"Fossies" - the Fresh Open Source Software Archive

Member "pure-ftpd-1.0.49/README" (25 Mar 2019, 75540 Bytes) of package /linux/misc/pure-ftpd-1.0.49.tar.gz:



    1 
    2                               .:. PURE-FTPD .:.
    3                       Documentation for version 1.0.48
    4 
    5 
    6            ------------------------ BLURB ------------------------
    7 
    8 
    9 Pure-FTPd is a fast, production-quality, standard-conformant FTP server,
   10 based upon Troll-FTPd.
   11 
   12 The server has been designed to be secure in default configuration, it has no
   13 known vulnerability, it is really trivial to set up and it is especially
   14 designed for modern kernels. It was successfully ported to Linux, FreeBSD,
   15 Dragonfly BSD, NetBSD, OpenBSD, OSX, AIX and more.
   16 
   17 Features include chroot()ed and/or virtual chroot()ed home directories,
   18 virtual domains, built-in 'ls', anti-warez system, configurable ports for
   19 passive downloads, FXP protocol, bandwidth throttling, ratios,
   20 LDAP / MySQL / PostgreSQL-based authentication, fortune files, Apache-like
   21 log files, fast standalone mode, text / HTML / XML real-time status report,
   22 virtual users, virtual quotas, privilege separation, TLS and more.
   23 
   24 
   25       ------------------------ WHO'S USING IT? ------------------------
   26 
   27 
   28 Many people new to Unix are running Pure-FTPd because they find it easy to
   29 install. But that software is also used on embedded systems and highly loaded
   30 production servers, especially for hosting services.
   31 
   32 For large sites with centralized user management, Pure-FTPd provides flexible
   33 authentication schemes including SQL and LDAP backends, plus the ability to
   34 easily write new custom handlers in any language.
   35 
   36 
   37         ------------------------ COMPILATION ------------------------
   38         
   39 
   40 In its current form, Pure-FTPd uses some OS-specific system calls. Although
   41 some portability work has been done in order to ease its port to other
   42 operating systems, only Linux, FreeBSD, NetBSD, OpenBSD, ISOS, MirBSD, BSDi,
   43 DragonflyBSD, Darwin, Solaris, Tru64, Irix, AIX and HPUX are known to work;
   44 other operating systems may need some tweaks. With Linux, any modern
   45 distribution should be ok.
   46 
   47 * Step 1 (optional but recommended):
   48 
   49 Create a specific, unprivileged user and group called _pure-ftpd, without any
   50 valid shell. Don't use this for anything else, including FTP virtual users.
   51 
   52 groupadd _pure-ftpd
   53 useradd -g _pure-ftpd -d /var/empty -s /etc _pure-ftpd
   54 
   55 If having a user whose name begins with an underscore is a no-go for you,
   56 you can also call it pure-ftpd, without the underscore.
   57 
   58 * Step 2:
   59 
   60 If you have Cdialog or Xdialog installed on your system, try the following
   61 command to build and install Pure-FTPd:
   62 
   63 make -f Makefile.gui
   64 
   65 If you don't have Cdialog or if you prefer the conventional way, here it is:
   66 
   67 ./configure
   68 make install-strip
   69 
   70 Et voila! The software is now installed in /usr/local/sbin/pure-ftpd
   71 
   72 * Step 3:
   73 
   74 To launch the server, just type the following command:
   75 
   76 /usr/local/sbin/pure-ftpd &
   77 
   78 If you installed a binary package (RPM, SLP, Debian), maybe use the
   79 following command instead:
   80 
   81 /usr/sbin/pure-ftpd &
   82 
   83 Your server is ready. Just type 'ftp localhost' to test it. If you want to
   84 automatically run the server when the system boots, add the previous command
   85 to /etc/rc.d/rc.local or /etc/rc.d/boot.local . Don't forget the '&' sign.
   86 
   87 Note:
   88 
   89 To deinstall Pure-FTPd (no, do you really want to do this?), use:
   90 ./configure
   91 make uninstall
   92 
   93 
   94    ------------------------ ADVANCED COMPILATION ------------------------
   95     
   96     
   97 The "./configure" script accepts some arguments you might want to add before
   98 the compilation:
   99 
  100 
  101 
  102 /--------------------
  103  "--with-" switches
  104  --------------------/
  105 
  106 
  107 --with-altlog: in addition to the syslog output, support logging into a
  108 specific file, in an alternative format. Currently, the CLF, Stats, W3C and
  109 xferlog formats are implemented.
  110 CLF (common log format) is the basic format produced by Apache, WebFS, Roxen
  111 and most web servers. These log files only record file transfers and they can
  112 feed web statistic software (Analog, Webalizer, etc.) to analyze the load of
  113 your FTP server. The Stats format is a special output format, designed for log
  114 file analysis software. The W3C format is a standard format parsed by most
  115 commercial log analyzers (all analyzers with support for IIS should deal with
  116 it) . Xferlog is the traditional format created by wu-ftpd. Check the -O
  117 option later in this documentation for additional info.
  118 
  119 --with-brokenrealpath: some Solaris versions have a broken realpath()
  120 implementation. If altlog and/or pure-uploadscript doesn't seem to work
  121 properly on your system, try to recompile with this switch.
  122 
  123 --with-tls: enable TLS support. Read README.TLS for more about this feature.
  124 
  125 --with-certfile=<file>: the file with the TLS certificate (see README.TLS). The
  126 default is /etc/ssl/private/pure-ftpd.pem .
  127 
  128 --with-cookie: display a fortune or a customized banner when a user logs
  129 in (see the '-F' option) .
  130 
  131 --with-diraliases: support directory aliases ("shortcuts" for the "cd"
  132 command) . Please read the appropriate section about this (further in this
  133 manual) .
  134 
  135 --with-everything: build a big server with almost all features turned on:
  136 altlog, cookies, throttling, ratios, ftpwho, upload script, virtual users
  137 (puredb), quotas, virtual hosts, directory aliases, external authentication,
  138 Bonjour and privilege separation.
  139 
  140 --with-extauth: compiles support for external authentication modules. Please
  141 read README.Authentication-Modules and the pure-authd(8) man page before
  142 enabling this feature. Most users don't need it.
  143 
  144 --with-ftpwho: support for the 'pure-ftpwho' command. Enabling this feature
  145 needs some extra memory. Better use it when the server is run in standalone
  146 mode. It can be way slower in inetd mode.
  147 
  148 --with-language=english
  149 --with-language=albanian
  150 --with-language=german
  151 --with-language=romanian
  152 --with-language=french
  153 --with-language=polish
  154 --with-language=spanish
  155 --with-language=danish
  156 --with-language=italian
  157 --with-language=brazilian-portuguese
  158 --with-language=slovak
  159 --with-language=dutch 
  160 --with-language=korean
  161 --with-language=swedish
  162 --with-language=norwegian
  163 --with-language=russian
  164 --with-language=traditional-chinese
  165 --with-language=simplified-chinese
  166 --with-language=hungarian
  167 --with-language=catalan
  168 --with-language=czech: change the language of server messages.
  169 Default is english. If you want to contribute a translation, please
  170 translate the 'src/messages_en.h' file and send it to <j at pureftpd dot org> .
  171 
  172 --with-ldap: use the native LDAP directory support. When this option is
  173 enabled, system accounts can be bypassed. You need OpenLDAP to use that
  174 feature. If OpenLDAP is installed in a custom location, you can use the
  175 --with-ldap=<directory> syntax. See the README.LDAP file for more info about
  176 LDAP and Pure-FTPd.
  177 
  178 --with-minimal: to efficiently use features of modern FTP clients, Pure-FTPd
  179 implements the basics of the FTP protocol, with many extensions (SITE IDLE,
  180 SITE CHMOD, MLSD, ...) . Using the --with-minimal directive, these extensions
  181 won't be compiled in. Also, there will be no standalone server, no lookup for
  182 user/group names, no humor and no ASCII support. But the executable file size
  183 will be smaller than in a default installation. You need at least GCC 3.3 to
  184 compile with this option. Regular expressions are compiled in. If you still
  185 want to reduce the size, use --without-globbing in conjunction with
  186 --with-minimal. If you are building an embedded system, use this. In all other
  187 cases, to avoid complaints from customers (especially with Windows clients),
  188 forget this.
  189 
  190 --with-mysql: use the native MySQL support for users database. When this
  191 option is enabled, system accounts can be bypassed. MySQL client libraries
  192 should be installed to use that feature. If MySQL is installed in a custom
  193 location, you can use the --with-mysql=<directory> syntax. See the
  194 README.MySQL file for more info about MySQL and Pure-FTPd. 
  195 
  196 --with-nonroot: set up a server that doesn't need root privileges to be
  197 started. Any regular user can run the server. It can be useful if you have a
  198 limited shell access to a non-dedicated hosting server. But some features
  199 will be disabled and passwords can only be checked via LDAP, SQL or PureDB.
  200 When virtual chroot is enabled, people will be restricted to the directory
  201 the server was started in. This is an insecure mode, designed for setting up
  202 very temporary servers by regular (non-root) users. In standalone mode, the
  203 server listens on port 2121 by default. If you want to use the nonroot mode,
  204 you must compile and *install* the software (./configure --prefix=... &&
  205 make install-strip) . /sbin, /bin and /man directories will be created in
  206 that prefix. But you must also add an /etc directory (readable and writeable
  207 by the user pure-ftpd will run as) . You can change the anonymous FTP root
  208 directory through an environment variable named FTP_ANON_DIR.
  209 
  210 --with-pam: use pluggable authentication modules. Don't use this option
  211 if your login/passwd pairs are always refused (but the real fix would be to
  212 fix your PAM configuration). You need to create a /etc/pam.d/pure-ftpd file
  213 to properly use the PAM authentication. The 'pam' directory contains an
  214 example of such a file.
  215 
  216 --with-paranoidmsg: favor paranoid messages over sysadmin-friendly
  217 messages. When this option is enabled, login failures will show the same
  218 message to the user, regardless of the source of the problem. Without this
  219 option, "Authentication failure" is displayed when this is a password
  220 problem and "Sorry, I can't trust you" is displayed when the user has been
  221 banned by the sysadmin.
  222 
  223 --with-peruserlimits: enable per-user concurrency limits. Avoid this
  224 on very loaded servers.
  225 
  226 --with-pgsql: use the native Postgres support for users database. When this
  227 option is enabled, system accounts can be bypassed. Postgres client libraries
  228 should be installed to use that feature. If Postgres is installed in a custom
  229 location, you can use the --with-pgsql=<directory> syntax. See the
  230 README.PGSQL file for more info about Postgres and Pure-FTPd. 
  231 
  232 --with-probe-random-dev: Pure-FTPd uses /dev/urandom or /dev/random devices
  233 to provide hardly-predictable random numbers. The presence of these devices
  234 is usually probed at compile-time. If you want to compile a binary package on
  235 a host, then run it on another host, this option will enable the probe at
  236 run-time. This is useless on Linux and BSD systems, but it can be needed on
  237 Solaris and QNX.
  238 
  239 --with-puredb: support virtual users, ie. a local users database,
  240 independent of your system accounts. Please read the README.Virtual-Users
  241 file for more info about virtual users.
  242 
  243 --with-quotas: enable virtual quotas. With virtual quotas, you can restrict
  244 the maximal number of files a user can store in his account. You can also
  245 of course restrict the total size. See the "quotas" section later in this
  246 document.
  247 
  248 --with-ratios: support upload/download ratios, to please w4r3z fr34k2.
  249 
  250 --with-sysquotas: support system quotas (not Pure-FTPd's virtual quotas) .
  251 
  252 --with-throttling: support bandwidth throttling (see below).
  253 
  254 --with-uploadscript: since 0.98, Pure-FTPd has a nice feature regarding
  255 uploads. Any external program or script can be automatically called after a
  256 successful upload. It needs another program installed by the Pure-FTPd
  257 package, called 'pure-uploadscript'. Check the man page for more info about
  258 this.
  259 
  260 --with-virtualchroot: usually, when a user is chrooted (-A and -a
  261 options), it's impossible to go out of his home directory. Enabling that
  262 feature makes it possible: symbolic links are always followed, even if they
  263 are pointing to directories not located in the user's home directory. This
  264 is very useful for having shared directories (for instance, have a symbolic
  265 link to /var/incoming in every home directory) .
  266 This feature isn't enabled by default.
  267 
  268 --with-virtualhosts: support virtual hosting. It means that you can have
  269 different anonymous FTP areas for each IP address. If your server has only
  270 one IP address, you don't need that feature. But if you have multiple IP
  271 addresses and if you want a client that connects to IP xxx to get
  272 the content of /etc/pure-ftpd/xxx/ instead of ~ftp/ , enable this option.
  273 And read the "VIRTUAL SERVERS" section at the end of this file.
  274 
  275 --with-welcomemsg: read 'welcome.msg' files for compatibility with some
  276 other FTP servers. This is a security flaw (anonymous users may upload
  277 'welcome.msg' files to add random banners) . Pure-ftpd uses '.banner' files
  278 by default.
  279 
  280 --with-boring: display boring "professional-looking" messages.
  281 
  282 --with-bonjour: enable Bonjour support on MacOS X (see the -v switch).
  283 
  284 --with-rfc2640: enable support for charset conversion. It adds a dependency
  285 over the iconv library and it requires a little more CPU time. See the -8
  286 and -9 switches.
  287 
  288 --with-implicittls: build a FTPS server (TLS is implicitly enabled).
  289 The protocol is incompatible with FTP and listens to another port by default
  290 (port 990, ftps). Never enable this option unless you know what you're doing.
  291 
  292 
  293 /-----------------------
  294  "--without-" switches
  295  -----------------------/
  296 
  297 --without-privsep: disable privilege separation (see notes about this later),
  298 not recommended.
  299 
  300 --without-ascii: does not support 7-bits transfers (ASCII) .  If you have
  301 customers using Windows clients to send scripts and HTML files, don't use
  302 this option or they will yell at you.
  303 
  304 --without-capabilities: if the capabilities library (libcap) is found,
  305 Pure-FTPd will try to use it in order to enhance security. This option
  306 overrides the test to ignore the library. Try this if capabilities don't
  307 work properly on your system. libcap can be downloaded from
  308 ftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/ .
  309 
  310 --without-globbing: don't include the globbing code. It reduces the memory
  311 footprint but regular expressions won't work any more (things like 'ls
  312 *.rpm') . Most people shouldn't use --without-globbing. Globbing is a nice
  313 feature.
  314 
  315 --without-humor: if you find what this option does without peeking at the
  316 source code, you're a lucky guy!
  317 
  318 --without-inetd: if you will always be running Pure-FTPd in standalone-mode,
  319 enabling this flag can save a few code bytes. Don't enable --without-inetd
  320 and --without-standalone, because it's impossible to run a server without
  321 one of them. These options aren't enabled on binary distributions of
  322 Pure-FTPd, so that both inetd-like and standalone mode are supported.
  323 
  324 --without-iplogging: don't log any IP address to protect confidentiality,
  325 especially for political servers.
  326 
  327 --without-nonalnum: paranoid file name checking: only allow basic
  328 alphanumeric characters. Never enable this switch blindly, or your customers
  329 will complain.
  330 
  331 --without-unicode: disallow non-latin characters. Recommended if you don't
  332 have special characters in file names.
  333 
  334 --without-sendfile: on Linux, Solaris, HPUX and FreeBSD kernels, Pure-FTPd
  335 tries to reduce the CPU/memory usage by using a special system call (sendfile)
  336 . It works very well with most filesystems. However, this optimization is not
  337 implemented for all filesystems in current kernels. Users reported that
  338 downloading files with Pure-FTPd failed with SMBFS (Samba) on FreeBSD and
  339 TmpFS and NTFS on Linux (the error reported by the server is "broken pipe" or
  340 "Error during write to data connection") . If you are planning to serve files
  341 from these filesystems, you have to use the --without-sendfile switch to
  342 enable a workaround. It was also reported that PA-Risc Linux systems need this
  343 flag.
  344 
  345 --without-shadow: ignore the shadow passwords, even though they are
  346 auto-detected. Usually a bad idea, unless you use PAM, LDAP or SQL.
  347 Pure-FTPd supports expiration dates of shadow passwords (both for accounts
  348 and passwords) .
  349 
  350 --without-standalone: the FTP server can normally run in standalone-mode
  351 (without any super-server) . If you don't need that feature and if you want
  352 to save few code bytes, add this option. A super-server such as xinetd
  353 or tcpserver will be mandatory to run the service. But the standalone mode is
  354 the recommended mode of operation.
  355 
  356 --without-usernames: never outputs user and group names in directory
  357 listings, only UIDs and GIDs. It improves security and performance, but
  358 some people find this not user-friendly.
  359 
  360 
  361 
  362 /--------------
  363  Other notes
  364  --------------/
  365 
  366 
  367 Other traditional autoconf options are of course recognised, in particular:
  368 
  369 - "--prefix=" to change the installation prefix, that defaults to "/usr/local/"
  370 
  371 - "--sysconfdir=" to change the configuration files directory (defaults to
  372 "/etc" unless you specified a prefix with --prefix)
  373 
  374 - "--localstatedir=" to change the runtime files directory (defaults to
  375 "/var" even if you specified a prefix with --prefix)
  376 
  377 FYI, the binary RPM packages of Pure-FTPd are configured with the following
  378 command line:
  379 
  380 ./configure --with-everything --with-paranoidmsg --without-capabilities \
  381             --with-virtualchroot
  382 
  383 RPM packages are also compiled with --without-pam to enhance their
  384 portability.
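
The switches above that this README itself calls a security flaw, insecure, not recommended or security-improving can be checked mechanically before a build. The script below is an added example, not part of the Pure-FTPd distribution; the function names and the WARN/NOTE/GOOD labels are assumptions, and the sample input is the RPM command line quoted above.

```shell
#!/bin/sh
# Added example, not part of the Pure-FTPd distribution.
# Reports the ./configure switches that this README describes as weakening
# (WARN), relaxing (NOTE) or tightening (GOOD) the resulting build.

# The function body is a subshell, so "set -f" and the variables stay local.
audit_configure_flags() (
    set -f                      # no pathname expansion while word-splitting $1
    alt_auth=0
    # First pass: is a PAM, LDAP or SQL backend being built?
    for flag in $1; do
        case "$flag" in
            --with-pam|--with-ldap*|--with-mysql*|--with-pgsql*) alt_auth=1 ;;
        esac
    done
    # Second pass: one finding per security-relevant switch.
    for flag in $1; do
        case "$flag" in
            --with-welcomemsg)
                echo "WARN $flag: anonymous users may upload welcome.msg banners" ;;
            --with-nonroot)
                echo "WARN $flag: insecure mode meant for very temporary servers" ;;
            --without-privsep)
                echo "WARN $flag: privilege separation disabled (not recommended)" ;;
            --without-capabilities)
                echo "WARN $flag: libcap is ignored even when it is installed" ;;
            --without-shadow)
                # The README accepts this switch only with PAM, LDAP or SQL.
                if [ "$alt_auth" -eq 0 ]; then
                    echo "WARN $flag: shadow passwords ignored, no PAM/LDAP/SQL backend"
                fi ;;
            --with-virtualchroot)
                echo "NOTE $flag: symlinks pointing outside a chroot()ed home are followed" ;;
            --with-implicittls)
                echo "NOTE $flag: FTPS-only build, incompatible with plain FTP (port 990)" ;;
            --with-paranoidmsg)
                echo "GOOD $flag: every login failure returns the same message" ;;
            --without-usernames)
                echo "GOOD $flag: listings show only UIDs and GIDs" ;;
        esac
    done
)

# Helper: number of findings at a given level (WARN, NOTE or GOOD).
count_findings() {
    audit_configure_flags "$1" | grep -c "^$2 " || true
}

# The command line this README gives for the binary RPM packages.
RPM_FLAGS='./configure --with-everything --with-paranoidmsg --without-capabilities --with-virtualchroot'

audit_configure_flags "$RPM_FLAGS"
```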
  385 
  386 
  387   ------------------------ STANDALONE INSTALLATION ------------------------
  388 
  389 
  390 This is the recommended way to start the server.
  391 
  392 Unless you compiled the server with "--without-standalone", running the
  393 server is as easy as typing:
  394 
  395 /usr/local/sbin/pure-ftpd &
  396 
  397 In the following examples, we will assume that the 'pure-ftpd' file is
  398 located in /usr/local/sbin. This is the default if you compiled the server
  399 from the source code tarball. But as I said earlier in this document, if
  400 you installed a binary package (RPM, SLP, DEB, TGZ), the server may be
  401 installed in /usr/sbin/. So just replace '/usr/local/sbin/pure-ftpd' with
  402 '/usr/sbin/pure-ftpd'.
  403 
  404 When the previous command is run, the server will listen for incoming
  405 connections on every interface, all IP addresses and the standard FTP port
  406 (21) . If your system has IPv6 addresses, they should work as well.
  407 
  408 Now, if you want to listen for an incoming connection on a non-standard port,
  409 just append '-S' and the port number:
  410 
  411 /usr/local/sbin/pure-ftpd -S 42
  412 
  413 Service names are also allowed: with '-S smtp', the daemon will accept
  414 connections on the SMTP port (25). Very uncommon, but we should please
  415 everybody anyway, even disturbed minds.
  416 
  417 Now, what if your system has many IP addresses and you want the FTP server
  418 to be reachable on only one of these addresses, let's say 192.168.0.42?
  419 Just use the following command line:
  420 
  421 /usr/local/sbin/pure-ftpd -S 192.168.0.42,
  422 
  423 The final comma is important, don't forget it. Actually, it's a shorthand for:
  424 
  425 /usr/local/sbin/pure-ftpd -S 192.168.0.42,21
  426 
  427 If you prefer host names over IP addresses, it's your choice:
  428 
  429 /usr/local/sbin/pure-ftpd -S ftp.example.com,21
  430 
  431 IPv6 addresses are of course supported.
  432 
  433 With previous command lines, the server will run in the default
  434 configuration. Anonymous FTP logins will be allowed if there's a system
  435 account called 'ftp' and every user of your system will be able to access
  436 the FTP server using their regular login/password pair.
  437 
  438 If you need to tweak that default configuration, other command-lines options
  439 can be added. For instance:
  440 
  441 /usr/local/sbin/pure-ftpd -c 50 &
  442 
  443 or
  444 
  445 /usr/local/sbin/pure-ftpd -S ftp.example.com,21 -c 50 &
  446 
  447 And only 50 simultaneous connections will be allowed. To discover what
  448 options are available please jump to the 'OPTIONS' chapter below. If the
  449 server runs perfectly for you in standalone mode, you don't need to read the
  450 following chapter about super-servers. But read the options. '-m' and '-C'
  451 are recommended. '-D' is also a good choice if you (or your customers) use
  452 broken clients. Please read on.
  453 
  454 When you run 'ps auxw|grep pure-ftpd', the result looks like this:
  455 
  456 root     15211  0.1  0.3  1276  452 ?        S    13:53   0:00 pure-ftpd [SERVER]
  457 root     15212  0.1  0.5  1340  672 ?        S    13:54   0:00 pure-ftpd [IDLE]
  458 root     15214  0.0  0.5  1340  672 ?        S    13:56   0:00 pure-ftpd [DOWNLOADING]
  459 
  460 [SERVER] is the main server. If you kill this process, the server will exit
  461 after the next connection.
  462 [IDLE] shows a client with no transfer activity.
  463 [DOWNLOADING] shows a client downloading a file.
  464 [UPLOADING] shows a client uploading a file.
  465 
  466 For easy scripting, the file '/var/run/pure-ftpd.pid' is created and it
  467 always contains the PID of the main server process.
  468 
  469 If you want to stop the server, you can just kill the processes:
  470 
  471 pkill -x pure-ftpd
  472 
  473 Of course, don't use -9 unless the server is completely stuck. -9 doesn't
  474 give processes any chance to clean things up and should never be used except
  475 where there's absolutely nothing else to do.
  476 
  477 
  478  ------------------------ SUPER-SERVER INSTALLATION ------------------------
  479     
  480     
  481 Pure-FTPd can also run with the help of a super-server, like telnet, wu-ftp,
  482 finger or Qmail. This is not recommended. If this is an option, start it in
  483 standalone mode instead. Using a super-server is usually slower than the
  484 standalone mode. But if you love tcpwrappers or built-in filtering abilities
  485 of your super-server, Pure-FTPd can cope with them.
  486 
  487 Unix has tons of super-servers: Inetd (the most common one), TCPserver,
  488 G2S, Xinetd, Rlinetd, ... Only the first three will be covered here, but
  489 integration with other super-servers should be painless.
  490 
  491 
  492 **** Usage with Inetd ****
  493 
  494 Important: if security matters for you, forget inetd. In the default
  495 configuration, inetd will stop a service after a high rate of connections to
  496 the same port. This creates an easy denial-of-service. Also, inetd doesn't
  497 have any concurrency limit. Bad guys can fill up your memory and your
  498 descriptor tables even if you are restricting the number of connections in
  499 pure-ftpd. Better use a modern replacement for inetd, or run pure-ftpd in
  500 standalone mode.
  501 
  502 
  503 1) Check that inetd is up:
  504 
  505 ps auxw | grep inetd
  506 root      3699  0.0  0.3  1072  492 ?        S    15:47   0:00 inetd
  507 
  508 2) Edit /etc/inetd.conf and look for a line like:
  509 
  510 ftp        stream        tcp        nowait        root        /usr/sbin/tcpd        in.ftpd
  511 
  512 The line may also end with "proftpd" or "wuftpd", but it should start with
  513 "ftp stream tcp".
  514 
  515 3) Replace that line with the following one:
  516 
  517 ftp        stream        tcp        nowait        root        /usr/sbin/tcpd        /usr/local/sbin/pure-ftpd
  518 
  519 If /usr/sbin/tcpd is missing on your system, try the following line instead:
  520 
  521 ftp        stream        tcp        nowait        root        /usr/local/sbin/pure-ftpd  pure-ftpd
  522 
  523 4) Restart the inetd daemon:
  524 
  525 pkill -HUP -x inetd
  526 
  527 If 'pkill' is missing on your system, try this:
  528 
  529 kill -HUP $(cat /var/run/inetd.pid)
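
To see how an existing inetd.conf wires up FTP, the following added example (not part of the Pure-FTPd distribution) parses the file and applies the points this README makes about inetd, including two from the OPTIONS chapter: '-C' only works in standalone mode, and inetd wants no space between an option and its argument. The function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the Pure-FTPd distribution.
# audit_inetd_ftp reads an inetd.conf on stdin and reports each active
# "ftp stream tcp" entry together with the caveats this README lists.
audit_inetd_ftp() {
    awk '
    /^[ \t]*#/ || NF < 7 { next }      # skip comments and incomplete entries
    $1 == "ftp" && $2 == "stream" && $3 == "tcp" {
        found = 1
        # With tcpd, field 7 is the real daemon. Without it, field 6 is the
        # daemon and field 7 is its argv[0]. Arguments start at field 8.
        wrapped = ($6 ~ /\/tcpd$/)
        daemon = wrapped ? $7 : $6
        n = split(daemon, path, "/")
        print "daemon=" path[n] " user=" $5 " tcpd=" (wrapped ? "yes" : "no")
        print "WARN inetd: no concurrency limit, a high connection rate stops the service"
        if (path[n] != "pure-ftpd")
            print "NOTE " path[n] " is still the configured FTP daemon"
        for (i = 8; i <= NF; i++) {
            if ($i ~ /^-C/)
                print "WARN -C: the per-IP limit only works in standalone mode"
            if ($i ~ /^-[A-Za-z0-9]$/ && i < NF && $(i + 1) !~ /^-/)
                print "WARN " $i " " $(i + 1) ": use " $i $(i + 1) ", no space under inetd"
        }
    }
    END { if (!found) print "OK ftp is not started from inetd" }
    '
}

# Constructed sample, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# /etc/inetd.conf (constructed)
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/local/sbin/pure-ftpd -s -a 42 -C2
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
EOF
}

sample_inetd_conf | audit_inetd_ftp
```

On a real host, run it as: audit_inetd_ftp < /etc/inetd.conf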
  530 
  531 
  532 **** Usage with Xinetd ****
  533 
  534 Add the following entry to the /etc/xinetd.conf file:
  535 
  536 
  537 service ftp 
  538 { 
  539     socket_type = stream 
  540     server = /usr/local/sbin/pure-ftpd 
  541     protocol = tcp 
  542     user = root 
  543     wait = no
  544     disable = no 
  545 }
  546 
  547 
  548 On Redhat systems, you can also put this in a /etc/xinetd.d/pure-ftpd file.
  549 
  550 Then, restart the server:
  551 
  552 pkill -USR2 -x xinetd
  553 
  554 
  555 
  556 **** Usage with TCPserver ****
  557 
  558 
  559 TCPserver is part of the ucspi-tcp package by Dan Bernstein.
  560 The simplest way of running Pure-FTPd with TCPserver is the following command:
  561 
  562 tcpserver -DHRl0 0 21 /usr/local/sbin/pure-ftpd &
  563 
  564 You can add that line to your system local startup scripts
  565 (usually /etc/rc.d/boot.local or /etc/rc.d/rc.local) . If it doesn't work,
  566 replace 'tcpserver' with its full path (eg. '/usr/local/bin/tcpserver') .
  567 
  568 
  569           ------------------------ OPTIONS ------------------------
  570     
  571     
  572 The previous steps should be enough to get a running FTP server. But you can
  573 add some command-line arguments to change its behavior. These arguments have
  574 to be added after the pure-ftpd path in your super-server configuration.
  575 For instance, you want to add the '-s' and '-a 42' flags. Here is what the
  576 configuration lines will look like in your super-server:
  577 
  578 - Inetd:
  579 ftp        stream        tcp        nowait        root        /usr/sbin/tcpd  /usr/local/sbin/pure-ftpd -s -a42
  580 or
  581 ftp        stream        tcp        nowait        root        /usr/local/sbin/pure-ftpd  pure-ftpd -s -a42
  582 
  583 If you use Inetd, don't put a space between options and arguments, e.g. use
  584 -a42 instead of -a 42 . Inetd has trouble dealing with a lot of options and
  585 with characters like ':' .
  586 
  587 - Xinetd:
  588 
  589 service ftp 
  590 { 
  591     socket_type = stream 
  592     server = /usr/local/sbin/pure-ftpd
  593     server_args = -s -a 42
  594     protocol = tcp 
  595     user = root 
  596     wait = no
  597     disable = no 
  598 }
  599 
  600 - TCPserver:
  601 tcpserver -DHRl0 0 21 /usr/local/sbin/pure-ftpd -s -a 42 &
  602 
  603 - G2S:
  604 {  
  605     SERVICE ftp
  606     DESCRIPTION "Pure-FTPd"
  607     RUN /usr/local/sbin/pure-ftpd -s -a 42
  608 }
  609 
  610 Users need a shell listed in /etc/shells to get restricted or unrestricted
  611 FTP access. Alternatively, you can give them "ftp" as a shell. Users with a
  612 "ftp" shell will be able to login through FTP only: no telnet, no SSH. And
  613 there's no need (and you shouldn't do so) for an "ftp" entry in /etc/shells.
  614 
  615 Here are the recognized switches:
  616 
  617 - '-0': when a file is uploaded and there is already a previous version of the
  618 file with the same name, the old file will neither get removed nor truncated.
  619 Upload will take place in a temporary file and once the upload is complete,
  620 the switch to the new version will be atomic. For instance, when a large PHP
  621 script is being uploaded, the web server will still serve the old version and
  622 immediately switch to the new one as soon as the full file has been
  623 transferred.
  624 
  625 - '-1': log the PID of each session in syslog output.
  626 
  627 - '-2 <file>': when using TLS, set the path to the certificate file.
  628 
  629 - '-4': only listen to IPv4 connections.
  630 
  631 - '-6': don't listen to IPv4, only listen to IPv6.
  632 
  633 - '-a <gid>': authenticated users will be granted access to their home
  634 directory and nothing else (chroot) . This is especially useful for users
  635 without shell access, for instance, WWW-hosting services shared by several
  636 customers. Only members of group number <gid> will have unrestricted access
  637 to the whole filesystem. So add a "staff", "admin" or "ftpadmin" group and
  638 put your trusted users in. <gid> is a NUMERIC group number, not a group name.
  639 This feature is mainly designed for system users, not for virtual ones.
  640 
  641 Note: 'root' (uid 0) always has full filesystem access.
  642 
  643 If you want to chroot() everyone, but root, use the following flag:
  644 
  645 - '-A': chroot() everyone, but root. There's no such thing as a trusted
  646 group. '-A' and '-a <gid>' are mutually exclusive.
  647 
  648 - '-b': Ignore parts of RFC standards in order to deal with some totally
  649 broken FTP clients, or broken firewalls/NAT boxes. Also, non-dangling
  650 symbolic links are shown as real files/directories.
  651 
  652 - '-B': Have the standalone server start in background (daemonization).
  653 
  654 - '-c <number of clients>': Set the maximum number of clients allowed to be
  655 connected. For instance '-c 42' will limit access to 42 simultaneous clients.
  656 There is a 50 client limit by default.
  657 
  658 - '-C <max connection per ip>': Limit the number of simultaneous connections
  659 coming from the same IP address. This is yet another very effective way to
  660 prevent stupid denial of services and bandwidth starvation by a single user.
  661 It works only when the server is launched in standalone mode (if you use a
  662 super-server, it is supposed to do that) . If the server is launched with
  663 '-C 2', it doesn't mean that the total number of connections is limited to 2.
  664 But the same client, coming from the same machine (or at least the same IP),
  665 can't have more than two simultaneous connections. This feature needs some
  666 memory to track IP addresses, but it's recommended to use it.
  667 
  668 - '-d': Send various debugging messages to the syslog. Don't use this
  669 unless you really want to debug Pure-FTPd. Passwords aren't logged.
  670 Duplicate '-d' to log responses, too.
  671 
  672 - '-D': List files beginning with a dot ('.') even when the client doesn't
  673 append the '-a' option to the list command. A workaround for badly
  674 configured FTP clients. If you are a purist, don't enable this. If you
  675 provide hosting services and if you have lousy customers, enable this.
  676 
  677 - '-e': Only allow anonymous users. Use this on a public FTP site with no
  678 remote FTP access to real accounts.
  679 
  680 - '-E': Only allow authenticated users. Anonymous logins are prohibited.
  681 
  682 - '-f <facility>': Use that facility for syslog logging. It defaults to
  683 'ftp' (or 'local2' if you got an obsolete libc without that facility).
  684 Logging can be disabled with '-f none' .
  685 
  686 - '-F <fortune file>': Display a fortune cookie on login. The sentence is
  687 a random extract from the text file <fortune file>. This text file should be
  688 formatted like standard "fortune" files (fortunes are separated by a '%'
  689 sign on a single line) . Pure-FTPd has to be compiled with support for
  690 cookies (--with-cookie). If you just want a simple banner displayed before
  691 the login prompt, add the name of any text file here.
  692 
  693 - '-g <pid file>': Change the location of the pid file when the server is
  694 run in standalone mode. The default is /var/run/pure-ftpd.pid .
  695 
  696 - '-G': Disallow renaming.
  697 
  698 - '-H': By default, fully-qualified host names are logged. To achieve this,
  699 DNS lookups are mandatory. The '-H' flag avoids host names resolution.
  700 ("213.41.14.252" will be logged instead of "www.toolinux.com") . It can
  701 significantly speed up connections and reduce bandwidth usage on busy
  702 servers. Use it especially on public FTP sites. Also, please note that
  703 without -H, host names are informative but shouldn't be trusted: no reverse
  704 mapping check is done to save DNS queries.
  705 
  706 - '-i': Disallow upload for anonymous users, whatever directory permissions
  707 are. This option is especially useful for virtual hosting, to avoid your
  708 users creating warez sites in their account.
  709 
  710 - '-I <timeout>': Change the maximum idle time. The timeout is in minutes
  711 and defaults to 15 minutes. Modern FTP clients try to fool timeouts
  712 by sending fake commands at regular intervals. We disconnect these clients
  713 when they are idle for twice (because they are active anyway) the normal
  714 timeout.
  715 
  716 - '-j': If the home directory of a user doesn't exist, automatically create
  717 it. The newly created home directory belongs to the user and permissions are
  718 set according to the current directory mask. Only the home directory can be
  719 created (so /home/john/./public_html won't work, but /home/john will) . To
  720 avoid local attacks, the parent directory should never belong to an untrusted
  721 user. Also note that you must trust whoever manages the users databases,
  722 because with that feature, he'll be able to create/chown directories anywhere
  723 on the server's filesystem.
  724 
  725 - '-J <ciphers>': Sets the list of ciphers that will be accepted for
  726 TLS connections.
  727 
  728 - '-k <percentage>': Don't allow uploads if the partition is more than
  729 <percentage>% full. For instance, "-k 95" will ensure your disks will never
  730 get filled more than 95% by FTP. No need for the "percent" sign after the
  731 number.
  732 
  733 - '-K': Allow users to resume and upload files, but *NOT* to delete or rename
  734 them. Directories can be removed, but only if they are empty. However,
  735 overwriting existing files is still allowed (to support upload resume) . If
  736 you want to disable this too, add -r (--autorename) .
  737 
  738 - '-l <authentication>' or '-l <authentication>:<config file>': Adds a new
  739 rule to the authentication chain. Please read the "Authentication" section,
  740 later in this README file. It's an important section.
  741 
  742 - '-L <max files>:<max depth>': To avoid stupid denial-of-service attacks
  743 (or just CPU hogs), Pure-FTPd never displays more than 10000 files in response
  744 to an 'ls' command. Also, a recursive 'ls' (-R) never goes further than 5
  745 subdirectories. You can increase/decrease those limits with the '-L' option.
  746 
  747 - '-m <cpu load>': Don't allow anonymous download if the load is above <cpu
  748 load> . A very efficient way to prevent overloading your server. Upload is
  749 still allowed, though.
  750 
  751 - '-M': Allow anonymous users to create directories.
  752 
  753 - '-n <max files>:<max size>': If the server has been compiled with support
  754 for virtual quotas, enforce these quota settings for all users (except
  755 members of the 'trusted' group) . <max size> is in Megabytes. See the
  756 "virtual quotas" section later in this document.
  757 
  758 - '-N': NAT mode. Force ACTIVE mode. If your FTP server is behind a NAT box
  759 that doesn't support applicative FTP proxying, or if you use port
  760 redirection without a transparent FTP proxy, use this. Well... the previous
  761 sentence isn't very clear. Okay: if your network looks like this:
  762 (FTP server)-------(NAT/masquerading gateway/router)------(Internet)
  763 and if you want people coming from the internet to have access to your FTP
  764 server, please try without this option first. If Netscape clients can
  765 connect without any problem, your NAT gateway rulez. If Netscape doesn't
  766 display directory listings, your NAT gateway sucks. Use '-N' as a workaround.
  767 
  768 - '-o': Write all uploaded files to '/var/run/pure-ftpd.upload.pipe' so
  769 that the 'pure-uploadscript' program can run. Don't enable that option if
  770 you don't actually use 'pure-uploadscript' otherwise pure-ftpd will hang
  771 waiting for pure-uploadscript to start.
  772 
  773 - '-O <format>:<log file>': Record all file transfers into a specific log
  774 file, in an alternative format. Currently, four formats are supported: CLF
  775 (Apache-like), Stats, W3C and xferlog.
  776 
  777 If you add '-O clf:/var/log/pureftpd.log' to your starting options,
  778 Pure-FTPd will log transfers in /var/log/pureftpd.log in a format similar to
  779 the Apache web server in default configuration. 
  780 
  781 If you add '-O stats:/var/log/pureftpd.log' to your starting options,
  782 Pure-FTPd will create log files in a special format, designed for statistical
  783 reports. The Stats format is compact, more efficient and more accurate than
  784 CLF and the old broken "xferlog" format.
  785 
  786 The Stats format is:
  787 <date> <session id> <user> <ip> <U or D> <size> <duration> <file>
  788 
  789 <date> is a GMT timestamp (time()) and <session id> identifies the current
  790 session. <file> is unquoted, but it's always the last element of a log line.
  791 "U" means "Upload" and "D" means "Download".
  792 
  793 Warning: the session id is only designed for statistics purposes. While it's
  794 always a unique string in the real world, it's theoretically possible to have
  795 it non-unique in very rare conditions. So don't rely on it for critical
  796 missions.
  797 
  798 A command called "pure-statsdecode" can be used to convert timestamps into
  799 human-readable dates.
  800 
  801 The W3C format is enabled with '-O w3c:/var/log/pureftpd.log' .
  802 
  803 For security purposes, the path must be absolute (eg. /var/log/pureftpd.log
  804 , not ../log/pureftpd.log) . If this log file is stored on a NFS volume, don't
  805 forget to start the lock manager (often called "lockd" or "rpc.lockd").
  806 
  807 - '-p <first port>:<last port>': Use only ports in the range <first port>
  808 to <last port> inclusive for passive-mode downloads. This is especially
  809 useful if the server is behind a firewall without FTP connection tracking.
  810 Use high ports (40000-50000 for instance), where no regular server should be
  811 listening.
  812 
  813 - '-P <ip address or host name>': Force the specified IP address in reply to
  814 a PASV/EPSV/SPSV command. If the server is behind a masquerading (NAT) box
  815 that doesn't properly handle stateful FTP masquerading, put the ip address
  816 of that box here. If you have a dynamic IP address, you can put the public
  817 host name of your gateway, which will be resolved every time a new client
  818 connects.
  819 
  820 - '-q <upload ratio>:<download ratio>': Enable ratios for anonymous users.
  821 
  822 - '-Q <upload ratio>:<download ratio>': Enable ratios for everybody
  823 (anonymous and non-anonymous). Members of the root group (0, sometimes called
  824 'wheel') have no ratio.
  825 
  826 - '-r': Never overwrite existing files. Uploading a file whose name
  827 already exists causes an automatic rename. Files are called xyz, xyz.1, xyz.2,
  828 xyz.3, etc.
  829 
  830 Tip: if you compile with 'make AUTORENAME_REVERSE_ORDER=1' , the naming
  831 convention will be reversed. Files will be called xyz, 1.xyz, 2.xyz, 3.xyz,
  832 etc.
  833 
  834 - '-R': Disallow users (even non-anonymous ones) usage of the CHMOD
  835 command. On hosting services, it may prevent newbies from making mistakes,
  836 like setting bad permissions on their home directory. Only root can use
  837 CHMOD when -R is enabled.
  838 
  839 - '-s': The "waReZ protection". Don't allow anonymous users to download
  840 files owned by "ftp" (generally, files uploaded by other anonymous users) .
  841 So that uploads have to be validated by a system administrator (chown to
  842 another user) before being available for download.
  843 
  844 - '-S [<ip address>,|<hostname>,] [<port>|<service name>]'. This option is
  845 only effective when the server is launched as a standalone server.
  846 Connections are accepted on the specified IP and port. IPv4 and IPv6 are
  847 supported. Numeric and fully-qualified host names are accepted. A service
  848 name (see /etc/services) can be used instead of a numeric port number.
  849 
  850 - '-T <bandwidth>' and '-t <bandwidth>': Enable bandwidth limitation (see
  851 below) . <bandwidth> is specified in kilobytes/seconds. To set up separate
  852 upload/download bandwidth, the [<upload>]:[<download>] syntax is supported.
  853 
  854 - '-u <uid>': Don't allow uids below <uid> to log in. '-u 1' denies access
  855 to root (safe), '-u 100' denies access to virtual accounts on most Linux
  856 distros.
  857 
  858 - '-U <umask for files>:<umask for dirs>': Change the file creation mask.
  859 The default is 133:022. If you want a new file uploaded by a user to only be
  860 readable by that user, use '-U 177:077'. If you want uploaded files to be
  861 executable, use 022:022 (files will be readable -but not writable- by other
  862 users) or 077:077 (files will only be executable and readable by their
  863 owner) . Please note that Pure-FTPd supports the SITE CHMOD extension, so a
  864 user can change the permissions of his own files.
  865 
  866 - '-V <ip address>': Allow non-anonymous FTP access only on this specific
  867 local IP address. All other IP addresses are only anonymous. With that
  868 option, you can have routed IPs for public access and a local IP (like
  869 10.x.x.x) for administration. You can also have a routable trusted IP
  870 protected by firewall rules and only that IP can be used to login as a
  871 non-anonymous user.
  872 
  873 - '-v <name>': Set the service name for Apple's Bonjour. Only available on
  874 MacOS X when Bonjour support is compiled in.
  875 
  876 - '-w': Support the FXP protocol only for authenticated users. FXP works
  877 with IPv4 and IPv6 addresses.
  878 
  879 - '-W': Support the FXP protocol. FXP allows transfers between two remote
  880 servers without any file data going to the client asking for the transfer.
  881 
  882 However:
  883 
  884 ****************************************************************************
  885 
  886    *FXP IS AN INSECURE PROTOCOL* (third-party hosts can steal the current
  887 connection) . In Pure-FTPd, specific precautions have been taken to reduce
  888 FXP insertion attacks. But if your FTP server serves private data:
  889    NEVER ALLOW FXP ACCESS TO UNTRUSTED HOSTS. YOU CAN PLAY WITH IT ON AN
  890 INTERNAL SERVER, BUT _DON'T_ GIVE FXP ACCESS TO ANONYMOUS INTERNET USERS.
  891 
  892 ****************************************************************************
  893 
  894         It's why FXP is disabled by default on Pure-FTPd unless you
  895 explicitly enable it with '-W' or '-w'.
  896 
  897 - '-x': In normal operation mode, authenticated users can read/write files
  898 beginning with a dot ('.') . Anonymous users can't, for security reasons
  899 (like changing banners or a forgotten .rhosts) . When '-x' is used,
  900 authenticated users can download dot-files, but not overwrite/create them,
  901 even if they own them. That way, you can prevent hosted users from messing
  902 .qmail files. If you want to give user access to a special dot-file, create a
  903 symbolic link to the dot-file with a file name that has no dot in it and the
  904 client will be able to retrieve the file through that link.
  905 
  906 - '-X': This flag is identical to the previous one (writing dot-files is
  907 prohibited), but in addition, users can't even *read* files and directories
  908 beginning with a dot (like "cd .ssh") .
  909 
  910 ****************************************************************************
  911 
  912 When used in conjunction with "-a", members of the trusted group can bypass
  913 '-x'/'-X' restrictions.
  914 
  915 ****************************************************************************
  916 
  917 - '-y <max user logins>:<max anonymous logins>': This option only
  918 works if the server has been compiled with --with-peruserlimits. It
  919 restricts the number of concurrent sessions the same user can have.
  920   A null value ('0') means 'unlimited'.
  921 
  922 Here's a concrete example:
  923 
  924 /usr/local/sbin/pure-ftpd -y 3:20 -c 15 -C 5 -B
  925 
  926 Here, we allow:
  927   * A max total of 15 sessions.
  928   * 5 connections max coming from the same IP address.
  929   * 3 connections max with the same user name.
  930   * 20 anonymous users max.
  931   
  932 With such a setup, a single user can't easily fill all slots.  
  933 
  934 - '-Y 0': Disable the TLS encryption layer (default).
  935   '-Y 1': Accept both standard and encrypted sessions.
  936   '-Y 2': Refuse connections that aren't using TLS security mechanisms,
  937 including anonymous sessions. The server must have been compiled with
  938 --with-tls and a valid certificate must be in place to get this feature.
  939 See the README.TLS file for more info about TLS.
  940   '-Y 3': Cleartext sessions are refused and only TLS compatible 
  941 clients are accepted. Clear data connections are also refused, so private 
  942 data connections are enforced.
  943 
  944 - '-z': Allow anonymous users to read files and directories starting with a
  945 dot ('.') .
  946 
  947 - '-Z': Try to protect customers against common mistakes to avoid your
  948 technical support being busy with stupid issues. Right now, the '-Z' switch
  949 prevents your users from making bad 'chmod' commands, that would deny
  950 access to files/directories to themselves. The switch may turn on other
  951 features in the future. If you are a hosting provider, turn this on.
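
The Stats format described under '-O' above is easy to mis-parse because <file> is unquoted and may contain spaces. The following is an added example, not part of the Pure-FTPd distribution: it splits on the first seven spaces only, totals the sizes per (user, ip) pair, and lists session ids seen with more than one (user, ip) pair, since the session id is not guaranteed to be unique. The sample lines are constructed, and reading <size> as bytes and <duration> as seconds is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Transfer:
    when: datetime      # <date>, converted from the GMT timestamp
    session: str        # <session id>, for statistics only
    user: str
    ip: str
    direction: str      # "U" (upload) or "D" (download)
    size: int           # assumed to be bytes
    duration: float     # assumed to be seconds
    path: str           # <file>, unquoted, may contain spaces


def parse_stats_line(line):
    """Parse one Stats line; return None when the line is malformed."""
    # <file> is always the last element, so split on the first 7 spaces only.
    parts = line.rstrip("\r\n").split(" ", 7)
    if len(parts) != 8 or parts[4] not in ("U", "D") or not parts[7]:
        return None
    try:
        when = datetime.fromtimestamp(int(parts[0]), tz=timezone.utc)
        size, duration = int(parts[5]), float(parts[6])
    except (ValueError, OverflowError, OSError):
        return None
    if size < 0 or duration < 0:
        return None
    return Transfer(when, parts[1], parts[2], parts[3], parts[4],
                    size, duration, parts[7])


def summarise(lines):
    """Return (size totals per (user, ip), ambiguous session ids, rejected count)."""
    totals = defaultdict(lambda: {"U": 0, "D": 0})
    owners = defaultdict(set)
    rejected = 0
    for line in lines:
        transfer = parse_stats_line(line)
        if transfer is None:
            rejected += 1
            continue
        totals[(transfer.user, transfer.ip)][transfer.direction] += transfer.size
        owners[transfer.session].add((transfer.user, transfer.ip))
    # A session id claimed by two different (user, ip) pairs cannot be used
    # as a key: report it instead of merging the records.
    ambiguous = sorted(s for s, who in owners.items() if len(who) > 1)
    return dict(totals), ambiguous, rejected


# Constructed sample lines (session ids, addresses and paths are made up).
SAMPLE = [
    "1553500000 5c98a1e0.8bf jedi 192.0.2.10 D 1048576 12 /pub/XFree86 clients 4.0.3.tar.gz",
    "1553500042 5c98a1e0.8bf jedi 192.0.2.10 U 2048 1 /home/jedi/notes.txt",
    "1553500100 5c98a20a.951 ftp 198.51.100.7 U 734003200 610 /incoming/a b  c.iso",
    "this line is not a transfer record",
    "1553500200 5c98a20a.951 mimi 203.0.113.5 D 512 1 /home/mimi/index.html",
]

if __name__ == "__main__":
    totals, ambiguous, rejected = summarise(SAMPLE)
    for (user, ip), sizes in sorted(totals.items()):
        print(user, ip, "up", sizes["U"], "down", sizes["D"])
    print("ambiguous session ids:", ambiguous, "rejected lines:", rejected)
```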
  952 
  953 If you prefer long options (GNU-style) over standard ones, the following
  954 aliases are available. You can get this list at any time by typing
  955 'pure-ftpd --help' .
  956 
  957 
  958 --(switches sorted by ##standard switches## lexical order)--
  959 
  960 -0  --notruncate
  961 -1  --logpid                <file>
  962 -4  --ipv4only
  963 -6  --ipv6only
  964 -8  --fscharset             <charset>
  965 -9  --clientcharset         <charset>
  966 -a  --trustedgid            <gid>
  967 -A  --chrooteveryone    
  968 -b  --brokenclientscompatibility    
  969 -B  --daemonize 
  970 -c  --maxclientsnumber      <number>
  971 -C  --maxclientsperip       <number>
  972 -d  --verboselog    
  973 -D  --displaydotfiles   
  974 -e  --anonymousonly 
  975 -E  --noanonymous   
  976 -f  --syslogfacility        <facility>
  977 -F  --fortunesfile          <file>
  978 -g  --pidfile               <path to pid file>
  979 -G  --norename
  980 -h  --help  
  981 -H  --dontresolve   
  982 -i  --anonymouscantupload
  983 -I  --maxidletime           <time (min)>
  984 -j  --createhomedir
  985 -J  --tlsciphersuite        <ciphers>
  986 -k  --maxdiskusagepct       <percentage>
  987 -K  --keepallfiles
  988 -l  --login                 <auth> or <auth>:<config file>
  989 -L  --limitrecursion        <number:number>
  990 -m  --maxload               <load>
  991 -M  --anonymouscancreatedirs    
  992 -N  --natmode
  993 -o  --uploadscript
  994 -O  --altlog                <format>:<log file>
  995 -p  --passiveportrange      <minport:maxport>
  996 -P  --forcepassiveip        <ip address>
  997 -q  --anonymousratio        <upload ratio>:<download ratio>
  998 -Q  --userratio             <upload ratio>:<download ratio>
  999 -r  --autorename
 1000 -R  --nochmod
 1001 -s  --antiwarez 
 1002 -S  --bind                  <ip address,port>
 1003 -t  --anonymousbandwidth    <bandwidth (KB/s)>
 1004 -T  --userbandwidth         <bandwidth (KB/s)> or [<up bw>]:[<down bw>]
 1005 -u  --minuid                <uid>
 1006 -U  --umask                 <mask>
 1007 -v  --bonjour               <name>
 1008 -V  --trustedip             <ip address>
 1009 -w  --allowuserfxp  
 1010 -W  --allowanonymousfxp
 1011 -x  --prohibitdotfileswrite 
 1012 -X  --prohibitdotfilesread  
 1013 -y  --peruserlimits         <per user max>:<max anonymous sessions>
 1014 -Y  --tls                   <0:no TLS | 1:TLS+cleartext | 2:enforce TLS |
 1015                              3: enforce encrypted data channel as well>
 1016 -z  --allowdotfiles
 1017 -Z  --customerproof
 1018 
 1019 
 1020 
 1021 --(switches sorted by ##GNU-style long switches## lexical order)--
 1022 
 1023 -W  --allowanonymousfxp
 1024 -z  --allowdotfiles
 1025 -w  --allowuserfxp  
 1026 -O  --altlog                <format>:<log file>
 1027 -t  --anonymousbandwidth    <bandwidth (KB/s)>
 1028 -M  --anonymouscancreatedirs    
 1029 -i  --anonymouscantupload
 1030 -e  --anonymousonly 
 1031 -q  --anonymousratio        <upload ratio>:<download ratio>
 1032 -s  --antiwarez 
 1033 -r  --autorename
 1034 
 1035 -S  --bind                  <ip address,port>
 1036 -b  --brokenclientscompatibility    
 1037 
 1038 -A  --chrooteveryone
 1039 -9  --clientcharset         <charset>
 1040 -j  --createhomedir
 1041 -Z  --customerproof
 1042 
 1043 -B  --daemonize 
 1044 -D  --displaydotfiles   
 1045 -H  --dontresolve   
 1046 
 1047 -Y  --tls                   <0:no TLS | 1:TLS+cleartext | 2:enforce TLS |
 1048                              3:enforce encrypted data channel as well>
 1049 
 1050 -P  --forcepassiveip        <ip address>
 1051 -F  --fortunesfile          <file>
 1052 -8  --fscharset             <charset>
 1053 
 1054 -h  --help  
 1055 
 1056 -4  --ipv4only
 1057 -6  --ipv6only
 1058 
 1059 -K  --keepallfiles
 1060 
 1061 -l  --login                 <auth> or <auth>:<config file>
 1062 -1  --logpid                <file>
 1063 -L  --limitrecursion        <number:number>
 1064 
 1065 -c  --maxclientsnumber      <number>
 1066 -C  --maxclientsperip       <number>
 1067 -k  --maxdiskusagepct       <percentage>
 1068 -I  --maxidletime           <time (min)>
 1069 -m  --maxload               <load>
 1070 -u  --minuid                <uid>
 1071 
 1072 -N  --natmode
 1073 -E  --noanonymous   
 1074 -R  --nochmod
 1075 -G  --norename
 1076 -0  --notruncate
 1077 
 1078 -v  --bonjour               <name>
 1079 
 1080 -p  --passiveportrange      <minport:maxport>
 1081 -y  --peruserlimits         <per user max>:<max anonymous sessions>
 1082 -g  --pidfile               <path to pid file>
 1083 -X  --prohibitdotfilesread  
 1084 -x  --prohibitdotfileswrite 
 1085 
 1086 -f  --syslogfacility        <facility>
 1087 
 1088 -J  --tlsciphersuite        <ciphers>
 1089 -a  --trustedgid            <gid>
 1090 -V  --trustedip             <ip address>
 1091 
 1092 -U  --umask                 <mask>
 1093 -o  --uploadscript
 1094 -T  --userbandwidth         <bandwidth (KB/s)> or [<up bw>]:[<down bw>]
 1095 -Q  --userratio             <upload ratio>:<download ratio>
 1096 
 1097 -d  --verboselog    
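
With the alias table above, any pure-ftpd command line can be normalised to its short switches and compared with the cautions given in the option descriptions. This is an added example, not a tool shipped with Pure-FTPd: the finding names and the selection of checks are this example's own, the argument arity of each switch is copied from the table on this page ('-n' is added by hand because the table omits it; compare with 'pure-ftpd --help' on your build), and the HARDENED and LOOSE command lines are constructed.

```python
import getopt
import shlex

# short=long pairs copied from the alias table; a trailing ':' marks a
# switch that takes a value.
_TABLE = """
0=notruncate 1=logpid: 4=ipv4only 6=ipv6only 8=fscharset: 9=clientcharset:
a=trustedgid: A=chrooteveryone b=brokenclientscompatibility B=daemonize
c=maxclientsnumber: C=maxclientsperip: d=verboselog D=displaydotfiles
e=anonymousonly E=noanonymous f=syslogfacility: F=fortunesfile: g=pidfile:
G=norename h=help H=dontresolve i=anonymouscantupload I=maxidletime:
j=createhomedir J=tlsciphersuite: k=maxdiskusagepct: K=keepallfiles l=login:
L=limitrecursion: m=maxload: M=anonymouscancreatedirs N=natmode o=uploadscript
O=altlog: p=passiveportrange: P=forcepassiveip: q=anonymousratio: Q=userratio:
r=autorename R=nochmod s=antiwarez S=bind: t=anonymousbandwidth:
T=userbandwidth: u=minuid: U=umask: v=bonjour: V=trustedip: w=allowuserfxp
W=allowanonymousfxp x=prohibitdotfileswrite X=prohibitdotfilesread
y=peruserlimits: Y=tls: z=allowdotfiles Z=customerproof
"""

SHORT, LONG, TO_SHORT = "n:", [], {}      # '-n' has no alias in the table
for _pair in _TABLE.split():
    _short, _long = _pair.split("=")
    _takes_value = _long.endswith(":")
    _long = _long.rstrip(":")
    SHORT += _short + (":" if _takes_value else "")
    LONG.append(_long + ("=" if _takes_value else ""))
    TO_SHORT["--" + _long] = "-" + _short


def parse_switches(command_line):
    """Map each short switch on the command line to the list of its values."""
    argv = shlex.split(command_line)[1:]           # drop the program path
    opts, _extra = getopt.getopt(argv, SHORT, LONG)
    seen = {}
    for name, value in opts:
        seen.setdefault(TO_SHORT.get(name, name), []).append(value)
    return seen


def audit(command_line):
    """Return (tag, reason) pairs for settings the README cautions about."""
    s = parse_switches(command_line)
    found = []
    if "-A" in s and "-a" in s:
        found.append(("chroot-conflict", "'-A' and '-a <gid>' are mutually exclusive"))
    if "-A" not in s and "-a" not in s:
        found.append(("no-chroot", "authenticated users are chroot()ed only by per-user '/./' rules"))
    tls = s.get("-Y", ["0"])[-1]                   # '-Y 0' is the default
    if tls in ("0", "1"):
        found.append(("cleartext", "cleartext sessions are accepted (-Y %s)" % tls))
    elif tls == "2":
        found.append(("cleartext-data", "only '-Y 3' also refuses clear data connections"))
    if "-W" in s:
        found.append(("anon-fxp", "FXP is enabled for anonymous users"))
    if "-C" not in s:
        found.append(("no-per-ip-limit", "no '-C' limit on simultaneous connections per IP"))
    if "-d" in s:
        found.append(("debug-log", "debugging messages are sent to syslog"))
    if s.get("-f", [""])[-1] == "none":
        found.append(("no-syslog", "logging is disabled with '-f none'"))
    if "-j" in s:
        found.append(("createhomedir", "'-j' lets the users database create/chown directories"))
    return found


README_EXAMPLE = "/usr/local/sbin/pure-ftpd -y 3:20 -c 15 -C 5 -B"   # from this README
# Constructed command lines:
HARDENED = "/usr/local/sbin/pure-ftpd --chrooteveryone --tls=3 --maxclientsperip 5 --noanonymous -B"
LOOSE = "/usr/local/sbin/pure-ftpd -A -a 50 -Y 1 -W -dd -f none -j"

if __name__ == "__main__":
    for cmd in (README_EXAMPLE, HARDENED, LOOSE):
        print(cmd)
        for tag, reason in audit(cmd):
            print("   %-16s %s" % (tag, reason))
```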
 1098 
 1099 
 1100 ------------------------ SETTING UP AN ANONYMOUS FTP ------------------------
 1101     
 1102     
 1103 If a 'ftp' user exists and its home directory exists, Pure-FTPd will
 1104 accept anonymous login, as 'ftp' or 'anonymous'.
 1105 
 1106 The root directory of the files served when logged as 'anonymous' is
 1107 the home directory of the 'ftp' user.
 1108 
 1109 There's no need for 'bin', 'lib', 'etc' and 'dev' directories, nor any
 1110 external program. Don't chown the public files to 'ftp', just writable
 1111 directories such as 'incoming'.
 1112 
 1113 
 1114     ------------------------ DISPLAYING BANNERS ------------------------
 1115     
 1116 
 1117 If a '.banner' file is located in the 'ftp' user home directory (or in the
 1118 root directory of a virtual server, see below), it will be printed when the
 1119 client logs in. Put a nice ASCII-art logo with your name in that file.
 1120 
 1121 This file shouldn't be larger than 4000 bytes, or it won't be displayed.
 1122 
 1123 In each directory, you may also have a '.message' file. Its content will be
 1124 printed when a client enters the directory. Such a file can contain important
 1125 information ("Don't download version 1.7, it's broken!") .
 1126 
 1127 
 1128     ------------------------ DISPLAYING A COOKIE ------------------------
 1129 
 1130 
 1131 A funny random message can be displayed in the initial login banner. The
 1132 random cookies are extracted from a text file, in the standard "fortune"
 1133 format. If you installed the "fortune" package, you should have a directory
 1134 (usually /usr/share/fortune) with binary files (xxxx.dat) and text files
 1135 (without the .dat extension) . To use Pure-FTPd cookies, just add the name
 1136 of a text file to the '-F' option. For instance:
 1137 
 1138 /usr/local/sbin/pure-ftpd -F /usr/share/fortune/zippy
 1139 
 1140 If you want to have your own fortune files, just create a text file with the
 1141 following structure.
 1142 
 1143 Hello... this is the first fortune...
 1144 %
 1145 Welcome to the real world.
 1146 %
 1147 Follow the white rabbit.
 1148 %
 1149 Have fun...
 1150 Well... lotsa fun!
 1151 %
 1152 Yop is good for you.
 1153 
 1154 Goddit? Fortunes are delimited by a '%' sign on a single line. But a
 1155 fortune itself can be multi-line (see the fourth example) .
 1156 
 1157 For security paranoia, the text file has to be readable by everybody (chmod
 1158 644 the file if necessary), or the server will ignore it.
 1159 
 1160 Of course, the fortune file can contain a single message.
 1161 
 1162 
 1163   ------------------------ PER-USER CHROOT() RULES ------------------------
 1164 
 1165 
 1166 Apart from the "-a" flag, Pure-FTPd has another way to fine-tune chroot()
 1167 rules. Let's take an /etc/passwd entry:
 1168 
 1169 mimi:x:501:100:Mimi:/home/mimi:/bin/zsh
 1170 
 1171 Without any special rule, mimi will be able to log in and to retrieve any
 1172 public-readable file in the filesystem. Now, let's change a bit of its home
 1173 directory:
 1174 
 1175 mimi:x:501:100:Mimi:/home/mimi/./:/bin/zsh
 1176 
 1177 So what? Mimi's home directory is still the same and common applications
 1178 shouldn't notice any difference. But Pure-FTPd understands "chroot() until
 1179 /./". So when mimi next carries out an FTP login, only the /home/mimi
 1180 directory will be reachable, not the whole filesystem. If you don't like the
 1181 "-a" and its trusted gid thing, this is a good way to only chroot() some
 1182 users. Another trick is to add something after "/./":
 1183 
 1184 mimi:x:501:100:Mimi:/home/mimi/./public_html:/bin/zsh
 1185 
 1186 When Mimi logs in, two things will happen:
 1187 - chroot("/home/mimi") so that Mimi can't see anything but her home directory.
 1188 - chdir("public_html") so the session will start in the public_html
 1189 directory. "cd .." is still allowed, though.
 1190 That "url-style" handling is especially handy for FTP-only users (ie.
 1191 without shell access) .
 1192 
 1193 If a user is chrooted with the /./ trick *and* belongs to the trusted group
 1194 (-a) he *will* be chrooted, but he will have no ratio and will be allowed to
 1195 access dot files.
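
The rules of this section, combined with '-A', '-a <gid>' and '-u <uid>', decide what each account can reach over FTP. The following added example (not code from Pure-FTPd) evaluates /etc/passwd entries the way the text describes and lists the accounts that are not chroot()ed. Cutting the home field at the first "/./", looking only at the primary gid of the entry, and the 'lulu' and 'ops' entries are assumptions of this example.

```python
import posixpath


def split_home(home):
    """Split a passwd home field at the first "/./" marker.

    Returns (chroot_dir, start_dir); chroot_dir is None without a marker.
    start_dir is then expressed relative to the chroot()ed root.
    """
    head, marker, tail = home.partition("/./")
    if not marker:
        return None, posixpath.normpath(home)
    chroot_dir = posixpath.normpath(head or "/")
    start_dir = posixpath.normpath("/" + tail.lstrip("/"))
    return chroot_dir, start_dir


def confinement(passwd_line, chroot_everyone=False, trusted_gid=None, min_uid=0):
    """Describe the FTP view of one passwd entry.

    chroot_everyone models '-A', trusted_gid models '-a <gid>' (the two are
    mutually exclusive) and min_uid models '-u <uid>'.
    """
    name, _pw, uid, gid, _gecos, home, _shell = passwd_line.strip().split(":")
    uid, gid = int(uid), int(gid)
    trusted = trusted_gid is not None and gid == trusted_gid
    if uid < min_uid:
        return {"user": name, "login": False, "chroot": None,
                "start": None, "trusted": trusted}
    marked_root, start = split_home(home)
    if uid == 0:
        root = None                       # root always has full access
    elif marked_root is not None:
        root = marked_root                # "/./" applies even to trusted users
    elif chroot_everyone or (trusted_gid is not None and not trusted):
        root, start = posixpath.normpath(home), "/"
    else:
        root = None
    if root is None:
        start = posixpath.normpath(home)  # session starts in the real home
    return {"user": name, "login": True, "chroot": root,
            "start": start, "trusted": trusted}


def unconfined(passwd_lines, **switches):
    """Names of accounts that may log in and see the whole filesystem."""
    views = (confinement(line, **switches)
             for line in passwd_lines
             if line.strip() and not line.startswith("#"))
    return [v["user"] for v in views if v["login"] and v["chroot"] is None]


PASSWD = [
    "root:x:0:0:root:/root:/bin/sh",                            # constructed
    "mimi:x:501:100:Mimi:/home/mimi:/bin/zsh",                  # from this README
    "lulu:x:502:100:Lulu:/home/lulu/./public_html:/bin/false",  # constructed
    "ops:x:503:50:Ops:/home/ops:/bin/zsh",                      # constructed
]

if __name__ == "__main__":
    print("no switches   :", unconfined(PASSWD))
    print("-u 1          :", unconfined(PASSWD, min_uid=1))
    print("-a 50 -u 1    :", unconfined(PASSWD, trusted_gid=50, min_uid=1))
    print("-A            :", unconfined(PASSWD, chroot_everyone=True))
```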
 1196 
 1197 
 1198          ------------------------ RATIOS ------------------------
 1199 
 1200 
 1201 If you want to force people to upload new files before being able to
 1202 download other files, ratios are for you. It's a very good way to get lotsa
 1203 fresh stuff on a public FTP server and a must for warez traders. I don't
 1204 like that kind of business, but well... Pure-FTPd has to be designed to
 1205 please everybody.
 1206 
 1207 To enable ratios, just use the '-q' option, followed by the upload:download
 1208 ratio:
 1209 
 1210                                    -q 2:5
 1211                                    
 1212 ...means that an anonymous user has to upload at least 2 Mb of goodies to be
 1213 able to download 5 Mb.
 1214 
 1215 If ratios should apply to everyone (anon and non-anon), use the '-Q' option
 1216 the same way.
 1217 
 1218 Note: 'root' never has ratios. Neither have users of the trusted group when
 1219 '-Q' is used with the '-a' or '-A' option.
 1220 
 1221 
 1222    ------------------------ BANDWIDTH THROTTLING ------------------------
 1223 
 1224 
 1225 Pure-FTPd has an interesting built-in feature: simple bandwidth throttling.
 1226 
 1227 * You want to limit FTP throughput so that uploading and downloading files
 1228 through that protocol can't fill up your network bandwidth.
 1229 
 1230 -> Compile Pure-FTPd with --with-throttling
 1231 -> Run it with the '-T' flag, followed by a number. That number is the
 1232 maximum bandwidth a user can use in a session, in kilobytes/seconds.
 1233 
 1234 * You want to allow less bandwidth to your anonymous users than your
 1235 authenticated ones. So that during a bandwidth starvation, real users can
 1236 still upload/download properly.
 1237 
 1238 -> Compile Pure-FTPd with --with-throttling
 1239 -> Run it with the '-t' flag, followed by a number.
 1240 
 1241 Example:
 1242 
 1243 /usr/local/sbin/pure-ftpd -t 64
 1244 
 1245 And uploading/downloading files can't take more than 64 KB/sec whatever real
 1246 bandwidth you have.
 1247 
 1248 * It is possible to have different bandwidth limits for uploads and for
 1249 downloads. '-t' and '-T' can indeed be followed by two numbers delimited by
 1250 a colon (':') . The first number is the upload bandwidth and the next one
 1251 applies only to downloads. One of them can be left blank which means infinity.
 1252 
 1253 Example 1: 256 KB/s for uploads, 64 KB/s for downloads
 1254 
 1255 /usr/local/sbin/pure-ftpd -t 256:64
 1256 
 1257 Example 2: 256 KB/s for uploads, no limit for downloads
 1258 
 1259 /usr/local/sbin/pure-ftpd -t 256:
 1260 
 1261 Example 3: no limit for uploads, 64 KB/s for downloads
 1262 
 1263 /usr/local/sbin/pure-ftpd -t:64
 1264 
 1265 With no colon, the value applies to both, so '-t 64' is an alias for
 1266 '-t 64:64' .
 1267 
 1268 * When Pure-FTPd serves a session with restricted bandwidth, it decreases
 1269 its process priority to 10. So, '-t 0' makes sense: during a CPU
 1270 starvation, authenticated sessions may be more responsive than anonymous
 1271 ones. '-T 0' is quite useless, but it also works and it will always be nice to
 1272 the server process.
 1273 
 1274 * If you need advanced bandwidth management, have a look at your kernel
 1275 Q.O.S. abilities.
 1276 
 1277 
 1278       ------------------------ VIRTUAL SERVERS ------------------------
 1279 
 1280 
 1281 Using Virtual servers is a convenient way of hosting several FTP sites on the same
 1282 computer. Let's say, you got two customers. The former owns the 'cgx.org'
 1283 domain name, while the latter owns the 'example.com' domain name. Both are
 1284 hosted on the same computer, but they don't want to share the same files.
 1285 ftp://ftp.cgx.org/ should show different content than ftp://ftp.example.com/
 1286 .
 1287 
 1288 The FTP protocol doesn't allow name-based selection. So, if you want to host
 1289 <N> different virtual FTP servers on the same host and keep the standard port,
 1290 you need <N> different IP addresses. Yes, Sir. Or use HTTP.
 1291 
 1292 Assign the needed IP addresses to your network adapter (with "ifconfig eth0:x
 1293 ..." or "ip addr add dev eth0 a.b.c.d").
 1294 
 1295 Now, create a /etc/pure-ftpd directory if it doesn't exist:
 1296 
 1297 mkdir /etc/pure-ftpd
 1298 
 1299 To add a virtual FTP server, you only need to create a symbolic link in
 1300 /etc/pure-ftpd/ from the virtual host IP to the directory that contains the
 1301 files for that virtual host.
 1302 
 1303 Example:
 1304 
 1305 ln -s /home/customers/example.com/ftp /etc/pure-ftpd/216.226.17.77
 1306 ln -s /home/customers/cgx.org/ftp    /etc/pure-ftpd/212.73.209.252
 1307 
 1308 Done! Put the CGX files in /home/customers/cgx.org/ftp/ and the Example
 1309 files in /home/customers/example.com/ftp/ .
 1310 
 1311 With that feature, every account on the server can have its own public
 1312 anonymous FTP area. If you are providing hosting services, this is a nice
 1313 feature for your customers.
 1314 
 1315 * WARNING *: it also means that your customers can create "incoming"
 1316 directories with 1777 permissions. It can be nice, but it can also fill up
 1317 your disk with warez. You can stop uploads for anonymous users with the
 1318 '-i' (or --anonymouscantupload) option.
 1319 
 1320 By default, all IP addresses assigned to your server can be accessed by real
 1321 or anonymous users. You can restrict this with -e (only anonymous) or -E
 1322 (only real) .
 1323 
 1324 A more flexible way is to use '-V <ip address>' to define a "trusted" IP
 1325 address. When a client connects to that trusted IP, anonymous and real
 1326 logins are permitted. But on all other IPs, only anonymous users are permitted.
 1327 
 1328 If you are a hosting service provider and if each customer has its own IP
 1329 address, it may be a nice idea to have a trusted IP you give to all your
 1330 customers, so that they can manage the files in their account. That IP is
 1331 the same for all customers. You can easily restrict access to that IP with
 1332 firewall rules if your customers have static IP addresses.
 1333 Use '-V <trusted ip>' and link /etc/pure-ftpd/<customer ip> to
 1334 ~customer/ftp . Every customer will have his own *anonymous only* FTP
 1335 server and hackers will have to find the trusted IP to get in.
 1336 
 1337 
 1338        ------------------------ IPv6 SUPPORT ------------------------
 1339 
 1340 
 1341 Pure-FTPd has full IPv6 support (native IPv6 addresses and 4-in-6
 1342 addresses). But use a super-server that also understands the IPv6 protocol,
 1343 like Rlinetd or Xinetd. Recent versions of Inetd should also be ok
 1344 (unverified). IPv6 is supported everywhere: logging, configuration
 1345 switches, virtual hosts, protocol (EPSV/EPRT support), name resolution...
 1346 
 1347 
 1348              --------------------- LOGGING ---------------------
 1349 
 1350 
 1351 Log messages are sent to the syslog daemon. You can disable logging with
 1352 '-f none'.
 1353 If you want all FTP messages to be redirected to a file, say /var/log/ftp,
 1354 add this line to your /etc/syslog.conf file:
 1355 
 1356 ftp.*   /var/log/ftp
 1357 
 1358 Then restart your syslogd daemon:
 1359 
 1360 pkill -HUP -x syslogd
 1361 
 1362 You can also drop your old "syslogd" and "klogd" programs for Metalog, an
 1363 efficient alternative: http://metalog.sourceforge.net/
 1364 
 1365 Names of uploaded/downloaded files are logged with paths like this:
 1366 
 1367                            /home/ftp//pub/bla.jpg
 1368                            
 1369 The double-slash ('//') is the chroot limit.
 1370 
 1371 
 1372     --------------------- WATCHING CURRENT SESSIONS ---------------------
 1373 
 1374 
 1375 Since 0.97.7, you can type 'pure-ftpwho' at any time to watch current active
 1376 sessions.
 1377 
 1378 If typing 'pure-ftpwho' answers 'Command not found', you have to add
 1379 /usr/local/sbin to your PATH environment variable.
 1380 
 1381 The default output looks like this:
 1382 
 1383 +------+---------+-------+------+-------------------------------------------+
 1384 | PID  |  Login  |For/Spd| What |                 File/IP                   |
 1385 +------+---------+-------+------+-------------------------------------------+
 1386 | 2239 | jedi    | 00:17 |  D/L | XFree86-clients-4.0.3.tar.gz              |
 1387 |  ''  |    ''   |  41K/s|  33% | ->                     nestea.funboard.de |
 1388 +------+---------+-------+------+-------------------------------------------+
 1389 | 2385 | ftp     | 00:02 | IDLE |                                           |
 1390 |  ''  |    ''   |       |      | ->                     gw2.crn.kjop.co.uk |
 1391 +------+---------+-------+------+-------------------------------------------+
 1392 
 1393 'D/L' means that the client is downloading and 'U/L' means he's uploading
 1394 some file whose name is shown in the next column. '33%' is the real-time
 1395 completion of the current operation. '41K/s' is the bandwidth used by the
 1396 client. You can track down who's starving your bandwidth with this.
 1397 
 1398 The 'pure-ftpwho' command accepts interesting options:
 1399 
 1400 '-c': the program is called via a web server (CGI interface) . Output is a
 1401 full HTML page with the initial content-type header. This option is
 1402 automatically enabled if an environment variable called GATEWAY_INTERFACE is
 1403 found. This is the default if you can access the program from a CGI-enabled web
 1404 server (Apache, Roxen, Caudium, WN, ...) .
 1405 
 1406 '-h': show command-line options summary.
 1407 
 1408 '-n': don't resolve host names and only show IP addresses (faster).
 1409 
 1410 '-s': output an easily parsable format for shell scripts (but not very user
 1411 friendly) . 
 1412 There's only one line per client, with only numeric data, delimited by a '|'
 1413 character. It's not very human-readable, but it's designed for easy parsing by
 1414 shell scripts (cut/sed) . '|' characters in user names or file names are
 1415 quoted ('|' becomes '\|') .
 1416 
 1417 Type 'pure-ftpwho -h' to check the format. 
 1418 
 1419 '-w': output a complete HTML page (web mode).
 1420 
 1421 '-W': output an HTML page with no header and no footer. This is an embedded
 1422 mode, suitable for inline calls from CGI, SSI or PHP scripts.
 1423 
 1424 '-x': output well-formed XML data for post-processing. This is the most
 1425 accurate mode. Time is in seconds and file sizes are in bytes (in other
 1426 output formats, sizes are in kbytes for easier readability) .
 1427 
 1428 '-v': verbose output in text mode. Additional info includes the size of
 1429 files being downloaded/uploaded, the local IP or local host name and the
 1430 connection port. This is especially useful for virtual hosts. Here's a
 1431 sample output of 'pure-ftpwho -v':
 1432 
 1433 +------+---------+-------+------+-------------------------------------------+
 1434 | PID  |  Login  |For/Spd| What |     File/Remote IP/Size(Kb)/Local IP      |
 1435 +------+---------+-------+------+-------------------------------------------+
 1436 | 9086 | j       | 00:04 |  DL  | linux-2.4.4.tar.bz2                       |
 1437 |  ''  |    ''   |  22K/s|  27% | ->                              localhost |
 1438 |  ''  |    ''   |       |      | Total size:    20859 Transferred:     5632 |
 1439 |  ''  |    ''   |       |      | <-                        localhost:21    |
 1440 +------+---------+-------+------+-------------------------------------------+
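
The '-s' format described above quotes '|' as '\|' inside user names and file names, and both are chosen by the client, so a plain `cut -d'|'` shifts columns on such a name. The following added example (not code from the Pure-FTPd package) splits a line on unquoted pipes only; it handles just the quoting rule stated here, and the field order of the sample line is constructed, so check 'pure-ftpwho -h' for the real layout.

```sh
#!/bin/sh
# Added example (not from the Pure-FTPd package): split one line of
# 'pure-ftpwho -s' output into fields, undoing the '\|' quoting.

# Print each field of LINE on its own line.
# The line is fed to awk on stdin, not with -v, because awk would interpret
# backslash sequences in a -v value and corrupt the quoting.
ftpwho_split() {
    printf '%s\n' "$1" | awk '{
        out = ""
        n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (c == "\\" && substr($0, i + 1, 1) == "|") {
                out = out "|"      # quoted pipe: part of the value
                i++
            } else if (c == "|") {
                print out          # unquoted pipe: field boundary
                out = ""
            } else {
                out = out c
            }
        }
        print out
    }'
}

# Print field number N (1-based) of LINE.
ftpwho_field() {
    ftpwho_split "$2" | sed -n "${1}p"
}

# Print the number of fields in LINE, so a caller can reject lines whose
# field count differs from the layout shown by 'pure-ftpwho -h'.
ftpwho_nfields() {
    ftpwho_split "$1" | awk 'END { print NR }'
}

# Constructed sample line with a hypothetical field order; the file name
# contains a '|' that the server quoted as '\|'.
SAMPLE='2239|jedi|17|DL|/pub/a\|b.tar.gz|192.0.2.10'

if [ "${1:-}" = demo ]; then
    echo "naive cut : $(printf '%s\n' "$SAMPLE" | cut -d'|' -f5)"
    echo "unquoted  : $(ftpwho_field 5 "$SAMPLE")"
fi
```

Run with the argument 'demo' to see the naive and the quote-aware result side by side.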
 1441 
 1442 
 1443       ------------------------ AFTER AN UPLOAD ------------------------
 1444 
 1445 
 1446 After an upload, any external program or shell script can be spawned with the
 1447 name of the newly uploaded file as an argument. You can use that feature to
 1448 automatically send a mail when a new file arrives. Or you can pass it to a
 1449 moderation system, an anti-virus, an MD5 signature generator or whatever you
 1450 decide can be done with a file.
 1451 
 1452 To support this, the server has to be configured --with-uploadscript at
 1453 compilation time. Upload scripts won't be spawned on unreadable directories.
 1454 So it's highly recommended to use upload scripts with the --customerproof
 1455 run-time option and without unreadable parent directories.
 1456 To tell the FTP server to use upload scripts, it has to be launched with the
 1457 '-o' option. Finally, you have to run another daemon called 'pure-uploadscript'
 1458 provided by this package.
 1459 
 1460 IMPORTANT:
 1461 
 1462 YOU MUST START PURE-FTPD _FIRST_ and _THEN_ START PURE-UPLOADSCRIPT.
 1463 THE REVERSE ORDER WON'T WORK.
 1464 
 1465 For security purposes, the server never launches any external program. That's
 1466 why there is a separate daemon, that reads new uploads pushed into a named
 1467 pipe by the server. Uploads are processed synchronously and sequentially.
 1468 That's why on loaded or untrusted servers, it might be a bad idea to use
 1469 pure-uploadscript with lengthy or cpu-intensive scripts.
 1470 
 1471 The easiest way to run pure-uploadscript is 'pure-uploadscript -r <script>':
 1472 
 1473 /usr/local/sbin/pure-uploadscript -r /bin/antivirus.sh
 1474 
 1475 The absolute path of the newly uploaded file is passed as a first argument.
 1476 Some environment variables are also filled with interesting values:
 1477 
 1478 - UPLOAD_SIZE  : the size of the file, in bytes.
 1479 - UPLOAD_PERMS : the permissions, as an octal value.
 1480 - UPLOAD_UID   : the uid of the owner.
 1481 - UPLOAD_GID   : the group the file belongs to.
 1482 - UPLOAD_USER  : the name of the owner.
 1483 - UPLOAD_GROUP : the group name the file belongs to.
 1484 - UPLOAD_VUSER : the full user name, or the virtual user name. (127 chars max)
 1485 
 1486 There are also some options to "pure-uploadscript":
 1487 
 1488 - '-u <uid>' and '-g <gid>' to switch the account pure-uploadscript will run
 1489 as. The script will be spawned with the same identity.
 1490 
 1491 - '-B' to fork in background.
 1492 
 1493 Please have a look at the man page ('man pure-uploadscript') for additional
 1494 info.
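
A handler for 'pure-uploadscript -r', as an added example that is not part of the Pure-FTPd package: it records a digest of each upload while treating the path and UPLOAD_VUSER as client-controlled input. It uses SHA-256 rather than the MD5 mentioned above; LOG_FILE and MAX_HASH_BYTES are assumptions of this example, and the size cap keeps each run short because uploads are processed one after another.

```sh
#!/bin/sh
# Added example (not part of Pure-FTPd): handler for
#   pure-uploadscript -r /path/to/this-script
# LOG_FILE and MAX_HASH_BYTES are assumptions of this example.
LOG_FILE=${LOG_FILE:-/var/log/ftp-uploads.log}
MAX_HASH_BYTES=${MAX_HASH_BYTES:-104857600}   # skip hashing above 100 MiB

# File names and virtual user names are chosen by the client. Replace every
# non-printable byte (newlines included) so a name cannot forge log lines.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

is_decimal() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hash from stdin so the file name is never parsed as an option or echoed
# back by the tool.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# Print one log record for the upload at absolute path $1, or fail.
upload_record() {
    path=$1
    case $path in
        /*) ;;
        *) echo "rejected: path is not absolute" >&2; return 1 ;;
    esac
    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "rejected: not a regular file" >&2; return 1
    fi
    if ! is_decimal "${UPLOAD_SIZE:-}"; then
        echo "rejected: UPLOAD_SIZE is not a number" >&2; return 1
    fi
    # Uploads are handled one at a time, so keep the work bounded: large
    # files are recorded without a digest.
    if [ "$UPLOAD_SIZE" -gt "$MAX_HASH_BYTES" ]; then
        digest=skipped
    else
        digest=$(sha256_of "$path")
    fi
    printf 'sha256=%s size=%s vuser=%s path=%s\n' "$digest" "$UPLOAD_SIZE" \
        "$(sanitize "${UPLOAD_VUSER:-}")" "$(sanitize "$path")"
}

# pure-uploadscript passes the path as the first argument.
if [ "$#" -gt 0 ]; then
    upload_record "$1" >> "$LOG_FILE"
fi
```

The path field is written last so that spaces in a file name do not shift the other fields.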
 1495 
 1496 
 1497     ------------------------ LISTING DIRECTORIES ------------------------
 1498 
 1499 
 1500 The built-in 'ls' supports all common options of a regular 'ls' command.
 1501 Here are the ones you should know for a better life with FTP:
 1502 
 1503 - '-l': verbose listing, reporting dates, owners, perms and sizes.
 1504 - '-a': also lists files and directories beginning with a dot.
 1505 - '-F': adds a '/' after directory names.
 1506 - '-d': list the directory itself, not its content.
 1507 - '-R': recursive listing.
 1508 - '-S': sort by size.
 1509 - '-t': sort by date.
 1510 - '-r': reverse the sorting order.
 1511 
 1512 If you aren't very familiar with Unix, log in to your FTP server and try
 1513 these variants:
 1514 
 1515 ls
 1516 ls -F
 1517 ls -l
 1518 ls -la
 1519 ls -lR
 1520 ls -Sl
 1521 ls -Slr
 1522 ls -tl
 1523 ls -tlr
 1524 
 1525 Globbing is also supported. So if you are looking for a GNOME RPM in
 1526 <I don't know the directory name>/gnome-xxxxxxxx.rpm , you can find it that
 1527 way:
 1528 
 1529 ls */gnome*.rpm
 1530 
 1531 
 1532       ------------------------ VIRTUAL QUOTAS ------------------------
 1533 
 1534 
 1535 With virtual quotas, you can restrict the maximum number of files and the
 1536 total size of a user directory.
 1537 
 1538 These quotas are "virtual" because they aren't handled at kernel-level, but
 1539 by the FTP server itself. There are some advantages over kernel quotas:
 1540 
 1541 - Virtual quotas are specific to the FTP server. You can have different
 1542 system quotas to handle other files (eg. mail) on the same partition.
 1543 
 1544 - You can have different virtual quotas for every user, even if they share
 1545 the same system uid.
 1546 
 1547 - Virtual quotas are working even on filesystems that don't support system
 1548 quotas.
 1549 
 1550 However, virtual quotas are slower and can't be as reliable as kernel quotas,
 1551 so don't trust them ultimately: there are probably races that allow bypassing
 1552 them. Also, the filesystem that user directories are on must properly support
 1553 file locking.
 1554 
 1555 Virtual quotas are implemented in Pure-FTPd as simple files called
 1556 ".ftpquota", located in the home directory of chrooted users. This file only
 1557 contains two numbers: the current number of files for this user and the
 1558 total size of the directory (+ its subdirectories), in bytes. When a new
 1559 file is uploaded, these numbers grow. When a file is deleted, these numbers
 1560 get smaller. Simple. Of course, when virtual quotas are enabled for one
 1561 user, that user must be 1) chrooted, 2) not allowed to write quota files, 3)
 1562 not allowed to forbid access to some directories to fool the counter.
 1563 
 1564 Quotas can be enabled for all users with the -n (--quotas) option. This
 1565 option is followed by the max number of files and the max size (in Megabytes).
 1566 Every user will have the same quota. Exception: members of the trusted
 1567 group, if -a is enabled.
 1568 
 1569 You can also have different quotas for every user if you use PureDB or SQL
 1570 databases. See the "README.Virtual-Users" file for more info about PureDB
 1571 databases.
 1572 
 1573 So, if you want 1000 files max and 10 Mb max for all your customers, run
 1574 the server like this:
 1575 
 1576 /usr/local/sbin/pure-ftpd -n 1000:10
 1577 
 1578 ".ftpquota" files are created on demand when they are missing. However, when
 1579 they are created, the server assumes that the account was empty. If this is
 1580 not the case, you must run the "pure-quotacheck" utility to create an
 1581 initial ".ftpquota" file.
 1582 
 1583 "pure-quotacheck" is a tool that computes the size and the number of files
 1584 in a directory and creates a ".ftpquota" file with this info.
 1585 
 1586 The syntax is:
 1587 
 1588 pure-quotacheck -u username/uid -d home directory [-g group/gid]
 1589 
 1590 For instance, if you want to summarize usage for the /home/ftpusers/john
 1591 directory, whose files are owned by the "ftpusers" system account, just run:
 1592 
 1593 pure-quotacheck -u ftpusers -d /home/ftpusers/john
 1594 
 1595 You can run pure-quotacheck whenever you want, even when ".ftpquota" files
 1596 are already there. It is even a good idea to run it for all users from
 1597 crontab, so that stored quotas are always exact, even if something went wrong
 1598 (server bug, filesystem corruption, savagely killed server, etc).
 1599 
 1600 
 1601       ------------------------ AUTHENTICATION ------------------------
 1602 
 1603 
 1604 Pure-FTPd supports multiple methods of authentication. To use a method, you
 1605 must have it compiled in (check the ./configure options) .
 1606 
 1607 - To use Unix authentication (the traditional /etc/passwd file), add the
 1608 following option when you run the server:
 1609 
 1610                                    -l unix
 1611 
 1612 
 1613 - To use PAM authentication, add this:
 1614 
 1615                                    -l pam
 1616                                    
 1617                                    
 1618 - To use PureDB (virtual users), add this:
 1619 
 1620                      -l puredb:/path/to/puredb_database
 1621 
 1622 (read README.Virtual-Users for more info about PureDB indexed files)
 1623 
 1624 
 1625 - To use LDAP directories, add this:
 1626 
 1627                       -l ldap:/path/to/ldap_config_file
 1628 
 1629 (read README.LDAP for more info about LDAP directories)
 1630 
 1631 
 1632 - To use MySQL databases, add this:
 1633 
 1634                      -l mysql:/path/to/mysql_config_file
 1635 
 1636 (read README.MySQL for more info about MySQL databases)
 1637 
 1638 - To use Postgres databases, add this:
 1639 
 1640                      -l pgsql:/path/to/postgres_config_file
 1641 
 1642 (read README.PGSQL for more info about Postgres databases)
 1643 
 1644 - To use external authentication handlers (with pure-authd), use:
 1645 
 1646                      -l extauth:/path/to/authd/socket
 1647 
 1648 (read README.Authentication-Modules for more info about external
 1649 authentication)
 1650 
 1651 
 1652 Multiple authentication methods can be chained. For instance, you can run the
 1653 server like this:
 1654 
 1655 /usr/local/sbin/pure-ftpd -lldap:/etc/pureftpd-ldap.conf      \
 1656                           -lpuredb:/etc/pureftpd.pdb -lunix
 1657 
 1658 Every method is tried in order. With the previous command line, an LDAP
 1659 directory is probed first. If a user isn't found in the directory, a
 1660 PureDB database is scanned for the same user name. If that user is still not
 1661 found, /etc/passwd is scanned.
 1662 
 1663 If the user is found in the LDAP directory, but the given password is wrong,
 1664 further authentication methods are skipped.
 1665 
 1666 If you don't specify any -l option, PAM is assumed by default if the server
 1667 is compiled with PAM support and Unix is assumed by default otherwise.
 1668 
 1669 
 1670      ------------------------ DIRECTORY ALIASES ------------------------
 1671 
 1672 
 1673 Directory aliases provide "shortcuts" for the "cd" command. For instance,
 1674 if you define an alias called "pictures" for "/usr/misc/pictures", when a
 1675 user types "cd pictures" and no real "pictures" directory exists, he
 1676 will be automatically redirected to "/usr/misc/pictures". Unlike symbolic
 1677 links, "cd pictures" will work from any directory. Tildes are *not* expanded.
 1678 
 1679 A user can get the list of available aliases with the following command:
 1680 
 1681 SITE ALIAS
 1682 
 1683 To support that feature, the server must be compiled with --with-diraliases
 1684 passed to ./configure .
 1685 
 1686 To define alias/directory pairs, you must create a file called
 1687 /etc/pureftpd-dir-aliases, whose format is:
 1688 
 1689 Alternating lines of alias and dir
 1690 (this enables embedded whitespace in dir and alias without quoting rules)
 1691 Optional blank lines
 1692 Optional lines beginning with '#' as comments
 1693 (no you can't put a '#' just anywhere)
 1694 
 1695 Example:
 1696 
 1697 pictures
 1698 /usr/misc/pictures
 1699 
 1700 sources
 1701 /usr/src
 1702 
 1703 # This is for the OpenBSD port tree
 1704 pureftpd-port
 1705 /usr/ports/net/pure-ftpd
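
Because the alias file has no separator other than line order, one missing or extra line silently turns every following directory into an alias name. The following added example (not part of the Pure-FTPd package) reads a file in the format described above and reports pairs that have slipped; treating only completely empty lines as blank and requiring absolute directory paths are assumptions of this example.

```sh
#!/bin/sh
# Added example (not part of Pure-FTPd): review a directory-alias file.
# Assumption: only completely empty lines count as "blank".

# Print "alias -> directory" for each pair and "ERROR: ..." for each problem.
# Returns non-zero if any problem was found.
check_dir_aliases() {
    file=$1
    pending=''      # alias waiting for its directory line
    lineno=0
    errors=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '' | '#'*) continue ;;          # blank line or comment
        esac
        if [ -z "$pending" ]; then
            pending=$line
            continue
        fi
        case $line in
            /*)
                printf '%s -> %s\n' "$pending" "$line" ;;
            '~'*)
                printf 'ERROR: line %s: "%s" starts with a tilde, which is not expanded\n' \
                    "$lineno" "$line"
                errors=$((errors + 1)) ;;
            *)
                printf 'ERROR: line %s: "%s" is not an absolute path; a line may be missing above\n' \
                    "$lineno" "$line"
                errors=$((errors + 1)) ;;
        esac
        pending=''
    done < "$file"
    if [ -n "$pending" ]; then
        printf 'ERROR: alias "%s" has no directory line\n' "$pending"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Usage: this-script /etc/pureftpd-dir-aliases
if [ "$#" -gt 0 ]; then
    check_dir_aliases "$1"
fi
```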
 1706 
 1707 
 1708     ------------------------ PRIVILEGE SEPARATION ------------------------
 1709 
 1710 
 1711 When privilege separation is enabled, each session will spawn two processes:
 1712 a "privileged" process running as root, but that can only do very basic
 1713 and trusted actions (binding a port and removing the ftpwho scoreboard) and
 1714 the "client" process. The "client" process permanently revokes all privileges
 1715 after authentication and chroot() and occasionally communicates with the
 1716 parent over a private channel.
 1717 
 1718 Privilege separation decreases performance of loaded servers, but it
 1719 increases security and reliability. Enabling it is recommended.
 1720 
 1721 Some old broken operating systems may allow the ptrace() system call on
 1722 processes that revoked privileges. On these platforms, enabling privilege
 1723 separation is a bad idea if untrusted users also have shell access. Use the
 1724 src/ptracetest program to check this. At least Solaris, ISOS, MirBSD,
 1725 OpenBSD, DragonflyBSD, FreeBSD and Linux are known to be safe.
 1726 
 1727 
 1728     ------------------------ CHARSETS (RFC2640) ------------------------
 1729         
 1730 
 1731 Since version 1.0.21, pure-ftpd has *experimental* support for charset
 1732 conversion. The server filesystem can use a different charset than the
 1733 charset assumed by clients, and pure-ftpd translates file names through the
 1734 iconv library.
 1735 
 1736 Some modern clients like lftp will also try to use UTF-8 if the server
 1737 supports it.
 1738 
 1739 Thus, charset conversion can be very useful when dealing with file names
 1740 containing non-English characters.
 1741 
 1742 In order to support this, pure-ftpd has to be compiled with:
 1743 
 1744 ./configure ... --with-rfc2640
 1745 
 1746 This is not supported by default because it requires libiconv.
 1747 
 1748 Then the server has to be started with --fscharset=<charset>. Replace
 1749 <charset> with the charset of the server's filesystem. For instance:
 1750 
 1751 /usr/local/sbin/pure-ftpd --fscharset=ISO-8859-15
 1752 
 1753 This is often enough to properly work with UTF-8 capable clients.
 1754 
 1755 But optionally, you can specify the default charset for clients, with
 1756 --clientcharset:
 1757 
 1758 /usr/local/sbin/pure-ftpd --fscharset=iso-8859-15 --clientcharset=big5
 1759 
 1760 
 1761  ------------------------ OPTIMIZING FOR HIGH LOAD ------------------------
 1762 
 1763 
 1764 If you are going to use Pure-FTPd on a highly loaded server, here are some
 1765 hints to get the best performance:
 1766 
 1767 - Compile with:
 1768 
 1769 env CFLAGS="-O2 -fomit-frame-pointer -fgcse -Os" ./configure --with-minimal --without-inetd --without-pam
 1770 make install-strip
 1771 
 1772 - Run it in standalone mode. Don't use -C, don't enable pure-ftpwho nor
 1773 pure-uploadscript (-o), nor per-user limits (-y) .
 1774 
 1775 - Increase your system max descriptors number and local port range. On a
 1776 Linux kernel, you can try:
 1777 
 1778 echo 2000 > /proc/sys/fs/super-max
 1779 echo 60000 > /proc/sys/fs/file-max
 1780 ulimit -n 60000
 1781 echo 30000 65534 > /proc/sys/net/ipv4/ip_local_port_range
 1782 
 1783 - On a Linux kernel, disable syncookies, ecn, timestamps and window scaling:
 1784 
 1785 echo 0 > /proc/sys/net/ipv4/tcp_syncookies
 1786 echo 0 > /proc/sys/net/ipv4/tcp_ecn
 1787 echo 0 > /proc/sys/net/ipv4/tcp_timestamps
 1788 echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
 1789 
 1790 - Disable access time update on your mounted filesystems. On a Linux system,
 1791 just add 'noatime,nodiratime' for each mount point in your /etc/fstab file.
 1792 
 1793 - Disable syslog output and DNS lookups. Run it with:
 1794 
 1795 /usr/local/sbin/pure-ftpd -f none -H
 1796 
 1797 
 1798 For FreeBSD, DJ_Oggy recommends the following setting:
 1799 
 1800 >>> QUOTE:
 1801 
 1802 Drop into single user mode (do a shutdown now or boot -s) and enter
 1803 
 1804 tunefs -n enable <filesystem>
 1805 
 1806 I suggest / /usr /var
 1807 
 1808 In /etc/fstab add ",noatime" to the options of all filesystems.
 1809 
 1810 In /boot/loader.conf add the following:
 1811 
 1812 hw.ata.wc="1"
 1813 kern.ipc.nmbclusters="60000"
 1814 
 1815 In /etc/sysctl.conf add the following:
 1816 
 1817 vfs.vmiodirenable=1
 1818 kern.ipc.maxsockbuf=2097152
 1819 kern.ipc.somaxconn=8192
 1820 kern.ipc.maxsockets=16424
 1821 kern.maxfiles=65536
 1822 kern.maxfilesperproc=32768
 1823 net.inet.tcp.rfc1323=1
 1824 net.inet.tcp.delayed_ack=0
 1825 net.inet.tcp.sendspace=65535
 1826 net.inet.tcp.recvspace=65535
 1827 net.inet.udp.recvspace=65535
 1828 net.inet.udp.maxdgram=57344
 1829 net.local.stream.recvspace=65535
 1830 net.local.stream.sendspace=65535
 1831 
 1832 Give it two aspirin, a reboot and call me in the morning!!!!!
 1833 
 1834 <<< END OF QUOTE
 1835 
 1836 
 1837        ------------------------ KNOWN ISSUES ------------------------
 1838 
 1839 
 1840 - On non-Linux systems, '-c' only works in standalone mode.
 1841 
 1842 - You should always avoid the use of spaces in login names: applications
 1843 that are parsing log files often choke on this.
 1844 
 1845 - Incomplete transfers aren't logged in alternative formats.
 1846 
 1847 - On Solaris, to get chroot to work with pure-ftpd you need a dev directory
 1848 in your new rootdir with these:
 1849 
 1850 crw-rw-rw-   1 root     other     11, 42 Dec 10 15:02 tcp
 1851 crw-rw-rw-   1 root     other    105,  1 Dec 10 15:02 ticotsord
 1852 crw-rw-rw-   1 root     other     11, 41 Dec 10 15:03 udp
 1853 crw-rw-rw-   1 root     other     13, 12 Dec 10 15:03 zero
 1854 
 1855 Otherwise you get this:
 1856 
 1857 ftp> ls
 1858 425 Can't create the data socket: Bad file number.
 1859 
 1860 If all your users are chrooted, you have to create these files in every home
 1861 directory. Here's how:
 1862 
 1863 mkdir dev
 1864 mknod dev/tcp c 11 42
 1865 chmod 0666 dev/tcp
 1866 mknod dev/udp c 11 41
 1867 mknod dev/zero c 13 12
 1868 mknod dev/ticotsord c 105 1
 1869 
 1870 (Reported by Kenneth Stailey)
 1871 
 1872 - Resuming ASCII transfers is refused. ASCII transfers are hell, because
 1873 they consume CPU time on both the client and the server side. And they even
 1874 consume *more* bandwidth than binary transfers. But they allow Windows
 1875 clients to upload scripts to Unix servers, stripping these nasty ^M signs.
 1876 ASCII transfers are implemented in Pure-FTPd. But they can't be resumed and
 1877 this is intentional. To restart an ASCII transfer, the file has to be
 1878 read and analyzed byte by byte. It can take very long and by sending two
 1879 trivial commands, a client can completely kill a server (take a lot of CPU and
 1880 disk resources). And there's no workaround.
 1881 Another point is that while the RFC describes a way to resume ASCII transfers,
 1882 many clients and servers implement it in another way. The result is that
 1883 resumed ASCII transfers can lead to data corruption. Some major servers
 1884 didn't follow the RFC, so some clients made the same mistake to support these
 1885 servers, while some other modern clients and servers are trying to fully
 1886 conform to the RFC. So when clients and servers are speaking the same dialect, it
 1887 works. When it's not the case, you get corrupted files. Messy, eh?
 1888 And what if a customer uploads a script to your server and thinks he can
 1889 safely delete it from his hard disk? If the remote file is corrupted, he
 1890 will get really angry.
 1891 That's why Pure-FTPd *refuses* to resume ASCII transfers. If a customer tells
 1892 you that he isn't able to upload/download a partially transferred ASCII file,
 1893 please tell him to remove the partial file and to transfer it again. This
 1894 is a safe bet.
 1895 
 1896 
 1897    ------------------------ DOWNLOADING PURE-FTPD ------------------------
 1898 
 1899 
 1900 Pure-FTPd home page is: https://www.pureftpd.org/ .
 1901 
 1902 Git repository: https://github.com/jedisct1/pure-ftpd
 1903 
 1904 Thank you, 
 1905 
 1906                        -Frank DENIS "Jedi/Sector One" <j at pureftpd dot org>