597 lines
17 KiB
Groff
597 lines
17 KiB
Groff
.\" $NetBSD: ftpd.8,v 1.22 1998/02/13 17:15:56 cjs Exp $
|
|
.\"
|
|
.\" Copyright (c) 1985, 1988, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. All advertising materials mentioning features or use of this software
|
|
.\" must display the following acknowledgement:
|
|
.\" This product includes software developed by the University of
|
|
.\" California, Berkeley and its contributors.
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
|
|
.\"
|
|
.Dd June 10, 1997
|
|
.Dt FTPD 8
|
|
.Os NetBSD
|
|
.Sh NAME
|
|
.Nm ftpd ,
|
|
.Nm ftpd.conf
|
|
.Nd
|
|
Internet File Transfer Protocol server
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl dl
|
|
.Op Fl a Ar anondir
|
|
.Op Fl c Ar confdir
|
|
.Op Fl C Ar user
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is the
|
|
Internet File Transfer Protocol
|
|
server process. The server uses the
|
|
.Tn TCP
|
|
protocol
|
|
and listens at the port specified in the
|
|
.Dq ftp
|
|
service specification; see
|
|
.Xr services 5 .
|
|
.Pp
|
|
Available options:
|
|
.Bl -tag -width Ds
|
|
.It Fl a
|
|
Define the directory to
|
|
.Xr chroot 2
|
|
into for anonymous logins.
|
|
Default is the home directory for the ftp user.
|
|
.It Fl c
|
|
Change the root directory of the configuration files from
|
|
.Dq Pa /etc
|
|
to
|
|
.Ar directory .
|
|
.It Fl C
|
|
Check whether the specified user would be granted access under
|
|
the restrictions given in
|
|
.Pa /etc/ftpusers
|
|
and exit without attempting a connection.
|
|
.Nm
|
|
exits with an exit code of 0 if access would be granted, or 1 otherwise.
|
|
This can be useful for testing configurations.
|
|
.It Fl d
|
|
Debugging information is written to the syslog using LOG_FTP.
|
|
.It Fl l
|
|
Each successful and failed
|
|
.Xr ftp 1
|
|
session is logged using syslog with a facility of LOG_FTP.
|
|
If this option is specified twice, the retrieve (get), store (put), append,
|
|
delete, make directory, remove directory and rename operations and
|
|
their filename arguments are also logged.
|
|
.El
|
|
.Pp
|
|
The file
|
|
.Pa /etc/nologin
|
|
can be used to disable ftp access.
|
|
If the file exists,
|
|
.Nm
|
|
displays it and exits.
|
|
If the file
|
|
.Pa /etc/ftpwelcome
|
|
exists,
|
|
.Nm
|
|
prints it before issuing the
|
|
.Dq ready
|
|
message.
|
|
If the file
|
|
.Pa /etc/motd
|
|
exists,
|
|
.Nm
|
|
prints it after a successful login.
|
|
.Pp
|
|
The ftp server currently supports the following ftp requests.
|
|
The case of the requests is ignored.
