836 lines
22 KiB
Groff
836 lines
22 KiB
Groff
.\" $NetBSD: ftpd.8,v 1.70 2002/10/26 04:21:12 lukem Exp $
|
|
.\"
|
|
.\" Copyright (c) 1997-2002 The NetBSD Foundation, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
|
.\" by Luke Mewburn.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
.\" must display the following acknowledgement:
|
|
.\" This product includes software developed by the NetBSD
|
|
.\" Foundation, Inc. and its contributors.
|
|
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
|
|
.\" contributors may be used to endorse or promote products derived
|
|
.\" from this software without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.\" Copyright (c) 1985, 1988, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
.\" must display the following acknowledgement:
|
|
.\" This product includes software developed by the University of
|
|
.\" California, Berkeley and its contributors.
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
|
|
.\"
|
|
.Dd October 25, 2002
|
|
.Dt FTPD 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm ftpd
|
|
.Nd
|
|
Internet File Transfer Protocol server
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl dHlqQrsuUwWX
|
|
.Op Fl a Ar anondir
|
|
.Op Fl c Ar confdir
|
|
.Op Fl C Ar user
|
|
.Op Fl e Ar emailaddr
|
|
.Op Fl h Ar hostname
|
|
.Op Fl P Ar dataport
|
|
.Op Fl V Ar version
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is the Internet File Transfer Protocol server process.
|
|
The server uses the
|
|
.Tn TCP
|
|
protocol and listens at the port specified in the
|
|
.Dq ftp
|
|
service specification; see
|
|
.Xr services 5 .
|
|
.Pp
|
|
Available options:
|
|
.Bl -tag -width Ds
|
|
.It Fl a Ar anondir
|
|
Define
|
|
.Ar anondir
|
|
as the directory to
|
|
.Xr chroot 2
|
|
into for anonymous logins.
|
|
Default is the home directory for the ftp user.
|
|
This can also be specified with the
|
|
.Xr ftpd.conf 5
|
|
.Sy chroot
|
|
directive.
|
|
.It Fl c Ar confdir
|
|
Change the root directory of the configuration files from
|
|
.Dq Pa /etc
|
|
to
|
|
.Ar confdir .
|
|
This changes the directory for the following files:
|
|
.Pa /etc/ftpchroot ,
|
|
.Pa /etc/ftpusers ,
|
|
.Pa /etc/ftpwelcome ,
|
|
.Pa /etc/motd ,
|
|
and the file specified by the
|
|
.Xr ftpd.conf 5
|
|
.Sy limit
|
|
directive.
|
|
.It Fl C Ar user
|
|
Check whether
|
|
.Ar user
|
|
would be granted access under
|
|
the restrictions given in
|
|
.Xr ftpusers 5
|
|
and exit without attempting a connection.
|
|
.Nm
|
|
exits with an exit code of 0 if access would be granted, or 1 otherwise.
|
|
This can be useful for testing configurations.
|
|
.It Fl d
|
|
Debugging information is written to the syslog using a facility of
|
|
.Dv LOG_FTP .
|
|
.It Fl e Ar emailaddr
|
|
Use
|
|
.Ar emailaddr
|
|
for the
|
|
.Dq "\&%E"
|
|
escape sequence (see
|
|
.Sx Display file escape sequences )
|
|
.It Fl h Ar hostname
|
|
Explicitly set the hostname to advertise as to
|
|
.Ar hostname .
|
|
The default is the hostname associated with the IP address that
|
|
.Nm
|
|
is listening on.
|
|
This ability (with or without
|
|
.Fl h ) ,
|
|
in conjunction with
|
|
.Fl c Ar confdir ,
|
|
is useful when configuring
|
|
.Sq virtual
|
|
.Tn FTP
|
|
servers, each listening on separate addresses as separate names.
|
|
Refer to
|
|
.Xr inetd.conf 5
|
|
for more information on starting services to listen on specific IP addresses.
