|
System Administration Commands | in.ftpd(1M) |
| in.ftpd, ftpd - File Transfer Protocol Server |
SYNOPSIS
| in.ftpd [-A] [-a] [-d] [-I] [-i] [-L] [-l] [-o] [-P dataport] [-p ctrlport] [-Q] [-q] [-r rootdir] [-S] [-s] [-T maxtimeout] [-t timeout] [-u umask] [-V] [-v] [-W] [-w] [-X] |
|
in.ftpd is the Internet File Transfer Protocol (FTP) server process. The server may be invoked by the Internet daemon inetd(1M) each time a connection to the FTP service
is made or run as a standalone server. See services(4).
|
|
in.ftpd supports the following options:
- -A
- Disable use of the ftpaccess(4) file. Use of ftpaccess is disabled by default.
- -a
- Enable use of the ftpaccess(4) file.
- -d
- Write debugging information to syslogd(1M).
- -I
- Disable the use of AUTH and ident to determine the username on the client. See RFC 931. The FTP Server is built not to use AUTH and ident.
- -i
- Log the names of all files received by the FTP Server to xferlog(4). You can override the -i option through use of the ftpaccess(4) file.
- -L
- Log all commands sent to in.ftpd to syslogd(1M). When the -L option is used, command logging
will be on by default, once the FTP Server is invoked. Because the FTP Server includes USER commands in those logged, if a user accidentally enters a password instead of the username, the password will be logged. You can override the -L option through use of the ftpaccess(4) file.
- -l
- Log each FTP session to syslogd(1M).
- -o
- Log the names of all files transmitted by the FTP Server to xferlog(4). You can override the -o option through use of the ftpaccess(4) file.
- -P dataport
- The FTP Server determines the port number by looking in the services(4)
file for an entry for the ftp-data service. If there is no entry, the daemon uses the port just prior to the control connection port. Use the -P option to specify the data port number.
- -p ctrlport
- When run in standalone mode, the FTP Server determines the control port number by looking in the services(4) file for an entry for the ftp service. Use the -p option to specify the control port number.
- -Q
- Disable PID files. This disables user limits. Large, busy sites that do not want to impose limits on the number of concurrent users can use this option to disable PID files.
- -q
- Use PID files. The limit directive uses PID files to determine the number of current users in each access class. By default, PID files are used.
- -r rootdir
- chroot(2) to rootdir upon loading. Use
this option to improve system security. It limits the files that can be damaged should a break in occur through the daemon. This option is similar to anonymous FTP. Additional files are needed, which vary from system to system.
- -S
- Place the daemon in standalone operation mode. The daemon runs in the background. This is useful for startup scripts that run during system initialization. See init.d(4).
- -s
- Place the daemon in standalone operation mode. The daemon runs in the foreground. This is useful when run from /etc/inittab by init(1M).
- -T maxtimeout
- Set the maximum allowable timeout period to maxtimeout seconds. The default maximum timeout limit is 7200 second (two hours). You can override the -T option through
use of the ftpaccess(4) file.
- -t timeout
- Set the inactivity timeout period to timeout seconds. The default timeout period is 900 seconds (15 minutes). You can override the -t option through use of the ftpaccess(4) file.
- -u umask
- Set the default umask to umask.
- -V
- Display copyright and version information, then terminate.
- -v
- Write debugging information to syslogd(1M).
- -W
- Do not record user login and logout in the wtmpx(4) file.
- -w
- Record each user login and logout in the wtmpx(4) file. By default,
logins and logouts are recorded.
- -X
- Write the output from the -i and -o options to the syslogd(1M) file instead of xferlog(4). This allows the collection of output from several hosts on one central loghost. You can override the -X option through use of the ftpaccess(4) file.
Requests
|
The FTP Server currently supports the following FTP requests; case is not distinguished.
-
ABOR
- Abort previous command.
-
ALLO
- Allocate storage (vacuously).
-
APPE
- Append to a file.
-
CDUP
- Change to parent of current working directory.
-
CWD
- Change working directory.
-
DELE
- Delete a file.
-
EPRT
- Specify extended address for the transport connection.
