tnftpd -- Internet File Transfer Protocol server

     tnftpd [-46DdHlQqrsUuWwX] [-a anondir] [-C user] [-c confdir] [-e emailaddr] [-h hostname]
            [-L xferlogfile] [-P dataport] [-V version]

tnftpd is the Internet File Transfer Protocol server process. The server uses the TCP protocol and listens at the port specified in the ftp service specification; see services(5).

-a anondir the directory to chroot(2) into for anonymous logins. Default is the home directory for the ftp user. This can also be specified with the ftpd.conf(5) chroot directive.
-C user Check whether user would be granted access under the restrictions given in ftpusers(5) and exit without attempting a connection. tnftpd exits with an exit code of 0 if access would be granted, or 1 otherwise. This can be useful for testing configurations.
-c confdir Change the root directory of the configuration files from /etc to confdir. This changes the directory for the following files: /etc/ftpchroot, /etc/ftpusers, /etc/ftpwelcome, /etc/motd, and the file specified by the ftpd.conf(5) limit directive.
-D Run as daemon, listens on the default FTP port for incoming connections and fork a child for each connection. This is lower overhead than starting tnftpd from inetd(8) and thus might be useful on busy servers to reduce load.
-4 with -D bind to IPv4 addresses only.
-6 with -D bind to IPv6 addresses only.
-d Debugging information is written to the syslog using a facility of LOG_FTP.
-e emailaddr Use emailaddr for the %E escape sequence (see Display file escape sequences)
-h hostname Explicitly set the hostname to advertise as to hostname. The default is the hostname associated with the IP address that tnftpd is listening on. This ability (with or without -h), in conjunction with -c confdir, is useful when configuring `virtual' FTP servers, each listening on separate addresses as separate names.
Refer to inetd.conf information on starting services to listen on specific IP addresses.
-H Equivalent to -h `hostname`.
-L xferlogfile Log wu-ftpd style `xferlog' entries to xferlogfile.
-l sessions are logged using syslog with a facility of LOG_FTP.
If specified more than once, retrieve (get), store (put), append, delete, make directory, remove directory and rename operations and their file name arguments are also logged.
-P dataport Use dataport as the data port, overriding the default of using the port one less that the port tnftpd is listening on.
-q Enable the use of pid files for keeping track of the number of logged-in users per class. This is the default.
-Q Disable the use of pid files for keeping track of the number of logged-in users per class.
May reduce the load on heavily loaded FTP servers.
-r Permanently drop root privileges once the user is logged in. The use of this option may result in the server using a port other than the (listening-port - 1) for PORT style commands, which is contrary to the RFC 959 specification, but in practice very few clients rely upon this b haviour. See SECURITY CONSIDERATIONS below for more details.
-s Require a secure authentication mechanism like Kerberos or S/Key.
-U Don't log each concurrent FTP session to /var/run/utmp. This is the default.
-u Log each concurrent FTP session to /var/run/utmp, making them visible to commands such as who.
-V version in the login banner and in the output of STAT and SYST instead of the default version information.
If version is empty or `-' then don't display any version information.
-W Don't log each FTP session to /var/log/wtmp.
-w Log each FTP session to /var/log/wtmp, making them visible to commands such as last(1). This is the default.
-X Log wu-ftpd style `xferlog' entries to the syslog, prefixed with xferlog: , using a facility of LOG_FTP. These syslog entries can be converted to a wu-ftpd style xferlog file suitable for input into a third-party log analysis tool with a command similar to:
                   grep 'xferlog: ' /var/log/xferlog | \
                      sed -e 's/^.*xferlog: //' > wuxferlog

if /etc/nologin exists, tnftpd displays it and exits.
If /etc/ftpwelcome exists, tnftpd displays it before issuing the ready message.
If /etc/motd exists (under the chroot directory if applicable), tnftpd displays it after login.
This may be changed with the ftpd.conf(5) directive motd.


