{"id":13807245,"url":"https://github.com/jedisct1/pure-ftpd","last_synced_at":"2025-05-15T00:09:24.776Z","repository":{"id":659111,"uuid":"301941","full_name":"jedisct1/pure-ftpd","owner":"jedisct1","description":"Pure FTP server","archived":false,"fork":false,"pushed_at":"2025-04-08T18:38:43.000Z","size":2924,"stargazers_count":704,"open_issues_count":12,"forks_count":196,"subscribers_count":42,"default_branch":"master","last_synced_at":"2025-04-09T21:26:19.598Z","etag":null,"topics":["ftp","ftpd-server"],"latest_commit_sha":null,"homepage":"https://www.pureftpd.org","language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jedisct1.png","metadata":{"files":{"readme":"README","changelog":"ChangeLog","contributing":null,"funding":".github/FUNDING.yml","license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null},"funding":{"open_collective":"pure-ftpd"}},"created_at":"2009-09-09T10:23:17.000Z","updated_at":"2025-04-08T18:38:48.000Z","dependencies_parsed_at":"2023-01-13T10:34:40.026Z","dependency_job_id":"eec805a8-3551-4191-a7d9-eaf0643ad3ac","html_url":"https://github.com/jedisct1/pure-ftpd","commit_stats":{"total_commits":1053,"total_committers":42,"mean_commits":"25.071428571428573","dds":"0.11585944919278257","last_synced_commit":"2bbe0f25c6b905044803649a29df5f765f940b91"},"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jedisct1%2Fpure-ftpd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jedisct1%2Fpure-ftpd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jedisct1%2Fpure-ftpd/rel
eases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jedisct1%2Fpure-ftpd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jedisct1","download_url":"https://codeload.github.com/jedisct1/pure-ftpd/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248790358,"owners_count":21161998,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ftp","ftpd-server"],"created_at":"2024-08-04T01:01:23.086Z","updated_at":"2025-05-15T00:09:24.736Z","avatar_url":"https://github.com/jedisct1.png","language":"C","funding_links":["https://opencollective.com/pure-ftpd"],"categories":["C"],"sub_categories":[],"readme":"\n                              .:. PURE-FTPD .:.\n                      Documentation for version 1.0.52\n\n\n           ------------------------ BLURB ------------------------\n\n\nPure-FTPd is a fast, production-quality, standard-conformant FTP server,\nbased upon Troll-FTPd.\n\nThe server has been designed to be secure in default configuration, it has no\nknown vulnerability, it is really trivial to set up and it is especially\ndesigned for modern kernels. 
It was successfully ported to Linux, FreeBSD,\nDragonfly BSD, NetBSD, OpenBSD, OSX, AIX and more.\n\nFeatures include chroot()ed and/or virtual chroot()ed home directories,\nvirtual domains, built-in 'ls', anti-warez system, configurable ports for\npassive downloads, FXP protocol, bandwidth throttling, ratios,\nLDAP / MySQL / PostgreSQL-based authentication, fortune files, Apache-like\nlog files, fast standalone mode, text / HTML / XML real-time status report,\nvirtual users, virtual quotas, privilege separation, TLS and more.\n\n\n      ------------------------ WHO'S USING IT? ------------------------\n\n\nMany people new to Unix are running Pure-FTPd because they find it easy to\ninstall. But that software is also used on embedded systems and highly loaded\nproduction servers, especially for hosting services.\n\nFor large sites with centralized user management, Pure-FTPd provides flexible\nauthentication schemes including SQL and LDAP backends, plus the ability to\neasily write new custom handlers in any language.\n\n\n        ------------------------ COMPILATION ------------------------\n        \n\nIn its current form, Pure-FTPd uses some OS-specific system calls. And although\nsome portability work has been done in order to ease its port to other\noperating systems, only Linux, FreeBSD, NetBSD, OpenBSD, ISOS, MirBSD, BSDi,\nDragonflyBSD, Darwin, Solaris, Tru64, Irix, AIX and HPUX are known to work,\nother operating systems may need some tweaks. With Linux, any modern\ndistribution should be ok.\n\n* Step 1 (optional but recommended):\n\nCreate a specific, unprivileged user and group called _pure-ftpd, without any\nvalid shell. 
Don't use this for anything else, including FTP virtual users.\n\ngroupadd _pure-ftpd\nuseradd -g _pure-ftpd -d /var/empty -s /etc _pure-ftpd\n\nIf having a user whose name begins with an underscore is a no-go for you,\nyou can also call it pure-ftpd, without the underscore.\n\n* Step 2:\n\nIf you have Cdialog or Xdialog installed on your system, try the following\ncommand to build and install Pure-FTPd:\n\nmake -f Makefile.gui\n\nIf you don't have Cdialog or if you prefer the conventional way, here it is:\n\n./configure\nmake install-strip\n\nEt voilà! The software is now installed in /usr/local/sbin/pure-ftpd\n\n* Step 3:\n\nTo launch the server, just type the following command:\n\n/usr/local/sbin/pure-ftpd \u0026\n\nIf you installed a binary package (RPM, SLP, Debian), maybe use the\nfollowing command instead:\n\n/usr/sbin/pure-ftpd \u0026\n\nYour server is ready. Just type 'ftp localhost' to test it. If you want to\nautomatically run the server when the system boots, add the previous command\nto /etc/rc.d/rc.local or /etc/rc.d/boot.local . Don't forget the '\u0026' sign.\n\nNote:\n\nTo uninstall Pure-FTPd (no, do you really want to do this?), use:\n./configure\nmake uninstall\n\n\n   ------------------------ ADVANCED COMPILATION ------------------------\n    \n    \nThe \"./configure\" script accepts some arguments you might want to add before\nthe compilation:\n\n\n\n/--------------------\n \"--with-\" switches\n --------------------/\n\n\n--with-altlog: in addition to the syslog output, support logging into a\nspecific file, in an alternative format. Currently, the CLF, Stats, W3C and\nxferlog formats are implemented.\nCLF (common log format) is the basic format produced by Apache, WebFS, Roxen\nand most web servers. These log files only record file transfers and they can\nfeed web statistic software (Analog, Webalizer, etc.) to analyze the load of\nyour FTP server. The Stats format is a special output format designed for log\nfile analysis software. 
The W3C format is a standard format parsed by most\ncommercial log analyzers (all analyzers with support for IIS should deal with\nit) . Xferlog is the traditional format created by wu-ftpd. Check the -O\noption later in this documentation for additional info.\n\n--with-brokenrealpath: some Solaris versions have a broken realpath()\nimplementation. If altlog and/or pure-uploadscript doesn't seem to work\nproperly on your system, try to recompile with this switch.\n\n--with-tls: enable TLS support. Read README.TLS for more about this feature.\n\n--with-certfile=\u003cfile\u003e: the file with the TLS certificate (see README.TLS). The\ndefault is /etc/ssl/private/pure-ftpd.pem .\n\n--with-cookie: display a fortune or a customized banner when a user logs\nin (see the '-F' option) .\n\n--with-diraliases: support directory aliases (\"shortcuts\" for the \"cd\"\ncommand) . Please read the appropriate section about this (further in this\nmanual) .\n\n--with-everything: build a big server with almost all features turned on:\naltlog, cookies, throttling, ratios, ftpwho, upload script, virtual users\n(puredb), quotas, virtual hosts, directory aliases, external authentication,\nBonjour and privilege separation.\n\n--with-extauth: compiles support for external authentication modules. Please\nread README.Authentication-Modules and the pure-authd(8) man page before\nenabling this feature. Most users don't need it.\n\n--with-ftpwho: support for the 'pure-ftpwho' command. Enabling this feature\nneeds some extra memory. Better use it when the server is run in standalone\nmode. 
It can be way slower in inetd mode.\n\n--with-language=english\n--with-language=albanian\n--with-language=german\n--with-language=romanian\n--with-language=french\n--with-language=polish\n--with-language=spanish\n--with-language=danish\n--with-language=italian\n--with-language=brazilian-portuguese\n--with-language=slovak\n--with-language=dutch \n--with-language=korean\n--with-language=swedish\n--with-language=norwegian\n--with-language=russian\n--with-language=traditional-chinese\n--with-language=simplified-chinese\n--with-language=hungarian\n--with-language=catalan\n--with-language=czech: change the language of server messages.\nDefault is english. If you want to contribute a translation, please\ntranslate the 'src/messages_en.h' file and send it to \u003cj at pureftpd dot org\u003e .\n\n--with-ldap: use the native LDAP directory support. When this option is\nenabled, system accounts can be bypassed. You need OpenLDAP to use that\nfeature. If OpenLDAP is installed in a custom location, you can use the\n--with-ldap=\u003cdirectory\u003e syntax. See the README.LDAP file for more info about\nLDAP and Pure-FTPd.\n\n--with-minimal: to efficiently use features of modern FTP clients, Pure-FTPd\nimplements the basics of the FTP protocol, with many extensions (SITE IDLE,\nSITE CHMOD, MLSD, ...) . Using the --with-minimal directive, these extensions\nwon't be compiled in. Also, there will be no standalone server, no lookup for\nuser/group names, no humor and no ASCII support. But the executable file size\nwill be smaller than in a default installation. You need at least GCC 3.3 to\ncompile with this option. Regular expressions are compiled in. If you still\nwant to reduce the size, use --without-globbing in conjunction with\n--with-minimal. If you are building an embedded system, use this. In all other\ncases, to avoid complaints from customers (especially with Windows clients),\nforget this.\n\n--with-mysql: use the native MySQL support for users database. 