|
|
.It Fl H
|
|
Equivalent to
|
|
.Do
|
|
-h
|
|
`hostname`
|
|
.Dc .
|
|
.It Fl l
|
|
Each successful and failed
|
|
.Tn FTP
|
|
session is logged using syslog with a facility of
|
|
.Dv LOG_FTP .
|
|
If this option is specified more than once, the retrieve (get), store (put),
|
|
append, delete, make directory, remove directory and rename operations and
|
|
their file name arguments are also logged.
|
|
.It Fl P Ar dataport
|
|
Use
|
|
.Ar dataport
|
|
as the data port, overriding the default of using the port one less
|
|
that the port
|
|
.Nm
|
|
is listening on.
|
|
.It Fl q
|
|
Enable the use of pid files for keeping track of the number of logged-in
|
|
users per class.
|
|
This is the default.
|
|
.It Fl Q
|
|
Disable the use of pid files for keeping track of the number of logged-in
|
|
users per class.
|
|
This may reduce the load on heavily loaded
|
|
.Tn FTP
|
|
servers.
|
|
.It Fl r
|
|
Permanently drop root privileges once the user is logged in.
|
|
The use of this option may result in the server using a port other
|
|
than the (listening-port - 1) for
|
|
.Sy PORT
|
|
style commands, which is contrary to the
|
|
.Cm RFC 959
|
|
specification, but in practice very few clients rely upon this behaviour.
|
|
See
|
|
.Sx SECURITY CONSIDERATIONS
|
|
below for more details.
|
|
.It Fl s
|
|
Require a secure authentication mechanism like Kerberos or S/Key to be used.
|
|
.It Fl u
|
|
Log each concurrent
|
|
.Tn FTP
|
|
session to
|
|
.Pa /var/run/utmp ,
|
|
making them visible to commands such as
|
|
.Xr who 1 .
|
|
.It Fl U
|
|
Don't log each concurrent
|
|
.Tn FTP
|
|
session to
|
|
.Pa /var/run/utmp .
|
|
This is the default.
|
|
.It Fl V Ar version
|
|
Use
|
|
.Ar version
|
|
as the version to advertise in the login banner and in the output of
|
|
.Sy STAT
|
|
and
|
|
.Sy SYST
|
|
instead of the default version information.
|
|
If
|
|
.Ar version
|
|
is empty or
|
|
.Sq -
|
|
then don't display any version information.
|
|
.It Fl w
|
|
Log each
|
|
.Tn FTP
|
|
session to
|
|
.Pa /var/log/wtmp ,
|
|
making them visible to commands such as
|
|
.Xr last 1 .
|
|
This is the default.
|
|
.It Fl W
|
|
Don't log each
|
|
.Tn FTP
|
|
session to
|
|
.Pa /var/log/wtmp .
|
|
.It Fl X
|
|
Log
|
|
.Tn wu-ftpd
|
|
style
|
|
.Sq xferlog
|
|
entries to the syslog, prefixed with
|
|
.Dq "xferlog:\ " ,
|
|
using a facility of
|
|
.Dv LOG_FTP .
|
|
These syslog entries can be converted to a
|
|
.Tn wu-ftpd
|
|
style
|
|
.Pa xferlog
|
|
file suitable for input into a third-party log analysis tool with a command
|
|
similar to:
|
|
.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
|
|
.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
|
|
.El
|
|
.Pp
|
|
The file
|
|
.Pa /etc/nologin
|
|
can be used to disable
|
|
.Tn FTP
|
|
access.
|
|
If the file exists,
|
|
.Nm
|
|
displays it and exits.
|
|
If the file
|
|
.Pa /etc/ftpwelcome
|
|
exists,
|
|
.Nm
|
|
prints it before issuing the
|
|
.Dq ready
|
|
message.
|
|
If the file
|
|
.Pa /etc/motd
|
|
exists (under the chroot directory if applicable),
|
|
.Nm
|
|
prints it after a successful login.
|
|
This may be changed with the
|
|
.Xr ftpd.conf 5
|
|
directive
|
|
.Sy motd .
