diff options
Diffstat (limited to 'contrib/lukemftpd/src/ftpd.8')
-rw-r--r-- | contrib/lukemftpd/src/ftpd.8 | 833 |
1 files changed, 833 insertions, 0 deletions
diff --git a/contrib/lukemftpd/src/ftpd.8 b/contrib/lukemftpd/src/ftpd.8 new file mode 100644 index 0000000..65f993a --- /dev/null +++ b/contrib/lukemftpd/src/ftpd.8 @@ -0,0 +1,833 @@ +.\" $NetBSD: ftpd.8,v 1.63 2000/12/18 02:32:51 lukem Exp $ +.\" +.\" Copyright (c) 1997-2000 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This code is derived from software contributed to The NetBSD Foundation +.\" by Luke Mewburn. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by the NetBSD +.\" Foundation, Inc. and its contributors. +.\" 4. Neither the name of The NetBSD Foundation nor the names of its +.\" contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" Copyright (c) 1985, 1988, 1991, 1993 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by the University of +.\" California, Berkeley and its contributors. +.\" 4. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" @(#)ftpd.8 8.2 (Berkeley) 4/19/94 +.\" +.Dd December 18, 2000 +.Dt FTPD 8 +.Os +.Sh NAME +.Nm ftpd +.Nd +Internet File Transfer Protocol server +.Sh SYNOPSIS +.Nm +.Op Fl dHlqQrsuUwWX +.Op Fl a Ar anondir +.Op Fl c Ar confdir +.Op Fl C Ar user +.Op Fl e Ar emailaddr +.Op Fl h Ar hostname +.Op Fl P Ar dataport +.Op Fl V Ar version +.Sh DESCRIPTION +.Nm +is the Internet File Transfer Protocol server process. +The server uses the +.Tn TCP +protocol and listens at the port specified in the +.Dq ftp +service specification; see +.Xr services 5 . +.Pp +Available options: +.Bl -tag -width Ds +.It Fl a Ar anondir +Define +.Ar anondir +as the directory to +.Xr chroot 2 +into for anonymous logins. +Default is the home directory for the ftp user. +This can also be specified with the +.Xr ftpd.conf 5 +.Sy chroot +directive. +.It Fl c Ar confdir +Change the root directory of the configuration files from +.Dq Pa /etc +to +.Ar confdir . +This changes the directory for the following files: +.Pa /etc/ftpchroot , +.Pa /etc/ftpusers , +.Pa /etc/ftpwelcome , +.Pa /etc/motd , +and the file specified by the +.Xr ftpd.conf 5 +.Sy limit +directive. +.It Fl C Ar user +Check whether +.Ar user +would be granted access under +the restrictions given in +.Xr ftpusers 5 +and exit without attempting a connection. +.Nm +exits with an exit code of 0 if access would be granted, or 1 otherwise. +This can be useful for testing configurations. +.It Fl d +Debugging information is written to the syslog using a facility of +.Dv LOG_FTP . +.It Fl e Ar emailaddr +Use +.Ar emailaddr +for the +.Dq "\&%E" +escape sequence (see +.Sx Display file escape sequences ) +.It Fl h Ar hostname +Explicitly set the hostname to advertise as to +.Ar hostname . +The default is the hostname associated with the IP address that +.Nm +is listening on. +This ability (with or without +.Fl h ) , +in conjunction with +.Fl c Ar confdir , +is useful when configuring +.Sq virtual +.Tn FTP +servers, each listening on separate addresses as separate names. +Refer to +.Xr inetd.conf 5 +for more information on starting services to listen on specific IP addresses. +.It Fl H +Equivalent to +.Do +-h +`hostname` +.Dc . +.It Fl l +Each successful and failed +.Tn FTP +session is logged using syslog with a facility of +.Dv LOG_FTP . +If this option is specified more than once, the retrieve (get), store (put), +append, delete, make directory, remove directory and rename operations and +their file name arguments are also logged. +.It Fl P Ar dataport +Use +.Ar dataport +as the data port, overriding the default of using the port one less +that the port +.Nm +is listening on. +.It Fl q +Enable the use of pid files for keeping track of the number of logged-in +users per class. +This is the default. +.It Fl Q +Disable the use of pid files for keeping track of the number of logged-in +users per class. +This may reduce the load on heavily loaded +.Tn FTP +servers. +.It Fl r +Permanently drop root privileges once the user