
Commands Reference, Volume 2

ftpd Daemon

Purpose

Provides the server function for the Internet FTP protocol.

Syntax

Note: The ftpd daemon is usually started by the inetd daemon. It can also be controlled from the command line, using SRC commands.

/usr/sbin/ftpd [ -d ] [ -f ] [ -ff ] [ -k ] [ -l ] [ -U ] [ -t TimeOut ] [ -T MaxTimeOut ] [ -s ] [ -u OctalVal ] [-q [-C]]

Description

The /usr/sbin/ftpd daemon is the DARPA Internet File Transfer Protocol (FTP) server process. The ftpd daemon uses the Transmission Control Protocol (TCP) to listen at the port specified with the ftp command service specification in the /etc/services file.

Changes to the ftpd daemon can be made using the System Management Interface Tool (SMIT) or System Resource Controller (SRC), or by editing the /etc/inetd.conf or /etc/services file. Typing ftpd at the command line is not recommended. The ftpd daemon is started by default when it is uncommented in the /etc/inetd.conf file.

The inetd daemon gets its information from the /etc/inetd.conf file and the /etc/services file.

If you change the /etc/inetd.conf or /etc/services file, run the refresh -s inetd or kill -1 InetdPID command to inform the inetd daemon of the changes to its configuration files.

The ftpd daemon expands file names according to the conventions of the csh command. This command allows you to use such metacharacters as the * (asterisk), the ? (question mark), [ ] (left and right brackets), { } (left and right braces), and the ~ (tilde).

ftpaccess.ctl File

The /etc/ftpaccess.ctl file is searched for lines that start with allow:, deny:, readonly:, writeonly:, readwrite:, useronly:, grouponly:, herald: and/or motd:. Other lines are ignored. If the file doesn't exist, then ftp access is allowed for all hosts. The allow: and deny: lines are for restricting host access. The readonly:, writeonly: and readwrite: lines are for restricting ftp reads (get) and writes (put). The useronly: and grouponly: lines are for defining anonymous users. The herald: and motd: lines are for multiline messages before and after login.

The syntax for all lines in /etc/ftpaccess.ctl is of the form:

keyword: value, value, ...

where one or more values can be specified for every keyword. Multiple lines with the same keyword are permitted. The lines in /etc/ftpaccess.ctl are limited to 1024 characters; anything beyond 1024 characters is ignored.

The syntax for the allow: and deny: lines is:

allow: host, host, ...
deny: host, host, ...

If an allow: line is specified, then only the hosts listed in all the allow: lines are allowed ftp access. All other hosts will be refused ftp access. If there are no allow: line(s), then all hosts will be given ftp access except those hosts specified in the deny: line(s). The host can be specified as either a hostname or an IP address.

The syntax for the readonly:, writeonly: and readwrite: lines is:

readonly: dirname, dirname, ...
writeonly: dirname, dirname, ...
readwrite: dirname, dirname, ...

The readonly: lines list the read-only directories and the writeonly: lines list the write-only directories. If one wants read access in a write-only directory or if one wants write access in a read-only directory, then access is denied. All other directories are granted access except when a readwrite: line(s) is specified. If a readwrite: line(s) is specified, only directories listed in the readwrite: line and/or listed in the readonly: line are granted access for reading, AND only directories listed in the readwrite: line and/or listed in the writeonly: line are granted access for writing. Also, these lines can have a value of "ALL" or "NONE".

The syntax for the useronly: and grouponly: lines is:

useronly: username, username, ...
grouponly: groupname, groupname, ...

The username is from /etc/passwd and the groupname is from /etc/group. The useronly: line defines an anonymous user. The grouponly: line defines a group of anonymous users. These anonymous users are similar to the user anonymous in that ftp activity is restricted to their home directories.

The syntax for the herald: and motd: lines is:

herald: path
motd: on|off

The path is the full path name of the file that contains the multiline herald that will be displayed before login. When the motd: line has a value of 'on', then the $HOME/motd file contains the multiline message that will be displayed after login. If the user is a defined anonymous user, then the /etc/motd file contains the multiline message that will be displayed after login. (Note that /etc/motd is in the anonymous user's chroot'ed home directory). The default for the motd: line is off.
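As an added example (not part of this reference page and not the AIX ftpd source), the following Python models the /etc/ftpaccess.ctl decisions described above: host admission, directory read/write access and anonymous-user detection. It assumes that a listed directory also covers the paths beneath it and that characters beyond 1024 on a line are dropped rather than the whole line; the sample policy is constructed.

```python
KEYWORDS = ("allow", "deny", "readonly", "writeonly", "readwrite",
            "useronly", "grouponly", "herald", "motd")

def parse_ftpaccess(text):
    """Map keyword -> values. Non-keyword lines are ignored; a line is cut at
    1024 chars (assumption: excess dropped). Empty/missing file allows all."""
    rules = {k: [] for k in KEYWORDS}
    for line in text.splitlines():
        line = line[:1024]
        for key in KEYWORDS:
            if line.startswith(key + ":"):
                values = line[len(key) + 1:].split(",")
                rules[key] += [v.strip() for v in values if v.strip()]
                break
    return rules

def host_allowed(rules, host):
    """allow: lines, when present, are a whitelist; else deny: is a blacklist."""
    if rules["allow"]:
        return host in rules["allow"]
    return host not in rules["deny"]

def _listed(values, dirname):
    """'ALL' covers every directory, 'NONE' none; a listed directory also
    covers the paths beneath it (assumption about prefix matching)."""
    for v in values:
        if v == "ALL":
            return True
        if v != "NONE" and (dirname == v or dirname.startswith(v.rstrip("/") + "/")):
            return True
    return False

def dir_access(rules, dirname, write):
    """Decide a get (write=False) or put (write=True) in dirname.
    No readwrite: lines -> readonly: blocks writes, writeonly: blocks reads.
    readwrite: present -> reads need readwrite:/readonly:, writes readwrite:/writeonly:."""
    ro = _listed(rules["readonly"], dirname)
    wo = _listed(rules["writeonly"], dirname)
    if rules["readwrite"]:
        rw = _listed(rules["readwrite"], dirname)
        return rw or (wo if write else ro)
    return not (ro if write else wo)

def is_anonymous(rules, user, groups):
    """useronly:/grouponly: logins are confined to their home directory."""
    return user in rules["useronly"] or any(g in rules["grouponly"] for g in groups)
SAMPLE = (  # constructed sample policy, not from any real system
    "# ignored: no leading keyword\nallow: build01.example.com, 192.0.2.10\n"
    "readonly: /pub\nwriteonly: /incoming\nuseronly: ftpguest\ngrouponly: ftpanon\n")
```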

If the current authentication method is the Standard Operating system authentication method:

Before the ftpd daemon can transfer files for a client process, it must authenticate the client process. The ftpd daemon authenticates client processes according to these rules:

If Kerberos 5 is the current authentication method:

The ftpd daemon allows access only if all of the following conditions are satisfied:

File Transfer Protocol Subtree Guidelines

When handling an anonymous FTP user, the server performs the chroot command in the home directory of the FTP user account. For greater security, implement the following rules when you construct the FTP subtree:

~ftp Make the home directory owned by root and mode r-xr-xr-x (555).
~ftp/bin Make this directory owned by the root user and not writable by anyone. The ls program must be present in this directory to support the list command. This program should have mode 111.
~ftp/etc Make this directory owned by the root user and not writable by anyone.
~ftp/pub Make this directory mode 777 and owned by FTP. Users should then place files that are to be accessible through the anonymous account in this directory.

Note
The shell script /usr/samples/tcpip/anon.ftp uses the above rules to set up the anonymous FTP account for you.

When handling an anonymous FTP user defined in /etc/ftpaccess.ctl, the server performs the chroot command in the home directory of the user account. For greater security, implement the following rules when you construct the user's subtree:

~user
Make the home directory owned by root and mode r-xr-xr-x (555).
~user/bin
Make this directory owned by the root user and unwritable by anyone. The ls program must be present in this directory to support the list command. This program should have mode 111.
~user/etc
Make this directory owned by the root user and unwritable by anyone.
~user/pub
Make this directory mode 777 and owned by user. Users should then place files that are to be accessible through the anonymous account in this directory.
Note
The shell script /usr/samples/tcpip/anon.users.ftp uses the above rules to set up the anonymous FTP account for you.
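Added example (not from this page and not one of the AIX sample scripts): a Python audit of a chroot'ed FTP home against the ownership and mode rules above, run here against a constructed temporary tree that deliberately violates two of them. The root_uid parameter is an assumption made so the demo can run as a non-root user; on a real system leave it at 0.

```python
import os
import stat
import tempfile

def audit_ftp_subtree(home, ftp_uid, root_uid=0):
    """Return findings for a chroot'ed FTP home checked against the subtree
    rules; empty means compliant. root_uid is a parameter only so the check
    can run on a test tree not owned by root (assumption for the demo)."""
    findings = []

    def check(rel, uid=None, mode=None, no_write=False):
        path = os.path.join(home, rel)
        if not os.path.lexists(path):
            findings.append(f"{path}: missing")
            return
        st = os.lstat(path)
        got = stat.S_IMODE(st.st_mode)
        if uid is not None and st.st_uid != uid:
            findings.append(f"{path}: owner uid {st.st_uid}, expected {uid}")
        if mode is not None and got != mode:
            findings.append(f"{path}: mode {got:04o}, expected {mode:04o}")
        if no_write and got & 0o222:
            findings.append(f"{path}: writable (mode {got:04o})")

    check("", uid=root_uid, mode=0o555)        # ~ftp: root, r-xr-xr-x
    check("bin", uid=root_uid, no_write=True)  # ~ftp/bin: root, unwritable
    check("bin/ls", mode=0o111)                # ls present, mode 111
    check("etc", uid=root_uid, no_write=True)  # ~ftp/etc: root, unwritable
    check("pub", uid=ftp_uid, mode=0o777)      # ~ftp/pub: owned by ftp, 777
    return findings

def run_demo():
    """Build a constructed tree with two deliberate mistakes (pub at 755,
    ls at 755), audit it, then restore write bits so cleanup can succeed."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as home:
        for d in ("bin", "etc", "pub"):
            os.mkdir(os.path.join(home, d))
        ls = os.path.join(home, "bin", "ls")
        open(ls, "w").close()
        os.chmod(ls, 0o755)
        for d, m in (("bin", 0o555), ("etc", 0o555), ("pub", 0o755), ("", 0o555)):
            os.chmod(os.path.join(home, d), m)
        try:
            return audit_ftp_subtree(home, ftp_uid=me, root_uid=me)
        finally:
            os.chmod(home, 0o755)
            os.chmod(os.path.join(home, "bin"), 0o755)
```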

The server must run as the root user to create sockets with privileged port numbers. The server maintains an effective user ID of the logged-in user, reverting to the root user only when binding addresses to sockets.

Supported File Transfer Protocol Requests

The ftpd daemon currently supports the following FTP requests:

ABOR Terminates previous command.
ACCT Specifies account (ignored).
ADAT Specifies the Authentication/Security Data.
ALLO Allocates storage (vacuously).
APPE Appends to a file.
AUTH Specifies the Authentication/Security Mechanism.
CCC Specifies the Clear Command Channel.
CDUP Changes to the parent directory of the current working directory.
CWD Changes working directory.
DELE Deletes a file.
ENC Specifies the Privacy Protected Command.
HELP Gives help information.
LIST Lists the files in a directory (this FTP request is the same as the ls -lA command).
MKD Makes a directory.
MDTM Shows last modification time of file.
MIC Specifies the Integrity Protected Command.
MODE Specifies data transfer mode.
NLST Gives a name list of files in directory (this FTP request is the same as the ls command).
NOOP Does nothing.
PASS Specifies a password.
PASV Prepares for server-to-server transfers.
PBSZ Specifies the Protection Buffer Size.
PORT Specifies a data connection port.
PROT Specifies the Data Channel Protection Level.
PWD Prints the current working directory.
QUIT Terminates session.
RETR Retrieves a file.
RMD Removes a directory.
RNFR Specifies rename-from file name.
RNTO Specifies rename-to file name.
SITE The following nonstandard or UNIX-specific commands are supported by the SITE request:
UMASK
Changes umask (SITE UMASK 002).
IDLE
Sets idle time (SITE IDLE 60).
CHMOD
Changes mode of a file (SITE CHMOD 755 FileName).
HELP
Gives help information (SITE HELP).
SIZE Returns size of current file.
STAT Returns the status of the server.
STOR Stores a file.
STOU Stores a file using a unique file name.
STRU Specifies the structure of data transfer as a file structure.
SYST Shows operating system type of server system.
TYPE Specifies data transfer type with the Type parameter.
USER Specifies user name.
XCUP Changes the parent directory of the current working directory (not usually used).
XCWD Changes current directory (not usually used).
XMKD Creates a directory (not usually used).
XPWD Prints the current working directory (not usually used).
XRMD Removes a directory (not usually used).

The remaining FTP requests defined in Internet RFC 959 are recognized, but not implemented. The MDTM and SIZE requests are not specified by RFC 959, but are scheduled to appear in the next updated FTP RFC.

If a STAT request is received during a data transfer and preceded by both a Telnet IP signal and SYNCH signal, transfer status is returned.

The ftpd daemon should be controlled using the System Management Interface Tool (SMIT) or by changing the /etc/inetd.conf file. Typing ftpd at the command line is not recommended.

Manipulating the ftpd Daemon with the System Resource Controller

The ftpd daemon is a subserver of the inetd daemon, which is a subsystem of the System Resource Controller (SRC). The ftpd daemon is a member of the tcpip SRC subsystem group. This daemon is enabled by default in the /etc/inetd.conf file and can be manipulated by the following SRC commands:

startsrc Starts a subsystem, group of subsystems, or a subserver.
stopsrc Stops a subsystem, group of subsystems, or a subserver.
lssrc Gets the status of a subsystem, group of subsystems, or a subserver.

Flags

-C Allows the user to specify that the outgoing file sent using the send_file command must be cached in the Network Buffer Cache (NBC). This flag cannot be used unless the -q flag is specified. This flag is only applicable when a file is being sent out in the binary mode with no protection.
-d Sends debugging information about ftpd daemon operations to the syslogd daemon. If you specify the -d flag, you must edit the /etc/syslog.conf file and add the following entry:

daemon.debug FileName

Note: The syslogd daemon's debug level includes info level messages.

If you do not edit the /etc/syslog.conf file, no messages are produced. After changing the /etc/syslog.conf file, run the refresh -s syslogd command or kill -1 SyslogdPID command to inform the syslogd daemon of the changes to its configuration file. For more information about debug levels, refer to the /etc/syslog.conf file.

-f Disables checking for a privileged port when the client requests the server to connect back to a specific port. By default, ftpd does not allow the client to request a connection to a privileged port as a security precaution.
-ff Disables checking for both a privileged port and an IP address that matches the one used for the control connection when the client requests the server to connect back to a specific client port. Using this flag enables the client to request that the server send data to an alternate host or interface. By default, ftpd does not allow this action as a security precaution.
-k Sets the SO_KEEPALIVE option defined in the sys/socket.h file on the data transfer socket to enable the data transfer to time out in the event TCP/IP hangs. The idle interval time is based on system-wide values designated by the tcp_keepidle and tcp_keepintvl options of the no command. Without the flag, ftpd data transfer will not time out.
-l Sends logging information about ftpd daemon operations to the syslogd daemon. If you specify the -l flag, you must edit the /etc/syslog.conf file and add the following entry:

daemon.info FileName

If you do not edit the /etc/syslog.conf file, no messages are produced. After changing the /etc/syslog.conf file, run the refresh -s syslogd command or kill -1 SyslogdPID command to inform the syslogd daemon of the changes to its configuration file. For more information about debug levels, refer to the /etc/syslog.conf file.

-q Allows the user to specify that the send_file subroutine must be used for sending the file on the network. This flag is only applicable when a file is being sent out in the binary mode with no protection.
-t TimeOut Logs out inactive sessions after the number of seconds specified by the TimeOut variable. The default limit is 15 minutes (900 seconds).
-T MaxTimeOut Logs out inactive client sessions after a maximum number of seconds specified by the MaxTimeOut variable. The default limit is 2 hours (7200 seconds).
-s Turns on socket-level debugging.
-u OctalVal Sets the ftpd daemon's umask. The OctalVal variable must be specified as an octal value to define the umask. The default umask is an octal value of 027, which results in file permissions of rw-r-----.
-U Keeps files unlocked while in transfer. If this flag is specified with /usr/sbin/ftpd, then the file can be opened while still in transfer.
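The following Python, added here and not taken from ftpd's source, models the default PORT-request checks that the -f and -ff flags relax: a data connection is refused when it targets a privileged port or a host other than the control-connection peer. The f_flag argument (0 for the default, 1 for -f, 2 for -ff) and the addresses used in the checks are constructed for illustration.

```python
def parse_port_arg(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT request into
    (host, port); raises ValueError for malformed input."""
    parts = arg.split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be 0-255")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]

def port_request_allowed(arg, control_peer_ip, f_flag=0):
    """Apply the documented default checks to a PORT request.
    f_flag=0: refuse privileged ports (<1024) and hosts other than the control
    connection peer; 1 (-f): skip the port check; 2 (-ff): skip both checks."""
    host, port = parse_port_arg(arg)
    if f_flag < 1 and port < 1024:
        return False, f"privileged port {port} refused"
    if f_flag < 2 and host != control_peer_ip:
        return False, f"data host {host} differs from control peer {control_peer_ip}"
    return True, f"connect to {host}:{port}"
```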

Examples

Note: The arguments for the ftpd daemon can be specified by using SMIT or by editing the /etc/inetd.conf file.
  1. To start the ftpd daemon, type the following:

    startsrc -t ftp

    The startsrc command with the -t flag starts the ftpd subserver. You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.

  2. To stop the ftpd daemon, usually type the following:

    stopsrc -t ftp

    The stopsrc command with the -t flag stops the ftpd subserver. The stopsrc command allows all pending connections to start and all existing connections to complete, but prevents new connections from starting. You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.

  3. To force the ftpd daemon and all ftpd connections to stop, type the following:

    stopsrc -t -f ftp

    The stopsrc command with the -t and -f flags forces the ftpd subserver to stop. It terminates all pending connections and existing connections immediately.

  4. To display a short status report about the ftpd daemon, type the following:

    lssrc -t ftp

    The lssrc command with the -t flag returns the daemon's name, process ID, and state (active or inactive). You must use the -t flag to specify a subserver. Otherwise, the command does not execute properly.

Files

/etc/locks/ftpd Contains interlock and process ID (PID) storage.
/etc/group Contains passwords for groups.
/etc/passwd Contains passwords for users.
/etc/security/login.cfg Contains configuration information for login and user authentication.
/etc/security/passwd Contains encrypted passwords.
/etc/syslog.conf Contains configuration information for the syslogd daemon.
/usr/samples/tcpip/anon.ftp Contains the example shell script with which to set up an anonymous FTP account. This file also contains directions for its use.

Related Information

The ftp command, lssrc command, kill command, no command, rcp command, refresh command, rlogin command, rsh command, startsrc command, stopsrc command, telnet command.

The inetd daemon, syslogd daemon.

The kvalid_user function.

The /etc/ftpusers file format, /etc/inetd.conf file format, /etc/services, $HOME/.k5login file format.

TCP/IP Daemons in AIX 5L Version 5.2 System Management Guide: Communications and Networks.

Secure Rcmds in AIX 5L Version 5.2 System User's Guide: Communications and Networks.

Network Option Tunable Parameters in AIX 5L Version 5.2 Performance Management Guide.
