tnftpd [-46DdHlQqrsUuWwX] [-a anondir] [-C user] [-c confdir] [-e emailaddr] [-h hostname] [-L xferlogfile] [-P dataport] [-V version]
tnftpd is the Internet File Transfer Protocol server process. The server uses the TCP protocol and
listens at the port specified in the ftp
service specification; see services(5).
-a anondir |
if /etc/nologin
exists, tnftpd displays it and exits.
If /etc/ftpwelcome
exists, tnftpd displays it before issuing the ready
message.
If /etc/motd
exists (under the chroot directory if applicable), tnftpd displays it after login.
This may be changed with the ftpd.conf(5) directive motd.
HELP give help information
STAT return status of server
USER specify user name
PASS specify password
ACCT specify account (ignored)
LIST list files in a directory (
| RETR retrieve a file APPE append to a file STOR store a file STOU store a file with a unique name REST restart incomplete transfer RNFR specify rename-from file name RNTO specify rename-to file name DELE delete a file MKD make a directory RMD remove a directory ABOR abort previous command STRU specify data transfer structure ALLO allocate storage (vacuously) SYST show operating system type of server system TYPE specify data transfer type NOOP do nothing EPRT specify data connection port LPRT specify data connection port PORT specify data connection port OPTS define persistent options for a given command QUIT terminate session XCUP change to parent of current working directory (deprecated) XCWD change working directory (deprecated) XMKD make a directory (deprecated) XPWD print the current working directory (deprecated) XRMD remove a directory (deprecated) |
SITE non-standard commands (see next section) |
These requests (as specified in RFC 959) are recognized, but are not implemented: ACCT, SMNT, and REIN.
MDTM
and SIZE
are not specified in RFC 959, but will appear in the next updated FTP RFC.
The tnftpd server will abort an active file transfer only when the ABOR command is preceded by a Telnet
"Interrupt Process" (IP) signal and a Telnet "Synch" signal in the command Telnet stream, as described
in Internet RFC 959.
If a STAT command is received during a data transfer, preceded by a Telnet IP and Synch, transfer status will be returned.
tnftpd interprets file names according to the globbing
conventions used by csh(1).
This allows users to use the metacharacters * ? [ ] { } ~
.
User authentication:
tnftpd authenticates users according to rules.
anonymous
or ftp
, an anonymous FTP account must be present in
the password file (user ftp
). In this case the user is allowed to log in by specifying
any password (by convention an email address for the user should be used as the password).
The server performs a chroot(2) to the directory specified in the ftpd.conf(5) chroot directive (if set), the -a anondir directory (if set), or to the home directory of the ftp
user.
The server then performs a chdir(2) to the directory specified in the ftpd.conf(5) homedir directive (if set), otherwise to /.
If other restrictions are required (such as disabling of certain commands and the setting of a specific umask), then appropriate entries in ftpd.conf(5) are required.
If the first character of the password supplied by an anonymous user is -
, then the verbose messages displayed at login and upon a CWD command are suppressed.
/etc/ftpwelcome
and /etc/motd
),
escape strings are replaced
Escape Description %R Remote hostname. %c Class name. %T Current time. %U User name. %C Current working directory. %L Local hostname. %E Email address given with -e. %M Maximum number of users for this class. Displaysunlimited
if there's no limit. %N Current number of users for this class. %ss
if result of the most recent%M
or%N
was not 1. %SS
for use in "There are %N user%s currently logged in". %% A%
character.
ftp
and
chroot
accounts be constructed with care, following these rules (replace ftp
in the following
directory names with the appropriate account name for `chroot' users):
~ftp Make the home directory owned by root
and unwritable by anyone.
~ftp/bin Make this directory owned by root
and unwritable by anyone (mode 555). Gener
ally any conversion commands should be installed here (mode 111).
~ftp/etc Make this directory owned by root
and unwritable by anyone (mode 555). The
files pwd.db (see passwd(5)) and group (see group(5)) must be present for the LIST
command to be able to display owner and group names instead of numbers.
The password field in passwd(5) is not used, and should not contain real passwords. The
file motd, if present, will be printed after a successful login. These files
should be mode 444.
~ftp/pub This directory and the subdirectories beneath it should be owned by the users and groups responsible for placing files in them, and be writable only by them (mode 755 or 775). They should not be owned or writable by ftp or its group.
~ftp/incoming This directory is where anonymous users place files they upload. The owners
should be the user ftp
and an appropriate group. Members of this group will
be the only users with access to these files after they have been uploaded; these
should be people who know how to deal with them appropriately.