HELP       give help information
STAT       return status of server

USER       specify user name
PASS       specify password
ACCT       specify account (ignored)

LIST       list files in a directory (ls -lA)
MLSD       list contents of directory in a machine-processable form
NLST       give name list of files in directory 
MLST       show a pathname in a machine-processable form
PWD        print(display) the current working directory
CDUP       change to parent of current working directory
CWD        change working directory

MDTM       show last modification time of file 
SIZE       return size of file

EPSV       prepare for server-to-server transfer
LPSV       prepare for server-to-server transfer
PASV       prepare for server-to-server transfer

MODE       specify data transfer mode 
RETR       retrieve a file
APPE       append to a file
STOR       store a file
STOU       store a file with a unique name
REST       restart incomplete transfer
RNFR       specify rename-from file name
RNTO       specify rename-to file name
DELE       delete a file 


MKD        make a directory
RMD        remove a directory

ABOR       abort previous command

STRU       specify data transfer structure
ALLO       allocate storage (vacuously)
SYST       show operating system type of server system
TYPE       specify data transfer type

NOOP       do nothing

EPRT       specify data connection port
LPRT       specify data connection port
PORT       specify data connection port

OPTS       define persistent options for a given command

QUIT       terminate session

XCUP       change to parent of current working directory (deprecated)
XCWD       change working directory (deprecated)
XMKD       make a directory (deprecated)
XPWD       print the current working directory (deprecated)
XRMD       remove a directory (deprecated)

SITE       non-standard commands (see next section)
    

non-standard commands supported by the SITE request.

Request Description CHMOD change mode of a file, e.g. SITE CHMOD 755 filename HELP give help information. IDLE set idle-timer, e.g. SITE IDLE 60 RATEGET set maximum get rate throttle in bytes/second, e.g. SITE RATEGET 5k RATEPUT set maximum put rate throttle in bytes/second, e.g. SITE RATEPUT 5k UMASK change umask, e.g. SITE UMASK 002 FEAT list extra features that are not defined in RFC 959

These requests (as specified in RFC 959) are recognized, but are not implemented: ACCT, SMNT, and REIN.
MDTM and SIZE are not specified in RFC 959, but will appear in the next updated FTP RFC.

The tnftpd server will abort an active file transfer only when the ABOR command is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet "Synch" signal in the command Telnet stream, as described in Internet RFC 959.
If a STAT command is received during a data transfer, preceded by a Telnet IP and Synch, transfer status will be returned.

tnftpd interprets file names according to the globbing conventions used by csh(1).
This allows users to use the metacharacters * ? [ ] { } ~.

User authentication:
tnftpd authenticates users according to rules.

  1. The login name must be in the system password data base and not have a null password.
    In this case a password must be provided by the client before any file operations may be performed.
    If the user has an S/Key key, the response from a successful USER command will include an S/Key challenge.
    The client may choose to respond with a PASS command giving either a standard password or an S/Key one-time password.
    The server will automatically determine which type of password it has been given and attempt to authenticate accordingly.
    See skey. S/Key is a Trademark of Bellcore.
  2. The login name must be allowed based on the information in ftpusers(5).
  3. The user must have a standard shell returned by getusershell(3). If the user's shell field in the password database is empty, the shell is assumed to be /bin/sh. As per shells(5), the user's shell must be listed with full path in /etc/shells.
  4. If directed by the file ftpchroot(5) the session's root directory will be changed by chroot(2) to the directory specified in the ftpd.conf(5) chroot directive (if set), or to the home directory of the user. However, the user must still supply a password. This feature is intended as a compromise between a fully anonymous account and a fully privileged account. The account should also be set up as for an anonymous account.
  5. If the user name is anonymous or ftp, an anonymous FTP account must be present in the password file (user ftp). In this case the user is allowed to log in by specifying any password (by convention an email address for the user should be used as the password).

The server performs a chroot(2) to the directory specified in the ftpd.conf(5) chroot directive (if set), the -a anondir directory (if set), or to the home directory of the ftp user.

The server then performs a chdir(2) to the directory specified in the ftpd.conf(5) homedir directive (if set), otherwise to /.

If other restrictions are required (such as disabling of certain commands and the setting of a specific umask), then appropriate entries in ftpd.conf(5) are required.

If the first character of the password supplied by an anonymous user is -, then the verbose messages displayed at login and upon a CWD command are suppressed.