is logged in. +The use of this option may result in the server using a port other +than the (listening-port - 1) for +.Sy PORT +style commands, which is contrary to the +.Cm RFC 959 +specification, but in practice very few clients rely upon this behaviour. +See +.Sx SECURITY CONSIDERATIONS +below for more details. +.It Fl s +Require a secure authentication mechanism like Kerberos or S/Key to be used. +.It Fl u +Log each concurrent +.Tn FTP +session to +.Pa /var/run/utmp , +making them visible to commands such as +.Xr who 1 . +.It Fl U +Don't log each concurrent +.Tn FTP +session to +.Pa /var/run/utmp . +This is the default. +.It Fl V Ar version +Use +.Ar version +as the version to advertise in the login banner and in the output of +.Sy STAT +and +.Sy SYST +instead of the default version information. +If +.Ar version +is empty or +.Sq - +then don't display any version information. +.It Fl w +Log each +.Tn FTP +session to +.Pa /var/log/wtmp , +making them visible to commands such as +.Xr last 1 . +This is the default. +.It Fl W +Don't log each +.Tn FTP +session to +.Pa /var/log/wtmp . +.It Fl X +Log +.Tn wu-ftpd +style +.Sq xferlog +entries to the syslog, prefixed with +.Dq "xferlog:\ " , +using a facility of +.Dv LOG_FTP . +These syslog entries can be converted to a +.Tn wu-ftpd +style +.Pa xferlog +file suitable for input into a third-party log analysis tool with a command +similar to: +.Dl "grep 'xferlog: ' /var/log/xferlog | \e" +.Dl "\ \ \ sed -e 's/^.*xferlog: //' > wuxferlog" +.El +.Pp +The file +.Pa /etc/nologin +can be used to disable +.Tn FTP +access. +If the file exists, +.Nm +displays it and exits. +If the file +.Pa /etc/ftpwelcome +exists, +.Nm +prints it before issuing the +.Dq ready +message. +If the file +.Pa /etc/motd +exists (under the chroot directory if applicable), +.Nm +prints it after a successful login. +This may be changed with the +.Xr ftpd.conf 5 +directive +.Sy motd . +.Pp +The +.Nm +server currently supports the following +.Tn FTP +requests. +The case of the requests is ignored. +.Bl -column "Request" -offset indent +.It Sy Request Ta Sy Description +.It ABOR Ta "abort previous command" +.It ACCT Ta "specify account (ignored)" +.It ALLO Ta "allocate storage (vacuously)" +.It APPE Ta "append to a file" +.It CDUP Ta "change to parent of current working directory" +.It CWD Ta "change working directory" +.It DELE Ta "delete a file" +.It EPSV Ta "prepare for server-to-server transfer" +.It EPRT Ta "specify data connection port" +.It FEAT Ta "list extra features that are not defined in" Cm "RFC 959" +.It HELP Ta "give help information" +.It LIST Ta "give list files in a directory" Pq Dq Li "ls -lA" +.It LPSV Ta "prepare for server-to-server transfer" +.It LPRT Ta "specify data connection port" +.It MLSD Ta "list contents of directory in a machine-processable form" +.It MLST Ta "show a pathname in a machine-processable form" +.It MKD Ta "make a directory" +.It MDTM Ta "show last modification time of file" +.It MODE Ta "specify data transfer" Em mode +.It NLST Ta "give name list of files in directory" +.It NOOP Ta "do nothing" +.It OPTS Ta "define persistent options for a given command" +.It PASS Ta "specify password" +.It PASV Ta "prepare for server-to-server transfer" +.It PORT Ta "specify data connection port" +.It PWD Ta "print the current working directory" +.It QUIT Ta "terminate session" +.It REST Ta "restart incomplete transfer" +.It RETR Ta "retrieve a file" +.It RMD Ta "remove a directory" +.It RNFR Ta "specify rename-from file name" +.It RNTO Ta "specify rename-to file name" +.It SITE Ta "non-standard commands (see next section)" +.It SIZE Ta "return size of file" +.It STAT Ta "return status of server" +.It STOR Ta "store a file" +.It STOU Ta "store a file with a unique name" +.It STRU Ta "specify data transfer" Em structure +.It SYST Ta "show operating system type of server system" +.It TYPE Ta "specify data transfer" Em type +.It USER Ta "specify user name" +.It XCUP Ta "change to parent of current working directory (deprecated)" +.It