Available options:
``/etc'' to confdir. This changes the directory for the following files: /etc/ftpchroot, /etc/ftpusers, /etc/ftpwelcome, /etc/motd, and the file specified by the ftpd.conf(5) limit directive.
LOG_FTP.
LOG_FTP. If this option is specified more than once, the retrieve (get), store (put), append, delete, make directory, remove directory and rename operations and their file name arguments are also logged.
/var/run/utmp. This is the default.
/var/run/utmp, making them visible to commands such as who(1).
/var/log/wtmp.
/var/log/wtmp, making them visible to commands such as last(1). This is the default.
LOG_FTP.
These syslog entries can be converted to a wu-ftpd style xferlog file suitable for input into a third-party log analysis tool with a command similar to:

    grep 'xferlog: ' /var/log/xferlog | \
        sed -e 's/^.*xferlog: //' > wuxferlog
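As an added example (not part of the ftpd(8) manual or of ftpd itself), the conversion above wrapped as a shell function, run over constructed syslog lines, together with the kind of per-user report a log analysis tool would derive from the resulting xferlog. The sample log lines, host names, addresses and file names are made up; the field positions assume the wu-ftpd xferlog layout in which the date occupies the first five whitespace-separated fields.

```shell
#!/bin/sh
# Added example, not part of the ftpd(8) manual: the page's grep/sed
# one-liner as a function, plus a small awk report of the kind a log
# analysis tool would produce from the resulting xferlog.

# Constructed sample syslog output (host name, pids, addresses and transfers
# are made up; only the "xferlog: " lines carry transfer records).
SAMPLE_SYSLOG='Mar  1 10:00:01 host ftpd[1234]: connection from 192.0.2.10 to 192.0.2.1
Mar  1 10:00:05 host ftpd[1234]: xferlog: Mon Mar  1 10:00:05 2004 1 192.0.2.10 512 /pub/README a _ o a anonymous ftp 0 * c
Mar  1 10:00:09 host ftpd[1234]: xferlog: Mon Mar  1 10:00:09 2004 2 192.0.2.10 4096 /pub/file.bin b _ o a anonymous ftp 0 * c
Mar  1 10:00:11 host ftpd[1235]: xferlog: Mon Mar  1 10:00:11 2004 1 198.51.100.5 1024 /home/alice/notes.txt a _ i r alice ftp 0 * c
Mar  1 10:00:12 host ftpd[1234]: FTP LOGOUT: anonymous'

# syslog_to_xferlog: read syslog lines on stdin, write wu-ftpd style xferlog
# records on stdout.  Lines without the "xferlog: " marker (connection and
# logout messages) are dropped; the syslog prefix up to the marker is removed.
syslog_to_xferlog() {
    grep 'xferlog: ' | sed -e 's/^.*xferlog: //'
}

# xferlog_count: number of transfer records found in syslog input on stdin.
xferlog_count() {
    syslog_to_xferlog | wc -l | tr -d ' '
}

# xferlog_bytes_by_user: sum file sizes per user from xferlog records on
# stdin, printed as "user bytes" lines sorted by user name.  In the wu-ftpd
# format the date occupies fields 1-5, so the file size is field 8 and the
# user name field 14.
xferlog_bytes_by_user() {
    awk '{ bytes[$14] += $8 }
         END { for (u in bytes) printf "%s %d\n", u, bytes[u] }' | sort
}

# Typical use on a real log (the page's command, as a function call):
#   syslog_to_xferlog < /var/log/xferlog > wuxferlog
#   xferlog_bytes_by_user < wuxferlog
```

The functions read standard input so they can be chained onto the real syslog file exactly as the page's pipeline is; the report shows that the converted records are plain whitespace-separated fields, which is what makes them usable by third-party tools.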
The file /etc/nologin can be used to disable FTP access. If the file exists, ftpd displays it and exits.

If the file /etc/ftpwelcome exists, ftpd prints it before issuing the ``ready'' message.

If the file /etc/motd exists (under the chroot directory if applicable), ftpd prints it after a successful login. This may be changed with the ftpd.conf(5) directive motd.
The ftpd server currently supports the following FTP requests. The case of the requests is ignored.
Request | Description |
ABOR | abort previous command |
ACCT | specify account (ignored) |
ALLO | allocate storage (vacuously) |
APPE | append to a file |
CDUP | change to parent of current working directory |
CWD | change working directory |
DELE | delete a file |
EPSV | prepare for server-to-server transfer |
EPRT | specify data connection port |
FEAT | list extra features that are not defined in RFC 959 |
HELP | give help information |
LIST | give list files in a directory (``ls -lA'') |
LPSV | prepare for server-to-server transfer |
LPRT | specify data connection port |
MLSD | list contents of directory in a machine-processable form |
MLST | show a pathname in a machine-processable form |
MKD | make a directory |
MDTM | show last modification time of file |
MODE | specify data transfer mode |
NLST | give name list of files in directory |
NOOP | do nothing |
OPTS | define persistent options for a given command |
PASS | specify password |
PASV | prepare for server-to-server transfer |
PORT | specify data connection port |
PWD | print the current working directory |
QUIT | terminate session |
REST | restart incomplete transfer |
RETR | retrieve a file |
RMD | remove a directory |
RNFR | specify rename-from file name |
RNTO | specify rename-to file name |
SITE | non-standard commands (see next section) |
SIZE | return size of file |
STAT | return status of server |
STOR | store a file |
STOU | store a file with a unique name |
STRU | specify data transfer structure |
SYST | show operating system type of server system |
TYPE | specify data transfer type |
USER | specify user name |
XCUP | change to parent of current working directory (deprecated) |
XCWD | change working directory (deprecated) |
XMKD | make a directory (deprecated) |
XPWD | print the current working directory (deprecated) |
XRMD | remove a directory (deprecated) |
The following non-standard or UNIX specific commands are supported by the SITE request.
Request | Description |
CHMOD | change mode of a file, e.g. ``SITE CHMOD 755 filename'' |
HELP | give help information. |
IDLE | set idle-timer, e.g. ``SITE IDLE 60'' |
RATEGET | set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k'' |
RATEPUT | set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k'' |
UMASK | change umask, e.g. ``SITE UMASK 002'' |
The following FTP requests (as specified in RFC 959 and RFC 2228) are recognized, but are not implemented: ACCT, ADAT, AUTH, CCC, CONF, ENC, MIC, PBSZ, PROT, REIN, and SMNT.
The ftpd server will abort an active file transfer only when the ABOR command is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet "Synch" signal in the command Telnet stream, as described in Internet RFC 959. If a STAT command is received during a data transfer, preceded by a Telnet IP and Synch, transfer status will be returned.
ftpd interprets file names according to the ``globbing'' conventions used by csh(1). This allows users to use the metacharacters ``*?[]{}~''.
/bin/sh.
As per shells(5), the user's shell must be listed with full path in /etc/shells.
The server performs a chroot(2) to the directory specified in the ftpd.conf(5) chroot directive (if set), the -a anondir directory (if set), or to the home directory of the ``ftp'' user.
The server then performs a chdir(2) to the directory specified in the ftpd.conf(5) homedir directive (if set), otherwise to /.
If other restrictions are required (such as disabling of certain commands and the setting of a specific umask), then appropriate entries in ftpd.conf(5) are required.
If the first character of the password supplied by an anonymous user is ``-'', then the verbose messages displayed at login and upon a CWD command are suppressed.
/etc/ftpwelcome and /etc/motd), various escape strings are replaced with information pertinent to the current connection. The supported escape strings are:
1'', print an ``s''.
1'', print an ``S''.
~ftp
~ftp/bin
~ftp/etc
pwd.db (see passwd(5)) and group (see group(5)) must be present for the LIST command to be able to display owner and group names instead of numbers. The password field in passwd(5) is not used, and should not contain real passwords. The file motd, if present, will be printed after a successful login. These files should be mode 444.
~ftp/pub
~ftp/incoming
The following ftpd.conf(5) directives should be used:
modify guest off
umask guest 0707
upload guest on
This will result in anonymous users being able to upload files to this directory, but they will not be able to download them, delete them, or overwrite them, due to the umask and disabling of the commands mentioned above.
~ftp/tmp
If you don't enable conversion commands, or don't want anonymous users uploading files here (see ~ftp/incoming above), then don't create this directory. However, error messages from conversion or LIST commands won't be returned to the user. (This is the traditional behaviour.) Note that the ftpd.conf(5) directive upload can be used to prevent users uploading here.
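As an added example (not part of the ftpd(8) manual or of ftpd itself), a check that an ftpd.conf gives the ``guest'' class the incoming-directory policy described above (modify off, umask 0707, upload on), plus a helper showing why that umask makes uploads unreadable and unmodifiable by the uploader. The configuration texts are constructed; the parser assumes the ``directive class [value]'' line form of ftpd.conf(5) and that a later line for the same directive and class overrides an earlier one.

```shell
#!/bin/sh
# Added example, not part of the ftpd(8) manual: verify the incoming-area
# policy for a class in an ftpd.conf, and show the effect of umask 0707.

# Constructed ftpd.conf fragments (not from any real system).
GOOD_CONF='# anonymous upload area
modify  guest off
umask   guest 0707
upload  guest on'

WEAK_CONF='modify  guest on
umask   guest 022
upload  guest on'

# ftpd_conf_get CONF_TEXT CLASS DIRECTIVE: print the value of DIRECTIVE for
# CLASS, or nothing if it is not set.  Comment and blank lines are skipped;
# the last matching line wins (assumed ftpd.conf(5) semantics).
ftpd_conf_get() {
    printf '%s\n' "$1" | awk -v class="$2" -v dir="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == dir && $2 == class { val = $3 }
        END { if (val != "") print val }'
}

# check_incoming_policy CONF_TEXT CLASS: return 0 if CLASS may upload but can
# neither modify nor read back what it uploaded; otherwise print the first
# deviation and return 1.
check_incoming_policy() {
    conf=$1; class=$2
    [ "$(ftpd_conf_get "$conf" "$class" upload)" = "on" ] ||
        { echo "upload $class is not on"; return 1; }
    [ "$(ftpd_conf_get "$conf" "$class" modify)" = "off" ] ||
        { echo "modify $class is not off"; return 1; }
    [ "$(ftpd_conf_get "$conf" "$class" umask)" = "0707" ] ||
        { echo "umask $class is not 0707"; return 1; }
    return 0
}

# file_mode_under_umask UMASK: the mode a newly created file (0666 before the
# umask is applied) receives under UMASK, as four octal digits.  printf reads
# the octal strings so the result does not depend on how the shell treats
# leading zeros inside $(( )).
file_mode_under_umask() {
    printf '%04o\n' $(( $(printf '%d' 0666) & ~$(printf '%d' "$1") ))
}

# Usage:
#   check_incoming_policy "$GOOD_CONF" guest && echo "incoming policy ok"
#   file_mode_under_umask 0707    # 0060: owner (the ftp user) has no access
```

With umask 0707 an uploaded file ends up mode 0060, so the owning ``ftp'' user, and therefore every anonymous session, has neither read nor write permission on it; combined with ``modify guest off'' this is what stops uploads from being downloaded, deleted or overwritten through the same anonymous account.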
To set up "ftp-only" accounts that provide only FTP, but no valid shell login, you can copy/link /sbin/nologin to /sbin/ftplogin, and add /sbin/ftplogin to /etc/shells to allow logging in via FTP into the accounts, which must have /sbin/ftplogin as login shell.
/etc/ftpchroot
/etc/ftpd.conf
/etc/ftpusers
/etc/ftpwelcome
/etc/motd
/etc/nologin
/var/run/ftpd.pids-CLASS
/var/run/utmp
/var/log/wtmp
Various features such as the ftpd.conf(5) functionality, RFC 2389, and RFC 3659 support were implemented in NetBSD 1.3 and later releases by Luke Mewburn.
IPPORT_RESERVED, which is 1024). If ftpd is listening on a privileged port it maintains an effective user id of the logged in user, reverting to the super-user only when binding addresses to privileged sockets. The -r option can be used to override this behaviour and force privileges to be permanently revoked; see SECURITY CONSIDERATIONS below for more details.
ftpd may have trouble handling connections from scoped IPv6 addresses, or IPv4 mapped addresses (an IPv4 connection on an AF_INET6 socket). For the latter case, running two daemons, one for IPv4 and one for IPv6, will avoid the problem.
IPPORT_RESERVED will be rejected. This also prevents `third-party proxy ftp' from working. Use of this option is strongly recommended, and enabled by default.
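As an added example (not part of the ftpd(8) manual or of ftpd's own code), the validation a server applies to a PORT argument before opening a data connection. The page states that requests for ports below IPPORT_RESERVED (1024) are rejected; the additional requirement that the requested address equal the control connection's peer is an assumption made here, as the check that rules out third-party proxy ftp. All addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the ftpd(8) manual: PORT argument validation.
IPPORT_RESERVED=1024

# port_request_allowed PORT_ARG PEER_ADDR
# PORT_ARG is the "h1,h2,h3,h4,p1,p2" argument of an FTP PORT command; the
# requested port is p1*256+p2.  PEER_ADDR is the client's address on the
# control connection (dotted quad).  Returns 0 if the data connection may
# be made, 1 if the request must be refused.
port_request_allowed() {
    arg=$1; peer=$2
    oldifs=$IFS; IFS=,; set -- $arg; IFS=$oldifs
    [ $# -eq 6 ] || return 1                 # malformed: wrong field count
    for n in "$@"; do
        case $n in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-numeric or leading zero
        esac
        [ "$n" -le 255 ] || return 1          # each component must fit in 0..255
    done
    port=$(( $5 * 256 + $6 ))
    [ "$port" -ge "$IPPORT_RESERVED" ] || return 1   # privileged port: reject
    [ "$1.$2.$3.$4" = "$peer" ] || return 1          # not the client: reject (assumed check)
    return 0
}

# Usage:
#   port_request_allowed 192,0,2,10,4,1 192.0.2.10 && echo "data port 1025 accepted"
```

Rejecting ports below 1024 means a client cannot direct the server's data connection at a privileged service, and the peer-address comparison is what makes a data transfer between two servers (proxy ftp) impossible, which is the trade-off the text notes.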
By default ftpd uses a port that is one less than the port it is listening on to communicate back to the client for the EPRT, LPRT, and PORT commands, unless overridden with -P dataport. As the default port for ftpd (21) is a privileged port below IPPORT_RESERVED, ftpd retains the ability to switch back to root privileges to bind these ports. In order to increase security by reducing the potential for a bug in ftpd providing a remote root compromise, ftpd will permanently drop root privileges if one of the following is true:
IPPORT_RESERVED and the user has logged in as a `guest' or `chroot' user.
Don't create ~ftp/tmp if you don't want anonymous users to upload files there. That directory is only necessary if you want to display the error messages of conversion commands to the user. Note that if uploads are disabled with the ftpd.conf(5) directive upload, then this directory cannot be abused by the user in this way, so it should be safe to create.
To avoid possible denial-of-service attacks, SIZE requests against files larger than 10240 bytes will be denied if the current transfer TYPE is `A' (ASCII).