|
|
.Pp
|
|
The
|
|
.Nm
|
|
server currently supports the following
|
|
.Tn FTP
|
|
requests.
|
|
The case of the requests is ignored.
|
|
.Bl -column "Request" -offset indent
|
|
.It Sy Request Ta Sy Description
|
|
.It ABOR Ta "abort previous command"
|
|
.It ACCT Ta "specify account (ignored)"
|
|
.It ALLO Ta "allocate storage (vacuously)"
|
|
.It APPE Ta "append to a file"
|
|
.It CDUP Ta "change to parent of current working directory"
|
|
.It CWD Ta "change working directory"
|
|
.It DELE Ta "delete a file"
|
|
.It EPSV Ta "prepare for server-to-server transfer"
|
|
.It EPRT Ta "specify data connection port"
|
|
.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
|
|
.It HELP Ta "give help information"
|
|
.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA"
|
|
.It LPSV Ta "prepare for server-to-server transfer"
|
|
.It LPRT Ta "specify data connection port"
|
|
.It MLSD Ta "list contents of directory in a machine-processable form"
|
|
.It MLST Ta "show a pathname in a machine-processable form"
|
|
.It MKD Ta "make a directory"
|
|
.It MDTM Ta "show last modification time of file"
|
|
.It MODE Ta "specify data transfer" Em mode
|
|
.It NLST Ta "give name list of files in directory"
|
|
.It NOOP Ta "do nothing"
|
|
.It OPTS Ta "define persistent options for a given command"
|
|
.It PASS Ta "specify password"
|
|
.It PASV Ta "prepare for server-to-server transfer"
|
|
.It PORT Ta "specify data connection port"
|
|
.It PWD Ta "print the current working directory"
|
|
.It QUIT Ta "terminate session"
|
|
.It REST Ta "restart incomplete transfer"
|
|
.It RETR Ta "retrieve a file"
|
|
.It RMD Ta "remove a directory"
|
|
.It RNFR Ta "specify rename-from file name"
|
|
.It RNTO Ta "specify rename-to file name"
|
|
.It SITE Ta "non-standard commands (see next section)"
|
|
.It SIZE Ta "return size of file"
|
|
.It STAT Ta "return status of server"
|
|
.It STOR Ta "store a file"
|
|
.It STOU Ta "store a file with a unique name"
|
|
.It STRU Ta "specify data transfer" Em structure
|
|
.It SYST Ta "show operating system type of server system"
|
|
.It TYPE Ta "specify data transfer" Em type
|
|
.It USER Ta "specify user name"
|
|
.It XCUP Ta "change to parent of current working directory (deprecated)"
|
|
.It XCWD Ta "change working directory (deprecated)"
|
|
.It XMKD Ta "make a directory (deprecated)"
|
|
.It XPWD Ta "print the current working directory (deprecated)"
|
|
.It XRMD Ta "remove a directory (deprecated)"
|
|
.El
|
|
.Pp
|
|
The following non-standard or
|
|
.Ux
|
|
specific commands are supported by the SITE request.
|
|
.Pp
|
|
.Bl -column Request -offset indent
|
|
.It Sy Request Ta Sy Description
|
|
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
|
|
.It HELP Ta "give help information."
|
|
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
|
|
.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
|
|
.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
|
|
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
|
|
.El
|
|
.Pp
|
|
The following
|
|
.Tn FTP
|
|
requests (as specified in
|
|
.Cm RFC 959 )
|
|
are recognized, but are not implemented:
|
|
.Sy ACCT ,
|
|
.Sy SMNT ,
|
|
and
|
|
.Sy REIN .
|
|
.Sy MDTM
|
|
and
|
|
.Sy SIZE
|
|
are not specified in
|
|
.Cm RFC 959 ,
|
|
but will appear in the
|
|
next updated
|
|
.Tn FTP
|
|
RFC.