|
|
.Bl -column "Request" -offset indent
|
|
.It Request Ta "Description"
|
|
.It ABOR Ta "abort previous command"
|
|
.It ACCT Ta "specify account (ignored)"
|
|
.It ALLO Ta "allocate storage (vacuously)"
|
|
.It APPE Ta "append to a file"
|
|
.It CDUP Ta "change to parent of current working directory"
|
|
.It CWD Ta "change working directory"
|
|
.It DELE Ta "delete a file"
|
|
.It HELP Ta "give help information"
|
|
.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA"
|
|
.It MKD Ta "make a directory"
|
|
.It MDTM Ta "show last modification time of file"
|
|
.It MODE Ta "specify data transfer" Em mode
|
|
.It NLST Ta "give name list of files in directory"
|
|
.It NOOP Ta "do nothing"
|
|
.It PASS Ta "specify password"
|
|
.It PASV Ta "prepare for server-to-server transfer"
|
|
.It PORT Ta "specify data connection port"
|
|
.It PWD Ta "print the current working directory"
|
|
.It QUIT Ta "terminate session"
|
|
.It REST Ta "restart incomplete transfer"
|
|
.It RETR Ta "retrieve a file"
|
|
.It RMD Ta "remove a directory"
|
|
.It RNFR Ta "specify rename-from file name"
|
|
.It RNTO Ta "specify rename-to file name"
|
|
.It SITE Ta "non-standard commands (see next section)"
|
|
.It SIZE Ta "return size of file"
|
|
.It STAT Ta "return status of server"
|
|
.It STOR Ta "store a file"
|
|
.It STOU Ta "store a file with a unique name"
|
|
.It STRU Ta "specify data transfer" Em structure
|
|
.It SYST Ta "show operating system type of server system"
|
|
.It TYPE Ta "specify data transfer" Em type
|
|
.It USER Ta "specify user name"
|
|
.It XCUP Ta "change to parent of current working directory (deprecated)"
|
|
.It XCWD Ta "change working directory (deprecated)"
|
|
.It XMKD Ta "make a directory (deprecated)"
|
|
.It XPWD Ta "print the current working directory (deprecated)"
|
|
.It XRMD Ta "remove a directory (deprecated)"
|
|
.El
|
|
.Pp
|
|
The following non-standard or
|
|
.Tn UNIX
|
|
specific commands are supported
|
|
by the
|
|
SITE request.
|
|
.Pp
|
|
.Bl -column Request -offset indent
|
|
.It Sy Request Ta Sy Description
|
|
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
|
|
.It HELP Ta "give help information."
|
|
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
|
|
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
|
|
.El
|
|
.Pp
|
|
The remaining ftp requests specified in Internet RFC 959
|
|
are
|
|
recognized, but not implemented.
|
|
MDTM and SIZE are not specified in RFC 959, but will appear in the
|
|
next updated FTP RFC.
|
|
.Pp
|
|
The ftp server will abort an active file transfer only when the
|
|
ABOR
|
|
command is preceded by a Telnet "Interrupt Process" (IP)
|
|
signal and a Telnet "Synch" signal in the command Telnet stream,
|
|
as described in Internet RFC 959.
|
|
If a
|
|
STAT
|
|
command is received during a data transfer, preceded by a Telnet IP
|
|
and Synch, transfer status will be returned.
|
|
.Pp
|
|
.Nm
|
|
interprets file names according to the
|
|
.Dq globbing
|
|
conventions used by
|
|
.Xr csh 1 .
|
|
This allows users to utilize the metacharacters
|
|
.Dq Li \&*?[]{}~ .
|
|
.Ss User authentication
|
|
.Nm
|
|
authenticates users according to five rules.
|
|
.Pp
|
|
.Bl -enum -offset indent
|
|
.It
|
|
The login name must be in the password data base,
|
|
.Pa /etc/pwd.db ,
|
|
and not have a null password.
|
|
In this case a password must be provided by the client before any
|
|
file operations may be performed.
|
|
If the user has an S/Key key, the response from a successful USER
|
|
command will include an S/Key challenge. The client may choose to respond
|
|
with a PASS command giving either a standard password or an S/Key
|
|
one-time password. The server will automatically determine which type of
|
|
password it has been given and attempt to authenticate accordingly. See
|
|
.Xr skey 1
|
|
for more information on S/Key authentication. S/Key is a Trademark of
|
|
Bellcore.
|
|
.It
|
|
The login name must be allowed based on the information in
|
|
.Pa /etc/ftpusers
|
|
(see below).
|
|
.It
|
|
The user must have a standard shell returned by
|
|
.Xr getusershell 3 .
|
|
(If the user's shell field in the password database is empty, the
|
|
shell is assumed to be
|
|
.Pa /bin/sh . )
|
|
.It
|
|
If the user name appears in the file
|
|
.Pa /etc/ftpchroot
|
|
the session's root will be changed to the user's login directory by
|
|
.Xr chroot 2
|
|
as for an
|
|
.Dq anonymous
|
|
or
|
|
.Dq ftp
|
|
account (see next item). However, the user must still supply a password.
|
|
This feature is intended as a compromise between a fully anonymous account
|
|
and a fully privileged account. The account should also be set up as for an
|
|
anonymous account.
|
|
.It
|
|
If the user name is
|
|
.Dq anonymous
|
|
or
|
|
.Dq ftp ,
|
|
an
|
|
anonymous ftp account must be present in the password
|
|
file (user
|
|
.Dq ftp ) .
