ftpd(1M)                       DG/UX R4.11MU05                      ftpd(1M)


NAME
       ftpd - File Transfer Protocol server

SYNOPSIS
       /usr/bin/ftpd [ -d ] [ -l ] [ -p ] [ -s max-concurrent-sessions ] [
       -t timeout ] [ -T max-timeout ] [ -u umask ] [ -U anonymous umask ]

DESCRIPTION
       The ftpd process is the DARPA Internet File Transfer Protocol (FTP)
       server process.  The server uses the Transmission Control Protocol
       (TCP) as its transport protocol.  The FTP server is invoked by the
       inetd server when an incoming connection is detected on the port
       specified in /etc/services.  See inetd(1M) and services(4) for
       details.

   Options
       -d     Enable debugging, with output going to /tmp/ftpd*.

       -l     Log each ftp session to the system log.  Each connection,
              disconnect, login, get, put, mkdir, rmdir, delete, rename, and
              site chmod operation will be logged via syslog along with
              their completion status.  Ftp session messages are logged at
              syslog level LOG_INFO.  For additional information about the
              system log, see syslog(3C).

       -p     Enable validation of the PORT request for stricter security
              purposes.  The validation will refuse the PORT command and
              will result in an "Illegal PORT Command" error if the port
              specified is less than 1024 and if the IP address specified is
              different from the ftp client.  Note that specifying this
              option will cause bftp(1C) transfers between non-local hosts
              to fail.
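
A validator for the PORT argument in the spirit of the -p checks above, added here as an example and not code from the DG/UX daemon.  The argument layout h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 is the standard FTP encoding; because the wording above leaves open whether both conditions must hold, this example refuses the request when either one does, the conservative reading, which is an assumption.

```python
import ipaddress

RESERVED_PORT_LIMIT = 1024   # PORT requests below this are refused

def parse_port_argument(arg):
    """Decode the PORT argument h1,h2,h3,h4,p1,p2 into (address, port);
    raises ValueError when the argument is malformed."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("expected six comma-separated fields")
    values = []
    for field in fields:
        if not field.isdigit() or int(field) > 255:
            raise ValueError("field %r is not in 0..255" % field)
        values.append(int(field))
    address = "%d.%d.%d.%d" % tuple(values[:4])
    return address, values[4] * 256 + values[5]

def validate_port_request(arg, client_ip):
    """Apply the -p style checks to one PORT request arriving from
    client_ip.  Returns (accepted, reason)."""
    try:
        address, port = parse_port_argument(arg)
    except ValueError as err:
        return False, "Illegal PORT Command: %s" % err
    # Refuse reserved ports (below 1024) ...
    if port < RESERVED_PORT_LIMIT:
        return False, "Illegal PORT Command: port %d is below %d" % (
            port, RESERVED_PORT_LIMIT)
    # ... and any data address other than the control connection's peer.
    if ipaddress.ip_address(address) != ipaddress.ip_address(client_ip):
        return False, "Illegal PORT Command: %s is not the client address %s" % (
            address, client_ip)
    return True, "PORT accepted for %s:%d" % (address, port)
```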

       -s max-concurrent-sessions
              Limit the number of concurrent ftp connections for any given
              username to max-concurrent-sessions sessions.  In the event
              that the session limit has been exceeded, a 'session limit
              exceeded' message will be returned to the ftp client.  On a
              generic DG/UX system, the username root is excluded from any
              max-concurrent-sessions limit imposed by the system
              administrator.

       -t timeout
              Set the inactivity time-out period to timeout seconds.  By
              default, the ftp server does not time out an inactive session.

       -T max-timeout
              A client may request a different inactivity time-out period;
              the maximum period allowed may be set to max-timeout seconds
              with the -T option.  The default limit is 2 hours.

       -u umask
              Set the default file-creation mode mask to umask.  The default
              umask is 000.

       -U anonymous umask
              Set the default umask for the anonymous ftp user to umask.
              The default umask for the anonymous ftp user is 000.

   Requests
       The ftp server currently supports the following requests; case is not
       distinguished.

       Request        Description
       ABOR           abort any transfer in progress
       ACCT           specify account (ignored)
       ALLO           allocate storage
       APPE           append to a file
       CDUP           change to the parent of the current working directory
       CWD            change working directory
       DELE           delete a file
       HELP           give help information
       LIST           give list of files in a directory (ls -l)
       MKD            make a directory
       MODE           specify data transfer mode
       NLST           give list of names of files in directory (ls)
       NOOP           do nothing
       PAGE           specify a new page size
       PASS           specify password
       PASV           listen on a data port and wait for a connection
       PORT           specify data connection port
       PWD            print the current working directory
       QUIT           terminate session
       REIN           reinitialize server state
       REST           restart the last aborted transfer
       RETR           retrieve a file
       RMD            remove a directory
       RNFR           specify rename-from filename
       RNTO           specify rename-to filename
       SEOR           specify a new end-of-record delimiter
       SITE           non-standard commands or display remote system specific information
       SYST           returns the type of operating system on the remote system
       STAT           display server's status
       STOR           store a file
       STOU           store a file under a unique name
       STRU           specify data transfer structure
       TYPE           specify data transfer type
       USER           specify username
       XCUP           change to parent of current working directory
       XCWD           change working directory
       XMKD           make a directory
       XPWD           print the current working directory
       XRMD           remove a directory

       The following non-standard or UNIX-specific commands are supported by
       the SITE request.

       Request        Description
       AUTH           perform special authentication, e.g., "SITE AUTH mycode"
       CHMOD          change mode of a file, e.g., "SITE CHMOD 666 /etc/motd"
       HELP           give help information
       IDLE           set idle-timer, e.g., "SITE IDLE 60"
       UMASK          change umask, e.g., "SITE UMASK 002"

       The ftpd process interprets filenames according to the "globbing"
       conventions used by csh(1).  This allows you to use the
       metacharacters ``*?[]{}~''.

   User Authentication Rules
       The ftpd process authenticates users according to five rules:

       1)     The username must be in the password database, /etc/passwd,
              or, if you use the Network Information Service, it must be in
              the Network Information Service password database.  If a
              password is required for a given username, it must be provided
              by the client process before any file operations can be
              performed.

              If the host system is running DG/UX information security, the
              username must have an account in the A&A database and must be
              specifically authorized to use ftp at the client's (or user-
              specified) clearance label and device range.

       2)     If the /etc/ftpd.allow file exists, the username must be
              listed in it.  Furthermore, if /etc/ftpd.allow restricts
              username access to a specific host or network(s), the ftp
              connection must have originated from that host (or network).

       3)     If the /etc/ftpd.deny file exists, the username must not be
              listed in it.  If the username is in this file, ftp access is
              denied to the user.

       4)     If the username is anonymous or ftp, an anonymous ftp login
              must be specified in the password file (user ftp).  In this
              case, a user is allowed to log in by specifying any password
              (by convention, this is given as the client hostname).

       5)     The username must not exceed the max-concurrent-sessions per
              username limit (if specified).

       If the username is anonymous, ftp, or is listed in /etc/ftpd.rest,
       ftpd takes special measures to restrict the client's access
       privileges.  The server performs a chroot(1M) command to the home
       directory of the ftp (or restricted) user.  So that system security
       is not breached, it is recommended that the ftp (or restricted user)
       new root directory subtree be constructed with care.  The following
       guidelines are recommended.

       new-root       Make the home directory owned by ftp (or the
                      appropriate restricted username) and unwritable by
                      anyone.

       new-root/bin   Make this directory owned by root and unwritable by
                      anyone.  The programs ls(1) and pwd(1) must be present
                      to support the list and print directory commands.
                      These programs should have mode 111.

       new-root/etc   Make this directory owned by root and unwritable by
                      anyone.  The file group(4) must be present for the ls
                      command to work properly.  This file should be mode
                      444.

       new-root/pub   To provide public filespace, create this directory
                      with mode 777 and owned by ftp.  Users should then put
                      in this directory all files that are to be accessible
                      through the anonymous account.
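
An added audit script, not part of the manual, that checks a candidate new-root tree against the guidelines just listed (owners, no write permission on the directories, the 111/444/777 modes on bin/ls, bin/pwd, etc/group and pub).  It builds its own throw-away tree with tempfile for demonstration; resolving the ftp and root owners to uids through a mapping supplied by the caller is an assumption made so that the check can run as an unprivileged user.

```python
import os
import stat
import tempfile

# The manual's guidelines keyed by path relative to new-root.  "owner" is a
# role name resolved through the uids mapping the caller supplies.
GUIDELINES = {
    ".":         {"owner": "ftp",  "unwritable": True},
    "bin":       {"owner": "root", "unwritable": True},
    "bin/ls":    {"owner": "root", "mode": 0o111},
    "bin/pwd":   {"owner": "root", "mode": 0o111},
    "etc":       {"owner": "root", "unwritable": True},
    "etc/group": {"owner": "root", "mode": 0o444},
    "pub":       {"owner": "ftp",  "mode": 0o777},
}

def audit_ftp_root(root, uids):
    """Compare the tree under root with GUIDELINES.  Returns a list of
    findings; an empty list means every entry follows the guidelines."""
    findings = []
    for rel, want in GUIDELINES.items():
        try:
            st = os.lstat(os.path.join(root, rel))
        except FileNotFoundError:
            findings.append("%s: missing" % rel)
            continue
        perms = stat.S_IMODE(st.st_mode) & 0o777   # ignore setuid/setgid/sticky
        if st.st_uid != uids[want["owner"]]:
            findings.append("%s: owned by uid %d, expected %s" % (rel, st.st_uid, want["owner"]))
        if want.get("unwritable") and perms & 0o222:
            findings.append("%s: writable (mode %o)" % (rel, perms))
        if "mode" in want and perms != want["mode"]:
            findings.append("%s: mode %o, expected %o" % (rel, perms, want["mode"]))
    return findings

def build_demo_tree(dirs_unwritable=True):
    """Construct a throw-away demo tree in a temporary directory; with
    dirs_unwritable=False the directories keep owner write permission."""
    root = tempfile.mkdtemp()
    for d in ("bin", "etc", "pub"):
        os.mkdir(os.path.join(root, d))
    for f, mode in (("bin/ls", 0o111), ("bin/pwd", 0o111), ("etc/group", 0o444)):
        path = os.path.join(root, f)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "pub"), 0o777)
    for d in ("bin", "etc", "."):
        os.chmod(os.path.join(root, d), 0o555 if dirs_unwritable else 0o755)
    return root

def demo_audit(dirs_unwritable=True):
    """Audit a fresh demo tree; the current user plays both owner roles."""
    me = os.getuid()
    return audit_ftp_root(build_demo_tree(dirs_unwritable), {"ftp": me, "root": me})
```

On a real system the uids mapping would come from the password database, e.g. pwd.getpwnam("ftp").pw_uid and 0 for root.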

   FTP Daemon Customization
       .ftpbanner     If this file exists in the user's $HOME directory, it
                      will be displayed to the user after successful login.
                      Additionally, the .ftpbanner from each directory will
                      be displayed (if it exists) as the user changes into
                      that directory.

       /etc/ftpbanner This file is the global system ftp banner and will be
                      displayed after successful login (if it exists) for
                      all accounts which do not have a $HOME/.ftpbanner.
                      Note that this file will not be displayed for either
                      restricted or anonymous ftp users since file system
                      access is restricted for those accounts.  Bannering
                      for restricted and anonymous ftp accounts can be
                      implemented only via .ftpbanner.

       /etc/ftppswd   This file contains a customized password prompt for
                      all accounts except the anonymous ftp account.  If
                      /etc/ftppswd exists, it will be displayed prior to the
                      standard ftp password prompt during normal user login.

       /etc/ftpanonpswd
                      This file contains a customized password prompt for
                      the anonymous ftp account.  If /etc/ftpanonpswd
                      exists, it will be displayed prior to the standard
                      anonymous ftp password prompt during anonymous ftp
                      user login.

       /etc/ftpwelcome
                      This file contains a customized banner which is
                      displayed (if it exists) before the username prompt is
                      issued.

       /etc/ftpd.rest This file lists the restricted ftp users.  Usernames
                      listed in this file are required to have a valid
                      username/password account (just like a normal ftp
                      user).  However, upon successful login, the daemon
                      performs a chroot(1M) to the user's home directory.
                      Restricted user accounts are identified by listing the
                      username (one per line) in the /etc/ftpd.rest file.

                      NOTE:     The system administrator must create a
                                '/var/ftp' like directory structure in the
                                restricted user's home directory.  See the
                                discussion under 'User Authentication Rules'
                                regarding anonymous ftp home directory
                                administration.  Failure to establish
                                $HOME/bin/ls and $HOME/bin/pwd will prohibit
                                restricted user login and result in a '550
                                Bad account...unable to access <cmd>'
                                message.

       /etc/ftpd.allow
                      This file lists usernames which are allowed FTP
                      service.  Additionally, each record may contain
                      network/netmask information (for further access
                      qualification) and per-user configuration information
                      (max-concurrent-sessions, inactivity timeout,
                      inactivity maxtimeout, umask).  If the file
                      /etc/ftpd.allow exists, only those usernames listed in
                      it are allowed ftp access to this server.  If it does
                      not exist, all users except those listed in
                      /etc/ftpd.deny will be allowed access.  If the
                      optional network/netmask information exists, access to
                      the ftp server is granted only if the connection is
                      from the specific host/networks configured for that
                      username.  If per-user configuration information
                      exists, the specific attributes are established upon
                      successful user authentication.  Access is validated
                      by checking /etc/ftpd.allow first and then
                      /etc/ftpd.deny.  Note that it is possible to specify
                      an account in the allow file only to subsequently
                      reject it in the deny file.  The file format is as
                      follows:

                           username [network [netmask]] : max_sess timeout
                           maxtimeout umask

                           Where:

                           username  is a valid username as specified by
                                     /etc/passwd or NIS.  The '+' wildcard
                                     symbol may be used to specify all
                                     usernames.

                           network   is a dotted quad IP address which
                                     specifies networks (or hosts) to which
                                     access is allowed or denied.

                           netmask   is a dotted quad IP address mask which
                                     is and'ed with network to specify a
                                     range of addresses to allow or deny.

                           max_sess  is the number of concurrent ftp
                                     connections allowed for the username.
                                     If '-' is specified, max concurrent
                                     sessions for the username is as defined
                                     globally by the ftpd -s switch.

                           timeout   is a number specifying the inactivity
                                     time-out period (in secs) for the
                                     username.  If '-' is specified, the
                                     timeout value for username is as
                                     defined globally by the ftpd -t switch.

                           maxtimeout
                                     is a number specifying the maximum
                                     inactivity time-out period (in secs)
                                     the user may specify via the ftpd SITE
                                     IDLE command.  If '-' is specified, the
                                     max-timeout value for the username is
                                     as defined globally by the ftpd -T
                                     switch.

                           umask     is an octal number specifying the
                                     default umask for the username.  If '-'
                                     is specified, the default umask value
                                     for the username is as defined globally
                                     by the ftpd -u (or -U) switch.

       /etc/ftpd.deny This file lists usernames (and, alternatively,
                      hosts/networks) for ftp server access control.  If the
                      file /etc/ftpd.allow exists, only those usernames
                      listed in it are allowed ftp access to this server.
                      If it does not exist, all users except those listed in
                      /etc/ftpd.deny will be allowed access.  This
                      configuration file may also specify hosts/networks
                      which are denied access to the ftp server.  Access is
                      validated by checking /etc/ftpd.allow first and then
                      /etc/ftpd.deny.  Note that it is possible to specify
                      an account in the allow file only to subsequently
                      reject it in the deny file.  The file format is as
                      follows:

                           username [network [netmask]]

                           Where:

                           username  is a valid username as specified by
                                     /etc/passwd or NIS.  The '+' wildcard
                                     symbol may be used to specify all
                                     usernames.

                           network   is a dotted quad IP address which
                                     specifies networks (or hosts) to which
                                     access is allowed or denied.

                           netmask   is a dotted quad IP address mask which
                                     is and'ed with network to specify a
                                     range of addresses to allow or deny.

                       For example, all users on machines on the 128.222.8
                       LAN are granted ftp access to the ftp server by
                       specifying '+ 128.222.8.0 255.255.255.0' in the
                       /etc/ftpd.allow file.  To allow anonymous access from
                       anywhere and normal user access only from the
                       128.222.0.0 network, the /etc/ftpd.allow file should
                       contain the records 'ftp' and '+ 128.222.0.0
                       255.255.0.0'.
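
An evaluator for the /etc/ftpd.allow and /etc/ftpd.deny record formats and the allow-then-deny order described in both entries above, added here as an example rather than code from the DG/UX daemon.  The sample file contents are constructed (they extend the manual's own example records); treating a network given without a netmask as a single host is an assumption the manual does not state.

```python
import ipaddress

# Constructed sample files (not from the page), extending the manual's example.
ALLOW_FILE = """ftp
alice 128.222.0.0 255.255.0.0 : 2 600 - 022
+ 128.222.0.0 255.255.0.0
"""
DENY_FILE = """carol
+ 128.222.9.0 255.255.255.0
"""

def parse_record(line):
    """Return {user, network, netmask, config} for one record, or None
    for a blank line.  ftpd.deny records simply have no ':' part."""
    left, sep, right = line.partition(":")
    fields = left.split()
    if not fields:
        return None
    # Assumption: a network given without a netmask means that single host.
    return {"user": fields[0],
            "network": fields[1] if len(fields) > 1 else None,
            "netmask": fields[2] if len(fields) > 2 else "255.255.255.255",
            "config": right.split() if sep else []}

def record_matches(rec, username, client_ip):
    """'+' matches any username; the host matches when
    (client AND netmask) == (network AND netmask)."""
    if rec["user"] not in ("+", username):
        return False
    if rec["network"] is None:
        return True
    mask = int(ipaddress.IPv4Address(rec["netmask"]))
    net = int(ipaddress.IPv4Address(rec["network"]))
    return (int(ipaddress.IPv4Address(client_ip)) & mask) == (net & mask)

def first_match(text, username, client_ip):
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and record_matches(rec, username, client_ip):
            return rec
    return None

def check_access(username, client_ip, allow_text, deny_text):
    """Check ftpd.allow first, then ftpd.deny; pass None for a file that
    does not exist.  Returns (allowed, reason, per-user config fields)."""
    config = []
    if allow_text is not None:
        rec = first_match(allow_text, username, client_ip)
        if rec is None:
            return False, "not listed in /etc/ftpd.allow for this host", []
        config = rec["config"]
    if deny_text is not None and first_match(deny_text, username, client_ip):
        return False, "listed in /etc/ftpd.deny", []
    return True, "access granted", config
```

The four config fields returned for alice map onto max_sess, timeout, maxtimeout and umask in that order, with '-' meaning the daemon's -s/-t/-T/-u global value.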

SEE ALSO
       ftp(1C), inetd(1M), ftpd.allow(4M), ftpd.deny(4M).


Licensed material--property of copyright holder(s)
