
FreeBSD Manual Pages


FTPD(8)			    System Manager's Manual		       FTPD(8)

NAME
       ftpd - DARPA Internet File Transfer Protocol server

SYNOPSIS
       ftpd [-A | -a] [-C] [-c] [-d] [-E] [-l] [-v] [-T maxtimeout]
            [-t timeout] [-p port] [-U ftpusers-file] [-u umask]
            [-r realm-file] [-s srvtab]
            [-w{ip|maxhostlen[,{striplocal|nostriplocal}]}]

DESCRIPTION
       Ftpd is the DARPA Internet File Transfer Protocol server process.  The
       server uses the TCP protocol and	listens	at the port specified  in  the
       ``ftp'' service specification; see services(5).

       Available options:

       -A     Connections are only allowed for users who can authenticate via
	      the ftp AUTH mechanism.  (Anonymous ftp may also be allowed if it
	      is configured.)  Ftpd will ask the user for a password if one is
	      required.

       -a     Connections are only allowed for users who can authenticate (via
	      the ftp AUTH mechanism) and who are authorized to	connect	to the
	      named account without a password.	(Anonymous ftp may also	be al-
	      lowed if it is configured.)

       -C     Non-anonymous  users need	local credentials (for example,	to au-
	      thenticate  to  remote  fileservers),  and  so  they  should  be
	      prompted	for  a	password  unless they forwarded	credentials as
	      part of authentication.

       -c     Allow the CCC (Clear Command Channel) command to be used.  Once
	      a client has issued CCC, every later command on the control
	      channel travels in the clear and can be read or altered in
	      transit, so this should probably only be used when debugging.

       -d     Debugging information is written to the syslog.  (Identical to
	      -v.)
       -E     Don't allow passwords to be typed across unencrypted
	      connections.
       -l     Each ftp(1) session is logged in the syslog.  If this  flag  ap-
	      pears  twice,  additional	information about operations performed
	      (such as files retrieved,	directories  created,  etc.)  will  be
	      logged  via  syslog.  If it appears three	times, some other sta-
	      tistics such as the number of bytes transferred will  be	logged
	      via syslog as well.

       -v     Debugging information is written to the syslog.  (Identical to
	      -d.)
       -T maxtimeout
	      A client may request a longer inactivity timeout than the
	      default (see SITE IDLE below); the largest value it may ask for
	      is maxtimeout seconds.  The default limit is 2 hours.  This is
	      different from the normal inactivity timeout specified by the -t
	      option (see below).

       -t timeout
	      The inactivity timeout period is set to timeout seconds (the de-
	      fault is 15 minutes).

       -p port
	      Run as a standalone daemon, listening for connections on port,
	      instead of being started for each connection by inetd(8).
	      Normally the ftp server is invoked by inetd(8).

       -U ftpusers-file
	      Sets  the	 full  path and	name of	the ftpusers file to use.  The
	      default value is normally	/etc/ftpusers.

       -u umask
	      Sets the umask for the ftpd process.  The	default	value is  nor-
	      mally 027.

       -w {ip|maxhostlen[,{striplocal|nostriplocal}]}
	      Controls	the  form  of  the remote hostname passed to login(1).
	      Specifying ip results in the numeric  IP	address	 always	 being
	      passed  to  login(1).  Specifying	a number, maxhostlen, sets the
	      maximum length of	the hostname passed to login(1)	before it will
	      be passed	as a numeric IP	address.  If maxhostlen	is 0, then the
	      system default, as determined by the utmp	or  utmpx  structures,
	      is used.	The nostriplocal and striplocal	options, which must be
	      preceded by a comma, control whether or not the local  host  do-
	      main  is	stripped  from	the  remote hostname.  By default, the
	      equivalent of striplocal is in effect.
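       The following is an added example, not part of this manual page or of
       ftpd's source: a Python model of how -w shapes the hostname string that
       is handed to login(1).  The local domain ``example.org'', a system
       default host-field length of 16 characters, and performing the length
       check on the already-stripped name are assumptions of the example, not
       values taken from ftpd.  The security point is that the reverse name is
       whatever the owner of the client's in-addr.arpa delegation chooses to
       publish, so ``-w ip'' is the safest form for audit records.

```python
import ipaddress

# Added example (not ftpd code): models the hostname form chosen by -w.
# UT_HOSTSIZE_DEFAULT stands in for "the system default as determined by
# the utmp or utmpx structures"; 16 is the classic <utmp.h> UT_HOSTSIZE and
# is an assumption here.
UT_HOSTSIZE_DEFAULT = 16


def login_hostname(ip, reverse_name, mode="0", strip_local=True,
                   local_domain="example.org"):
    """Return the string ftpd would hand to login(1) for one client.

    ip           -- the client's numeric address (the only trusted datum)
    reverse_name -- PTR name found for ip, or None if the lookup failed
    mode         -- "ip", or a decimal maxhostlen ("0" = system default)
    strip_local  -- the ,striplocal / ,nostriplocal suffix of -w
    local_domain -- domain removed when strip_local is set (assumed value)
    """
    ipaddress.ip_address(ip)          # raises ValueError on garbage input
    if mode == "ip" or not reverse_name:
        return ip                     # -w ip, or no usable reverse name
    maxlen = int(mode)
    if maxlen == 0:
        maxlen = UT_HOSTSIZE_DEFAULT
    name = reverse_name.rstrip(".")
    if strip_local and name.lower().endswith("." + local_domain.lower()):
        name = name[:-(len(local_domain) + 1)]
    # A name that would not fit the utmp host field is replaced by the
    # address rather than truncated (assumed from the description above).
    return ip if len(name) > maxlen else name
```

       With the default ``0'' and striplocal, ``client.example.org'' becomes
       ``client''; with nostriplocal the same name is 18 characters, exceeds
       the assumed 16-character field, and the numeric address is passed
       instead.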

       The ftp server currently	supports the following ftp requests;  case  is
       not distinguished.

       Request	Description
       ABOR	abort previous command
       ACCT	specify	account	(ignored)
       ADAT	send an	authentication protocol	message
       ALLO	allocate storage (vacuously)
       APPE	append to a file
       AUTH	specify	an authentication protocol to be performed
       CCC	set the command channel protection mode to "Clear" (no protec-
		tion).	Only available if the -c command-line option was given
       CDUP	change to parent of current working directory
       CWD	change working directory
       DELE	delete a file
       ENC	send a privacy and integrity protected command (given in argument)
       HELP	give help information
       LIST	give a list of files in a directory (``ls -lgA'')
       MIC	send an	integrity protected command (given in argument)
       MKD	make a directory
       MDTM	show last modification time of file
       MODE	specify	data transfer mode
       NLST	give name list of files	in directory
       NOOP	do nothing
       PASS	specify	password
       PASV	enter passive mode: the server listens for the data connection
		(used for server-to-server transfers and by clients that cannot
		accept incoming connections)
       PBSZ	specify	a protection buffer size
       PORT	specify	data connection	port
       PROT	specify a protection level under which to protect data transfers
       PWD	print the current working directory
       QUIT	terminate session
       REST	restart	incomplete transfer
       RETR	retrieve a file
       RMD	remove a directory
       RNFR	specify	rename-from file name
       RNTO	specify	rename-to file name
       SITE	non-standard commands (see next	section)
       SIZE	return size of file
       STAT	return status of server
       STOR	store a	file
       STOU	store a	file with a unique name
       STRU	specify	data transfer structure
       SYST	show operating system type of server system
       TYPE	specify	data transfer type
       USER	specify	user name
       XCUP	change to parent of current working directory (deprecated)
       XCWD	change working directory (deprecated)
       XMKD	make a directory (deprecated)
       XPWD	print the current working directory (deprecated)
       XRMD	remove a directory (deprecated)

       The  following  non-standard or UNIX specific commands are supported by
       the SITE	request.

       Request	Description
       UMASK	change umask.  E.g., SITE UMASK	002
       IDLE	set idle-timer.	 E.g., SITE IDLE 60
       CHMOD	change mode of a file.	E.g., SITE CHMOD 755 filename
       HELP	give help information.	E.g., SITE HELP

       The remaining ftp requests specified in Internet RFC 959 are recognized,
       but not implemented.  MDTM and SIZE are not specified in RFC 959; they
       were later standardized in RFC 3659.

       The ftp server will abort an active file	transfer only  when  the  ABOR
       command	is  preceded by	a Telnet "Interrupt Process" (IP) signal and a
       Telnet "Synch" signal in	the command Telnet stream, as described	in In-
       ternet  RFC 959.	 If a STAT command is received during a	data transfer,
       preceded	by a Telnet IP and Synch, transfer status will be returned.
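       An added example, not code from this manual page or from ftpd: a Python
       client-side builder for the abort sequence described above, together
       with a server-side parser that separates Telnet escapes from the
       command text and records whether a command arrived with IP and Synch.
       Only the byte values come from RFC 959 and the Telnet protocol; the
       function and variable names are the example's own.  Telnet option
       negotiation (WILL/WONT/DO/DONT) is skipped rather than answered, which
       is an assumption, and the DM byte is shown in-line although a real
       client sends it as TCP urgent data.

```python
# Added example (not ftpd code): the Telnet "Interrupt Process" + "Synch"
# prefix described above, as seen on the control connection.
IAC, DM, IP = 0xFF, 0xF2, 0xF4                 # Telnet command bytes
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE  # option negotiation (3 bytes)


def build_abort(command=b"ABOR"):
    """Bytes a client sends to interrupt a running transfer (ABOR or STAT).

    Real clients send the IAC DM pair with MSG_OOB so it is delivered as TCP
    urgent data; in the byte stream it simply precedes the command.
    """
    return bytes([IAC, IP, IAC, DM]) + command + b"\r\n"


def parse_control_stream(buf):
    """Split raw control-connection bytes into (command, urgent) pairs.

    urgent is True when Telnet IP and Synch (DM) both preceded the command,
    which is the only case in which ftpd honours ABOR or answers STAT during
    an active transfer.  Telnet escapes are removed from the command text;
    IAC IAC yields a literal 0xFF byte.
    """
    cmds, line, i = [], bytearray(), 0
    seen_ip = seen_dm = False
    while i < len(buf):
        b = buf[i]
        if b == IAC:
            if i + 1 >= len(buf):
                break                       # incomplete escape: wait for more
            nxt = buf[i + 1]
            if nxt == IAC:
                line.append(IAC)            # escaped literal 0xFF
                i += 2
            elif nxt in (WILL, WONT, DO, DONT):
                i += 3                      # option request: ignored here
            else:
                seen_ip |= nxt == IP
                seen_dm |= nxt == DM
                i += 2
            continue
        if b == 0x0A:                       # LF ends a command line
            text = bytes(line).rstrip(b"\r").decode("latin-1")
            cmds.append((text, seen_ip and seen_dm))
            line.clear()
            seen_ip = seen_dm = False
        else:
            line.append(b)
        i += 1
    return cmds


def should_abort_transfer(cmds, transfer_active=True):
    """Apply the rule above: abort only on an ABOR that carried IP+Synch."""
    if not transfer_active:
        return False
    return any(text.upper() == "ABOR" and urgent for text, urgent in cmds)
```

       A bare ``ABOR'' without the Telnet prefix is parsed but, during a
       transfer, is not acted on; the same prefix in front of ``STAT'' is what
       makes the server return transfer status mid-transfer.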

       Ftpd interprets file names according to the ``globbing'' conventions
       used by csh(1).  This allows users to use the csh(1) metacharacters in
       file name arguments.
       Ftpd authenticates users	according to the following rules:

	 1.   The user name must be in the password data base, /etc/passwd.

	 2.   An AUTH command must be accepted, the ensuing authentication
	      protocol (conducted via ADAT commands and replies) must success-
	      fully complete, and the authenticated user must be permitted ac-
	      cess.  Otherwise, a valid password which is not null must be
	      provided by the client.

	 3.   The user name must not appear in the file	/etc/ftpusers.

	 4.   The user must have a standard shell returned by getusershell(3).

	 5.   If the user name is ``anonymous''	or ``ftp'', an	anonymous  ftp
	      account must be present in the password file (user ``ftp'').  In
	      this case	the user is allowed to log in by specifying any	 pass-
	      word (by convention this is given	as the client host's name).
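       An added example, not code from this manual page or from ftpd: a Python
       function that applies rules 1 through 5 above to constructed copies of
       /etc/passwd, /etc/ftpusers and the shell list that getusershell(3)
       would return.  The user names, hashes and the password verifier are
       made up for the example; whether a password matches is delegated to a
       caller-supplied verify function, since the rule only requires that a
       non-null, valid password be presented when AUTH is not used.

```python
# Added example (not ftpd code): the login rules above, applied to
# constructed configuration data.  All names and hashes are made up.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/sh
ftp:*:14:5:Anonymous FTP:/var/ftp:/usr/sbin/nologin
alice:$6$fake$hash:1001:1001:Alice:/home/alice:/bin/sh
bob:$6$fake$hash:1002:1002:Bob:/home/bob:/usr/sbin/nologin
carol:$6$fake$hash:1003:1003:Carol:/home/carol:/bin/ksh
"""
FTPUSERS = "root\n# accounts that may never use ftp\nuucp\ncarol\n"
SHELLS = "/bin/sh\n/bin/csh\n/bin/ksh\n"       # what getusershell(3) returns


def parse_passwd(text):
    """name -> {home, shell} for each passwd(5) line."""
    db = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            db[f[0]] = {"home": f[5], "shell": f[6]}
    return db


def parse_list(text):
    """Entries of ftpusers/shells, minus comments and blank lines."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("#")}


def constructed_verify(user, password):
    """Stand-in for a crypt(3) comparison; the table is made up."""
    return {"alice": "s3cret", "bob": "hunter2"}.get(user) == password


def ftp_login_decision(user, auth_ok=False, password=None,
                       verify=constructed_verify,
                       passwd=PASSWD, ftpusers=FTPUSERS, shells=SHELLS):
    """Return (allowed, reason).

    auth_ok means the AUTH/ADAT exchange completed and the authenticated
    principal is permitted access (rule 2, first clause); otherwise a
    non-null password must verify (rule 2, second clause).
    """
    db = parse_passwd(passwd)
    if user in ("anonymous", "ftp"):                       # rule 5
        if "ftp" not in db:
            return False, "no ``ftp'' account in the password file"
        return True, "anonymous login, chroot to " + db["ftp"]["home"]
    if user not in db:                                     # rule 1
        return False, "user not in the password data base"
    if user in parse_list(ftpusers):                       # rule 3
        return False, "user listed in ftpusers"
    if db[user]["shell"] not in parse_list(shells):        # rule 4
        return False, "shell not returned by getusershell(3)"
    if not auth_ok:                                        # rule 2
        if not password:
            return False, "null password refused"
        if not verify(user, password):
            return False, "password incorrect"
    return True, "login permitted"
```

       Note that bob is refused even with the right password because his
       shell is not in the getusershell(3) list, which is the usual way to
       keep service accounts off ftp without editing ftpusers.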

       In the last case, ftpd takes special measures to restrict the client's
       access privileges.  The server performs a chroot(2) to the home direc-
       tory of the ``ftp'' user, so nothing outside that subtree is reachable.
       In order that system security is not breached, it is recommended that
       the ``ftp'' subtree be constructed with care; the following rules are
       recommended.

       ~ftp   Make the home directory owned by ``ftp'' and unwritable by
	      anyone.

	      The subdirectory holding ls(1): make this directory owned by the
	      super-user and unwritable by anyone.  The program ls(1) must be
	      present to support the list command.  This program should have
	      mode 111.

	      The subdirectory holding passwd(5) and group(5): make this di-
	      rectory owned by the super-user and unwritable by anyone.  The
	      files passwd(5) and group(5) must be present for the ls command
	      to be able to produce owner names rather than numbers.  The
	      password field in passwd is not used, and should not contain
	      real encrypted passwords.  These files should be mode 444.

	      The public subdirectory: make this directory mode 777 and owned
	      by ``ftp''.  Users should then place files which are to be ac-
	      cessible via the anonymous account in this directory.  Note that
	      mode 777 lets any anonymous client store files there, and any-
	      thing stored is immediately retrievable by every other client;
	      if anonymous uploads are not needed, make the directory mode 755
	      instead.

       If an ADAT command succeeds, the control channel must be either integ-
       rity or privacy protected.  In this case, the MIC and ENC commands are
       the only commands allowed over the control channel.  The argument to
       the MIC command is a base 64 encoded string which, when decoded, is an
       ftp command integrity protected with a cryptographic checksum.  The ar-
       gument to the ENC command is a base 64 encoded string which, when de-
       coded, is an ftp command privacy and integrity protected with encryp-
       tion.
       If an ADAT command succeeds, ftp	replies	will also be either  integrity
       or privacy protected.

       If  an ADAT command succeeds, the data channel can also be integrity or
       privacy protected.  The PROT command accepts S for integrity and	P  for
       privacy	protection.  Unless an ADAT command succeeds, the only protec-
       tion level accepted by the PROT command is C (clear).
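       An added example, not code from this manual page or from ftpd: a Python
       model of the control-channel rules in the three paragraphs above, with
       both the client-side wrapping (mic_wrap/enc_wrap) and the server-side
       state machine that refuses plain commands after ADAT, accepts PROT S
       and P only after ADAT, and honours CCC only when the -c option is in
       effect.  The GSS-API wrap and unwrap that the AUTH/ADAT mechanism
       provides are replaced by an HMAC-SHA256 tag (for MIC) and an HMAC-
       derived keystream plus tag (for ENC) under a constructed shared key;
       the reply codes are those of RFC 2228, and answering a plain command
       after ADAT with 533 is this example's choice.

```python
import base64
import hashlib
import hmac
import os

# Added example (not ftpd code).  The shared key stands in for the session
# key that a real ADAT exchange would negotiate.


def _b64(b):
    return base64.b64encode(b).decode()


def _unb64(s):
    return base64.b64decode(s, validate=True)      # raises ValueError


def _keystream(key, nonce, n):
    """Toy HMAC-SHA256 counter-mode keystream (stand-in for GSS-API wrap)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def mic_wrap(key, cmd):
    """Client side of MIC: base64(command || integrity tag)."""
    return _b64(cmd + hmac.new(key, cmd, hashlib.sha256).digest())


def mic_unwrap(key, arg):
    raw = _unb64(arg)
    cmd, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, cmd, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return cmd


def enc_wrap(key, cmd, nonce=None):
    """Client side of ENC: base64(nonce || ciphertext || tag over both)."""
    nonce = nonce or os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(cmd, _keystream(key, nonce, len(cmd))))
    return _b64(nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest())


def enc_unwrap(key, arg):
    raw = _unb64(arg)
    nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ControlChannel:
    """Server-side view of one control connection."""

    def __init__(self, key, allow_ccc=False):
        self.key, self.allow_ccc = key, allow_ccc   # allow_ccc models -c
        self.adat_done = False                      # set once ADAT succeeds
        self.prot = "C"                             # data-channel level

    def adat_complete(self):
        self.adat_done = True

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if not self.adat_done:                      # clear control channel
            if verb in ("MIC", "ENC"):
                return "503 Bad sequence of commands"
            return self._dispatch(verb, arg)
        if verb == "MIC":
            unwrap, code, wrap = mic_unwrap, "631", mic_wrap
        elif verb == "ENC":
            unwrap, code, wrap = enc_unwrap, "632", enc_wrap
        else:                                       # plain command after ADAT
            return "533 Command protection level denied for policy reasons"
        try:
            inner = unwrap(self.key, arg).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return "535 Failed security check"
        v, _, a = inner.strip().partition(" ")
        reply = self._dispatch(v.upper(), a)
        return f"{code} {wrap(self.key, reply.encode())}"   # protected reply

    def _dispatch(self, verb, arg):
        if verb == "PROT":
            level = arg.upper()
            if level == "C" or (self.adat_done and level in ("S", "P")):
                self.prot = level
                return f"200 Protection level set to {level}"
            return "536 Requested PROT level not supported by mechanism"
        if verb == "CCC":
            if not self.adat_done:
                return "503 Bad sequence of commands"
            if not self.allow_ccc:
                return "534 Request denied for policy reasons"
            self.adat_done = False      # from here on the channel is clear
            return "200 CCC command successful"
        return f"200 {verb} accepted"   # stand-in for the real handlers
```

       The 631/632 replies are themselves wrapped, so the client must unwrap
       them with the same key; a MIC token made under the wrong key, or one
       that is not valid base 64, is answered with 535 and nothing is exe-
       cuted.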

SEE ALSO
       ftp(1), getusershell(3), syslogd(8)

       Lunt, S. J., FTP Security Extensions, Internet Draft, November 1993
       (later published as RFC 2228).

BUGS
       The anonymous account is inherently dangerous and should be avoided.
       The server must run as the super-user to create sockets with privileged
       port numbers.  It maintains an effective user id of the logged in user,
       reverting to the super-user only when binding addresses to sockets.
       The possible security holes have been extensively scrutinized, but that
       scrutiny is possibly incomplete.

HISTORY
       The ftpd command appeared in 4.2BSD.
