /etc/ftpusers
|
|
in order to allow guest logins.
|
|
.Pp
|
|
The ftp server currently supports the following ftp requests.
|
|
The case of the requests is ignored.
|
|
.Bl -column "Request" -offset indent
|
|
.It Request Ta "Description"
|
|
.It ABOR Ta "abort previous command"
|
|
.It ACCT Ta "specify account (ignored)"
|
|
.It ALLO Ta "allocate storage (vacuously)"
|
|
.It APPE Ta "append to a file"
|
|
.It CDUP Ta "change to parent of current working directory"
|
|
.It CWD Ta "change working directory"
|
|
.It DELE Ta "delete a file"
|
|
.It HELP Ta "give help information"
|
|
.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA"
|
|
.It MKD Ta "make a directory"
|
|
.It MDTM Ta "show last modification time of file"
|
|
.It MODE Ta "specify data transfer" Em mode
|
|
.It NLST Ta "give name list of files in directory"
|
|
.It NOOP Ta "do nothing"
|
|
.It PASS Ta "specify password"
|
|
.It PASV Ta "prepare for server-to-server transfer"
|
|
.It PORT Ta "specify data connection port"
|
|
.It PWD Ta "print the current working directory"
|
|
.It QUIT Ta "terminate session"
|
|
.It REST Ta "restart incomplete transfer"
|
|
.It RETR Ta "retrieve a file"
|
|
.It RMD Ta "remove a directory"
|
|
.It RNFR Ta "specify rename-from file name"
|
|
.It RNTO Ta "specify rename-to file name"
|
|
.It SITE Ta "non-standard commands (see next section)"
|
|
.It SIZE Ta "return size of file"
|
|
.It STAT Ta "return status of server"
|
|
.It STOR Ta "store a file"
|
|
.It STOU Ta "store a file with a unique name"
|
|
.It STRU Ta "specify data transfer" Em structure
|
|
.It SYST Ta "show operating system type of server system"
|
|
.It TYPE Ta "specify data transfer" Em type
|
|
.It USER Ta "specify user name"
|
|
.It XCUP Ta "change to parent of current working directory (deprecated)"
|
|
.It XCWD Ta "change working directory (deprecated)"
|
|
.It XMKD Ta "make a directory (deprecated)"
|
|
.It XPWD Ta "print the current working directory (deprecated)"
|
|
.It XRMD Ta "remove a directory (deprecated)"
|
|
.El
|
|
.Pp
|
|
The following non-standard or
|
|
.Tn UNIX
|
|
specific commands are supported
|
|
by the
|
|
SITE request.
|
|
.Pp
|
|
.Bl -column Request -offset indent
|
|
.It Sy Request Ta Sy Description
|
|
.It UMASK Ta change umask, e.g. ``SITE UMASK 002''
|
|
.It IDLE Ta set idle-timer, e.g. ``SITE IDLE 60''
|
|
.It CHMOD Ta change mode of a file, e.g. ``SITE CHMOD 755 filename''
|
|
.It HELP Ta give help information.
|
|
.El
|
|
.Pp
|
|
The remaining ftp requests specified in Internet RFC 959
|
|
are
|
|
recognized, but not implemented.
|
|
MDTM and SIZE are not specified in RFC 959, but will appear in the
|
|
next updated FTP RFC.
|
|
.Pp
|
|
The ftp server will abort an active file transfer only when the
|
|
ABOR
|
|
command is preceded by a Telnet "Interrupt Process" (IP)
|
|
signal and a Telnet "Synch" signal in the command Telnet stream,
|
|
as described in Internet RFC 959.
|
|
If a
|
|
STAT
|
|
command is received during a data transfer, preceded by a Telnet IP
|
|
and Synch, transfer status will be returned.
|
|
.Pp
|
|
.Nm
|
|
interprets file names according to the
|
|
.Dq globbing
|
|
conventions used by
|
|
.Xr csh 1 .
|
|
This allows users to utilize the metacharacters
|
|
.Dq Li \&*?[]{}~ .
|
|
.Pp
|
|
.Nm
|
|
authenticates users according to five rules.
|
|
.Pp
|
|
.Bl -enum -offset indent
|
|
.It
|
|
The login name must be in the password data base,
|
|
.Pa /etc/pwd.db ,
|
|
and not have a null password.
|
|
In this case a password must be provided by the client before any
|
|
file operations may be performed.
|
|
If the user has an S/Key key, the response from a successful USER
|
|
command will include an S/Key challenge. The client may choose to respond
|
|
with a PASS command giving either a standard password or an S/Key
|
|
one-time password. The server will automatically determine which type of
|
|
password it has been given and attempt to authenticate accordingly. See
|
|
.Xr skey 1
|
|
for more information on S/Key authentication. S/Key is a Trademark of
|
|
Bellcore.
