Commands Reference, Volume 2

ftpd Daemon

Purpose

Provides the server function for the Internet FTP protocol.

Syntax

Note: The ftpd daemon is normally started by the inetd daemon. It can also be controlled from the command line, using SRC commands.

/usr/sbin/ftpd [ -d ] [ -f ] [ -ff ] [ -k ] [ -l ] [ -t TimeOut ] [ -T MaxTimeOut ] [ -s ] [ -u OctalVal ]

The /usr/sbin/ftpd daemon is the DARPA Internet File Transfer Protocol (FTP) server process. The ftpd daemon uses the Transmission Control Protocol (TCP) to listen at the port specified with the ftp command service specification in the /etc/services fil.

Changes to the ftpd daemon can be made using the System Management Interface Tool (SMIT) or System Resource Controller (SRC), by editing the /etc/inetd.conf or /etc/services file. Entering ftp at the command line is not recommended. The ftpd daemon is started by default when it is uncommented in the /etc/inetd.conf file.

The inetd daemon gets its information from the /etc/inetd.conf file and the /etc/services file.

If you change the /etc/inetd.conf or /etc/services file, run the refresh -s inetd or kill -1 InetdPID command to inform the inetd daemon of the changes to its configuration files.

The ftpd daemon expands file names according to the conventions of the csh command. This command allows you to use such metacharacters as the * (asterisk), the ? (question mark), [ ] (left and right brackets), { } (left and right braces), and the ~ (tilde).

If the current authentication method is the Standard Operating system authentication method:

Before the ftpd daemon can transfer files for a client process, it must authenticate the client process. The ftpd daemon authenticates client processes according to these rules:

The user must have a password in the password database, /etc/security/passwd. (If the user's password is not null, the client process must provide that password.)
The user name must not appear in the /etc/ftpusers file.
The user's login shell must appear in the shells attribute of the /etc/security/login.cfg file.
If the user name is anonymous or ftp, an anonymous FTP account must be defined in the password file. In this case, the client process is allowed to log in using any password. By convention, the password is the name of the client host. The ftpd daemon takes special measures to restrict access by the client process to the anonymous account.

If Kerberos 5 is the current authentication method:

The ftpd daemon allows access only if all of the following conditions are satisfied:

The local user of the ftp client has current DCE credentials.
The local and remote systems both support the AUTH command.
The remote system accepts the DCE credentials as sufficient for access to the remote account. See the kvalid_user function for additional information.

File Transfer Protocol Subtree Guidelines

When handling an anonymous FTP user, the server performs the chroot command in the home directory of the FTP user account. For greater security, implement the following rules when you construct the FTP subtree:

~ftp	Make the home directory owned by root and mode r-xr-xr-x (555).
~ftp/bin	Make this directory owned by the root user and not writable by anyone. The ls program must be present in this directory to support the list command. This program should have mode 111.
~ftp/etc	Make this directory owned by the root user and not writable by anyone.
~ftp/pub	Make this directory mode 777 and owned by FTP. Users should then place files that are to be accessible through the anonymous account in this directory.

Note: The shell script /usr/samples/tcpip/anon.ftp uses the above rules to set up the anonymous FTP account for you.

The server must run as the root user to create sockets with privileged port numbers. The server maintains an effective user ID of the logged-in user, reverting to the root user only when binding addresses to sockets.

Supported File Transfer Protocol Requests

The ftpd daemon currently supports the following FTP requests:

ABOR	Terminates previous command.
ACCT	Specifies account (ignored).
ADAT	Specifies the Authentication/Security Data.
ALLO	Allocates storage (vacuously).
APPE	Appends to a file.
AUTH	Specifies the Authentication/Security Mechanism.
CCC	Specifies the Clear Command Channel.
CDUP	Changes to the parent directory of the current working directory.
CWD	Changes working directory.
DELE	Deletes a file.
ENC	Specifies the Privacy Protected Command.
HELP	Gives help information.

LIST	Gives list files in a directory (this FTP request is the same as the ls -lA command).
MKD	Makes a directory.
MDTM	Shows last modification time of file.
MIC	Specifies the Integrity Protected Command.
MODE	Specifies data transfer mode.
NLST	Gives a name list of files in directory (this FTP request is the same as the ls command).
NOOP	Does nothing.
PASS	Specifies a password.
PASV	Prepares for server-to-server transfers.
PBSZ	Specifies the Protection Buffer Size.
PORT	Specifies a data connection port.
PROT	Specifies the Data Channel Protection Level.
PWD	Prints the current working directory.
QUIT	Terminates session.
RETR	Retrieves a file.
RMD	Removes a directory.
RNFR	Specifies rename-from file name.
RNTO	Specifies rename-to file name.
SITE	The following nonstandard or UNIX-specific commands are supported by the SITE request: UMASK Changes umask (SITE UMASK 002). IDLE Sets idler time (SITE IDLE 60). CHMOD Changes mode of a file (SITE CHMOD 755 FileName). HELP Gives help information (SITE HELP).
SIZE	Returns size of current file.
STAT	Returns the status of the server.
STOR	Stores a file.
STOU	Stores a file using a unique file name.
STRU	Specifies the structure of data transfer as a file structure.
SYST	Shows operating system type of server system.
TYPE	Specifies data transfer type with the Type parameter.
USER	Specifies user name.
XCUP	Changes the parent directory of the current working directory (not normally used).
XCWD	Changes current directory (not normally used).
XMKD	Creates a directory (not normally used).
XPWD	Prints the current working directory (not normally used).
XRMD	Removes a directory (not normally used).