If you wish anonymous FTP users to be able to see the names of the files in this directory
the permissions should be 770, otherwise they should be 370.
The following ftpd.conf(5) directives should be used:
modify guest off umask guest 0707 upload guest on
This will result in anonymous users being able to upload files to this directory, but they will not be able to download them, delete them, or overwrite them, due to the umask and disabling of the commands mentioned above.
~ftp/tmp This directory is used to create temporary files which contain the error messages
generated by a conversion or LIST command. The owner should be the user ftp
.
The permissions should be 300.
If you don't enable conversion commands, or don't want anonymous users uploading files here (see ~ftp/incoming above), then don't create this directory. However, error messages from conversion or LIST commands won't be returned to the user. (This is the traditional behaviour.) Note that the ftpd.conf(5) directive upload can be used to prevent users uploading here.
To set up "ftp-only" accounts that provide only FTP, but no valid shell login, you can copy/link /sbin/nologin to /sbin/ftplogin, and enter /sbin/ftplogin to /etc/shells to allow logging-in via FTP into the accounts, which must have /sbin/ftplogin as login shell.
/etc/ftpchroot List of normal users whose root directory should be changed via chroot(2). /etc/ftpd.conf Configure file conversions and other settings. /etc/ftpusers List of unwelcome/restricted users. /etc/ftpwelcome Welcome notice before login. /etc/motd Welcome notice after login. /etc/nologin If it exists, displayed and access is refused. /var/run/ftpd.pids-CLASS State file of logged-in processes for the tnftpd class `CLASS'. /var/run/utmp List of logged-in users on the system. /var/log/wtmp Login history database.
SEE ALSO ftp(1), skey(1), who(1), getusershell(3), ftpchroot(5), ftpd.conf(5), ftpusers(5), syslogd(8)
STANDARDS tnftpd recognizes all commands in RFC 959, follows the guidelines in RFC 1123, recognizes all commands in RFC 2228 (although they are not supported yet), and supports the extensions from RFC 2389, RFC 2428 and draft-ietf-ftpext-mlst-11.
HISTORY The tnftpd command appeared in 4.2BSD.
Various features such as the ftpd.conf(5) functionality, RFC 2389, and draft-ietf-ftpext-mlst-11 support was implemented in NetBSD 1.3 and later releases by Luke Mewburn.
BUGS The server must run as the super-user to create sockets with privileged port numbers (i.e, those less than IPPORT_RESERVED, which is 1024). If tnftpd is listening on a privileged port it maintains an effective user id of the logged in user, reverting to the super-user only when binding addresses to privileged sockets. The -r option can be used to override this behaviour and force privileges to be permanently revoked; see SECURITY CONSIDERATIONS below for more details.
tnftpd may have trouble handling connections from scoped IPv6 addresses, or IPv4 mapped addresses (IPv4 connection on AF_INET6 socket). For the latter case, running two daemons, one for IPv4 and one for IPv6, will avoid the problem.
checkportcmd
feature of the
ftpd.conf(5), PORT commands with different host addresses, or TCP ports lower than IPPORT_RESERVED will
be rejected. This also prevents `third-party proxy ftp' from working. Use of this option is strongly
recommended, and enabled by default.
By default tnftpd uses a port that is one less than the port it is listening on to communicate back to the client for the EPRT, LPRT, and PORT commands, unless overridden with -P dataport. As the default port for tnftpd (21) is a privileged port below IPPORT_RESERVED, tnftpd retains the ability to switch back to root privileges to bind these ports. In order to increase security by reducing the potential for a bug in tnftpd providing a remote root compromise, tnftpd will permanently drop root privileges if one of the following is true:
1. tnftpd is running on a port greater than IPPORT_RESERVED and the user has logged in as a `guest' or `chroot' user.
2. tnftpd was invoked with -r.
Don't create ~ftp/tmp if you don't want anonymous users to upload files there. That directory is only necessary if you want to display the error messages of conversion commands to the user. Note that if uploads are disabled with the ftpd.conf(5) directive upload, then this directory cannot be abused by the user in this way, so it should be safe to create.