|
|
.It
|
|
The login name must be allowed based on the information in
|
|
.Pa /etc/ftpusers
|
|
(see above).
|
|
.It
|
|
The user must have a standard shell returned by
|
|
.Xr getusershell 3 .
|
|
.It
|
|
If the user name appears in the file
|
|
.Pa /etc/ftpchroot
|
|
the session's root will be changed to the user's login directory by
|
|
.Xr chroot 2
|
|
as for an
|
|
.Dq anonymous
|
|
or
|
|
.Dq ftp
|
|
account (see next item). However, the user must still supply a password.
|
|
This feature is intended as a compromise between a fully anonymous account
|
|
and a fully privileged account. The account should also be set up as for an
|
|
anonymous account.
|
|
.It
|
|
If the user name is
|
|
.Dq anonymous
|
|
or
|
|
.Dq ftp ,
|
|
an
|
|
anonymous ftp account must be present in the password
|
|
file (user
|
|
.Dq ftp ) .
|
|
In this case the user is allowed
|
|
to log in by specifying any password (by convention an email address for
|
|
the user should be used as the password).
|
|
.El
|
|
.Pp
|
|
In the last case,
|
|
.Nm
|
|
takes special measures to restrict the client's access privileges.
|
|
The server disables the MKD, XMKD, RMD, XRMD, DELE, SITE UMASK, and
|
|
SITE CHMOD commands, sets the umask to 0707, and performs a
|
|
.Xr chroot 2
|
|
to the home directory of the
|
|
.Dq ftp
|
|
user.
|
|
In order that system security is not breached, it is recommended
|
|
that the
|
|
.Dq ftp
|
|
subtree be constructed with care, following these rules:
|
|
.Bl -tag -width "~ftp/incoming" -offset indent
|
|
.It Pa ~ftp
|
|
Make the home directory owned by
|
|
.Dq root
|
|
and unwritable by anyone.
|
|
.It Pa ~ftp/bin
|
|
Make this directory owned by
|
|
.Dq root
|
|
and unwritable by anyone (mode 555).
|
|
The program
|
|
.Xr ls 1
|
|
must be present to support the list command.
|
|
This program should be mode 111.
|
|
.It Pa ~ftp/etc
|
|
Make this directory owned by
|
|
.Dq root
|
|
and unwritable by anyone (mode 555).
|
|
The files
|
|
.Pa pwd.db
|
|
(see
|
|
.Xr passwd 5 )
|
|
and
|
|
.Pa group
|
|
(see
|
|
.Xr group 5 )
|
|
must be present for the
|
|
.Xr ls
|
|
command to be able to produce owner names rather than numbers.
|
|
The password field in
|
|
.Xr passwd
|
|
is not used, and should not contain real passwords.
|
|
The file
|
|
.Pa motd ,
|
|
if present, will be printed after a successful login.
|
|
These files should be mode 444.
|
|
.It Pa ~ftp/pub
|
|
This directory and the subdirectories beneath it should be owned
|
|
by the users and groups responsible for placing files in them,
|
|
and be writable only by them (mode 755 or 775). They should
|
|
.Em not
|
|
be owned or writable by ftp or its group.
|
|
.It Pa ~ftp/incoming
|
|
This directory is where anonymous users place files they upload.
|
|
The owners should be the user ``ftp'' and an appropriate group.
|
|
Members of this group will be the only users with access to these
|
|
files after they have been uploaded; these should be people who
|
|
know how to deal with them appropriately. If you wish anonymous
|
|
ftp users to be able to see the names of the files in this directory
|
|
the permissions should be 770, otherwise they should be 370.
|
|
.Pp
|
|
Anonymous users will be able to upload files files to this directory,
|
|
but they will not be able to download them, delete them, or overwrite
|
|
them, due to the umask and disabling of the commands mentioned
|
|
above.
|
|
.El
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/ftpwelcome -compact
|
|
.It Pa /etc/ftpusers
|
|
List of unwelcome/restricted users.
|
|
.It Pa /etc/ftpchroot
|
|
List of normal users who should be chroot'd.
|
|
.It Pa /etc/ftpwelcome
|
|
Welcome notice.
|
|
.It Pa /etc/motd
|
|
Welcome notice after login.
|
|
.It Pa /etc/nologin
|
|
Displayed and access refused.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ftp 1 ,
|
|
.Xr skey 1 ,
|
|
.Xr getusershell 3 ,
|
|
.Xr syslogd 8
|
|
.Sh BUGS
|
|
The server must run as the super-user
|
|
to create sockets with privileged port numbers. It maintains
|
|
an effective user id of the logged in user, reverting to
|
|
the super-user only when binding addresses to sockets. The
|
|
possible security holes have been extensively
|
|
scrutinized, but are possibly incomplete.
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
command appeared in
|
|
.Bx 4.2 .
|