Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
FTPD(8)			  BSD System Manager's Manual		       FTPD(8)

     ftpd -- Internet File Transfer Protocol server

     ftpd [-dHlqQrsuUwWX] [-a anondir] [-c confdir] [-C	user] [-e emailaddr]
	  [-h hostname]	[-P dataport] [-V version]

     ftpd is the Internet File Transfer	Protocol server	process.  The server
     uses the TCP protocol and listens at the port specified in	the "ftp" ser-
     vice specification; see services(5).

     Available options:

     -a	anondir
	     Define anondir as the directory to	chroot(2) into for anonymous
	     logins.  Default is the home directory for	the ftp	user.  This
	     can also be specified with	the ftpd.conf(5) chroot	directive.

     -c	confdir
	     Change the	root directory of the configuration files from "/etc"
	     to	confdir.  This changes the directory for the following files:
	     /etc/ftpchroot, /etc/ftpusers, /etc/ftpwelcome, /etc/motd,	and
	     the file specified	by the ftpd.conf(5) limit directive.

     -C	user
	     Check whether user	would be granted access	under the restrictions
	     given in ftpusers(5) and exit without attempting a	connection.
	     ftpd exits	with an	exit code of 0 if access would be granted, or
	     1 otherwise.  This	can be useful for testing configurations.

     -d	     Debugging information is written to the syslog using a facility
	     of	LOG_FTP.

     -e	emailaddr
	     Use emailaddr for the "%E"	escape sequence	(see Display file
	     escape sequences)

     -h	hostname
	     Explicitly	set the	hostname to advertise as to hostname.  The de-
	     fault is the hostname associated with the IP address that ftpd is
	     listening on.  This ability (with or without -h), in conjunction
	     with -c confdir, is useful	when configuring `virtual' FTP
	     servers, each listening on	separate addresses as separate names.
	     Refer to inetd.conf(5) for	more information on starting services
	     to	listen on specific IP addresses.

     -H	     Equivalent	to "-h `hostname`".

     -l	     Each successful and failed	FTP session is logged using syslog
	     with a facility of	LOG_FTP.  If this option is specified more
	     than once,	the retrieve (get), store (put), append, delete, make
	     directory,	remove directory and rename operations and their file
	     name arguments are	also logged.

     -P	dataport
	     Use dataport as the data port, overriding the default of using
	     the port one less that the	port ftpd is listening on.

     -q	     Enable the	use of pid files for keeping track of the number of
	     logged-in users per class.	 This is the default.

     -Q	     Disable the use of	pid files for keeping track of the number of
	     logged-in users per class.	 This may reduce the load on heavily
	     loaded FTP	servers.

     -r	     Permanently drop root privileges once the user is logged in.  The
	     use of this option	may result in the server using a port other
	     than the (listening-port -	1) for PORT style commands, which is
	     contrary to the RFC 959 specification, but	in practice very few
	     clients rely upon this behaviour.	See SECURITY CONSIDERATIONS
	     below for more details.

     -s	     Require a secure authentication mechanism like Kerberos or	S/Key
	     to	be used.

     -u	     Log each concurrent FTP session to	/var/run/utmp, making them
	     visible to	commands such as who(1).

     -U	     Don't log each concurrent FTP session to /var/run/utmp.  This is
	     the default.

     -V	version
	     Use version as the	version	to advertise in	the login banner and
	     in	the output of STAT and SYST instead of the default version in-
	     formation.	 If version is empty or	`-' then don't display any
	     version information.

     -w	     Log each FTP session to /var/log/wtmp, making them	visible	to
	     commands such as last(1).	This is	the default.

     -W	     Don't log each FTP	session	to /var/log/wtmp.

     -X	     Log wu-ftpd style `xferlog' entries to the	syslog,	prefixed with
	     "xferlog: ", using	a facility of LOG_FTP.	These syslog entries
	     can be converted to a wu-ftpd style xferlog file suitable for in-
	     put into a	third-party log	analysis tool with a command similar
		   grep	'xferlog: ' /var/log/xferlog | \
		      sed -e 's/^.*xferlog: //'	> wuxferlog

     The file /etc/nologin can be used to disable FTP access.  If the file ex-
     ists, ftpd	displays it and	exits.	If the file /etc/ftpwelcome exists,
     ftpd prints it before issuing the "ready" message.	 If the	file /etc/motd
     exists (under the chroot directory	if applicable),	ftpd prints it after a
     successful	login.	This may be changed with the ftpd.conf(5) directive

     The ftpd server currently supports	the following FTP requests.  The case
     of	the requests is	ignored.