|
|
.Pp
|
|
The
|
|
.Nm
|
|
server will abort an active file transfer only when the
|
|
.Sy ABOR
|
|
command is preceded by a Telnet "Interrupt Process" (IP)
|
|
signal and a Telnet "Synch" signal in the command Telnet stream,
|
|
as described in Internet
|
|
.Cm RFC 959 .
|
|
If a
|
|
.Sy STAT
|
|
command is received during a data transfer, preceded by a Telnet IP
|
|
and Synch, transfer status will be returned.
|
|
.Pp
|
|
.Nm
|
|
interprets file names according to the
|
|
.Dq globbing
|
|
conventions used by
|
|
.Xr csh 1 .
|
|
This allows users to utilize the metacharacters
|
|
.Dq Li \&*?[]{}~ .
|
|
.Ss User authentication
|
|
.Nm
|
|
authenticates users according to five rules.
|
|
.Pp
|
|
.Bl -enum -offset indent
|
|
.It
|
|
The login name must be in the password data base,
|
|
.Pa /etc/pwd.db ,
|
|
and not have a null password.
|
|
In this case a password must be provided by the client before any
|
|
file operations may be performed.
|
|
If the user has an S/Key key, the response from a successful
|
|
.Sy USER
|
|
command will include an S/Key challenge.
|
|
The client may choose to respond with a
|
|
.Sy PASS
|
|
command giving either
|
|
a standard password or an S/Key one-time password.
|
|
The server will automatically determine which type of password it
|
|
has been given and attempt to authenticate accordingly.
|
|
See
|
|
.Xr skey 1
|
|
for more information on S/Key authentication.
|
|
S/Key is a Trademark of Bellcore.
|
|
.It
|
|
The login name must be allowed based on the information in
|
|
.Xr ftpusers 5 .
|
|
.It
|
|
The user must have a standard shell returned by
|
|
.Xr getusershell 3 .
|
|
If the user's shell field in the password database is empty, the
|
|
shell is assumed to be
|
|
.Pa /bin/sh .
|
|
As per
|
|
.Xr shells 5 ,
|
|
the user's shell must be listed with full path in
|
|
.Pa /etc/shells .
|
|
.It
|
|
If directed by the file
|
|
.Xr ftpchroot 5
|
|
the session's root directory will be changed by
|
|
.Xr chroot 2
|
|
to the directory specified in the
|
|
.Xr ftpd.conf 5
|
|
.Sy chroot
|
|
directive (if set),
|
|
or to the home directory of the user.
|
|
However, the user must still supply a password.
|
|
This feature is intended as a compromise between a fully anonymous account
|
|
and a fully privileged account.
|
|
The account should also be set up as for an anonymous account.
|
|
.It
|
|
If the user name is
|
|
.Dq anonymous
|
|
or
|
|
.Dq ftp ,
|
|
an
|
|
anonymous
|
|
.Tn FTP
|
|
account must be present in the password
|
|
file (user
|
|
.Dq ftp ) .
|
|
In this case the user is allowed
|
|
to log in by specifying any password (by convention an email address for
|
|
the user should be used as the password).
|
|
.Pp
|
|
The server performs a
|
|
.Xr chroot 2
|
|
to the directory specified in the
|
|
.Xr ftpd.conf 5
|
|
.Sy chroot
|
|
directive (if set),
|
|
the
|
|
.Fl a Ar anondir
|
|
directory (if set),
|
|
or to the home directory of the
|
|
.Dq ftp
|
|
user.
|
|
.Pp
|
|
The server then performs a
|
|
.Xr chdir 2
|
|
to the directory specified in the
|
|
.Xr ftpd.conf 5
|
|
.Sy homedir
|
|
directive (if set), otherwise to
|
|
.Pa / .
|
|
.Pp
|
|
If other restrictions are required (such as disabling of certain
|
|
commands and the setting of a specific umask), then appropriate
|
|
entries in
|
|
.Xr ftpd.conf 5
|
|
are required.