|
|
In this case the user is allowed
|
|
to log in by specifying any password (by convention an email address for
|
|
the user should be used as the password).
|
|
The server performs a
|
|
.Xr chroot 2
|
|
to the home directory of the
|
|
.Dq ftp
|
|
user.
|
|
If other restrictions are required (such as disabling of certain
|
|
commands and the setting of a specific umask), then appropriate
|
|
entries in
|
|
.Pa /etc/ftpd.conf
|
|
are required.
|
|
.El
|
|
.Ss /etc/ftpusers
|
|
The file
|
|
.Pa /etc/ftpusers
|
|
is used to determine which users may use ftp.
|
|
If the file does not exist, all users are denied access. If it
|
|
does exist, each line is a a comment starting with
|
|
.Dq #
|
|
or a glob pattern that uses the same syntax as /bin/sh,
|
|
optionally followed by whitespace and
|
|
.Dq allow
|
|
or
|
|
.Dq deny .
|
|
Each glob pattern is compared in turn against the username
|
|
until a match is found. If the word following the matched glob
|
|
pattern is
|
|
.Dq allow
|
|
the user is granted access; if the word is
|
|
anything else, or nothing at all, the user is denied access.
|
|
(No further comparisons are attempted after the first successful match.)
|
|
If no match is found, the user is granted access.
|
|
This syntax is backward-compatable with the old syntax.
|
|
.Pp
|
|
If a user requests a guest login, the ftp server checks to see that
|
|
both
|
|
.Dq anonymous
|
|
and
|
|
.Dq ftp
|
|
have access, so if you deny all users by default, you will need to add both
|
|
.Dq "anonymous allow"
|
|
and
|
|
.Dq "ftp allow"
|
|
to
|
|
.Pa /etc/ftpusers
|
|
in order to allow guest logins.
|
|
.Ss /etc/ftpd.conf
|
|
The file
|
|
.Pa /etc/ftpd.conf
|
|
is used to configure various options.
|
|
Each line starting with a
|
|
.Dq #
|
|
is a comment (and ignored), and all other non-blank lines are treated
|
|
as configuration directives.
|
|
.Pp
|
|
Each configuration line may be one of:
|
|
.Bl -tag -width 4n
|
|
.It Sy checkportcmd Ar class Op Sy off
|
|
Check the
|
|
PORT
|
|
command for validity. The
|
|
PORT
|
|
command will fail if the IP address specified does not match the ftp
|
|
command connection, or if the remote TCP port number is less than
|
|
.Dv IPPORT_RESERVED .
|
|
It is
|
|
.Em strongly
|
|
encouraged that this option be used, espcially for sites concerned
|
|
with potential security problems with ftp bounce attacks.
|
|
If class is
|
|
.Dq none
|
|
or
|
|
.Sy off
|
|
is given, disable this feature, otherwise enable it.
|
|
.It Xo Sy conversion Ar class
|
|
.Ar suffix Op Ar "type disable command"
|
|
.Xc
|
|
Define an automatic in-line file conversion.
|
|
If a file to retrieve ends in
|
|
.Ar suffix ,
|
|
and a real file (sans
|
|
.Ar suffix )
|
|
exists, then the output of
|
|
.Ar command
|
|
is returned instead of the contents of the file.
|
|
.Pp
|
|
.Bl -tag -width "disable" -offset indent
|
|
.It Ar suffix
|
|
The suffix to initiate the conversion.
|
|
.It Ar type
|
|
A list of valid filetypes for the conversion.
|
|
Valid types are:
|
|
.Sq f
|
|
(file), and
|
|
.Sq d
|
|
(directory).
|
|
.It Ar disable
|
|
The name of file that will prevent conversion if it exists.
|
|
A filename of
|
|
.Pa \&.
|
|
will prevent this disabling action.
|
|
.It Ar command
|
|
The command to run for the conversion.
|
|
The first word should be the full path name
|
|
of the command, as
|
|
.Xr execv 3
|
|
is used to execute the command.
|
|
The first instance of
|
|
.Sq %s
|
|
in
|
|
.Ar command
|
|
is replaced with the requested file (sans
|
|
.Ar suffix ) .