Display file escape sequences

When tnftpd displays files to the client (such as /etc/ftpwelcome and /etc/motd), escape strings are replaced
           Escape  Description
           %R      Remote hostname.
           %c      Class name.
           %T      Current time.
           %U      User name.
           %C      Current working directory.
           %L      Local hostname.
           %E      Email address given with -e.
           %M      Maximum number of users for this class.  Displays unlimited if there's no limit.
           %N      Current number of users for this class.
           %s      s  if result of the most recent %M or %N was not 1.
           %S      S  for use in "There are %N user%s currently logged in".
           %%      A % character.

Setting up a restricted ftp subtree

In order that system security is not breached, it is recommended that the subtrees for the ftp and chroot accounts be constructed with care, following these rules (replace ftp in the following directory names with the appropriate account name for `chroot' users):

~ftp Make the home directory owned by root and unwritable by anyone.

~ftp/bin Make this directory owned by root and unwritable by anyone (mode 555). Gener ally any conversion commands should be installed here (mode 111).

~ftp/etc Make this directory owned by root and unwritable by anyone (mode 555). The files pwd.db (see passwd(5)) and group (see group(5)) must be present for the LIST command to be able to display owner and group names instead of numbers.
The password field in passwd(5) is not used, and should not contain real passwords. The file motd, if present, will be printed after a successful login. These files should be mode 444.

~ftp/pub This directory and the subdirectories beneath it should be owned by the users and groups responsible for placing files in them, and be writable only by them (mode 755 or 775). They should not be owned or writable by ftp or its group.

~ftp/incoming This directory is where anonymous users place files they upload. The owners should be the user ftp and an appropriate group. Members of this group will be the only users with access to these files after they have been uploaded; these should be people who know how to deal with them appropriately. If you wish anonymous FTP users to be able to see the names of the files in this directory the permissions should be 770, otherwise they should be 370.

The following ftpd.conf(5) directives should be used:

         modify guest off
                                umask  guest 0707
                                upload guest on

This will result in anonymous users being able to upload files to this directory, but they will not be able to download them, delete them, or overwrite them, due to the umask and disabling of the commands mentioned above.

~ftp/tmp This directory is used to create temporary files which contain the error messages generated by a conversion or LIST command. The owner should be the user ftp. The permissions should be 300.

If you don't enable conversion commands, or don't want anonymous users uploading files here (see ~ftp/incoming above), then don't create this directory. However, error messages from conversion or LIST commands won't be returned to the user. (This is the traditional behaviour.) Note that the ftpd.conf(5) directive upload can be used to prevent users uploading here.

To set up "ftp-only" accounts that provide only FTP, but no valid shell login, you can copy/link /sbin/nologin to /sbin/ftplogin, and enter /sbin/ftplogin to /etc/shells to allow logging-in via FTP into the accounts, which must have /sbin/ftplogin as login shell.

FILES

     /etc/ftpchroot   List of normal users whose root directory should be changed via chroot(2).
     /etc/ftpd.conf   Configure file conversions and other settings.
     /etc/ftpusers    List of unwelcome/restricted users.
     /etc/ftpwelcome  Welcome notice before login.
     /etc/motd        Welcome notice after login.
     /etc/nologin     If it exists, displayed and access is refused.
     /var/run/ftpd.pids-CLASS State file of logged-in processes for the tnftpd class `CLASS'.
     /var/run/utmp    List of logged-in users on the system.
     /var/log/wtmp    Login history database.

SEE ALSO ftp(1), skey(1), who(1), getusershell(3), ftpchroot(5), ftpd.conf(5), ftpusers(5), syslogd(8)

STANDARDS tnftpd recognizes all commands in RFC 959, follows the guidelines in RFC 1123, recognizes all commands in RFC 2228 (although they are not supported yet), and supports the extensions from RFC 2389, RFC 2428 and draft-ietf-ftpext-mlst-11.

HISTORY The tnftpd command appeared in 4.2BSD.

Various features such as the ftpd.conf(5) functionality, RFC 2389, and draft-ietf-ftpext-mlst-11 support was implemented in NetBSD 1.3 and later releases by Luke Mewburn.