|
|
.Pp
|
|
If the first character of the password supplied by an anonymous user
|
|
is
|
|
.Dq - ,
|
|
then the verbose messages displayed at login and upon a
|
|
.Sy CWD
|
|
command are suppressed.
|
|
.El
|
|
.Ss Display file escape sequences
|
|
When
|
|
.Nm
|
|
displays various files back to the client (such as
|
|
.Pa /etc/ftpwelcome
|
|
and
|
|
.Pa /etc/motd ) ,
|
|
various escape strings are replaced with information pertinent
|
|
to the current connection.
|
|
.Pp
|
|
The supported escape strings are:
|
|
.Bl -tag -width "Escape" -offset indent -compact
|
|
.It Sy "Escape"
|
|
.Sy Description
|
|
.It "\&%c"
|
|
Class name.
|
|
.It "\&%C"
|
|
Current working directory.
|
|
.It "\&%E"
|
|
Email address given with
|
|
.Fl e .
|
|
.It "\&%L"
|
|
Local hostname.
|
|
.It "\&%M"
|
|
Maximum number of users for this class.
|
|
Displays
|
|
.Dq unlimited
|
|
if there's no limit.
|
|
.It "\&%N"
|
|
Current number of users for this class.
|
|
.It "\&%R"
|
|
Remote hostname.
|
|
.It "\&%s"
|
|
If the result of the most recent
|
|
.Dq "\&%M"
|
|
or
|
|
.Dq "\&%N"
|
|
was not
|
|
.Dq Li 1 ,
|
|
print an
|
|
.Dq s .
|
|
.It "\&%S"
|
|
If the result of the most recent
|
|
.Dq "\&%M"
|
|
or
|
|
.Dq "\&%N"
|
|
was not
|
|
.Dq Li 1 ,
|
|
print an
|
|
.Dq S .
|
|
.It "\&%T"
|
|
Current time.
|
|
.It "\&%U"
|
|
User name.
|
|
.It "\&%\&%"
|
|
A
|
|
.Dq \&%
|
|
character.
|
|
.El
|
|
.Ss Setting up a restricted ftp subtree
|
|
In order that system security is not breached, it is recommended
|
|
that the
|
|
subtrees for the
|
|
.Dq ftp
|
|
and
|
|
.Dq chroot
|
|
accounts be constructed with care, following these rules
|
|
(replace
|
|
.Dq ftp
|
|
in the following directory names
|
|
with the appropriate account name for
|
|
.Sq chroot
|
|
users):
|
|
.Bl -tag -width "~ftp/incoming" -offset indent
|
|
.It Pa ~ftp
|
|
Make the home directory owned by
|
|
.Dq root
|
|
and unwritable by anyone.
|
|
.It Pa ~ftp/bin
|
|
Make this directory owned by
|
|
.Dq root
|
|
and unwritable by anyone (mode 555).
|
|
Generally any conversion commands should be installed
|
|
here (mode 111).
|
|
.It Pa ~ftp/etc
|
|
Make this directory owned by
|
|
.Dq root
|
|
and unwritable by anyone (mode 555).
|
|
The files
|
|
.Pa pwd.db
|
|
(see
|
|
.Xr passwd 5 )
|
|
and
|
|
.Pa group
|
|
(see
|
|
.Xr group 5 )
|
|
must be present for the
|
|
.Sy LIST
|
|
command to be able to display owner and group names instead of numbers.
|
|
The password field in
|
|
.Xr passwd 5
|
|
is not used, and should not contain real passwords.
|
|
The file
|
|
.Pa motd ,
|
|
if present, will be printed after a successful login.
|
|
These files should be mode 444.
|
|
.It Pa ~ftp/pub
|
|
This directory and the subdirectories beneath it should be owned
|
|
by the users and groups responsible for placing files in them,
|
|
and be writable only by them (mode 755 or 775).
|
|
They should
|
|
.Em not
|
|
be owned or writable by ftp or its group.
|
|
.It Pa ~ftp/incoming
|
|
This directory is where anonymous users place files they upload.
