ftpd.8
- .TH ftpd 8 "28 Sep 1995" "Troll Tech AS" \" -*- nroff -*-
- .\"
- .\" Written by Arnt Gulbrandsen <agulbra@troll.no> and copyright 1995-1999
- .\" Troll Tech AS, Waldemar Thranes gate 98B, N-0175 Oslo, Norway, fax +47
- .\" 22806380.
- .\"
- .\" Use, modification and distribution is allowed without limitation,
- .\" warranty, or liability of any kind.
- .\"
- .\" $Id: ftpd.8,v 1.18 1999/01/02 07:32:15 agulbra Exp $
- .\"
- .SH NAME
- ftpd - simple File Transfer Protocol server
- .SH SYNOPSIS
- .B ftpd [-c clients] [-d [-d]] [-f facility] [-m maxload] [-s] [-p first:last] [-u uid]
- .SH DESCRIPTION
- .B Ftpd
- is a small, simple server for the old and hairy File Transfer
- Protocol, designed to use less resources than older servers, be
- smaller, and to never execute any external program.
- .PP
- It supports only the most-used features and commands of FTP, and
- leaves out everything which is deprecated, meaningless, or correlates
- with trouble.
- .SH OPTIONS
- .TP
- .B -c clients
- Allow a maximum of
- .I clients
- to be connected.
- .I clients
- must be at least 1, and if you combine it with
- .B -p
- it will be forced down to half the number of ports specified by
- .B -p.
- If more than
- .I clients
- are connected, new clients are rejected at once, even clients wishing
- to upload, or to log in as normal users. Therefore, it is advisable
- to use
- .B -m
- as primary overload protection. The default is infinity.
- .TP
- .B -d
- turns on debug logging. You can also turn this on by sending SIGUSR1
- to the ftpd while it's running. Every command is logged at the
- LOG_DEBUG level, except that the argument to PASS is changed to
- "<password>". If you repeat
- .B -d
- (or SIGUSR1), responses too are logged. SIGUSR2 negates
- .BR "" SIGUSR1/ -d .
- .TP
- .B -f facility
- makes ftpd use
- .I facility
- for all
- .BR syslog (3)
- messages.
- .I facility
- defaults to local2. The facility names are normally listed in
- .IR /usr/include/syslog.h " or " /usr/include/sys/syslog.h .
- Note that if
- .B -f
- is not the first option on the command line, a couple of messages may
- be logged to local2 before the
- .B -f
- option is parsed.
- .TP
- .B -m load
- Do not allow anonymous users to download files if the load is above
- .I load
- when the user connects. Uploads and file listings are still allowed,
- as are downloads by real users. The user is not told about this until
- he/she tries to download a file.
- .TP
- .B -p first:last
- Use only ports in the range
- .IR first
- to
- .I last
- inclusive for passive-mode data connections. This means that clients will
- not try to open connections to TCP ports outside the range
- .IR first - last ,
- which makes troll-ftpd more compatible with packet filters. Note that
- the maximum number of clients (specified with
- .BR -c )
- is forced down to
- .IR "" ( last +1- first )/2
- if it is greater, as the default is. (The syntax for the port range
- is, conveniently, the same as that of
- .BR ipfwadm (8)).
- .TP
- .B -s
- Don't allow anonymous users to retrieve files owned by "ftp"
- (generally, files uploaded by other anonymous users).
- .TP
- .B -u uid
- Do not allow uids below
- .I uid
- to log in (typically, low-numbered
- .IR uid s
- are used for administrative accounts).
- .B "-u 100"
- is sufficient to deny access to all administrative accounts on many
- Linux boxes, where 99 is the last administrative account. Anonymous
- FTP is allowed even if the uid of the ftp user is smaller than
- .IR uid .
- .B "-u 1"
- denies access only to root accounts. The default is to allow FTP
- access to all accounts.
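- .PP
- As an added example (not code from
- .B ftpd
- or this manual), the following Python helper shows what the
- .B -p
- range means on the wire: it parses the 227 reply to PASV, computes the
- data port as p1*256+p2, checks it against the same first:last syntax
- that
- .B -p
- takes, and computes the
- .B -c
- limit that a range forces. The replies and the range 40000:40099 are
- constructed. The check that the announced host matches the control
- connection's peer is a client-side caveat assumed here, not something
- this manual describes.

```python
"""Check PASV replies against a -p first:last port range (added example).

Not ftpd's own code.  ftpd's -p option confines passive-mode data ports to
first..last so a packet filter can permit only that range; this client-side
helper parses the 227 reply (RFC 959 "h1,h2,h3,h4,p1,p2" form) and reports
whether the announced endpoint is one such a filter would let through.
The replies below are constructed, not captured from a real server.
"""

import re

# Only the six numbers are parsed: servers vary in the surrounding text
# and bracket style of the 227 reply.
_PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port_range(spec):
    """Parse "first:last" as given to ftpd -p.  Returns (first, last)."""
    first, last = (int(x) for x in spec.split(":", 1))
    if not (0 < first <= last <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return first, last


def max_clients_for_range(first, last, requested=None):
    """Effective -c limit: (last+1-first)/2, or less if -c asked for less."""
    limit = (last + 1 - first) // 2
    return limit if requested is None else min(requested, limit)


def parse_pasv_reply(reply):
    """Return (host, port) from a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no address tuple in {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_endpoint_ok(reply, port_range, control_host):
    """True if the data port lies in the -p range and the host is the control peer.

    A data address that differs from the control connection's peer would
    send the client to a third host.  Refusing it is a client-side caveat
    assumed here; ftpd itself is not documented as enforcing anything
    about it.
    """
    host, port = parse_pasv_reply(reply)
    first, last = parse_port_range(port_range)
    return host == control_host and first <= port <= last


# Constructed sample replies for a server started with -p 40000:40099.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (10,11,12,13,156,64)",   # 40000: in range
    "227 Entering Passive Mode (10,11,12,13,156,163)",  # 40099: in range
    "227 Entering Passive Mode (10,11,12,13,156,164)",  # 40100: outside range
    "227 Entering Passive Mode (192,0,2,9,156,64)",     # port ok, wrong host
]

if __name__ == "__main__":
    print("forced -c limit for 40000:40099:", max_clients_for_range(40000, 40099))
    for r in SAMPLE_REPLIES:
        print(parse_pasv_reply(r), pasv_endpoint_ok(r, "40000:40099", "10.11.12.13"))
```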
- .SH AUTHENTICATION
- Some of the complexities of older servers are left out.
- .PP
- Normal users are authenticated using USER, PASS and
- .I /etc/shells
- only. In particular,
- .I /etc/ftpusers
- is
- .I not
- consulted, since I think the name is misleading.
- .PP
- Anonymous users are authenticated in any of three ways:
- .PP
- 1. The user logs in as "ftp" or "anonymous" and there is an
- account called "ftp" with an existing home directory. This server
- does not ask anonymous users for an email address or other password.
- .PP
- 2. The user connects to an IP address which resolves to the name of a
- directory in
- .I /var/adm/ftp
- (or a symlink in that directory to a real directory), and there is an
- account called "ftp" (which does not need to have a valid home
- directory). See
- .B Virtual Servers
- below.
- .PP
- 3. The user performs a CWD, PASV or PORT command without being
- authenticated by either of the previous methods, and there is an
- account called "ftp" with an existing home directory. This allows
- anonymous users to log in automatically, by simply changing directory,
- up- or downloading a file.
- .PP
- .B Ftpd
- does a
- .BR chroot (2)
- to the relevant base directory when an anonymous user logs in.
- .PP
- Note that
- .B ftpd
- allows remote users to log in as root if the password is known and -u
- not used.
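- .PP
- To see which local accounts a given command line admits, here is an
- added Python model of the rules stated above (USER/PASS checked against
- .I /etc/shells
- only, no
- .I /etc/ftpusers,
- the
- .B -u
- floor, and "ftp" admitted for anonymous access regardless of its uid).
- It is not
- .B ftpd
- code, and the passwd and shells contents in it are constructed for the
- example rather than taken from a real host.

```python
"""Model of troll-ftpd's documented login rules (added example).

Not ftpd's own code: it reproduces the rules stated in the OPTIONS and
AUTHENTICATION sections of the manual (USER/PASS plus /etc/shells, no
/etc/ftpusers, the -u uid floor, "ftp" always admitted for anonymous FTP)
so an administrator can see which accounts a command line would admit.
The passwd and shells contents below are constructed sample data.
"""

from dataclasses import dataclass

# Constructed sample data standing in for /etc/passwd and /etc/shells.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/dev/null
operator:x:11:0:operator:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/sbin/nologin
"""

SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
"""


@dataclass
class Account:
    name: str
    uid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines into Account records, skipping blanks and comments."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        accounts.append(Account(name, int(uid), home, shell))
    return accounts


def parse_shells(text):
    """Return the set of shells listed in shells(5) format."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("#")}


def ftp_login_allowed(acct, shells, min_uid=0):
    """Return (allowed, reason) for a USER/PASS login as this account.

    min_uid is the -u argument; the documented default is to allow every
    account, root included, so 0 is used here.  The "ftp" account is
    anonymous FTP and is admitted regardless of -u (it still needs an
    existing home directory or a virtual-server directory, which this
    model does not check).
    """
    if acct.name == "ftp":
        return True, "anonymous (uid floor does not apply)"
    if acct.uid < min_uid:
        return False, f"uid {acct.uid} below -u {min_uid}"
    if acct.shell not in shells:
        return False, f"shell {acct.shell} not in /etc/shells"
    return True, "normal user"


def admitted_accounts(passwd_text, shells_text, min_uid=0):
    """Sorted names of accounts ftpd would let log in with -u min_uid."""
    shells = parse_shells(shells_text)
    return sorted(a.name for a in parse_passwd(passwd_text)
                  if ftp_login_allowed(a, shells, min_uid)[0])


if __name__ == "__main__":
    for floor in (0, 1, 100):
        print(f"-u {floor}: {admitted_accounts(SAMPLE_PASSWD, SAMPLE_SHELLS, floor)}")
```

- .PP
- With the sample data, the default (no
- .BR -u )
- admits root and operator as well as alice, and
- .B "-u 100"
- leaves only alice and the anonymous "ftp" account.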
- .SH "UNUSUAL FEATURES"
- The internal
- .B ls
- (see below) uses two files,
- .I /var/adm/ftp/users
- and
- .IR /var/adm/ftp/groups ,
- to look up file owner and group names quickly. These files are
- written by
- .B mkusers
- which is hopefully run nightly by
- .BR cron (8).
- .PP
- .B Ftpd
- never switches uid and euid, it uses
- .BR setfsuid (2)
- instead. The main reason is that uid switching has been exploited in
- several breakins, but the sheer ugliness of uid switching counts too.
- .B Ftpd
- only calls
- .BR setfsuid (2)
- once, at login.
- .PP
- As noted above, this
- .B ftpd
- omits several features that are required by the RFC or might be
- considered useful at first. Here is a list of the most important
- omissions.
- .PP
- ASCII mode transfer is omitted, because it's useful so seldom and
- trips careless users so often. If the client tries to download
- a file in ASCII mode,
- .B ftpd
- prints a warning at the start of the download.
- .PP
- STRU and MODE are not supported. If a client tries to set a structure
- other than file (the default), or a TYPE other than A (ASCII), I or L 8,
- .B ftpd
- refuses to play.
- .PP
- On-the-fly tar is not supported, for several reasons. I feel that
- users who want to get many files should use a special FTP client such
- as "mirror," which also supports incremental fetch. I don't want to
- either add several hundred lines of code to create tar files or
- execute an external tar. Finally, on-the-fly tar distorts log files.
- .PP
- On-the-fly compression is left out too. Most files on an FTP site are
- compressed already, and if a file isn't, there presumably is a reason
- why. (As for decompression: Don't FTP users waste bandwidth enough
- without help from on-the-fly decompression?)
- .SH "ANONYMOUS FTP"
- This server leaves out some of the commands and features that have
- been used to subvert anonymous FTP servers in the past, but still you
- have to be a little bit careful in order to support anonymous FTP
- without risk to the rest of your files.
- .PP
- Make
- .I ~ftp
- and all files and directories below this directory owned by some user
- other than "ftp," and only the
- .I .../incoming
- directory/directories writable by "ftp." It is probably best if all
- directories are writable only by a special group such as "ftpadmin"
- and "ftp" is not a member of this group.
- .PP
- If you do not trust the local users, put
- .I ~ftp
- on a separate partition, so local users can't hard-link unapproved
- files into the anonymous FTP area.
- .PP
- Use of the
- .B -s
- option is strongly suggested. (Simply add "-s" to the end of the
- .B ftpd
- line in
- .I /etc/inetd.conf
- to enable it.)
- .PP
- Most other FTP servers require that a number of files such as
- .I ~ftp/bin/ls
- exist. This server does not require that any files or directories
- within
- .I ~ftp
- whatsoever exist, and I recommend that all such unnecessary files are
- removed (for no real reason).
- .PP
- It may be worth considering to run the anonymous FTP service as a
- virtual server, to get automatic logins and to firewall off the FTP
- address/port to which real users can log in.
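- .PP
- The following Python script is an added example, not part of
- .BR ftpd ,
- that audits an anonymous FTP tree against the advice above: it reports
- entries owned by the "ftp" user, entries the "ftp" user could write to
- outside a directory named "incoming", and regular files with more than
- one hard link. The "ftp" uid and group ids are passed in rather than
- looked up so it runs unprivileged and against a throwaway tree; the
- "incoming" name and the hard-link rule are assumptions of the example,
- not anything
- .B ftpd
- enforces.

```python
"""Audit an anonymous FTP tree against the ANONYMOUS FTP advice (added example).

Not part of ftpd.  It walks a directory and reports what the manual advises
against: entries owned by the "ftp" user, entries that user could write to
outside directories named "incoming", and regular files with more than one
hard link (the separate-partition advice).  The uid and groups of "ftp"
are parameters, so it runs unprivileged; make_sample_tree() builds a
constructed tree for demonstration.
"""

import os
import stat
import tempfile


def ftp_can_write(st, ftp_uid, ftp_gids):
    """Would a process running as the ftp user have write permission on st?"""
    mode = st.st_mode
    if st.st_uid == ftp_uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in ftp_gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_anon_tree(root, ftp_uid, ftp_gids=frozenset(), incoming_name="incoming"):
    """Return a sorted list of (path relative to root, problem) tuples."""
    root = os.path.abspath(root)
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    problems = []
    for path in paths:
        st = os.lstat(path)                 # do not follow symlinks
        rel = os.path.relpath(path, root)
        if st.st_uid == ftp_uid:
            problems.append((rel, "owned by ftp"))
        is_incoming = (stat.S_ISDIR(st.st_mode)
                       and os.path.basename(path) == incoming_name)
        # Symlink modes are meaningless for this check, so skip them.
        if (not stat.S_ISLNK(st.st_mode) and not is_incoming
                and ftp_can_write(st, ftp_uid, ftp_gids)):
            problems.append((rel, "writable by ftp"))
        if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            problems.append((rel, f"{st.st_nlink} hard links"))
    return sorted(problems)


def make_sample_tree():
    """Build a constructed ~ftp look-alike in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="anonftp-")
    os.chmod(root, 0o755)
    for name, mode in (("pub", 0o755), ("incoming", 0o1733), ("dropbox", 0o777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    f = os.path.join(root, "pub", "file.txt")
    with open(f, "w") as fh:
        fh.write("sample\n")
    os.chmod(f, 0o644)
    os.link(f, os.path.join(root, "pub", "linked"))   # second hard link
    return root


if __name__ == "__main__":
    tree = make_sample_tree()
    # ftp_uid=-1 matches no real owner, so only mode and link problems show.
    for rel, problem in audit_anon_tree(tree, ftp_uid=-1):
        print(f"{rel}: {problem}")
```

- .PP
- On the sample tree the world-writable "dropbox" directory and the two
- hard-linked names are reported, while "incoming" is not; passing the
- real uid of "ftp" (and its group ids) additionally reports everything
- that user owns.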
- .SH "MAGIC FILES"
- The files
- .I <ftproot>/.banner
- and
- .I .message
- are magical.
- .P
- If there is a file called
- .I .banner
- in the root directory of the anonymous FTP area, or in the root
- directory of a virtual host, and it is shorter than 1024 bytes, it is
- printed upon login. (If the client does not log in explicitly, and an
- implicit login is triggered by a CWD or CDUP command, the banner is
- not printed. This is regrettable but hard to avoid.)
- .P
- If there is a file called
- .I .message
- in any directory and it is shorter than 1024 bytes, that file is
- printed whenever a user enters that directory using CWD or CDUP.
- .SH "VIRTUAL SERVERS"
- You can run several different anonymous FTP servers on one host, by
- giving the host several IP addresses with different DNS names.
- .PP
- Here are the steps needed to create an extra server using an IP alias
- on Linux 2.0.35, called "ftp.example.com" on address 10.11.12.13, on
- the IP alias eth0:1 (the first IP alias of eth0).
- .PP
- 1. Create an "ftp" account if you do not have one. It is best if
- the account does not have a valid home directory and shell. I prefer
- to make
- .I /dev/null
- the ftp account's home directory and shell.
- .B Ftpd
- uses this account to set the anonymous users' uid.
- .PP
- 2. Create a directory as described in
- .B Anonymous FTP
- and make a symlink called
- .I /var/adm/ftp/ftp.example.com
- which points to this directory.
- .PP
- 3. Make sure your kernel has support for IP aliases.
- .PP
- 4. Make sure that the following commands are run at boot:
- .PP
- .in +2
- /sbin/ifconfig eth0:1 10.11.12.13
- .br
- /sbin/route add 10.11.12.13 dev eth0:1
- .PP
- 5. Do the DNS setup. Add a PTR record to the 10.in-addr.arpa zone
- which points to
- .I ftp.example.com.
- (this must point to the same name as the symlink in step 2, but with a
- trailing dot) and an A record for ftp to the example.com zone file
- which points to 10.11.12.13. I prefer to add a line to the host's own
- .I /etc/hosts
- file, too:
- .PP
- .ti +2
- 10.11.12.13 ftp.example.com
- .PP
- Then reload the zone files. Note that it is
- .I not
- enough to use CNAME records, you must use A and PTR records as in this
- example, otherwise
- .B ftpd
- cannot differentiate between the different virtual servers.
- .PP
- That should be all. If you have problems, here are some things to
- try.
- .PP
- First, symlink
- .I /var/adm/ftp/localhost
- to some directory and say "ftp localhost". If that doesn't log you
- in, the problem is with
- .B ftpd.
- .PP
- If it does log you in, "ping -v 10.11.12.13" and/or "ping -v
- ftp.example.com" from the same host. If this does not work, the
- problem is with the IP alias.
- .PP
- Next, try "ping -v 10.11.12.13" from a host on the local ethernet, and
- afterwards "/sbin/arp -a". If 10.11.12.13 is listed among the ARP
- entries with the correct hardware address, the problem is probably
- with the IP alias. If 10.11.12.13 is listed, but has hardware address
- 0:0:0:0:0:0, then proxy-ARP isn't working.
- .PP
- If none of that helps, I'm stumped. Good luck.
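- .PP
- Because
- .B ftpd
- selects a virtual server by reverse-resolving the address the client
- connected to and looking for a directory of that name, the three things
- the steps above set up (A record, PTR record, directory or symlink in
- .IR /var/adm/ftp )
- must agree. The following Python checker is an added example, not part
- of
- .BR ftpd ,
- that verifies this for one host name. The resolver functions and the
- directory are parameters so it can run offline; the DNS answers in its
- fake resolver table are constructed, and the real-world default uses
- gethostbyname and gethostbyaddr.

```python
"""Check the DNS and directory wiring of a virtual FTP host (added example).

Not ftpd's own code.  The VIRTUAL SERVERS steps require an A record, a PTR
record naming the same host (a CNAME is not enough) and a directory or
symlink of that name in /var/adm/ftp.  check_virtual_host() verifies all
three agree.  Resolvers default to the socket module; the fake resolver
below holds constructed answers so the example runs offline.
"""

import os
import socket
import tempfile


def check_virtual_host(name, ftp_dir="/var/adm/ftp",
                       forward=socket.gethostbyname,
                       reverse=socket.gethostbyaddr):
    """Return a list of problems; an empty list means the host should work."""
    problems = []
    try:
        addr = forward(name)
    except OSError as e:                      # gaierror is an OSError
        return [f"A lookup for {name} failed: {e}"]

    try:
        canon, _aliases, _addrs = reverse(addr)
    except OSError as e:                      # herror is an OSError
        problems.append(f"PTR lookup for {addr} failed: {e}")
    else:
        # ftpd matches the PTR name against the directory name, so a
        # PTR that yields some other canonical name cannot select this host.
        if canon.rstrip(".") != name.rstrip("."):
            problems.append(f"PTR for {addr} is {canon!r}, not {name!r}")

    path = os.path.join(ftp_dir, name.rstrip("."))
    if not os.path.isdir(path):               # follows a symlink, as ftpd would
        problems.append(f"{path} is not a directory (or a symlink to one)")
    return problems


# Constructed DNS answers for the example; not a real zone.
FAKE_A = {
    "ftp.example.com": "10.11.12.13",
    "mirror.example.com": "10.11.12.13",   # same address, no matching PTR
    "ftp2.example.com": "10.11.12.14",
}
FAKE_PTR = {"10.11.12.13": "ftp.example.com", "10.11.12.14": "ftp2.example.com"}


def fake_forward(name):
    try:
        return FAKE_A[name]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")


def fake_reverse(addr):
    try:
        return FAKE_PTR[addr], [], [addr]
    except KeyError:
        raise socket.herror(f"no PTR record for {addr}")


def make_sample_ftp_dir():
    """Constructed stand-in for /var/adm/ftp with one virtual host directory."""
    base = tempfile.mkdtemp(prefix="varadmftp-")
    target = os.path.join(base, "srv-ftp-example")
    os.mkdir(target)
    os.symlink(target, os.path.join(base, "ftp.example.com"))
    return base


if __name__ == "__main__":
    ftp_dir = make_sample_ftp_dir()
    for host in ("ftp.example.com", "mirror.example.com",
                 "ftp2.example.com", "nohost.example.com"):
        print(host, check_virtual_host(host, ftp_dir, fake_forward, fake_reverse) or "ok")
```

- .PP
- Against the constructed answers, ftp.example.com passes, mirror.example.com
- fails both the PTR comparison and the directory check (the CNAME-style
- setup the note above warns against), and ftp2.example.com fails only
- because no directory exists for it yet.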
- .SH FILES
- .I /etc/passwd
- is used via libc, to get the uid and home directory of normal users,
- the uid and home directory of "ftp" for normal anonymous ftp, and
- just the uid of "ftp" for virtual ftp hosts.
- .PP
- .I /etc/shadow
- is used like
- .I /etc/passwd
- if shadow support is enabled.
- .PP
- .I /etc/group
- is used via libc, to get the group membership of normal users.
- .PP
- .I /proc/net/tcp
- is used to count existing FTP connections, if the
- .B -c
- or
- .B -p
- options are used
- .PP
- .I /var/adm/ftp/users
- and
- .I /var/adm/ftp/groups
- are used to list the names of users and groups by the LIST command,
- and are updated by
- .BR mkusers (8).
- "ls -l" will tell you that these files are enormous, but actually
- they are mostly unallocated space. Use "ls -s" to find the true
- size of the files (in kbytes).
- .PP
- .I /var/adm/ftp/[hostname]
- is the base directory for the [hostname] virtual ftp server, or a
- symbolic link to its base directory.
- .B Ftpd
- does a
- .BR chroot (2)
- into this directory when a user logs in to [hostname], thus symlinks
- outside this directory will not work.
- .PP
- .I ~ftp
- is the base directory for "normal" anonymous FTP.
- .B Ftpd
- does a
- .BR chroot (2)
- into this directory when an anonymous user logs in, thus symlinks
- outside this directory will not work.
- .SH LS
- The behaviour of LIST and NLST is a tricky issue. Few servers send
- RFC-compliant responses to LIST, and some clients depend on
- non-compliant responses.
- .PP
- This server uses
- .BR glob (3)
- to do filename globbing.
- .PP
- The response to NLST is by default similar to that of
- .BR ls (1),
- and
- that to LIST is by default similar to that of
- .B "ls -l"
- or
- .B "ls -lg"
- on most Unix systems, except that the "total" count is meaningless.
- Only regular files, directories and symlinks are shown. Only a few of
- the many
- .B ls
- options are supported:
- .TP
- .B -1
- Undoes
- .BR -l " and " -C .
- .TP
- .B -a
- lists even files/directories whose names begin with ".".
- .TP
- .B -C
- lists files in as many columns as will fit on the screen. Undoes
- .BR -1 " and " -l .
- .TP
- .B -d
- lists argument directories' names rather than their contents.
- .TP
- .B -F
- appends '*' to executable regular files, '@' to symlinks and '/' to
- directories.
- .TP
- .B -l
- shows various details about the file, including file group. See
- .BR ls (1)
- for details. Undoes
- .BR -1 " and " -C .
- .TP
- .B -r
- reverses the sorting order (modifies
- .BR -S " and " -t " and the default alphabetical ordering)."
- .TP
- .B -R
- recursively descends into subdirectories of the argument directories.
- .TP
- .B -S
- Sorts by file size instead of by name. Undoes
- .BR -t .
- .TP
- .B -t
- Sorts by file modification time instead of by name. Undoes
- .BR -S .
- .SH PROTOCOL
- Here are the FTP commands supported by this server.
- .TP
- .B ABOR
- Abort the file transfer. Incompletely supported.
- .TP
- .B CDUP
- Change to the parent directory.
- .TP
- .B CWD
- Change directory.
- .TP
- .B DELE
- Delete one or more files. This is not available to anonymous users.
- Only one argument is allowed, but that argument may contain wildcards.
- .B Ftpd
- returns success if at least one file is successfully deleted.
- .TP
- .B LIST
- Transfer a verbose file/directory listing via a data connection.
- .TP
- .B MDTM
- Return the modification time of the indicated file in YYYYMMDDHHMMSS
- format.
- .TP
- .B MODE
- Some values are accepted, all values are disregarded. This server
- always uses 8-bit binary for transfers and ASCII for directory
- listings, on the theory that ASCII-mode transfers are more often
- mistakes than intentional.
- .TP
- .B NLST
- Transfer a simple file listing via a data connection.
- .TP
- .B NOOP
- Do nothing, but the connection timeout counter is reset.
- .TP
- .B PASS
- Specify password. Ignored once the user has logged in.
- .TP
- .B PASV
- Specify and open data connection; client does active open.
- .TP
- .B PORT
- Specify and open data connection; server does active open.
- .TP
- .B PWD
- Print the current directory.
- .TP
- .B QUIT
- Close the connection.
- .TP
- .B RETR
- Transmit file to client.
- .TP
- .B RNFR
- Rename stage 1. Set the file name to rename
- .TP
- .B RNTO
- Rename stage 2. Rename the file from
- .B RNFR
- to the argument name.
- .TP
- .B SIZE
- Return the size of the argument file in bytes.
- .TP
- .B SITE
- Only
- .B "SITE IDLE"
- is accepted. The maximum idle period is 7200 seconds.
- .TP
- .B STOR
- Receive file from client.
- .TP
- .B STRU
- As for MODE.
- .TP
- .B TYPE
- As for MODE.
- .TP
- .B USER
- Specify user name. Ignored once the user has logged in.
- .PP
- The rest of the commands given in the FTP RFC or added in other
- servers are left out in order to keep the server simple, bug-free and
- secure.
- .PP
- This
- .B ftpd
- does not support the STAT command during data transfers. ABOR
- requests during data transfers appear not to work.
- .SH BUGS
- ABOR doesn't work.
- .SH "HOME PAGE"
- http://www.troll.no/freebies/ftpd.html
- .SH "NEW VERSIONS"
- Send a message containing just
- .B subscribe
- in the subject or body to
- .B ftpd-announce-request@troll.no
- to be added to the announcement
- mailing list.
- .SH "AUTHOR AND LICENCE"
- Written by Arnt Gulbrandsen <agulbra@troll.no> and copyright 1995-1999
- Troll Tech AS, Waldemar Thranes gate 98B, N-0175 Oslo, Norway, fax +47
- 22806380.
- .PP
- Use, modification and distribution is allowed without limitation,
- warranty, or liability of any kind.
- .PP
- Janos Farkas, cmj@localnet.com, August Fullford and Ximenes Zalteca
- (and probably others that I've forgotten - write me and I'll add you)
- have made substantial contributions.
- .SH SEE ALSO
- .BR ftp "(1), " ncftp "(1), " mkusers "(8), " mrtginfo "(8), "
- .BR "RFC 959" ", " "RFC 2228" " and " "RFC 2428"