Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
TNFTPD(8)		FreeBSD	System Manager's Manual		     TNFTPD(8)

NAME
     tnftpd -- Internet	File Transfer Protocol server

SYNOPSIS
     tnftpd [-46DdHlnQqrsUuWwX]	[-a anondir] [-C user[@host]] [-c confdir]
	    [-e	emailaddr] [-h hostname] [-L xferlogfile] [-P dataport]
	    [-V	version]

DESCRIPTION
     tnftpd is the Internet File Transfer Protocol server process.  The	server
     uses the TCP protocol and listens at the port specified in	the "ftp" ser-
     vice specification; see services(5).

     Available options:

     -4	     When -D is	specified, bind	to IPv4	addresses only.

     -6	     When -D is	specified, bind	to IPv6	addresses only.

     -a	anondir
	     Define anondir as the directory to	chroot(2) into for anonymous
	     logins.  Default is the home directory for	the ftp	user.  This
	     can also be specified with	the ftpd.conf(5) chroot	directive.

     -C	user[@host]
	     Check whether user	(as if connecting from host, if	provided)
	     would be granted access under the restrictions given in
	     ftpusers(5), and exit without attempting a	connection.  tnftpd
	     exits with	an exit	code of	0 if access would be granted, or 1
	     otherwise.	 This can be useful for	testing	configurations.

     -c	confdir
	     Change the	root directory of the configuration files from
	     "/usr/local/etc" to confdir.  This	changes	the directory for the
	     following files: /usr/local/etc/ftpchroot,
	     /usr/local/etc/ftpusers, /usr/local/etc/ftpwelcome,
	     /usr/local/etc/motd, and the file specified by the	ftpd.conf(5)
	     limit directive.

     -D	     Run as daemon.  tnftpd will listen	on the default FTP port	for
	     incoming connections and fork a child for each connection.	 This
	     is	lower overhead than starting tnftpd from inetd(8) and thus
	     might be useful on	busy servers to	reduce load.

     -d	     Debugging information is written to the syslog using a facility
	     of	LOG_FTP.

     -e	emailaddr
	     Use emailaddr for the "%E"	escape sequence	(see Display file
	     escape sequences)

     -H	     Equivalent	to "-h `hostname`".

     -h	hostname
	     Explicitly	set the	hostname to advertise as to hostname.  The de-
	     fault is the hostname associated with the IP address that tnftpd
	     is	listening on.  This ability (with or without -h), in conjunc-
	     tion with -c confdir, is useful when configuring `virtual'	FTP
	     servers, each listening on	separate addresses as separate names.
	     Refer to inetd.conf(5) for	more information on starting services
	     to	listen on specific IP addresses.

     -L	xferlogfile
	     Log wu-ftpd style `xferlog' entries to xferlogfile.

     -l	     Each successful and failed	FTP session is logged using syslog
	     with a facility of	LOG_FTP.  If this option is specified more
	     than once,	the retrieve (get), store (put), append, delete, make
	     directory,	remove directory and rename operations and their file
	     name arguments are	also logged.

     -n	     Don't attempt translation of IP addresses to hostnames.

     -P	dataport
	     Use dataport as the data port, overriding the default of using
	     the port one less that the	port tnftpd is listening on.

     -Q	     Disable the use of	pid files for keeping track of the number of
	     logged-in users per class.	 This may reduce the load on heavily
	     loaded FTP	servers.

     -q	     Enable the	use of pid files for keeping track of the number of
	     logged-in users per class.	 This is the default.

     -r	     Permanently drop root privileges once the user is logged in.  The
	     use of this option	may result in the server using a port other
	     than the (listening-port -	1) for PORT style commands, which is
	     contrary to the RFC 959 specification, but	in practice very few
	     clients rely upon this behaviour.	See SECURITY CONSIDERATIONS
	     below for more details.

     -s	     Require a secure authentication mechanism like Kerberos or	S/Key
	     to	be used.

     -U	     Don't log each concurrent FTP session to /var/run/utmp.  This is
	     the default.

     -u	     Log each concurrent FTP session to	/var/run/utmp, making them
	     visible to	commands such as who(1).

     -V	version
	     Use version as the	version	to advertise in	the login banner and
	     in	the output of STAT and SYST instead of the default version in-
	     formation.	 If version is empty or	`-' then don't display any
	     version information.

     -W	     Don't log each FTP	session	to /var/log/wtmp.

     -w	     Log each FTP session to /var/log/wtmp, making them	visible	to
	     commands such as last(1).	This is	the default.