When this\noption is enabled, system accounts can be bypassed. MySQL client libraries\nshould be installed to use that feature. If MySQL is installed in a custom\nlocation, you can use the --with-mysql=\u003cdirectory\u003e syntax. See the\nREADME.MySQL file for more info about MySQL and Pure-FTPd. \n\n--with-nonroot: set up a server that doesn't need root privileges to be\nstarted. Any regular user can run the server. It can be useful if you have a\nlimited shell access to a non-dedicated hosting server. But some features\nwill be disabled and passwords can only be checked via LDAP, SQL or PureDB.\nWhen virtual chroot is enabled, people will be restricted to the directory\nthe server was started in. This is an insecure mode, designed for setting up\nvery temporary servers by regular (non-root) users. Port 2121 will be\nlistened by default in standalone mode. If you want to use the nonroot mode,\nyou must compile and *install* the software (./configure --prefix=... \u0026\u0026\nmake install-strip) . /sbin, /bin and /man directories will be created in\nthat prefix. But you must also add an /etc directory (readable and writeable\nby the user pure-ftpd will run as) . You can change the anonymous FTP root\ndirectory through an environment variable named FTP_ANON_DIR.\n\n--with-pam: use pluggable authentication modules. Don't use this option\nif your login/passwd pairs are always refused (but the real fix would be to\nfix your PAM configuration). You need to create a /etc/pam.d/pure-ftpd file\nto properly use the PAM authentication. The 'pam' directory contains an\nexample of such a file.\n\n--with-paranoidmsg: favor paranoid messages over sysadmin-friendly\nmessages. When this option is enabled, login failures will show the same\nmessage to the user, regardless of the source of the problem. 
Without this\noption, \"Authentication failure\" is displayed when this is a password\nproblem and \"Sorry, I can't trust you\" is displayed when the user has been\nbanned by the sysadmin.\n\n--with-peruserlimits: enable per-user concurrency limits. Avoid this\non very loaded servers.\n\n--with-pgsql: use the native Postgres support for users database. When this\noption is enabled, system accounts can be bypassed. Postgres client libraries\nshould be installed to use that feature. If Postgres is installed in a custom\nlocation, you can use the --with-pgsql=\u003cdirectory\u003e syntax. See the\nREADME.PGSQL file for more info about Postgres and Pure-FTPd. \n\n--with-probe-random-dev: Pure-FTPd uses /dev/urandom or /dev/random devices\nto provide hard-to-predict random numbers. The presence of these devices is\nusually probed at compile-time. If you want to compile a binary package on\na host, then run it on another host, this option will enable the probe at\nrun-time. This is useless on Linux and BSD systems, but it can be needed on\nSolaris and QNX.\n\n--with-puredb: support virtual users, i.e. a local users database,\nindependent of your system accounts. Please read the README.Virtual-Users\nfile for more info about virtual users.\n\n--with-quotas: enable virtual quotas. With virtual quotas, you can restrict\nthe maximal number of files a user can store in his account. You can also\nof course restrict the total size. See the \"quotas\" section later in this\ndocument.\n\n--with-ratios: support upload/download ratios, to please w4r3z fr34k2.\n\n--with-sysquotas: support system quotas (not Pure-FTPd's virtual quotas) .\n\n--with-throttling: support bandwidth throttling (see below).\n\n--with-uploadscript: since 0.98, Pure-FTPd has a nice feature regarding\nuploads. Any external program or script can be automatically called after a\nsuccessful upload. It needs another program installed by the Pure-FTPd\npackage, called 'pure-uploadscript'. 
Check the man page for more info about\nthis.\n\n--with-virtualchroot: usually, when a user is chrooted (-A and -a\noptions), it's impossible to go out of his home directory. Enabling that\nfeature makes it possible: symbolic links are always followed, even if they\nare pointing to directories not located in the user's home directory. This\nis very useful for having shared directories (for instance, have a symbolic\nlink to /var/incoming in every home directory) .\nThis feature isn't enabled by default.\n\n--with-virtualhosts: support virtual hosting. It means that you can have\ndifferent anonymous FTP areas for each IP address. If your server has only\none IP address, you don't need that feature. But if you have multiple IP\naddresses and if you want a client that connects to IP xxx to get\nthe content of /etc/pure-ftpd/xxx/ instead of ~ftp/ , enable this option.\nAnd read the \"VIRTUAL SERVERS\" section at the end of this file.\n\n--with-welcomemsg: read 'welcome.msg' files for compatibility with some\nother FTP servers. This is a security flaw (anonymous users may upload\n'welcome.msg' files to add random banners) . Pure-ftpd uses '.banner' files\nby default.\n\n--with-boring: display boring \"professional-looking\" messages.\n\n--with-bonjour: enable Bonjour support on MacOS X (see the -v switch).\n\n--with-rfc2640: enable support for charset conversion. It adds a dependency\nover the iconv library and it requires a little more CPU time. See the -8\nand -9 switches.\n\n--with-implicittls: build an FTPS server (TLS is implicitly enabled).\nThe protocol is incompatible with FTP and listens to another port by default\n(port 990, ftps). Never enable this option unless you know what you're doing.\n\n\n/-----------------------\n \"--without-\" switches\n -----------------------/\n\n--without-privsep: disable privilege separation (see notes about this later),\nnot recommended.\n\n--without-ascii: does not support 7-bit transfers (ASCII) .  
If you have\ncustomers using Windows clients to send scripts and HTML files, don't use\nthis option or they will yell at you.\n\n--without-capabilities: if the capabilities library (libcap) is found,\nPure-FTPd will try to use it in order to enhance security. This option\noverrides the test to ignore the library. Try this if capabilities don't\nwork properly on your system. libcap can be downloaded from\nftp://ftp.kernel.org/pub/linux/libs/security/linux-privs/ .\n\n--without-globbing: don't include the globbing code. It reduces the memory\nfootprint but regular expressions won't work any more (things like 'ls\n*.rpm') . Most people shouldn't use --without-globbing. Globbing is a nice\nfeature.\n\n--without-humor: if you find what this option does without peeking at the\nsource code, you're a lucky guy!\n\n--without-inetd: if you will always be running Pure-FTPd in standalone-mode,\nenabling this flag can save a few code bytes. Don't enable --without-inetd\nand --without-standalone, because it's impossible to run a server without\none of them. These options aren't enabled on binary distributions of\nPure-FTPd, so that both inetd-like and standalone mode are supported.\n\n--without-iplogging: don't log any IP address to protect confidentiality,\nespecially for political servers.\n\n--without-nonalnum: paranoid file name checking: only allow basic\nalphanumeric characters. Never enable this switch blindly, or your customers\nwill complain.\n\n--without-unicode: disallow non-latin characters. Recommended if you don't\nhave special characters in file names.\n\n--without-sendfile: on Linux, Solaris, HPUX and FreeBSD kernels, Pure-FTPd\ntries to reduce the CPU/memory usage by using a special system call (sendfile)\n. It works very well with most filesystems. However, this optimization is not\nimplemented for all filesystems in current kernels. 
Users reported that\ndownloading files with Pure-FTPd failed with SMBFS (Samba) on FreeBSD and\nTmpFS and NTFS on Linux (the error reported by the server is \"broken pipe\" or\n\"Error during write to data connection\") . If you are planning to serve files\nfrom these filesystems, you have to use the --without-sendfile switch to\nenable a workaround. It was also reported that PA-Risc Linux systems need this\nflag.\n\n--without-shadow: ignore the shadow passwords, even though they are\nauto-detected. Usually a bad idea, unless you use PAM, LDAP or SQL.\nPure-FTPd supports expiration dates of shadow passwords (both for accounts\nand passwords) .\n\n--without-standalone: the FTP server can normally run in standalone-mode\n(without any super-server) . If you don't need that feature and if you want\nto save a few code bytes, add this option. A super-server such as xinetd\nor tcpserver will be mandatory to run the service. But the standalone mode is\nthe recommended mode of operation.\n\n--without-usernames: never outputs user and group names in directory\nlistings, only UIDs and GIDs. 
It improves security and performance, but\nsome people find this not user-friendly.\n\n\n\n/--------------\n Other notes\n --------------/\n\n\nOther traditional autoconf options are of course recognised, in particular:\n\n- \"--prefix=\" to change the installation prefix, that defaults to \"/usr/local/\"\n\n- \"--sysconfdir=\" to change the configuration files directory (defaults to\n\"/etc\" unless you specified a prefix with --prefix)\n\n- \"--localstatedir=\" to change the runtime files directory (defaults to\n\"/var\" even if you specified a prefix with --prefix)\n\nFYI, the binary RPM packages of Pure-FTPd are configured with the following\ncommand line:\n\n./configure --with-everything --with-paranoidmsg --without-capabilities \\\n            --with-virtualchroot\n\nRPM packages are also compiled with --without-pam to enhance their\nportability.\n\n\n  ------------------------ STANDALONE INSTALLATION ------------------------\n\n\nThis is the recommended way to start the server.\n\nUnless you compiled the server with \"--without-standalone\", running the\nserver is as easy as typing:\n\n/usr/local/sbin/pure-ftpd \u0026\n\nIn the following examples, we will assume that the 'pure-ftpd' file is\nlocated in /usr/local/sbin. This is the default if you compiled the server\nfrom the source code tarball. But as I said earlier in this document, if\nyou installed a binary package (RPM, SLP, DEB, TGZ), the server may be\ninstalled in /usr/sbin/. So just replace '/usr/local/sbin/pure-ftpd' with\n'/usr/sbin/pure-ftpd'.\n\nWhen the previous command is run, the server will listen for incoming\nconnections on every interface, all IP addresses and the standard FTP port\n(21) . 
If your system has IPv6 addresses, they should work as well.\n\nNow, if you want to listen for an incoming connection on a non-standard port,\njust append '-S' and the port number:\n\n/usr/local/sbin/pure-ftpd -S 42\n\nService names are also allowed ('-S smtp' and the daemon will be accepting\nconnections on the SMTP port (25) . Very uncommon, but we should please\neverybody anyway, even disturbed minds) .\n\nNow, what if your system has many IP addresses and you want the FTP server\nto be reachable on only one of these addresses, let's say 192.168.0.42?\nJust use the following command line:\n\n/usr/local/sbin/pure-ftpd -S 192.168.0.42,\n\nThe final comma is important, don't forget it. Actually, it's a shorthand for:\n\n/usr/local/sbin/pure-ftpd -S 192.168.0.42,21\n\nIf you prefer host names over IP addresses, it's your choice:\n\n/usr/local/sbin/pure-ftpd -S ftp.example.com,21\n\nIPv6 addresses are of course supported.\n\nWith previous command lines, the server will run in the default\nconfiguration. Anonymous FTP logins will be allowed if there's a system\naccount called 'ftp' and every user of your system will be able to access\nthe FTP server using their regular login/password pair.\n\nIf you need to tweak that default configuration, other command-line options\ncan be added. For instance:\n\n/usr/local/sbin/pure-ftpd -c 50 \u0026\n\nor\n\n/usr/local/sbin/pure-ftpd -S ftp.example.com,21 -c 50 \u0026\n\nAnd only 50 simultaneous connections will be allowed. To discover what\noptions are available please jump to the 'OPTIONS' chapter below. If the\nserver runs perfectly for you in standalone mode, you don't need to read the\nfollowing chapter about super-servers. But read the options. '-m' and '-C'\nare recommended. '-D' is also a good choice if you (or your customers) use\nbroken clients. Please read on.\n\nWhen you run 'ps auxw|grep pure-ftpd', the result looks like this:\n\nroot     15211  0.1  0.3  1276  452 ?        
