1.\" $NetBSD: ftpd.8,v 1.83 2009/03/15 08:07:22 joerg Exp $ 2.\" 3.\" Copyright (c) 1997-2008 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Luke Mewburn. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.\" Copyright (c) 1985, 1988, 1991, 1993 31.\" The Regents of the University of California. All rights reserved. 32.\" 33.\" Redistribution and use in source and binary forms, with or without 34.\" modification, are permitted provided that the following conditions 35.\" are met: 36.\" 1. Redistributions of source code must retain the above copyright 37.\" notice, this list of conditions and the following disclaimer. 38.\" 2. Redistributions in binary form must reproduce the above copyright 39.\" notice, this list of conditions and the following disclaimer in the 40.\" documentation and/or other materials provided with the distribution. 41.\" 3. Neither the name of the University nor the names of its contributors 42.\" may be used to endorse or promote products derived from this software 43.\" without specific prior written permission. 44.\" 45.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 46.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 47.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 48.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 49.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 50.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 51.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 52.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 53.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 54.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 55.\" SUCH DAMAGE. 56.\" 57.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 58.\" 59.Dd September 21, 2008 60.Dt FTPD 8 61.Os 62.Sh NAME 63.Nm ftpd 64.Nd 65Internet File Transfer Protocol server 66.Sh SYNOPSIS 67.Nm 68.Op Fl 46DdHlnQqrsUuWwX 69.Op Fl a Ar anondir 70.Op Fl C Ar user Ns Op @ Ns Ar host 71.Op Fl c Ar confdir 72.Op Fl e Ar emailaddr 73.Op Fl h Ar hostname 74.Op Fl L Ar xferlogfile 75.Op Fl P Ar dataport 76.Op Fl V Ar version 77.Sh DESCRIPTION 78.Nm 79is the Internet File Transfer Protocol server process. 80The server uses the 81.Tn TCP 82protocol and listens at the port specified in the 83.Dq ftp 84service specification; see 85.Xr services 5 . 86.Pp 87Available options: 88.Bl -tag -width Ds 89.It Fl 4 90When 91.Fl D 92is specified, bind to IPv4 addresses only. 93.It Fl 6 94When 95.Fl D 96is specified, bind to IPv6 addresses only. 97.It Fl a Ar anondir 98Define 99.Ar anondir 100as the directory to 101.Xr chroot 2 102into for anonymous logins. 103Default is the home directory for the ftp user. 104This can also be specified with the 105.Xr ftpd.conf 5 106.Sy chroot 107directive. 108.It Fl C Ar user Ns Op @ Ns Ar host 109Check whether 110.Ar user 111.Po 112as if connecting from 113.Ar host , 114if provided 115.Pc 116would be granted access under 117the restrictions given in 118.Xr ftpusers 5 , 119and exit without attempting a connection. 120.Nm 121exits with an exit code of 0 if access would be granted, or 1 otherwise. 122This can be useful for testing configurations. 123.It Fl c Ar confdir 124Change the root directory of the configuration files from 125.Dq Pa /etc 126to 127.Ar confdir . 128This changes the directory for the following files: 129.Pa /etc/ftpchroot , 130.Pa /etc/ftpusers , 131.Pa /etc/ftpwelcome , 132.Pa /etc/motd , 133and the file specified by the 134.Xr ftpd.conf 5 135.Sy limit 136directive. 137.It Fl D 138Run as daemon. 139.Nm 140will listen on the default FTP port for incoming connections 141and fork a child for each connection. 142This is lower overhead than starting 143.Nm 144from 145.Xr inetd 8 146and thus might be useful on busy servers to reduce load. 147.It Fl d 148Debugging information is written to the syslog using a facility of 149.Dv LOG_FTP . 