     -X	     Log wu-ftpd style `xferlog' entries to the	syslog,	prefixed with
	     "xferlog: ", using	a facility of LOG_FTP.	These syslog entries
	     can be converted to a wu-ftpd style xferlog file suitable for in-
	     put into a	third-party log	analysis tool with a command similar
	     to:
		   sed -ne 's/^.*xferlog: //p' /var/log/xferlog	> wuxferlog

     The file /etc/nologin can be used to disable FTP access.  If the file ex-
     ists, tnftpd displays it and exits.  If the file
     /usr/local/etc/ftpwelcome exists, tnftpd prints it	before issuing the
     "ready" message.  If the file /usr/local/etc/motd exists (under the ch-
     root directory if applicable), tnftpd prints it after a successful	login.
     This may be changed with the ftpd.conf(5) directive motd.

     The tnftpd	server currently supports the following	FTP requests.  The
     case of the requests is ignored.

	   Request    Description
	   ABOR	      abort previous command
	   ACCT	      specify account (ignored)
	   ALLO	      allocate storage (vacuously)
	   APPE	      append to	a file
	   CDUP	      change to	parent of current working directory
	   CWD	      change working directory
	   DELE	      delete a file
	   EPSV	      prepare for server-to-server transfer
	   EPRT	      specify data connection port
	   FEAT	      list extra features that are not defined in RFC 959
	   HELP	      give help	information
	   LIST	      give list	files in a directory ("ls -lA")
	   LPSV	      prepare for server-to-server transfer
	   LPRT	      specify data connection port
	   MLSD	      list contents of directory in a machine-processable form
	   MLST	      show a pathname in a machine-processable form
	   MKD	      make a directory
	   MDTM	      show last	modification time of file
	   MODE	      specify data transfer mode
	   NLST	      give name	list of	files in directory
	   NOOP	      do nothing
	   OPTS	      define persistent	options	for a given command
	   PASS	      specify password
	   PASV	      prepare for server-to-server transfer
	   PORT	      specify data connection port
	   PWD	      print the	current	working	directory
	   QUIT	      terminate	session
	   REST	      restart incomplete transfer
	   RETR	      retrieve a file
	   RMD	      remove a directory
	   RNFR	      specify rename-from file name
	   RNTO	      specify rename-to	file name
	   SITE	      non-standard commands (see next section)
	   SIZE	      return size of file
	   STAT	      return status of server
	   STOR	      store a file
	   STOU	      store a file with	a unique name
	   STRU	      specify data transfer structure
	   SYST	      show operating system type of server system
	   TYPE	      specify data transfer type
	   USER	      specify user name
	   XCUP	      change to	parent of current working directory
				     (deprecated)
	   XCWD	      change working directory (deprecated)
	   XMKD	      make a directory (deprecated)
	   XPWD	      print the	current	working	directory (deprecated)
	   XRMD	      remove a directory (deprecated)

     The following non-standard	or UNIX	specific commands are supported	by the
     SITE request.

	   Request    Description
	   CHMOD      change mode of a file, e.g. ``SITE CHMOD 755 filename''
	   HELP	      give help	information.
	   IDLE	      set idle-timer, e.g. ``SITE IDLE 60''
	   RATEGET    set maximum get rate throttle in bytes/second, e.g.
				     ``SITE RATEGET 5k''
	   RATEPUT    set maximum put rate throttle in bytes/second, e.g.
				     ``SITE RATEPUT 5k''
	   UMASK      change umask, e.g. ``SITE	UMASK 002''

     The following FTP requests	(as specified in RFC 959 and RFC 2228) are
     recognized, but are not implemented: ACCT,	ADAT, AUTH, CCC, CONF, ENC,
     MIC, PBSZ,	PROT, REIN, and	SMNT.

     The tnftpd	server will abort an active file transfer only when the	ABOR
     command is	preceded by a Telnet "Interrupt	Process" (IP) signal and a
     Telnet "Synch" signal in the command Telnet stream, as described in In-
     ternet RFC	959.  If a STAT	command	is received during a data transfer,
     preceded by a Telnet IP and Synch,	transfer status	will be	returned.

     tnftpd interprets file names according to the "globbing" conventions used
     by	csh(1).	 This allows users to use the metacharacters "*?[]{}~".

   User	authentication
     tnftpd authenticates users	according to five rules.

	   1.	The login name must be in the password data base, passwd(5),
		and not	have a null password.  In this case a password must be
		provided by the	client before any file operations may be per-
		formed.	 If the	user has an S/Key key, the response from a
		successful USER	command	will include an	S/Key challenge.  The
		client may choose to respond with a PASS command giving	either
		a standard password or an S/Key	one-time password.  The	server
		will automatically determine which type	of password it has
		been given and attempt to authenticate accordingly.  See
		skey(1)	for more information on	S/Key authentication.  S/Key
		is a Trademark of Bellcore.