	   Request    Description
	   ABOR	      abort previous command
	   ACCT	      specify account (ignored)
	   ALLO	      allocate storage (vacuously)
	   APPE	      append to	a file
	   CDUP	      change to	parent of current working directory
	   CWD	      change working directory
	   DELE	      delete a file
	   EPSV	      prepare for server-to-server transfer
	   EPRT	      specify data connection port
	   FEAT	      list extra features that are not defined in RFC 959
	   HELP	      give help	information
	   LIST	      give list	files in a directory ("ls -lA")
	   LPSV	      prepare for server-to-server transfer
	   LPRT	      specify data connection port
	   MLSD	      list contents of directory in a machine-processable form
	   MLST	      show a pathname in a machine-processable form
	   MKD	      make a directory
	   MDTM	      show last	modification time of file
	   MODE	      specify data transfer mode
	   NLST	      give name	list of	files in directory
	   NOOP	      do nothing
	   OPTS	      define persistent	options	for a given command
	   PASS	      specify password
	   PASV	      prepare for server-to-server transfer
	   PORT	      specify data connection port
	   PWD	      print the	current	working	directory
	   QUIT	      terminate	session
	   REST	      restart incomplete transfer
	   RETR	      retrieve a file
	   RMD	      remove a directory
	   RNFR	      specify rename-from file name
	   RNTO	      specify rename-to	file name
	   SITE	      non-standard commands (see next section)
	   SIZE	      return size of file
	   STAT	      return status of server
	   STOR	      store a file
	   STOU	      store a file with	a unique name
	   STRU	      specify data transfer structure
	   SYST	      show operating system type of server system
	   TYPE	      specify data transfer type
	   USER	      specify user name
	   XCUP	      change to	parent of current working directory
	   XCWD	      change working directory (deprecated)
	   XMKD	      make a directory (deprecated)
	   XPWD	      print the	current	working	directory (deprecated)
	   XRMD	      remove a directory (deprecated)

     The following non-standard	or UNIX	specific commands are supported	by the
     SITE request.

	   Request    Description
	   CHMOD      change mode of a file, e.g. ``SITE CHMOD 755 filename''
	   HELP	      give help	information.
	   IDLE	      set idle-timer, e.g. ``SITE IDLE 60''
	   RATEGET    set maximum get rate throttle in bytes/second, e.g.
		      ``SITE RATEGET 5k''
	   RATEPUT    set maximum put rate throttle in bytes/second, e.g.
		      ``SITE RATEPUT 5k''
	   UMASK      change umask, e.g. ``SITE	UMASK 002''

     The following FTP requests	(as specified in RFC 959) are recognized, but
     are not implemented: ACCT,	SMNT, and REIN.	 MDTM and SIZE are not speci-
     fied in RFC 959, but will appear in the next updated FTP RFC.

     The ftpd server will abort	an active file transfer	only when the ABOR
     command is	preceded by a Telnet "Interrupt	Process" (IP) signal and a
     Telnet "Synch" signal in the command Telnet stream, as described in In-
     ternet RFC	959.  If a STAT	command	is received during a data transfer,
     preceded by a Telnet IP and Synch,	transfer status	will be	returned.

     ftpd interprets file names	according to the "globbing" conventions	used
     by	csh(1).	 This allows users to utilize the metacharacters "*?[]{}~".

   User	authentication
     ftpd authenticates	users according	to five	rules.

	   1.	The login name must be in the password data base, /etc/pwd.db,
		and not	have a null password.  In this case a password must be
		provided by the	client before any file operations may be per-
		formed.	 If the	user has an S/Key key, the response from a
		successful USER	command	will include an	S/Key challenge.  The
		client may choose to respond with a PASS command giving	either
		a standard password or an S/Key	one-time password.  The	server
		will automatically determine which type	of password it has
		been given and attempt to authenticate accordingly.  See
		skey(1)	for more information on	S/Key authentication.  S/Key
		is a Trademark of Bellcore.

