ftpd(1M) TCP/IP R4.11 ftpd(1M)
NAME
ftpd - File Transfer Protocol server
SYNOPSIS
/usr/bin/ftpd [ -d ] [ -l ] [ -s max-concurrent-sessions ] [ -t timeout ]
DESCRIPTION
The ftpd process is the DARPA Internet File Transfer Protocol (FTP)
server process. The server uses the Transmission Control Protocol
(TCP) as its transport protocol. The FTP server is invoked by the
inetd server when an incoming connection is detected on the port
specified in /etc/services. See inetd(1M) and services(4) for
details.
Options
-d Enable debugging, with output going to /tmp/ftpd*.
-l Log each ftp session to the system log. Each connection,
disconnect, login, get, put, mkdir, rmdir, delete, and rename
operation will be logged via syslog along with their
completion status. Ftp session messages are logged at syslog
level LOG_INFO. For additional information about the system
log, see syslog(3C).
-s max-concurrent-sessions
Limit the number of concurrent ftp connections for any given
username to max-concurrent-sessions sessions. In the event
that the session limit has been exceeded, a 'session limit
exceeded' message will be returned to the ftp client. On a
non-trusted DG/UX system, the username root is excluded from
any max-concurrent-sessions limit imposed by the system
administrator. This option does not apply to a trusted DG/UX
system.
-t timeout
Set the inactivity time-out period to timeout seconds. By
default, the ftp server does not time out an inactive session.
Requests
The ftp server currently supports the following requests; case is not
distinguished.
Request Description
ABOR abort any transfer in progress
ACCT specify account (ignored)
ALLO allocate storage
APPE append to a file
CDUP change to the parent of the current working directory
CWD change working directory
DELE delete a file
HELP give help information
LIST give list of files in a directory (ls -l)
MKD make a directory
MODE specify data transfer mode
NLST give list of names of files in directory (ls)
NOOP do nothing
PAGE specify a new page size
PASS specify password
PASV listen on a data port and wait for a connection
PORT specify data connection port
PWD print the current working directory
QUIT terminate session
REIN reinitialize server state
REST restart the last aborted transfer
RETR retrieve a file
RMD remove a directory
RNFR specify rename-from filename
RNTO specify rename-to filename
SEOR specify a new end-of-record delimiter
SITE display any information specific to the remote system
SYST returns the type of operating system on the remote system
STAT display server's status
STOR store a file
STOU store a file under a unique name
STRU specify data transfer structure
TYPE specify data transfer type
USER specify username
XCUP change to parent of current working directory
XCWD change working directory
XMKD make a directory
XPWD print the current working directory
XRMD remove a directory
The ftpd process interprets filenames according to the "globbing"
conventions used by csh(1). This allows you to use the
metacharacters "*?[]{}~".
User Authentication Rules
The ftpd process authenticates users according to five rules:
1) The username must be in the password database, /etc/passwd,
or, if you use the Network Information Service, it must be in
the Network Information Service password database. If a
password is required for a given username, it must be provided
by the client process before any file operations can be
performed.
If the host system is running DG/UX information security, the
username must have an account in the A&A database and must be
specifically authorized to use ftp.
2) If the /etc/ftpd.allow file exists, the username must be
listed in it. Furthermore, if /etc/ftpd.allow restricts
username access to a specific host or network(s), the ftp
connection must have originated from that host (or network).
3) If the /etc/ftpd.deny file exists, the username must not be
listed in it. If the username is in this file, ftp access is
denied to the user.
4) If the username is anonymous or ftp, an anonymous ftp login
must be specified in the password file (user ftp). In this
case, a user is allowed to log in by specifying any password
(by convention, this is given as the client hostname).
5) The username must not exceed the max-concurrent-sessions per
username limit (if specified).
If the username is anonymous, ftp, or is listed in /etc/ftpd.rest,
ftpd takes special measures to restrict the client's access
privileges. The server performs a chroot(1M) command to the home
directory of the ftp (or restricted) user. So that system security
is not breached, it is recommended that the new root directory
subtree of the ftp (or restricted) user be constructed with care.
The following guidelines are recommended.
new-root Make the home directory owned by ftp (or the
appropriate restricted username) and unwritable by
anyone.
new-root/bin Make this directory owned by root and unwritable by
anyone. The programs ls(1) and pwd(1) must be present
to support the list and print directory commands.
These programs should have mode 111.
new-root/etc Make this directory owned by root and unwritable by
anyone. The file group(4) must be present for the ls
command to work properly. This file should be mode
444.
new-root/pub To provide public filespace, create this directory
with mode 777 and owned by ftp. Users should then put
in this directory all files that are to be accessible
through the anonymous account.
If the host system is running trusted DG/UX, the following additional
directories/files must be provided in the new root directory of the
anonymous (or restricted) user.
new-root/etc/tcb/cap/capaliasdefs
new-root/etc/tcb/cap/events
new-root/etc/tcb/audit/auditeventdefs
new-root/etc/tcb/audit/auditaliasdefs
new-root/etc/tcb/audit/auditmaskdefs
When copying these files from the system root, ensure that the owner
UID, group ID, permissions, ACL (if any), MAC label and/or range, and
required capability set (if any) of the original files and directories
are preserved on the copies.
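The following is an added example, not part of the DG/UX distribution
or of this manual page, that audits a new-root tree against the
guidelines listed above (home directory and bin, etc unwritable; bin/ls
and bin/pwd present with mode 111; etc/group present with mode 444; pub
mode 777). Ownership checks need the uids of ftp and root; the demo
passes None to skip them, because the constructed tree it builds in a
temporary directory cannot be chown'ed by an ordinary user. The
directory and file names are the ones from the guidelines; the helper
names (audit_new_root, build_sample_tree, run_demo) are this example's
own.

```python
import os
import shutil
import stat
import tempfile

# Added example (not DG/UX ftpd code): check a restricted/anonymous ftp
# new-root tree against the ftpd(1M) guidelines. Ownership checks are
# skipped when ftp_uid/root_uid are None (assumption: the caller looks
# the uids up, e.g. via pwd.getpwnam, on a real system).
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_new_root(new_root, ftp_uid=None, root_uid=None):
    """Return a list of findings; an empty list means the tree follows the guidelines."""
    findings = []

    def expect_dir(rel, owner_uid, writable):
        label = rel or "new-root"
        path = os.path.join(new_root, rel) if rel else new_root
        if not os.path.isdir(path):
            findings.append("%s: missing directory" % label)
            return False
        mode = _mode(path)
        if not writable and mode & WRITE_BITS:
            findings.append("%s: directory is writable (mode %o)" % (label, mode))
        if writable and mode != 0o777:
            findings.append("%s: expected mode 777, found %o" % (label, mode))
        st_uid = os.lstat(path).st_uid
        if owner_uid is not None and st_uid != owner_uid:
            findings.append("%s: wrong owner uid %d" % (label, st_uid))
        return True

    def expect_file(rel, mode_wanted, why):
        path = os.path.join(new_root, rel)
        if not os.path.isfile(path):
            findings.append("%s: missing (%s)" % (rel, why))
            return
        mode = _mode(path)
        if mode != mode_wanted:
            findings.append("%s: expected mode %o, found %o" % (rel, mode_wanted, mode))

    expect_dir("", ftp_uid, writable=False)           # home dir: owned by ftp, unwritable
    if expect_dir("bin", root_uid, writable=False):   # owned by root, unwritable
        expect_file("bin/ls", 0o111, "restricted login will fail")
        expect_file("bin/pwd", 0o111, "restricted login will fail")
    if expect_dir("etc", root_uid, writable=False):   # owned by root, unwritable
        expect_file("etc/group", 0o444, "ls will not work properly")
    expect_dir("pub", ftp_uid, writable=True)         # public filespace, mode 777
    return findings


def build_sample_tree(new_root, sloppy=False):
    """Constructed sample tree. sloppy=True leaves bin/ writable and ls/pwd mode 755."""
    for sub in ("bin", "etc", "pub"):
        os.makedirs(os.path.join(new_root, sub))
    for name in ("bin/ls", "bin/pwd"):
        path = os.path.join(new_root, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")          # placeholder standing in for the real binary
        os.chmod(path, 0o755 if sloppy else 0o111)
    group = os.path.join(new_root, "etc", "group")
    with open(group, "w") as f:
        f.write("ftp::50:\n")               # constructed group(4) entry
    os.chmod(group, 0o444)
    os.chmod(os.path.join(new_root, "pub"), 0o777)
    os.chmod(os.path.join(new_root, "etc"), 0o555)
    os.chmod(os.path.join(new_root, "bin"), 0o775 if sloppy else 0o555)
    os.chmod(new_root, 0o555)               # last: the home directory itself becomes unwritable


def remove_tree(new_root):
    """Give ourselves write access back before deleting the unwritable tree."""
    for dirpath, _dirs, _files in os.walk(new_root):
        os.chmod(dirpath, 0o700)
    shutil.rmtree(new_root)


def run_demo():
    """Audit a correct tree and a sloppy one; returns (findings_good, findings_sloppy)."""
    results = []
    for sloppy in (False, True):
        root = tempfile.mkdtemp(prefix="ftp-new-root-")
        try:
            build_sample_tree(root, sloppy=sloppy)
            results.append(audit_new_root(root))
        finally:
            remove_tree(root)
    return results[0], results[1]


if __name__ == "__main__":
    good, sloppy = run_demo()
    print("correct tree:", good or "no findings")
    print("sloppy tree: ", *sloppy, sep="\n  ")
```

On a real system the audit would be run as root against the ftp user's
home directory with the uids of ftp and root filled in; only the
permission bits are exercised here.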
FTP Daemon Customization
.ftpbanner If this file exists in the user's $HOME directory, it
will be displayed to the user after successful login.
Additionally, the .ftpbanner from each directory will
be displayed (if it exists) as the user changes into
that directory.
/etc/ftpbanner This file is the global system ftp banner and will be
displayed after successful login (if it exists) for
all accounts which do not have a $HOME/.ftpbanner.
Note that this file will not be displayed for either
restricted or anonymous ftp users since file system
access is restricted for those accounts. Bannering
for restricted and anonymous ftp accounts can be
implemented only via .ftpbanner.
/etc/ftppswd This file contains a customized password prompt for
all accounts except the anonymous ftp account. If
/etc/ftppswd exists, it will be displayed prior to the
standard ftp password prompt during normal user login.
/etc/ftpanonpswd
This file contains a customized password prompt for
the anonymous ftp account. If /etc/ftpanonpswd
exists, it will be displayed prior to the standard
anonymous ftp password prompt during anonymous ftp
user login.
/etc/ftpwelcome
This file contains a customized banner which is
displayed (if it exists) before the username prompt is
issued.
/etc/ftpd.rest This file lists the restricted ftp users. Usernames
listed in this file are required to have a valid
username/password account (just like a normal ftp
user). However, upon successful login, the daemon
performs a chroot(1M) to the user's home directory.
Restricted user accounts are identified by listing the
username (one per line) in the /etc/ftpd.rest file.
NOTE: The system administrator must create a
'/var/ftp' like directory structure in the
restricted user's home directory. See the
discussion under 'User Authentication Rules'
regarding anonymous ftp home directory
administration. Failure to establish
$HOME/bin/ls and $HOME/bin/pwd will prohibit
restricted user login and result in a
/etc/ftpd.allow
/etc/ftpd.deny These files list usernames (and, alternatively,
hosts/networks) for ftp server access control. If the
file /etc/ftpd.allow exists, only those usernames
listed in it are allowed ftp access to this server.
If it does not exist, all users except those listed in
/etc/ftpd.deny will be allowed access. These
configuration files may also specify hosts/networks
which are allowed to access the ftp server. Access is
validated by checking /etc/ftpd.allow first and then
/etc/ftpd.deny. Note that it is possible to specify
an account in the allow file only to subsequently
reject it in the deny file. The file format is as
follows:
username [network [netmask]]
Where:
username is a valid username as specified by
/etc/passwd or NIS. The '+' wildcard
symbol may be used to specify all
usernames.
network is a dotted quad IP address which
specifies networks (or hosts) to which
access is allowed or denied.
netmask is a dotted quad IP address mask which
is and'ed with network to specify a
range of addresses to allow or deny.
For example: all users on machines located on the
128.222.8 lan are granted ftp access to the ftp server
by specifying '+ 128.222.8.0 255.255.255.0' in the
/etc/ftpd.allow file. To allow anonymous access from
anywhere and normal user access only from the
128.222.0.0 network, the /etc/ftpd.allow file should
contain the records 'ftp' and '+ 128.222.0.0
255.255.0.0'.
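The following is an added example, not code from DG/UX ftpd, that
models the record format "username [network [netmask]]" and the
evaluation order described above (allow file checked first, then deny
file), using the two sample records from the text. Two points the page
does not state are assumed here and marked in the code: a record that
names a network but no netmask matches that single host (mask
255.255.255.255), and the name anonymous is not aliased to ftp, so each
username is matched literally. The function names are this example's
own.

```python
import ipaddress

# Added example (not DG/UX ftpd source): evaluate /etc/ftpd.allow and
# /etc/ftpd.deny records as described in ftpd(1M).
ALL_USERS = "+"          # wildcard documented in ftpd(1M): matches every username
HOST_MASK = 0xFFFFFFFF   # assumption: a network field with no netmask means one host


def _ip(text):
    """Dotted quad -> 32-bit int (raises ValueError on a malformed address)."""
    return int(ipaddress.IPv4Address(text))


def parse_records(text):
    """Parse file contents into (user, network, netmask) tuples.

    network and netmask are ints, or None when the record carries no host
    restriction. Blank lines are skipped; more than three fields is an error."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        if len(fields) > 3:
            raise ValueError("line %d: too many fields: %r" % (lineno, raw))
        user = fields[0]
        network = _ip(fields[1]) if len(fields) >= 2 else None
        if len(fields) == 3:
            netmask = _ip(fields[2])
        else:
            netmask = HOST_MASK if network is not None else None
        records.append((user, network, netmask))
    return records


def record_matches(record, username, client_ip):
    """True when the record names this user (or '+') and the client's address
    and'ed with netmask equals the record's network and'ed with netmask."""
    user, network, netmask = record
    if user != ALL_USERS and user != username:
        return False
    if network is None:
        return True                      # no host restriction on this record
    return (_ip(client_ip) & netmask) == (network & netmask)


def ftp_access_allowed(username, client_ip, allow_text=None, deny_text=None):
    """Apply the ftpd(1M) order: /etc/ftpd.allow first, then /etc/ftpd.deny.

    allow_text / deny_text of None model an absent file. With no allow file,
    everyone not listed in the deny file is admitted; an allow record can be
    overridden by a later deny record, as the manual page notes."""
    if allow_text is not None:
        if not any(record_matches(r, username, client_ip)
                   for r in parse_records(allow_text)):
            return False
    if deny_text is not None:
        if any(record_matches(r, username, client_ip)
               for r in parse_records(deny_text)):
            return False
    return True


# Constructed sample files built from the manual page's own example:
# anonymous (ftp) access from anywhere, normal users only from 128.222.0.0
# with netmask 255.255.0.0, and a constructed deny entry for "guest".
SAMPLE_ALLOW = "ftp\n+ 128.222.0.0 255.255.0.0\n"
SAMPLE_DENY = "guest\n"


if __name__ == "__main__":
    for user, host in [("ftp", "10.1.1.1"), ("alice", "128.222.8.5"),
                       ("alice", "10.1.1.1"), ("guest", "128.222.8.5")]:
        ok = ftp_access_allowed(user, host, SAMPLE_ALLOW, SAMPLE_DENY)
        print("%-6s from %-13s -> %s" % (user, host, "allowed" if ok else "denied"))
```

Running the block prints the four verdicts: ftp is admitted from
10.1.1.1 by the bare "ftp" record, alice is admitted from 128.222.8.5
and refused from 10.1.1.1 by the network record, and guest is admitted
by the allow file but then rejected by the deny file.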
SEE ALSO
ftp(1C), inetd(1M), ftpd.deny(4M).
Licensed material--property of copyright holder(s)