|
|
.El
|
|
.Pp
|
|
Conversion directives specified later in the file override earlier
|
|
conversions with the same suffix. The order in which conversions is
|
|
matched is the reverse of their order in the file (i.e., a LIFO).
|
|
.It Sy display Ar class Op Ar file
|
|
If
|
|
.Ar file
|
|
isn't given or
|
|
.Ar class
|
|
is
|
|
.Dq none ,
|
|
disable this.
|
|
Otherwise, each time the user enters a new directory, check if
|
|
.Ar file
|
|
exists, and if so, display its contents to the user.
|
|
.It Sy maxtimeout Ar class Ar time
|
|
Set the maximum timeout period that a client may request,
|
|
defaulting to two hours.
|
|
This cannot be lesser than 30 seconds, or the value for
|
|
.Sy timeout .
|
|
Ignored if class is
|
|
.Dq none
|
|
or
|
|
.Ar time
|
|
isn't specified.
|
|
.It Sy modify Ar class Op Sy off
|
|
If class is
|
|
.Dq none
|
|
or
|
|
.Sy off
|
|
is given, disable the following commands:
|
|
CHMOD, DELE, MKD, RNFR, RMD, and UMASK.
|
|
Otherwise, enable them.
|
|
.It Sy notify Ar class Op Ar fileglob
|
|
If
|
|
.Ar fileglob
|
|
isn't given or
|
|
.Ar class
|
|
is
|
|
.Dq none ,
|
|
disable this.
|
|
Otherwise, each time the user enters a new directory,
|
|
notify the user of any files matching
|
|
.Ar fileglob .
|
|
.It Sy timeout Ar class Ar time
|
|
Set the inactivity timeout period.
|
|
(the default is fifteen minutes).
|
|
This cannot be lesser than 30 seconds, or greater than the value for
|
|
.Sy maxtimeout .
|
|
Ignored if class is
|
|
.Dq none
|
|
or
|
|
.Ar time
|
|
isn't specified.
|
|
.It Sy umask Ar class Ar umaskval
|
|
Set the umask to
|
|
.Ar umaskval .
|
|
Ignored if class is
|
|
.Dq none
|
|
or
|
|
.Ar umaskval
|
|
isn't specified.
|
|
.El
|
|
.Pp
|
|
In any configuration line,
|
|
.Ar class
|
|
is one of:
|
|
.Bl -tag -width "chroot" -compact -offset indent
|
|
.It Sy real
|
|
Normal user logins.
|
|
.It Sy chroot
|
|
Users that have been
|
|
.Xr chroot 2 ed.
|
|
.It Sy guest
|
|
.Dq anonymous
|
|
and
|
|
.Dq ftp
|
|
users.
|
|
.It Sy all
|
|
Matches any class.
|
|
.It Sy none
|
|
Matches no class.
|
|
.El
|
|
.Pp
|
|
The following defaults are used:
|
|
.Bd -literal -offset indent -compact
|
|
checkportcmd none
|
|
display none
|
|
maxtimeout all 7200 # 2 hours
|
|
modify all
|
|
modify guest off
|
|
notify none
|
|
timeout all 900 # 15 minutes
|
|
umask all 027
|
|
umask guest 0707
|
|
.Ed
|
|
.Pp
|
|
Directives that appear later in the file override settings by previous
|
|
directives. This allows
|
|
.Sq wildcard
|
|
entries to define defaults, and then have class-specific overrides.
|
|
.Pp
|
|
The
|
|
STAT
|
|
command will return the class settings for the current user as defined by
|
|
.Pa /etc/ftpd.conf .
|
|
.Ss Setting up a restricted ftp subtree
|
|
In order that system security is not breached, it is recommended
|
|
that the
|
|
subtrees for the
|
|
.Dq ftp
|
|
and
|
|
.Dq chroot
|
|
accounts be constructed with care, following these rules
|
|
(replace
|
|
.Dq ftp
|
|
in the following directory names
|
|
with the appropriate account name for
|
|
.Sq chroot
|
|
users):
|
|
.Bl -tag -width "~ftp/incoming" -offset indent
|
|
.It Pa ~ftp
|
|
Make the home directory owned by
|
|
.Dq root
|
|
and unwritable by anyone.
