mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-15 14:56:13 +01:00
474 lines
13 KiB
Groff
474 lines
13 KiB
Groff
|
.\" $NetBSD: ftpd.8,v 1.7 1995/04/11 02:44:53 cgd Exp $
|
||
|
.\"
|
||
|
.\" Copyright (c) 1985, 1988, 1991, 1993
|
||
|
.\" The Regents of the University of California. All rights reserved.
|
||
|
.\"
|
||
|
.\" Redistribution and use in source and binary forms, with or without
|
||
|
.\" modification, are permitted provided that the following conditions
|
||
|
.\" are met:
|
||
|
.\" 1. Redistributions of source code must retain the above copyright
|
||
|
.\" notice, this list of conditions and the following disclaimer.
|
||
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||
|
.\" notice, this list of conditions and the following disclaimer in the
|
||
|
.\" documentation and/or other materials provided with the distribution.
|
||
|
.\" 3. All advertising materials mentioning features or use of this software
|
||
|
.\" must display the following acknowledgement:
|
||
|
.\" This product includes software developed by the University of
|
||
|
.\" California, Berkeley and its contributors.
|
||
|
.\" 4. Neither the name of the University nor the names of its contributors
|
||
|
.\" may be used to endorse or promote products derived from this software
|
||
|
.\" without specific prior written permission.
|
||
|
.\"
|
||
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
||
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
||
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||
|
.\" SUCH DAMAGE.
|
||
|
.\"
|
||
|
.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94
|
||
|
.\"
|
||
|
.Dd April 19, 1997
|
||
|
.Dt FTPD 8
|
||
|
.Os BSD 4.2
|
||
|
.Sh NAME
|
||
|
.Nm ftpd
|
||
|
.Nd
|
||
|
Internet File Transfer Protocol server
|
||
|
.Sh SYNOPSIS
|
||
|
.Nm ftpd
|
||
|
.Op Fl a Ar authmode
|
||
|
.Op Fl dilv
|
||
|
.Op Fl g Ar umask
|
||
|
.Op Fl p Ar port
|
||
|
.Op Fl T Ar maxtimeout
|
||
|
.Op Fl t Ar timeout
|
||
|
.Op Fl u Ar default umask
|
||
|
.Sh DESCRIPTION
|
||
|
.Nm Ftpd
|
||
|
is the
|
||
|
Internet File Transfer Protocol
|
||
|
server process. The server uses the
|
||
|
.Tn TCP
|
||
|
protocol
|
||
|
and listens at the port specified in the
|
||
|
.Dq ftp
|
||
|
service specification; see
|
||
|
.Xr services 5 .
|
||
|
.Pp
|
||
|
Available options:
|
||
|
.Bl -tag -width Ds
|
||
|
.It Fl a
|
||
|
Select the level of authentication required. Kerberised login can not
|
||
|
be turned off. The default is to only allow kerberised login. Other
|
||
|
possibilities can be turned on by giving a string of comma separated
|
||
|
flags as argument to
|
||
|
.Fl a .
|
||
|
Recognised flags are:
|
||
|
.Bl -tag -width plain
|
||
|
.It Ar plain
|
||
|
Allow logging in with plaintext password. The password can be a(n) OTP
|
||
|
or an ordinary password.
|
||
|
.It Ar otp
|
||
|
Same as
|
||
|
.Ar plain ,
|
||
|
but only OTP is allowed.
|
||
|
.It Ar ftp
|
||
|
Allow anonymous login.
|
||
|
.El
|
||
|
|
||
|
The following combination modes exists for backwards compatibility:
|
||
|
.Bl -tag -width plain
|
||
|
.It Ar none
|
||
|
Same as
|
||
|
.Ar plain,ftp .
|
||
|
.It Ar safe
|
||
|
Same as
|
||
|
.Ar ftp .
|
||
|
.It Ar user
|
||
|
Ignored.
|
||
|
.El
|
||
|
.It Fl d
|
||
|
Debugging information is written to the syslog using LOG_FTP.
|
||
|
.It Fl g
|
||
|
Anonymous users will get a umask of
|
||
|
.Ar umask .
