.\" $NetBSD: ftpd.8,v 1.63 2000/12/18 02:32:51 lukem Exp $
.\"
.\" Copyright (c) 1997-2000 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Luke Mewburn.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"        This product includes software developed by the NetBSD
.\"        Foundation, Inc. and its contributors.
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
.\"    contributors may be used to endorse or promote products derived
.\"    from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Copyright (c) 1985, 1988, 1991, 1993
.\"    The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"        This product includes software developed by the University of
.\"        California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"    @(#)ftpd.8    8.2 (Berkeley) 4/19/94
.\"
.Dd December 18, 2000
.Dt FTPD 8
.Os
.Sh NAME
.Nm ftpd
.Nd
Internet File Transfer Protocol server
.Sh SYNOPSIS
.Nm
.Op Fl dHlqQrsuUwWX
.Op Fl a Ar anondir
.Op Fl c Ar confdir
.Op Fl C Ar user
.Op Fl e Ar emailaddr
.Op Fl h Ar hostname
.Op Fl P Ar dataport
.Op Fl V Ar version
.Sh DESCRIPTION
.Nm
is the Internet File Transfer Protocol server process.
The server uses the
.Tn TCP
protocol and listens at the port specified in the
.Dq ftp
service specification; see
.Xr services 5 .
.Pp
Available options:
.Bl -tag -width Ds
.It Fl a Ar anondir
Define
.Ar anondir
as the directory to
.Xr chroot 2
into for anonymous logins.
Default is the home directory for the ftp user.
This can also be specified with the
.Xr ftpd.conf 5
.Sy chroot
directive.
.It Fl c Ar confdir
Change the root directory of the configuration files from
.Dq Pa /etc
to
.Ar confdir .
This changes the directory for the following files:
.Pa /etc/ftpchroot ,
.Pa /etc/ftpusers ,
.Pa /etc/ftpwelcome ,
.Pa /etc/motd ,
and the file specified by the
.Xr ftpd.conf 5
.Sy limit
directive.
.It Fl C Ar user
Check whether
.Ar user
would be granted access under
the restrictions given in
.Xr ftpusers 5
and exit without attempting a connection.
.Nm
exits with an exit code of 0 if access would be granted, or 1 otherwise.
This can be useful for testing configurations.
.It Fl d
Debugging information is written to the syslog using a facility of
.Dv LOG_FTP .
.It Fl e Ar emailaddr
Use
.Ar emailaddr
for the
.Dq "\&%E"
escape sequence (see
.Sx Display file escape sequences ) .
.It Fl h Ar hostname
Explicitly set the hostname to advertise as to
.Ar hostname .
The default is the hostname associated with the IP address that
.Nm
is listening on.
This ability (with or without
.Fl h ) ,
in conjunction with
.Fl c Ar confdir ,
is useful when configuring
.Sq virtual
.Tn FTP
servers, each listening on separate addresses as separate names.
Refer to
.Xr inetd.conf 5
for more information on starting services to listen on specific IP addresses.
.It Fl H
Equivalent to
.Do
-h
`hostname`
.Dc .
.It Fl l
Each successful and failed
.Tn FTP
session is logged using syslog with a facility of
.Dv LOG_FTP .
If this option is specified more than once, the retrieve (get), store (put),
append, delete, make directory, remove directory and rename operations and
their file name arguments are also logged.
.It Fl P Ar dataport
Use
.Ar dataport
as the data port, overriding the default of using the port one less
than the port
.Nm
is listening on.
.It Fl q
Enable the use of pid files for keeping track of the number of logged-in
users per class.
This is the default.
.It Fl Q
Disable the use of pid files for keeping track of the number of logged-in
users per class.
This may reduce the load on heavily loaded
.Tn FTP
servers.
.It Fl r
Permanently drop root privileges once the user is logged in.
The use of this option may result in the server using a port other
than the (listening-port - 1) for
.Sy PORT
style commands, which is contrary to the
.Cm RFC 959
specification, but in practice very few clients rely upon this behaviour.
See
.Sx SECURITY CONSIDERATIONS
below for more details.
.It Fl s
Require a secure authentication mechanism like Kerberos or S/Key to be used.
.It Fl u
Log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp ,
making them visible to commands such as
.Xr who 1 .
.It Fl U
Don't log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp .
This is the default.
.It Fl V Ar version
Use
.Ar version
as the version to advertise in the login banner and in the output of
.Sy STAT
and
.Sy SYST
instead of the default version information.
If
.Ar version
is empty or
.Sq - ,
then don't display any version information.
.It Fl w
Log each
.Tn FTP
session to
.Pa /var/log/wtmp ,
making them visible to commands such as
.Xr last 1 .
This is the default.
.It Fl W
Don't log each
.Tn FTP
session to
.Pa /var/log/wtmp .
.It Fl X
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to the syslog, prefixed with
.Dq "xferlog:\ " ,
using a facility of
.Dv LOG_FTP .
These syslog entries can be converted to a
.Tn wu-ftpd
style
.Pa xferlog
file suitable for input into a third-party log analysis tool with a command
similar to:
.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
.Dl "\ \ \ sed -e 's/^.*xferlog: //' > wuxferlog"
.El
.Pp
The file
.Pa /etc/nologin
can be used to disable
.Tn FTP
access.
If the file exists,
.Nm
displays it and exits.
If the file
.Pa /etc/ftpwelcome
exists,
.Nm
prints it before issuing the
.Dq ready
message.
If the file
.Pa /etc/motd
exists (under the chroot directory if applicable),
.Nm
prints it after a successful login.
This may be changed with the
.Xr ftpd.conf 5
directive
.Sy motd .
.Pp
The
.Nm
server currently supports the following
.Tn FTP
requests.
The case of the requests is ignored.
.Bl -column "Request" -offset indent
.It Sy Request Ta Sy Description
.It ABOR Ta "abort previous command"
.It ACCT Ta "specify account (ignored)"
.It ALLO Ta "allocate storage (vacuously)"
.It APPE Ta "append to a file"
.It CDUP Ta "change to parent of current working directory"
.It CWD Ta "change working directory"
.It DELE Ta "delete a file"
.It EPSV Ta "prepare for server-to-server transfer"
.It EPRT Ta "specify data connection port"
.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
.It HELP Ta "give help information"
.It LIST Ta "list files in a directory" Pq Dq Li "ls -lA"
.It LPSV Ta "prepare for server-to-server transfer"
.It LPRT Ta "specify data connection port"
.It MLSD Ta "list contents of directory in a machine-processable form"
.It MLST Ta "show a pathname in a machine-processable form"
.It MKD Ta "make a directory"
.It MDTM Ta "show last modification time of file"
.It MODE Ta "specify data transfer" Em mode
.It NLST Ta "give name list of files in directory"
.It NOOP Ta "do nothing"
.It OPTS Ta "define persistent options for a given command"
.It PASS Ta "specify password"
.It PASV Ta "prepare for server-to-server transfer"
.It PORT Ta "specify data connection port"
.It PWD Ta "print the current working directory"
.It QUIT Ta "terminate session"
.It REST Ta "restart incomplete transfer"
.It RETR Ta "retrieve a file"
.It RMD Ta "remove a directory"
.It RNFR Ta "specify rename-from file name"
.It RNTO Ta "specify rename-to file name"
.It SITE Ta "non-standard commands (see next section)"
.It SIZE Ta "return size of file"
.It STAT Ta "return status of server"
.It STOR Ta "store a file"
.It STOU Ta "store a file with a unique name"
.It STRU Ta "specify data transfer" Em structure
.It SYST Ta "show operating system type of server system"
.It TYPE Ta "specify data transfer" Em type
.It USER Ta "specify user name"
.It XCUP Ta "change to parent of current working directory (deprecated)"
.It XCWD Ta "change working directory (deprecated)"
.It XMKD Ta "make a directory (deprecated)"
.It XPWD Ta "print the current working directory (deprecated)"
.It XRMD Ta "remove a directory (deprecated)"
.El
.Pp
The following non-standard or
.Ux
specific commands are supported by the SITE request.
.Pp
.Bl -column Request -offset indent
.It Sy Request Ta Sy Description
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
.It HELP Ta "give help information."
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
.El
.Pp
The following
.Tn FTP
requests (as specified in
.Cm RFC 959 )
are recognized, but are not implemented:
.Sy ACCT ,
.Sy SMNT ,
and
.Sy REIN .
.Sy MDTM
and
.Sy SIZE
are not specified in
.Cm RFC 959 ,
but will appear in the
next updated
.Tn FTP
RFC.
.Pp
The
.Nm
server will abort an active file transfer only when the
.Sy ABOR
command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
as described in Internet
.Cm RFC 959 .
If a
.Sy STAT
command is received during a data transfer, preceded by a Telnet IP
and Synch, transfer status will be returned.
.Pp
.Nm
interprets file names according to the
.Dq globbing
conventions used by
.Xr csh 1 .
This allows users to utilize the metacharacters
.Dq Li \&*?[]{}~ .
.Sh User authentication
.Pp
.Nm
authenticates users according to five rules.
.Pp
.Bl -enum -offset indent
.It
The login name must be in the password data base,
.Pa /etc/pwd.db ,
and not have a null password.
In this case a password must be provided by the client before any
file operations may be performed.
If the user has an S/Key key, the response from a successful
.Sy USER
command will include an S/Key challenge.
The client may choose to respond with a
.Sy PASS
command giving either
a standard password or an S/Key one-time password.
The server will automatically determine which type of password it
has been given and attempt to authenticate accordingly.
See
.Xr skey 1
for more information on S/Key authentication.
S/Key is a Trademark of Bellcore.
.It
The login name must be allowed based on the information in
.Xr ftpusers 5 .
.It
The user must have a standard shell returned by
.Xr getusershell 3 .
If the user's shell field in the password database is empty, the
shell is assumed to be
.Pa /bin/sh .
.It
If directed by the file
.Xr ftpchroot 5
the session's root directory will be changed by
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
or to the home directory of the user.
However, the user must still supply a password.
This feature is intended as a compromise between a fully anonymous account
and a fully privileged account.
The account should also be set up as for an anonymous account.
.It
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
anonymous
.Tn FTP
account must be present in the password
file (user
.Dq ftp ) .
In this case the user is allowed
to log in by specifying any password (by convention an email address for
the user should be used as the password).
.Pp
The server performs a
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
the
.Fl a Ar anondir
directory (if set),
or to the home directory of the
.Dq ftp
user.
.Pp
The server then performs a
.Xr chdir 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy homedir
directive (if set), otherwise to
.Pa / .
.Pp
If other restrictions are required (such as disabling of certain
commands and the setting of a specific umask), then appropriate
entries in
.Xr ftpd.conf 5
are required.
.Pp
If the first character of the password supplied by an anonymous user
is
.Dq - ,
then the verbose messages displayed at login and upon a
.Sy CWD
command are suppressed.
.El
.Sh Display file escape sequences
.Pp
When
.Nm
displays various files back to the client (such as
.Pa /etc/ftpwelcome
and
.Pa /etc/motd ) ,
various escape strings are replaced with information pertinent
to the current connection.
.Pp
The supported escape strings are:
.Bl -tag -width "Escape" -offset indent -compact
.It Sy "Escape"
.Sy Description
.It "\&%c"
Class name.
.It "\&%C"
Current working directory.
.It "\&%E"
Email address given with
.Fl e .
.It "\&%L"
Local hostname.
.It "\&%M"
Maximum number of users for this class.
Displays
.Dq unlimited
if there's no limit.
.It "\&%N"
Current number of users for this class.
.It "\&%R"
Remote hostname.
.It "\&%s"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq s .
.It "\&%S"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq S .
.It "\&%T"
Current time.
.It "\&%U"
User name.
.It "\&%\&%"
A
.Dq \&%
character.
.El
.Sh Setting up a restricted ftp subtree
.Pp
In order that system security is not breached, it is recommended
that the
subtrees for the
.Dq ftp
and
.Dq chroot
accounts be constructed with care, following these rules
(replace
.Dq ftp
in the following directory names
with the appropriate account name for
.Sq chroot
users):
.Bl -tag -width "~ftp/incoming" -offset indent
.It Pa ~ftp
Make the home directory owned by
.Dq root
and unwritable by anyone.
.It Pa ~ftp/bin
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
Generally any conversion commands should be installed
here (mode 111).
.It Pa ~ftp/etc
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
The files
.Pa pwd.db
(see
.Xr passwd 5 )
and
.Pa group
(see
.Xr group 5 )
must be present for the
.Sy LIST
command to be able to display owner and group names instead of numbers.
The password field in
.Xr passwd 5
is not used, and should not contain real passwords.
The file
.Pa motd ,
if present, will be printed after a successful login.
These files should be mode 444.
.It Pa ~ftp/pub
This directory and the subdirectories beneath it should be owned
by the users and groups responsible for placing files in them,
and be writable only by them (mode 755 or 775).
They should
.Em not
be owned or writable by ftp or its group.
.It Pa ~ftp/incoming
This directory is where anonymous users place files they upload.
The owners should be the user
.Dq ftp
and an appropriate group.
Members of this group will be the only users with access to these
files after they have been uploaded; these should be people who
know how to deal with them appropriately.
If you wish anonymous
.Tn FTP
users to be able to see the names of the
files in this directory the permissions should be 770, otherwise
they should be 370.
.Pp
The following
.Xr ftpd.conf 5
directives should be used:
.Dl "modify guest off"
.Dl "umask guest 0707"
.Pp
This will result in anonymous users being able to upload files to this
directory, but they will not be able to download them, delete them, or
overwrite them, due to the umask and disabling of the commands mentioned
above.
.It Pa ~ftp/tmp
This directory is used to create temporary files which contain
the error messages generated by a conversion or
.Sy LIST
command.
The owner should be the user
.Dq ftp .
The permissions should be 300.
.Pp
If you don't enable conversion commands, or don't want anonymous users
uploading files here (see
.Pa ~ftp/incoming
above), then don't create this directory.
However, error messages from conversion or
.Sy LIST
commands won't be returned to the user.
(This is the traditional behaviour.)
Note that the
.Xr ftpd.conf 5
directive
.Sy upload
can be used to prevent users uploading here.
.El
.Pp
To set up "ftp-only" accounts that provide only
.Tn FTP ,
but no valid shell
login, you can copy/link
.Pa /sbin/nologin
to
.Pa /sbin/ftplogin ,
and enter
.Pa /sbin/ftplogin
to
.Pa /etc/shells
to allow logging-in via
.Tn FTP
into the accounts, which must have
.Pa /sbin/ftplogin
as login shell.
.Sh FILES
.Bl -tag -width /etc/ftpwelcome -compact
.It Pa /etc/ftpchroot
List of normal users who should be
.Xr chroot 2 ed.
.It Pa /etc/ftpd.conf
Configure file conversions and other settings.
.It Pa /etc/ftpusers
List of unwelcome/restricted users.
.It Pa /etc/ftpwelcome
Welcome notice before login.
.It Pa /etc/motd
Welcome notice after login.
.It Pa /etc/nologin
If it exists, displayed and access is refused.
.It Pa /var/run/ftpd.pids-CLASS
State file of logged-in processes for the
.Nm
class
.Sq CLASS .
.It Pa /var/run/utmp
List of logged-in users on the system.
.It Pa /var/log/wtmp
Login history database.
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr skey 1 ,
.Xr who 1 ,
.Xr getusershell 3 ,
.Xr ftpd.conf 5 ,
.Xr ftpchroot 5 ,
.Xr ftpusers 5 ,
.Xr syslogd 8
.Sh STANDARDS
.Nm
recognizes all commands in
.Cm RFC 959 ,
follows the guidelines in
.Cm RFC 1123 ,
recognizes all commands in
.Cm RFC 2228
(although they are not supported yet),
and supports the extensions from
.Cm RFC 2389 ,
.Cm RFC 2428
and
.Cm draft-ietf-ftpext-mlst-11 .
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Pp
Various features such as the
.Xr ftpd.conf 5
functionality,
.Cm RFC 2389 ,
and
.Cm draft-ietf-ftpext-mlst-11
support were implemented in
.Nx 1.3
and later releases by Luke Mewburn <lukem@netbsd.org>.
.Sh BUGS
The server must run as the super-user to create sockets with
privileged port numbers (i.e., those less than
.Dv IPPORT_RESERVED ,
which is 1024).
If
.Nm
is listening on a privileged port
it maintains an effective user id of the logged in user, reverting
to the super-user only when binding addresses to privileged sockets.
The
.Fl r
option can be used to override this behaviour and force privileges to
be permanently revoked; see
.Sx SECURITY CONSIDERATIONS
below for more details.
.Pp
.Nm
may have trouble handling connections from scoped IPv6 addresses, or
IPv4 mapped addresses
.Po
IPv4 connection on
.Dv AF_INET6
socket
.Pc .
For the latter case, running two daemons,
one for IPv4 and one for IPv6, will avoid the problem.
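.Pp
The following is an added example, not code from ftpd or NetBSD: a small expander for the escape strings listed under Display file escape sequences, so the effect of a candidate /etc/ftpwelcome or /etc/motd line (including the %s/%S rule, which depends on the most recent %M or %N) can be previewed before the file is installed. The connection values come from environment variables whose names (FTPD_CLASS, FTPD_CWD, FTPD_EMAIL, FTPD_LOCALHOST, FTPD_MAXUSERS, FTPD_CURUSERS, FTPD_REMOTEHOST, FTPD_TIME, FTPD_USER) and defaults are this example's own convention; ftpd fills them from the live session. Unknown escapes are passed through unchanged, which is an assumption of the example, not documented ftpd behaviour.

```shell
#!/bin/sh
# Added example, not ftpd's own code: expand the escape strings that ftpd(8)
# substitutes when it displays /etc/ftpwelcome or /etc/motd.  Values are read
# from FTPD_* environment variables (this example's convention, with
# constructed defaults); ftpd takes them from the live connection instead.

# Usage: expand_ftpd_escapes TEMPLATE
# Prints TEMPLATE with %c %C %E %L %M %N %R %s %S %T %U and %% replaced.
expand_ftpd_escapes() {
    printf '%s\n' "$1" | awk \
        -v cls="${FTPD_CLASS:-guest}" \
        -v cwd="${FTPD_CWD:-/}" \
        -v email="${FTPD_EMAIL:-ftp-bugs@example.com}" \
        -v lhost="${FTPD_LOCALHOST:-ftp.example.com}" \
        -v maxu="${FTPD_MAXUSERS:-unlimited}" \
        -v curu="${FTPD_CURUSERS:-1}" \
        -v rhost="${FTPD_REMOTEHOST:-client.example.net}" \
        -v tm="${FTPD_TIME:-$(date)}" \
        -v usr="${FTPD_USER:-anonymous}" '
    BEGIN { last = "" }      # result of the most recent %M or %N
    {
        out = ""
        n = length($0)
        for (i = 1; i <= n; i++) {
            ch = substr($0, i, 1)
            # A lone % at end of line is literal.
            if (ch != "%" || i == n) { out = out ch; continue }
            i++
            e = substr($0, i, 1)
            if      (e == "c") out = out cls
            else if (e == "C") out = out cwd
            else if (e == "E") out = out email
            else if (e == "L") out = out lhost
            else if (e == "M") { out = out maxu; last = maxu }
            else if (e == "N") { out = out curu; last = curu }
            else if (e == "R") out = out rhost
            else if (e == "s") { if (last != "1") out = out "s" }
            else if (e == "S") { if (last != "1") out = out "S" }
            else if (e == "T") out = out tm
            else if (e == "U") out = out usr
            else if (e == "%") out = out "%"
            else out = out "%" e   # unknown escape: passed through (assumption)
        }
        print out
    }'
}

# Constructed demo: a welcome line as a site might write it, previewed with
# three users logged in against a limit of ten.
(
    FTPD_CURUSERS=3; FTPD_MAXUSERS=10
    export FTPD_CURUSERS FTPD_MAXUSERS
    expand_ftpd_escapes 'Welcome to %L.  %N user%s logged in, limit %M (you are %U from %R).'
)
```

The awk loop walks the line one character at a time, so "%%" and a trailing "%" are handled without any regular-expression escaping, and the %s/%S state is kept across lines of a multi-line file, matching the "most recent %M or %N" wording of the table.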
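.Pp
The directory rules under Setting up a restricted ftp subtree are easy to get subtly wrong (a 775 where 770 was meant, a ~ftp/tmp left world-readable). The following script, added here as an example and not part of ftpd or NetBSD, audits an existing subtree against those rules. It compares ls(1) permission strings rather than octal modes so that it needs no non-portable stat(1) options, and it takes the account expected to own ~ftp, ~ftp/bin and ~ftp/etc (default root) and the ftp account name (default ftp) as arguments so that it can also be exercised by an ordinary user on a scratch tree. The function names (audit_ftp_subtree, check_path, perm_of, owner_of, finding) are this example's own.

```shell
#!/bin/sh
# Added example; not part of ftpd(8) or NetBSD.  Audit an anonymous-ftp
# subtree against the rules in "Setting up a restricted ftp subtree".
# Usage: audit_ftp_subtree ~ftp [owner-for-root-dirs] [ftp-account]

AUDIT_FINDINGS=0

# Nine permission characters of a path, e.g. "r-xr-xr-x" for mode 555.
perm_of() { ls -ld "$1" | cut -c2-10; }

# Owner name of a path (third field of ls -ld).
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# Record one finding.
finding() { AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)); echo "FAIL: $*"; }

# check_path PATH "PERM [PERM...]" [OWNER]: PATH must have one of the listed
# permission strings and, when OWNER is given, be owned by OWNER.
check_path() {
    cp_path=$1; cp_want=$2; cp_owner=$3
    cp_perm=$(perm_of "$cp_path")
    case " $cp_want " in
        *" $cp_perm "*) ;;
        *) finding "$cp_path: mode $cp_perm, expected one of: $cp_want" ;;
    esac
    if [ -n "$cp_owner" ] && [ "$(owner_of "$cp_path")" != "$cp_owner" ]; then
        finding "$cp_path: owner $(owner_of "$cp_path"), expected $cp_owner"
    fi
}

audit_ftp_subtree() {
    root=$1; sysowner=${2:-root}; ftpuser=${3:-ftp}
    AUDIT_FINDINGS=0
    if [ ! -d "$root" ]; then finding "$root: not a directory"; return 1; fi

    # ~ftp: owned by root and unwritable by anyone (no w bit at all).
    case $(perm_of "$root") in
        *w*) finding "$root: writable, expected unwritable by anyone" ;;
    esac
    if [ "$(owner_of "$root")" != "$sysowner" ]; then
        finding "$root: owner $(owner_of "$root"), expected $sysowner"
    fi

    # ~ftp/bin and ~ftp/etc: root-owned, mode 555; the etc files mode 444.
    if [ -d "$root/bin" ]; then check_path "$root/bin" "r-xr-xr-x" "$sysowner"; fi
    if [ -d "$root/etc" ]; then
        check_path "$root/etc" "r-xr-xr-x" "$sysowner"
        for f in pwd.db group motd; do
            if [ -f "$root/etc/$f" ]; then
                check_path "$root/etc/$f" "r--r--r--" "$sysowner"
            fi
        done
    fi

    # ~ftp/pub and every directory beneath it: 755 or 775, never owned by ftp.
    if [ -d "$root/pub" ]; then
        while IFS= read -r d; do
            check_path "$d" "rwxr-xr-x rwxrwxr-x"
            if [ "$(owner_of "$d")" = "$ftpuser" ]; then
                finding "$d: owned by $ftpuser"
            fi
        done <<EOF
$(find "$root/pub" -type d)
EOF
    fi

    # ~ftp/incoming: ftp-owned, 770 (names listable) or 370 (blind drop).
    if [ -d "$root/incoming" ]; then
        check_path "$root/incoming" "rwxrwx--- -wxrwx---" "$ftpuser"
    fi
    # ~ftp/tmp: ftp-owned, 300; only needed for conversion/LIST error output.
    if [ -d "$root/tmp" ]; then check_path "$root/tmp" "-wx------" "$ftpuser"; fi

    echo "audit of $root: $AUDIT_FINDINGS finding(s)"
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Run the audit when invoked with a path, e.g.: sh audit.sh /home/ftp
if [ $# -gt 0 ]; then
    audit_ftp_subtree "$@"
fi
```

The audit returns non-zero and leaves the number of problems in AUDIT_FINDINGS, so it can run from cron or a configuration-management check. It does not inspect the contents of ~ftp/etc/pwd.db for real password hashes; that check still has to be done by hand.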
.Sh SECURITY CONSIDERATIONS
.Cm RFC 959
provides no restrictions on the
.Sy PORT
command, and this can lead to security problems, as
.Nm
can be fooled into connecting to any service on any host.
With the
.Dq checkportcmd
feature of
.Xr ftpd.conf 5 ,
.Sy PORT
commands with different host addresses, or TCP ports lower than
.Dv IPPORT_RESERVED
will be rejected.
This also prevents
.Sq third-party proxy ftp
from working.
Use of this option is
.Em strongly
recommended, and enabled by default.
.Pp
By default
.Nm
uses a port that is one less than the port it is listening on to
communicate back to the client for the
.Sy EPRT ,
.Sy LPRT ,
and
.Sy PORT
commands, unless overridden with
.Fl P Ar dataport .
As the default port for
.Nm
(21) is a privileged port below
.Dv IPPORT_RESERVED ,
.Nm
retains the ability to switch back to root privileges to bind these
ports.
In order to increase security by reducing the potential for a bug in
.Nm
providing a remote root compromise,
.Nm
will permanently drop root privileges if one of the following is true:
.Bl -enum -offset indent
.It
.Nm
is running on a port greater than
.Dv IPPORT_RESERVED
and the user has logged in as a
.Sq guest
or
.Sq chroot
user.
.It
.Nm
was invoked with
.Fl r .
.El
.Pp
Don't create
.Pa ~ftp/tmp
if you don't want anonymous users to upload files there.
That directory is only necessary if you want to display the error
messages of conversion commands to the user.
Note that if uploads are disabled with the
.Xr ftpd.conf 5
directive
.Sy upload ,
then this directory cannot be abused by the user in this way, so it
should be safe to create.
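.Pp
The checkportcmd rule above is simple to state but worth seeing applied to concrete PORT arguments. The following is an added example, not ftpd's own code: it parses the RFC 959 PORT argument form h1,h2,h3,h4,p1,p2 (port = p1*256 + p2), then accepts it only when the address equals the client's control-connection address and the port is not below IPPORT_RESERVED (1024), which is exactly what makes third-party proxy ftp stop working. The function name check_port_cmd and the client and PORT values in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example; not ftpd's own code.  Models the checkportcmd decision from
# SECURITY CONSIDERATIONS for a single PORT argument.

IPPORT_RESERVED=1024

# Usage: check_port_cmd CLIENT_ADDR PORT_ARG
# Prints "accept: ADDR:PORT" or "reject: REASON"; returns 0 or 1 to match.
check_port_cmd() {
    client=$1; arg=$2
    # Syntax: six comma-separated decimal fields, each in 0..255.
    case $arg in
        ''|*[!0-9,]*|*,,*|,*|*,) echo "reject: malformed PORT argument"; return 1 ;;
    esac
    set -- $(printf '%s' "$arg" | tr ',' ' ')
    if [ $# -ne 6 ]; then echo "reject: expected 6 fields, got $#"; return 1; fi
    for f in "$@"; do
        if [ "$f" -gt 255 ]; then echo "reject: field $f out of range"; return 1; fi
    done
    addr="$1.$2.$3.$4"
    # awk does the arithmetic so that a field such as "08" is read as decimal.
    port=$(awk -v a="$5" -v b="$6" 'BEGIN { print a * 256 + b }')
    # Rule 1: the data connection must go back to the client itself; this is
    # what blocks bouncing a transfer off the server to a third host.
    if [ "$addr" != "$client" ]; then
        echo "reject: address $addr differs from client $client"; return 1
    fi
    # Rule 2: no data connections to privileged ports on the client.
    if [ "$port" -lt "$IPPORT_RESERVED" ]; then
        echo "reject: port $port below $IPPORT_RESERVED"; return 1
    fi
    echo "accept: $addr:$port"
}

# Constructed demo: a client at 192.0.2.10 sends three PORT arguments.
for arg in 192,0,2,10,4,1 192,0,2,10,0,80 198,51,100,5,4,1; do
    echo "PORT $arg -> $(check_port_cmd 192.0.2.10 "$arg" || true)"
done
```

The same two rules apply to EPRT and LPRT; only the address and port syntax of the argument differs, so the parsing step is the part that would change.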