1.\" $NetBSD: ftpd.8,v 1.76 2005/08/07 11:13:34 wiz Exp $ 2.\" 3.\" Copyright (c) 1997-2003 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This code is derived from software contributed to The NetBSD Foundation 7.\" by Luke Mewburn. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 3. All advertising materials mentioning features or use of this software 18.\" must display the following acknowledgement: 19.\" This product includes software developed by the NetBSD 20.\" Foundation, Inc. and its contributors. 21.\" 4. Neither the name of The NetBSD Foundation nor the names of its 22.\" contributors may be used to endorse or promote products derived 23.\" from this software without specific prior written permission. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 26.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 27.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 28.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 29.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 30.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 31.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 32.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 33.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 34.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 35.\" POSSIBILITY OF SUCH DAMAGE. 36.\" 37.\" Copyright (c) 1985, 1988, 1991, 1993 38.\" The Regents of the University of California. All rights reserved. 39.\" 40.\" Redistribution and use in source and binary forms, with or without 41.\" modification, are permitted provided that the following conditions 42.\" are met: 43.\" 1. Redistributions of source code must retain the above copyright 44.\" notice, this list of conditions and the following disclaimer. 45.\" 2. Redistributions in binary form must reproduce the above copyright 46.\" notice, this list of conditions and the following disclaimer in the 47.\" documentation and/or other materials provided with the distribution. 48.\" 3. Neither the name of the University nor the names of its contributors 49.\" may be used to endorse or promote products derived from this software 50.\" without specific prior written permission. 51.\" 52.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 53.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 54.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 55.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 56.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 57.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 58.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 59.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 60.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 61.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 62.\" SUCH DAMAGE. 63.\" 64.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 65.\" 66.Dd August 4, 2005 67.Dt FTPD 8 68.Os 69.Sh NAME 70.Nm ftpd 71.Nd 72Internet File Transfer Protocol server 73.Sh SYNOPSIS 74.Nm 75.Op Fl 46DdHlQqrsUuWwX 76.Op Fl a Ar anondir 77.Op Fl C Ar user 78.Op Fl c Ar confdir 79.Op Fl e Ar emailaddr 80.Op Fl h Ar hostname 81.Op Fl L Ar xferlogfile 82.Op Fl P Ar dataport 83.Op Fl V Ar version 84.Sh DESCRIPTION 85.Nm 86is the Internet File Transfer Protocol server process. 87The server uses the 88.Tn TCP 89protocol and listens at the port specified in the 90.Dq ftp 91service specification; see 92.Xr services 5 . 93.Pp 94Available options: 95.Bl -tag -width Ds 96.It Fl 4 97When 98.Fl D 99is specified, bind to IPv4 addresses only. 100.It Fl 6 101When 102.Fl D 103is specified, bind to IPv6 addresses only. 104.It Fl a Ar anondir 105Define 106.Ar anondir 107as the directory to 108.Xr chroot 2 109into for anonymous logins. 110Default is the home directory for the ftp user. 111This can also be specified with the 112.Xr ftpd.conf 5 113.Sy chroot 114directive. 115.It Fl C Ar user 116Check whether 117.Ar user 118would be granted access under 119the restrictions given in 120.Xr ftpusers 5 121and exit without attempting a connection. 122.Nm 123exits with an exit code of 0 if access would be granted, or 1 otherwise. 124This can be useful for testing configurations. 
.It Fl c Ar confdir
Change the root directory of the configuration files from
.Dq Pa /etc
to
.Ar confdir .
This changes the directory for the following files:
.Pa /etc/ftpchroot ,
.Pa /etc/ftpusers ,
.Pa /etc/ftpwelcome ,
.Pa /etc/motd ,
and the file specified by the
.Xr ftpd.conf 5
.Sy limit
directive.
.It Fl D
Run as daemon.
.Nm
will listen on the default FTP port for incoming connections
and fork a child for each connection.
This is lower overhead than starting
.Nm
from
.Xr inetd 8
and thus might be useful on busy servers to reduce load.
.It Fl d
Debugging information is written to the syslog using a facility of
.Dv LOG_FTP .
.It Fl e Ar emailaddr
Use
.Ar emailaddr
for the
.Dq "\&%E"
escape sequence (see
.Sx Display file escape sequences ) .
.It Fl H
Equivalent to
.Do
-h
`hostname`
.Dc .
.It Fl h Ar hostname
Explicitly set the hostname to advertise as to
.Ar hostname .
The default is the hostname associated with the IP address that
.Nm
is listening on.
This ability (with or without
.Fl h ) ,
in conjunction with
.Fl c Ar confdir ,
is useful when configuring
.Sq virtual
.Tn FTP
servers, each listening on separate addresses as separate names.
Refer to
.Xr inetd.conf 5
for more information on starting services to listen on specific IP addresses.
.It Fl L Ar xferlogfile
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to
.Ar xferlogfile .
.It Fl l
Each successful and failed
.Tn FTP
session is logged using syslog with a facility of
.Dv LOG_FTP .
If this option is specified more than once, the retrieve (get), store (put),
append, delete, make directory, remove directory and rename operations and
their file name arguments are also logged.
.It Fl P Ar dataport
Use
.Ar dataport
as the data port, overriding the default of using the port one less
than the port
.Nm
is listening on.
.It Fl Q
Disable the use of pid files for keeping track of the number of logged-in
users per class.
This may reduce the load on heavily loaded
.Tn FTP
servers.
.It Fl q
Enable the use of pid files for keeping track of the number of logged-in
users per class.
This is the default.
.It Fl r
Permanently drop root privileges once the user is logged in.
The use of this option may result in the server using a port other
than the (listening-port - 1) for
.Sy PORT
style commands, which is contrary to the
.Cm RFC 959
specification, but in practice very few clients rely upon this behaviour.
See
.Sx SECURITY CONSIDERATIONS
below for more details.
.It Fl s
Require a secure authentication mechanism like Kerberos or S/Key to be used.
.It Fl U
Don't log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp .
This is the default.
.It Fl u
Log each concurrent
.Tn FTP
session to
.Pa /var/run/utmp ,
making them visible to commands such as
.Xr who 1 .
.It Fl V Ar version
Use
.Ar version
as the version to advertise in the login banner and in the output of
.Sy STAT
and
.Sy SYST
instead of the default version information.
If
.Ar version
is empty or
.Sq -
then don't display any version information.
.It Fl W
Don't log each
.Tn FTP
session to
.Pa /var/log/wtmp .
.It Fl w
Log each
.Tn FTP
session to
.Pa /var/log/wtmp ,
making them visible to commands such as
.Xr last 1 .
This is the default.
.It Fl X
Log
.Tn wu-ftpd
style
.Sq xferlog
entries to the syslog, prefixed with
.Dq "xferlog:\ " ,
using a facility of
.Dv LOG_FTP .
These syslog entries can be converted to a
.Tn wu-ftpd
style
.Pa xferlog
file suitable for input into a third-party log analysis tool with a command
similar to:
.Dl "grep 'xferlog: ' /var/log/xferlog | \e"
.Dl "\ \ \ sed -e 's/^.*xferlog: //' \*[Gt] wuxferlog"
.El
.Pp
The file
.Pa /etc/nologin
can be used to disable
.Tn FTP
access.
If the file exists,
.Nm
displays it and exits.
If the file
.Pa /etc/ftpwelcome
exists,
.Nm
prints it before issuing the
.Dq ready
message.
If the file
.Pa /etc/motd
exists (under the chroot directory if applicable),
.Nm
prints it after a successful login.
This may be changed with the
.Xr ftpd.conf 5
directive
.Sy motd .
.Pp
The
.Nm
server currently supports the following
.Tn FTP
requests.
The case of the requests is ignored.
.Bl -column "Request" -offset indent
.It Sy Request Ta Sy Description
.It ABOR Ta "abort previous command"
.It ACCT Ta "specify account (ignored)"
.It ALLO Ta "allocate storage (vacuously)"
.It APPE Ta "append to a file"
.It CDUP Ta "change to parent of current working directory"
.It CWD Ta "change working directory"
.It DELE Ta "delete a file"
.It EPSV Ta "prepare for server-to-server transfer"
.It EPRT Ta "specify data connection port"
.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959"
.It HELP Ta "give help information"
.It LIST Ta "list files in a directory" Pq Dq Li "ls -lA"
.It LPSV Ta "prepare for server-to-server transfer"
.It LPRT Ta "specify data connection port"
.It MLSD Ta "list contents of directory in a machine-processable form"
.It MLST Ta "show a pathname in a machine-processable form"
.It MKD Ta "make a directory"
.It MDTM Ta "show last modification time of file"
.It MODE Ta "specify data transfer" Em mode
.It NLST Ta "give name list of files in directory"
.It NOOP Ta "do nothing"
.It OPTS Ta "define persistent options for a given command"
.It PASS Ta "specify password"
.It PASV Ta "prepare for server-to-server transfer"
.It PORT Ta "specify data connection port"
.It PWD Ta "print the current working directory"
.It QUIT Ta "terminate session"
.It REST Ta "restart incomplete transfer"
.It RETR Ta "retrieve a file"
.It RMD Ta "remove a directory"
.It RNFR Ta "specify rename-from file name"
.It RNTO Ta "specify rename-to file name"
.It SITE Ta "non-standard commands (see next section)"
.It SIZE Ta "return size of file"
.It STAT Ta "return status of server"
.It STOR Ta "store a file"
.It STOU Ta "store a file with a unique name"
.It STRU Ta "specify data transfer" Em structure
.It SYST Ta "show operating system type of server system"
.It TYPE Ta "specify data transfer" Em type
.It USER Ta "specify user name"
.It XCUP Ta "change to parent of current working directory (deprecated)"
.It XCWD Ta "change working directory (deprecated)"
.It XMKD Ta "make a directory (deprecated)"
.It XPWD Ta "print the current working directory (deprecated)"
.It XRMD Ta "remove a directory (deprecated)"
.El
.Pp
The following non-standard or
.Ux
specific commands are supported by the SITE request.
.Pp
.Bl -column Request -offset indent
.It Sy Request Ta Sy Description
.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''"
.It HELP Ta "give help information."
.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''"
.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''"
.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''"
.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''"
.El
.Pp
The following
.Tn FTP
requests (as specified in
.Cm RFC 959 )
are recognized, but are not implemented:
.Sy ACCT ,
.Sy SMNT ,
and
.Sy REIN .
.Sy MDTM
and
.Sy SIZE
are not specified in
.Cm RFC 959 ,
but will appear in the
next updated
.Tn FTP
RFC.
.Pp
The
.Nm
server will abort an active file transfer only when the
.Sy ABOR
command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
as described in Internet
.Cm RFC 959 .
If a
.Sy STAT
command is received during a data transfer, preceded by a Telnet IP
and Synch, transfer status will be returned.
.Pp
.Nm
interprets file names according to the
.Dq globbing
conventions used by
.Xr csh 1 .
This allows users to use the metacharacters
.Dq Li \&*?[]{}~ .
.Ss User authentication
.Nm
authenticates users according to five rules.
.Pp
.Bl -enum -offset indent
.It
The login name must be in the password data base,
.Pa /etc/pwd.db ,
and not have a null password.
In this case a password must be provided by the client before any
file operations may be performed.
If the user has an S/Key key, the response from a successful
.Sy USER
command will include an S/Key challenge.
The client may choose to respond with a
.Sy PASS
command giving either
a standard password or an S/Key one-time password.
The server will automatically determine which type of password it
has been given and attempt to authenticate accordingly.
See
.Xr skey 1
for more information on S/Key authentication.
S/Key is a Trademark of Bellcore.
.It
The login name must be allowed based on the information in
.Xr ftpusers 5 .
.It
The user must have a standard shell returned by
.Xr getusershell 3 .
If the user's shell field in the password database is empty, the
shell is assumed to be
.Pa /bin/sh .
As per
.Xr shells 5 ,
the user's shell must be listed with full path in
.Pa /etc/shells .
.It
If directed by the file
.Xr ftpchroot 5
the session's root directory will be changed by
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
or to the home directory of the user.
However, the user must still supply a password.
This feature is intended as a compromise between a fully anonymous account
and a fully privileged account.
The account should also be set up as for an anonymous account.
.It
If the user name is
.Dq anonymous
or
.Dq ftp ,
an
anonymous
.Tn FTP
account must be present in the password
file (user
.Dq ftp ) .
In this case the user is allowed
to log in by specifying any password (by convention an email address for
the user should be used as the password).
.Pp
The server performs a
.Xr chroot 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy chroot
directive (if set),
the
.Fl a Ar anondir
directory (if set),
or to the home directory of the
.Dq ftp
user.
.Pp
The server then performs a
.Xr chdir 2
to the directory specified in the
.Xr ftpd.conf 5
.Sy homedir
directive (if set), otherwise to
.Pa / .
.Pp
If other restrictions are required (such as disabling of certain
commands and the setting of a specific umask), then appropriate
entries in
.Xr ftpd.conf 5
are required.
.Pp
If the first character of the password supplied by an anonymous user
is
.Dq - ,
then the verbose messages displayed at login and upon a
.Sy CWD
command are suppressed.
.El
.Ss Display file escape sequences
When
.Nm
displays various files back to the client (such as
.Pa /etc/ftpwelcome
and
.Pa /etc/motd ) ,
various escape strings are replaced with information pertinent
to the current connection.
.Pp
The supported escape strings are:
.Bl -tag -width "Escape" -offset indent -compact
.It Sy "Escape"
.Sy Description
.It "\&%c"
Class name.
.It "\&%C"
Current working directory.
.It "\&%E"
Email address given with
.Fl e .
.It "\&%L"
Local hostname.
.It "\&%M"
Maximum number of users for this class.
Displays
.Dq unlimited
if there's no limit.
.It "\&%N"
Current number of users for this class.
.It "\&%R"
Remote hostname.
.It "\&%s"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq s .
.It "\&%S"
If the result of the most recent
.Dq "\&%M"
or
.Dq "\&%N"
was not
.Dq Li 1 ,
print an
.Dq S .
.It "\&%T"
Current time.
.It "\&%U"
User name.
.It "\&%\&%"
A
.Dq \&%
character.
.El
.Ss Setting up a restricted ftp subtree
In order that system security is not breached, it is recommended
that the
subtrees for the
.Dq ftp
and
.Dq chroot
accounts be constructed with care, following these rules
(replace
.Dq ftp
in the following directory names
with the appropriate account name for
.Sq chroot
users):
.Bl -tag -width "~ftp/incoming" -offset indent
.It Pa ~ftp
Make the home directory owned by
.Dq root
and unwritable by anyone.
.It Pa ~ftp/bin
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
Generally any conversion commands should be installed
here (mode 111).
.It Pa ~ftp/etc
Make this directory owned by
.Dq root
and unwritable by anyone (mode 555).
The files
.Pa pwd.db
(see
.Xr passwd 5 )
and
.Pa group
(see
.Xr group 5 )
must be present for the
.Sy LIST
command to be able to display owner and group names instead of numbers.
The password field in
.Xr passwd 5
is not used, and should not contain real passwords.
The file
.Pa motd ,
if present, will be printed after a successful login.
These files should be mode 444.
.It Pa ~ftp/pub
This directory and the subdirectories beneath it should be owned
by the users and groups responsible for placing files in them,
and be writable only by them (mode 755 or 775).
They should
.Em not
be owned or writable by ftp or its group.
.It Pa ~ftp/incoming
This directory is where anonymous users place files they upload.
The owners should be the user
.Dq ftp
and an appropriate group.
Members of this group will be the only users with access to these
files after they have been uploaded; these should be people who
know how to deal with them appropriately.
If you wish anonymous
.Tn FTP
users to be able to see the names of the
files in this directory the permissions should be 770, otherwise
they should be 370.
.Pp
The following
.Xr ftpd.conf 5
directives should be used:
.Dl "modify guest off"
.Dl "umask guest 0707"
.Dl "upload guest on"
.Pp
This will result in anonymous users being able to upload files to this
directory, but they will not be able to download them, delete them, or
overwrite them, due to the umask and disabling of the commands mentioned
above.
.It Pa ~ftp/tmp
This directory is used to create temporary files which contain
the error messages generated by a conversion or
.Sy LIST
command.
The owner should be the user
.Dq ftp .
The permissions should be 300.
.Pp
If you don't enable conversion commands, or don't want anonymous users
uploading files here (see
.Pa ~ftp/incoming
above), then don't create this directory.
However, error messages from conversion or
.Sy LIST
commands won't be returned to the user.
(This is the traditional behaviour.)
Note that the
.Xr ftpd.conf 5
directive
.Sy upload
can be used to prevent users uploading here.
.El
.Pp
To set up "ftp-only" accounts that provide only
.Tn FTP ,
but no valid shell
login, you can copy/link
.Pa /sbin/nologin
to
.Pa /sbin/ftplogin ,
and enter
.Pa /sbin/ftplogin
to
.Pa /etc/shells
to allow logging-in via
.Tn FTP
into the accounts, which must have
.Pa /sbin/ftplogin
as login shell.
.Sh FILES
.Bl -tag -width /etc/ftpwelcome -compact
.It Pa /etc/ftpchroot
List of normal users whose root directory should be changed via
.Xr chroot 2 .
.It Pa /etc/ftpd.conf
Configure file conversions and other settings.
.It Pa /etc/ftpusers
List of unwelcome/restricted users.
.It Pa /etc/ftpwelcome
Welcome notice before login.
.It Pa /etc/motd
Welcome notice after login.
.It Pa /etc/nologin
If it exists, displayed and access is refused.
.It Pa /var/run/ftpd.pids-CLASS
State file of logged-in processes for the
.Nm
class
.Sq CLASS .
.It Pa /var/run/utmp
List of logged-in users on the system.
.It Pa /var/log/wtmp
Login history database.
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr skey 1 ,
.Xr who 1 ,
.Xr getusershell 3 ,
.Xr ftpchroot 5 ,
.Xr ftpd.conf 5 ,
.Xr ftpusers 5 ,
.Xr syslogd 8
.Sh STANDARDS
.Nm
recognizes all commands in
.Cm RFC 959 ,
follows the guidelines in
.Cm RFC 1123 ,
recognizes all commands in
.Cm RFC 2228
(although they are not supported yet),
and supports the extensions from
.Cm RFC 2389 ,
.Cm RFC 2428
and
.Cm draft-ietf-ftpext-mlst-11 .
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Pp
Various features such as the
.Xr ftpd.conf 5
functionality,
.Cm RFC 2389 ,
and
.Cm draft-ietf-ftpext-mlst-11
support was implemented in
.Nx 1.3
and later releases by Luke Mewburn.
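.Pp
The following is an added worked example, not code from the NetBSD
.Nm
sources: a POSIX sh function that builds the restricted subtree described under
.Sx Setting up a restricted ftp subtree
with the ownership and modes recommended there, so the layout can be created
(and audited) in one step rather than by hand.
The owner and group names, the placeholder
.Xr group 5
entry and the motd text are assumptions; ownership is only changed when the
function runs as root, so it can be exercised unprivileged in a scratch
directory.

```sh
#!/bin/sh
# Added example, not part of the NetBSD ftpd sources: create the restricted
# anonymous-ftp subtree (~ftp) with the ownership and modes recommended in
# ftpd(8) "Setting up a restricted ftp subtree".
#
#   mkftptree ROOT [OWNER[:GROUP]]
#
# ROOT becomes ~ftp, the chroot directory. OWNER[:GROUP] (assumed names such
# as ftp:ftpadmin) is applied to ~ftp/incoming and ~ftp/tmp; ownership is
# changed only when running as root, so the layout and modes can be built and
# checked by an unprivileged user in a scratch directory.
#
# Pair this with the ftpd.conf(5) directives the manual recommends for the
# guest class:  modify guest off / umask guest 0707 / upload guest on
mkftptree() {
    root=$1
    owner=$2
    [ -n "$root" ] || { echo "usage: mkftptree ROOT [OWNER[:GROUP]]" >&2; return 2; }

    # Create everything first; the parents are made unwritable last.
    mkdir -p "$root/bin" "$root/etc" "$root/pub" "$root/incoming" "$root/tmp" || return 1

    # ~ftp/etc: LIST needs group(5) and pwd.db to print names instead of
    # numbers. pwd.db must be built with pwd_mkdb(8) from a passwd file whose
    # password fields are "*"; the group entry below is a constructed
    # placeholder, substitute the real gid.
    printf 'ftp:*:14:\n' > "$root/etc/group"
    printf 'Anonymous FTP. Uploads go to /incoming and cannot be read back.\n' > "$root/etc/motd"
    chmod 444 "$root/etc/group" "$root/etc/motd"

    chmod 555 "$root/bin" "$root/etc"   # root-owned, unwritable; conversion commands mode 111
    chmod 755 "$root/pub"               # owned by the maintainers, never by ftp or its group
    chmod 370 "$root/incoming"          # ftp: create only, no listing; group: full access
                                        # (use 770 if anonymous users may list names)
    chmod 300 "$root/tmp"               # ftp-owned scratch for conversion/LIST error output
    chmod 555 "$root"                   # ~ftp itself: root-owned, unwritable by anyone

    if [ "$(id -u)" -eq 0 ]; then
        chown root "$root" "$root/bin" "$root/etc" || return 1
        [ -z "$owner" ] || chown "$owner" "$root/incoming" "$root/tmp" || return 1
    fi
}

# ftpmode PATH: print the symbolic mode (first ten characters of ls -l) so the
# result can be checked portably, e.g. "d-wxrwx---" for mode 370.
ftpmode() {
    ls -ld "$1" | cut -c1-10
}
```

Run it as root on the real anonymous home, for example
.Ql "mkftptree /home/ftp ftp:ftpadmin" ,
then verify with
.Ql "ftpmode /home/ftp/incoming" .
Leave out
.Pa ~ftp/tmp
(remove it after creation) unless conversion commands are enabled, as the
manual advises.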
.Sh BUGS
The server must run as the super-user to create sockets with
privileged port numbers (i.e., those less than
.Dv IPPORT_RESERVED ,
which is 1024).
If
.Nm
is listening on a privileged port
it maintains an effective user id of the logged in user, reverting
to the super-user only when binding addresses to privileged sockets.
The
.Fl r
option can be used to override this behaviour and force privileges to
be permanently revoked; see
.Sx SECURITY CONSIDERATIONS
below for more details.
.Pp
.Nm
may have trouble handling connections from scoped IPv6 addresses, or
IPv4 mapped addresses
.Po
IPv4 connection on
.Dv AF_INET6
socket
.Pc .
For the latter case, running two daemons,
one for IPv4 and one for IPv6, will avoid the problem.
.Sh SECURITY CONSIDERATIONS
.Cm RFC 959
provides no restrictions on the
.Sy PORT
command, and this can lead to security problems, as
.Nm
can be fooled into connecting to any service on any host.
With the
.Dq checkportcmd
feature of
.Xr ftpd.conf 5 ,
.Sy PORT
commands with different host addresses, or TCP ports lower than
.Dv IPPORT_RESERVED ,
will be rejected.
This also prevents
.Sq third-party proxy ftp
from working.
Use of this option is
.Em strongly
recommended, and enabled by default.
.Pp
By default
.Nm
uses a port that is one less than the port it is listening on to
communicate back to the client for the
.Sy EPRT ,
.Sy LPRT ,
and
.Sy PORT
commands, unless overridden with
.Fl P Ar dataport .
As the default port for
.Nm
(21) is a privileged port below
.Dv IPPORT_RESERVED ,
.Nm
retains the ability to switch back to root privileges to bind these
ports.
In order to increase security by reducing the potential for a bug in
.Nm
providing a remote root compromise,
.Nm
will permanently drop root privileges if one of the following is true:
.Bl -enum -offset indent
.It
.Nm
is running on a port greater than
.Dv IPPORT_RESERVED
and the user has logged in as a
.Sq guest
or
.Sq chroot
user.
.It
.Nm
was invoked with
.Fl r .
.El
.Pp
Don't create
.Pa ~ftp/tmp
if you don't want anonymous users to upload files there.
That directory is only necessary if you want to display the error
messages of conversion commands to the user.
Note that if uploads are disabled with the
.Xr ftpd.conf 5
directive
.Sy upload ,
then this directory cannot be abused by the user in this way, so it
should be safe to create.
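.Pp
The following is an added worked example, not
.Nm Ns 's
own implementation of
.Dq checkportcmd :
a POSIX sh function that applies the same two rules to a
.Sy PORT
argument, so the effect of the check on concrete requests (a normal active-mode
data connection back to the client, a bounce to a third host, a connection to a
privileged port on the client) can be seen without a running server.
The
.Cm RFC 959
.Sy PORT
encoding
.Pq Li h1,h2,h3,h4,p1,p2
is the one assumed; how the caller learns the client's control-connection
address (here passed in as an argument) is left to the caller.

```sh
#!/bin/sh
# Added example, not ftpd's own code: the check behind the ftpd.conf(5)
# "checkportcmd" directive, as a standalone function.
#
#   check_port_cmd PEER_ADDR PORT_ARG    -> 0 accept, 1 reject
#
# PEER_ADDR is the dotted-quad address of the client's control connection
# (an assumption about the caller: obtain it from getpeername(2) or inetd's
# environment). PORT_ARG is the RFC 959 argument "h1,h2,h3,h4,p1,p2": the
# host as four decimal bytes and the port as p1*256+p2.
#
# Rejecting any host other than the client stops ftpd being used as a
# proxy to reach (or port-scan) third parties; rejecting ports below
# IPPORT_RESERVED stops the data connection being pointed at a privileged
# service on the client itself.
IPPORT_RESERVED=1024

# is_byte N: true if N is a decimal integer 0..255 (no sign, no blanks).
is_byte() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 255 ]
}

check_port_cmd() {
    peer=$1
    arg=$2

    # Split the argument on commas into the positional parameters.
    oldifs=$IFS; IFS=,; set -- $arg; IFS=$oldifs
    [ $# -eq 6 ] || return 1                     # malformed: wrong field count
    for b in "$1" "$2" "$3" "$4" "$5" "$6"; do
        is_byte "$b" || return 1                 # malformed: field not a byte
    done

    host="$1.$2.$3.$4"
    port=$(( $5 * 256 + $6 ))

    [ "$host" = "$peer" ] || return 1            # bounce attempt: other host
    [ "$port" -ge "$IPPORT_RESERVED" ] || return 1   # privileged port on client
    return 0
}
```

Calling
.Ql "check_port_cmd 192.0.2.10 192,0,2,10,4,1"
(data port 1025 on the client) succeeds, whereas
.Ql "check_port_cmd 192.0.2.10 203,0,113,5,4,1"
and
.Ql "check_port_cmd 192.0.2.10 192,0,2,10,0,25"
fail.
The addresses are constructed documentation-range values.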