S    13:53   0:00 pure-ftpd [SERVER]\nroot     15212  0.1  0.5  1340  672 ?        S    13:54   0:00 pure-ftpd [IDLE]\nroot     15214  0.0  0.5  1340  672 ?        S    13:56   0:00 pure-ftpd [DOWNLOADING]\n\n[SERVER] is the main server. If you kill this process, the server will exit\nafter the next connection.\n[IDLE] shows a client with no transfer activity.\n[DOWNLOADING] shows a client downloading a file.\n[UPLOADING] shows a client uploading a file.\n\nFor easy scripting, the file '/var/run/pure-ftpd.pid' is created and it\nalways contains the PID of the main server process.\n\nIf you want to stop the server, you can just kill the processes:\n\npkill -x pure-ftpd\n\nOf course, don't use -9 unless the server is completely stuck. -9 doesn't\ngive processes any chance to clean things up and should never be used except\nwhere there's absolutely nothing else to do.\n\n\n ------------------------ SUPER-SERVER INSTALLATION ------------------------\n    \n    \nPure-FTPd can also run with the help of a super-server, like telnet, wu-ftp,\nfinger or Qmail. This is not recommended. If this is an option, start it in\nstandalone mode instead. Using a super-server is usually slower than the\nstandalone mode. But if you love tcpwrappers or built-in filtering abilities\nof your super-server, Pure-FTPd can cope with them.\n\nUnix has tons of super-servers: Inetd (the most common one), TCPserver,\nG2S, Xinetd, Rlinetd, ... Only the first three will be covered here, but\nintegration with other super-servers should be painless.\n\n\n**** Usage with Inetd ****\n\nImportant: if security matters for you, forget inetd. In the default\nconfiguration, inetd will stop a service after a high rate of connections to\nthe same port. This creates an easy denial-of-service. Also, inetd doesn't\nhave any concurrency limit. Bad guys can fill up your memory and your\ndescriptor tables even if you are restricting the number of connections in\npure-ftpd. 
Better use a modern replacement for inetd, or run pure-ftpd in\nstandalone mode.\n\n\n1) Check that inetd is up:\n\nps auxw | grep inetd\nroot      3699  0.0  0.3  1072  492 ?        S    15:47   0:00 inetd\n\n2) Edit /etc/inetd.conf and look for a line like:\n\nftp        stream        tcp        nowait        root        /usr/sbin/tcpd        in.ftpd\n\nThe line may also end with \"proftpd\" or \"wuftpd\", but it should start with\n\"ftp stream tcp\".\n\n3) Replace that line with the following one:\n\nftp        stream        tcp        nowait        root        /usr/sbin/tcpd        /usr/local/sbin/pure-ftpd\n\nIf /usr/sbin/tcpd is missing on your system, try the following line instead:\n\nftp        stream        tcp        nowait        root        /usr/local/sbin/pure-ftpd  pure-ftpd\n\n4) Restart the inetd daemon:\n\npkill -x -s HUP inetd\n\nIf 'pkill' is missing on your system, try this:\n\nkill -HUP $(cat /var/run/inetd.pid)\n\n\n**** Usage with Xinetd ****\n\nAdd the following entry to the /etc/xinetd.conf file:\n\n\nservice ftp \n{ \n    socket_type = stream \n    server = /usr/local/sbin/pure-ftpd \n    protocol = tcp \n    user = root \n    wait = no\n    disable = no \n}\n\n\nOn Redhat systems, you can also put this in a /etc/xinetd.d/pure-ftpd file.\n\nThen, restart the server:\n\npkill -x -s USR2 xinetd\n\n\n\n**** Usage with TCPserver ****\n\n\nTCPServer is part of the ucspi-tcp package by Dan Bernstein.\nThe simplest way of running Pure-FTPd with TCPserver is the following command:\n\ntcpserver -DHRl0 0 21 /usr/local/bin/pure-ftpd \u0026\n\nYou can add that line to your system local startup scripts\n(usually /etc/rc.d/boot.local or /etc/rc.d/rc.local) . If it doesn't work,\nreplace 'tcpserver' with its full path (eg. '/usr/local/bin/tcpserver') .\n\n\n          ------------------------ OPTIONS ------------------------\n    \n    \nThe previous steps should be enough to get a running FTP server. 
But you can\nadd some command-line arguments to change its behavior. These arguments have\nto be added after the pure-ftpd path in your super-server configuration.\nFor instance, you want to add the '-s' and '-a 42' flags. Here are what the\nconfiguration lines will look like in your super-server:\n\n- Inetd:\nftp        stream        tcp        nowait        root        /usr/sbin/tcpd  /usr/local/sbin/pure-ftpd -s -a42\nor\nftp        stream        tcp        nowait        root        /usr/local/sbin/pure-ftpd  pure-ftpd -s -a42\n\nIf you use Inetd, don't put space between options and arguments. e.g. use\n-a42 instead of -a 42 . Inetd has trouble dealing with a lot of options and\nwith characters like ':' .\n\n- Xinetd:\n\nservice ftp \n{ \n    socket_type = stream \n    server = /usr/local/sbin/pure-ftpd\n    server_args = -s -a 42\n    protocol = tcp \n    user = root \n    wait = no\n    disable = no \n}\n\n- TCPserver:\ntcpserver -DHRl0 0 21 /usr/local/bin/pure-ftpd -s -a 42 \u0026\n\n- G2S:\n{  \n    SERVICE ftp\n    DESCRIPTION \"Pure-FTPd\"\n    RUN /usr/local/sbin/pure-ftpd -s -a 42\n}\n\nUsers need a shell listed in /etc/shells to get restricted or unrestricted\nFTP access. Alternatively, you can give them \"ftp\" as a shell. Users with a\n\"ftp\" shell will be able to login through FTP only: no telnet, no SSH. And\nthere's no need (and you shouldn't do so) for an \"ftp\" entry in /etc/shells.\n\nHere are the recognized switches:\n\n- '-0': when a file is uploaded and there is already a previous version of the\nfile with the same name, the old file will neither get removed nor truncated.\nUpload will take place in a temporary file and once the upload is complete,\nthe switch to the new version will be atomic. 
For instance, when a large PHP\nscript is being uploaded, the web server will still serve the old version and\nimmediately switch to the new one as soon as the full file has been\ntransferred.\n\n- '-1': log the PID of each session in syslog output.\n\n- '-2 \u003cfile\u003e': when using TLS, set the path to the certificate file.\n\n- '-4': only listen to IPv4 connections.\n\n- '-6': don't listen to IPv4, only listen to IPv6.\n\n- '-a \u003cgid\u003e': authenticated users will be granted access to their home\ndirectory and nothing else (chroot) . This is especially useful for users\nwithout shell access, for instance, WWW-hosting services shared by several\ncustomers. Only members of group number \u003cgid\u003e will have unrestricted access\nto the whole filesystem. So add a \"staff\", \"admin\" or \"ftpadmin\" group and\nput your trusted users in. \u003cgid\u003e is a NUMERIC group number, not a group name.\nThis feature is mainly designed for system users, not for virtual ones.\n\nNote: 'root' (uid 0) always has full filesystem access.\n\nIf you want to chroot() everyone, but root, use the following flag:\n\n- '-A': chroot() everyone, but root. There's no such thing as a trusted\ngroup. '-A' and '-a \u003cgid\u003e' are mutually exclusive.\n\n- '-b': Ignore parts of RFC standards in order to deal with some totally\nbroken FTP clients, or broken firewalls/NAT boxes. Also, non-dangling\nsymbolic links are shown as real files/directories. EPSV is disabled.\n\n- '-B': Have the standalone server start in background (daemonization).\n\n- '-c \u003cnumber of clients\u003e': Allow a maximum of clients to be connected. For\ninstance '-c 42' will limit access to 42 simultaneous clients. There is a\n50 client limit by default.\n\n- '-C \u003cmax connection per ip\u003e': Limit the number of simultaneous connections\ncoming from the same IP address. 
This is yet another very effective way to\nprevent stupid denial of services and bandwidth starvation by a single user.\nIt works only when the server is launched in standalone mode (if you use a\nsuper-server, it is supposed to do that) . If the server is launched with\n'-C 2', it doesn't mean that the total number of connections is limited to 2.\nBut the same client, coming from the same machine (or at least the same IP),\ncan't have more than two simultaneous connections. This feature needs some\nmemory to track IP addresses, but it's recommended to use it.\n\n- '-d': Send various debugging messages to the syslog. Don't use this\nunless you really want to debug Pure-FTPd. Passwords aren't logged.\nDuplicate '-d' to log responses, too.\n\n- '-D': List files beginning with a dot ('.') even when the client doesn't\nappend the '-a' option to the list command. A workaround for badly\nconfigured FTP clients. If you are a purist, don't enable this. If you\nprovide hosting services and if you have lousy customers, enable this.\n\n- '-e': Only allow anonymous users. Use this on a public FTP site with no\nremote FTP access to real accounts.\n\n- '-E': Only allow authenticated users. Anonymous logins are prohibited.\n\n- '-f \u003cfacility\u003e': Use that facility for syslog logging. It defaults to\n'ftp' (or 'local2' if you got an obsolete libc without that facility).\nLogging can be disabled with '-f none' .\n\n- '-F \u003cfortune file\u003e': Display a fortune cookie on login. The sentence is\na random extract from the text file \u003cfortune file\u003e. This text file should be\nformatted like standard \"fortune\" files (fortunes are separated by a '%'\nsign on a single line) . Pure-FTPd has to be compiled with support for\ncookies (--with-cookie). If you just want a simple banner displayed before\nthe login prompt, add the name of any text file here.\n\n- '-g \u003cpid file\u003e': Change the location of the pid file when the server is\nrun in standalone mode. 