150.It Fl e Ar emailaddr 151Use 152.Ar emailaddr 153for the 154.Dq "\&%E" 155escape sequence (see 156.Sx Display file escape sequences ) 157.It Fl H 158Equivalent to 159.Do 160-h 161`hostname` 162.Dc . 163.It Fl h Ar hostname 164Explicitly set the hostname to advertise as to 165.Ar hostname . 166The default is the hostname associated with the IP address that 167.Nm 168is listening on. 169This ability (with or without 170.Fl h ) , 171in conjunction with 172.Fl c Ar confdir , 173is useful when configuring 174.Sq virtual 175.Tn FTP 176servers, each listening on separate addresses as separate names. 177Refer to 178.Xr inetd.conf 5 179for more information on starting services to listen on specific IP addresses. 180.It Fl L Ar xferlogfile 181Log 182.Tn wu-ftpd 183style 184.Sq xferlog 185entries to 186.Ar xferlogfile . 187.It Fl l 188Each successful and failed 189.Tn FTP 190session is logged using syslog with a facility of 191.Dv LOG_FTP . 192If this option is specified more than once, the retrieve (get), store (put), 193append, delete, make directory, remove directory and rename operations and 194their file name arguments are also logged. 195.It Fl n 196Don't attempt translation of IP addresses to hostnames. 197.It Fl P Ar dataport 198Use 199.Ar dataport 200as the data port, overriding the default of using the port one less 201that the port 202.Nm 203is listening on. 204.It Fl Q 205Disable the use of pid files for keeping track of the number of logged-in 206users per class. 207This may reduce the load on heavily loaded 208.Tn FTP 209servers. 210.It Fl q 211Enable the use of pid files for keeping track of the number of logged-in 212users per class. 213This is the default. 214.It Fl r 215Permanently drop root privileges once the user is logged in. 216The use of this option may result in the server using a port other 217than the (listening-port - 1) for 218.Sy PORT 219style commands, which is contrary to the 220.Cm RFC 959 221specification, but in practice very few clients rely upon this behaviour. 222See 223.Sx SECURITY CONSIDERATIONS 224below for more details. 225.It Fl s 226Require a secure authentication mechanism like Kerberos or S/Key to be used. 227.It Fl U 228Don't log each concurrent 229.Tn FTP 230session to 231.Pa /var/run/utmp . 232This is the default. 233.It Fl u 234Log each concurrent 235.Tn FTP 236session to 237.Pa /var/run/utmp , 238making them visible to commands such as 239.Xr who 1 . 240.It Fl V Ar version 241Use 242.Ar version 243as the version to advertise in the login banner and in the output of 244.Sy STAT 245and 246.Sy SYST 247instead of the default version information. 248If 249.Ar version 250is empty or 251.Sq - 252then don't display any version information. 253.It Fl W 254Don't log each 255.Tn FTP 256session to 257.Pa /var/log/wtmp . 258.It Fl w 259Log each 260.Tn FTP 261session to 262.Pa /var/log/wtmp , 263making them visible to commands such as 264.Xr last 1 . 265This is the default. 266.It Fl X 267Log 268.Tn wu-ftpd 269style 270.Sq xferlog 271entries to the syslog, prefixed with 272.Dq "xferlog:\ " , 273using a facility of 274.Dv LOG_FTP . 275These syslog entries can be converted to a 276.Tn wu-ftpd 277style 278.Pa xferlog 279file suitable for input into a third-party log analysis tool with a command 280similar to: 281.Dl "grep 'xferlog: ' /var/log/xferlog | \e" 282.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog" 283.El 284.Pp 285The file 286.Pa /etc/nologin 287can be used to disable 288.Tn FTP 289access. 290If the file exists, 291.Nm 292displays it and exits. 293If the file 294.Pa /etc/ftpwelcome 295exists, 296.Nm 297prints it before issuing the 298.Dq ready 299message. 300If the file 301.Pa /etc/motd 302exists (under the chroot directory if applicable), 303.Nm 304prints it after a successful login. 305This may be changed with the 306.Xr ftpd.conf 5 307directive 308.Sy motd . 309.Pp 310The 311.Nm 312server currently supports the following 313.Tn FTP 314requests. 