| FTPD(8) | System Manager's Manual | FTPD(8) | 
ftpd —
| ftpd | [ -46DdfHlnQqrsUuWwX] [-aanondir] [-Cuser[@host]]
      [-cconfdir]
      [-eemailaddr]
      [-hhostname]
      [-Lxferlogfile]
      [-Pdataport]
      [-Vversion] | 
ftpd is the Internet File Transfer Protocol server
  process. The server uses the TCP protocol and listens at the port specified in
  the “ftp” service specification; see
  services(5).
Available options:
-4-D is specified, bind to IPv4 addresses
    only.-6-D is specified, bind to IPv6 addresses
    only.-a
    anondir-C
    user[@host]ftpd exits with
      an exit code of 0 if access would be granted, or 1 otherwise. This can be
      useful for testing configurations.-c
    confdir-Dftpd will listen on the default FTP
      port for incoming connections and fork a child for each connection. This
      is lower overhead than starting ftpd from
      inetd(8) and thus might be
      useful on busy servers to reduce load.-dLOG_FTP.-e
    emailaddr-f-D flag from detaching from the tty and
      going into the background.-H-h
    hostnameftpd is listening on.
      This ability (with or without -h), in conjunction
      with -c confdir, is useful
      when configuring ‘virtual’ FTP servers, each listening on
      separate addresses as separate names. Refer to
      inetd.conf(5) for more
      information on starting services to listen on specific IP addresses.-L
    xferlogfile-lLOG_FTP. If this option is specified
      more than once, the retrieve (get), store (put), append, delete, make
      directory, remove directory and rename operations and their file name
      arguments are also logged.-n-P
    dataportftpd is listening on.-Q-q-rRFC 959 specification, but in
      practice very few clients rely upon this behaviour. See
      SECURITY CONSIDERATIONS
      below for more details.-s-U-u-V
    version-W-w-XLOG_FTP. These syslog entries can be converted to
      a wu-ftpd style xferlog file suitable for input
      into a third-party log analysis tool with a command similar to:
    sed -ne 's/^.*xferlog: //p'
      /var/log/xferlog > wuxferlogThe file /etc/nologin can be used to
    disable FTP access. If the file exists, ftpd
    displays it and exits. If the file /etc/ftpwelcome
    exists, ftpd prints it before issuing the
    “ready” message. If the file /etc/motd
    exists (under the chroot directory if applicable),
    ftpd prints it after a successful login. This may be
    changed with the
    ftpd.conf(5) directive
    motd.
The ftpd server currently supports the
    following FTP requests. The case of the requests is ignored.
| Request | Description | 
| ABOR | abort previous command | 
| ACCT | specify account (ignored) | 
| ALLO | allocate storage (vacuously) | 
| APPE | append to a file | 
| CDUP | change to parent of current working directory | 
| CWD | change working directory | 
| DELE | delete a file | 
| EPSV | prepare for server-to-server transfer | 
| EPRT | specify data connection port | 
| FEAT | list extra features that are not defined in RFC
      959 | 
| HELP | give help information | 
| LIST | give list files in a directory (“ ls
      -lA”) | 
| LPSV | prepare for server-to-server transfer | 
| LPRT | specify data connection port | 
| MLSD | list contents of directory in a machine-processable form | 
| MLST | show a pathname in a machine-processable form | 
| MKD | make a directory | 
| MDTM | show last modification time of file | 
| MODE | specify data transfer mode | 
| NLST | give name list of files in directory | 
| NOOP | do nothing | 
| OPTS | define persistent options for a given command | 
| PASS | specify password | 
| PASV | prepare for server-to-server transfer | 
| PORT | specify data connection port | 
| PWD | print the current working directory | 
| QUIT | terminate session | 
| REST | restart incomplete transfer | 
| RETR | retrieve a file | 
| RMD | remove a directory | 
| RNFR | specify rename-from file name | 
| RNTO | specify rename-to file name | 
| SITE | non-standard commands (see next section) | 
| SIZE | return size of file | 
| STAT | return status of server | 
| STOR | store a file | 
| STOU | store a file with a unique name | 
| STRU | specify data transfer structure | 
| SYST | show operating system type of server system | 
| TYPE | specify data transfer type | 
| USER | specify user name | 
| XCUP | change to parent of current working directory (deprecated) | 
| XCWD | change working directory (deprecated) | 
| XMKD | make a directory (deprecated) | 
| XPWD | print the current working directory (deprecated) | 
| XRMD | remove a directory (deprecated) | 
The following non-standard or UNIX specific commands are supported by the SITE request.
| Request | Description | 
| CHMOD | change mode of a file, e.g. ``SITE CHMOD 755 filename'' | 
| HELP | give help information. | 
| IDLE | set idle-timer, e.g. ``SITE IDLE 60'' | 
| RATEGET | set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k'' | 
| RATEPUT | set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k'' | 
| UMASK | change umask, e.g. ``SITE UMASK 002'' | 
The following FTP requests (as specified in RFC
    959 and RFC 2228) are recognized, but are not
    implemented: ACCT, ADAT,
    AUTH, CCC, CONF,
    ENC, MIC, PBSZ,
    PROT, REIN, and
  SMNT.