The default is /var/run/pure-ftpd.pid .\n\n- '-G': Disallow renaming.\n\n- '-H': By default, fully-qualified host names are logged. To achieve this,\nDNS lookups are mandatory. The '-H' flag avoids host name resolution.\n(\"213.41.14.252\" will be logged instead of \"www.toolinux.com\") . It can\nsignificantly speed up connections and reduce bandwidth usage on busy\nservers. Use it especially on public FTP sites. Also, please note that\nwithout -H, host names are informative but shouldn't be trusted: no reverse\nmapping check is done to save DNS queries.\n\n- '-i': Disallow upload for anonymous users, whatever directory permissions\nare. This option is especially useful for virtual hosting, to avoid your\nusers creating warez sites in their account.\n\n- '-I \u003ctimeout\u003e': Change the maximum idle time. The timeout is in minutes\nand defaults to 15 minutes. Modern FTP clients are trying to fool timeouts\nby sending fake commands at regular intervals. We disconnect these clients\nwhen they are idle for twice (because they are active anyway) the normal\ntimeout.\n\n- '-j': If the home directory of a user doesn't exist, automatically create\nit. The newly created home directory belongs to the user and permissions are\nset according to the current directory mask. Only the home directory can be\ncreated (so /home/john/./public_html won't work, but /home/john will) . To\navoid local attacks, the parent directory should never belong to an untrusted\nuser. Also note that you must trust whoever manages the users databases,\nbecause with that feature, he'll be able to create/chown directories anywhere\non the server's filesystem.\n\n- '-J \u003cciphers\u003e': Sets the list of ciphers that will be accepted for\nTLS connections.\n\n- '-k \u003cpercentage\u003e': Don't allow uploads if the partition is more than\n\u003cpercentage\u003e% full. For instance, \"-k 95\" will ensure your disks will never\nget filled more than 95% by FTP. 
No need for the \"percent\" sign after the\nnumber.\n\n- '-K': Allow users to resume and upload files, but *NOT* to delete or rename\nthem. Directories can be removed, but only if they are empty. However,\noverwriting existing files is still allowed (to support upload resume) . If\nyou want to disable this too, add -r (--autorename) .\n\n- '-l \u003cauthentication\u003e' or '-l \u003cauthentication\u003e:\u003cconfig file\u003e': Adds a new\nrule to the authentication chain. Please read the \"Authentication\" section,\nlater in this README file. It's an important section.\n\n- '-L \u003cmax files\u003e:\u003cmax depth\u003e': To avoid stupid denial-of-service attacks\n(or just CPU hogs), Pure-FTPd never displays more than 10000 files in response\nto an 'ls' command. Also, a recursive 'ls' (-R) never goes further than 5\nsubdirectories. You can increase/decrease those limits with the '-L' option.\n\n- '-m \u003ccpu load\u003e': Don't allow anonymous download if the load is above \u003ccpu\nload\u003e . A very efficient way to prevent overloading your server. Upload is\nstill allowed, though.\n\n- '-M': Allow anonymous users to create directories.\n\n- '-n \u003cmax files\u003e:\u003cmax size\u003e': If the server has been compiled with support\nfor virtual quotas, enforce these quota settings for all users (except\nmembers of the 'trusted' group) . \u003cmax size\u003e is in Megabytes. See the\n\"virtual quotas\" section later in this document.\n\n- '-N': NAT mode. Force ACTIVE mode. If your FTP server is behind a NAT box\nthat doesn't support applicative FTP proxying, or if you use port\nredirection without a transparent FTP proxy, use this. Well... the previous\nsentence isn't very clear. Okay: if your network looks like this:\n(FTP server)-------(NAT/masquerading gateway/router)------(Internet)\nand if you want people coming from the internet to have access to your FTP\nserver, please try without this option first. 
If Netscape clients can\nconnect without any problem, your NAT gateway rulez. If Netscape doesn't\ndisplay directory listings, your NAT gateway sucks. Use '-N' as a workaround.\n\n- '-o': Write all uploaded files to '/var/run/pure-ftpd.upload.pipe' so\nthat the 'pure-uploadscript' program can run. Don't enable that option if\nyou don't actually use 'pure-uploadscript' otherwise pure-ftpd will hang\nwaiting for pure-uploadscript to start.\n\n- '-O \u003cformat\u003e:\u003clog file\u003e': Record all file transfers into a specific log\nfile, in an alternative format. Currently, four formats are supported: CLF\n(Apache-like), Stats, W3C and xferlog.\n\nIf you add '-O clf:/var/log/pureftpd.log' to your starting options,\nPure-FTPd will log transfers in /var/log/pureftpd.log in a format similar to\nthe Apache web server in default configuration. \n\nIf you add '-O stats:/var/log/pureftpd.log' to your starting options,\nPure-FTPd will create log files in a special format, designed for statistical\nreports. The Stats format is compact, more efficient and more accurate than\nCLF and the old broken \"xferlog\" format.\n\nThe Stats format is:\n\u003cdate\u003e \u003csession id\u003e \u003cuser\u003e \u003cip\u003e \u003cU or D\u003e \u003csize\u003e \u003cduration\u003e \u003cfile\u003e\n\n\u003cdate\u003e is a GMT timestamp (time()) and \u003csession id\u003e identifies the current\nsession. \u003cfile\u003e is unquoted, but it's always the last element of a log line.\n\"U\" means \"Upload\" and \"D\" means \"Download\".\n\nWarning: the session id is only designed for statistics purposes. While it's\nalways a unique string in the real world, it's theoretically possible to have\nit non unique in very rare conditions. 
So don't rely on it for critical\nmissions.\n\nA command called \"pure-statsdecode\" can be used to convert timestamps into\nhuman-readable dates.\n\nThe W3C format is enabled with '-O w3c:/var/log/pureftpd.log' .\n\nFor security purposes, the path must be absolute (eg. /var/log/pureftpd.log\n, not ../log/pureftpd.log) . If this log file is stored on a NFS volume, don't\nforget to start the lock manager (often called \"lockd\" or \"rpc.lockd\").\n\n- '-p \u003cfirst port\u003e:\u003clast port\u003e': Use only ports in the range \u003cfirst port\u003e\nto \u003clast port\u003e inclusive for passive-mode downloads. This is especially\nuseful if the server is behind a firewall without FTP connection tracking.\nUse high ports (40000-50000 for instance), where no regular server should be\nlistening.\n\n- '-P \u003cip address or host name\u003e': Force the specified IP address in reply to\na PASV/EPSV command. If the server is behind a masquerading (NAT) box that\ndoesn't properly handle stateful FTP masquerading, put the ip address of\nthat box here. If you have a dynamic IP address, you can put the public host\nname of your gateway, that will be resolved every time a new client will\nconnect.\n\n- '-q \u003cupload ratio\u003e:\u003cdownload ratio\u003e': Enable ratios for anonymous users.\n\n- '-Q \u003cupload ratio\u003e:\u003cdownload ratio\u003e': Enable ratios for everybody\n(anonymous and non-anonymous). Members of the root (0, something called\n'wheel') have no ratio.\n\n- '-r': Never overwrite existing files. Uploading a file whose name\nalready exists causes an automatic rename. Files are called xyz, xyz.1, xyz.2,\nxyz.3, etc.\n\nTip: if you compile with 'make AUTORENAME_REVERSE_ORDER=1' , the naming\nconvention will be reversed. Files will be called xyz, 1.xyz, 2.xyz, 3.xyz,\netc.\n\n- '-R': Disallow users (even non-anonymous ones) usage of the CHMOD\ncommand. 
On hosting services, it may prevent newbies from making mistakes,\nlike setting bad permissions on their home directory. Only root can use\nCHMOD when -R is enabled.\n\n- '-s': The \"waReZ protection\". Don't allow anonymous users to download\nfiles owned by \"ftp\" (generally, files uploaded by other anonymous users) .\nSo that uploads have to be validated by a system administrator (chown to\nanother user) before being available for download.\n\n- '-S [\u003cip address\u003e,|\u003chostname\u003e,] [\u003cport\u003e|\u003cservice name\u003e]'. This option is\nonly effective when the server is launched as a standalone server.\nConnections are accepted on the specified IP and port. IPv4 and IPv6 are\nsupported. Numeric and fully-qualified host names are accepted. A service\nname (see /etc/services) can be used instead of a numeric port number.\n\n- '-T \u003cbandwidth\u003e' and '-t \u003cbandwidth\u003e': Enable bandwidth limitation (see\nbelow) . \u003cbandwidth\u003e is specified in kilobytes/seconds. To set up separate\nupload/download bandwidth, the [\u003cupload\u003e]:[\u003cdownload\u003e] syntax is supported.\n\n- '-u \u003cuid\u003e': Don't allow uids below \u003cuid\u003e to log in. '-u 1' denies access\nto root (safe), '-u 100' denies access to virtual accounts on most Linux\ndistros.\n\n- '-U \u003cumask for files\u003e:\u003cumask for dirs\u003e': Change the file creation mask.\nThe default is 133:022. If you want a new file uploaded by a user to only be\nreadable by that user, use '-U 177:077'. If you want uploaded files to be\nexecutable, use 022:022 (files will be readable -but not writable- by other\nusers) or 077:077 (files will only be executable and readable by their\nowner) . Please note that Pure-FTPd supports the SITE CHMOD extension, so a\nuser can change the permissions of his own files.\n\n- '-V \u003cip address\u003e': Allow non-anonymous FTP access only on this specific\nlocal IP address. All other IP addresses are only anonymous. 