315The case of the requests is ignored. 316.Bl -column "Request" "Description" -offset indent 317.It Sy Request Ta Sy Description 318.It ABOR Ta "abort previous command" 319.It ACCT Ta "specify account (ignored)" 320.It ALLO Ta "allocate storage (vacuously)" 321.It APPE Ta "append to a file" 322.It CDUP Ta "change to parent of current working directory" 323.It CWD Ta "change working directory" 324.It DELE Ta "delete a file" 325.It EPSV Ta "prepare for server-to-server transfer" 326.It EPRT Ta "specify data connection port" 327.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959" 328.It HELP Ta "give help information" 329.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA" 330.It LPSV Ta "prepare for server-to-server transfer" 331.It LPRT Ta "specify data connection port" 332.It MLSD Ta "list contents of directory in a machine-processable form" 333.It MLST Ta "show a pathname in a machine-processable form" 334.It MKD Ta "make a directory" 335.It MDTM Ta "show last modification time of file" 336.It MODE Ta "specify data transfer" Em mode 337.It NLST Ta "give name list of files in directory" 338.It NOOP Ta "do nothing" 339.It OPTS Ta "define persistent options for a given command" 340.It PASS Ta "specify password" 341.It PASV Ta "prepare for server-to-server transfer" 342.It PORT Ta "specify data connection port" 343.It PWD Ta "print the current working directory" 344.It QUIT Ta "terminate session" 345.It REST Ta "restart incomplete transfer" 346.It RETR Ta "retrieve a file" 347.It RMD Ta "remove a directory" 348.It RNFR Ta "specify rename-from file name" 349.It RNTO Ta "specify rename-to file name" 350.It SITE Ta "non-standard commands (see next section)" 351.It SIZE Ta "return size of file" 352.It STAT Ta "return status of server" 353.It STOR Ta "store a file" 354.It STOU Ta "store a file with a unique name" 355.It STRU Ta "specify data transfer" Em structure 356.It SYST Ta "show operating system type of server system" 357.It TYPE Ta "specify data transfer" Em type 358.It USER Ta "specify user name" 359.It XCUP Ta "change to parent of current working directory (deprecated)" 360.It XCWD Ta "change working directory (deprecated)" 361.It XMKD Ta "make a directory (deprecated)" 362.It XPWD Ta "print the current working directory (deprecated)" 363.It XRMD Ta "remove a directory (deprecated)" 364.El 365.Pp 366The following non-standard or 367.Ux 368specific commands are supported by the SITE request. 369.Pp 370.Bl -column Request Description -offset indent 371.It Sy Request Ta Sy Description 372.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''" 373.It HELP Ta "give help information." 374.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''" 375.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''" 376.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''" 377.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''" 378.El 379.Pp 380The following 381.Tn FTP 382requests (as specified in 383.Cm RFC 959 384and 385.Cm RFC 2228 ) 386are recognized, but are not implemented: 387.Sy ACCT , 388.Sy ADAT , 389.Sy AUTH , 390.Sy CCC , 391.Sy CONF , 392.Sy ENC , 393.Sy MIC , 394.Sy PBSZ , 395.Sy PROT , 396.Sy REIN , 397and 398.Sy SMNT . 399.Pp 400The 401.Nm 402server will abort an active file transfer only when the 403.Sy ABOR 404command is preceded by a Telnet "Interrupt Process" (IP) 405signal and a Telnet "Synch" signal in the command Telnet stream, 406as described in Internet 407.Cm RFC 959 . 408If a 409.Sy STAT 410command is received during a data transfer, preceded by a Telnet IP 411and Synch, transfer status will be returned. 412.Pp 413.Nm 414interprets file names according to the 415.Dq globbing 416conventions used by 417.Xr csh 1 . 418This allows users to use the metacharacters 419.Dq Li \&*?[]{}~ . 420.Ss User authentication 421.Nm 422authenticates users according to five rules. 