*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->OpenBSD man pages -> ftpd (8)              



NAME    [Toc]    [Back]

     ftpd - Internet File Transfer Protocol server

SYNOPSIS    [Toc]    [Back]

     ftpd [-46ADdlMnPSU] [-T maxtimeout] [-t timeout] [-u mask]

DESCRIPTION    [Toc]    [Back]

     ftpd is the Internet File Transfer Protocol server  process.
The server
     uses  the  TCP protocol and listens at the port specified in
the ``ftp''
     service specification; see services(5).

     The options are as follows:

     -4      When -D is specified, forces ftpd to  use  IPv4  addresses only.

     -6       When  -D  is specified, forces ftpd to use IPv6 addresses only.

     -A      Permit  only  anonymous  ftp  connections,  accounts
listed in
             /etc/ftpchroot  or  users  in a login class with the
             variable set (see below).  Other connection attempts
are refused.

     -D       With this option set, ftpd will detach and become a
daemon, accepting
 connections on  the  FTP  port  and  forking
child processes
             to handle them.  This has lower overhead than starting ftpd from
             inetd(8) and is thus useful on busy servers  to  reduce load.

     -d      Debugging information is written to the syslog using

     -l      Each successful and failed ftp(1) session is  logged
using syslog
             with a facility of LOG_FTP.  If this option is specified twice,
             the retrieve (get),  store  (put),  append,  delete,
make directory,
             remove  directory  and  rename  operations and their
filename arguments
 are also logged.

     -M      Enables multihomed mode.  Instead  of  simply  using
~ftp for anonymous
 transfers, a directory matching the fully qualified name of
             the IP number the client connected to,  and  located
inside ~ftp,
             is used instead.

     -n       Do  not permit anonymous ftp logins.  Normally they
are permitted.

     -P      Permit illegal port numbers or  addresses  for  PORT
command initiated
 connects.  By default ftpd violates the RFC and
thus constrains
 the PORT command to non-reserved  ports  and
requires it
             use  the  same source address as the connection came
from.  This
             prevents the "FTP bounce attack" against services on
both the local
 machine and other local machines.

     -S       With this option set, ftpd logs all anonymous downloads to the
             file /var/log/ftpd when this file exists.

     -T maxtimeout
             A client may also request a different timeout  period; the maximum
             period allowed may be set to maxtimeout seconds with
the -T option.
  The default limit is 2 hours.

     -t timeout
             The inactivity timeout period is set to timeout seconds (the default
 is 15 minutes).

     -U      Each concurrent ftp(1) session is logged to the file
             /var/run/utmp, making them visible to commands  such
as who(1).

     -u mask
             Force  the  umask  to  mask,  instead of the default
specified in
             /etc/login.conf  (usually  022).    Also   disallows

     The file /etc/nologin can be used to disable ftp access.  If
the file exists,
 ftpd displays it and exits.  Note:  this  method  will
disable all
     non-root  logins;  see login(1) for further details.  If the
     /etc/ftpwelcome exists, ftpd prints it  before  issuing  the
``ready'' message.
   If  the  welcome file exists (/etc/motd by default),
ftpd prints it
     after a successful login.  If the file .message exists in  a
     ftpd prints it when that directory is entered.

     The  ftp  server  currently  supports  the following ftp requests.  The case
     of the requests is ignored.

           Request    Description
           ABOR       abort previous command
           ACCT       specify account (not implemented)
           ALLO       allocate storage (vacuously)
           APPE       append to a file
           CDUP       change to parent of current working  directory
           CWD        change working directory
           DELE       delete a file
           EPRT       specify data connection port
           EPSV       prepare for server-to-server transfer
           HELP       give help information
           LIST       give list of files in a directory (ls -lgA)
           LPRT       specify data connection port
           LPSV       prepare for server-to-server transfer
           MDTM       show last modification time of file
           MKD        make a directory
           MODE       specify data transfer mode
           NLST       give name list of files in directory
           NOOP       do nothing
           PASS       specify password
           PASV       prepare for server-to-server transfer
           PORT       specify data connection port
           PWD        print the current working directory
           QUIT       terminate session
           REIN       reinitialize (not implemented)
           REST       restart incomplete transfer
           RETR       retrieve a file
           RMD        remove a directory
           RNFR       specify rename-from file name
           RNTO       specify rename-to file name
           SITE       non-standard commands (see next section)
           SIZE       return size of file
           SMNT       structure mount (not implemented)
           STAT       return status of server
           STOR       store a file
           STOU       store a file with a unique name
           STRU       specify data transfer structure
           SYST       show operating system type of server system
           TYPE       specify data transfer type
           USER       specify user name; not valid after login
           XCUP        change to parent of current working directory (deprec.)
           XCWD       change working directory (deprecated)
           XMKD       make a directory (deprecated)
           XPWD       print the current working directory (deprecated)
           XRMD       remove a directory (deprecated)