With that\noption, you can have routed IPs for public access and a local IP (like\n10.x.x.x) for administration. You can also have a routable trusted IP\nprotected by firewall rules and only that IP can be used to login as a\nnon-anonymous user.\n\n- '-v \u003cname\u003e': Set the service name for Apple's Bonjour. Only available on\nMacOS X when Bonjour support is compiled in.\n\n- '-w': Support the FXP protocol only for authenticated users. FXP works\nwith IPv4 and IPv6 addresses.\n\n- '-W': Support the FXP protocol. FXP allows transfers between two remote\nservers without any file data going to the client asking for the transfer.\n\nHowever:\n\n****************************************************************************\n\n   *FXP IS AN INSECURE PROTOCOL* (third-party hosts can steal the current\nconnection) . In Pure-FTPd, specific precautions have been taken to reduce\nFXP insertion attacks. But if your FTP server serves private data:\n   NEVER ALLOW FXP ACCESS TO UNTRUSTED HOSTS. YOU CAN PLAY WITH IT ON AN\nINTERNAL SERVER, BUT _DON'T_ GIVE FXP ACCESS TO ANONYMOUS INTERNET USERS.\n\n****************************************************************************\n\n        It's why FXP is disabled by default on Pure-FTPd unless you\nexplicitly enable it with '-W' or '-w'.\n\n- '-x': In normal operation mode, authenticated users can read/write files\nbeginning with a dot ('.') . Anonymous users can't, for security reasons\n(like changing banners or a forgotten .rhosts) . When '-x' is used,\nauthenticated users can download dot-files, but not overwrite/create them,\neven if they own them. That way, you can prevent hosted users from messing\n.qmail files. 
If you want to give user access to a special dot-file, create a\nsymbolic link to the dot-file with a file name that has no dot in it and the\nclient will be able to retrieve the file through that link.\n\n- '-X': This flag is identical to the previous one (writing dot-files is\nprohibited), but in addition, users can't even *read* files and directories\nbeginning with a dot (like \"cd .ssh\") .\n\n****************************************************************************\n\nWhen used in conjunction with \"-a\", members of the trusted group can bypass\n'-x'/'-X' restrictions.\n\n****************************************************************************\n\n- '-y \u003cmax user logins\u003e:\u003cmax anonymous logins\u003e': This option only\nworks if the server has been compiled with --with-peruserlimits. It\nrestricts the number of concurrent sessions the same user can have.\n  A null value ('0') means 'unlimited'.\n\nHere's a concrete example:\n\n/usr/local/sbin/pure-ftpd -y 3:20 -c 15 -C 5 -B\n\nHere, we allow:\n  * A max total of 15 sessions.\n  * 5 connections max coming from the same IP address.\n  * 3 connections max with the same user name.\n  * 20 anonymous users max.\n  \nWith such a setup, a single user can't easily fill all slots.  \n\n- '-Y 0': Disable the TLS encryption layer (default).\n  '-Y 1': Accept both standard and encrypted sessions.\n  '-Y 2': Refuse connections that aren't using TLS security mechanisms,\nincluding anonymous sessions. The server must have been compiled with\n--with-tls and a valid certificate must be in place to get this feature.\nSee the README.TLS file for more info about TLS.\n  '-Y 3': Cleartext sessions are refused and only TLS compatible \nclients are accepted. 
Clear data connections are also refused, so private \ndata connections are enforced.\n\n- '-z': Allow anonymous users to read files and directories starting with a\ndot ('.') .\n\n- '-Z': Try to protect customers against common mistakes to avoid your\ntechnical support being busy with stupid issues. Right now, the '-Z' switch\nprevents your users against making bad 'chmod' commands, that would deny\naccess to files/directories to themselves. The switch may turn on other\nfeatures in the future. If you are a hosting provider, turn this on.\n\nIf you prefer long options (GNU-style) over standard ones, the following\naliases are available. You can get this list at any time by typing\n'pure-ftpd --help' .\n\n\n--(switches sorted by ##standard switches## lexical order)--\n\n-0  --notruncate\n-1  --logpid                \u003cfile\u003e\n-4  --ipv4only\n-6  --ipv6only\n-8  --fscharset             \u003ccharset\u003e\n-9  --clientcharset         \u003ccharset\u003e\n-a  --trustedgid            \u003cgid\u003e\n-A  --chrooteveryone    \n-b  --brokenclientscompatibility    \n-B  --daemonize \n-c  --maxclientsnumber      \u003cnumber\u003e\n-C  --maxclientsperip       \u003cnumber\u003e\n-d  --verboselog    \n-D  --displaydotfiles   \n-e  --anonymousonly \n-E  --noanonymous   \n-f  --syslogfacility        \u003cfacility\u003e\n-F  --fortunesfile          \u003cfile\u003e\n-g  --pidfile               \u003cpath to pid file\u003e\n-G  --norename\n-h  --help  \n-H  --dontresolve   \n-i  --anonymouscantupload\n-I  --maxidletime           \u003ctime (min)\u003e\n-j  --createhomedir\n-J  --tlsciphersuite        \u003cciphers\u003e\n-k  --maxdiskusagepct       \u003cpercentage\u003e\n-K  --keepallfiles\n-l  --login                 \u003cauth\u003e or \u003cauth\u003e:\u003cconfig file\u003e\n-L  --limitrecursion        \u003cnumber:number\u003e\n-m  --maxload               \u003cload\u003e\n-M  --anonymouscancreatedirs    \n-N  --natmode\n-o  --uploadscript\n-O  --altlog            
    \u003cformat\u003e:\u003clog file\u003e\n-p  --passiveportrange      \u003cminport:maxport\u003e\n-P  --forcepassiveip        \u003cip address\u003e\n-q  --anonymousratio        \u003cupload ratio\u003e:\u003cdownload ratio\u003e\n-Q  --userratio             \u003cupload ratio\u003e:\u003cdownload ratio\u003e\n-r  --autorename\n-R  --nochmod\n-s  --antiwarez \n-S  --bind                  \u003cip address,port\u003e\n-t  --anonymousbandwidth    \u003cbandwidth (KB/s)\u003e\n-T  --userbandwidth         \u003cbandwidth (KB/s)\u003e or [\u003cup bw\u003e]:[\u003cdown bw\u003e]\n-u  --minuid                \u003cuid\u003e\n-U  --umask                 \u003cmask\u003e\n-v  --bonjour               \u003cname\u003e\n-V  --trustedip             \u003cip address\u003e\n-w  --allowuserfxp  \n-W  --allowanonymousfxp\n-x  --prohibitdotfileswrite \n-X  --prohibitdotfilesread  \n-y  --peruserlimits         \u003cper user max\u003e:\u003cmax anonymous sessions\u003e\n-Y  --tls                   \u003c0:no TLS | 1:TLS+cleartext | 2:enforce TLS |\n                             3: enforce encrypted data channel as well\u003e\n-z  --allowdotfiles\n-Z  --customerproof\n\n\n\n--(switches sorted by ##GNU-style long switches## lexical order)--\n\n-W  --allowanonymousfxp\n-z  --allowdotfiles\n-w  --allowuserfxp  \n-O  --altlog                \u003cformat\u003e:\u003clog file\u003e\n-t  --anonymousbandwidth    \u003cbandwidth (KB/s)\u003e\n-M  --anonymouscancreatedirs    \n-i  --anonymouscantupload\n-e  --anonymousonly \n-q  --anonymousratio        \u003cupload ratio\u003e:\u003cdownload ratio\u003e\n-s  --antiwarez \n-r  --autorename\n\n-S  --bind                  \u003cip address,port\u003e\n-b  --brokenclientscompatibility    \n\n-A  --chrooteveryone\n-9  --clientcharset         \u003ccharset\u003e\n-j  --createhomedir\n-Z  --customerproof\n\n-B  --daemonize \n-D  --displaydotfiles   \n-H  --dontresolve   \n\n-Y  --tls                   \u003c0:no TLS | 1:TLS+cleartext | 2:enforce TLS 
|\n                             3:enforce encrypted data channel as well\u003e\n\n-P  --forcepassiveip        \u003cip address\u003e\n-F  --fortunesfile          \u003cfile\u003e\n-8  --fscharset             \u003ccharset\u003e\n\n-h  --help  \n\n-4  --ipv4only\n-6  --ipv6only\n\n-K  --keepallfiles\n\n-l  --login                 \u003cauth\u003e or \u003cauth\u003e:\u003cconfig file\u003e\n-1  --logpid                \u003cfile\u003e\n-L  --limitrecursion        \u003cnumber:number\u003e\n\n-c  --maxclientsnumber      \u003cnumber\u003e\n-C  --maxclientsperip       \u003cnumber\u003e\n-k  --maxdiskusagepct       \u003cpercentage\u003e\n-I  --maxidletime           \u003ctime (min)\u003e\n-m  --maxload               \u003cload\u003e\n-u  --minuid                \u003cuid\u003e\n\n-N  --natmode\n-E  --noanonymous   \n-R  --nochmod\n-G  --norename\n-0  --notruncate\n\n-v  --bonjour               \u003cname\u003e\n\n-p  --passiveportrange      \u003cminport:maxport\u003e\n-y  --peruserlimits         \u003cper user max\u003e:\u003cmax anonymous sessions\u003e\n-g  --pidfile               \u003cpath to pid file\u003e\n-X  --prohibitdotfilesread  \n-x  --prohibitdotfileswrite \n\n-f  --syslogfacility        \u003cfacility\u003e\n\n-J  --tlsciphersuite        \u003cciphers\u003e\n-a  --trustedgid            \u003cgid\u003e\n-V  --trustedip             \u003cip address\u003e\n\n-U  --umask                 \u003cmask\u003e\n-o  --uploadscript\n-T  --userbandwidth         \u003cbandwidth (KB/s)\u003e or [\u003cup bw\u003e]:[\u003cdown bw\u003e]\n-Q  --userratio             \u003cupload ratio\u003e:\u003cdownload ratio\u003e\n\n-d  --verboselog    \n\n\n------------------------ SETTING UP AN ANONYMOUS FTP ------------------------\n    \n    \nIf a 'ftp' user exists and its home directory exists, Pure-FTPd will\naccept anonymous login, as 'ftp' or 'anonymous'.\n\nThe root directory of the files served when logged as 'anonymous' is\nthe home directory of the 'ftp' 
user.\n\nThere's no need for 'bin', 'lib', 'etc' and 'dev' directories, nor any\nexternal program. Don't chown the public files to 'ftp', just writable\ndirectories such as 'incoming'.\n\n\n    ------------------------ DISPLAYING BANNERS ------------------------\n    \n\nIf a '.banner' file is located in the 'ftp' user home directory (or in the\nroot directory of a virtual server, see below), it will be printed when the\nclient logs in. Put a nice ASCII-art logo with your name in that file.\n\nThis file shouldn't be larger than 4000 bytes, or it won't be displayed.\n\nIn each directory, you may also have a '.message' file. Its content will be\nprinted when a client enters the directory. Such a file can contain important\ninformation (\"Don't download version 1.7, it's broken!\") .\n\n\n    ------------------------ DISPLAYING A COOKIE ------------------------\n\n\nA funny random message can be displayed in the initial login banner. The\nrandom cookies are extracted from a text file, in the standard \"fortune\"\nformat. If you installed the \"fortune\" package, you should have a directory\n(usually /usr/share/fortune) with binary files (xxxx.dat) and text files\n(without the .dat extension) . To use Pure-FTPd cookies, just add the name\nof a text file to the '-F' option. For instance:\n\n/usr/local/sbin/pure-ftpd -F /usr/share/fortune/zippy\n\nIf you want to have your own fortune files, just create a text file with the\nfollowing structure.\n\nHello... this is the first fortune...\n%\nWelcome to the real world.\n%\nFollow the white rabbit.\n%\nHave fun...\nWell... lotsa fun!\n%\nYop is good for you.\n\nGoddit? Fortunes are delimited by a '%' sign on a single line. 