|
||
|
.It Fl i
|
||
|
Open a socket and wait for a connection. This is mainly used for
|
||
|
debugging when ftpd isn't started by inetd.
|
||
|
.It Fl l
|
||
|
Each successful and failed
|
||
|
.Xr ftp 1
|
||
|
session is logged using syslog with a facility of LOG_FTP.
|
||
|
If this option is specified twice, the retrieve (get), store (put), append,
|
||
|
delete, make directory, remove directory and rename operations and
|
||
|
their filename arguments are also logged.
|
||
|
.It Fl p
|
||
|
Use
|
||
|
.Ar port
|
||
|
(a service name or number) instead of the default
|
||
|
.Ar ftp/tcp .
|
||
|
.It Fl T
|
||
|
A client may also request a different timeout period;
|
||
|
the maximum period allowed may be set to
|
||
|
.Ar timeout
|
||
|
seconds with the
|
||
|
.Fl T
|
||
|
option.
|
||
|
The default limit is 2 hours.
|
||
|
.It Fl t
|
||
|
The inactivity timeout period is set to
|
||
|
.Ar timeout
|
||
|
seconds (the default is 15 minutes).
|
||
|
.It Fl u
|
||
|
Set the initial umask to something else than the default 027.
|
||
|
.It Fl v
|
||
|
Verbose mode.
|
||
|
.El
|
||
|
.Pp
|
||
|
The file
|
||
|
.Pa /etc/nologin
|
||
|
can be used to disable ftp access.
|
||
|
If the file exists,
|
||
|
.Nm
|
||
|
displays it and exits.
|
||
|
If the file
|
||
|
.Pa /etc/ftpwelcome
|
||
|
exists,
|
||
|
.Nm
|
||
|
prints it before issuing the
|
||
|
.Dq ready
|
||
|
message.
|
||
|
If the file
|
||
|
.Pa /etc/motd
|
||
|
exists,
|
||
|
.Nm
|
||
|
prints it after a successful login.
|
||
|
.Pp
|
||
|
The ftp server currently supports the following ftp requests.
|
||
|
The case of the requests is ignored.
|
||
|
.Bl -column "Request" -offset indent
|
||
|
.It Request Ta "Description"
|
||
|
.It ABOR Ta "abort previous command"
|
||
|
.It ACCT Ta "specify account (ignored)"
|
||
|
.It ALLO Ta "allocate storage (vacuously)"
|
||
|
.It APPE Ta "append to a file"
|
||
|
.It CDUP Ta "change to parent of current working directory"
|
||
|
.It CWD Ta "change working directory"
|
||
|
.It DELE Ta "delete a file"
|
||
|
.It HELP Ta "give help information"
|
||
|
.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lgA"
|
||
|
.It MKD Ta "make a directory"
|
||
|
.It MDTM Ta "show last modification time of file"
|
||
|
.It MODE Ta "specify data transfer" Em mode
|
||
|
.It NLST Ta "give name list of files in directory"
|
||
|
.It NOOP Ta "do nothing"
|
||
|
.It PASS Ta "specify password"
|
||
|
.It PASV Ta "prepare for server-to-server transfer"
|
||
|
.It PORT Ta "specify data connection port"
|
||
|
.It PWD Ta "print the current working directory"
|
||
|
.It QUIT Ta "terminate session"
|
||
|
.It REST Ta "restart incomplete transfer"
|
||
|
.It RETR Ta "retrieve a file"
|
||
|
.It RMD Ta "remove a directory"
|
||
|
.It RNFR Ta "specify rename-from file name"
|
||
|
.It RNTO Ta "specify rename-to file name"
|
||
|
.It SITE Ta "non-standard commands (see next section)"
|
||
|
.It SIZE Ta "return size of file"
|
||
|
.It STAT Ta "return status of server"
|
||
|
.It STOR Ta "store a file"
|
||
|
.It STOU Ta "store a file with a unique name"
|
||
|
.It STRU Ta "specify data transfer" Em structure
|
||
|
.It SYST Ta "show operating system type of server system"
|
||
|
.It TYPE Ta "specify data transfer" Em type
|
||
|
.It USER Ta "specify user name"
|
||
|
.It XCUP Ta "change to parent of current working directory (deprecated)"
|
||
|
.It XCWD Ta "change working directory (deprecated)"
|
||
|
.It XMKD Ta "make a directory (deprecated)"
|
||
|
.It XPWD Ta "print the current working directory (deprecated)"
|
||
|
.It XRMD Ta "remove a directory (deprecated)"
|
||
|
.El
|
||
|
.Pp
|
||
|
The following commands are specified by RFC2228.
