ftpd(1M) DG/UX R4.11MU05 ftpd(1M)
NAME
ftpd - File Transfer Protocol server
SYNOPSIS
/usr/bin/ftpd [ -d ] [ -l ] [ -p ] [ -s max-concurrent-sessions ] [ -t timeout ] [ -T max-timeout ] [ -u umask ] [ -U anonymous-umask ]
DESCRIPTION
The ftpd process is the DARPA Internet File Transfer Protocol (FTP)
server process. The server uses the Transmission Control Protocol
(TCP) as its transport protocol. The FTP server is invoked by the
inetd server when an incoming connection is detected on the port
specified in /etc/services. See inetd(1M) and services(4) for
details.
Options
-d Enable debugging, with output going to /tmp/ftpd*.
-l Log each ftp session to the system log. Each connection,
disconnect, login, get, put, mkdir, rmdir, delete, rename, and
site chmod operation will be logged via syslog along with
their completion status. Ftp session messages are logged at
syslog level LOG_INFO. For additional information about the
system log, see syslog(3C).
-p Enable validation of the PORT request for stricter security
purposes. The validation will refuse the PORT command and
will result in an "Illegal PORT Command" error if the port
specified is less than 1024 and if the IP address specified is
different from the ftp client. Note that specifying this
option will cause bftp(1C) transfers between non-local hosts
to fail.
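The following Python is an added illustration of the check the -p option describes; it is not part of this manual page nor of the DG/UX ftpd source. It parses the RFC 959 PORT argument "h1,h2,h3,h4,p1,p2" and refuses the request when the port is below 1024 or the address is not the connecting client's own. Treating the two conditions as independent grounds for refusal is this example's reading of the sentence above; the "500" reply code, the function names and the strict flag are assumptions.

```python
import ipaddress

# Ports below this value are reserved on BSD-derived systems (assumed constant name).
RESERVED_PORT_LIMIT = 1024


def parse_port_argument(arg):
    """Parse the argument of an FTP PORT command, 'h1,h2,h3,h4,p1,p2' (RFC 959),
    into (dotted-quad address, port). Raises ValueError on malformed input."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT requires six comma-separated decimal fields")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers")
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be in the range 0..255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # p1 is the high byte, p2 the low byte
    return host, port


def validate_port_request(arg, client_ip, strict=True):
    """Decide whether a PORT request may be honoured.
    strict=True models 'ftpd -p': the data port must not be privileged and the
    address must be the control connection's peer. Returns (accepted, reply)."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"500 Illegal PORT Command ({exc})"
    if strict:
        if port < RESERVED_PORT_LIMIT:
            return False, "500 Illegal PORT Command"
        if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
            return False, "500 Illegal PORT Command"
    return True, "200 PORT command successful."


if __name__ == "__main__":
    # Constructed sample: a client at 192.168.1.10 asks for data port 1025 (4*256+1).
    print(validate_port_request("192,168,1,10,4,1", "192.168.1.10"))
    # Same client asks the server to connect to another host's port 25.
    print(validate_port_request("192,168,1,99,0,25", "192.168.1.10"))
```

Without the strict flag the second request above would be accepted, which is the behaviour the -p option exists to remove; with it the server replies with the "Illegal PORT Command" error the page mentions.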
-s max-concurrent-sessions
Limit the number of concurrent ftp connections for any given
username to max-concurrent-sessions sessions. In the event
that the session limit has been exceeded, a 'session limit
exceeded' message will be returned to the ftp client. On a
generic DG/UX system, the username root is excluded from any
max-concurrent-sessions limit imposed by the system
administrator.
-t timeout
Set the inactivity time-out period to timeout seconds. By
default, the ftp server does not time out an inactive session.
-T max-timeout
A client may request a different inactivity time-out period;
the maximum period allowed may be set to max-timeout seconds
with the -T option. The default limit is 2 hours.
-u umask
Set the default file-creation mode mask to umask. The default
umask is 000.
-U anonymous umask
Set the default umask for the anonymous ftp user to umask.
The default umask for the anonymous ftp user is 000.
Requests
The ftp server currently supports the following requests; case is not
distinguished.
Request Description
ABOR abort any transfer in progress
ACCT specify account (ignored)
ALLO allocate storage
APPE append to a file
CDUP change to the parent of the current working directory
CWD change working directory
DELE delete a file
HELP give help information
LIST give list of files in a directory (ls -l)
MKD make a directory
MODE specify data transfer mode
NLST give list of names of files in directory (ls)
NOOP do nothing
PAGE specify a new page size
PASS specify password
PASV listen on a data port and wait for a connection
PORT specify data connection port
PWD print the current working directory
QUIT terminate session
REIN reinitialize server state
REST restart the last aborted transfer
RETR retrieve a file
RMD remove a directory
RNFR specify rename-from filename
RNTO specify rename-to filename
SEOR specify a new end-of-record delimiter
SITE non-standard commands or display remote system specific information
SYST returns the type of operating system on the remote system
STAT display server's status
STOR store a file
STOU store a file under a unique name
STRU specify data transfer structure
TYPE specify data transfer type
USER specify username
XCUP change to parent of current working directory
XCWD change working directory
XMKD make a directory
XPWD print the current working directory
XRMD remove a directory
The following non-standard or UNIX specific commands are supported by
the SITE request.
Request Description
AUTH perform special authentication, e.g., "SITE AUTH mycode"
CHMOD change mode of a file, e.g., "SITE CHMOD 666 /etc/motd"
HELP give help information
IDLE set idle-timer, e.g., "SITE IDLE 60"
UMASK change umask, e.g., "SITE UMASK 002"
The ftpd process interprets filenames according to the "globbing"
conventions used by csh(1). This allows you to use the
metacharacters "*?[]{}~".
User Authentication Rules
The ftpd process authenticates users according to five rules:
1) The username must be in the password database, /etc/passwd,
or, if you use the Network Information Service, it must be in
the Network Information Service password database. If a
password is required for a given username, it must be provided
by the client process before any file operations can be
performed.
If the host system is running DG/UX information security, the
username must have an account in the A&A database and must be
specifically authorized to use ftp at the client's (or user-specified)
clearance label and device range.
2) If the /etc/ftpd.allow file exists, the username must be
listed in it. Furthermore, if /etc/ftpd.allow restricts
username access to a specific host or network(s), the ftp
connection must have originated from that host (or network).
3) If the /etc/ftpd.deny file exists, the username must not be
listed in it. If the username is in this file, ftp access is
denied to the user.
4) If the username is anonymous or ftp, an anonymous ftp login
must be specified in the password file (user ftp). In this
case, a user is allowed to log in by specifying any password
(by convention, this is given as the client hostname).
5) The username must not exceed the max-concurrent-sessions per
username limit (if specified).
If the username is anonymous, ftp, or is listed in /etc/ftpd.rest,
ftpd takes special measures to restrict the client's access
privileges. The server performs a chroot(1M) command to the home
directory of the ftp (or restricted) user. So that system security
is not breached, it is recommended that the ftp (or restricted user)
new root directory subtree be constructed with care. The following
guidelines are recommended.
new-root Make the home directory owned by ftp (or the
appropriate restricted username) and unwritable by
anyone.
new-root/bin Make this directory owned by root and unwritable by
anyone. The programs ls(1) and pwd(1) must be present
to support the list and print directory commands.
These programs should have mode 111.
new-root/etc Make this directory owned by root and unwritable by
anyone. The file group(4) must be present for the ls
command to work properly. This file should be mode
444.
new-root/pub To provide public filespace, create this directory
with mode 777 and owned by ftp. Users should then put
in this directory all files that are to be accessible
through the anonymous account.
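The Python below is an added example, not part of this manual page or of DG/UX, that audits a restricted or anonymous ftp home against the four guidelines above and builds a constructed tree to run against. Function names are assumptions; ownership is only compared when a uid is supplied, since a constructed tree in a temporary directory cannot be chown'ed without privilege.

```python
import os
import stat
import tempfile


def _mode(path):
    """Permission bits of path, ignoring the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_ftp_root(root, ftp_uid=None):
    """Check a restricted/anonymous ftp home against the guidelines above.
    Returns a list of findings; an empty list means the tree conforms.
    Ownership (home and pub owned by ftp, bin and etc owned by root) is only
    checked when ftp_uid is given."""
    findings = []

    def path_of(rel):
        p = os.path.join(root, rel)
        if not os.path.lexists(p):
            findings.append(f"{rel or '.'}: missing")
            return None
        return p

    def unwritable(rel, p):
        if _mode(p) & 0o222:
            findings.append(f"{rel or '.'}: mode {_mode(p):04o} is writable; should be unwritable by anyone")

    def exact_mode(rel, p, want):
        if _mode(p) != want:
            findings.append(f"{rel}: mode {_mode(p):04o}, expected {want:04o}")

    def owned_by(rel, p, uid):
        if ftp_uid is not None and os.stat(p).st_uid != uid:
            findings.append(f"{rel or '.'}: owned by uid {os.stat(p).st_uid}, expected {uid}")

    p = path_of("")                        # new-root: owned by ftp, unwritable
    if p:
        unwritable("", p)
        owned_by("", p, ftp_uid)
    for d in ("bin", "etc"):               # new-root/bin, new-root/etc: root-owned, unwritable
        p = path_of(d)
        if p:
            unwritable(d, p)
            owned_by(d, p, 0)
    for prog in ("bin/ls", "bin/pwd"):     # needed for the list and print-directory commands; mode 111
        p = path_of(prog)
        if p:
            exact_mode(prog, p, 0o111)
    p = path_of("etc/group")               # needed by ls; mode 444
    if p:
        exact_mode("etc/group", p, 0o444)
    pub = os.path.join(root, "pub")        # optional public area: mode 777, owned by ftp
    if os.path.isdir(pub):
        exact_mode("pub", pub, 0o777)
        owned_by("pub", pub, ftp_uid)
    return findings


def make_demo_tree(correct=True):
    """Build a constructed example tree in a fresh temporary directory and return
    its path. With correct=False the tree carries four deviations: a writable
    home, no bin/pwd (the case behind the '550 Bad account' message), a 644
    etc/group and a 755 pub."""
    root = tempfile.mkdtemp(prefix="ftproot-")
    for d in ("bin", "etc", "pub"):
        os.mkdir(os.path.join(root, d))
    for f in ("bin/ls", "bin/pwd", "etc/group"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("# constructed placeholder, not a real program or group file\n")
        os.chmod(os.path.join(root, f), 0o111 if f.startswith("bin/") else 0o444)
    os.chmod(os.path.join(root, "pub"), 0o777)
    if not correct:
        os.remove(os.path.join(root, "bin/pwd"))
        os.chmod(os.path.join(root, "etc/group"), 0o644)
        os.chmod(os.path.join(root, "pub"), 0o755)
    os.chmod(os.path.join(root, "bin"), 0o555)   # directories last, after their contents exist
    os.chmod(os.path.join(root, "etc"), 0o555)
    os.chmod(root, 0o555 if correct else 0o755)
    return root


if __name__ == "__main__":
    for flag in (True, False):
        print("correct" if flag else "defective", audit_ftp_root(make_demo_tree(flag)) or "OK")
```

Run against a real home directory with ftp_uid set to the ftp account's uid to get the ownership checks as well; the same function applies to each account listed in /etc/ftpd.rest, since those homes must carry the same bin and etc subtrees.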
FTP Daemon Customization
.ftpbanner If this file exists in the user's $HOME directory, it
will be displayed to the user after successful login.
Additionally, the .ftpbanner from each directory will
be displayed (if it exists) as the user changes into
that directory.
/etc/ftpbanner This file is the global system ftp banner and will be
displayed after successful login (if it exists) for
all accounts which do not have a $HOME/.ftpbanner.
Note that this file will not be displayed for either
restricted or anonymous ftp users since file system
access is restricted for those accounts. Bannering
for restricted and anonymous ftp accounts can be
implemented only via .ftpbanner.
/etc/ftppswd This file contains a customized password prompt for
all accounts except the anonymous ftp account. If
/etc/ftppswd exists, it will be displayed prior to the
standard ftp password prompt during normal user login.
/etc/ftpanonpswd
This file contains a customized password prompt for
the anonymous ftp account. If /etc/ftpanonpswd
exists, it will be displayed prior to the standard
anonymous ftp password prompt during anonymous ftp
user login.
/etc/ftpwelcome
This file contains a customized banner which is
displayed (if it exists) before the username prompt is
issued.
/etc/ftpd.rest This file lists the restricted ftp users. Usernames
listed in this file are required to have a valid
username/password account (just like a normal ftp
user). However, upon successful login, the daemon
performs a chroot(1M) to the user's home directory.
Restricted user accounts are identified by listing the
username (one per line) in the /etc/ftpd.rest file.
NOTE: The system administrator must create a
'/var/ftp' like directory structure in the
restricted user's home directory. See the
discussion under 'User Authentication Rules'
regarding anonymous ftp home directory
administration. Failure to establish
$HOME/bin/ls and $HOME/bin/pwd will prohibit
restricted user login and result in a '550
Bad account...unable to access <cmd>'
message.
/etc/ftpd.allow
This file lists usernames which are allowed FTP
service. Additionally, each record may contain
network/netmask information (for further access
qualification) and per-user configuration information
(max-concurrent-sessions, inactivity timeout,
inactivity maxtimeout, umask). If the file
/etc/ftpd.allow exists, only those usernames listed in
it are allowed ftp access to this server. If it does
not exist, all users except those listed in
/etc/ftpd.deny will be allowed access. If the
optional network/netmask information exists, access to
the ftp server is granted only if the connection is
from the specific host/networks configured for that
username. If per-user configuration information
exists, the specific attributes are established upon
successful user authentication. Access is validated
by checking /etc/ftpd.allow first and then
/etc/ftpd.deny. Note that it is possible to specify
an account in the allow file only to subsequently
reject it in the deny file. The file format is as
follows:
username [network [netmask]] : max_sess timeout maxtimeout umask
Where:
username is a valid username as specified by
/etc/passwd or NIS. The '+' wildcard
symbol may be used to specify all
usernames.
network is a dotted quad IP address which
specifies networks (or hosts) to which
access is allowed or denied.
netmask is a dotted quad IP address mask which
is and'ed with network to specify a
range of addresses to allow or deny.
max_sess is the number of concurrent ftp
connections allowed for the username.
If '-' is specified, max concurrent
sessions for the username is as defined
globally by the ftpd -s switch.
timeout is a number specifying the inactivity
time-out period (in secs) for the
username. If '-' is specified, the
timeout value for username is as
defined globally by the ftpd -t switch.
maxtimeout
is a number specifying the maximum
inactivity time-out period (in secs)
the user may specify via the ftpd SITE
IDLE command. If '-' is specified, the
max-timeout value for the username is
as defined globally by the ftpd -T
switch.
umask is an octal number specifying the
default umask for the username. If '-'
is specified, the default umask value
for the username is as defined globally
by the ftpd -u (or -U) switch.
/etc/ftpd.deny This file lists usernames (and, alternatively,
hosts/networks) for ftp server access control. If the
file /etc/ftpd.allow exists, only those usernames
listed in it are allowed ftp access to this server.
If it does not exist, all users except those listed in
/etc/ftpd.deny will be allowed access. This
configuration file may also specify hosts/networks
which are denied access to the ftp server. Access is
validated by checking /etc/ftpd.allow first and then
/etc/ftpd.deny. Note that it is possible to specify
an account in the allow file only to subsequently
reject it in the deny file. The file format is as
follows:
username [network [netmask]]
Where:
username is a valid username as specified by
/etc/passwd or NIS. The '+' wildcard
symbol may be used to specify all
usernames.
network is a dotted quad IP address which
specifies networks (or hosts) to which
access is allowed or denied.
netmask is a dotted quad IP address mask which
is and'ed with network to specify a
range of addresses to allow or deny.
For example: all users on machines located on the
128.222.8 lan are granted ftp access to the ftp server
by specifying '+ 128.222.8.0 255.255.255.0' in the
/etc/ftpd.allow file. To allow anonymous access from
anywhere and normal user access only from the
128.222.0.0 network, the /etc/ftpd.allow file should
contain the records 'ftp' and '+ 128.222.0.0
255.255.0.0'.
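As an added example (not part of this manual page or of the DG/UX ftpd implementation), the Python below parses records in the /etc/ftpd.allow and /etc/ftpd.deny formats described above, applies authentication rules 2 and 3 in the stated order (allow first, then deny), resolves the per-user max_sess/timeout/maxtimeout/umask fields with '-' falling back to the global -s/-t/-T/-u values, and applies the SITE IDLE limit. It is exercised with the two allow-file examples given above. Assumptions, beyond the function names: the first matching record for a username is the one used; a network given without a netmask is an exact host match; and "no limit" or "no time-out" is encoded as None.

```python
from ipaddress import IPv4Address

# Global switch values as the page gives their defaults: -s unset (no limit),
# -t unset (no time-out), -T two hours, -u 000. None encodes "unset" (assumption).
GLOBAL_DEFAULTS = {"max_sess": None, "timeout": None, "maxtimeout": 7200, "umask": 0o000}
SETTING_NAMES = ("max_sess", "timeout", "maxtimeout", "umask")
ALL_ONES = 0xFFFFFFFF


def _ip(dotted):
    return int(IPv4Address(dotted))


def parse_rule(line):
    """Parse one record: 'username [network [netmask]] [: max_sess timeout maxtimeout umask]'.
    Returns None for a blank line, otherwise a dict."""
    line = line.strip()
    if not line:
        return None
    settings = None
    if ":" in line:
        line, cfg = (s.strip() for s in line.split(":", 1))
        fields = cfg.split()
        if len(fields) != 4:
            raise ValueError("expected 'max_sess timeout maxtimeout umask' after ':'")
        settings = {}
        for name, value in zip(SETTING_NAMES, fields):
            if value == "-":
                settings[name] = None            # '-' means: use the global switch value
            elif name == "umask":
                settings[name] = int(value, 8)   # umask is given in octal
            else:
                settings[name] = int(value)
    parts = line.split()
    if not 1 <= len(parts) <= 3:
        raise ValueError("expected 'username [network [netmask]]'")
    network = _ip(parts[1]) if len(parts) >= 2 else None
    netmask = _ip(parts[2]) if len(parts) == 3 else ALL_ONES   # host without mask: exact match
    return {"username": parts[0], "network": network, "netmask": netmask, "settings": settings}


def parse_file(text):
    """Parse the contents of an allow or deny file into a list of rules."""
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r is not None]


def rule_matches(rule, username, client_ip):
    """'+' matches any username; network/netmask is AND'ed against the client address."""
    if rule["username"] not in ("+", username):
        return False
    if rule["network"] is None:
        return True
    return (_ip(client_ip) & rule["netmask"]) == (rule["network"] & rule["netmask"])


def check_access(username, client_ip, allow_rules, deny_rules, globals_=GLOBAL_DEFAULTS):
    """Rules 2 and 3: allow_rules=None models a missing /etc/ftpd.allow (everyone
    allowed unless denied). Returns (allowed, effective per-user settings)."""
    matched = None
    if allow_rules is not None:
        matched = next((r for r in allow_rules if rule_matches(r, username, client_ip)), None)
        if matched is None:
            return False, None
    if any(rule_matches(r, username, client_ip) for r in deny_rules):
        return False, None          # deny is checked second and still wins after an allow match
    settings = dict(globals_)
    if matched and matched["settings"]:
        for name, value in matched["settings"].items():
            if value is not None:
                settings[name] = value
    return True, settings


def site_idle(requested, settings):
    """'SITE IDLE n': accepted (returns n) only if n does not exceed the user's maxtimeout."""
    limit = settings["maxtimeout"]
    if limit is not None and requested > limit:
        return None
    return requested


if __name__ == "__main__":
    # Constructed allow file: the page's second example plus one per-user record.
    allow = parse_file("ftp\ncarol 128.222.0.0 255.255.0.0 : 2 600 - 022\n+ 128.222.0.0 255.255.0.0\n")
    deny = parse_file("bob\n")
    for user, ip in (("ftp", "10.0.0.5"), ("bob", "128.222.44.3"), ("carol", "128.222.1.2")):
        print(user, ip, check_access(user, ip, allow, deny))
```

The carol record shows why the per-user fields matter: her maxtimeout comes from the global -T value, so a "SITE IDLE 9000" from her is refused while "SITE IDLE 600" is accepted.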
SEE ALSO
ftp(1C), inetd(1M), ftpd.allow(4M), ftpd.deny(4M).
Licensed material--property of copyright holder(s)