But a\nfortune itself can be multi-line (see the fourth example) .\n\nFor security reasons, the text file has to be readable by everybody (chmod\n644 the file if necessary), or the server will ignore it.\n\nOf course, the fortune file can contain a single message.\n\n\n  ------------------------ PER-USER CHROOT() RULES ------------------------\n\n\nApart from the \"-a\" flag, Pure-FTPd has another way to fine-tune chroot()\nrules. Let's take an /etc/passwd entry:\n\nmimi:x:501:100:Mimi:/home/mimi:/bin/zsh\n\nWithout any special rule, mimi will be able to log in and to retrieve any\npublic-readable file in the filesystem. Now, let's change a bit of her home\ndirectory:\n\nmimi:x:501:100:Mimi:/home/mimi/./:/bin/zsh\n\nSo what? Mimi's home directory is still the same and common applications\nshouldn't notice any difference. But Pure-FTPd understands \"chroot() until\n/./\". So when mimi next carries out a FTP log in, only the /home/mimi\ndirectory will be reachable, not the whole filesystem. If you don't like the\n\"-a\" and its trusted gid thing, this is a good way to only chroot() some\nusers. Another trick is to add something after \"/./\":\n\nmimi:x:501:100:Mimi:/home/mimi/./public_html:/bin/zsh\n\nWhen Mimi will log in, two things will happen:\n- chroot(\"/home/mimi\") so that Mimi can't see anything except her home directory.\n- chdir(\"public_html\") so the session will start in the public_html\ndirectory. \"cd ..\" is still allowed, though.\nThat \"url-style\" handling is especially handy for FTP-only users (ie.\nwithout shell access) .\n\nIf a user is chrooted with the /./ trick *and* belongs to the trusted group\n(-a) he *will* be chrooted, but he will have no ratio and will be allowed to\naccess dot files.\n\n\n         ------------------------ RATIOS ------------------------\n\n\nIf you want to require people to upload new files before being able to\ndownload other files, ratios are for you. 
It's a very good way to get lots of\nfresh content on a public FTP server and a must for file traders. Pure-FTPd\nhas to be designed to please everybody.\n\nTo enable ratios, just use the '-q' option, followed by the upload:download\nratio:\n\n                                   -q 2:5\n                                   \n...means that an anonymous user has to upload at least 2 Mb of goodies to be\nable to download 5 Mb.\n\nIf ratios should apply to everyone (anon and non-anon), use the '-Q' option\nthe same way.\n\nNote: 'root' never has ratios. Neither have users of the trusted group when\n'-Q' is used with the '-a' or '-A' option.\n\n\n   ------------------------ BANDWIDTH THROTTLING ------------------------\n\n\nPure-FTPd has an interesting built-in feature: simple bandwidth throttling.\n\n* You want to limit FTP throughput so that uploading and downloading files\nthrough that protocol can't fill up your network bandwidth.\n\n-\u003e Compile Pure-FTPd with --with-throttling\n-\u003e Run it with the '-T' flag, followed by a number. That number is the\nmaximum bandwidth a user can use in a session, in kilobytes/seconds.\n\n* You want to allow less bandwidth to your anonymous users than your\nauthenticated ones. So that during a bandwidth starvation, real users can\nstill upload/download properly.\n\n-\u003e Compile Pure-FTPd with --with-throttling\n-\u003e Run it with the '-t' flag, followed by a number.\n\nExample:\n\n/usr/local/sbin/pure-ftpd -t 64\n\nAnd uploading/downloading files can't take more than 64 KB/sec whatever real\nbandwidth you have.\n\n* It is possible to have different bandwidth limits for uploads and for\ndownloads. '-t' and '-T' can indeed be followed by two numbers delimited by\na colon (':') . The first number is the upload bandwidth and the next one\napplies only to downloads. 
One of them can be left blank which means infinity.\n\nExample 1: 256 KB/s for uploads, 64 KB/s for downloads\n\n/usr/local/sbin/pure-ftpd -t 256:64\n\nExample 2: 256 KB/s for uploads, no limit for downloads\n\n/usr/local/sbin/pure-ftpd -t 256:\n\nExample 3: no limit for uploads, 64 KB/s for downloads\n\n/usr/local/sbin/pure-ftpd -t:64\n\nWith no colon, the value applies to both, so '-t 64' is an alias for \n'-t 64:64' .\n\n* When Pure-FTPd serves a session with restricted bandwidth, it decreases\nits process priority to 10. So, '-t 0' makes sense: during a CPU\nstarvation, authenticated sessions may be more responsive than anonymous\nones. '-T 0' is quite useless, but it also works and it will always be nice to\nthe server process.\n\n* If you need advanced bandwidth management, have a look at your kernel\nQ.O.S. abilities.\n\n\n      ------------------------ VIRTUAL SERVERS ------------------------\n\n\nUsing Virtual servers is a convenient way of hosting several FTP sites on the same\ncomputer. Let's say, you got two customers. The former owns the 'cgx.org'\ndomain name, while the latter owns the 'example.com' domain name. Both are\nhosted on the same computer, but they don't want to share the same files.\nftp://ftp.cgx.org/ should show different content than ftp://ftp.example.com/\n.\n\nThe FTP protocol doesn't allow name-based selection. So, if you want to host\n\u003cN\u003e different virtual FTP servers on the same host and keep the standard port,\nyou need \u003cN\u003e different IP addresses. Yes, Sir. 
Or use HTTP.\n\nAssign the needed IP addresses to your network adapter (with \"ifconfig eth0:x\n...\" or \"ip addr add dev eth0 a.b.c.d\").\n\nNow, create a /etc/pure-ftpd directory if it doesn't exist:\n\nmkdir /etc/pure-ftpd\n\nTo add a virtual FTP server, you only need to create a symbolic link in\n/etc/pure-ftpd/ from the virtual host IP to the directory that contains the\nfile for that virtual host.\n\nExample:\n\nln -s /home/customers/example.com/ftp /etc/pure-ftpd/216.226.17.77\nln -s /home/customers/cgx.org/ftp    /etc/pure-ftpd/212.73.209.252\n\nDone! Put the CGX files in /home/customers/cgx.org/ftp/ and the Example\nfiles in /home/customers/example.com/ftp/ .\n\nWith that feature, every account on the server can have its own public\nanonymous FTP area. If you are providing hosting services, this is a nice\nfeature for your customers.\n\n* WARNING *: it also means that your customers can create \"incoming\"\ndirectories with 1777 permissions. It can be nice, but it can also fill up\nyour disk with warez. You can stop uploads for anonymous users with the\n'-i' (or --anonymouscantupload) option.\n\nBy default, all IP addresses assigned to your server can be accessed by real\nor anonymous users. You can restrict this with -e (only anonymous) or -E\n(only real) .\n\nA more flexible way is to use '-V \u003cip address\u003e' to define a \"trusted\" IP\naddress. When a client connects to that trusted IP, anonymous and real\nlogins are permitted. But on all other IP, only anonymous users are permitted.\n\nIf you are a hosting service provider and if each customer has its own IP\naddress, it may be a nice idea to have a trusted IP you give to all your\ncustomers, so that they can manage the files in their account. That IP is\nthe same for all customers. You can easily restrict access to that IP with\nfirewall rules if your customers have static IP addresses.\nUse '-V \u003ctrusted ip\u003e' and link /etc/pure-ftpd/\u003ccustomer ip\u003e to\n~customer/ftp . 