ftpd.conf -- tnftpd(8) configuration file applied once a user has authenticated their connection. ftpd.conf consists of a series of lines, each of which may contain a configuration directive, a comment, or a blank line. Directives that appear later in the file override settings by previous directives. This allows `wildcard' entries to define defaults, and then have class-specific overrides. A directive line has the format: command class [arguments] A ``\'' is the escape character; it can be used to escape the meaning of the comment character, or if it is the last character on a line, extends a configuration directive across multiple lines. A ``#'' is the comment character, and all characters from it to the end of line are ignored (unless it is escaped with the escape character). Each authenticated user is a member of a class, which is determined by ftpusers(5). class is used to determine which ftpd.conf entries apply to the user. The following special classes exist when parsing entries in ftpd.conf: all Matches any class. none Matches no class. Each class has a type, which may be one of: GUEST Guests (as per the ``anonymous'' and ``ftp'' logins). A chroot(2) is performed after login. CHROOT chroot(2)ed users (as per ftpchroot(5)). A chroot(2) is performed after login. REAL Normal users. The tnftpd(8) STAT command will return the class settings for the current user as defined by ftpd.conf, unless the private directive is set for the class. Each configuration line may be one of: advertize class [host] Set the address to advertise in the response to the PASV and LPSV commands to the address for host (which may be either a host name or IP address). This may be useful in some firewall configurations, although many ftp clients may not work if the address being advertised is different to the address that they've connected to. If class is ``none'' or host not is specified, disable this. checkportcmd class [off] Check the PORT command for validity. The PORT command will fail if the IP address specified does not match the FTP command connection, or if the remote TCP port number is less than IPPORT_RESERVED. It is strongly encouraged that this option be used, especially for sites concerned with potential security problems with FTP bounce attacks. If class is ``none'' or off is specified, disable this feature, otherwise enable it. chroot class [pathformat] If pathformat is not specified or class is ``none'', use the default behavior (see below). Otherwise, pathformat is parsed to create a directory to create as the root directory with chroot(2) into upon login. pathformat can contain the following escape strings: Escape Description %c Class name. %d Home directory of user. %u User name. %% A ``%'' character. The default root directory is: CHROOT The user's home directory. GUEST If -a anondir is specified, use anondir, otherwise the home directory of the `ftp' user. REAL By default no chroot(2) is performed. classtype class type Set the class type of class to type (see above). conversion class suffix [type disable command] Define an automatic in-line file conversion. If a file to retrieve ends in suffix, and a real file (sans suffix) exists, then the output of command is returned instead of the contents of the file. suffix The suffix to initiate the conversion. type A list of valid file types for the conversion. Valid types are: `f' (file), and `d' (directory). disable The name of file that will prevent conversion if it exists. A file name of ``.'' will prevent this disabling action (i.e., the conversion is always permitted.) command The command to run for the conversion. The first word should be the full path name of the command, as execv(3) is used to execute the command. All instances of the word ``%s'' in command are replaced with the requested file (sans suffix). Conversion directives specified later in the file override earlier conversions with the same suffix. denyquick class [off] Enforce ftpusers(5) rules after the USER command is received, rather than after the PASS command is received. Whilst enabling this feature may allow information leakage about available accounts (for example, if you allow some users of a REAL or CHROOT class but not others), it is useful in preventing a denied user (such as `root') from entering their password across an insecure connection. This option is strongly recommended for servers which run an anonymous-only service. If class is ``none'' or off is specified, disable this feature, otherwise enable it. display class [file] If file is not specified or class is ``none'', disable this. Otherwise, each time the user enters a new directory, check if file exists, and if so, display its contents to the user. Escape sequences are supported; refer to Display file escape sequences in tnftpd(8) for more information. hidesymlinks class [off] If class is ``none'' or off is specified, disable this feature. Otherwise, the LIST command lists symbolic links as the file or directory the link references (``ls -LlA''). Servers which run an anonymous service may wish to enable this feature for GUEST users, so that symbolic links do not leak names in directories that are not searchable by GUEST users. homedir class [pathformat] If pathformat is not specified or class is ``none'', use the default behavior (see below). Otherwise, pathformat is parsed to create a directory to change into upon login, and to use as the `home' directory of the user for tilde expansion in pathnames, etc. pathformat is parsed as per the chroot directive. The default home directory is the home directory of the user for REAL users, and / for GUEST and CHROOT users. limit class [count [file]] Limit the maximum number of concurrent connections for class to count, with `-1' meaning unlimited connections. If the limit is exceeded and file is specified, display its contents to the user. If class is ``none'' or count is not specified, disable