-
EPSV
- Extended passive command request.
-
HELP
- Give help information.
-
LIST
- Give list files in a directory (ls -lA).
-
LPRT
- Specify long address for the transport connection.
-
LPSV
- Long passive command request.
-
MKD
- Make a directory.
-
MDTM
- Show last time file modified.
-
MODE
- Specify data transfer mode.
-
NLST
- Give name list of files in directory (ls).
-
NOOP
- Do nothing.
-
PASS
- Specify password.
-
PASV
- Prepare for server-to-server transfer.
-
PORT
- Specify data connection port.
-
PWD
- Print the current working directory.
-
QUIT
- Terminate session.
-
REST
- Restart incomplete transfer.
-
RETR
- Retrieve a file.
-
RMD
- Remove a directory.
-
RNFR
- Specify rename-from file name.
-
RNTO
- Specify rename-to file name.
-
SITE
- Use nonstandard commands.
-
SIZE
- Return size of file.
-
STAT
- Return status of server.
-
STOR
- Store a file.
-
STOU
- Store a file with a unique name.
-
STRU
- Specify data transfer structure.
-
SYST
- Show operating system type of server system.
-
TYPE
- Specify data transfer type.
-
USER
- Specify user name.
-
XCUP
- Change to parent of current working directory. This request is deprecated.
-
XCWD
- Change working directory. This request is deprecated.
-
XMKD
- Make a directory. This request is deprecated.
-
XPWD
- Print the current working directory. This request is deprecated.
-
XRMD
- Remove a directory. This request is deprecated.
The following nonstandard or UNIX specific commands are supported by the SITE request:
-
ALIAS
- List aliases.
-
CDPATH
- List the search path used when changing directories.
-
CHECKMETHOD
- List or set the checksum method.
-
CHECKSUM
- Give the checksum of a file.
-
CHMOD
- Change mode of a file. For example, SITE CHMOD 755 filename.
-
EXEC
- Execute a program. For example, SITE EXEC program params
-
GPASS
- Give special group access password. For example, SITE GPASS bar.
-
GROUP
- Request special group access. For example, SITE GROUP foo.
-
GROUPS
- List supplementary group membership.
-
HELP
- Give help information. For example, SITE HELP.
-
IDLE
- Set idle-timer. For example, SITE IDLE 60.
-
UMASK
- Change umask. For example, SITE UMASK 002.
The remaining FTP requests specified in RFC 959 are recognized, but not implemented.
The FTP server will abort an active file transfer only when the ABOR command is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet "Synch" signal in the command Telnet stream, as described
in RFC 959. If a STAT command is received during a data transfer that has been preceded by a Telnet IP and Synch, transfer status will be returned.
in.ftpd interprets file names according to the "globbing" conventions used by csh(1). This allows users to utilize the metacharacters: * ? [ ] { } ~
in.ftpd authenticates users according to four rules.
First, the user name must be in the password data base, /etc/passwd. The password must not be null. A password must always be provided by the client before any file operations may be performed. The PAM framework is used to verify that the correct password was entered. See SECURITY below.
Second, the user name must not appear in either the /etc/ftpusers or the /etc/ftpd/ftpusers file. Use of the /etc/ftpusers files is deprecated, although it is still supported.
Third, the uses must have a standard shell returned by getusershell(3C).
Fourth, if the user name is anonymous or ftp, an anonymous ftp account must be present in the password file for user ftp. Use ftpconfig(1M)
to create the anonymous ftp account and home directory tree.
The FTP Server supports virtual hosting, which can be configured by using ftpaddhost(1M).
The FTP Server does not support sublogins.
|
General FTP Extensions
|
The FTP Server has certain extensions. If the user specifies a filename that does not exist with a RETR (retrieve) command, the FTP Server looks for a conversion to change a file or directory that does into the one requested. See ftpconversions(4).
By convention, anonymous users supply their email address when prompted for a password. The FTP Server attempts to validate these email addresses. A user whose FTP client hangs on a long reply, for example, a multiline response, should use a dash (-) as the first character of the user's password,
as this disables the Server's lreply() function.