Every customer will have his own *anonymous only* FTP\nserver and hackers will have to find the trusted IP to get in.\n\n\n       ------------------------ IPv6 SUPPORT ------------------------\n\n\nPure-FTPd has full IPv6 support (native IPv6 addresses and 4-in-6\naddresses). But use a super-server that also understands the IPv6 protocol,\nlike Rlinetd or Xinetd. Recent versions of Inetd should also be ok\n(unverified). IPv6 is supported everywhere: logging, configuration\nswitches, virtual hosts, protocol (EPSV/EPRT support), name resolution...\n\n\n             --------------------- LOGGING ---------------------\n\n\nLog messages are sent to the syslog daemon. You can disable logging with\n'-f none'.\nIf you want all FTP messages to be redirected to a file, say /var/log/ftp,\nadd this line to your /etc/syslog.conf file:\n\nftp.*   /var/log/ftp\n\nThen restart your syslogd daemon:\n\npkill -x -s HUP syslogd\n\nYou can also drop your old \"syslogd\" and \"klogd\" programs for Metalog, an\nefficient alternative: http://metalog.sourceforge.net/\n\nNames of uploaded/downloaded files are logged with paths like this:\n\n                           /home/ftp//pub/bla.jpg\n                           \nThe double-slash ('//') is the chroot limit.\n\n\n    --------------------- WATCHING CURRENT SESSIONS ---------------------\n\n\nSince 0.97.7, you can type 'pure-ftpwho' at any time to watch current active\nsessions.\n\nIf typing 'pure-ftpwho' answers 'Command not found', you have to add\n/usr/local/sbin in your PATH environment variable.\n\nThe default output looks like this:\n\n+------+---------+-------+------+-------------------------------------------+\n| PID  |  Login  |For/Spd| What |                 File/IP                   |\n+------+---------+-------+------+-------------------------------------------+\n| 2239 | jedi    | 00:17 |  D/L | XFree86-clients-4.0.3.tar.gz              |\n|  ''  |    ''   |  41K/s|  33% | -\u003e                     nestea.funboard.de 
|\n+------+---------+-------+------+-------------------------------------------+\n| 2385 | ftp     | 00:02 | IDLE |                                           |\n|  ''  |    ''   |       |      | -\u003e                     gw2.crn.kjop.co.uk |\n+------+---------+-------+------+-------------------------------------------+\n\n'D/L' means that the client is downloading and 'U/L' means he's uploading\nsome file whose name is shown in the next column. '33%' is the real-time\ncompletion of the current operation. '41K/s' is the bandwidth used by the\nclient. You can track down who's starving your bandwidth with this.\n\nThe 'pure-ftpwho' command accepts interesting options:\n\n'-c': the program is called via a web server (CGI interface) . Output is a\nfull HTML page with the initial content-type header. This option is\nautomatically enabled if an environment variable called GATEWAY_INTERFACE is\nfound. This is the default if you can access the program from a CGI-enabled web\nserver (Apache, Roxen, Caudium, WN, ...) .\n\n'-h': show command-line options summary.\n\n'-n': don't resolve host names and only show IP addresses (faster).\n\n'-s': output an easily parsable format for shell scripts (but not very user\nfriendly) . \nThere's only one line per client, with only numeric data, delimited by a '|'\ncharacter. It's not very human-readable, but it's designed for easy parsing by\nshell scripts (cut/sed) . '|' characters in user names or file names are\nquoted ('|' becomes '\\|') .\n\nType 'pure-ftpwho -h' to check the format. \n\n'-w': output a complete HTML page (web mode).\n\n'-W': output an HTML page with no header and no footer. This is an embedded\nmode, suitable for inline calls from CGI, SSI or PHP scripts.\n\n'-x': output well-formed XML data for post-processing. This is the most\naccurate mode. Time is in seconds and file sizes are in bytes (in other\noutput formats, sizes are in kbytes for easier readability) .\n\n'-v': verbose output in text mode. 
Additional info includes the size of\nfiles being downloaded/uploaded, the local IP or local host name and the\nconnection port. This is especially useful for virtual hosts. Here's a\nsample output of 'pure-ftpwho -v':\n\n+------+---------+-------+------+-------------------------------------------+\n| PID  |  Login  |For/Spd| What |     File/Remote IP/Size(Kb)/Local IP      |\n+------+---------+-------+------+-------------------------------------------+\n| 9086 | j       | 00:04 |  DL  | linux-2.4.4.tar.bz2                       |\n|  ''  |    ''   |  22K/s|  27% | -\u003e                              localhost |\n|  ''  |    ''   |       |      | Total size:    20859 Transferred:     5632 |\n|  ''  |    ''   |       |      | \u003c-                        localhost:21    |\n+------+---------+-------+------+-------------------------------------------+\n\n\n      ------------------------ AFTER AN UPLOAD ------------------------\n\n\nAfter an upload, any external program or shell script can be spawned with the\nname of the newly uploaded file as an argument. You can use that feature to\nautomatically send a mail when a new file arrives. Or you can pass it to a\nmoderation system, an anti-virus, a digest generator or whatever you decide\ncan be done with a file.\n\nTo support this, the server has to be configured --with-uploadscript at\ncompilation time. Upload scripts won't be spawned on unreadable directories.\nSo it's highly recommended to use upload scripts with the --customerproof\nrun-time option and without unreadable parent directories.\nTo tell the FTP server to use upload scripts, it has to be launched with the\n'-o' option. Finally, you have to run another daemon called 'pure-uploadscript'\nprovided by this package.\n\nIMPORTANT:\n\nYOU MUST START PURE-FTPD _FIRST_ and _THEN_ START PURE-UPLOADSCRIPT.\nTHE REVERSE ORDER WON'T WORK.\n\nFor security purposes, the server never launches any external program. 
It's\nwhy there is a separate daemon, that reads new uploads pushed into a named\npipe by the server. Uploads are processed synchronously and sequentially.\nIt's why on loaded or untrusted servers, it might be a bad idea to use\npure-uploadscript with lengthy or cpu-intensive scripts.\n\nThe easiest way to run pure-uploadscript is 'pure-uploadscript -r \u003cscript\u003e':\n\n/usr/local/sbin/pure-uploadscript -r /bin/antivirus.sh\n\nThe absolute path of the newly uploaded file is passed as a first argument.\nSome environment variables are also filled with interesting values:\n\n- UPLOAD_SIZE  : the size of the file, in bytes.\n- UPLOAD_PERMS : the permissions, as an octal value.\n- UPLOAD_UID   : the uid of the owner.\n- UPLOAD_GID   : the group the file belongs to.\n- UPLOAD_USER  : the name of the owner.\n- UPLOAD_GROUP : the group name the file belongs to.\n- UPLOAD_VUSER : the full user name, or the virtual user name. (127 chars max)\n\nThere are also some options to \"pure-uploadscript\":\n\n- '-u \u003cuid\u003e' and '-g \u003cgid\u003e' to switch the account pure-uploadscript will run\nas. 
The script will be spawned with the same identity.\n\n- '-B' to fork in background.\n\nPlease have a look at the man page ('man pure-uploadscript') for additional\ninfo.\n\n\n    ------------------------ LISTING DIRECTORIES ------------------------\n\n\nThe built-in 'ls' supports all common options of a regular 'ls' command.\nHere are the ones you should know for a better life with FTP:\n\n- '-l': verbose listing, reporting dates, owners, perms and sizes.\n- '-a': also lists files and directories beginning with a dot.\n- '-F': adds a '/' after directory names.\n- '-d': list the directory itself, not its content.\n- '-R': recursive listing.\n- '-S': sort by size.\n- '-t': sort by date.\n- '-r': reverse the sorting order.\n\nIf you aren't very familiar with Unix, log in to your FTP server and try\nthese variants:\n\nls\nls -F\nls -l\nls -la\nls -lR\nls -Sl\nls -Slr\nls -tl\nls -tlr\n\nGlobbing is also supported. So if you are looking for a GNOME RPM in\n\u003cI don't know the directory name\u003e/gnome-xxxxxxxx.rpm , you can find it that\nway:\n\nls */gnome*.rpm\n\n\n      ------------------------ VIRTUAL QUOTAS ------------------------\n\n\nWith virtual quotas, you can restrict the maximum number of files and the\ntotal size of a user directory.\n\nThese quotas are \"virtual\" because they aren't handled at kernel-level, but\nby the FTP server itself. There are some advantages over kernel quotas:\n\n- Virtual quotas are specific to the FTP server. You can have different\nsystem quotas to handle other files (e.g. mail) on the same partition.\n\n- You can have different virtual quotas for every user, even if they share\nthe same system uid.\n\n- Virtual quotas work even on filesystems that don't support system\nquotas.\n\nHowever, virtual quotas are slower and can't be as reliable as kernel quotas,\nso don't trust them ultimately: there are probably races that allow bypassing\nthem. 
Also, the filesystem that users' directories are on must properly support file\nlocking.\n\nVirtual quotas are implemented in Pure-FTPd as simple files called\n\".ftpquota\", located in the home directory of chrooted users. This file only\ncontains two numbers: the current number of files for this user and the\ntotal size of the directory (+ its subdirectories), in bytes. When a new\nfile is uploaded, these numbers grow. When a file is deleted, these numbers\nget smaller. Simple. Of course, when virtual quotas are enabled for one\nuser, that user must be 1) chrooted, 2) not allowed to write quota files, 3)\nnot allowed to forbid access to some directories to fool the counter.\n\nQuotas can be enabled for all users with the -n (--quotas) option. This\noption is followed by the max number of files and the max size (in Megabytes).\nEvery user will have the same quota. Exception: members of the trusted\ngroup, if -a is enabled.\n\nYou can also have different quotas for every user if you use PureDB or SQL\ndatabases. See the \"README.Virtual-Users\" file for more info about PureDB\ndatabases.\n\nSo, if you want 1000 files max and 10 Mb max for all your customers, run\nthe server like this:\n\n/usr/local/sbin/pure-ftpd -n 1000:10\n\n\".ftpquota\" files are created on demand when they are missing. However, when\nthey are created, the server assumes that the account was empty. 
If this is\nnot the case, you must run the \"pure-quotacheck\" utility to create an\ninitial \".ftpquota\" file.\n\n\"pure-quotacheck\" is a tool that computes the size and the number of files\nin a directory and creates a \".ftpquota\" file with this info.\n\nThe syntax is:\n\npure-quotacheck -u username/uid -d home directory [-g group/gid]\n\nFor instance, if you want to summarize usage for the /home/ftpusers/john\ndirectory, whose files are owned by the \"ftpusers\" system account, just run:\n\npure-quotacheck -u ftpusers -d /home/ftpusers/john\n\nYou can run pure-quotacheck whenever you want, even when \".ftpquota\" files\nare already there. It is even a good idea to run it for all users in\ncrontab, so that stored quotas are always exact, even if something went wrong\n(server bug, filesystem corruption, savagely killed server, etc) .\n\n\n      ------------------------ AUTHENTICATION ------------------------\n\n\nPure-FTPd supports multiple methods of authentication. To use a method, you\nmust have it compiled in (check the ./configure options) .\n\n- To use Unix authentication (the traditional /etc/passwd file), add the\nfollowing option when you run the server:\n\n                                   -l unix\n\n\n- To use PAM authentication, add this:\n\n                                   -l pam\n                                   \n                                   \n- To use PureDB (virtual users), add this:\n\n                     -l puredb:/path/to/puredb_database\n\n(read README.Virtual-Users for more info about PureDB indexed files)\n\n\n- To use LDAP directories, add this:\n\n                      -l ldap:/path/to/ldap_config_file\n\n(read README.LDAP for more info about LDAP directories)\n\n\n- To use MySQL databases, add this:\n\n                     -l mysql:/path/to/mysql_config_file\n\n(read README.MySQL for more info about MySQL databases)\n\n- To use Postgres databases, add this:\n\n                     -l 
pgsql:/path/to/postgres_config_file\n\n(read README.PGSQL for more info about Postgres databases)\n\n- To use external authentication handlers (with pure-authd), use:\n\n                     -l extauth:/path/to/authd/socket\n\n(read README.Authentication-Modules for more info about external\nauthentication)\n\n\nMultiple authentication methods can be chained. For instance, you can run the\nserver like this:\n\n/usr/local/sbin/pure-ftpd -lldap:/etc/pureftpd-ldap.conf      \\\n                          -lpuredb:/etc/pureftpd.pdb -lunix\n\nEvery method is tried in order. With the previous command line, an LDAP\ndirectory is probed first. If a user isn't found in the directory, a\nPureDB database is scanned for the same user name. If that user is still not\nfound, /etc/passwd is scanned.\n\nIf the user is found in the LDAP directory, but the given password is wrong,\nfurther authentication methods are skipped.\n\nIf you don't specify any -l option, PAM is assumed by default if the server\nis compiled with PAM support and Unix is assumed by default otherwise.\n\n\n     ------------------------ DIRECTORY ALIASES ------------------------\n\n\nDirectory aliases provide \"shortcuts\" for the \"cd\" command. For instance,\nif you define an alias called \"pictures\" for \"/usr/misc/pictures\", when a\nuser types \"cd pictures\" and no real \"pictures\" directory exists, he\nwill be automatically redirected to \"/usr/misc/pictures\". Unlike symbolic\nlinks, \"cd pictures\" will work from any directory. 