|
|
.It Pa ~ftp/bin
|
|
Make this directory owned by
|
|
.Dq root
|
|
and unwritable by anyone (mode 555).
|
|
The program
|
|
.Xr ls 1
|
|
must be present to support the
|
|
.Sq LIST
|
|
command.
|
|
This program should be mode 111.
|
|
.It Pa ~ftp/etc
|
|
Make this directory owned by
|
|
.Dq root
|
|
and unwritable by anyone (mode 555).
|
|
The files
|
|
.Pa pwd.db
|
|
(see
|
|
.Xr passwd 5 )
|
|
and
|
|
.Pa group
|
|
(see
|
|
.Xr group 5 )
|
|
must be present for the
|
|
.Xr ls
|
|
command to be able to produce owner names rather than numbers.
|
|
The password field in
|
|
.Xr passwd
|
|
is not used, and should not contain real passwords.
|
|
The file
|
|
.Pa motd ,
|
|
if present, will be printed after a successful login.
|
|
These files should be mode 444.
|
|
.It Pa ~ftp/pub
|
|
This directory and the subdirectories beneath it should be owned
|
|
by the users and groups responsible for placing files in them,
|
|
and be writable only by them (mode 755 or 775). They should
|
|
.Em not
|
|
be owned or writable by ftp or its group.
|
|
.It Pa ~ftp/incoming
|
|
This directory is where anonymous users place files they upload.
|
|
The owners should be the user
|
|
.Dq ftp
|
|
and an appropriate group.
|
|
Members of this group will be the only users with access to these
|
|
files after they have been uploaded; these should be people who
|
|
know how to deal with them appropriately. If you wish anonymous
|
|
ftp users to be able to see the names of the files in this directory
|
|
the permissions should be 770, otherwise they should be 370.
|
|
.Pp
|
|
Anonymous users will be able to upload files to this directory,
|
|
but they will not be able to download them, delete them, or overwrite
|
|
them, due to the umask and disabling of the commands mentioned
|
|
above.
|
|
.El
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/ftpwelcome -compact
|
|
.It Pa /etc/ftpchroot
|
|
List of normal users who should be chroot'd.
|
|
.It Pa /etc/ftpd.conf
|
|
Configure file conversions and other settings.
|
|
.It Pa /etc/ftpusers
|
|
List of unwelcome/restricted users.
|
|
.It Pa /etc/ftpwelcome
|
|
Welcome notice before login.
|
|
.It Pa /etc/motd
|
|
Welcome notice after login.
|
|
.It Pa /etc/nologin
|
|
If it exists, displayed and access is refused.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ftp 1 ,
|
|
.Xr skey 1 ,
|
|
.Xr getusershell 3 ,
|
|
.Xr syslogd 8
|
|
.Sh BUGS
|
|
The server must run as the super-user
|
|
to create sockets with privileged port numbers. It maintains
|
|
an effective user id of the logged in user, reverting to
|
|
the super-user only when binding addresses to sockets. The
|
|
possible security holes have been extensively
|
|
scrutinized, but are possibly incomplete.
|
|
.Pp
|
|
.Cm RFC-959
|
|
provides no restrictions on the PORT command, and this can lead
|
|
to security problems, as
|
|
.Nm
|
|
can be fooled into connecting to any service on any host. With the
|
|
``checkportcmd'' feature of the
|
|
.Pa /etc/ftpd.conf ,
|
|
PORT commands with different host addresses, or TCP ports lower than
|
|
.Dv IPPORT_RESERVED
|
|
will be rejected. Use of this option is
|
|
.Em strongly
|
|
recommended.
|
|
.Pp
|
|
The feedback to the client is inadequate in the case of an
|
|
error that occurs during a retrieval that uses a
|
|
.Dq conversion
|
|
command
|
|
(refer to
|
|
.Sx /etc/ftpd.conf ) .
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
command appeared in
|
|
.Bx 4.2 .
|
|
.Pp
|
|
The
|
|
.Pa /etc/ftpd.conf
|
|
functionality was implemented in
|
|
.Nx 1.3
|
|
by Luke Mewburn, based on work by Simon Burge.
|