ftpd(1M) TCP/IP 5.4R3.00 ftpd(1M)
NAME
ftpd - File Transfer Protocol server
SYNOPSIS
/usr/bin/ftpd [ -d ] [ -l ] [ -s max-concurrent-sessions ] [ -t timeout ]
DESCRIPTION
The ftpd process is the DARPA Internet File Transfer Protocol (FTP)
server process. The server uses the Transmission Control Protocol
(TCP) as its transport protocol. The FTP server is invoked by the
inetd server when an incoming connection is detected on the port
specified in /etc/services. See inetd(1M) and services(4) for
details.
Options
-d Enable debugging, with output going to /tmp/ftpd*.
-l Log each ftp session to the system log. Each connection,
disconnect, login, get, put, mkdir, rmdir, delete, and rename
operation will be logged via syslog along with their
completion status. Ftp session messages are logged at syslog
level LOG_INFO. For additional information about the system
log, see syslog(3C).
-s max-concurrent-sessions
Limit the number of concurrent ftp connections for any given
username to max-concurrent-sessions sessions. In the event
that the session limit has been exceeded, a 'session limit
exceeded' message will be returned to the ftp client. The
username root is excluded from any max-concurrent-sessions
limit imposed by the system administrator.
-t timeout
Set the inactivity time-out period to timeout seconds. By
default, the ftp server does not time out an inactive session.
Requests
The ftp server currently supports the following requests; case is not
distinguished.
Request Description
ABOR abort any transfer in progress
ACCT specify account (ignored)
ALLO allocate storage
APPE append to a file
CDUP change to the parent of the current working directory
CWD change working directory
DELE delete a file
HELP give help information
LIST give list of files in a directory (ls -l)
MKD make a directory
MODE specify data transfer mode
NLST give list of names of files in directory (ls)
Licensed material--property of copyright holder(s) 1
NOOP do nothing
PAGE specify a new page size
PASS specify password
PASV listen on a data port and wait for a connection
PORT specify data connection port
PWD print the current working directory
QUIT terminate session
REIN reinitialize server state
REST restart the last aborted transfer
RETR retrieve a file
RMD remove a directory
RNFR specify rename-from filename
RNTO specify rename-to filename
SEOR specify a new end-of-record delimiter
SITE display any information specific to the remote system
SYST returns the type of operating system on the remote system
STAT display server's status
STOR store a file
STOU store a file under a unique name
STRU specify data transfer structure
TYPE specify data transfer type
USER specify username
XCUP change to parent of current working directory
XCWD change working directory
XMKD make a directory
XPWD print the current working directory
XRMD remove a directory
The ftpd process interprets filenames according to the "globbing"
conventions used by csh(1). This allows you to use the
metacharacters "*?[]{}~".
User Authentication Rules
The ftpd process authenticates users according to five rules:
1) The username must be in the password database, /etc/passwd,
or, if you use the Network Information Service, it must be in
the Network Information Service password database. If a
password is required for a given username, it must be provided
by the client process before any file operations can be
performed.
2) If the /etc/ftpd.allow file exists, the username must be
listed in it. Furthermore, if /etc/ftpd.allow restricts
username access to a specific host or network(s), the ftp
connection must have originated from that host (or network).
3) If the /etc/ftpd.deny file exists, the username must not be
listed in it. If the username is in this file, ftp access is
denied to the user.
4) If the username is anonymous or ftp, an anonymous ftp login
must be specified in the password file (user ftp). In this
case, a user is allowed to log in by specifying any password
(by convention, this is given as the client hostname).
5) The username must not exceed the max-concurrent-sessions per
username limit (if specified).
If the username is anonymous, ftp, or is listed in /etc/ftpd.rest,
ftpd takes special measures to restrict the client's access
privileges. The server performs a chroot(1M) command to the home
directory of the ftp (or restricted) user. So that system security
is not breached, it is recommended that the ftp subtree be
constructed with care. The following guidelines are recommended.
~ftp Make the home directory owned by ftp (or the
appropriate restricted username) and unwritable by
anyone.
~ftp/bin Make this directory owned by the superuser and
unwritable by anyone. The programs ls(1) and pwd(1)
must be present to support the list and print
directory commands. These programs should have mode
111.
~ftp/etc Make this directory owned by the superuser and
unwritable by anyone. The file group(4) must be
present for the ls command to work properly. This
file should be mode 444.
~ftp/pub To provide public filespace, create this directory
with mode 777 and owned by ftp. Users should then put
in this directory all files that are to be accessible
through the anonymous account.
FTP Daemon Customization
.ftpbanner If this file exists in the user's $HOME directory, it
will be displayed to the user after successful login.
Additionally, the .ftpbanner from each directory will
be displayed (if it exists) when the user changes into
that directory.
/etc/ftpbanner This file is the global system ftp banner and will be
displayed after successful login (if it exists) for
all accounts which do not have a $HOME/.ftpbanner.
Note that this file will not be displayed for either
restricted or anonymous ftp users since filesystem
access is restricted for those accounts. Bannering
for restricted and anonymous ftp accounts can be
implemented only via .ftpbanner.
/etc/ftppswd This file contains a customized password prompt for
all accounts except the anonymous ftp account. If
/etc/ftppswd exists, it will be displayed prior to the
standard ftp password prompt during normal user login.
/etc/ftpanonpswd
This file contains a customized password prompt for
the anonymous ftp account. If /etc/ftpanonpswd
exists, it will be displayed prior to the standard
anonymous ftp password prompt during anonymous ftp
user login.
/etc/ftpwelcome
This file contains a customized banner which is
displayed (if it exists) before the username prompt is
issued.
/etc/ftpd.rest This file lists the restricted ftp users. Usernames
listed in this file are required to have a valid
username/password account (just like a normal ftp
user). However, upon successful login, the daemon
performs a chroot(1M) to the user's home directory.
Restricted user accounts are identified by listing the
username (one per line) in the /etc/ftpd.rest file.
NOTE: The system administrator must create a
'/var/ftp'-like directory structure in the
restricted user's home directory. See the
discussion under 'User Authentication Rules'
regarding anonymous ftp home directory
administration. Failure to establish
$HOME/bin/ls and $HOME/bin/pwd will prohibit
restricted user login and result in a '550
Bad account...unable to access <cmd>'
message.
/etc/ftpd.allow
/etc/ftpd.deny These files list usernames (and optionally
hosts/networks) for ftp server access control. If the
file /etc/ftpd.allow exists, only those usernames
listed in it are allowed ftp access to this server.
If it does not exist, all users except those listed in
/etc/ftpd.deny will be allowed access. These
configuration files may also specify hosts/networks
which are allowed to access the ftp server. Access is
validated by checking /etc/ftpd.allow first and then
/etc/ftpd.deny. Note that it is possible to specify
an account in the allow file only to subsequently
reject it in the deny file. The file format is as
follows:
username [network [netmask]]
Where:
username is a valid username as specified by
/etc/passwd or NIS. The '+' wildcard
symbol may be used to specify all
usernames.
network is a dotted quad IP address which
specifies networks (or hosts) to which
access is allowed or denied.
netmask is a dotted quad IP address mask which
is ANDed with network to specify a
range of addresses to allow or deny.
For example: all users on machines located on the
128.222.8 LAN are granted ftp access to the ftp server
by specifying '+ 128.222.8.0 255.255.255.0' in the
/etc/ftpd.allow file. To allow anonymous access from
anywhere and normal user access only from the
128.222.0.0 network, the /etc/ftpd.allow file should
contain the records 'ftp' and '+ 128.222.0.0
255.255.0.0'.
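The allow/deny evaluation described above, as an added example (not code from this ftpd): it parses the 'username [network [netmask]]' record format and applies authentication rules 2 and 3, the allow file first and then the deny file, to a username and client address. One assumption the man page does not settle is labelled in the code: a network given without a netmask is treated as a single-host match.

```python
import ipaddress

WILDCARD = "+"   # '+' in the username field stands for every username
HOST_MASK = ipaddress.IPv4Address("255.255.255.255")

def parse_acl(text):
    """Parse ftpd.allow / ftpd.deny records: username [network [netmask]].
    Returns (username, network, netmask) tuples; network None means any host.
    Assumption (not stated in ftpd(1M)): a network with no netmask is a
    single-host match, i.e. netmask 255.255.255.255."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        network = ipaddress.IPv4Address(fields[1]) if len(fields) > 1 else None
        netmask = ipaddress.IPv4Address(fields[2]) if len(fields) > 2 else HOST_MASK
        rules.append((fields[0], network, netmask))
    return rules

def rule_matches(rule, username, client):
    name, network, netmask = rule
    if name != WILDCARD and name != username:
        return False
    if network is None:
        return True
    # the netmask is ANDed with both the record's network and the client address
    return (int(client) & int(netmask)) == (int(network) & int(netmask))

def ftp_access_allowed(username, client_ip, allow_text=None, deny_text=None):
    """Rules 2 and 3 of ftpd(1M): if the allow file exists the user must match
    a record in it; then any match in the deny file rejects the user, which is
    how an account allowed earlier can still be refused. Pass None for a
    file that does not exist."""
    client = ipaddress.IPv4Address(client_ip)
    if allow_text is not None and not any(
            rule_matches(r, username, client) for r in parse_acl(allow_text)):
        return False
    if deny_text is not None and any(
            rule_matches(r, username, client) for r in parse_acl(deny_text)):
        return False
    return True

# Constructed sample files built from the man page's own records: anonymous
# from anywhere, normal users only from the 128.222.0.0 network, and a deny
# file that keeps every user on the 128.222.8 LAN off the server.
ALLOW = "ftp\n+ 128.222.0.0 255.255.0.0\n"
DENY = "+ 128.222.8.0 255.255.255.0\n"
```

With these files, 'alice' from 128.222.9.4 is admitted, while 'alice' from 128.222.8.4 passes the allow check and is then rejected by the deny record.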
SEE ALSO
ftp(1C), inetd(1M), ftpd.deny(4M).
BUGS
The server must run as the superuser to create sockets with
privileged port numbers. It maintains an effective user ID of the
logged-in user, reverting to the superuser only when binding
addresses to sockets.