0.1 NAME

Libra FTP daemon - Internet Anonymous File Transfer Protocol Server

0.2 SYNOPSIS

ftps [-r] [-p] [-lmodes] [-b] [-ccharset]

0.3 DESCRIPTION

Libra is the Internet File Transfer Protocol server process.

The server is supposed to be started from listening servers, like inetd(8) or tcpserver(8). It expects the control connection to be redirected on stdin and stdout.

The FTP server will timeout an inactive session after 5 minutes. A client may also request a different timeout period; the maximum period is 5 minutes.

If the -r option is specified, the server will deny all "write" requests: create file, delete file, write to file, create directory, remove directory, change mode of file, change umask.

If the -p option is specified, the server will accept passive data connections only. It will send the following reply to all PORT commands: 502 Command not implemented. This mode allows to forbid proxy FTP functionaly which is vulnerable to bounce attack.

If the -l option is specified, the server will log events specified in modes. Log messages are written to the standard error device.

modes can be one or more of following values:

• a - Log following user activities: downloads, uploads, deletion or renames of a file, creation or deletion of a directory, changes of file mode, changes of umask.
• u - Log all user connections.
• i - Log all user commands.
• o - Log all replies to the user.

If the -l option isn't specified the server will log error and warning messages only.

Libra will send the content of the .message file (if present) when:

• A new remote user logs in. Libra will send the file in the startup directory. This is called Wellcome message.
• A user changes the current working directory. Libra sends the file in a new working directory.

If the -b option is specified the server won't send a Wellcome greeting to the peer. This is usefull if it works as "back-end" server. Front-end server does the authentication and then lets Libra to process the rest of the session. In this case Wellcome message is already sent by the front-end server. Sending another greetings from Libra will definitelky confuse a FTP client. There is an implementation of a PNIAM-aware front-end server from Alexander A. Naumov (aln@castle.nmd.msu.ru). For more information about PNIAM see http://www.msu.ru/pniam/pniam.html.

Every pathname consisting of ASCII (7bit) characters only is sent via control connection as is. Pathnames containing characters in local (8bit) encoding are sent as UNICODE characters using UTF-8 encoding rules. Using the -c option you should specify the conversion table from local character set to UNICODE. charset has a very simple format. Every line specifies conversion of one character. It consists of a pair local character - UNICODE.

0.4 FTP COMMANDS

The FTP server currently supports the following FTP commands; case is not distinguished.

ABOR

abort file transfer

ACCT

specify account (ignored)

ALLO

allocate storage (vacuously)

APPE

append to a file

CDUP

change to parent of current working directory

CWD

change working directory

DELE

delete a file

EPRT

extended specification of data connection address (IPv4 and IPv6)

EPSV

force server to open data connection (IPv4 and IPv6)

HELP

give help information

LIST

list the content of directory in ls-like format

MKD

make a directory

MODE

specify data transfer mode

NLST

list names of files in a directory

NOOP

do nothing

PASS

specify password (ignored)

PASV

force server to open data connection

PORT

specify data connection address

PWD

print the current working directory

QUIT

terminate session

REST

restart incomplete transfer

RETR

retrieve a file

RMD

remove a directory

RNFR

specify rename-from file name

RNTO

specify rename-to file name

SITE

non-standard commands (see next section)

STAT

return status of server

STOR

store a file

STOU

store a file with a unique name

STRU

specify data transfer structure

SYST

show operating system type of server system

TYPE

specify data transfer type

USER

specify user name (ignored)

XCUP

change to parent of current working directory (deprecated)

XCWD

change working directory (deprecated)

XMKD

make a directory (deprecated)

XPWD

print the current working directory (deprecated)

XRMD

remove a directory (deprecated)

The remaining FTP commands specified in Internet RFC 959 are recognized, but not implemented.

0.5 NON-STANDARD FTP COMMANDS

Following commands are RFC pending.

MDTM path

show last modification time of path

MLSD

list the content of directory in machine-readable format (experimental)

MLST

return the information about the given object in machine-readable format (experimental)

SIZE path

return transfer size of path for TYPE L(ocal byte size) 8(bits), MODE S(tream), STRU F(ile)

Following non-standard or UNIX-specific commands are supported by the SITE request.