423.Pp 424.Bl -enum -offset indent 425.It 426The login name must be in the password data base, 427.Xr passwd 5 , 428and not have a null password. 429In this case a password must be provided by the client before any 430file operations may be performed. 431If the user has an S/Key key, the response from a successful 432.Sy USER 433command will include an S/Key challenge. 434The client may choose to respond with a 435.Sy PASS 436command giving either 437a standard password or an S/Key one-time password. 438The server will automatically determine which type of password it 439has been given and attempt to authenticate accordingly. 440See 441.Xr skey 1 442for more information on S/Key authentication. 443S/Key is a Trademark of Bellcore. 444.It 445The login name must be allowed based on the information in 446.Xr ftpusers 5 . 447.It 448The user must have a standard shell returned by 449.Xr getusershell 3 . 450If the user's shell field in the password database is empty, the 451shell is assumed to be 452.Pa /bin/sh . 453As per 454.Xr shells 5 , 455the user's shell must be listed with full path in 456.Pa /etc/shells . 457.It 458If directed by the file 459.Xr ftpchroot 5 460the session's root directory will be changed by 461.Xr chroot 2 462to the directory specified in the 463.Xr ftpd.conf 5 464.Sy chroot 465directive (if set), 466or to the home directory of the user. 467This facility may also be triggered by enabling the boolean 468.Sy ftp-chroot 469in 470.Xr login.conf 5 . 471However, the user must still supply a password. 472This feature is intended as a compromise between a fully anonymous account 473and a fully privileged account. 474The account should also be set up as for an anonymous account. 475.It 476If the user name is 477.Dq anonymous 478or 479.Dq ftp , 480an 481anonymous 482.Tn FTP 483account must be present in the password 484file (user 485.Dq ftp ) . 486In this case the user is allowed 487to log in by specifying any password (by convention an email address for 488the user should be used as the password). 489.Pp 490The server performs a 491.Xr chroot 2 492to the directory specified in the 493.Xr ftpd.conf 5 494.Sy chroot 495directive (if set), 496the 497.Fl a Ar anondir 498directory (if set), 499or to the home directory of the 500.Dq ftp 501user. 502.Pp 503The server then performs a 504.Xr chdir 2 505to the directory specified in the 506.Xr ftpd.conf 5 507.Sy homedir 508directive (if set), otherwise to 509.Pa / . 510.Pp 511If other restrictions are required (such as disabling of certain 512commands and the setting of a specific umask), then appropriate 513entries in 514.Xr ftpd.conf 5 515are required. 516.Pp 517If the first character of the password supplied by an anonymous user 518is 519.Dq - , 520then the verbose messages displayed at login and upon a 521.Sy CWD 522command are suppressed. 523.El 524.Ss Display file escape sequences 525When 526.Nm 527displays various files back to the client (such as 528.Pa /etc/ftpwelcome 529and 530.Pa /etc/motd ) , 531various escape strings are replaced with information pertinent 532to the current connection. 533.Pp 534The supported escape strings are: 535.Bl -tag -width "Escape" -offset indent -compact 536.It Sy "Escape" 537.Sy Description 538.It "\&%c" 539Class name. 540.It "\&%C" 541Current working directory. 542.It "\&%E" 543Email address given with 544.Fl e . 545.It "\&%L" 546Local hostname. 547.It "\&%M" 548Maximum number of users for this class. 549Displays 550.Dq unlimited 551if there's no limit. 552.It "\&%N" 553Current number of users for this class. 554.It "\&%R" 555Remote hostname. 556.It "\&%s" 557If the result of the most recent 558.Dq "\&%M" 559or 560.Dq "\&%N" 561was not 562.Dq Li 1 , 563print an 564.Dq s . 565.It "\&%S" 566If the result of the most recent 567.Dq "\&%M" 568or 569.Dq "\&%N" 570was not 571.Dq Li 1 , 572print an 573.Dq S . 