	   2.	The login name must be allowed based on	the information	in
		ftpusers(5).

	   3.	The user must have a standard shell returned by
		getusershell(3).  If the user's	shell field in the password
		database is empty, the shell is	assumed	to be /bin/sh.	As per
		shells(5), the user's shell must be listed with	full path in
		/etc/shells.

	   4.	If directed by the file	ftpchroot(5) the session's root	direc-
		tory will be changed by	chroot(2) to the directory specified
		in the ftpd.conf(5) chroot directive (if set), or to the home
		directory of the user.	This facility may also be triggered by
		enabling the boolean ftp-chroot	in login.conf(5).  However,
		the user must still supply a password.	This feature is	in-
		tended as a compromise between a fully anonymous account and a
		fully privileged account.  The account should also be set up
		as for an anonymous account.

	   5.	If the user name is "anonymous"	or "ftp", an anonymous FTP ac-
		count must be present in the password file (user "ftp").  In
		this case the user is allowed to log in	by specifying any
		password (by convention	an email address for the user should
		be used	as the password).

		The server performs a chroot(2)	to the directory specified in
		the ftpd.conf(5) chroot	directive (if set), the	-a anondir di-
		rectory	(if set), or to	the home directory of the "ftp"	user.

		The server then	performs a chdir(2) to the directory specified
		in the ftpd.conf(5) homedir directive (if set),	otherwise to
		/.

		If other restrictions are required (such as disabling of cer-
		tain commands and the setting of a specific umask), then ap-
		propriate entries in ftpd.conf(5) are required.

		If the first character of the password supplied	by an anony-
		mous user is "-", then the verbose messages displayed at login
		and upon a CWD command are suppressed.

   Display file	escape sequences
     When tnftpd displays various files	back to	the client (such as
     /usr/local/etc/ftpwelcome and /usr/local/etc/motd), various escape
     strings are replaced with information pertinent to	the current connec-
     tion.

     The supported escape strings are:
	   Escape  Description
	   %c	   Class name.
	   %C	   Current working directory.
	   %E	   Email address given with -e.
	   %L	   Local hostname.
	   %M	   Maximum number of users for this class.  Displays
		   "unlimited" if there's no limit.
	   %N	   Current number of users for this class.
	   %R	   Remote hostname.
	   %s	   If the result of the	most recent "%M" or "%N" was not "1",
		   print an "s".
	   %S	   If the result of the	most recent "%M" or "%N" was not "1",
		   print an "S".
	   %T	   Current time.
	   %U	   User	name.
	   %%	   A "%" character.

   Setting up a	restricted ftp subtree
     In	order that system security is not breached, it is recommended that the
     subtrees for the "ftp" and	"chroot" accounts be constructed with care,
     following these rules (replace "ftp" in the following directory names
     with the appropriate account name for `chroot' users):

	   ~ftp		  Make the home	directory owned	by "root" and un-
			  writable by anyone.

	   ~ftp/bin	  Make this directory owned by "root" and unwritable
			  by anyone (mode 555).	 Generally any conversion com-
			  mands	should be installed here (mode 111).

	   ~ftp/etc	  Make this directory owned by "root" and unwritable
			  by anyone (mode 555).	 The files pwd.db (see
			  passwd(5)) and group (see group(5)) must be present
			  for the LIST command to be able to display owner and
			  group	names instead of numbers.  The password	field
			  in passwd(5) is not used, and	should not contain
			  real passwords.  The file motd, if present, will be
			  printed after	a successful login.  These files
			  should be mode 444.

	   ~ftp/pub	  This directory and the subdirectories	beneath	it
			  should be owned by the users and groups responsible
			  for placing files in them, and be writable only by
			  them (mode 755 or 775).  They	should not be owned or
			  writable by ftp or its group.

	   ~ftp/incoming  This directory is where anonymous users place	files
			  they upload.	The owners should be the user "ftp"
			  and an appropriate group.  Members of	this group
			  will be the only users with access to	these files
			  after	they have been uploaded; these should be peo-
			  ple who know how to deal with	them appropriately.
			  If you wish anonymous	FTP users to be	able to	see
			  the names of the files in this directory the permis-
			  sions	should be 770, otherwise they should be	370.

			  The following	ftpd.conf(5) directives	should be
			  used:
				modify guest off
				umask  guest 0707
				upload guest on

			  This will result in anonymous	users being able to
			  upload files to this directory, but they will	not be
			  able to download them, delete	them, or overwrite
			  them,	due to the umask and disabling of the commands
			  mentioned above.

	   ~ftp/tmp	  This directory is used to create temporary files
			  which	contain	the error messages generated by	a con-
			  version or LIST command.  The	owner should be	the
			  user "ftp".  The permissions should be 300.