BUGS The server must run as the super-user to create sockets with privileged port numbers (i.e, those less than IPPORT_RESERVED, which is 1024). If tnftpd is listening on a privileged port it maintains an effective user id of the logged in user, reverting to the super-user only when binding addresses to privileged sockets. The -r option can be used to override this behaviour and force privileges to be permanently revoked; see SECURITY CONSIDERATIONS below for more details.

tnftpd may have trouble handling connections from scoped IPv6 addresses, or IPv4 mapped addresses (IPv4 connection on AF_INET6 socket). For the latter case, running two daemons, one for IPv4 and one for IPv6, will avoid the problem.

SECURITY CONSIDERATIONS

RFC 959 provides no restrictions on the PORT command, and this can lead to security problems, as tnftpd can be fooled into connecting to any service on any host. With the checkportcmd feature of the ftpd.conf(5), PORT commands with different host addresses, or TCP ports lower than IPPORT_RESERVED will be rejected. This also prevents `third-party proxy ftp' from working. Use of this option is strongly recommended, and enabled by default.

By default tnftpd uses a port that is one less than the port it is listening on to communicate back to the client for the EPRT, LPRT, and PORT commands, unless overridden with -P dataport. As the default port for tnftpd (21) is a privileged port below IPPORT_RESERVED, tnftpd retains the ability to switch back to root privileges to bind these ports. In order to increase security by reducing the potential for a bug in tnftpd providing a remote root compromise, tnftpd will permanently drop root privileges if one of the following is true:

1. tnftpd is running on a port greater than IPPORT_RESERVED and the user has logged in as a `guest' or `chroot' user.

2. tnftpd was invoked with -r.

Don't create ~ftp/tmp if you don't want anonymous users to upload files there. That directory is only necessary if you want to display the error messages of conversion commands to the user. Note that if uploads are disabled with the ftpd.conf(5) directive upload, then this directory cannot be abused by the user in this way, so it should be safe to create.


     ftpd.conf -- tnftpd(8) configuration file

     applied once a user has authenticated their connection.

     ftpd.conf consists of a series of lines, each of which may contain a configuration directive, a comment, or a blank line.  Directives
     that appear later in the file override settings by previous directives.  This allows `wildcard' entries to define defaults, and then
     have class-specific overrides.

     A directive line has the format:
           command class [arguments]

     A ``\'' is the escape character; it can be used to escape the meaning of the comment character, or if it is the last character on a
     line, extends a configuration directive across multiple lines.  A ``#'' is the comment character, and all characters from it to the end
     of line are ignored (unless it is escaped with the escape character).

     Each authenticated user is a member of a class, which is determined by ftpusers(5).  class is used to determine which ftpd.conf entries
     apply to the user.  The following special classes exist when parsing entries in ftpd.conf:
           all     Matches any class.
           none    Matches no class.

     Each class has a type, which may be one of:

           GUEST   Guests (as per the ``anonymous'' and ``ftp'' logins).  A chroot(2) is performed after login.

           CHROOT  chroot(2)ed users (as per ftpchroot(5)).  A chroot(2) is performed after login.

           REAL    Normal users.

     The tnftpd(8) STAT command will return the class settings for the current user as defined by ftpd.conf, unless the private directive is
     set for the class.

     Each configuration line may be one of:

     advertize class [host]
           Set the address to advertise in the response to the PASV and LPSV commands to the address for host (which may be either a host
           name or IP address).  This may be useful in some firewall configurations, although many ftp clients may not work if the address
           being advertised is different to the address that they've connected to.  If class is ``none'' or host not is specified, disable
           this.

     checkportcmd class [off]
           Check the PORT command for validity.  The PORT command will fail if the IP address specified does not match the FTP command connection,
           or if the remote TCP port number is less than IPPORT_RESERVED.  It is strongly encouraged that this option be used,
           especially for sites concerned with potential security problems with FTP bounce attacks.  If class is ``none'' or off is specified,
           disable this feature, otherwise enable it.

     chroot class [pathformat]
           If pathformat is not specified or class is ``none'', use the default behavior (see below).  Otherwise, pathformat is parsed to
           create a directory to create as the root directory with chroot(2) into upon login.

           pathformat can contain the following escape strings:
                 Escape  Description
                 %c      Class name.
                 %d      Home directory of user.
                 %u      User name.
                 %%      A ``%'' character.