Tildes are *not* expanded.\n\nA user can get the list of available aliases with the following command:\n\nSITE ALIAS\n\nTo support that feature, the server must be compiled with --with-diraliases\npassed to ./configure .\n\nTo define alias/directory pairs, you must create a file called\n/etc/pureftpd-dir-aliases, whose format is:\n\nAlternating lines of alias and dir\n(this enables embedded whitespace in dir and alias without quoting rules)\nOptional blank lines\nOptional lines beginning with '#' as comments\n(no you can't put a '#' just anywhere)\n\nExample:\n\npictures\n/usr/misc/pictures\n\nsources\n/usr/src\n\n# This is for the OpenBSD port tree\npureftpd-port\n/usr/ports/net/pure-ftpd\n\n\n    ------------------------ PRIVILEGE SEPARATION ------------------------\n\n\nWhen privilege separation is enabled, each session will spawn two processes:\na \"privileged\" process running as root, but that can only do very basic\nand trusted actions (binding a port and removing the ftpwho scoreboard) and\nthe \"client\" process. The \"client\" process definitely revokes all privileges\nafter authentication and chroot() and punctually communicates with the\nparent over a private channel.\n\nPrivilege separation decreases performance of loaded servers, but it\nincreases security and reliability. Enabling it is recommended.\n\nSome old broken operating systems may allow the ptrace() system call on\nprocesses that revoked privileges. On these platforms, enabling privilege\nseparation is a bad idea if untrusted users also have shell access. Use the\nsrc/ptracetest program to check this. At least Solaris, ISOS, MirBSD,\nOpenBSD, DragonflyBSD, FreeBSD and Linux are known to be safe.\n\n\n    ------------------------ CHARSETS (RFC2640) ------------------------\n        \n\nSince version 1.0.21, pure-ftpd has *experimental* support for charsets\nconversion. 
The server filesystem can use a different charset than the\ncharset assumed by clients, and pure-ftpd translates file names through the\niconv library.\n\nSome modern clients like lftp will also try to use UTF-8 if the server\nsupports it.\n\nThus, charsets conversion can be very useful when dealing with file names\ncontaining non-english characters.\n\nIn order to support this, pure-ftpd has to be compiled with:\n\n./configure ... --with-rfc2640\n\nThis is not supported by default because it requires libiconv.\n\nThen the server has to be started with --fscharset=\u003ccharset\u003e. Replace\n\u003ccharset\u003e with the charset of the server's filesystem. For instance:\n\n/usr/local/sbin/pure-ftpd --fscharset=ISO-8859-15\n\nThis is often enough to properly work with UTF-8 capable clients.\n\nBut optionally, you can specify the default charset for clients, with\n--clientcharset:\n\n/usr/local/sbin/pure-ftpd --fscharset=iso-8859-15 --clientcharset=big5\n\n\n ------------------------ OPTIMIZING FOR HIGH LOAD ------------------------\n\n\nIf you are going to use Pure-FTPd on a highly loaded server, here are some\nhints to get the best performances:\n\n- Compile with:\n\nenv CFLAGS=\"-O2 -fomit-frame-pointer -fgcse -Os\" ./configure --with-minimal --without-inetd --without-pam\nmake install-strip\n\n- Run it in standalone mode. Don't use -C, don't enable pure-ftpwho nor\npure-uploadscript (-o), nor per-user limits (-y) .\n\n- Increase your system max descriptors number and local port range. 
On a\nLinux kernel, you can try:\n\necho 2000 \u003e /proc/sys/fs/super-max\necho 60000 \u003e /proc/sys/fs/file-max\nulimit -n 60000\necho 30000 65534 \u003e /proc/sys/net/ipv4/ip_local_port_range\n\n- On a Linux kernel, disable syncookies, ecn, timestamps and window scaling:\n\necho 0 \u003e /proc/sys/net/ipv4/tcp_syncookies\necho 0 \u003e /proc/sys/net/ipv4/tcp_ecn\necho 0 \u003e /proc/sys/net/ipv4/tcp_timestamps\necho 0 \u003e /proc/sys/net/ipv4/tcp_window_scaling\n\n- Disable access time update on your mounted filesystems. On a Linux system,\njust add 'noatime,nodiratime' for each mount point in your /etc/fstab file.\n\n- Disable syslog output and DNS lookups. Run it with:\n\n/usr/local/sbin/pure-ftpd -f none -H\n\n\nFor FreeBSD, DJ_Oggy recommends the following setting:\n\n\u003e\u003e\u003e QUOTE:\n\nDrop into single user mode (do a shutdown now or boot -s) and enter\n\ntunefs -n enable \u003cfilesystem\u003e\n\ni sugest / /usr /var\n\nIn /etc/fstab add \",noatime\" to the options of all filesystems.\n\nIn /boot/loader.conf add the following:\n\nhw.ata.wc=\"1\"\nkern.ipc.nmbclusters=\"60000\"\n\nIn /etc/sysctl.conf add the following:\n\nvfs.vmiodirenable=1\nkern.ipc.maxsockbuf=2097152\nkern.ipc.somaxconn=8192\nkern.ipc.maxsockets=16424\nkern.maxfiles=65536\nkern.maxfilesperproc=32768\nnet.inet.tcp.rfc1323=1\nnet.inet.tcp.delayed_ack=0\nnet.inet.tcp.sendspace=65535\nnet.inet.tcp.recvspace=65535\nnet.inet.udp.recvspace=65535\nnet.inet.udp.maxdgram=57344\nnet.local.stream.recvspace=65535\nnet.local.stream.sendspace=65535\n\ngive it two asprin, a reboot and call me in the morning!!!!! 
\n\n\u003c\u003c\u003c END OF QUOTE\n\n\n       ------------------------ KNOWN ISSUES ------------------------\n\n\n- On non-Linux systems, '-c' only works in standalone mode.\n\n- You should always avoid the use of spaces in login names: applications\nthat are parsing log files often choke on this.\n\n- Incomplete transfers aren't logged in alternative formats.\n\n- On Solaris, to get chroot to work with pure-ftpd you need a dev directory\nin your new rootdir with these:\n\ncrw-rw-rw-   1 root     other     11, 42 Dec 10 15:02 tcp\ncrw-rw-rw-   1 root     other    105,  1 Dec 10 15:02 ticotsord\ncrw-rw-rw-   1 root     other     11, 41 Dec 10 15:03 udp\ncrw-rw-rw-   1 root     other     13, 12 Dec 10 15:03 zero\n\notherwise you get this:\n\nftp\u003e ls\n425 Can't create the data socket: Bad file number.\n\nIf all your users are chrooted, you have to create these files in every home\ndirectory. Here's how:\n\nmkdir dev\nmknod dev/tcp c 11 42\nchmod 0666 dev/tcp\nmknod dev/udp c 11 41\nmknod dev/zero c 13 12\nmknod dev/ticotsord c 105 1\n\n(Reported by Kenneth Stailey)\n\n- Resuming ASCII transfers is refused. ASCII transfers are hell, because\nthey are consuming CPU time both at client and server sides. And they even\nconsume *more* bandwidth than binary transfers. But they allow Windows\nclients to upload scripts to Unix servers, stripping these nasty ^M signs.\nASCII transfers are implemented in Pure-FTPd. But they can't be resumed and\nthis is intentional. To restart an ASCII transfer, the file has to be\nread and analyzed byte by byte. This can take very long and by sending two\ntrivial commands, a client can completely kill a server (take a lot of CPU and\ndisk resources) . And there's no workaround.\nAnother point is that while the RFC describes a way to resume ASCII transfers,\nmany clients and servers implement them in another way. The result is that\nresumed ASCII transfers can lead to data corruption. 
Some major servers\ndidn't follow the RFC, so some clients made the same mistake to support these\nservers, while some other modern clients and servers are trying to fully\nconform to the RFC. So when clients and servers are speaking the same dialect, it\nworks. When it's not the case, you get corrupted files. Messy, eh?\nAnd what if a customer uploads a script to your server and thinks he can\nsafely delete it from his hard disk? If the remote file is corrupted, he\nwill get really angry.\nIt's why Pure-FTPd *refuses* to resume ASCII transfers. If a customer tells\nyou that he isn't able to upload/download a partially transferred ASCII file,\nplease tell them to remove the partial file and to transfer it again. This\nis a safe bet.\n\n\n   ------------------------ DOWNLOADING PURE-FTPD ------------------------\n\n\nPure-FTPd home page is: https://www.pureftpd.org/ .\n\nGit repository: https://github.com/jedisct1/pure-ftpd\n\nThank you, \n\n                       -Frank DENIS \"Jedi/Sector One\" \u003cj at pureftpd dot org\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjedisct1%2Fpure-ftpd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjedisct1%2Fpure-ftpd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjedisct1%2Fpure-ftpd/lists"}