     The  following  non-standard  or  UNIX specific commands are
supported by the
     SITE request:

           Request    Description
           CHMOD      change mode of a file, e.g., SITE CHMOD 755
           HELP       give help information
           IDLE       set idle-timer, e.g., SITE IDLE 60
           UMASK      change umask, e.g., SITE UMASK 002

     The remaining ftp requests specified in Internet RFC 959 are
     but not implemented.  MDTM and SIZE are not specified in RFC
959, but
     will appear in the next updated FTP RFC.

     The  ftp server will abort an active file transfer only when
the ABOR command
 is preceded by a Telnet "Interrupt Process" (IP) signal
and a Telnet
     "Synch" signal in the command Telnet stream, as described in
Internet RFC
     959.  If a STAT command is received during a data  transfer,
preceded by a
     Telnet IP and Synch, transfer status will be returned.

     ftpd  interprets  file  names  according to the ``globbing''
conventions used
     by csh(1).  This allows users to utilize the  metacharacters

     ftpd  authenticates  users  by using the service and type of
ftp, as defined
     in the /etc/login.conf file (see login.conf(5)).  An authentication style
     may  be  specified by appending with a colon (`:') following
the authentication
 style, i.e. ``joe:skey''.  The allowed authentication
styles for
     ftpd  may  be explicitly specified by the ``auth-ftp'' entry

     ftpd authenticates users according to five rules.

           1.   The login name must be in the  password  database
and not have a
                null  password.   In this case a password must be
provided by
                the client before any file operations may be performed.

           2.    The  login  name  must  not  appear  in the file

           3.   The user must have a standard shell as  described
by shells(5).

           4.     If   the   user   name   appears  in  the  file
/etc/ftpchroot, the session's
 root will be changed to the  user's  login
directory by
                chroot(2)  as for an ``anonymous'' or ``ftp'' account (see next
                item).  However, the user  must  still  supply  a
password.  This
                feature  is  intended  as  a compromise between a
fully anonymous
                account and a fully privileged account.  The  account should
                also be set up as for an anonymous account.

           5.    If the user name is ``anonymous'' or ``ftp'', an
anonymous ftp
                account must be present in the password file (user ``ftp'').
                In  this  case  the  user is allowed to log in by
specifying any
                password (by convention an email address for  the
user should
                be used as the password).

     Once  a  user  is authenticated the user must be approved by
any approval
     script defined (see login.conf(5)).   If  a  valid  approval
script (by either
  :approve=...:  or  :approve-ftp=...:  for  the  user's
class) is defined
     then it is run and must exit  with  a  0  (success)  status.
When ftpd is
     running  under  the -D flag (and debugging is not turned on)
then the approval
 script will be called with  at  least  the  following
variables specified
  via  the  -v option (see login.conf(5)) to the approve

           Variable    Description
           FTPD_HOST   The server's (virtual) hostname

     For example (the line is broken to fit the page):

           /usr/libexec/auth/approve_ftpd  -v   FTPD_HOST=ftp.mycompany.com                    username class service

     When  the  user  logs  in to the anonymous ftp account, ftpd
takes special
     measures to restrict the client's  access  privileges.   The
server performs
     a  chroot(2)  to the home directory of the ``ftp'' user.  In
order that
     system security is not breached, it is recommended that  the
``ftp'' subtree
 be constructed with care, following these rules:

           ~ftp       Make  the  home directory owned by ``root''
and unwritable
                     by anyone (mode 555).

           ~ftp/bin  Make this directory owned  by  ``root''  and
unwritable by
                     anyone  (mode  511).   This directory is optional unless you
                     have commands you wish the anonymous ftp user to be able
                     to run (the ls(1) command exists as a builtin).  Any
                     programs in this directory  should  be  mode
111 (executable

           ~ftp/etc   Make  this  directory owned by ``root'' and
unwritable by
                     anyone (mode 511).  The  files  pwd.db  (see
                     and  group(5)  must be present for the ls(1)
command to be
                     able to produce owner names rather than numbers.  The
                     password  field  in  pwd.db is not used, and
should not contain
 real passwords.  The file motd, if present, will be
                     printed  after  a  successful  login.  These
files should be
                     mode 444.