|
||
|
.Bl -column Request -offset indent
|
||
|
.It AUTH Ta "authentication/security mechanism"
|
||
|
.It ADAT Ta "authentication/security data"
|
||
|
.It PROT Ta "data channel protection level"
|
||
|
.It PBSZ Ta "protection buffer size"
|
||
|
.It MIC Ta "integrity protected command"
|
||
|
.It CONF Ta "confidentiality protected command"
|
||
|
.It ENC Ta "privacy protected command"
|
||
|
.It CCC Ta "clear command channel"
|
||
|
.El
|
||
|
.Pp
|
||
|
The following non-standard or
|
||
|
.Tn UNIX
|
||
|
specific commands are supported
|
||
|
by the
|
||
|
SITE request.
|
||
|
.Pp
|
||
|
.Bl -column Request -offset indent
|
||
|
.It UMASK Ta change umask, (e.g.
|
||
|
.Ic "SITE UMASK 002" )
|
||
|
.It IDLE Ta set idle-timer, (e.g.
|
||
|
.Ic "SITE IDLE 60" )
|
||
|
.It CHMOD Ta change mode of a file (e.g.
|
||
|
.Ic "SITE CHMOD 755 filename" )
|
||
|
.It FIND Ta quickly find a specific file with GNU
|
||
|
.Xr locate 1 .
|
||
|
.It HELP Ta give help information.
|
||
|
.El
|
||
|
.Pp
|
||
|
The following Kerberos related site commands are understood.
|
||
|
.Bl -column Request -offset indent
|
||
|
.It KAUTH Ta obtain remote tickets.
|
||
|
.It KLIST Ta show remote tickets
|
||
|
.El
|
||
|
.Pp
|
||
|
The remaining ftp requests specified in Internet RFC 959
|
||
|
are
|
||
|
recognized, but not implemented.
|
||
|
MDTM and SIZE are not specified in RFC 959, but will appear in the
|
||
|
next updated FTP RFC.
|
||
|
.Pp
|
||
|
The ftp server will abort an active file transfer only when the
|
||
|
ABOR
|
||
|
command is preceded by a Telnet "Interrupt Process" (IP)
|
||
|
signal and a Telnet "Synch" signal in the command Telnet stream,
|
||
|
as described in Internet RFC 959.
|
||
|
If a
|
||
|
STAT
|
||
|
command is received during a data transfer, preceded by a Telnet IP
|
||
|
and Synch, transfer status will be returned.
|
||
|
.Pp
|
||
|
.Nm Ftpd
|
||
|
interprets file names according to the
|
||
|
.Dq globbing
|
||
|
conventions used by
|
||
|
.Xr csh 1 .
|
||
|
This allows users to utilize the metacharacters
|
||
|
.Dq Li \&*?[]{}~ .
|
||
|
.Pp
|
||
|
.Nm Ftpd
|
||
|
authenticates users according to these rules.
|
||
|
.Pp
|
||
|
.Bl -enum -offset indent
|
||
|
.It
|
||
|
If Kerberos authentication is used, the user must pass valid tickets
|
||
|
and the principal must be allowed to login as the remote user.
|
||
|
.It
|
||
|
The login name must be in the password data base, and not have a null
|
||
|
password (if kerberos is used the password field is not checked). In
|
||
|
this case a password must be provided by the client before any file
|
||
|
operations may be performed. If the user has an OTP key, the response
|
||
|
from a successful USER command will include an OTP challenge. The
|
||
|
client may choose to respond with a PASS command giving either a
|
||
|
standard password or an OTP one-time password. The server will
|
||
|
automatically determine which type of password it has been given and
|
||
|
attempt to authenticate accordingly. See
|
||
|
.Xr otp 1
|
||
|
for more information on OTP authentication.