The ftpd server will abort an active file
    transfer only when the ABOR command is preceded by a
    Telnet "Interrupt Process" (IP) signal and a Telnet
    "Synch" signal in the command Telnet stream, as described in
    Internet RFC 959. If a STAT
    command is received during a data transfer, preceded by a Telnet IP and
    Synch, transfer status will be returned.
ftpd interprets file names according to
    the “globbing” conventions used by
    csh(1). This allows users to use
    the metacharacters “*?[]{}~”.
ftpd authenticates users according to five rules.
The server performs a
        chroot(2) to the directory
        specified in the
        ftpd.conf(5)
        chroot directive (if set), the
        -a anondir directory (if
        set), or to the home directory of the “ftp” user.
The server then performs a chdir(2) to the directory specified in the ftpd.conf(5) homedir directive (if set), otherwise to /.
If other restrictions are required (such as disabling of certain commands and the setting of a specific umask), then appropriate entries in ftpd.conf(5) are required.
If the first character of the password supplied by an anonymous user is “-”, then the verbose messages displayed at login and upon a CWD command are suppressed.
ftpd displays various files back to the client
  (such as /etc/ftpwelcome and
  /etc/motd), various escape strings are replaced with
  information pertinent to the current connection.
The supported escape strings are:
-e.1”, print an
      “s”.1”, print an
      “S”.The following ftpd.conf(5) directives should be used:
modify guest offumask guest 0707upload guest onThis will result in anonymous users being able to upload files to this directory, but they will not be able to download them, delete them, or overwrite them, due to the umask and disabling of the commands mentioned above.
If you don't enable conversion commands, or don't want anonymous users uploading files here (see ~ftp/incoming above), then don't create this directory. However, error messages from conversion or LIST commands won't be returned to the user. (This is the traditional behaviour.) Note that the ftpd.conf(5) directive upload can be used to prevent users uploading here.
To set up "ftp-only" accounts that provide only FTP, but no valid shell login, you can copy/link /sbin/nologin to /sbin/ftplogin, and enter /sbin/ftplogin to /etc/shells to allow logging-in via FTP into the accounts, which must have /sbin/ftplogin as login shell.
ftpd
      class ‘CLASS’.ftpd recognizes all commands in RFC
  959, follows the guidelines in RFC 1123,
  recognizes all commands in RFC 2228 (although they are
  not supported yet), and supports the extensions from RFC
  2389, RFC 2428, and RFC
  3659.
ftpd command appeared in
  4.2BSD.
Various features such as the
    ftpd.conf(5) functionality,
    RFC 2389, and RFC 3659
    support was implemented in NetBSD 1.3 and later
    releases by Luke Mewburn.
IPPORT_RESERVED, which
  is 1024). If ftpd is listening on a privileged port it
  maintains an effective user id of the logged in user, reverting to the
  super-user only when binding addresses to privileged sockets. The
  -r option can be used to override this behaviour and
  force privileges to be permanently revoked; see
  SECURITY CONSIDERATIONS
  below for more details.
ftpd may have trouble handling connections
    from scoped IPv6 addresses, or IPv4 mapped addresses (IPv4 connection on
    AF_INET6 socket). For the latter case, running two
    daemons, one for IPv4 and one for IPv6, will avoid the problem.
RFC 959 provides no restrictions on the
  PORT command, and this can lead to security problems, as
  ftpd can be fooled into connecting to any service on
  any host. With the “checkportcmd” feature of the
  ftpd.conf(5),
  PORT commands with different host addresses, or TCP ports
  lower than IPPORT_RESERVED will be rejected. This also
  prevents ‘third-party proxy ftp’ from working. Use of this
  option is strongly recommended, and enabled by default.
By default ftpd uses a port that is one
    less than the port it is listening on to communicate back to the client for
    the EPRT, LPRT, and
    PORT commands, unless overridden with
    -P dataport. As the default
    port for ftpd (21) is a privileged port below
    IPPORT_RESERVED, ftpd
    retains the ability to switch back to root privileges to bind these ports.
    In order to increase security by reducing the potential for a bug in
    ftpd providing a remote root compromise,
    ftpd will permanently drop root privileges if one of
    the following is true:
ftpd is running on a port greater than
      IPPORT_RESERVED and the user has logged in as a
      ‘guest’ or ‘chroot’ user.ftpd was invoked with
    -r.Don't create ~ftp/tmp if you don't want anonymous users to upload files there. That directory is only necessary if you want to display the error messages of conversion commands to the user. Note that if uploads are disabled with the ftpd.conf(5) directive upload, then this directory cannot be abused by the user in this way, so it should be safe to create.
To avoid possible denial-of-service attacks,
    SIZE requests against files larger than 10240 bytes will
    be denied if the current transfer TYPE is
    ‘A’ (ASCII).
| May 1, 2009 | NetBSD 9.4 |