.\" $NetBSD: ftpd.8,v 1.78 2007/06/10 20:24:31 christos Exp $
.\"
.\" Copyright (c) 1997-2007 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Luke Mewburn.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"        This product includes software developed by the NetBSD
.\"        Foundation, Inc. and its contributors.
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
.\"    contributors may be used to endorse or promote products derived
.\"    from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Copyright (c) 1985, 1988, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)ftpd.8	8.2 (Berkeley) 4/19/94
.\"
.Dd June 10, 2007
.Dt FTPD 8
.Os
.Sh NAME
.Nm ftpd
.Nd
Internet File Transfer Protocol server
.Sh SYNOPSIS
.Nm
.Op Fl 46DdHlnQqrsUuWwX
.Op Fl a Ar anondir
.Op Fl C Ar user
.Op Fl c Ar confdir
.Op Fl e Ar emailaddr
.Op Fl h Ar hostname
.Op Fl L Ar xferlogfile
.Op Fl P Ar dataport
.Op Fl V Ar version
.Sh DESCRIPTION
.Nm
is the Internet File Transfer Protocol server process.
The server uses the
.Tn TCP
protocol and listens at the port specified in the
.Dq ftp
service specification; see
.Xr services 5 .
.Pp
Available options:
.Bl -tag -width Ds
.It Fl 4
When
.Fl D
is specified, bind to IPv4 addresses only.
.It Fl 6
When
.Fl D
is specified, bind to IPv6 addresses only.
.It Fl a Ar anondir
Define
.Ar anondir
as the directory to
.Xr chroot 2
into for anonymous logins.
Default is the home directory for the ftp user.
This can also be specified with the
.Xr ftpd.conf 5
.Sy chroot
directive.
.It Fl C Ar user
Check whether
.Ar user
would be granted access under
the restrictions given in
.Xr ftpusers 5
and exit without attempting a connection.
.Nm
exits with an exit code of 0 if access would be granted, or 1 otherwise.
This can be useful for testing configurations.
.It Fl c Ar confdir
Change the root directory of the configuration files from
.Dq Pa /etc
to
.Ar confdir .
This changes the directory for the following files:
.Pa /etc/ftpchroot ,
.Pa /etc/ftpusers ,
.Pa /etc/ftpwelcome ,
.Pa /etc/motd ,
and the file specified by the
.Xr ftpd.conf 5
.Sy limit
directive.
.It Fl D
Run as daemon.
.Nm
will listen on the default FTP port for incoming connections
and fork a child for each connection.
This is lower overhead than starting
.Nm
from
.Xr inetd 8
and thus might be useful on busy servers to reduce load.
.It Fl d
Debugging information is written to the syslog using a facility of
.Dv LOG_FTP .
.It Fl e Ar emailaddr
Use
.Ar emailaddr
for the
.Dq "\&%E"
escape sequence (see
.Sx Display file escape sequences ) .
.It Fl H
Equivalent to
.Do
-h
`hostname`
.Dc .
.It Fl h Ar hostname
Explicitly set the hostname to advertise as to
.Ar hostname .
The default is the hostname associated with the IP address that
.Nm
is listening on.
This ability (with or without
.Fl h ) ,
in conjunction with
.Fl c Ar confdir ,
is useful when configuring
.Sq virtual
.Tn FTP
servers, each listening on separate addresses as separate names.
Refer to
.Xr inetd.conf 5
for more information on starting services to listen on specific IP addresses.
.It Fl L Ar xferlogfile
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to
.Ar xferlogfile .
.It Fl l
Each successful and failed
.Tn FTP
session is logged using syslog with a facility of
.Dv LOG_FTP .
If this option is specified more than once, the retrieve (get), store (put),
append, delete, make directory, remove directory and rename operations and
their file name arguments are also logged.
.It Fl n
Don't attempt translation of IP addresses to hostnames.
.It Fl P Ar dataport
Use
.Ar dataport
as the data port, overriding the default of using the port one less
than the port
.Nm
is listening on.
.It Fl Q
Disable the use of pid files for keeping track of the number of logged-in
users per class.
This may reduce the load on heavily loaded
.Tn FTP
servers.
.It Fl q
Enable the use of pid files for keeping track of the number of logged-in
users per class.
This is the default.
.It Fl r
Permanently drop root privileges once the user is logged in.
The use of this option may result in the server using a port other
than the (listening-port - 1) for
.Sy PORT
style commands, which is contrary to the
.Cm RFC 959
specification, but in practice very few clients rely upon this behaviour.
See
.Sx SECURITY CONSIDERATIONS
below for more details.
.It Fl s
Require a secure authentication mechanism like Kerberos or S/Key to be used.
.It Fl U
Don't log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp .
This is the default.
.It Fl u
Log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp ,
making them visible to commands such as
.Xr who 1 .
.It Fl V Ar version
Use
.Ar version
as the version to advertise in the login banner and in the output of
.Sy STAT
and
.Sy SYST
instead of the default version information.
If
.Ar version
is empty or
.Sq -
then don't display any version information.
.It Fl W
Don't log each
.Tn FTP
session to
.Pa /var/log/wtmp .
.It Fl w
Log each
.Tn FTP
session to
.Pa /var/log/wtmp ,
making them visible to commands such as
.Xr last 1 .
This is the default.
.It Fl X
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to the syslog, prefixed with
.Dq "xferlog:\ " ,
using a facility of
.Dv LOG_FTP .
These syslog entries can be converted to a
.Tn wu-ftpd
style
.Pa xferlog
file suitable for input into a third-party log analysis tool with a command
similar to:
.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
.El
.Pp
The file
.Pa /etc/nologin
can be used to disable
.Tn FTP
access.
If the file exists,
.Nm
displays it and exits.
If the file
.Pa /etc/ftpwelcome
exists,
.Nm
prints it before issuing the
.Dq ready
message.
If the file
.Pa /etc/motd
exists (under the chroot directory if applicable),
.Nm
prints it after a successful login.
This may be changed with the
.Xr ftpd.conf 5
directive
.Sy motd .
.Pp
The
.Nm
server currently supports the following
.Tn FTP
requests.
The case of the requests is ignored.
.Bl -column "Request" -offset indent
.It Sy Request Ta Sy Description
.It ABOR Ta "abort previous command"
.It ACCT Ta "specify account (ignored)"
.It ALLO Ta "allocate storage (vacuously)"
.It APPE Ta "append to a file"
.It CDUP Ta "change to parent of current working directory"
.It CWD Ta "change working directory"
.It DELE Ta "delete a file"
.It EPSV Ta "prepare for server-to-server transfer"
.It EPRT Ta "specify data connection port"
.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
.It HELP Ta "give help information"
.It LIST Ta "list files in a directory" Pq Dq Li "ls -lA"
.It LPSV Ta "prepare for server-to-server transfer"
.It LPRT Ta "specify data connection port"
.It MLSD Ta "list contents of directory in a machine-processable form"
.It MLST Ta "show a pathname in a machine-processable form"
.It MKD Ta "make a directory"
.It MDTM Ta "show last modification time of file"
.It MODE Ta "specify data transfer" Em mode
.It NLST Ta "give name list of files in directory"
.It NOOP Ta "do nothing"
.It OPTS Ta "define persistent options for a given command"
.It PASS Ta "specify password"
.It PASV Ta "prepare for server-to-server transfer"
.It PORT Ta "specify data connection port"
.It PWD Ta "print the current working directory"
.It QUIT Ta "terminate session"
.It REST Ta "restart incomplete transfer"
.It RETR Ta "retrieve a file"
.It RMD Ta "remove a directory"
.It RNFR Ta "specify rename-from file name"
.It RNTO Ta "specify rename-to file name"
.It SITE Ta "non-standard commands (see next section)"
.It SIZE Ta "return size of file"
.It STAT Ta "return status of server"
.It STOR Ta "store a file"
.It STOU Ta "store a file with a unique name"
.It STRU Ta "specify data transfer" Em structure
.It SYST Ta "show operating system type of server system"
.It TYPE Ta "specify data transfer" Em type
.It USER Ta "specify user name"
.It XCUP Ta "change to parent of current working directory (deprecated)"
.It XCWD Ta "change working directory (deprecated)"
.It XMKD Ta "make a directory (deprecated)"
.It XPWD Ta "print the current working directory (deprecated)"
.It XRMD Ta "remove a directory (deprecated)"
.El
.Pp
The following non-standard or
.Ux
specific commands are supported by the SITE request.
.Pp
.Bl -column Request -offset indent
.It Sy Request Ta Sy Description
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
.It HELP Ta "give help information"
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
.El
.Pp
The following
.Tn FTP
requests (as specified in
.Cm RFC 959 )
are recognized, but are not implemented:
.Sy ACCT ,
.Sy SMNT ,
and
.Sy REIN .
.Sy MDTM
and
.Sy SIZE
are not specified in
.Cm RFC 959 ,
but will appear in the
next updated
.Tn FTP
RFC.
.Pp
The
.Nm
server will abort an active file transfer only when the
.Sy ABOR
command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
as described in Internet
.Cm RFC 959 .
If a
.Sy STAT
command is received during a data transfer, preceded by a Telnet IP
and Synch, transfer status will be returned.
.Pp
.Nm
interprets file names according to the
.Dq globbing
conventions used by
.Xr csh 1 .
This allows users to use the metacharacters
.Dq Li \&*?[]{}~ .
.Ss User authentication
.Nm
authenticates users according to five rules.
.Pp
.Bl -enum -offset indent
.It
The login name must be in the password data base,
.Pa /etc/pwd.db ,
and not have a null password.
In this case a password must be provided by the client before any
file operations may be performed.
If the user has an S/Key key, the response from a successful
.Sy USER
command will include an S/Key challenge.
The client may choose to respond with a
.Sy PASS
command giving either
a standard password or an S/Key one-time password.
The server will automatically determine which type of password it
has been given and attempt to authenticate accordingly.
See
.Xr skey 1
for more information on S/Key authentication.
S/Key is a Trademark of Bellcore.
.It
The login name must be allowed based on the information in
.Xr ftpusers 5 .
.It
The user must have a standard shell returned by
.Xr getusershell 3 .
If the user's shell field in the password database is empty, the
shell is assumed to be
.Pa /bin/sh .
As per
.Xr shells 5 ,
the user's shell must be listed with full path in
.Pa /etc/shells .
.It
If directed by the file
.Xr ftpchroot 5
the session's root directory will be changed by
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
or to the home directory of the user.
However, the user must still supply a password.
This feature is intended as a compromise between a fully anonymous account
and a fully privileged account.
The account should also be set up as for an anonymous account.
.It
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
anonymous
.Tn FTP
account must be present in the password
file (user
.Dq ftp ) .
In this case the user is allowed
to log in by specifying any password (by convention an email address for
the user should be used as the password).
.Pp
The server performs a
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
the
.Fl a Ar anondir
directory (if set),
or to the home directory of the
.Dq ftp
user.
.Pp
The server then performs a
.Xr chdir 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy homedir
directive (if set), otherwise to
.Pa / .
.Pp
If other restrictions are required (such as disabling of certain
commands and the setting of a specific umask), then appropriate
entries in
.Xr ftpd.conf 5
are required.
.Pp
If the first character of the password supplied by an anonymous user
is
.Dq - ,
then the verbose messages displayed at login and upon a
.Sy CWD
command are suppressed.
.El
.Ss Display file escape sequences
When
.Nm
displays various files back to the client (such as
.Pa /etc/ftpwelcome
and
.Pa /etc/motd ) ,
various escape strings are replaced with information pertinent
to the current connection.
.Pp
The supported escape strings are:
.Bl -tag -width "Escape" -offset indent -compact
.It Sy "Escape"
.Sy Description
.It "\&%c"
Class name.
.It "\&%C"
Current working directory.
.It "\&%E"
Email address given with
.Fl e .
.It "\&%L"
Local hostname.
.It "\&%M"
Maximum number of users for this class.
Displays
.Dq unlimited
if there's no limit.
.It "\&%N"
Current number of users for this class.
.It "\&%R"
Remote hostname.
.It "\&%s"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq s .
.It "\&%S"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq S .
.It "\&%T"
Current time.
.It "\&%U"
User name.
.It "\&%\&%"
A
.Dq \&%
character.
.El
.Ss Setting up a restricted ftp subtree
In order that system security is not breached, it is recommended
that the
subtrees for the
.Dq ftp
and
.Dq chroot
accounts be constructed with care, following these rules
(replace
.Dq ftp
in the following directory names
with the appropriate account name for
.Sq chroot
users):
.Bl -tag -width "~ftp/incoming" -offset indent
.It Pa ~ftp
Make the home directory owned by
.Dq root
and unwritable by anyone.
.It Pa ~ftp/bin
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
Generally any conversion commands should be installed
here (mode 111).
.It Pa ~ftp/etc
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
The files
.Pa pwd.db
(see
.Xr passwd 5 )
and
.Pa group
(see
.Xr group 5 )
must be present for the
.Sy LIST
command to be able to display owner and group names instead of numbers.
The password field in
.Xr passwd 5
is not used, and should not contain real passwords.
The file
.Pa motd ,
if present, will be printed after a successful login.
These files should be mode 444.
.It Pa ~ftp/pub
This directory and the subdirectories beneath it should be owned
by the users and groups responsible for placing files in them,
and be writable only by them (mode 755 or 775).
They should
.Em not
be owned or writable by ftp or its group.
.It Pa ~ftp/incoming
This directory is where anonymous users place files they upload.
The owners should be the user
.Dq ftp
and an appropriate group.
Members of this group will be the only users with access to these
files after they have been uploaded; these should be people who
know how to deal with them appropriately.
If you wish anonymous
.Tn FTP
users to be able to see the names of the
files in this directory the permissions should be 770, otherwise
they should be 370.
.Pp
The following
.Xr ftpd.conf 5
directives should be used:
.Dl "modify guest off"
.Dl "umask guest 0707"
.Dl "upload guest on"
.Pp
This will result in anonymous users being able to upload files to this
directory, but they will not be able to download them, delete them, or
overwrite them, due to the umask and disabling of the commands mentioned
above.
.It Pa ~ftp/tmp
This directory is used to create temporary files which contain
the error messages generated by a conversion or
.Sy LIST
command.
The owner should be the user
.Dq ftp .
The permissions should be 300.
.Pp
If you don't enable conversion commands, or don't want anonymous users
uploading files here (see
.Pa ~ftp/incoming
above), then don't create this directory.
However, error messages from conversion or
.Sy LIST
commands won't be returned to the user.
(This is the traditional behaviour.)
Note that the
.Xr ftpd.conf 5
directive
.Sy upload
can be used to prevent users uploading here.
.El
.Pp
To set up "ftp-only" accounts that provide only
.Tn FTP ,
but no valid shell
login, you can copy/link
.Pa /sbin/nologin
to
.Pa /sbin/ftplogin ,
and enter
.Pa /sbin/ftplogin
to
.Pa /etc/shells
to allow logging-in via
.Tn FTP
into the accounts, which must have
.Pa /sbin/ftplogin
as login shell.
.Sh FILES
.Bl -tag -width /etc/ftpwelcome -compact
.It Pa /etc/ftpchroot
List of normal users whose root directory should be changed via
.Xr chroot 2 .
.It Pa /etc/ftpd.conf
Configure file conversions and other settings.
.It Pa /etc/ftpusers
List of unwelcome/restricted users.
.It Pa /etc/ftpwelcome
Welcome notice before login.
.It Pa /etc/motd
Welcome notice after login.
.It Pa /etc/nologin
If it exists, displayed and access is refused.
.It Pa /var/run/ftpd.pids-CLASS
State file of logged-in processes for the
.Nm
class
.Sq CLASS .
.It Pa /var/run/utmp
List of logged-in users on the system.
.It Pa /var/log/wtmp
Login history database.
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr skey 1 ,
.Xr who 1 ,
.Xr getusershell 3 ,
.Xr ftpchroot 5 ,
.Xr ftpd.conf 5 ,
.Xr ftpusers 5 ,
.Xr syslogd 8
.Sh STANDARDS
.Nm
recognizes all commands in
.Cm RFC 959 ,
follows the guidelines in
.Cm RFC 1123 ,
recognizes all commands in
.Cm RFC 2228
(although they are not supported yet),
and supports the extensions from
.Cm RFC 2389 ,
.Cm RFC 2428 ,
and
.Cm RFC 3659 .
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Pp
Various features such as the
.Xr ftpd.conf 5
functionality,
.Cm RFC 2389 ,
and
.Cm RFC 3659
support was implemented in
.Nx 1.3
and later releases by Luke Mewburn.
.Sh BUGS
The server must run as the super-user to create sockets with
privileged port numbers (i.e., those less than
.Dv IPPORT_RESERVED ,
which is 1024).
If
.Nm
is listening on a privileged port
it maintains an effective user id of the logged-in user, reverting
to the super-user only when binding addresses to privileged sockets.
The
.Fl r
option can be used to override this behaviour and force privileges to
be permanently revoked; see
.Sx SECURITY CONSIDERATIONS
below for more details.
.Pp
.Nm
may have trouble handling connections from scoped IPv6 addresses, or
IPv4 mapped addresses
.Po
IPv4 connection on
.Dv AF_INET6
socket
.Pc .
For the latter case, running two daemons,
one for IPv4 and one for IPv6, will avoid the problem.
.Sh SECURITY CONSIDERATIONS
.Cm RFC 959
provides no restrictions on the
.Sy PORT
command, and this can lead to security problems, as
.Nm
can be fooled into connecting to any service on any host.
With the
.Dq checkportcmd
feature of the
.Xr ftpd.conf 5 ,
.Sy PORT
commands with different host addresses, or TCP ports lower than
.Dv IPPORT_RESERVED
will be rejected.
This also prevents
.Sq third-party proxy ftp
from working.
Use of this option is
.Em strongly
recommended, and enabled by default.
.Pp
By default
.Nm
uses a port that is one less than the port it is listening on to
communicate back to the client for the
.Sy EPRT ,
.Sy LPRT ,
and
.Sy PORT
commands, unless overridden with
.Fl P Ar dataport .
As the default port for
.Nm
(21) is a privileged port below
.Dv IPPORT_RESERVED ,
.Nm
retains the ability to switch back to root privileges to bind these
ports.
In order to increase security by reducing the potential for a bug in
.Nm
providing a remote root compromise,
.Nm
will permanently drop root privileges if one of the following is true:
.Bl -enum -offset indent
.It
.Nm
is running on a port greater than
.Dv IPPORT_RESERVED
and the user has logged in as a
.Sq guest
or
.Sq chroot
user.
.It
.Nm
was invoked with
.Fl r .
.El
.Pp
Don't create
.Pa ~ftp/tmp
if you don't want anonymous users to upload files there.
That directory is only necessary if you want to display the error
messages of conversion commands to the user.
Note that if uploads are disabled with the
.Xr ftpd.conf 5
directive
.Sy upload ,
then this directory cannot be abused by the user in this way, so it
should be safe to create.
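.Pp
The checkportcmd rule from SECURITY CONSIDERATIONS, as an added example that is not part of ftpd or NetBSD: a POSIX sh decoder for the RFC 959 PORT argument (h1,h2,h3,h4,p1,p2, port = p1*256 + p2) that accepts a request only when it names the control connection's own peer and a port of at least IPPORT_RESERVED. The peer address and PORT arguments below are constructed samples.

```shell
#!/bin/sh
# Added example (not ftpd's own code): the check that ftpd.conf's
# "checkportcmd" describes, applied to the argument of a PORT command.

IPPORT_RESERVED=1024

# octet FIELD: accept one decimal field in 0..255 and print it without
# leading zeros (so the later arithmetic cannot read "010" as octal).
octet() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    f=$1
    while [ "$f" != "${f#0}" ] && [ "$f" != 0 ]; do f=${f#0}; done
    [ "$f" -le 255 ] || return 1
    printf '%s' "$f"
}

# port_cmd_target ARG: decode "h1,h2,h3,h4,p1,p2" and print "host port".
# Runs in a subshell so the IFS and noglob changes do not leak out.
# Returns 1 for anything malformed: wrong field count, non-numeric or
# out-of-range fields, empty fields.
port_cmd_target() (
    set -f
    IFS=,
    set -- $1
    [ $# -eq 6 ] || return 1
    h1=$(octet "$1") && h2=$(octet "$2") && h3=$(octet "$3") &&
    h4=$(octet "$4") && p1=$(octet "$5") && p2=$(octet "$6") || return 1
    printf '%s.%s.%s.%s %d\n' "$h1" "$h2" "$h3" "$h4" $(( p1 * 256 + p2 ))
)

# check_port_cmd PEER_IP ARG: 0 only if the requested data address is the
# control connection's peer and the port is not a privileged one.
check_port_cmd() {
    target=$(port_cmd_target "$2") || return 1
    [ "${target% *}" = "$1" ] || return 1
    [ "${target#* }" -ge "$IPPORT_RESERVED" ]
}

# Constructed sample session: peer 192.0.2.10 sends three PORT arguments.
for arg in '192,0,2,10,4,1' '192,0,2,10,3,255' '192,0,2,99,4,1'; do
    if check_port_cmd 192.0.2.10 "$arg"; then v=accepted; else v=rejected; fi
    printf 'PORT %s -> %s\n' "$arg" "$v"
done
```

The second sample is refused because 3*256+255 = 1023 is below IPPORT_RESERVED, the third because it names a host other than the peer.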
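.Pp
The layout from "Setting up a restricted ftp subtree", as an added example that is not part of ftpd or NetBSD: a POSIX sh script that creates the ~ftp directories with the modes the section gives, writes the three ftpd.conf directives it lists for ~ftp/incoming, and verifies every mode afterwards. It assumes a scratch base directory from mktemp; ownership is applied only when run as root and the named account exists, and the handling group for ~ftp/incoming is site-specific and not set.

```shell
#!/bin/sh
# Added example (not ftpd's own code): build and verify the restricted
# anonymous ftp subtree described in ftpd(8).

# "subdir mode owner" per the man page ("-" where it names no single owner).
FTP_LAYOUT='. 555 root
bin 555 root
etc 555 root
pub 755 -
incoming 370 ftp
tmp 300 ftp'

# make_ftp_tree BASE: create every directory first (the parent must still be
# writable while its children are added), then apply modes and, as root with
# the account present, owners.
make_ftp_tree() {
    while read -r sub mode owner; do
        mkdir -p "$1/$sub" || return 1
    done <<EOF
$FTP_LAYOUT
EOF
    while read -r sub mode owner; do
        chmod "$mode" "$1/$sub" || return 1
        if [ "$owner" != - ] && [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
            chown "$owner" "$1/$sub" || return 1
        fi
    done <<EOF
$FTP_LAYOUT
EOF
}

# write_guest_conf FILE: the ftpd.conf directives for the incoming directory.
# "upload on" with "modify off" lets guests store files but not delete,
# rename or overwrite them; umask 0707 clears the owner and other bits, so an
# upload is readable only by the group that owns ~ftp/incoming.
write_guest_conf() {
    printf '%s\n' 'modify guest off' 'umask guest 0707' 'upload guest on' > "$1"
}

# sym_mode OCTAL: "370" -> "-wxrwx---", the form ls -ld shows.
sym_mode() {
    out=
    rest=$1
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}
        rest=${rest#?}
        case $d in
            0) out="$out---" ;; 1) out="$out--x" ;; 2) out="$out-w-" ;; 3) out="$out-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;; 6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
            *) return 1 ;;
        esac
    done
    printf '%s' "$out"
}

# dir_mode PATH: permission bits of PATH (columns 2-10 of ls -ld, so an ACL
# or security-context marker in column 11 does not interfere).
dir_mode() { ls -ld "$1" 2>/dev/null | cut -c2-10; }

# verify_ftp_tree BASE: 0 only if every directory exists with its listed mode.
verify_ftp_tree() {
    while read -r sub mode owner; do
        [ "$(dir_mode "$1/$sub")" = "$(sym_mode "$mode")" ] || return 1
    done <<EOF
$FTP_LAYOUT
EOF
}

# Demonstration in a scratch directory; the conf file goes beside it because
# the finished base directory is mode 555.
base=$(mktemp -d)
make_ftp_tree "$base" && write_guest_conf "$base.ftpd.conf" &&
    verify_ftp_tree "$base" && echo "tree under $base: modes OK"
chmod 755 "$base/incoming"
verify_ftp_tree "$base" || echo "incoming at 755: layout rejected"
chmod -R u+rwx "$base" && rm -rf "$base" "$base.ftpd.conf"
```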