
FTPD(8)			    System Manager's Manual		       FTPD(8)

       ftpd - DARPA Internet File Transfer Protocol server

       ftpd [-A | -a] [-C] [-c] [-d] [-E] [-l] [-v] [-T maxtimeout] [-t timeout]
            [-p port] [-U ftpusers-file] [-u umask] [-r realm-file] [-s srvtab]
            [-w{ip|maxhostlen[,{striplocal|nostriplocal}]}]

       Ftpd  is the DARPA Internet File Transfer Protocol server process.  The
       server uses the TCP protocol and listens at the port specified  in  the
       ``ftp'' service specification; see services(5).

       Available options:

       -A     Connections  are only allowed for users who can authenticate via
	      the ftp AUTH mechanism. (Anonymous ftp may also be allowed if it
	      is  configured.) Ftpd will ask the user for a password if one is

       -a     Connections are only allowed for users who can authenticate (via
	      the ftp AUTH mechanism) and who are authorized to connect to the
	      named account without a password. (Anonymous  ftp	 may  also  be
	      allowed if it is configured.)

       -C     Non-anonymous  users  need  local	 credentials  (for example, to
	      authenticate to remote  fileservers),  and  so  they  should  be
	      prompted	for  a	password  unless they forwarded credentials as
	      part of authentication.

       -c     Allow the CCC (Clear Command Channel) command to be  used.  This
	      allows less secure connections, and should probably only be used
	      when debugging.

       -d     Debugging information is written to the syslog.	(Identical  to

       -E     Don't  allow  passwords  to  be typed across unencrypted connec-

       -l     Each ftp(1) session is logged in the syslog.  If this flag
              appears twice, additional information about operations performed
              (such as files retrieved, directories created, etc.) will be
              logged via syslog.  If it appears three times, some other
              statistics such as the number of bytes transferred will be logged
              via syslog as well.

       -v     Debugging	 information  is written to the syslog.	 (Identical to

       -T maxtimeout
	      A client may request a maximum timeout  period  allowed  set  to
	      timeout  seconds	with  the  -T  option.	The default limit is 2
	      hours.  This is different from  the  normal  inactivity  timeout
	      specified by the -t option (see below).

       -t timeout
	      The  inactivity  timeout	period	is set to timeout seconds (the
	      default is 15 minutes).

       -p port
	      Run as a server and accept a connection on port.	 Normally  the
	      ftp server is invoked by inetd(8).

       -U ftpusers-file
	      Sets  the	 full  path and name of the ftpusers file to use.  The
	      default value is normally /etc/ftpusers.

       -u umask
              Sets the umask for the ftpd process.  The default value is
              normally 027.

       -r realm-file
	      Sets the name of the krb.conf file to use.  The default value is
	      normally set by /etc/krb5.conf.

       -s srvtab
              Sets the name of the srvtab file to use for Kerberos V4
              authentication.  The default value is normally /etc/srvtab.

       -w {ip|maxhostlen[,{striplocal|nostriplocal}]}
	      Controls	the  form  of  the remote hostname passed to login(1).
	      Specifying ip results in the numeric  IP	address	 always	 being
	      passed  to  login(1).  Specifying a number, maxhostlen, sets the
	      maximum length of the hostname passed to login(1) before it will
	      be passed as a numeric IP address.  If maxhostlen is 0, then the
	      system default, as determined by the utmp or  utmpx  structures,
	      is used.	The nostriplocal and striplocal options, which must be
	      preceded by a comma, control  whether  or	 not  the  local  host
	      domain  is  stripped  from the remote hostname.  By default, the
	      equivalent of striplocal is in effect.
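
As an added illustration (not part of the manpage or of the ftpd sources), the following Python function reproduces the -w rules above for one client: the ip form, a numeric maxhostlen including the 0 = system-default case, and the striplocal/nostriplocal modifier. The utmp default length of 16 is a constructed stand-in, and the assumption that the local domain is stripped before the length is compared is labelled in the code; the manpage does not state that order.

```python
import ipaddress

# Assumption: the system default hostname length that ftpd would otherwise
# read from the utmp/utmpx structures; 16 is a constructed value.
UTMP_HOST_LEN = 16


def parse_w_option(arg):
    """Parse a -w argument of the form {ip|maxhostlen[,{striplocal|nostriplocal}]}.

    Returns (mode, maxhostlen, striplocal) with mode 'ip' or 'len'.
    striplocal defaults to True, as the manpage states.
    """
    parts = arg.split(",")
    if len(parts) > 2:
        raise ValueError("too many fields in -w argument: %r" % arg)
    striplocal = True
    if len(parts) == 2:
        if parts[1] == "striplocal":
            striplocal = True
        elif parts[1] == "nostriplocal":
            striplocal = False
        else:
            raise ValueError("unknown -w modifier: %r" % parts[1])
    if parts[0] == "ip":
        return ("ip", None, striplocal)
    if not parts[0].isdigit():
        raise ValueError("maxhostlen must be a number or 'ip': %r" % parts[0])
    return ("len", int(parts[0]), striplocal)


def login_hostname(remote_host, remote_ip, w_arg, local_domain, utmp_len=UTMP_HOST_LEN):
    """Return the remote-host string ftpd would pass to login(1).

    Assumption: the local domain is stripped before the length is compared,
    so a name that only fits once stripped is still passed as a name.
    """
    ipaddress.ip_address(remote_ip)  # the fallback must itself be a valid address
    mode, maxhostlen, striplocal = parse_w_option(w_arg)
    if mode == "ip":
        return remote_ip
    name = remote_host
    suffix = "." + local_domain.lower()
    if striplocal and name.lower().endswith(suffix):
        name = name[: -len(suffix)]
    limit = utmp_len if maxhostlen == 0 else maxhostlen
    return name if len(name) <= limit else remote_ip


if __name__ == "__main__":
    # Constructed client: host1.example.org at 192.0.2.10, local domain example.org.
    for w in ("ip", "32", "32,nostriplocal", "8,nostriplocal", "0"):
        print("%-16s -> %s" % (w, login_hostname("host1.example.org", "192.0.2.10",
                                                  w, "example.org")))
```

The length test matters for audit trails: a hostname longer than the utmp field would be silently truncated in login records, so ftpd substitutes the numeric address, which always fits.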

       The ftp server currently supports the following ftp requests;  case  is
       not distinguished.

       Request	Description
       ABOR	abort previous command
       ACCT	specify account (ignored)
       ADAT	send an authentication protocol message
       ALLO	allocate storage (vacuously)
       APPE	append to a file
       AUTH	specify an authentication protocol to be performed
       CCC	set the command channel protection mode to "Clear" (no
		protection).  Only available if the -c command-line option was
       CDUP	change to parent of current working directory
       CWD	change working directory
       DELE	delete a file
       ENC	send a privacy and integrity protected command (given in argu-
       HELP	give help information
       LIST	list files in a directory (``ls -lgA'')
       MIC	send an integrity protected command (given in argument)
       MKD	make a directory
       MDTM	show last modification time of file
       MODE	specify data transfer mode
       NLST	give name list of files in directory
       NOOP	do nothing
       PASS	specify password
       PASV	prepare for server-to-server transfer
       PBSZ	specify a protection buffer size
       PORT	specify data connection port
       PROT	specify a protection level under which to protect data	trans-
       PWD	print the current working directory
       QUIT	terminate session
       REST	restart incomplete transfer
       RETR	retrieve a file
       RMD	remove a directory
       RNFR	specify rename-from file name
       RNTO	specify rename-to file name
       SITE	non-standard commands (see next section)
       SIZE	return size of file
       STAT	return status of server
       STOR	store a file
       STOU	store a file with a unique name
       STRU	specify data transfer structure
       SYST	show operating system type of server system
       TYPE	specify data transfer type
       USER	specify user name
       XCUP	change to parent of current working directory (deprecated)
       XCWD	change working directory (deprecated)
       XMKD	make a directory (deprecated)
       XPWD	print the current working directory (deprecated)
       XRMD	remove a directory (deprecated)

       The  following  non-standard or UNIX specific commands are supported by
       the SITE request.

       Request	Description
       UMASK	change umask.  E.g., SITE UMASK 002
       IDLE	set idle-timer.	 E.g., SITE IDLE 60
       CHMOD	change mode of a file.	E.g., SITE CHMOD 755 filename
       HELP	give help information.	E.g., SITE HELP

       The remaining ftp requests specified in Internet RFC 959 are recognized,
       but not implemented.  MDTM and SIZE are not specified in RFC 959, but
       will appear in the next updated FTP RFC.

       The ftp server will abort an active file transfer only when the ABOR
       command is preceded by a Telnet "Interrupt Process" (IP) signal and a
       Telnet "Synch" signal in the command Telnet stream, as described in
       Internet RFC 959.  If a STAT command is received during a data
       transfer, preceded by a Telnet IP and Synch, transfer status will be

       Ftpd  interprets	 file  names according to the ``globbing'' conventions
       used by csh(1).	 This  allows  users  to  utilize  the	metacharacters

       Ftpd authenticates users according to the following rules:

	 1.   The user name must be in the password data base, /etc/passwd.

	 2.   An AUTH command must be accepted, the ensuing authentication
	      protocol (conducted via ADAT commands and replies) must
	      successfully complete, and the authenticated user must be
	      permitted access.  Otherwise, a valid password which is not null
	      must be provided by the client.

	 3.   The user name must not appear in the file /etc/ftpusers.

	 4.   The user must have a standard shell returned by getusershell(3).

	 5.   If the user name is ``anonymous'' or ``ftp'', an anonymous ftp
	      account must be present in the password file (user ``ftp'').  In
	      this case the user is allowed to log in by specifying any
	      password (by convention this is given as the client host's name).
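
The five rules applied in order, as an added Python check that is not code from ftpd. The passwd, ftpusers and shell lists are constructed inline, sha256 stands in for the system's crypt(3), and the reading that listing ``ftp'' in ftpusers also disables anonymous logins is an assumption labelled in the code.

```python
import hashlib
import hmac

# Constructed stand-ins for /etc/passwd, /etc/ftpusers and the shell list that
# getusershell(3) would return; none of these are real system files.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/usr/sbin/nologin
svc:x:1003:1003:Service:/var/svc:/bin/sh
ftp:x:14:50:Anonymous FTP:/srv/ftp:/bin/sh
"""
FTPUSERS = """\
# accounts denied ftp access, one per line
root
svc
"""
SHELLS = {"/bin/sh", "/bin/bash"}
# Constructed password store; sha256 stands in for the system's crypt(3).
SHADOW = {
    "root": hashlib.sha256(b"root-pw").hexdigest(),
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
    "bob": hashlib.sha256(b"bob-pw").hexdigest(),
}


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = {"uid": int(f[2]), "home": f[5], "shell": f[6]}
    return users


def parse_ftpusers(text):
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


def password_ok(name, password):
    digest = SHADOW.get(name)
    if digest is None:
        return False
    return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), digest)


def check_login(name, password, auth_ok=False,
                passwd_text=PASSWD, ftpusers_text=FTPUSERS, shells=SHELLS):
    """Apply the five rules in order and return (allowed, reason).

    auth_ok means an AUTH/ADAT exchange completed and authorized this
    account, i.e. the first branch of rule 2.
    """
    users = parse_passwd(passwd_text)
    anonymous = name in ("anonymous", "ftp")
    account = "ftp" if anonymous else name
    # Rule 1 (and the account requirement of rule 5).
    if account not in users:
        return (False, "no anonymous account in passwd" if anonymous else "unknown user")
    # Rule 3. Assumption: listing ``ftp'' in ftpusers also disables anonymous.
    if account in parse_ftpusers(ftpusers_text):
        return (False, "listed in ftpusers")
    # Rule 4.
    if users[account]["shell"] not in shells:
        return (False, "non-standard shell")
    # Rule 5: any password is accepted for the anonymous account.
    if anonymous:
        return (True, "anonymous login as ftp")
    # Rule 2.
    if auth_ok:
        return (True, "authenticated via AUTH/ADAT")
    if password and password_ok(name, password):
        return (True, "authenticated by password")
    return (False, "bad or empty password")


if __name__ == "__main__":
    for name, pw, auth in (("alice", "correct horse", False), ("alice", "", True),
                           ("root", "root-pw", False), ("bob", "bob-pw", False),
                           ("carol", "x", False), ("anonymous", "client.example.org", False)):
        print("%-10s %s" % (name, check_login(name, pw, auth_ok=auth)))
```

Note that rules 3 and 4 are evaluated before any password is examined, so an account with a correct password is still refused when it is listed in ftpusers or has a shell outside getusershell(3).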

       In the last case, ftpd takes special measures to restrict the  client's
       access privileges.  The server performs a chroot(2) command to the home
       directory of the ``ftp'' user.  In order that system  security  is  not
       breached,  it  is  recommended  that the ``ftp'' subtree be constructed
       with care; the following rules are recommended.

       ~ftp   Make the home directory owned by ``ftp'' and unwritable by  any-

	      Make  this  directory  owned by the super-user and unwritable by
	      anyone.  The program ls(1) must be present to support  the  list
	      command.	This program should have mode 111.

	      Make  this  directory  owned by the super-user and unwritable by
	      anyone.  The files passwd(5) and group(5) must  be  present  for
	      the  ls  command	to  be able to produce owner names rather than
	      numbers.	The password field in passwd is not used,  and	should
	      not  contain  real  encrypted  passwords.	 These files should be
	      mode 444.

	      Make this directory mode 777 and owned by ``ftp''.  Users should
	      then  place  files  which are to be accessible via the anonymous
	      account in this directory.
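
An added audit helper in Python (not part of the manpage or of ftpd) that compares a candidate ~ftp tree against the ownership and mode rules just given. The subdirectory names bin, etc and pub do not appear in this copy of the page and are assumptions; owner checks are made against uids passed in by the caller, so the demo at the bottom runs as an unprivileged user on a throwaway tree with one deliberate deviation to show a finding.

```python
import os
import stat
import tempfile

# Assumption: the subdirectory names bin, etc and pub are not in this copy of
# the page; they are the conventional layout and are used here as stand-ins.
# Each rule: (path relative to ~ftp, required owner, permission predicate, description).
def no_write(perm):
    return perm & 0o222 == 0


def exact(want):
    return lambda perm: perm == want


RULES = [
    (".", "ftp", no_write, "unwritable by anyone"),
    ("bin", "root", no_write, "unwritable by anyone"),
    ("bin/ls", "root", exact(0o111), "mode 111"),
    ("etc", "root", no_write, "unwritable by anyone"),
    ("etc/passwd", "root", exact(0o444), "mode 444"),
    ("etc/group", "root", exact(0o444), "mode 444"),
    ("pub", "ftp", exact(0o777), "mode 777"),
]


def collect(root):
    """lstat every path the rules mention: {relpath: (uid, perm_bits) or None if missing}."""
    entries = {}
    for rel, _owner, _check, _desc in RULES:
        try:
            st = os.lstat(os.path.join(root, rel))
            entries[rel] = (st.st_uid, stat.S_IMODE(st.st_mode))
        except FileNotFoundError:
            entries[rel] = None
    return entries


def audit(entries, ftp_uid, root_uid=0):
    """Compare collected entries against RULES; an empty list means the tree conforms."""
    owners = {"ftp": ftp_uid, "root": root_uid}
    findings = []
    for rel, owner, check, desc in RULES:
        entry = entries.get(rel)
        if entry is None:
            findings.append("%s: missing" % rel)
            continue
        uid, perm = entry
        if uid != owners[owner]:
            findings.append("%s: owned by uid %d, expected %s (uid %d)"
                            % (rel, uid, owner, owners[owner]))
        if not check(perm):
            findings.append("%s: mode %04o, expected %s" % (rel, perm, desc))
    return findings


if __name__ == "__main__":
    # Build a throwaway tree with one deliberate mistake (ls left at 755) and
    # audit it with the current user standing in for both ftp and root.
    tmp = tempfile.TemporaryDirectory()
    home = tmp.name
    for d in ("bin", "etc", "pub"):
        os.mkdir(os.path.join(home, d))
    for f in ("bin/ls", "etc/passwd", "etc/group"):
        open(os.path.join(home, f), "w").close()
    os.chmod(os.path.join(home, "bin/ls"), 0o755)
    os.chmod(os.path.join(home, "etc/passwd"), 0o444)
    os.chmod(os.path.join(home, "etc/group"), 0o444)
    os.chmod(os.path.join(home, "pub"), 0o777)
    for d in (".", "bin", "etc"):
        os.chmod(os.path.join(home, d), 0o555)
    me = os.getuid()
    for line in audit(collect(home), ftp_uid=me, root_uid=me) or ["tree conforms"]:
        print(line)
    for d in (".", "bin", "etc"):   # restore write bits so cleanup can delete
        os.chmod(os.path.join(home, d), 0o755)
    tmp.cleanup()
```

Run against a real anonymous tree as root with ftp_uid set to the ``ftp'' account's uid (for example from pwd.getpwnam("ftp").pw_uid); every finding is one rule from the list above that the tree violates.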

       If an ADAT  command  succeeds,  the  control  channel  must  be	either
       integrity or privacy protected.	In this case, the MIC and ENC commands
       are the only commands allowed over the control channel.	 The  argument
       to  the MIC command is a base 64 encoded string which, when decoded, is
       an ftp command integrity protected with a cryptographic checksum.   The
       argument	 to  the  ENC  command is a base 64 encoded string which, when
       decoded, is an ftp command privacy and integrity protected with encryp-

       If  an ADAT command succeeds, ftp replies will also be either integrity
       or privacy protected.

       If an ADAT command succeeds, the data channel can also be integrity  or
       privacy	protected.  The PROT command accepts S for integrity and P for
       privacy protection.  Unless an ADAT command succeeds, the only  protec-
       tion level accepted by the PROT command is C (clear).
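
The control-channel rules in the three paragraphs above, as an added Python model that is not code from ftpd: before ADAT only PROT C is accepted, after ADAT only MIC and ENC commands are, and replies are wrapped the same way (631 and 632 reply lines). ADAT is collapsed into a single constructed key blob, and an HMAC-SHA256 tag plus a toy XOR keystream stand in for the GSSAPI MIC and wrap tokens a real server uses; the substitute crypto and the exact reply texts are assumptions for illustration only.

```python
import base64
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag appended to every protected token


def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def mic_wrap(key, text):
    """Integrity-only token: base64(text || tag). Stand-in for a GSSAPI MIC token."""
    data = text.encode()
    return base64.b64encode(data + _tag(key, data)).decode()


def mic_unwrap(key, b64):
    raw = base64.b64decode(b64)
    data, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, data)):
        raise ValueError("integrity check failed")
    return data.decode()


def _keystream(key, n):
    # Toy keystream of SHA-256(key || counter) blocks; illustrates structure only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def enc_wrap(key, text):
    """Privacy+integrity token: base64(ciphertext || tag over ciphertext)."""
    data = text.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return base64.b64encode(ct + _tag(key, ct)).decode()


def enc_unwrap(key, b64):
    raw = base64.b64decode(b64)
    ct, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, ct)):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode()


def adat_line(key):
    """Constructed: the whole ADAT exchange collapsed into one base64 key blob."""
    return "ADAT " + base64.b64encode(key).decode()


def corrupt_token(b64):
    """Flip one bit of a token's first byte (exercises the failed-check path)."""
    raw = bytearray(base64.b64decode(b64))
    raw[0] ^= 1
    return base64.b64encode(bytes(raw)).decode()


class ControlChannel:
    """Server side of one control connection, applying the ADAT/MIC/ENC/PROT rules."""

    def __init__(self):
        self.key = None   # set once ADAT succeeds
        self.prot = "C"   # data-channel protection level

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if self.key is None:
            if verb == "ADAT":
                self.key = base64.b64decode(arg)
                return "235 security data exchange complete"
            if verb in ("MIC", "ENC"):
                return "503 Bad sequence of commands"
            return self._dispatch(verb, arg)
        # After ADAT only MIC/ENC are accepted, and the reply is protected the same way.
        try:
            if verb == "MIC":
                inner, code, wrap = mic_unwrap(self.key, arg), "631", mic_wrap
            elif verb == "ENC":
                inner, code, wrap = enc_unwrap(self.key, arg), "632", enc_wrap
            else:
                return "533 Command must be MIC or ENC protected"
        except ValueError:          # covers bad base64 as well as a failed checksum
            return "535 Failed security check"
        v, _, a = inner.partition(" ")
        return "%s %s" % (code, wrap(self.key, self._dispatch(v.upper(), a)))

    def _dispatch(self, verb, arg):
        if verb == "PROT":
            level = arg.upper()
            if level == "C" or (self.key is not None and level in ("S", "P")):
                self.prot = level
                return "200 Protection level set to %s" % level
            return "536 Requested PROT level not supported"
        if verb == "NOOP":
            return "200 NOOP command successful"
        return "502 Command not implemented"
```

A typical run is ch = ControlChannel(); ch.handle(adat_line(key)); ch.handle("MIC " + mic_wrap(key, "PROT P")), after which ch.prot is "P" and the reply is a 631 line whose payload mic_unwrap(key, ...) recovers; a tampered or wrongly keyed token yields 535, and a bare NOOP after ADAT yields 533.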

       ftp(1), getusershell(3), syslogd(8)

       Lunt, S. J., FTP Security Extensions, Internet Draft, November 1993.

       The  anonymous  account is inherently dangerous and should avoided when

       The server must run as the super-user to create sockets with privileged
       port numbers.  It maintains an effective user id of the logged in user,
       reverting to the super-user only when  binding  addresses  to  sockets.
       The  possible security holes have been extensively scrutinized, but are
       possibly incomplete.

       The ftpd command appeared in 4.2BSD.