SITE CHECKSUM

toggle the computation of checksums during the file transfer. The checksum is reported in the 226 final response. The MD5 algorithm is used for computation of checksums. Checksum is computed based on the file content on the server side. Files are stored on the server as sequence of 8-bit bytes. End of line is denoted by a single newline character (ASCII code 10).

SITE CHMOD

change mode of a file. E.g. SITE CHMOD 755 filename

SITE IDLE

set idle-timer. E.g. SITE IDLE 60

SITE NEWER

list files newer than a particular date

SITE MINFO

same as SITE NEWER

SITE UMASK

change umask. E.g. SITE UMASK 002

0.6 SECURITY

The FTP server does not require any authentification. Sending user name and password is optional.

The FTP server does not have to run as a superuser. It does not open privileged ports.

Libra does not implement any server-side filename filtering in LIST and NLST commands. We've decided to abandon to filter out files because it creates possibilities for denial-of-service (DoS) attacks. The other consequence of this decision is that mget command in standard ftp client won't work, because it relies upon this server feature.

The server does not support the ability to restart broken transfer (REST) in ASCII transfer mode (TYPE A). The restart position is given in client-side bytes forcing the server to calculate the number of new lines in the file and introducing another DoS attack possibility (high CPU comsumption for the server by zero cost for the client).

0.7 CONVENTIONS

Libra is supposed to be started by any listening server, like inetd(8) or tcpserver(8). It expects its standard input and output (file descriptors 0 and 1) to be the FTP control connection socket (however, for your fun, you may run the server with input and output on a terminal).

Files sent with the STOR command are created with default permissions. The user can change this behavior with SITE UMASK command.

The FTP server will abort an active file transfer only when the ABOR command is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet "Synch" signal in the command Telnet stream, as described in Internet RFC 959. If a STAT command is received during a data transfer, preceded by a Telnet IP and Synch, transfer status will be returned.

0.8 INSTALLATION

Libra consists of a single file - ftps. It does not require any additional files and devices.

Here is a very simple installation scenario:

1. Create a directory for all publicly available files.
2. Copy the content there.
3. Assign permissions to this directory and files according to your policy of public access.
4. Copy ftps there.
5. Assign permissions to ftps to protect it from being removed or rewritten by a malicious user.
6. Ensure proper start-up of ftps (see below).
7. If you run libra from inetd alter /etc/inetd.conf file. Find the line starting with ftp and change it to look like

   ---

   ftp     stream  tcp     nowait  user    script name
   

   ---

   where user is the name of the user for all anonymous access to your system and script name is the path name of your script starting libra. The script
   • sets umask;
   • sets resource limits;
   • starts ftps with appropriate command line options;
   • redirects stderr to a log file.
   IMPORTANT! Double check that ftps runs with proper user credentials (real/effective/filesystem user and group identifiers and set of supplementary groups) and proper filesystem root. These points are very important for security of your FTP server.
8. Send a HANGUP signal to inetd to force it to re-read the /etc/inetd.conf file.

0.9 IPv6

Libra includes native support for IPv6. The server implements EPRT and EPSV commands as specified in RFC 2428 FTP Extensions for IPv6 and NATs. Thus it is possible to request or open data connection using an IPv6 address. This address family is also supported in various places where output of node address is required, for example in STAT command.

FTP clients working in IPv4 mode can still send PORT and PASV to server working in IPv6 mode.

Following scenarios are supported:

1. Client sends PORT a,b,c,d,port. It requests to open data connection to an IPv4 address a.b.c.d. Server should convert this address to an IPv4-mapped IPv6 address (::FFFF:a.b.c.d). This is necessary because server's side of data connection belongs to IPv6.
2. Client sends PASV. Server open a data connection in IPv4 family. This is possible only if server's IPv6 address is either ::FFFF:u.v.w.x (IPv4-mapped) or ::0:u.v.w.x (IPv4-compatible).
3. Client sends EPRT 1 a.b.c.d port. Server will behave as in case 1.
4. Client sends EPSV 1. Server will behave as in case 2.

0.10 AUTHORS

Andrey Savochkin (saw@saw.sw.com.sg), Maxim Shesterikov (libraftp@narod.ru). The current maintainer is Maxim Shesterikov.

0.11 SEE ALSO

ftp(1), inetd(8), ``Approaches of Libra FTP daemon development''