XCWD Ta "change working directory (deprecated)" +.It XMKD Ta "make a directory (deprecated)" +.It XPWD Ta "print the current working directory (deprecated)" +.It XRMD Ta "remove a directory (deprecated)" +.El +.Pp +The following non-standard or +.Ux +specific commands are supported by the SITE request. +.Pp +.Bl -column Request -offset indent +.It Sy Request Ta Sy Description +.It CHMOD Ta "change mode of a file, e.g. ``SITE CHMOD 755 filename''" +.It HELP Ta "give help information." +.It IDLE Ta "set idle-timer, e.g. ``SITE IDLE 60''" +.It RATEGET Ta "set maximum get rate throttle in bytes/second, e.g. ``SITE RATEGET 5k''" +.It RATEPUT Ta "set maximum put rate throttle in bytes/second, e.g. ``SITE RATEPUT 5k''" +.It UMASK Ta "change umask, e.g. ``SITE UMASK 002''" +.El +.Pp +The following +.Tn FTP +requests (as specified in +.Cm RFC 959 ) +are recognized, but are not implemented: +.Sy ACCT , +.Sy SMNT , +and +.Sy REIN . +.Sy MDTM +and +.Sy SIZE +are not specified in +.Cm RFC 959 , +but will appear in the +next updated +.Tn FTP +RFC. +.Pp +The +.Nm +server will abort an active file transfer only when the +.Sy ABOR +command is preceded by a Telnet "Interrupt Process" (IP) +signal and a Telnet "Synch" signal in the command Telnet stream, +as described in Internet +.Cm RFC 959 . +If a +.Sy STAT +command is received during a data transfer, preceded by a Telnet IP +and Synch, transfer status will be returned. +.Pp +.Nm +interprets file names according to the +.Dq globbing +conventions used by +.Xr csh 1 . +This allows users to utilize the metacharacters +.Dq Li \&*?[]{}~ . +.Sh User authentication +.Pp +.Nm +authenticates users according to five rules. +.Pp +.Bl -enum -offset indent +.It +The login name must be in the password data base, +.Pa /etc/pwd.db , +and not have a null password. +In this case a password must be provided by the client before any +file operations may be performed. +If the user has an S/Key key, the response from a successful +.Sy USER +command will include an S/Key challenge. +The client may choose to respond with a +.Sy PASS +command giving either +a standard password or an S/Key one-time password. +The server will automatically determine which type of password it +has been given and attempt to authenticate accordingly. +See +.Xr skey 1 +for more information on S/Key authentication. +S/Key is a Trademark of Bellcore. +.It +The login name must be allowed based on the information in +.Xr ftpusers 5 . +.It +The user must have a standard shell returned by +.Xr getusershell 3 . +If the user's shell field in the password database is empty, the +shell is assumed to be +.Pa /bin/sh . +.It +If directed by the file +.Xr ftpchroot 5 +the session's root directory will be changed by +.Xr chroot 2 +to the directory specified in the +.Xr ftpd.conf 5 +.Sy chroot +directive (if set), +or to the home directory of the user. +However, the user must still supply a password. +This feature is intended as a compromise between a fully anonymous account +and a fully privileged account. +The account should also be set up as for an anonymous account. +.It +If the user name is +.Dq anonymous +or +.Dq ftp , +an +anonymous +.Tn FTP +account must be present in the password +file (user +.Dq ftp ) . +In this case the user is allowed +to log in by specifying any password (by convention an email address for +the user should be used as the password). +.Pp +The server performs a +.Xr chroot 2 +to the directory specified in the +.Xr ftpd.conf 5 +.Sy chroot +directive (if set), +the +.Fl a Ar anondir +directory (if set), +or to the home directory of the +.Dq ftp +user. +.Pp +The server then performs a +.Xr chdir 2 +to the directory specified in the +.Xr ftpd.conf 5 +.Sy homedir +directive (if set), otherwise to +.Pa / . +.Pp +If other restrictions are required (such as disabling of certain +commands and the setting of a specific umask), then appropriate +entries in +.Xr ftpd.conf 5 +are required. +.Pp +If the first character of the password supplied by an anonymous user +is +.Dq - , +then the verbose messages displayed at login and upon a +.Sy CWD +command are suppressed. +.El +.Sh Display file escape sequences +.Pp +When +.Nm +displays various files back to the client (such as +.Pa /etc/ftpwelcome +and +.Pa /etc/motd ) , +various escape strings are replaced with information pertinent +to the current connection. +.Pp +The supported escape strings are: +.Bl -tag -width "Escape" -offset indent -compact +.It Sy "Escape" +.Sy Description +.It "\&%c" +Class name. +.It "\&%C" +Current working directory. +.It "\&%E" +Email address given with +.Fl e . +.It "\&%L" +Local hostname. +.It "\&%M" +Maximum number of users for this class. +Displays +.Dq unlimited +if there's no limit. +.It "\&%N" +Current number of users for this class. +.It "\&%R" +Remote hostname. +.It "\&%s" +If the result of the most recent +.Dq "\&%M" +or +.Dq "\&%N" +was not +.Dq Li 1 , +print an +.Dq s . +.It "\&%S" +If the result of the most recent +.Dq "\&%M" +or +.Dq "\&%N" +was not +.Dq Li 1 , +print an +.Dq S . +.It "\&%T" +Current time. +.It "\&%U" +User name. +.It "\&%\&%" +A +.Dq \&% +character. +.El +.Sh Setting up a restricted ftp subtree +.Pp +In order that system security is not breached, it is recommended +that the +subtrees for the +.Dq ftp +and +.Dq chroot +accounts be constructed with care, following these rules +(replace +.Dq ftp +in the following directory names +with the appropriate account name for +.Sq chroot +users): +.Bl -tag -width "~ftp/incoming" -offset indent +.It Pa ~ftp +Make the home directory owned by +.Dq root +and unwritable by anyone. +.It Pa ~ftp/bin +Make this directory owned by +.Dq root +and unwritable by anyone (mode 555). +Generally any conversion commands should be installed +here (mode 111). +.It Pa ~ftp/etc +Make this directory owned by +.Dq root +and unwritable by anyone (mode 555). +The files +.Pa pwd.db +(see +.Xr passwd 5 ) +and +.Pa group +(see +.Xr group 5 ) +must be present for the +.Sy LIST +command to be able to display owner and group names instead of numbers. +The password field in +.Xr passwd 5 +is not used, and should not contain real passwords. +The file +.Pa motd , +if present, will be printed after a successful login. +These files should be mode 444. +.It Pa ~ftp/pub +This directory and the subdirectories beneath it should be owned +by the users and groups responsible for placing files in them, +and be writable only by them (mode 755 or 775). +They should +.Em not +be owned or writable by ftp or its group. +.It Pa ~ftp/incoming +This directory is where anonymous users place files they upload. +The owners should be the user +.Dq ftp +and an appropriate group. +Members of this group will be the only users with access to these +files after they have been uploaded; these should be people who +know how to deal with them appropriately. +If you wish anonymous +.Tn FTP +users to be able to see the names of the +files in this directory the permissions should be 770, otherwise +they should be 370. +.Pp +The following +.Xr ftpd.conf 5 +directives should be used: +.Dl "modify guest off" +.Dl "umask guest 0707" +.Pp +This will result in anonymous users being able to upload files to this +directory, but they will not be able to download them, delete them, or +overwrite them, due to the umask and disabling of the commands mentioned +above. +.It Pa ~ftp/tmp +This directory is used to create temporary files which contain +the error messages generated by a conversion or +.Sy LIST +command. +The owner should be the user +.Dq ftp . +The permissions should be 300. +.Pp +If you don't enable conversion commands, or don't want anonymous users +uploading files here (see +.Pa ~ftp/incoming +above), then don't create this directory. +However, error messages from conversion or +.Sy LIST +commands won't be returned to the user. +(This is the traditional behaviour.) +Note that the +.Xr ftpd.conf 5 +directive +.Sy upload +can be used to prevent users uploading here. +.El +.Pp +To set up "ftp-only" accounts that provide only +.Tn FTP , +but no valid