	   2.	The login name must be allowed based on	the information	in

	   3.	The user must have a standard shell returned by
		getusershell(3).  If the user's	shell field in the password
		database is empty, the shell is	assumed	to be /bin/sh.	As per
		shells(5), the user's shell must be listed with	full path in

	   4.	If directed by the file	ftpchroot(5) the session's root	direc-
		tory will be changed by	chroot(2) to the directory specified
		in the ftpd.conf(5) chroot directive (if set), or to the home
		directory of the user.	However, the user must still supply a
		password.  This	feature	is intended as a compromise between a
		fully anonymous	account	and a fully privileged account.	 The
		account	should also be set up as for an	anonymous account.

	   5.	If the user name is "anonymous"	or "ftp", an anonymous FTP ac-
		count must be present in the password file (user "ftp").  In
		this case the user is allowed to log in	by specifying any
		password (by convention	an email address for the user should
		be used	as the password).

		The server performs a chroot(2)	to the directory specified in
		the ftpd.conf(5) chroot	directive (if set), the	-a anondir di-
		rectory	(if set), or to	the home directory of the "ftp"	user.

		The server then	performs a chdir(2) to the directory specified
		in the ftpd.conf(5) homedir directive (if set),	otherwise to

		If other restrictions are required (such as disabling of cer-
		tain commands and the setting of a specific umask), then ap-
		propriate entries in ftpd.conf(5) are required.

		If the first character of the password supplied	by an anony-
		mous user is "-", then the verbose messages displayed at login
		and upon a CWD command are suppressed.

   Display file	escape sequences
     When ftpd displays	various	files back to the client (such as
     /etc/ftpwelcome and /etc/motd), various escape strings are	replaced with
     information pertinent to the current connection.

     The supported escape strings are:
	   Escape  Description
	   %c	   Class name.
	   %C	   Current working directory.
	   %E	   Email address given with -e.
	   %L	   Local hostname.
	   %M	   Maximum number of users for this class.  Displays
		   "unlimited" if there's no limit.
	   %N	   Current number of users for this class.
	   %R	   Remote hostname.
	   %s	   If the result of the	most recent "%M" or "%N" was not "1",
		   print an "s".
	   %S	   If the result of the	most recent "%M" or "%N" was not "1",
		   print an "S".
	   %T	   Current time.
	   %U	   User	name.
	   %%	   A "%" character.

   Setting up a	restricted ftp subtree
     In	order that system security is not breached, it is recommended that the
     subtrees for the "ftp" and	"chroot" accounts be constructed with care,
     following these rules (replace "ftp" in the following directory names
     with the appropriate account name for `chroot' users):

	   ~ftp		  Make the home	directory owned	by "root" and un-
			  writable by anyone.

	   ~ftp/bin	  Make this directory owned by "root" and unwritable
			  by anyone (mode 555).	 Generally any conversion com-
			  mands	should be installed here (mode 111).

	   ~ftp/etc	  Make this directory owned by "root" and unwritable
			  by anyone (mode 555).	 The files pwd.db (see
			  passwd(5)) and group (see group(5)) must be present
			  for the LIST command to be able to display owner and
			  group	names instead of numbers.  The password	field
			  in passwd(5) is not used, and	should not contain
			  real passwords.  The file motd, if present, will be
			  printed after	a successful login.  These files
			  should be mode 444.

	   ~ftp/pub	  This directory and the subdirectories	beneath	it
			  should be owned by the users and groups responsible
			  for placing files in them, and be writable only by
			  them (mode 755 or 775).  They	should not be owned or
			  writable by ftp or its group.

	   ~ftp/incoming  This directory is where anonymous users place	files
			  they upload.	The owners should be the user "ftp"
			  and an appropriate group.  Members of	this group
			  will be the only users with access to	these files
			  after	they have been uploaded; these should be peo-
			  ple who know how to deal with	them appropriately.
			  If you wish anonymous	FTP users to be	able to	see
			  the names of the files in this directory the permis-
			  sions	should be 770, otherwise they should be	370.

			  The following	ftpd.conf(5) directives	should be
				modify guest off
				umask  guest 0707
				upload guest on

			  This will result in anonymous	users being able to
			  upload files to this directory, but they will	not be
			  able to download them, delete	them, or overwrite
			  them,	due to the umask and disabling of the commands
			  mentioned above.