The FTP Server can also log all file transmission and reception. See xferlog(4) for details of the log file format.
The SITE EXEC command may be used to execute commands in the /bin/ftp-exec directory. Take care that you understand the security implications before copying any command into the /bin/ftp-exec directory. For example, do not copy in /bin/sh. This would enable the user to execute other commands through the use of sh -c. If you have doubts about this feature, do not create the /bin/ftp-exec directory.
|
|
|
in.ftpd uses pam(3PAM) for authentication, account management, and session management. The PAM configuration
policy, listed through /etc/pam.conf, specifies the module to be used for in.ftpd. Here is a partial pam.conf file with entries for the in.ftpd command using the UNIX authentication, account management, and session management
module.
|
ftp auth requisite pam_authtok_get.so.1
ftp auth required pam_dhkeys.so.1
ftp auth required pam_unix_auth.so.1
ftp account required pam_unix_roles.so.1
ftp account required pam_unix_projects.so.1
ftp account required pam_unix_account.so.1
ftp session required pam_unix_session.so.1
|
If there are no entries for the ftp service, then the entries for the "other" service will be used. Unlike login, passwd, and other commands, the ftp protocol will only support a single password. Using multiple modules will
prevent in.ftpd from working properly.
|
|
The in.ftpd command is IPv6-enabled. See ip6(7P).
|
|
-
/etc/ftpd/ftpaccess
- FTP Server configuration file
-
/etc/ftpd/ftpconversions
- FTP Server conversions database
-
/etc/ftpd/ftpgroups
- FTP Server enhanced group access file
-
/etc/ftpd/ftphosts
- FTP Server individual user host access file
-
/etc/ftpd/ftpservers
- FTP Server virtual hosting configuration file.
-
/etc/ftpd/ftpusers
- File listing users for whom FTP login privileges are disallowed.
-
/etc/ftpusers
- File listing users for whom FTP login privileges are disallowed. This use of this file is deprecated.
-
/var/log/xferlog
- FTP Server transfer log file
-
/var/run/ftp.pids-classname
-
-
/var/adm/wtmpx
- Extended database files that contain the history of user access and accounting information for the wtmpx database.
|
|
See attributes (5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
Availability | SUNWftpu |
|
|
csh(1), ftp(1), ftpcount(1), ftpwho(1), ls(1), ftpaddhost(1M), ftpconfig(1M), ftprestart(1M), ftpshut(1M), inetd(1M), syslogd(1M), chroot(2), umask(2), getpwent(3C), getusershell(3C), syslog(3C), ftpaccess(4), ftpconversions(4), ftpgroups(4), ftphosts(4), ftpservers(4), ftpusers(4), group(4), passwd(4), services(4), xferlog(4), wtmpx(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)ip6(7P)
Allman, M., Ostermann, S., and Metz, C. RFC 2428, FTP Extensions for IPv6 and NATs. The Internet Society. September 1998.
Piscitello, D. RFC 1639, FTP Operation Over Big Address Records (FOOBAR). Network Working Group. June 1994.
Postel, Jon, and Joyce Reynolds. RFC 959, File Transfer Protocol (FTP ). Network Information Center. October 1985.
St. Johns, Mike. RFC 931, Authentication Server. Network Working Group. January 1985.
|
|
in.ftpd logs various errors to syslogd(1M), with a facility code of daemon.
|
|
The anonymous FTP account is inherently dangerous and should be avoided when possible.
The FTP Server must perform certain tasks as the superuser, for example, the creation of sockets with privileged port numbers. It maintains an effective user ID of the logged in user, reverting to the superuser only when necessary.
The FTP Server no longer supports the /etc/default/ftpd file. Instead of using UMASK=nnn to set the umask, use the defumask capability in the ftpaccess file. The banner greeting text capability is also now set through
the ftpaccess file by using the greeting text capability instead of by using BANNER="...". However, unlike the BANNER string, the greeting text string is not passed to the shell for evaluation. See ftpaccess(4).
The pam_unix(5) module might not be supported in a future release. Similar functionality is provided by pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).
|
| |