574.It "\&%T" 575Current time. 576.It "\&%U" 577User name. 578.It "\&%\&%" 579A 580.Dq \&% 581character. 582.El 583.Ss Setting up a restricted ftp subtree 584In order that system security is not breached, it is recommended 585that the 586subtrees for the 587.Dq ftp 588and 589.Dq chroot 590accounts be constructed with care, following these rules 591(replace 592.Dq ftp 593in the following directory names 594with the appropriate account name for 595.Sq chroot 596users): 597.Bl -tag -width "~ftp/incoming" -offset indent 598.It Pa ~ftp 599Make the home directory owned by 600.Dq root 601and unwritable by anyone. 602.It Pa ~ftp/bin 603Make this directory owned by 604.Dq root 605and unwritable by anyone (mode 555). 606Generally any conversion commands should be installed 607here (mode 111). 608.It Pa ~ftp/etc 609Make this directory owned by 610.Dq root 611and unwritable by anyone (mode 555). 612The files 613.Pa pwd.db 614(see 615.Xr passwd 5 ) 616and 617.Pa group 618(see 619.Xr group 5 ) 620must be present for the 621.Sy LIST 622command to be able to display owner and group names instead of numbers. 623The password field in 624.Xr passwd 5 625is not used, and should not contain real passwords. 626The file 627.Pa motd , 628if present, will be printed after a successful login. 629These files should be mode 444. 630.It Pa ~ftp/pub 631This directory and the subdirectories beneath it should be owned 632by the users and groups responsible for placing files in them, 633and be writable only by them (mode 755 or 775). 634They should 635.Em not 636be owned or writable by ftp or its group. 637.It Pa ~ftp/incoming 638This directory is where anonymous users place files they upload. 639The owners should be the user 640.Dq ftp 641and an appropriate group. 642Members of this group will be the only users with access to these 643files after they have been uploaded; these should be people who 644know how to deal with them appropriately. 645If you wish anonymous 646.Tn FTP 647users to be able to see the names of the 648files in this directory the permissions should be 770, otherwise 649they should be 370. 650.Pp 651The following 652.Xr ftpd.conf 5 653directives should be used: 654.Dl "modify guest off" 655.Dl "umask guest 0707" 656.Dl "upload guest on" 657.Pp 658This will result in anonymous users being able to upload files to this 659directory, but they will not be able to download them, delete them, or 660overwrite them, due to the umask and disabling of the commands mentioned 661above. 662.It Pa ~ftp/tmp 663This directory is used to create temporary files which contain 664the error messages generated by a conversion or 665.Sy LIST 666command. 667The owner should be the user 668.Dq ftp . 669The permissions should be 300. 670.Pp 671If you don't enable conversion commands, or don't want anonymous users 672uploading files here (see 673.Pa ~ftp/incoming 674above), then don't create this directory. 675However, error messages from conversion or 676.Sy LIST 677commands won't be returned to the user. 678(This is the traditional behaviour.) 679Note that the 680.Xr ftpd.conf 5 681directive 682.Sy upload 683can be used to prevent users uploading here. 684.El 685.Pp 686To set up "ftp-only" accounts that provide only 687.Tn FTP , 688but no valid shell 689login, you can copy/link 690.Pa /sbin/nologin 691to 692.Pa /sbin/ftplogin , 693and enter 694.Pa /sbin/ftplogin 695to 696.Pa /etc/shells 697to allow logging-in via 698.Tn FTP 699into the accounts, which must have 700.Pa /sbin/ftplogin 701as login shell. 702.Sh FILES 703.Bl -tag -width /etc/ftpwelcome -compact 704.It Pa /etc/ftpchroot 705List of normal users whose root directory should be changed via 706.Xr chroot 2 . 707.It Pa /etc/ftpd.conf 708Configure file conversions and other settings. 709.It Pa /etc/ftpusers 710List of unwelcome/restricted users. 711.It Pa /etc/ftpwelcome 712Welcome notice before login. 713.It Pa /etc/motd 714Welcome notice after login. 