	   ~ftp/tmp	  This directory is used to create temporary files
			  which	contain	the error messages generated by	a con-
			  version or LIST command.  The	owner should be	the
			  user "ftp".  The permissions should be 300.

			  If you don't enable conversion commands, or don't
			  want anonymous users uploading files here (see
			  ~ftp/incoming	above),	then don't create this direc-
			  tory.	 However, error	messages from conversion or
			  LIST commands	won't be returned to the user.	(This
			  is the traditional behaviour.)  Note that the
			  ftpd.conf(5) directive upload	can be used to prevent
			  users	uploading here.

     To	set up "ftp-only" accounts that	provide	only FTP, but no valid shell
     login, you	can copy/link /sbin/nologin to /sbin/ftplogin, and enter
     /sbin/ftplogin to /etc/shells to allow logging-in via FTP into the	ac-
     counts, which must	have /sbin/ftplogin as login shell.

     /etc/ftpchroot   List of normal users whose root directory	should be
		      changed via chroot(2).
     /etc/ftpd.conf   Configure	file conversions and other settings.
     /etc/ftpusers    List of unwelcome/restricted users.
     /etc/ftpwelcome  Welcome notice before login.
     /etc/motd	      Welcome notice after login.
     /etc/nologin     If it exists, displayed and access is refused.
		      State file of logged-in processes	for the	ftpd class
     /var/run/utmp    List of logged-in	users on the system.
     /var/log/wtmp    Login history database.

     ftp(1), skey(1), who(1), getusershell(3), ftpchroot(5), ftpd.conf(5),
     ftpusers(5), syslogd(8)

     ftpd recognizes all commands in RFC 959, follows the guidelines in	RFC
     1123, recognizes all commands in RFC 2228 (although they are not sup-
     ported yet), and supports the extensions from RFC 2389, RFC 2428 and

     The ftpd command appeared in 4.2BSD.

     Various features such as the ftpd.conf(5) functionality, RFC 2389,	and
     draft-ietf-ftpext-mlst-11 support was implemented in NetBSD 1.3 and later
     releases by Luke Mewburn <>.

     The server	must run as the	super-user to create sockets with privileged
     port numbers (i.e,	those less than	IPPORT_RESERVED, which is 1024).  If
     ftpd is listening on a privileged port it maintains an effective user id
     of	the logged in user, reverting to the super-user	only when binding ad-
     dresses to	privileged sockets.  The -r option can be used to override
     this behaviour and	force privileges to be permanently revoked; see
     SECURITY CONSIDERATIONS below for more details.

     ftpd may have trouble handling connections	from scoped IPv6 addresses, or
     IPv4 mapped addresses (IPv4 connection on AF_INET6	socket).  For the lat-
     ter case, running two daemons, one	for IPv4 and one for IPv6, will	avoid
     the problem.

     RFC 959 provides no restrictions on the PORT command, and this can	lead
     to	security problems, as ftpd can be fooled into connecting to any	ser-
     vice on any host.	With the "checkportcmd"	feature	of the ftpd.conf(5),
     PORT commands with	different host addresses, or TCP ports lower than
     IPPORT_RESERVED will be rejected.	This also prevents `third-party	proxy
     ftp' from working.	 Use of	this option is strongly	recommended, and en-
     abled by default.

     By	default	ftpd uses a port that is one less than the port	it is listen-
     ing on to communicate back	to the client for the EPRT, LPRT, and PORT
     commands, unless overridden with -P dataport.  As the default port	for
     ftpd (21) is a privileged port below IPPORT_RESERVED, ftpd	retains	the
     ability to	switch back to root privileges to bind these ports.  In	order
     to	increase security by reducing the potential for	a bug in ftpd provid-
     ing a remote root compromise, ftpd	will permanently drop root privileges
     if	one of the following is	true:

	   1.	ftpd is	running	on a port greater than IPPORT_RESERVED and the
		user has logged	in as a	`guest'	or `chroot' user.

	   2.	ftpd was invoked with -r.

     Don't create ~ftp/tmp if you don't	want anonymous users to	upload files
     there.  That directory is only necessary if you want to display the error
     messages of conversion commands to	the user.  Note	that if	uploads	are
     disabled with the ftpd.conf(5) directive upload, then this	directory can-
     not be abused by the user in this way, so it should be safe to create.

BSD			       October 13, 2001				   BSD


Want to link to this manual page? Use this URL:

home | help