|
||
|
.It
|
||
|
The login name must not appear in the file
|
||
|
.Pa /etc/ftpusers .
|
||
|
.It
|
||
|
The user must have a standard shell returned by
|
||
|
.Xr getusershell 3 .
|
||
|
.It
|
||
|
If the user name appears in the file
|
||
|
.Pa /etc/ftpchroot
|
||
|
the session's root will be changed to the user's login directory by
|
||
|
.Xr chroot 2
|
||
|
as for an
|
||
|
.Dq anonymous
|
||
|
or
|
||
|
.Dq ftp
|
||
|
account (see next item). However, the user must still supply a password.
|
||
|
This feature is intended as a compromise between a fully anonymous account
|
||
|
and a fully privileged account. The account should also be set up as for an
|
||
|
anonymous account.
|
||
|
.It
|
||
|
If the user name is
|
||
|
.Dq anonymous
|
||
|
or
|
||
|
.Dq ftp ,
|
||
|
an
|
||
|
anonymous ftp account must be present in the password
|
||
|
file (user
|
||
|
.Dq ftp ) .
|
||
|
In this case the user is allowed
|
||
|
to log in by specifying any password (by convention an email address for
|
||
|
the user should be used as the password).
|
||
|
.El
|
||
|
.Pp
|
||
|
In the last case,
|
||
|
.Nm ftpd
|
||
|
takes special measures to restrict the client's access privileges.
|
||
|
The server performs a
|
||
|
.Xr chroot 2
|
||
|
to the home directory of the
|
||
|
.Dq ftp
|
||
|
user.
|
||
|
In order that system security is not breached, it is recommended
|
||
|
that the
|
||
|
.Dq ftp
|
||
|
subtree be constructed with care, consider following these guidelines
|
||
|
for anonymous ftp.
|
||
|
|
||
|
In general all files should be owned by
|
||
|
.Dq root ,
|
||
|
and have non-write permissions (644 or 755 depending on the kind of
|
||
|
file). No files should be owned or writable by
|
||
|
.Dq ftp
|
||
|
(possibly with exception for the
|
||
|
.Pa ~ftp/incoming ,
|
||
|
as specified below).
|
||
|
.Bl -tag -width "~ftp/pub" -offset indent
|
||
|
.It Pa ~ftp
|
||
|
The
|
||
|
.Dq ftp
|
||
|
homedirectory should be owned by root.
|
||
|
.It Pa ~ftp/bin
|
||
|
The directory for external programs (such as
|
||
|
.Xr ls 1 ) .
|
||
|
These programs must either be statically linked, or you must setup an
|
||
|
environment for dynamic linking when running chrooted.
|
||
|
These programs will be used if present:
|
||
|
.Bl -tag -width "locate" -offset indent
|
||
|
.It ls
|
||
|
Used when listing files.
|
||
|
.It compress
|
||
|
When retrieving a filename that ends in
|
||
|
.Pa .Z ,
|
||
|
and that file isn't present,
|
||
|
.Nm
|
||
|
will try to find the filename without
|
||
|
.Pa .Z
|
||
|
and compress it on the fly.
|
||
|
.It gzip
|
||
|
Same as compress, just with files ending in
|
||
|
.Pa .gz .
|
||
|
.It gtar
|
||
|
Enables retrieval of whole directories as files ending in
|
||
|
.Pa .tar .
|
||
|
Can also be combined with compression. You must use GNU Tar (or some
|
||
|
other that supports the
|
||
|
.Fl z
|
||
|
and
|
||
|
.Fl Z
|
||
|
flags).
|
||
|
.It locate
|
||
|
Will enable ``fast find'' with the
|
||
|
.Ic SITE FIND
|
||
|
command. You must also create a
|
||
|
.Pa locatedb
|
||
|
file in
|
||
|
.Pa ~ftp/etc .