715.It Pa /etc/nologin 716If it exists, displayed and access is refused. 717.It Pa /var/run/ftpd.pids-CLASS 718State file of logged-in processes for the 719.Nm 720class 721.Sq CLASS . 722.It Pa /var/run/utmp 723List of logged-in users on the system. 724.It Pa /var/log/wtmp 725Login history database. 726.El 727.Sh SEE ALSO 728.Xr ftp 1 , 729.Xr skey 1 , 730.Xr who 1 , 731.Xr getusershell 3 , 732.Xr ftpchroot 5 , 733.Xr ftpd.conf 5 , 734.Xr ftpusers 5 , 735.Xr login.conf 5 , 736.Xr syslogd 8 737.Sh STANDARDS 738.Nm 739recognizes all commands in 740.Cm RFC 959 , 741follows the guidelines in 742.Cm RFC 1123 , 743recognizes all commands in 744.Cm RFC 2228 745(although they are not supported yet), 746and supports the extensions from 747.Cm RFC 2389 , 748.Cm RFC 2428 , 749and 750.Cm RFC 3659 . 751.Sh HISTORY 752The 753.Nm 754command appeared in 755.Bx 4.2 . 756.Pp 757Various features such as the 758.Xr ftpd.conf 5 759functionality, 760.Cm RFC 2389 , 761and 762.Cm RFC 3659 763support was implemented in 764.Nx 1.3 765and later releases by Luke Mewburn. 766.Sh BUGS 767The server must run as the super-user to create sockets with 768privileged port numbers (i.e, those less than 769.Dv IPPORT_RESERVED , 770which is 1024). 771If 772.Nm 773is listening on a privileged port 774it maintains an effective user id of the logged in user, reverting 775to the super-user only when binding addresses to privileged sockets. 776The 777.Fl r 778option can be used to override this behaviour and force privileges to 779be permanently revoked; see 780.Sx SECURITY CONSIDERATIONS 781below for more details. 782.Pp 783.Nm 784may have trouble handling connections from scoped IPv6 addresses, or 785IPv4 mapped addresses 786.Po 787IPv4 connection on 788.Dv AF_INET6 789socket 790.Pc . 791For the latter case, running two daemons, 792one for IPv4 and one for IPv6, will avoid the problem. 793.Sh SECURITY CONSIDERATIONS 794.Cm RFC 959 795provides no restrictions on the 796.Sy PORT 797command, and this can lead to security problems, as 798.Nm 799can be fooled into connecting to any service on any host. 800With the 801.Dq checkportcmd 802feature of the 803.Xr ftpd.conf 5 , 804.Sy PORT 805commands with different host addresses, or TCP ports lower than 806.Dv IPPORT_RESERVED 807will be rejected. 808This also prevents 809.Sq third-party proxy ftp 810from working. 811Use of this option is 812.Em strongly 813recommended, and enabled by default. 814.Pp 815By default 816.Nm 817uses a port that is one less than the port it is listening on to 818communicate back to the client for the 819.Sy EPRT , 820.Sy LPRT , 821and 822.Sy PORT 823commands, unless overridden with 824.Fl P Ar dataport . 825As the default port for 826.Nm 827(21) is a privileged port below 828.Dv IPPORT_RESERVED , 829.Nm 830retains the ability to switch back to root privileges to bind these 831ports. 832In order to increase security by reducing the potential for a bug in 833.Nm 834providing a remote root compromise, 835.Nm 836will permanently drop root privileges if one of the following is true: 837.Bl -enum -offset indent 838.It 839.Nm 840is running on a port greater than 841.Dv IPPORT_RESERVED 842and the user has logged in as a 843.Sq guest 844or 845.Sq chroot 846user. 847.It 848.Nm 849was invoked with 850.Fl r . 851.El 852.Pp 853Don't create 854.Pa ~ftp/tmp 855if you don't want anonymous users to upload files there. 856That directory is only necessary if you want to display the error 857messages of conversion commands to the user. 858Note that if uploads are disabled with the 859.Xr ftpd.conf 5 860directive 861.Sy upload , 862then this directory cannot be abused by the user in this way, so it 863should be safe to create. 864.Pp 865To avoid possible denial-of-service attacks, 866.Sy SIZE 867requests against files larger than 10240 bytes will be denied if 868the current transfer 869.Sy TYPE 870is 871.Sq Li A 872(ASCII). 873