shell +login, you can copy/link +.Pa /sbin/nologin +to +.Pa /sbin/ftplogin , +and enter +.Pa /sbin/ftplogin +to +.Pa /etc/shells +to allow logging-in via +.Tn FTP +into the accounts, which must have +.Pa /sbin/ftplogin +as login shell. +.Sh FILES +.Bl -tag -width /etc/ftpwelcome -compact +.It Pa /etc/ftpchroot +List of normal users who should be +.Xr chroot 2 ed. +.It Pa /etc/ftpd.conf +Configure file conversions and other settings. +.It Pa /etc/ftpusers +List of unwelcome/restricted users. +.It Pa /etc/ftpwelcome +Welcome notice before login. +.It Pa /etc/motd +Welcome notice after login. +.It Pa /etc/nologin +If it exists, displayed and access is refused. +.It Pa /var/run/ftpd.pids-CLASS +State file of logged-in processes for the +.Nm +class +.Sq CLASS . +.It Pa /var/run/utmp +List of logged-in users on the system. +.It Pa /var/log/wtmp +Login history database. +.El +.Sh SEE ALSO +.Xr ftp 1 , +.Xr skey 1 , +.Xr who 1 , +.Xr getusershell 3 , +.Xr ftpd.conf 5 , +.Xr ftpchroot 5 , +.Xr ftpusers 5 , +.Xr syslogd 8 +.Sh STANDARDS +.Nm +recognizes all commands in +.Cm RFC 959 , +follows the guidelines in +.Cm RFC 1123 , +recognizes all commands in +.Cm RFC 2228 +(although they are not supported yet), +and supports the extensions from +.Cm RFC 2389 , +.Cm RFC 2428 +and +.Cm draft-ietf-ftpext-mlst-11 . +.Sh HISTORY +The +.Nm +command appeared in +.Bx 4.2 . +.Pp +Various features such as the +.Xr ftpd.conf 5 +functionality, +.Cm RFC 2389 , +and +.Cm draft-ietf-ftpext-mlst-11 +support was implemented in +.Nx 1.3 +and later releases by Luke Mewburn <lukem@netbsd.org>. +.Sh BUGS +The server must run as the super-user to create sockets with +privileged port numbers (i.e, those less than +.Dv IPPORT_RESERVED , +which is 1024). +If +.Nm +is listening on a privileged port +it maintains an effective user id of the logged in user, reverting +to the super-user only when binding addresses to privileged sockets. +The +.Fl r +option can be used to override this behaviour and force privileges to +be permanently revoked; see +.Sx SECURITY CONSIDERATIONS +below for more details. +.Pp +.Nm +may have trouble handling connections from scoped IPv6 addresses, or +IPv4 mapped addresses +.Po +IPv4 connection on +.Dv AF_INET6 +socket +.Pc . +For the latter case, running two daemons, +one for IPv4 and one for IPv6, will avoid the problem. +.Sh SECURITY CONSIDERATIONS +.Cm RFC 959 +provides no restrictions on the +.Sy PORT +command, and this can lead to security problems, as +.Nm +can be fooled into connecting to any service on any host. +With the +.Dq checkportcmd +feature of the +.Xr ftpd.conf 5 , +.Sy PORT +commands with different host addresses, or TCP ports lower than +.Dv IPPORT_RESERVED +will be rejected. +This also prevents +.Sq third-party proxy ftp +from working. +Use of this option is +.Em strongly +recommended, and enabled by default. +.Pp +By default +.Nm +uses a port that is one less than the port it is listening on to +communicate back to the client for the +.Sy EPRT , +.Sy LPRT , +and +.Sy PORT +commands, unless overridden with +.Fl P Ar dataport . +As the default port for +.Nm +(21) is a privileged port below +.Dv IPPORT_RESERVED , +.Nm +retains the ability to switch back to root privileges to bind these +ports. +In order to increase security by reducing the potential for a bug in +.Nm +providing a remote root compromise, +.Nm +will permanently drop root privileges if one of the following is true: +.Bl -enum -offset indent +.It +.Nm +is running on a port greater than +.Dv IPPORT_RESERVED +and the user has logged in as a +.Sq guest +or +.Sq chroot +user. +.It +.Nm +was invoked with +.Fl r . +.El +.Pp +Don't create +.Pa ~ftp/tmp +if you don't want anonymous users to upload files there. +That directory is only necessary if you want to display the error +messages of conversion commands to the user. +Note that if uploads are disabled with the +.Xr ftpd.conf 5 +directive +.Sy upload , +then this directory cannot be abused by the user in this way, so it +should be safe to create. |