           The default root directory is:
                 CHROOT  The user's home directory.
                 GUEST   If -a anondir is specified, use anondir, otherwise the home directory of the `ftp' user.
                 REAL    By default no chroot(2) is performed.

     classtype class type
           Set the class type of class to type (see above).

     conversion class suffix [type disable command]
           Define an automatic in-line file conversion.  If a file to retrieve ends in suffix, and a real file (sans suffix) exists, then
           the output of command is returned instead of the contents of the file.

                 suffix   The suffix to initiate the conversion.

                 type     A list of valid file types for the conversion.  Valid types are: `f' (file), and `d' (directory).

                 disable  The name of file that will prevent conversion if it exists.  A file name of ``.'' will prevent this disabling
                          action (i.e., the conversion is always permitted.)

                 command  The command to run for the conversion.  The first word should be the full path name of the command, as execv(3) is
                          used to execute the command.  All instances of the word ``%s'' in command are replaced with the requested file
                          (sans suffix).

           Conversion directives specified later in the file override earlier conversions with the same suffix.

     denyquick class [off]
           Enforce ftpusers(5) rules after the USER command is received, rather than after the PASS command is received.  Whilst enabling
           this feature may allow information leakage about available accounts (for example, if you allow some users of a REAL or CHROOT
           class but not others), it is useful in preventing a denied user (such as `root') from entering their password across an insecure
           connection.  This option is strongly recommended for servers which run an anonymous-only service.  If class is ``none'' or off is
           specified, disable this feature, otherwise enable it.

     display class [file]
           If file is not specified or class is ``none'', disable this.  Otherwise, each time the user enters a new directory, check if file
           exists, and if so, display its contents to the user.  Escape sequences are supported; refer to Display file escape sequences in
           tnftpd(8) for more information.

     hidesymlinks class [off]
           If class is ``none'' or off is specified, disable this feature.  Otherwise, the LIST command lists symbolic links as the file or
           directory the link references (``ls -LlA'').  Servers which run an anonymous service may wish to enable this feature for GUEST
           users, so that symbolic links do not leak names in directories that are not searchable by GUEST users.

     homedir class [pathformat]
           If pathformat is not specified or class is ``none'', use the default behavior (see below).  Otherwise, pathformat is parsed to
           create a directory to change into upon login, and to use as the `home' directory of the user for tilde expansion in pathnames,
           etc.  pathformat is parsed as per the chroot directive.

           The default home directory is the home directory of the user for REAL users, and / for GUEST and CHROOT users.

     limit class [count [file]]
           Limit the maximum number of concurrent connections for class to count, with `-1' meaning unlimited connections.  If the limit is
           exceeded and file is specified, display its contents to the user.  If class is ``none'' or count is not specified, disable this.
           If file is a relative path, it will be searched for in /private/etc (which can be overridden with -c confdir).

     maxfilesize class [size]
           Set the maximum size of an uploaded file to size, with `-1' meaning unlimited connections.  If class is ``none'' or size is not
           specified, disable this.

     maxtimeout class [time]
           Set the maximum timeout period that a client may request, defaulting to two hours.  This cannot be less than 30 seconds, or the
           value for timeout.  If class is ``none'' or time is not specified, use the default.

     mmapsize class [size]
           Set the size of the sliding window to map a file using mmap(2).  If zero, tnftpd(8) will use read(2) instead.  The default is
           zero.  This option affects only binary transfers.  If class is ``none'' or size is not specified, use the default.

     modify class [off]
           If class is ``none'' or off is specified, disable the following commands: CHMOD, DELE, MKD, RMD, RNFR, and UMASK.  Otherwise,
           enable them.

     motd class [file]
           If file is not specified or class is ``none'', disable this.  Otherwise, use file as the message of the day file to display after
           login.  Escape sequences are supported; refer to Display file escape sequences in tnftpd(8) for more information.  If file is a
           relative path, it will be searched for in /private/etc (which can be overridden with -c confdir).

     notify class [fileglob]
           If fileglob is not specified or class is ``none'', disable this.  Otherwise, each time the user enters a new directory, notify
           the user of any files matching fileglob.

     passive class [off]
           If class is ``none'' or off is specified, prevent passive (PASV, LPSV, and EPSV) connections.  Otherwise, enable them.

