ftpd(1M) — DG/UX R4.11

ftpd(1M)                        TCP/IP R4.11                        ftpd(1M)


NAME
       ftpd - File Transfer Protocol server

SYNOPSIS
       /usr/bin/ftpd [ -d ] [ -l ] [ -s max-concurrent-sessions ] [ -t
       timeout ]

DESCRIPTION
       The ftpd process is the DARPA Internet File Transfer Protocol (FTP)
       server process.  The server uses the Transmission Control Protocol
       (TCP) as its transport protocol.  The FTP server is invoked by the
       inetd server when an incoming connection is detected on the port
       specified in /etc/services.  See inetd(1M) and services(4) for
       details.

   Options
       -d     Enable debugging, with output going to /tmp/ftpd*.

       -l     Log each ftp session to the system log.  Each connection,
              disconnect, login, get, put, mkdir, rmdir, delete, and rename
              operation will be logged via syslog along with their
              completion status.  Ftp session messages are logged at syslog
              level LOG_INFO.  For additional information about the system
              log, see syslog(3C).

       -s max-concurrent-sessions
              Limit the number of concurrent ftp connections for any given
              username to max-concurrent-sessions sessions.  In the event
              that the session limit has been exceeded, a 'session limit
              exceeded' message will be returned to the ftp client.  On a
              non-trusted DG/UX system, the username root is excluded from
              any max-concurrent-sessions limit imposed by the system
              administrator.  This option does not apply to a trusted DG/UX
              system.

       -t timeout
              Set the inactivity time-out period to timeout seconds.  By
              default, the ftp server does not time out an inactive session.

   Requests
       The ftp server currently supports the following requests; case is not
       distinguished.

       Request        Description
       ABOR           abort any transfer in progress
       ACCT           specify account (ignored)
       ALLO           allocate storage
       APPE           append to a file
       CDUP           change to the parent of the current working directory
       CWD            change working directory
       DELE           delete a file
       HELP           give help information
       LIST           give list of files in a directory (ls -l)
       MKD            make a directory
       MODE           specify data transfer mode
       NLST           give list of names of files in directory (ls)
       NOOP           do nothing
       PAGE           specify a new page size
       PASS           specify password
       PASV           listen on a data port and wait for a connection
       PORT           specify data connection port
       PWD            print the current working directory
       QUIT           terminate session
       REIN           reinitialize server state
       REST           restart the last aborted transfer
       RETR           retrieve a file
       RMD            remove a directory
       RNFR           specify rename-from filename
       RNTO           specify rename-to filename
       SEOR           specify a new end-of-record delimiter
       SITE           display any information specific to the remote system
       SYST           return the type of operating system on the remote system
       STAT           display server's status
       STOR           store a file
       STOU           store a file under a unique name
       STRU           specify data transfer structure
       TYPE           specify data transfer type
       USER           specify username
       XCUP           change to parent of current working directory
       XCWD           change working directory
       XMKD           make a directory
       XPWD           print the current working directory
       XRMD           remove a directory

       The ftpd process interprets filenames according to the "globbing"
       conventions used by csh(1).  This allows you to use the
       metacharacters "*?[]{}~".

   User Authentication Rules
       The ftpd process authenticates users according to five rules:

       1)     The username must be in the password database, /etc/passwd,
              or, if you use the Network Information Service, it must be in
              the Network Information Service password database.  If a
              password is required for a given username, it must be provided
              by the client process before any file operations can be
              performed.

              If the host system is running DG/UX information security, the
              username must have an account in the A&A database and must be
              specifically authorized to use ftp.

       2)     If the /etc/ftpd.allow file exists, the username must be
              listed in it.  Furthermore, if /etc/ftpd.allow restricts
              username access to a specific host or network(s), the ftp
              connection must have originated from that host (or network).

       3)     If the /etc/ftpd.deny file exists, the username must not be
              listed in it.  If the username is in this file, ftp access is
              denied to the user.

       4)     If the username is anonymous or ftp, an anonymous ftp login
              must be specified in the password file (user ftp).  In this
              case, a user is allowed to log in by specifying any password
              (by convention, this is given as the client hostname).

       5)     The username must not exceed the max-concurrent-sessions per
              username limit (if specified).

       If the username is anonymous, ftp, or is listed in /etc/ftpd.rest,
       ftpd takes special measures to restrict the client's access
       privileges.  The server performs a chroot(1M) to the home directory
       of the ftp (or restricted) user.  So that system security is not
       breached, the new root directory subtree of the ftp (or restricted)
       user should be constructed with care.  The following guidelines are
       recommended.

       new-root       Make the home directory owned by ftp (or the
                      appropriate restricted username) and unwritable by
                      anyone.

       new-root/bin   Make this directory owned by root and unwritable by
                      anyone.  The programs ls(1) and pwd(1) must be present
                      to support the list and print directory commands.
                      These programs should have mode 111.

       new-root/etc   Make this directory owned by root and unwritable by
                      anyone.  The file group(4) must be present for the ls
                      command to work properly.  This file should be mode
                      444.

       new-root/pub   To provide public filespace, create this directory
                      with mode 777 and owned by ftp.  Users should then put
                      in this directory all files that are to be accessible
                      through the anonymous account.

       If the host system is running trusted DG/UX, the following additional
       directories/files must be provided in the new root directory of the
       anonymous (or restricted) user.

            new-root/etc/tcb/cap/capaliasdefs
            new-root/etc/tcb/cap/events
            new-root/etc/tcb/audit/auditeventdefs
            new-root/etc/tcb/audit/auditaliasdefs
            new-root/etc/tcb/audit/auditmaskdefs

       When copying these files from the system root, ensure that the owner
       UID, group ID, permissions, ACL (if any), MAC label and/or range, and
       required capability set (if any) of the original files and directories
       are preserved on the copies.
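
       The directory guidelines above can be checked mechanically.  The
       following Python script is an added example, not part of the DG/UX
       manual or of the ftpd program: it audits a new-root tree for the
       ownership and mode requirements listed for new-root, new-root/bin,
       new-root/etc and new-root/pub.  It assumes an injectable owner_of()
       callback and a constructed sample tree; the trusted DG/UX files under
       etc/tcb are not checked.

```python
# Added example (not the man page's code): audit an anonymous or restricted
# ftp chroot tree against the ownership and mode guidelines above.  Ownership
# is resolved through an injectable owner_of() callback, an assumption made
# so the audit can be exercised without root privileges or an 'ftp' account.
import os
import pwd
import stat
import tempfile

def audit_ftp_root(new_root, ftp_user="ftp", owner_of=None):
    """Return a list of guideline violations; empty means the tree conforms."""
    owner_of = owner_of or (lambda p: pwd.getpwuid(os.stat(p).st_uid).pw_name)
    problems = []

    def check(rel, owner, exact_mode=None):
        path = os.path.join(new_root, rel) if rel else new_root
        if not os.path.exists(path):
            problems.append("%s: missing" % path)
            return
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if owner_of(path) != owner:
            problems.append("%s: owner should be %s" % (path, owner))
        if exact_mode is not None and mode != exact_mode:
            problems.append("%s: mode %o, expected %o" % (path, mode, exact_mode))
        elif exact_mode is None and mode & 0o222:
            problems.append("%s: must not be writable (mode %o)" % (path, mode))

    check("", ftp_user)                        # new-root: owned by ftp, unwritable
    check("bin", "root")                       # new-root/bin: owned by root, unwritable
    for prog in ("ls", "pwd"):                 # ls(1) and pwd(1) must exist, mode 111
        check("bin/" + prog, "root", exact_mode=0o111)
    check("etc", "root")                       # new-root/etc: owned by root, unwritable
    check("etc/group", "root", exact_mode=0o444)
    check("pub", ftp_user, exact_mode=0o777)   # public filespace, writable by design
    return problems

def build_sample_root(base=None):
    """Constructed fixture: lay out a conforming tree (modes only) in a temp dir."""
    base = base or tempfile.mkdtemp()
    dirs = (("", 0o555), ("bin", 0o555), ("etc", 0o555), ("pub", 0o777))
    files = (("bin/ls", 0o111), ("bin/pwd", 0o111), ("etc/group", 0o444))
    for rel, _ in dirs:
        os.makedirs(os.path.join(base, rel), exist_ok=True)
    for rel, mode in files:
        open(os.path.join(base, rel), "w").close()
        os.chmod(os.path.join(base, rel), mode)
    for rel, mode in reversed(dirs):           # chmod the root last so setup works unprivileged
        os.chmod(os.path.join(base, rel), mode)
    return base
```

       Run against a real anonymous ftp home directory, audit_ftp_root() is
       called with no owner_of argument so that ownership comes from the
       file system.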

   FTP Daemon Customization
       .ftpbanner     If this file exists in the user's $HOME directory, it
                      will be displayed to the user after successful login.
                      Additionally, the .ftpbanner from each directory will
                      be displayed (if it exists) as the user changes into
                      that directory.

       /etc/ftpbanner This file is the global system ftp banner and will be
                      displayed after successful login (if it exists) for
                      all accounts which do not have a $HOME/.ftpbanner.
                      Note that this file will not be displayed for either
                      restricted or anonymous ftp users since file system
                      access is restricted for those accounts.  Bannering
                      for restricted and anonymous ftp accounts can be
                      implemented only via .ftpbanner.

       /etc/ftppswd   This file contains a customized password prompt for
                      all accounts except the anonymous ftp account.  If
                      /etc/ftppswd exists, it will be displayed prior to the
                      standard ftp password prompt during normal user login.

       /etc/ftpanonpswd
                      This file contains a customized password prompt for
                      the anonymous ftp account.  If /etc/ftpanonpswd
                      exists, it will be displayed prior to the standard
                      anonymous ftp password prompt during anonymous ftp
                      user login.

       /etc/ftpwelcome
                      This file contains a customized banner which is
                      displayed (if it exists) before the username prompt is
                      issued.

       /etc/ftpd.rest This file lists the restricted ftp users.  Usernames
                      listed in this file are required to have a valid
                      username/password account (just like a normal ftp
                      user).  However, upon successful login, the daemon
                      performs a chroot(1M) to the user's home directory.
                      Restricted user accounts are identified by listing the
                      username (one per line) in the /etc/ftpd.rest file.

                      NOTE:     The system administrator must create a
                                '/var/ftp' like directory structure in the
                                restricted user's home directory.  See the
                                discussion under 'User Authentication Rules'
                                regarding anonymous ftp home directory
                                administration.  Failure to establish
                                $HOME/bin/ls and $HOME/bin/pwd will prohibit
                                restricted user login and result in a

       /etc/ftpd.allow

       /etc/ftpd.deny These files list usernames (and, alternatively,
                      hosts/networks) for ftp server access control.  If the
                      file /etc/ftpd.allow exists, only those usernames
                      listed in it are allowed ftp access to this server.
                      If it does not exist, all users except those listed in
                      /etc/ftpd.deny will be allowed access.  These
                      configuration files may also specify hosts/networks
                      which are allowed to access the ftp server.  Access is
                      validated by checking /etc/ftpd.allow first and then
                      /etc/ftpd.deny.  Note that it is possible to specify
                      an account in the allow file only to subsequently
                      reject it in the deny file.  The file format is as
                      follows:

                            username [network [netmask]]

                            Where:

                           username  is a valid username as specified by
                                     /etc/passwd or NIS.  The '+' wildcard
                                     symbol may be used to specify all
                                     usernames.

                           network   is a dotted quad IP address which
                                     specifies networks (or hosts) to which
                                     access is allowed or denied.

                           netmask   is a dotted quad IP address mask which
                                     is and'ed with network to specify a
                                     range of addresses to allow or deny.

                      For example: all users on machines located on the
                      128.222.8 lan are granted ftp access to the ftp server
                      by specifying '+ 128.222.8.0 255.255.255.0' in the
                      /etc/ftpd.allow file.  To allow anonymous access from
                      anywhere and normal user access only from the
                      128.222.0.0 network, the /etc/ftpd.allow file should
                      contain the records 'ftp' and '+ 128.222.0.0
                      255.255.0.0'.
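
       The access-control decision described by rules 2 and 3 under 'User
       Authentication Rules' and by the file format above can be modelled
       directly.  The following Python code is an added example, not code
       from the DG/UX manual or from ftpd: it parses 'username [network
       [netmask]]' records, checks /etc/ftpd.allow first and /etc/ftpd.deny
       second, and is driven by a constructed pair of sample files that
       reproduce the example above.  It assumes that a record with a network
       but no netmask matches that single host, and that an anonymous login
       matches records for ftp.

```python
# Added example (not the man page's code): decide whether ftpd would admit a
# (username, client address) pair under /etc/ftpd.allow and /etc/ftpd.deny,
# checking the allow file first and then the deny file as the page describes.
# Assumptions not stated on the page: a record with a network but no netmask
# matches that single host, and "anonymous" matches records for "ftp".
import ipaddress

def parse_records(text):
    """Parse 'username [network [netmask]]' records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        network = ipaddress.IPv4Address(fields[1]) if len(fields) > 1 else None
        mask = ipaddress.IPv4Address(fields[2] if len(fields) > 2 else "255.255.255.255")
        records.append((fields[0], network, mask))
    return records

def record_matches(record, user, client):
    """True if the record covers this username and this client address."""
    rec_user, network, mask = record
    if rec_user != "+" and rec_user != user:   # '+' is the any-username wildcard
        return False
    if network is None:                        # no network field: any client host
        return True
    # the netmask is and'ed with the network to give the covered address range
    return (int(client) & int(mask)) == (int(network) & int(mask))

def ftp_access_allowed(user, client_ip, allow_text=None, deny_text=None):
    """allow_text/deny_text hold the file contents, or None if the file is absent."""
    if user == "anonymous":
        user = "ftp"                           # assumption: anonymous matches 'ftp' records
    client = ipaddress.IPv4Address(client_ip)
    if allow_text is not None:
        # allow file exists: only usernames (and hosts) listed in it get in
        if not any(record_matches(r, user, client) for r in parse_records(allow_text)):
            return False
    if deny_text is not None:
        # an account admitted by the allow file may still be rejected here
        if any(record_matches(r, user, client) for r in parse_records(deny_text)):
            return False
    return True

# Constructed sample files following the man page's example: anonymous ftp
# from anywhere, normal users only from 128.222.0.0/16, root never.
SAMPLE_ALLOW = "ftp\n+ 128.222.0.0 255.255.0.0\n"
SAMPLE_DENY = "root\n"
```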

SEE ALSO
       ftp(1C), inetd(1M), ftpd.deny(4M).


Licensed material--property of copyright holder(s)