			  If you don't enable conversion commands, or don't
			  want anonymous users uploading files here (see
			  ~ftp/incoming	above),	then don't create this direc-
			  tory.	 However, error	messages from conversion or
			  LIST commands	won't be returned to the user.	(This
			  is the traditional behaviour.)  Note that the
			  ftpd.conf(5) directive upload	can be used to prevent
			  users	uploading here.

     To	set up "ftp-only" accounts that	provide	only FTP, but no valid shell
     login, you	can copy/link /sbin/nologin to /sbin/ftplogin, and enter
     /sbin/ftplogin to /etc/shells to allow logging-in via FTP into the	ac-
     counts, which must	have /sbin/ftplogin as login shell.

FILES
     /usr/local/etc/ftpchroot	List of	normal users whose root	directory
				should be changed via chroot(2).
     /usr/local/etc/ftpd.conf	Configure file conversions and other settings.
     /usr/local/etc/ftpusers	List of	unwelcome/restricted users.
     /usr/local/etc/ftpwelcome	Welcome	notice before login.
     /usr/local/etc/motd	Welcome	notice after login.
     /etc/nologin		If it exists, displayed	and access is refused.
     /var/run/ftpd.pids-CLASS	State file of logged-in	processes for the
				tnftpd class `CLASS'.
     /var/run/utmp		List of	logged-in users	on the system.
     /var/log/wtmp		Login history database.

SEE ALSO
     ftp(1), skey(1), who(1), getusershell(3), ftpchroot(5), ftpd.conf(5),
     ftpusers(5), login.conf(5), syslogd(8)

STANDARDS
     tnftpd recognizes all commands in RFC 959,	follows	the guidelines in RFC
     1123, recognizes all commands in RFC 2228 (although they are not sup-
     ported yet), and supports the extensions from RFC 2389, RFC 2428, and RFC
     3659.

HISTORY
     The tnftpd	command	appeared in 4.2BSD.

     Various features such as the ftpd.conf(5) functionality, RFC 2389,	and
     RFC 3659 support was implemented in NetBSD	1.3 and	later releases by Luke
     Mewburn.

BUGS
     The server	must run as the	super-user to create sockets with privileged
     port numbers (i.e,	those less than	IPPORT_RESERVED, which is 1024).  If
     tnftpd is listening on a privileged port it maintains an effective	user
     id	of the logged in user, reverting to the	super-user only	when binding
     addresses to privileged sockets.  The -r option can be used to override
     this behaviour and	force privileges to be permanently revoked; see
     SECURITY CONSIDERATIONS below for more details.

     tnftpd may	have trouble handling connections from scoped IPv6 addresses,
     or	IPv4 mapped addresses (IPv4 connection on AF_INET6 socket).  For the
     latter case, running two daemons, one for IPv4 and	one for	IPv6, will
     avoid the problem.

SECURITY CONSIDERATIONS
     RFC 959 provides no restrictions on the PORT command, and this can	lead
     to	security problems, as tnftpd can be fooled into	connecting to any ser-
     vice on any host.	With the "checkportcmd"	feature	of the ftpd.conf(5),
     PORT commands with	different host addresses, or TCP ports lower than
     IPPORT_RESERVED will be rejected.	This also prevents `third-party	proxy
     ftp' from working.	 Use of	this option is strongly	recommended, and en-
     abled by default.

     By	default	tnftpd uses a port that	is one less than the port it is	lis-
     tening on to communicate back to the client for the EPRT, LPRT, and PORT
     commands, unless overridden with -P dataport.  As the default port	for
     tnftpd (21) is a privileged port below IPPORT_RESERVED, tnftpd retains
     the ability to switch back	to root	privileges to bind these ports.	 In
     order to increase security	by reducing the	potential for a	bug in tnftpd
     providing a remote	root compromise, tnftpd	will permanently drop root
     privileges	if one of the following	is true:

	   1.	tnftpd is running on a port greater than IPPORT_RESERVED and
		the user has logged in as a `guest' or `chroot'	user.

	   2.	tnftpd was invoked with	-r.

     Don't create ~ftp/tmp if you don't	want anonymous users to	upload files
     there.  That directory is only necessary if you want to display the error
     messages of conversion commands to	the user.  Note	that if	uploads	are
     disabled with the ftpd.conf(5) directive upload, then this	directory can-
     not be abused by the user in this way, so it should be safe to create.

     To	avoid possible denial-of-service attacks, SIZE requests	against	files
     larger than 10240 bytes will be denied if the current transfer TYPE is
     `A' (ASCII).

FreeBSD	13.0			  May 1, 2009			  FreeBSD 13.0

NAME | SYNOPSIS | DESCRIPTION | FILES | SEE ALSO | STANDARDS | HISTORY | BUGS | SECURITY CONSIDERATIONS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=tnftpd&sektion=8&manpath=FreeBSD+12.2-RELEASE+and+Ports>

home | help