     portrange class [min max]
           Set the range of port number which will be used for the passive data port.  max must be greater than min, and both numbers must
           be be between IPPORT_RESERVED (1024) and 65535.  If class is ``none'' or no arguments are specified, disable this.

     private class [off]
           If class is ``none'' or off is specified, do not display class information in the output of the STAT command.  Otherwise, display
           the information.

     rateget class [rate]
           Set the maximum get (RETR) transfer rate throttle for class to rate bytes per second.  If rate is 0, the throttle is disabled.
           If class is ``none'' or rate is not specified, disable this.

     rateput class [rate]
           Set the maximum put (STOR) transfer rate throttle for class to rate bytes per second.  If rate is 0, the throttle is disabled.
           If class is ``none'' or rate is not specified, disable this.

     readsize class [size]
           Set the size of the read buffer to read(2) a file.  The default is the file system block size.  This option affects only binary
           transfers.  If class is ``none'' or size is not specified, use the default.

     recvbufsize class [size]
           Set the size of the socket receive buffer.  The default is zero and the system default value will be used.  This option affects
           only passive transfers.  If class is ``none'' or size is not specified, use the default.

     sanenames class [off]
           If class is ``none'' or off is specified, allow uploaded file names to contain any characters valid for a file name.  Otherwise,
           only permit file names which don't start with a `.' and only comprise of characters from the set ``[-+,._A-Za-z0-9]''.

     sendbufsize class [size]
           Set the size of the socket send buffer.  The default is zero and the system default value will be used.  This option affects only
           binary transfers.  If class is ``none'' or size is not specified, use the default.

     sendlowat class [size]
           Set the low water mark of socket send buffer.  The default is zero and system default value will be used.  This option affects
           only for binary transfer.  If class is ``none'' or size is not specified, use the default.

     template class [refclass]
           Define refclass as the `template' for class; any reference to refclass in following directives will also apply to members of
           class.  This is useful to define a template class so that other classes which are to share common attributes can be easily
           defined without unnecessary duplication.  There can be only one template defined at a time.  
                If refclass is not specified, disable the template for class.

     timeout class [time]
           Set the inactivity timeout period.  (the default is fifteen minutes).  This cannot be less than 30 seconds, or greater than the
           value for maxtimeout.  If class is ``none'' or time is not specified, use the default.

     umask class [umaskval]
           Set the umask to umaskval.  If class is ``none'' or umaskval is not specified, set to the default of 027.

     upload class [off]
           If class is ``none'' or off is specified, disable the following commands: APPE, STOR, and STOU, as well as the modify commands:
           CHMOD, DELE, MKD, RMD, RNFR, and UMASK.  Otherwise, enable them.

     writesize class [size]
           Limit the number of bytes to write(2) at a time.  The default is zero, which means all the data available as a result of mmap(2)
           or read(2) will be written at a time.  This option affects only binary transfers.  If class is ``none'' or size is not specified,
           use the default.

   Numeric argument suffix parsing
     Where command arguments are numeric, a decimal number is expected.  Two or more numbers may be separated by an ``x'' to indicate a
     product.  Each number may have one of the following optional suffixes:
           b    Block; multiply by 512
           k    Kibi; multiply by 1024 (1 KiB)
           m    Mebi; multiply by 1048576 (1 MiB)
           g    Gibi; multiply by 1073741824 (1 GiB)
           t    Tebi; multiply by 1099511627776 (1 TiB)
           w    Word; multiply by the number of bytes in an integer

     See strsuftoll(3) for more information.

DEFAULTS
     The following defaults are used:

           checkportcmd  all
           classtype     chroot CHROOT
           classtype     guest  GUEST
           classtype     real   REAL
           display       none
           limit         all    -1     # unlimited connections
           maxtimeout    all    7200   # 2 hours
           modify        all
           motd          all    motd
           notify        none
           passive       all
           timeout       all    900    # 15 minutes
           umask         all    027
           upload        all
           modify        guest  off
           umask         guest  0707

FILES
     /private/etc/ftpd.conf                This file.
     /usr/share/examples/tnftpd/ftpd.conf  A sample ftpd.conf file.
877-640-5958 searchgreen.net 31243296 877-640-5958 support