The remaining FTP requests defined in Internet RFC 959 are recognized, but not implemented. The MDTM and SIZE requests are not specified by RFC 959, but are scheduled to appear in the next updated FTP RFC.

If a STAT request is received during a data transfer and preceded by both a Telnet IP signal and SYNCH signal, transfer status is returned.

The ftpd daemon should be controlled using the System Management Interface Tool (SMIT) or by changing the /etc/inetd.conf file. Entering ftpd at the command line is not recommended.

Manipulating the ftpd Daemon with the System Resource Controller

The ftpd daemon is a subserver of the inetd daemon, which is a subsystem of the System Resource Controller (SRC). The ftpd daemon is a member of the tcpip SRC subsystem group. This daemon is enabled by default in the /etc/inetd.conf file and can be manipulated by the following SRC commands:

startsrc	Starts a subsystem, group of subsystems, or a subserver.
stopsrc	Stops a subsystem, group of subsystems, or a subserver.
lssrc	Gets the status of a subsystem, group of subsystems, or a subserver.

Flags

-d	Sends debugging information about ftpd daemon operations to the syslogd daemon. If you specify the -d flag, you must edit the /etc/syslog.conf file and add the following entry: daemon.debug FileName Note: The syslogd daemon's `debug` level includes `info` level messages. If you do not edit the /etc/syslog.conf file, no messages are produced. After changing the /etc/syslog.conf file, run the refresh -s syslogd command or kill -1 SyslogdPID command to inform the syslogd daemon of the changes to its configuration file. For more information about debug levels, refer to the /etc/syslog.conf file.
-f	Disables checking for a privileged port when the client requests the server to connect back to a specific port. By default, ftpd does not allow the client to request a connection to a privileged port as a security precaution.
-ff	Disables checking for both a privileged port and an IP address that matches the one used for the control connection when the client requests the server to connect back to a specific client port. Using this flag enables the client to request that the server send data to an alternate host or interface. By default, ftpd does not allow this action as a security precaution.
-k	Sets the SO_KEEPALIVE option defined in the sys/socket.h file on the data transfer socket to enable the data transfer to time out in the event TCP/IP hangs. The idle interval time is based on system-wide values designated by the `tcp_keepidle` and `tcp_keepintvl` options of the no command. Without the flag, ftpd data transfer will not time out.
-l	Sends logging information about ftpd daemon operations to the syslogd daemon. If you specify the -l flag, you must edit the /etc/syslog.conf file and add the following entry: daemon.info FileName If you do not edit the /etc/syslog.conf file, no messages are produced. After changing the /etc/syslog.conf file, run the refresh -s syslogd command or kill -1 SyslogdPID command to inform the syslogd daemon of the changes to its configuration file. For more information about debug levels, refer to the /etc/syslog.conf file.
-t TimeOut	Logs out inactive sessions after the number of seconds specified by the TimeOut variable. The default limit is 15 minutes (900 seconds).
-T MaxTimeOut	Logs out inactive client sessions after a maximum number of seconds specified by the MaxTimeOut variable. The default limit is 2 hours (7200 seconds).
-s	Turns on socket-level debugging.
-u OctalVal	Sets the ftpd daemon's umask. The OctalVal variable must be specified as an octal value to define the umask. The default umask is an octal value of 027, which results in file permissions of rw-r-----.

Examples

Note: The arguments for the ftpd daemon can be specified by using SMIT or by editing the /etc/inetd.conf file.

To start the ftpd daemon, enter the following:
```
startsrc -t ftp
```
The startsrc command with the -t flag starts the ftpd subserver. You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.
To stop the ftpd daemon normally, enter the following:
```
stopsrc -t ftp
```
The stopsrc command with the -t flag stops the ftpd subserver. The stopsrc command allows all pending connections to start and all existing connections to complete, but prevents new connections from starting. You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.
To force the ftpd daemon and all ftpd connections to stop, enter the following:
```
stopsrc -t -f ftp
```
The stopsrc command with the -t and -f flags forces the ftpd subserver to stop. It terminates all pending connections and existing connections immediately.
To display a short status report about the ftpd daemon, enter the following:
```
lssrc -t ftp
```
The lssrc command with the -t flag returns the daemon's name, process ID, and state (active or inactive). You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.

Files

/etc/locks/ftpd	Contains interlock and process ID (PID) storage.
/etc/group	Contains passwords for groups.
/etc/passwd	Contains passwords for users.
/etc/security/login.cfg	Contains configuration information for login and user authentication.
/etc/security/passwd	Contains encrypted passwords.
/etc/syslog.conf	Contains configuration information for the syslogd daemon.
/usr/samples/tcpip/anon.ftp	Contains the example shell script with which to set up an anonymous FTP account. This file also contains directions for its use.

Related Information

The ftp command, lssrc command, kill command, no command, rcp command, refresh command, rlogin command, rsh command, startsrc command, stopsrc command, telnet command.

The inetd daemon, syslogd daemon.

The kvalid_user function.

The /etc/ftpusers file format, /etc/inetd.conf file format, /etc/services, $HOME/.k5login file format.

TCP/IP Daemons in AIX 5L Version 5.1 System Management Guide: Communications and Networks.

Secure Rcmds in AIX 5L Version 5.1 System User's Guide: Communications and Networks.