|
||
|
.El
|
||
|
.It Pa ~ftp/etc
|
||
|
If you put copies of the
|
||
|
.Xr passwd 5
|
||
|
and
|
||
|
.Xr group 5
|
||
|
files here, ls will be able to produce owner names rather than
|
||
|
numbers. Remember to remove any passwords from these files.
|
||
|
|
||
|
The file
|
||
|
.Pa motd ,
|
||
|
if present, will be printed after a successful login.
|
||
|
.It Pa ~ftp/dev
|
||
|
Put a copy of
|
||
|
.Xr /dev/null 7
|
||
|
here.
|
||
|
.It Pa ~ftp/pub
|
||
|
Traditional place to put whatever you want to make public.
|
||
|
.El
|
||
|
|
||
|
If you want guests to be able to upload files, create a
|
||
|
.Pa ~ftp/incoming
|
||
|
directory owned by
|
||
|
.Dq root ,
|
||
|
and group
|
||
|
.Dq ftp
|
||
|
with mode 730 (make sure
|
||
|
.Dq ftp
|
||
|
is member of group
|
||
|
.Dq ftp ) .
|
||
|
The following restrictions apply to anonymous users:
|
||
|
.Bl -bullet
|
||
|
.It
|
||
|
Directories created will have mode 700.
|
||
|
.It
|
||
|
Uploaded files will be created with an umask of 777, if not changed
|
||
|
with the
|
||
|
.Fl g
|
||
|
option.
|
||
|
.It
|
||
|
These command are not accessible:
|
||
|
.Ic DELE , RMD , RNTO , RNFR ,
|
||
|
.Ic SITE UMASK ,
|
||
|
and
|
||
|
.Ic SITE CHMOD .
|
||
|
.It
|
||
|
Filenames must start with an alpha-numeric character, and consist of
|
||
|
alpha-numeric characters or any of the following:
|
||
|
.Li \&+
|
||
|
(plus),
|
||
|
.Li \&-
|
||
|
(minus),
|
||
|
.Li \&=
|
||
|
(equal),
|
||
|
.Li \&_
|
||
|
(underscore),
|
||
|
.Li \&.
|
||
|
(period), and
|
||
|
.Li \&,
|
||
|
(comma).
|
||
|
.El
|
||
|
.Sh FILES
|
||
|
.Bl -tag -width /etc/ftpwelcome -compact
|
||
|
.It Pa /etc/ftpusers
|
||
|
Access list for users.
|
||
|
.It Pa /etc/ftpchroot
|
||
|
List of normal users who should be chroot'd.
|
||
|
.It Pa /etc/ftpwelcome
|
||
|
Welcome notice.
|
||
|
.It Pa /etc/motd
|
||
|
Welcome notice after login.
|
||
|
.It Pa /etc/nologin
|
||
|
Displayed and access refused.
|
||
|
.It Pa ~/.klogin
|
||
|
Login access for Kerberos.
|
||
|
.El
|
||
|
.Sh SEE ALSO
|
||
|
.Xr ftp 1 ,
|
||
|
.Xr otp 1 ,
|
||
|
.Xr getusershell 3 ,
|
||
|
.Xr ftpusers 5 ,
|
||
|
.Xr syslogd 8 ,
|
||
|
.Sh STANDARDS
|
||
|
.Bl -tag -compact -width "RFC 1938"
|
||
|
.It Cm RFC 959
|
||
|
FTP PROTOCOL SPECIFICATION
|
||
|
.It Cm RFC 1938
|
||
|
OTP Specification
|
||
|
.It Cm RFC 2228
|
||
|
FTP Security Extensions.
|
||
|
.Sh BUGS
|
||
|
The server must run as the super-user
|
||
|
to create sockets with privileged port numbers. It maintains
|
||
|
an effective user id of the logged in user, reverting to
|
||
|
the super-user only when binding addresses to sockets. The
|
||
|
possible security holes have been extensively
|
||
|
scrutinized, but are possibly incomplete.
|
||
|
.Sh HISTORY
|
||
|
The
|
||
|
.Nm
|
||
|
command appeared in
|
||
|
.Bx 4.2 .
|