           ~ftp/pub  Make this directory mode 555  and  owned  by
``root''.  This
                     is  traditionally  where publicly accessible
files are
                     stored for download.

     If logging to the /var/log/ftpd file is enabled, information
will be
     written in the following format:

           time             The time and date of the download, in
ctime(3) format.

           elapsed time    The elapsed time, in seconds.
           remote host     The remote host (or IP number).
           bytes           The number of bytes transferred.
           path            The full path (relative to the ftp chroot space) of
                           the file transferred.
           type             The  type of transfer; either `a' for
ASCII or `b'
                           for binary.
           unused          Unused field  containing  a  `*',  for
           unused           Unused  field  containing an `o', for
           user type       The  type  of  user;  either  `a'  for
anonymous or `r'
                           for  a  real  user  (should  always be
           name            Either a system login name or the value given for
                           ``email  address'' if an anonymous user.
           unused          Unused field  containing  a  `0',  for
           real  name        The system login name if the connection is not
                           anonymous, or a `*' if it is.

     Although fields exist for logging information on real users,
this file is
     only used for anonymous downloads.  Unused fields exist only
for compatibility
 with other ftpd implementations.


     The ftpd daemon uses the following ftp specific parameters:

     auth-ftp    The list of authentication  types  available  to
this class.
                 See login.conf(5).

     ftp-chroot   A  boolean  value.  If set, users in this class
will be automatically
 chrooted to the user's login  directory.

     ftp-dir     A path to a directory.  This value overrides the
login directory
 for users in this class.  A  leading  tilde
(`~') in ftp-
                 dir will be expanded to the user's home directory based on
                 the contents of the password database.

     welcome     The path of the file containing the welcome message.  If this
                 variable is not set, /etc/motd is used.

PORT ALLOCATION    [Toc]    [Back]

     For  passive  mode  data  connections, ftpd will listen to a
random high TCP
     port.  The interval of ports  used  are  configurable  using
sysctl(8) variables
 net.inet.ip.porthifirst and net.inet.ip.porthilast.

FILES    [Toc]    [Back]

     /etc/ftpchroot      list  of  normal users who should be chrooted
     /etc/ftpusers      list of unwelcome/restricted users
     /etc/ftpwelcome    welcome notice
     /etc/login.conf    authentication styles
     /etc/motd          printed after a successful login
     /etc/nologin       displayed and access refused
     /var/log/ftpd      log file for anonymous downloads
     /var/run/ftpd.pid  process ID if running in daemon mode
     /var/run/utmp      list of users on the system

SEE ALSO    [Toc]    [Back]

     ftp(1),  login(1),  skey(1),  who(1),  chroot(2),  ctime(3),
     login.conf(5),   motd(5),   services(5),   shells(5),   ftpproxy(8), inetd(8),
     pwd_mkdb(8), sysctl(8), syslogd(8)

HISTORY    [Toc]    [Back]

     The ftpd command appeared in 4.2BSD.

BUGS    [Toc]    [Back]

     The server must run as the superuser to create sockets  with
     port  numbers.   It  maintains  an  effective user ID of the
logged in user,
     reverting to the superuser only when  binding  addresses  to
sockets.  The
     possible  security  holes have been extensively scrutinized,
but are possibly

OpenBSD     3.6                           June      18,      1996
[ Back ]
 Similar pages
Name OS Title
ftpd HP-UX DARPA Internet File Transfer Protocol server
ftp-proxy OpenBSD Internet File Transfer Protocol proxy server
tftpd IRIX internet Trivial File Transfer Protocol server
tftpd FreeBSD Internet Trivial File Transfer Protocol server
tftpd HP-UX trivial file transfer protocol server
tftpd OpenBSD DARPA Trivial File Transfer Protocol server
tftpd Tru64 The DARPA Trivial File Transfer Protocol (TFTP) server
ftpd Tru64 The File Transfer Protocol server daemon, including anonymous service
httpd OpenBSD Apache Hypertext Transfer Protocol Server
telnetd IRIX internet TELNET protocol server
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service