|
|
The owners should be the user
|
|
.Dq ftp
|
|
and an appropriate group.
|
|
Members of this group will be the only users with access to these
|
|
files after they have been uploaded; these should be people who
|
|
know how to deal with them appropriately.
|
|
If you wish anonymous
|
|
.Tn FTP
|
|
users to be able to see the names of the
|
|
files in this directory the permissions should be 770, otherwise
|
|
they should be 370.
|
|
.Pp
|
|
The following
|
|
.Xr ftpd.conf 5
|
|
directives should be used:
|
|
.Dl "modify guest off"
|
|
.Dl "umask guest 0707"
|
|
.Dl "upload guest on"
|
|
.Pp
|
|
This will result in anonymous users being able to upload files to this
|
|
directory, but they will not be able to download them, delete them, or
|
|
overwrite them, due to the umask and disabling of the commands mentioned
|
|
above.
|
|
.It Pa ~ftp/tmp
|
|
This directory is used to create temporary files which contain
|
|
the error messages generated by a conversion or
|
|
.Sy LIST
|
|
command.
|
|
The owner should be the user
|
|
.Dq ftp .
|
|
The permissions should be 300.
|
|
.Pp
|
|
If you don't enable conversion commands, or don't want anonymous users
|
|
uploading files here (see
|
|
.Pa ~ftp/incoming
|
|
above), then don't create this directory.
|
|
However, error messages from conversion or
|
|
.Sy LIST
|
|
commands won't be returned to the user.
|
|
(This is the traditional behaviour.)
|
|
Note that the
|
|
.Xr ftpd.conf 5
|
|
directive
|
|
.Sy upload
|
|
can be used to prevent users uploading here.
|
|
.El
|
|
.Pp
|
|
To set up "ftp-only" accounts that provide only
|
|
.Tn FTP ,
|
|
but no valid shell
|
|
login, you can copy/link
|
|
.Pa /sbin/nologin
|
|
to
|
|
.Pa /sbin/ftplogin ,
|
|
and enter
|
|
.Pa /sbin/ftplogin
|
|
to
|
|
.Pa /etc/shells
|
|
to allow logging-in via
|
|
.Tn FTP
|
|
into the accounts, which must have
|
|
.Pa /sbin/ftplogin
|
|
as login shell.
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/ftpwelcome -compact
|
|
.It Pa /etc/ftpchroot
|
|
List of normal users whose root directory should be changed via
|
|
.Xr chroot 2 .
|
|
.It Pa /etc/ftpd.conf
|
|
Configure file conversions and other settings.
|
|
.It Pa /etc/ftpusers
|
|
List of unwelcome/restricted users.
|
|
.It Pa /etc/ftpwelcome
|
|
Welcome notice before login.
|
|
.It Pa /etc/motd
|
|
Welcome notice after login.
|
|
.It Pa /etc/nologin
|
|
If it exists, displayed and access is refused.
|
|
.It Pa /var/run/ftpd.pids-CLASS
|
|
State file of logged-in processes for the
|
|
.Nm
|
|
class
|
|
.Sq CLASS .
|
|
.It Pa /var/run/utmp
|
|
List of logged-in users on the system.
|
|
.It Pa /var/log/wtmp
|
|
Login history database.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ftp 1 ,
|
|
.Xr skey 1 ,
|
|
.Xr who 1 ,
|
|
.Xr getusershell 3 ,
|
|
.Xr ftpchroot 5 ,
|
|
.Xr ftpd.conf 5 ,
|
|
.Xr ftpusers 5 ,
|
|
.Xr syslogd 8
|
|
.Sh STANDARDS
|
|
.Nm
|
|
recognizes all commands in
|
|
.Cm RFC 959 ,
|
|
follows the guidelines in
|
|
.Cm RFC 1123 ,
|
|
recognizes all commands in
|
|
.Cm RFC 2228
|
|
(although they are not supported yet),
|
|
and supports the extensions from
|
|
.Cm RFC 2389 ,
|
|
.Cm RFC 2428
|
|
and
|
|
.Cm draft-ietf-ftpext-mlst-11 .
