.\" $NetBSD: ftpd.8,v 1.74 2003/08/07 09:46:39 agc Exp $
.\"
.\" Copyright (c) 1997-2003 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Luke Mewburn.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"        This product includes software developed by the NetBSD
.\"        Foundation, Inc. and its contributors.
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
.\"    contributors may be used to endorse or promote products derived
.\"    from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Copyright (c) 1985, 1988, 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)ftpd.8	8.2 (Berkeley) 4/19/94
.\"
.Dd February 26, 2003
.Dt FTPD 8
.Os
.Sh NAME
.Nm ftpd
.Nd
Internet File Transfer Protocol server
.Sh SYNOPSIS
.Nm
.Op Fl dHlqQrsuUwWX
.Op Fl a Ar anondir
.Op Fl c Ar confdir
.Op Fl C Ar user
.Op Fl e Ar emailaddr
.Op Fl h Ar hostname
.Op Fl L Ar xferlogfile
.Op Fl P Ar dataport
.Op Fl V Ar version
.Sh DESCRIPTION
.Nm
is the Internet File Transfer Protocol server process.
The server uses the
.Tn TCP
protocol and listens at the port specified in the
.Dq ftp
service specification; see
.Xr services 5 .
.Pp
Available options:
.Bl -tag -width Ds
.It Fl a Ar anondir
Define
.Ar anondir
as the directory to
.Xr chroot 2
into for anonymous logins.
Default is the home directory for the ftp user.
This can also be specified with the
.Xr ftpd.conf 5
.Sy chroot
directive.
.It Fl c Ar confdir
Change the root directory of the configuration files from
.Dq Pa /etc
to
.Ar confdir .
This changes the directory for the following files:
.Pa /etc/ftpchroot ,
.Pa /etc/ftpusers ,
.Pa /etc/ftpwelcome ,
.Pa /etc/motd ,
and the file specified by the
.Xr ftpd.conf 5
.Sy limit
directive.
.It Fl C Ar user
Check whether
.Ar user
would be granted access under
the restrictions given in
.Xr ftpusers 5
and exit without attempting a connection.
.Nm
exits with an exit code of 0 if access would be granted, or 1 otherwise.
This can be useful for testing configurations.
.It Fl d
Debugging information is written to the syslog using a facility of
.Dv LOG_FTP .
.It Fl e Ar emailaddr
Use
.Ar emailaddr
for the
.Dq "\&%E"
escape sequence (see
.Sx Display file escape sequences ) .
.It Fl h Ar hostname
Explicitly set the hostname to advertise as to
.Ar hostname .
The default is the hostname associated with the IP address that
.Nm
is listening on.
This ability (with or without
.Fl h ) ,
in conjunction with
.Fl c Ar confdir ,
is useful when configuring
.Sq virtual
.Tn FTP
servers, each listening on separate addresses as separate names.
Refer to
.Xr inetd.conf 5
for more information on starting services to listen on specific IP addresses.
.It Fl H
Equivalent to
.Do
-h
`hostname`
.Dc .
.It Fl l
Each successful and failed
.Tn FTP
session is logged using syslog with a facility of
.Dv LOG_FTP .
If this option is specified more than once, the retrieve (get), store (put),
append, delete, make directory, remove directory and rename operations and
their file name arguments are also logged.
.It Fl L Ar xferlogfile
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to
.Ar xferlogfile .
.It Fl P Ar dataport
Use
.Ar dataport
as the data port, overriding the default of using the port one less
than the port
.Nm
is listening on.
.It Fl q
Enable the use of pid files for keeping track of the number of logged-in
users per class.
This is the default.
.It Fl Q
Disable the use of pid files for keeping track of the number of logged-in
users per class.
This may reduce the load on heavily loaded
.Tn FTP
servers.
.It Fl r
Permanently drop root privileges once the user is logged in.
The use of this option may result in the server using a port other
than the (listening-port - 1) for
.Sy PORT
style commands, which is contrary to the
.Cm RFC 959
specification, but in practice very few clients rely upon this behaviour.
See
.Sx SECURITY CONSIDERATIONS
below for more details.
.It Fl s
Require a secure authentication mechanism like Kerberos or S/Key to be used.
.It Fl u
Log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp ,
making them visible to commands such as
.Xr who 1 .
.It Fl U
Don't log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp .
This is the default.
.It Fl V Ar version
Use
.Ar version
as the version to advertise in the login banner and in the output of
.Sy STAT
and
.Sy SYST
instead of the default version information.
If
.Ar version
is empty or
.Sq -
then don't display any version information.
.It Fl w
Log each
.Tn FTP
session to
.Pa /var/log/wtmp ,
making them visible to commands such as
.Xr last 1 .
This is the default.
.It Fl W
Don't log each
.Tn FTP
session to
.Pa /var/log/wtmp .
.It Fl X
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to the syslog, prefixed with
.Dq "xferlog:\ " ,
using a facility of
.Dv LOG_FTP .
These syslog entries can be converted to a
.Tn wu-ftpd
style
.Pa xferlog
file suitable for input into a third-party log analysis tool with a command
similar to:
.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
.El
.Pp
The file
.Pa /etc/nologin
can be used to disable
.Tn FTP
access.
If the file exists,
.Nm
displays it and exits.
If the file
.Pa /etc/ftpwelcome
exists,
.Nm
prints it before issuing the
.Dq ready
message.
If the file
.Pa /etc/motd
exists (under the chroot directory if applicable),
.Nm
prints it after a successful login.
This may be changed with the
.Xr ftpd.conf 5
directive
.Sy motd .
.Pp
The
.Nm
server currently supports the following
.Tn FTP
requests.
The case of the requests is ignored.
.Bl -column "Request" -offset indent
.It Sy Request Ta Sy Description
.It ABOR Ta "abort previous command"
.It ACCT Ta "specify account (ignored)"
.It ALLO Ta "allocate storage (vacuously)"
.It APPE Ta "append to a file"
.It CDUP Ta "change to parent of current working directory"
.It CWD Ta "change working directory"
.It DELE Ta "delete a file"
.It EPSV Ta "prepare for server-to-server transfer"
.It EPRT Ta "specify data connection port"
.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
.It HELP Ta "give help information"
.It LIST Ta "give list of files in a directory" Pq Dq Li "ls -lA"
.It LPSV Ta "prepare for server-to-server transfer"
.It LPRT Ta "specify data connection port"
.It MLSD Ta "list contents of directory in a machine-processable form"
.It MLST Ta "show a pathname in a machine-processable form"
.It MKD Ta "make a directory"
.It MDTM Ta "show last modification time of file"
.It MODE Ta "specify data transfer" Em mode
.It NLST Ta "give name list of files in directory"
.It NOOP Ta "do nothing"
.It OPTS Ta "define persistent options for a given command"
.It PASS Ta "specify password"
.It PASV Ta "prepare for server-to-server transfer"
.It PORT Ta "specify data connection port"
.It PWD Ta "print the current working directory"
.It QUIT Ta "terminate session"
.It REST Ta "restart incomplete transfer"
.It RETR Ta "retrieve a file"
.It RMD Ta "remove a directory"
.It RNFR Ta "specify rename-from file name"
.It RNTO Ta "specify rename-to file name"
.It SITE Ta "non-standard commands (see next section)"
.It SIZE Ta "return size of file"
.It STAT Ta "return status of server"
.It STOR Ta "store a file"
.It STOU Ta "store a file with a unique name"
.It STRU Ta "specify data transfer" Em structure
.It SYST Ta "show operating system type of server system"
.It TYPE Ta "specify data transfer" Em type
.It USER Ta "specify user name"
.It XCUP Ta "change to parent of current working directory (deprecated)"
.It XCWD Ta "change working directory (deprecated)"
.It XMKD Ta "make a directory (deprecated)"
.It XPWD Ta "print the current working directory (deprecated)"
.It XRMD Ta "remove a directory (deprecated)"
.El
.Pp
The following non-standard or
.Ux
specific commands are supported by the SITE request.
.Pp
.Bl -column Request -offset indent
.It Sy Request Ta Sy Description
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
.It HELP Ta "give help information."
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
.El
.Pp
The following
.Tn FTP
requests (as specified in
.Cm RFC 959 )
are recognized, but are not implemented:
.Sy ACCT ,
.Sy SMNT ,
and
.Sy REIN .
.Sy MDTM
and
.Sy SIZE
are not specified in
.Cm RFC 959 ,
but will appear in the
next updated
.Tn FTP
RFC.
.Pp
The
.Nm
server will abort an active file transfer only when the
.Sy ABOR
command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
as described in Internet
.Cm RFC 959 .
If a
.Sy STAT
command is received during a data transfer, preceded by a Telnet IP
and Synch, transfer status will be returned.
.Pp
.Nm
interprets file names according to the
.Dq globbing
conventions used by
.Xr csh 1 .
This allows users to use the metacharacters
.Dq Li \&*?[]{}~ .
.Ss User authentication
.Nm
authenticates users according to five rules.
.Pp
.Bl -enum -offset indent
.It
The login name must be in the password data base,
.Pa /etc/pwd.db ,
and not have a null password.
In this case a password must be provided by the client before any
file operations may be performed.
If the user has an S/Key key, the response from a successful
.Sy USER
command will include an S/Key challenge.
The client may choose to respond with a
.Sy PASS
command giving either
a standard password or an S/Key one-time password.
The server will automatically determine which type of password it
has been given and attempt to authenticate accordingly.
See
.Xr skey 1
for more information on S/Key authentication.
S/Key is a Trademark of Bellcore.
.It
The login name must be allowed based on the information in
.Xr ftpusers 5 .
.It
The user must have a standard shell returned by
.Xr getusershell 3 .
If the user's shell field in the password database is empty, the
shell is assumed to be
.Pa /bin/sh .
As per
.Xr shells 5 ,
the user's shell must be listed with full path in
.Pa /etc/shells .
.It
If directed by the file
.Xr ftpchroot 5
the session's root directory will be changed by
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
or to the home directory of the user.
However, the user must still supply a password.
This feature is intended as a compromise between a fully anonymous account
and a fully privileged account.
The account should also be set up as for an anonymous account.
.It
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
anonymous
.Tn FTP
account must be present in the password
file (user
.Dq ftp ) .
In this case the user is allowed
to log in by specifying any password (by convention an email address for
the user should be used as the password).
.Pp
The server performs a
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
the
.Fl a Ar anondir
directory (if set),
or to the home directory of the
.Dq ftp
user.
.Pp
The server then performs a
.Xr chdir 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy homedir
directive (if set), otherwise to
.Pa / .
.Pp
If other restrictions are required (such as disabling of certain
commands and the setting of a specific umask), then appropriate
entries in
.Xr ftpd.conf 5
are required.
.Pp
If the first character of the password supplied by an anonymous user
is
.Dq - ,
then the verbose messages displayed at login and upon a
.Sy CWD
command are suppressed.
.El
.Ss Display file escape sequences
When
.Nm
displays various files back to the client (such as
.Pa /etc/ftpwelcome
and
.Pa /etc/motd ) ,
various escape strings are replaced with information pertinent
to the current connection.
.Pp
The supported escape strings are:
.Bl -tag -width "Escape" -offset indent -compact
.It Sy "Escape"
.Sy Description
.It "\&%c"
Class name.
.It "\&%C"
Current working directory.
.It "\&%E"
Email address given with
.Fl e .
.It "\&%L"
Local hostname.
.It "\&%M"
Maximum number of users for this class.
Displays
.Dq unlimited
if there's no limit.
.It "\&%N"
Current number of users for this class.
.It "\&%R"
Remote hostname.
.It "\&%s"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq s .
.It "\&%S"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq S .
.It "\&%T"
Current time.
.It "\&%U"
User name.
.It "\&%\&%"
A
.Dq \&%
character.
.El
.Ss Setting up a restricted ftp subtree
In order that system security is not breached, it is recommended
that the
subtrees for the
.Dq ftp
and
.Dq chroot
accounts be constructed with care, following these rules
(replace
.Dq ftp
in the following directory names
with the appropriate account name for
.Sq chroot
users):
.Bl -tag -width "~ftp/incoming" -offset indent
.It Pa ~ftp
Make the home directory owned by
.Dq root
and unwritable by anyone.
.It Pa ~ftp/bin
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
Generally any conversion commands should be installed
here (mode 111).
.It Pa ~ftp/etc
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
The files
.Pa pwd.db
(see
.Xr passwd 5 )
and
.Pa group
(see
.Xr group 5 )
must be present for the
.Sy LIST
command to be able to display owner and group names instead of numbers.
The password field in
.Xr passwd 5
is not used, and should not contain real passwords.
The file
.Pa motd ,
if present, will be printed after a successful login.
These files should be mode 444.
.It Pa ~ftp/pub
This directory and the subdirectories beneath it should be owned
by the users and groups responsible for placing files in them,
and be writable only by them (mode 755 or 775).
They should
.Em not
be owned or writable by ftp or its group.
.It Pa ~ftp/incoming
This directory is where anonymous users place files they upload.
The owners should be the user
.Dq ftp
and an appropriate group.
Members of this group will be the only users with access to these
files after they have been uploaded; these should be people who
know how to deal with them appropriately.
If you wish anonymous
.Tn FTP
users to be able to see the names of the
files in this directory the permissions should be 770, otherwise
they should be 370.
.Pp
The following
.Xr ftpd.conf 5
directives should be used:
.Dl "modify guest off"
.Dl "umask guest 0707"
.Dl "upload guest on"
.Pp
This will result in anonymous users being able to upload files to this
directory, but they will not be able to download them, delete them, or
overwrite them, due to the umask and disabling of the commands mentioned
above.
.It Pa ~ftp/tmp
This directory is used to create temporary files which contain
the error messages generated by a conversion or
.Sy LIST
command.
The owner should be the user
.Dq ftp .
The permissions should be 300.
.Pp
If you don't enable conversion commands, or don't want anonymous users
uploading files here (see
.Pa ~ftp/incoming
above), then don't create this directory.
However, error messages from conversion or
.Sy LIST
commands won't be returned to the user.
(This is the traditional behaviour.)
Note that the
.Xr ftpd.conf 5
directive
.Sy upload
can be used to prevent users uploading here.
.El
.Pp
To set up "ftp-only" accounts that provide only
.Tn FTP ,
but no valid shell
login, you can copy/link
.Pa /sbin/nologin
to
.Pa /sbin/ftplogin ,
and enter
.Pa /sbin/ftplogin
to
.Pa /etc/shells
to allow logging-in via
.Tn FTP
into the accounts, which must have
.Pa /sbin/ftplogin
as login shell.
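The following POSIX shell script is an added example, not code from ftpd or NetBSD. It implements the substitution rules listed under Display file escape sequences for one banner line, so an administrator can preview how a ftpwelcome or motd text will render before installing it. The FTPD_* variables are constructed sample session values (the daemon takes them from the live connection); treating a limit of 0 as "no limit" for %M and leaving unknown escapes untouched are this example's assumptions, not documented ftpd behaviour.

```shell
#!/bin/sh
# Expand ftpd(8) display-file escape sequences (%c %C %E %L %M %N %R %s %S
# %T %U %%) as they would appear in /etc/ftpwelcome or /etc/motd.
# The FTPD_* values below are constructed sample session data; the real
# daemon takes them from the live connection.
FTPD_CLASS=guest
FTPD_CWD=/pub
FTPD_EMAIL=ftp-admin@example.org
FTPD_LOCALHOST=ftp.example.org
FTPD_MAXUSERS=10      # assumption: 0 or unset means "no limit" (%M prints unlimited)
FTPD_CURUSERS=1
FTPD_REMOTEHOST=client.example.org
FTPD_USER=ftp

# ftpd_expand TEXT: print TEXT with every escape replaced.
ftpd_expand() {
    text=$1
    out=""
    last=""   # result of the most recent %M or %N; %s and %S look at it
    while [ -n "$text" ]; do
        c=${text%"${text#?}"}     # first character of the remaining text
        text=${text#?}
        if [ "$c" != "%" ]; then
            out="$out$c"
            continue
        fi
        e=${text%"${text#?}"}     # the escape letter after '%'
        text=${text#?}
        case $e in
        c) out="$out$FTPD_CLASS" ;;
        C) out="$out$FTPD_CWD" ;;
        E) out="$out$FTPD_EMAIL" ;;
        L) out="$out$FTPD_LOCALHOST" ;;
        M) if [ "${FTPD_MAXUSERS:-0}" -gt 0 ]; then
               last=$FTPD_MAXUSERS
           else
               last=unlimited
           fi
           out="$out$last" ;;
        N) last=$FTPD_CURUSERS
           out="$out$last" ;;
        R) out="$out$FTPD_REMOTEHOST" ;;
        s) if [ "$last" != "1" ]; then out="${out}s"; fi ;;
        S) if [ "$last" != "1" ]; then out="${out}S"; fi ;;
        T) out="$out$(date)" ;;
        U) out="$out$FTPD_USER" ;;
        %) out="$out%" ;;
        *) out="$out%$e" ;;       # assumption: unknown escapes are left as-is
        esac
    done
    printf '%s\n' "$out"
}

# Preview a banner line: the plural in "user%s" follows %M (the most recent
# count), not %N, so it reads "10 users" even with one user connected.
ftpd_expand 'Welcome to %L, %U (%R). %N of %M user%s connected; report problems to %E.'
```

Because %s and %S are driven by whichever of %M or %N was expanded most recently, a banner that wants the plural to agree with the current user count must place %N, not %M, immediately before the word being pluralised.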
.Sh FILES
.Bl -tag -width /etc/ftpwelcome -compact
.It Pa /etc/ftpchroot
List of normal users whose root directory should be changed via
.Xr chroot 2 .
.It Pa /etc/ftpd.conf
Configure file conversions and other settings.
.It Pa /etc/ftpusers
List of unwelcome/restricted users.
.It Pa /etc/ftpwelcome
Welcome notice before login.
.It Pa /etc/motd
Welcome notice after login.
.It Pa /etc/nologin
If it exists, displayed and access is refused.
.It Pa /var/run/ftpd.pids-CLASS
State file of logged-in processes for the
.Nm
class
.Sq CLASS .
.It Pa /var/run/utmp
List of logged-in users on the system.
.It Pa /var/log/wtmp
Login history database.
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr skey 1 ,
.Xr who 1 ,
.Xr getusershell 3 ,
.Xr ftpchroot 5 ,
.Xr ftpd.conf 5 ,
.Xr ftpusers 5 ,
.Xr syslogd 8
.Sh STANDARDS
.Nm
recognizes all commands in
.Cm RFC 959 ,
follows the guidelines in
.Cm RFC 1123 ,
recognizes all commands in
.Cm RFC 2228
(although they are not supported yet),
and supports the extensions from
.Cm RFC 2389 ,
.Cm RFC 2428
and
.Cm draft-ietf-ftpext-mlst-11 .
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Pp
Various features such as the
.Xr ftpd.conf 5
functionality,
.Cm RFC 2389 ,
and
.Cm draft-ietf-ftpext-mlst-11
support were implemented in
.Nx 1.3
and later releases by Luke Mewburn.
.Sh BUGS
The server must run as the super-user to create sockets with
privileged port numbers (i.e., those less than
.Dv IPPORT_RESERVED ,
which is 1024).
If
.Nm
is listening on a privileged port
it maintains an effective user id of the logged in user, reverting
to the super-user only when binding addresses to privileged sockets.
The
.Fl r
option can be used to override this behaviour and force privileges to
be permanently revoked; see
.Sx SECURITY CONSIDERATIONS
below for more details.
.Pp
.Nm
may have trouble handling connections from scoped IPv6 addresses, or
IPv4 mapped addresses
.Po
IPv4 connection on
.Dv AF_INET6
socket
.Pc .
For the latter case, running two daemons,
one for IPv4 and one for IPv6, will avoid the problem.
.Sh SECURITY CONSIDERATIONS
.Cm RFC 959
provides no restrictions on the
.Sy PORT
command, and this can lead to security problems, as
.Nm
can be fooled into connecting to any service on any host.
With the
.Dq checkportcmd
feature of the
.Xr ftpd.conf 5 ,
.Sy PORT
commands with different host addresses, or TCP ports lower than
.Dv IPPORT_RESERVED
will be rejected.
This also prevents
.Sq third-party proxy ftp
from working.
Use of this option is
.Em strongly
recommended, and enabled by default.
.Pp
By default
.Nm
uses a port that is one less than the port it is listening on to
communicate back to the client for the
.Sy EPRT ,
.Sy LPRT ,
and
.Sy PORT
commands, unless overridden with
.Fl P Ar dataport .
As the default port for
.Nm
(21) is a privileged port below
.Dv IPPORT_RESERVED ,
.Nm
retains the ability to switch back to root privileges to bind these
ports.
In order to increase security by reducing the potential for a bug in
.Nm
providing a remote root compromise,
.Nm
will permanently drop root privileges if one of the following is true:
.Bl -enum -offset indent
.It
.Nm
is running on a port greater than
.Dv IPPORT_RESERVED
and the user has logged in as a
.Sq guest
or
.Sq chroot
user.
.It
.Nm
was invoked with
.Fl r .
.El
.Pp
Don't create
.Pa ~ftp/tmp
if you don't want anonymous users to upload files there.
That directory is only necessary if you want to display the error
messages of conversion commands to the user.
Note that if uploads are disabled with the
.Xr ftpd.conf 5
directive
.Sy upload ,
then this directory cannot be abused by the user in this way, so it
should be safe to create.
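The following POSIX shell script is an added example, not part of ftpd or NetBSD. It builds the tree described under Setting up a restricted ftp subtree with the ownership and modes that section gives (555 for ~ftp/bin and ~ftp/etc with 111 and 444 for their contents, 755 for ~ftp/pub, 770 or 370 for ~ftp/incoming, 300 for ~ftp/tmp) and, following the caution in SECURITY CONSIDERATIONS, creates ~ftp/tmp only when explicitly requested. The function names, the with-tmp and visible/hidden arguments, and the choice of 555 for the top-level ~ftp directory (the manual says only "unwritable by anyone") are this example's own; ownership is changed only when the script runs as root, and pwd.db and group for ~ftp/etc are left for the administrator to supply.

```shell
#!/bin/sh
# Create a restricted ftp subtree with the layout, ownership and modes given in
# ftpd(8) "Setting up a restricted ftp subtree".  ~ftp/tmp is created only on
# request, because it is a second location anonymous users can write to.
#
#   ftp_subtree ROOT GROUP [visible|hidden] [with-tmp]
#     ROOT     the ftp home directory (~ftp); created if missing
#     GROUP    group whose members will process ROOT/incoming
#     visible  incoming mode 770 (anonymous users may list uploads)
#     hidden   incoming mode 370 (default; uploads cannot be listed)
#     with-tmp also create ROOT/tmp, mode 300, owned by ftp
#
# Remember the matching ftpd.conf(5) directives for the incoming directory:
#     modify guest off
#     umask guest 0707
#     upload guest on

# ftp_owner PATH OWNER: chown when root, otherwise report what would change.
ftp_owner() {
    if [ "$(id -u)" -eq 0 ]; then
        chown "$2" "$1" 2>/dev/null ||
            echo "ftp_owner: chown $2 $1 failed; does that account exist?" >&2
    else
        echo "ftp_owner: not root, would chown $2 $1" >&2
    fi
}

# ftp_mode PATH: print the symbolic mode string (e.g. dr-xr-xr-x) for auditing.
ftp_mode() {
    ls -ld "$1" | cut -c1-10
}

ftp_subtree() {
    root=$1
    group=$2
    listing=${3:-hidden}
    want_tmp=${4:-}
    case $listing in
    visible) incoming_mode=770 ;;
    hidden)  incoming_mode=370 ;;
    *) echo "ftp_subtree: third argument must be visible or hidden" >&2
       return 2 ;;
    esac

    mkdir -p "$root/bin" "$root/etc" "$root/pub" "$root/incoming" || return 1

    # ~ftp/bin: root-owned, mode 555; conversion commands inside it mode 111.
    chmod 555 "$root/bin"
    for f in "$root"/bin/*; do
        if [ -f "$f" ]; then chmod 111 "$f"; fi
    done
    ftp_owner "$root/bin" root

    # ~ftp/etc: root-owned, mode 555; pwd.db, group and motd inside it mode 444.
    # The administrator still has to supply pwd.db and group (with no real
    # passwords) so that LIST can show names instead of numbers.
    chmod 555 "$root/etc"
    for f in "$root"/etc/*; do
        if [ -f "$f" ]; then chmod 444 "$f"; fi
    done
    ftp_owner "$root/etc" root

    # ~ftp/pub: owned by the content maintainers, never by ftp; 755 here.
    chmod 755 "$root/pub"

    # ~ftp/incoming: owned by ftp and GROUP; 770 or 370 as requested.
    chmod "$incoming_mode" "$root/incoming"
    ftp_owner "$root/incoming" "ftp:$group"

    # ~ftp/tmp: only if asked for; owned by ftp, mode 300.
    if [ -n "$want_tmp" ]; then
        mkdir -p "$root/tmp" || return 1
        chmod 300 "$root/tmp"
        ftp_owner "$root/tmp" ftp
    fi

    # ~ftp itself last, after the subdirectories exist: root-owned and
    # unwritable by anyone (555 is this script's choice for the top directory).
    chmod 555 "$root"
    ftp_owner "$root" root
    return 0
}

# Demonstration on a scratch directory (no root needed; ownership is reported).
demo_base=$(mktemp -d)
ftp_subtree "$demo_base/ftp" ftpadmin hidden
for d in "$demo_base/ftp" "$demo_base/ftp/bin" "$demo_base/ftp/etc" \
         "$demo_base/ftp/pub" "$demo_base/ftp/incoming"; do
    printf '%s %s\n' "$(ftp_mode "$d")" "$d"
done
chmod -R u+w "$demo_base" && rm -rf "$demo_base"
```

Run it as root against the real ~ftp after the ftp account and the upload-processing group exist; ftp_mode can then be used on its own to audit an existing tree against the same expectations.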