this. If file is a relative path, it will be searched for in /private/etc (which can be overridden with -c confdir). maxfilesize class [size] Set the maximum size of an uploaded file to size, with `-1' meaning unlimited connections. If class is ``none'' or size is not specified, disable this. maxtimeout class [time] Set the maximum timeout period that a client may request, defaulting to two hours. This cannot be less than 30 seconds, or the value for timeout. If class is ``none'' or time is not specified, use the default. mmapsize class [size] Set the size of the sliding window to map a file using mmap(2). If zero, tnftpd(8) will use read(2) instead. The default is zero. This option affects only binary transfers. If class is ``none'' or size is not specified, use the default. modify class [off] If class is ``none'' or off is specified, disable the following commands: CHMOD, DELE, MKD, RMD, RNFR, and UMASK. Otherwise, enable them. motd class [file] If file is not specified or class is ``none'', disable this. Otherwise, use file as the message of the day file to display after login. Escape sequences are supported; refer to Display file escape sequences in tnftpd(8) for more information. If file is a relative path, it will be searched for in /private/etc (which can be overridden with -c confdir). notify class [fileglob] If fileglob is not specified or class is ``none'', disable this. Otherwise, each time the user enters a new directory, notify the user of any files matching fileglob. passive class [off] If class is ``none'' or off is specified, prevent passive (PASV, LPSV, and EPSV) connections. Otherwise, enable them. portrange class [min max] Set the range of port number which will be used for the passive data port. max must be greater than min, and both numbers must be be between IPPORT_RESERVED (1024) and 65535. If class is ``none'' or no arguments are specified, disable this. private class [off] If class is ``none'' or off is specified, do not display class information in the output of the STAT command. Otherwise, display the information. rateget class [rate] Set the maximum get (RETR) transfer rate throttle for class to rate bytes per second. If rate is 0, the throttle is disabled. If class is ``none'' or rate is not specified, disable this. rateput class [rate] Set the maximum put (STOR) transfer rate throttle for class to rate bytes per second. If rate is 0, the throttle is disabled. If class is ``none'' or rate is not specified, disable this. readsize class [size] Set the size of the read buffer to read(2) a file. The default is the file system block size. This option affects only binary transfers. If class is ``none'' or size is not specified, use the default. recvbufsize class [size] Set the size of the socket receive buffer. The default is zero and the system default value will be used. This option affects only passive transfers. If class is ``none'' or size is not specified, use the default. sanenames class [off] If class is ``none'' or off is specified, allow uploaded file names to contain any characters valid for a file name. Otherwise, only permit file names which don't start with a `.' and only comprise of characters from the set ``[-+,._A-Za-z0-9]''. sendbufsize class [size] Set the size of the socket send buffer. The default is zero and the system default value will be used. This option affects only binary transfers. If class is ``none'' or size is not specified, use the default. sendlowat class [size] Set the low water mark of socket send buffer. The default is zero and system default value will be used. This option affects only for binary transfer. If class is ``none'' or size is not specified, use the default. template class [refclass] Define refclass as the `template' for class; any reference to refclass in following directives will also apply to members of class. This is useful to define a template class so that other classes which are to share common attributes can be easily defined without unnecessary duplication. There can be only one template defined at a time. If refclass is not specified, disable the template for class. timeout class [time] Set the inactivity timeout period. (the default is fifteen minutes). This cannot be less than 30 seconds, or greater than the value for maxtimeout. If class is ``none'' or time is not specified, use the default. umask class [umaskval] Set the umask to umaskval. If class is ``none'' or umaskval is not specified, set to the default of 027. upload class [off] If class is ``none'' or off is specified, disable the following commands: APPE, STOR, and STOU, as well as the modify commands: CHMOD, DELE, MKD, RMD, RNFR, and UMASK. Otherwise, enable them. writesize class [size] Limit the number of bytes to write(2) at a time. The default is zero, which means all the data available as a result of mmap(2) or read(2) will be written at a time. This option affects only binary transfers. If class is ``none'' or size is not specified, use the default. Numeric argument suffix parsing Where command arguments are numeric, a decimal number is expected. Two or more numbers may be separated by an ``x'' to indicate a product. Each number may have one of the following optional suffixes: b Block; multiply by 512 k Kibi; multiply by 1024 (1 KiB) m Mebi; multiply by 1048576 (1 MiB) g Gibi; multiply by 1073741824 (1 GiB) t Tebi; multiply by 1099511627776 (1 TiB) w Word; multiply by the number of bytes in an integer See strsuftoll(3) for more information. DEFAULTS The following defaults are used: checkportcmd all classtype chroot CHROOT classtype guest GUEST classtype real REAL display none limit all -1 # unlimited connections maxtimeout all 7200 # 2 hours modify all motd all motd notify none passive all timeout all 900 # 15 minutes umask all 027 upload all modify guest off umask guest 0707 FILES /private/etc/ftpd.conf This file. /usr/share/examples/tnftpd/ftpd.conf A sample ftpd.conf file.