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
command appeared in
|
|
.Bx 4.2 .
|
|
.Pp
|
|
Various features such as the
|
|
.Xr ftpd.conf 5
|
|
functionality,
|
|
.Cm RFC 2389 ,
|
|
and
|
|
.Cm draft-ietf-ftpext-mlst-11
|
|
support was implemented in
|
|
.Nx 1.3
|
|
and later releases by Luke Mewburn.
|
|
.Sh BUGS
|
|
The server must run as the super-user to create sockets with
|
|
privileged port numbers (i.e, those less than
|
|
.Dv IPPORT_RESERVED ,
|
|
which is 1024).
|
|
If
|
|
.Nm
|
|
is listening on a privileged port
|
|
it maintains an effective user id of the logged in user, reverting
|
|
to the super-user only when binding addresses to privileged sockets.
|
|
The
|
|
.Fl r
|
|
option can be used to override this behaviour and force privileges to
|
|
be permanently revoked; see
|
|
.Sx SECURITY CONSIDERATIONS
|
|
below for more details.
|
|
.Pp
|
|
.Nm
|
|
may have trouble handling connections from scoped IPv6 addresses, or
|
|
IPv4 mapped addresses
|
|
.Po
|
|
IPv4 connection on
|
|
.Dv AF_INET6
|
|
socket
|
|
.Pc .
|
|
For the latter case, running two daemons,
|
|
one for IPv4 and one for IPv6, will avoid the problem.
|
|
.Sh SECURITY CONSIDERATIONS
|
|
.Cm RFC 959
|
|
provides no restrictions on the
|
|
.Sy PORT
|
|
command, and this can lead to security problems, as
|
|
.Nm
|
|
can be fooled into connecting to any service on any host.
|
|
With the
|
|
.Dq checkportcmd
|
|
feature of the
|
|
.Xr ftpd.conf 5 ,
|
|
.Sy PORT
|
|
commands with different host addresses, or TCP ports lower than
|
|
.Dv IPPORT_RESERVED
|
|
will be rejected.
|
|
This also prevents
|
|
.Sq third-party proxy ftp
|
|
from working.
|
|
Use of this option is
|
|
.Em strongly
|
|
recommended, and enabled by default.
|
|
.Pp
|
|
By default
|
|
.Nm
|
|
uses a port that is one less than the port it is listening on to
|
|
communicate back to the client for the
|
|
.Sy EPRT ,
|
|
.Sy LPRT ,
|
|
and
|
|
.Sy PORT
|
|
commands, unless overridden with
|
|
.Fl P Ar dataport .
|
|
As the default port for
|
|
.Nm
|
|
(21) is a privileged port below
|
|
.Dv IPPORT_RESERVED ,
|
|
.Nm
|
|
retains the ability to switch back to root privileges to bind these
|
|
ports.
|
|
In order to increase security by reducing the potential for a bug in
|
|
.Nm
|
|
providing a remote root compromise,
|
|
.Nm
|
|
will permanently drop root privileges if one of the following is true:
|
|
.Bl -enum -offset indent
|
|
.It
|
|
.Nm
|
|
is running on a port greater than
|
|
.Dv IPPORT_RESERVED
|
|
and the user has logged in as a
|
|
.Sq guest
|
|
or
|
|
.Sq chroot
|
|
user.
|
|
.It
|
|
.Nm
|
|
was invoked with
|
|
.Fl r .
|
|
.El
|
|
.Pp
|
|
Don't create
|
|
.Pa ~ftp/tmp
|
|
if you don't want anonymous users to upload files there.
|
|
That directory is only necessary if you want to display the error
|
|
messages of conversion commands to the user.
|
|
Note that if uploads are disabled with the
|
|
.Xr ftpd.conf 5
|
|
directive
|
|
.Sy upload ,
|
|
then this directory cannot be abused by the user in this way, so it
|
|
should be safe to create.
|