Via WWW : <URL:http://www.hvu.nl/~koos/wu-ftpd-faq.html>
Via FTP : <URL:ftp://ftp.cetis.hvu.nl/pub/koos/wu-ftpd-faq.txt>
And via E-mail : Send an e-mail to [email protected] with as subject line send faq.
Comments : this version still lacks details about certain operating systems. Comments about those are welcome.
This is the FAQ (frequently asked questions) for newer versions of wu-ftpd as maintained at ftp.academ.com.
Note: The various addresses used in this document are for contacting the authors on subjects mentioned in this document. Using these addresses for sending unsolicited E-mail is forbidden.
Wuarchive-ftpd, more affectionately known as wu-ftpd, is a replacement ftp daemon for Un*x systems developed at Washington University (*.wustl.edu) by Bryan D. O'Connor (who is no longer working on it or supporting it!). wu-ftpd is the most popular ftp daemon on the Internet, used on many anonymous ftp sites all around the world.
This mailing list is for discussing problems with maintaining this daemon and ftp-sites where it is used.
To subscribe, send a mail message with a body of SUBSCRIBE WU-FTPD <your full name> to the list server [email protected].
To unsubscribe, send a mail message with a body of UNSUBSCRIBE WU-FTPD to the list server [email protected].
To send mail to all people on the list, send it to [email protected].
YES. There are two archives. An 'older' one, at <URL:http://www.osat.hq.nasa.gov/wuarchive.html>. This archive can be searched, and is created and maintained by Judy Pellerin ([email protected]). At this moment (February 1997) I cannot reach this host.
An archive from June 1994 until recent, reachable via WWW at <URL:http://www.landfield.com/wu-ftpd/mail-archive>, and via ftp at <URL:ftp://ftp.landfield.com/wu-ftpd/mail-archive>. The search page is at <URL:http://www.landfield.com/wu-ftpd/mail-archive/search.html> This archive is maintained by Kent Landfield ([email protected]).
The RFCs that describe the FTP protocol are rfc959 and rfc1579. A possible location to get these is :
<URL:http://info.internet.isi.edu:80/in-notes/rfc/files/rfc959.txt>
<URL:http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1579.txt>
Kent Landfield maintains a resource center to collect all wu-ftpd related links at <URL:http://www.landfield.com/wu-ftpd/>
Darci Chapman maintains the Solaris/wu-ftpd howto guide at <http://www.teleport.com/~minerva/wu-ftpd/wuftpd.htm>
The manpage for wu-ftpd can be viewed online at <http://www.academ.com/cgi-bin/bsdi-man?proto=1.1&apropos=0&msection=local&query=ftpd>
'ANONYMOUS FTP CONFIGURATION GUIDELINES'
A set of guidelines from CERT (Computer Emergency Response Team) about setting up anonymous ftp.
<URL:ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config>
<URL:ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_abuses>
'How to set up a secure ftp server'
A file describing how to set up anonymous ftp in general in a secure way, avoiding misuse.
<URL:ftp://sunsite.unc.edu/pub/sun-info/sun-faq/FAQs/SettingUpSecureFTP.faq>
'guestgroup howto'
A document describing the set up of guestgroups in the wu-ftpd server. At this moment it is a separate document from this one.
<URL:ftp://ftp.fni.com/pub/wu-ftpd/guest-howto>
A document describing virtual ftp servers
<URL:http://www.westnet.com/providers/multi-wu-ftpd.txt>
Ftpaccess on virtual ftp servers
<URL:ftp://ftp.meme.com/pub/software/wu-ftpd-2.4.2/README.ALT.FTPACCESS>
Read these. Something like
#> telnet xxx.yyy.nl
Trying XXX.XXX.XXX.XXX ...
Connected to xxx.yyy.nl.
Escape character is '^]'.
SunOS UNIX (xxx.yyy.nl)
login: ftp
Last login: Sat Oct 28 22:11:36 from xxxxxx.xxx.xxx.nl
SunOS Release 4.1.3 (HSIS_X25) #1: Wed Apr 7 14:19:15 MET DST 1993
%>
should not happen. And the jokers who try it on my ftp site can stop too.
The wu-ftpd home is wuarchive.wustl.edu, the exact URL is:
ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd/
This daemon is available in source code and binaries from many other ftp-sites, ask _archie_ where to find it. Best is to compile it yourself, since it has a lot of compile-time options.
The above is the last version created by wuarchive. On the mailing list, an updated version has been created which is maintained by Stan Barber ([email protected]).
You can get this beta by ftp from the directory :
ftp://ftp.academ.com/pub/wu-ftpd/private/
The directory is not browsable, a .message file will point you to what is the latest version. Read this .message.
Remember, these are BETA versions. Before asking/trying anything, check first that you have the latest version. And if you run this version, keep up with the list to make sure you get news of updates.
In general, editing src/pathnames.h and typing build arch should be enough.
This error is fully explained in the INSTALL/INSTALL.orig file in wu-ftpd package. A few relevant lines :
If cc complains about strunames, typenames, modenames, ... being undefined you need to install support/ftp.h as /usr/include/arpa/ftp.h (always make a backup of the old ftp.h just in case!) and do the build again. The new ftp.h should be a compatible superset of your existing ftp.h, so you shouldn't have problems with this replacement.
This is fixed in the beta versions.
Since older Linux distributions (around libc.5.3 this got fixed) don't include shadow passwords, wu-ftpd assumes Linux does not have shadow passwords. To compile for shadow passwords with Linux :
Modify src/ftpd.c around line 1061 to read :
xpasswd = pw_encrypt(passwd, salt);
Add the item -DDIRENT_ILLEGAL_ACCESS to the CFLAGS line in src/makefiles/Makefile.lnx.
Michael Brennen ([email protected]) wrote on the list:
The general SKEY procedure is something like this: The last thing in config.h is an #undef SKEY; comment that out. That is a gotcha that can take some time to find, although that doesn't seem to be the problem. Copy skey.h into the src directory. Copy libskey.a into the support directory. Edit the appropriate Makefile.* in src/makefiles and add the following: add "-DSKEY" to the CFLAGS macro; add "-lskey" to the LIBES macro. That should do it; if not, holler back.
Edit the Makefile for your OS to add the AFS libs/includes. They only appear in the Makefile for AIX. Then, add the following line to the #include section of src/ftpd.c :
#include <afs/stds.h>
Noted by Perry L. Morgan ([email protected]).
Either, you compiled with support for setting the process title (SPT_TYPE) on a machine that doesn't support this, where changing the process title clobbers the environment and therefore zaps the TZ variable. Recompile with SPT_TYPE set to SPT_NONE.
Systems which don't support SPT_TYPE : Aix, SGI Irix
Or, you need to copy the zoneinfo files to the ~ftp tree too. These are :
/etc/TIMEZONE
/etc/default/init
/usr/share/lib/zoneinfo/..
The name of the correct file in /usr/share/lib/zoneinfo depends on your current timezone. Exact filenames depend on your operating system too. See the manpages for timezone(4) and zic(1M).
See above, but also check if your system needs /etc/default/init (Solaris 2.5 for example) for setting the correct TZ variable. This file has to be in chrooted environments too then.
Noted by Francois Belanger ([email protected]).
The syslog system calls in Digital Unix are a bit different. The following text describes how to fix this.
The standard Digital ftpd does log the commands after the chroot and Benoit
Maillard ([email protected]) told me that it was because they don't use
the standard system calls.
While looking at the distribution files, I've found a syslog.c file in support
directory and I've modified the Makefile.osf in support/makefiles to include
it in the library.
There were 2 compilation errors on this file, in fact one warning and one error.
The warning is on
if ((p = malloc(strlen(ident) + 1)) == NULL)
and to suppress it, modify in
if ((p = (char *)malloc(strlen(ident) + 1)) == NULL)
The error was on the redefinition of openlog (or closelog). It comes from the
fact that these calls are redefined in <syslog.h>
extern int openlog __((const char *, int, int));
extern int syslog __((int, const char *, ...));
extern void closelog __((void));
extern int setlogmask __((int));
So I've copied /usr/include/syslog.h in the support directory and I've modified
it in suppressing these lines. Then I've modified syslog.c in replacing
#include <syslog.h> by #include "syslog.h"
So now all is working fine and even for anonymous users the commands are logged
correctly as for real users in the daemon.log file.
Written on the mailing list by Daniel Clar ([email protected]).
The makefile is set up for the bsd version of the install program. Some OSes
(including Solaris) use the svr4 version. In that case set in the makefile :
INSTALL = /usr/ucb/install
For compiling, make the following changes :
Make these changes to ./src/config/config.osf :
#define SecureWare
#include <sys/secdefines.h>
#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
and add the following to ./src/makefiles/Makefile.osf
LIBES = -lsupport -lsecurity -laud
And change all occurrences of crypt() to bicrypt.
To run, you'll need to copy the entire contents of /etc/sia to ~ftp/etc/sia. Easiest way to do this is :
# cd /etc
# tar -cvf - sia | (cd ~ftp/etc;tar -xpf -)
See also the DEC documentation on this at <URL:http://sawyer.wustl.edu/du4-docs/Digital_UNIX_Bookshelf.html>
Parts of this provided by Andrew C. Saylor ([email protected]).
Add to ./src/ftpd.c
#define SPT_SCO 6 /* write kernel u. area */

/* FTP server. */
#include "config.h"
#include <cma.h>        /* <-- add this */
#include <sys/types.h>
Information provided by Andrew C. Saylor ([email protected]).
To compile for trusted systems you only need a few changes. In file src/config.h change the line
#undef SHADOW_PASSWORD
to
#define SHADOW_PASSWORD
In file src/makefiles/Makefile.hpx, the LIBES line should look like this:
LIBES = -lsupport -lc -lPW -lsec
The root password is crypted in a different way than the ones for normal users. It is necessary to use the bigcrypt function call. Here are the needed changes in the source code:
In file src/ftpd.c, at the beginning:
#ifdef _HPUX_SOURCE
#include <hpsecurity.h>
#include <prot.h>
#endif
and, in the same file, in function pass(), you should be able to identify the segments of code where this fits:
    char *xpasswd, *bpasswd,*salt;

#ifdef KERBEROS
    xpasswd = crypt16(passwd, salt);
#else
    xpasswd = crypt(passwd, salt);
    bpasswd = bigcrypt(passwd, salt);   /* <-- THIS IS THE HOT THING */
#endif

#ifdef ULTRIX_AUTH
    if ((numfails = ultrix_check_pass(passwd, xpasswd)) < 0) {
#elif defined(_HPUX_SOURCE)
    if (pw == NULL || *pw->pw_passwd == '\0' ||
        (strcmp(xpasswd, pw->pw_passwd) && strcmp(bpasswd, pw->pw_passwd))) {   /* <-- ALSO THIS */
#else
    /* The strcmp does not catch null passwords! */
    if (pw == NULL || *pw->pw_passwd == '\0' ||
        strcmp(xpasswd, pw->pw_passwd)) {
#endif
        reply(530, "Login incorrect.");
Information provided by Jose Luis Martinez Garcia ([email protected]).
If the above doesn't work, some more notes :
/usr/include/shadow.h: This *system* file had an apparent typo that caused gcc to fail. I changed the following statement:
extern int lckpwdf(void),
to
extern int lckpwdf(void); <<--- note the ';'
realpath.c: I think there was a external reference (maybe more than 1 reference?) which did not match the internal declaration. I think I changed the realpath declaration to match the externals. I deleted the original sources so I don't recall the change exactly.
ftpcmd.c: This file results from ftpcmd.y (via yacc/bison). Unfortunately the resulting c code will not build. It was necessary to move 2 of the structures to an earlier section. I think it was the 'cmdtab[]' and 'sitetab[]' structures which were moved. They were being called prior to their declaration. (`what bison` gives $Revision: 76.162.1.5 $)
Makefile.hpx: Modified to not delete the ftpcmd.c file fixed above.
ftpd.c:
1) installed the shadow password patch per the instructions in the FAQ. The new code worked without any problems (I'll probably port it to the POP3 server I've been wanting to install).
2) Modified the sprintf calls near SEPPROCTITLE to include "wuftpd" in the process string (similar to hp-ux ftpd). this allows "ps -ef | grep ftp" to show all connected ftp processes. It might need a little doctoring up since the file names on RETR have ^M^J tacked on.
Notes provided by Chuck Davis ([email protected]).
In general, change the line for the ftp-server in /etc/inetd.conf (the file that defines the servers started by inetd. For some operating systems, this is another file).
With the latest versions, using no command-line options will set it to a default-mode, in which it will not parse the ftpaccess file. Add the option -a to the command line in inetd.conf.
You can test the wu-ftpd on a different port by adding two ports with consecutive numbers in /etc/services, and then starting wu-ftpd on these ports. Add to /etc/services something like :
ftptest       4021/tcp   #command port
ftptest-data  4020/tcp   #data port
Then start wu-ftpd from /etc/inetd.conf like :
ftptest stream tcp nowait root /usr/etc/in.ftpd in.ftpd
The key is the name 'ftptest' which associates the port assignment in the /etc/services file to that in the inetd.conf file. Make certain the choice of ports in /etc/services (4021 and 4020 above) are from the local use list and don't conflict with other port assignments (see RFC1700, ASSIGNED NUMBERS).
One important subtlety. The data port is not really derived from the data port declaration in the /etc/services file. The FTP specification (RFC765) states the data port is defined as one less than the command port. However, including the data port declaration in the /etc/services file prevents it from being accidentally assigned to something else.
From a mail by W. James Showalter ([email protected])
Your inetd probably drops some parameters after a given number (4 or 5). You can use the following wrapper program to give additional parameters :
/* wrapper for wuftpd to add command line arguments that don't fit under inetd */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strerror() */
#include <unistd.h>
#include <errno.h>
#include <syslog.h>

int main(void)
{
    const char *path = "/local-adm/bin/ftpd";
    const char *cmd = "ftpd";
    int saved_errno;

    fflush(stderr);
    fflush(stdout);
    errno = 0;
    /* execl() only returns if starting ftpd failed */
    execl(path, cmd, "-a", "-l", "-L", "-u022", (char *)NULL);
    saved_errno = errno;    /* keep the exec error; openlog() may change errno */
    openlog("wrapftpd", LOG_PID, LOG_LOCAL6);
    /* pass the message as an argument, never as the format string */
    syslog(LOG_WARNING, "%s", strerror(saved_errno));
    closelog();
    exit(EXIT_FAILURE);
}
Code from Albert Lunde ([email protected])
Files with absolute pathnames are relative to the current root. Put them in the ~ftp filesystem and make a link to there, or use this possibility to use different banners.
This is a format consisting of day and time parameters. Possible items : Sa,Su,Mo, .. Any (for any day) and time parameters. For example : SaSu|Any1800-0700 means all of Saturday and Sunday or Any day between 18:00 and 07:00. Check if ftpd inherits the correct time zone.
ftpcheck found at <URL:ftp://ftp.cle.ab.com/pub/ftpcheck.v2.3
First, consider if you can't relink them statically so the shared libraries aren't needed. You can get the GNU fileutils from : <URL:ftp://prep.ai.mit.edu/pub/gnu/fileutils-3.16.tar.gz> (version numbers may vary).
For different operating systems, different libraries and/or devices are needed. You can test if things are running correctly by doing a chroot to the ftp homedir. To test if /bin/ls is working in the ~ftp dir, type :
chroot ~ftp /bin/ls
Solaris needs ~ftp/dev/tcp and ~ftp/dev/zero and the libraries. Check the man-page for your Solaris version for exact details. Use the command ldd to find out which libraries a program uses. Also, the ~ftp/etc/group file is needed for ls to work, without it it will just dump core. Follow the same rules as for /etc/passwd : not too much information in that file, like group passwords (if you have those).
Needed libraries can include :
ld.so, ld.so.1, libc.so.1, libdl.so.1, libintl.so.1, libmp.so.1, libnsl.so.1,
libsocket.so.1, libw.so.1, nss_compat.so.1, nss_dns.so.1, nss_files.so.1,
nss_nis.so.1, nss_nisplus.so.1, straddr.so
Problem with /etc/group found by Eric ([email protected]).
This is discussed in the comp.unix.solaris Frequently Asked Questions <URL:http://www.fwi.uva.nl/pub/solaris/solaris2> item 6.24 (at this moment).
Use the command ldd to find out which libraries a program uses. Also, with ELF binaries you need the ELF file loader, ld-linux.so in ~ftp/lib.
ELF change remarked by Al Longyear ([email protected]).
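The ldd check described above can be turned into a quick audit of the chroot tree. This is an added example, not part of the original FAQ or of the wu-ftpd distribution; the function name chroot_missing_libs and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report shared libraries that a binary needs but that are
# absent from the ftp chroot tree. The function name and the sample data
# are hypothetical, not part of wu-ftpd.

# chroot_missing_libs CHROOT_DIR      (ldd output is read from stdin)
# Prints every absolute library path in the ldd output that does not exist
# below CHROOT_DIR, plus every library ldd itself could not resolve.
chroot_missing_libs() {
    root=${1%/}
    awk '
        /=> not found/ { print "unresolved:" $1; next }
        # the first field starting with "/" is the library (or loader) path
        { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }
    ' | LC_ALL=C sort -u | while IFS= read -r lib; do
        case $lib in
            unresolved:*) printf '%s\n' "$lib" ;;
            *) [ -e "$root$lib" ] || printf '%s\n' "$lib" ;;
        esac
    done
}

# Constructed sample of ldd output for an ELF binary (not captured from a
# real system). The last line is the ELF loader, which must be in ~ftp/lib.
SAMPLE_LDD='    libtermcap.so.2 => not found
    libc.so.6 => /lib/libc.so.6 (0x40020000)
    /lib/ld-linux.so.2 (0x40000000)'

# Demo: an empty directory stands in for ~ftp, so everything is reported.
demo_root=$(mktemp -d)
printf '%s\n' "$SAMPLE_LDD" | chroot_missing_libs "$demo_root"
rmdir "$demo_root"

# Real use would be:  ldd ~ftp/bin/ls | chroot_missing_libs ~ftp
```

An empty result means every library and the loader are present under the chroot; devices such as ~ftp/dev/zero and files such as ~ftp/etc/group still have to be checked separately.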
Copy the static version of ls (/sbin/ls) and not the dynamic one. The static
version is about 400K.
Make passwd and group files in ~ftp/etc. Copy from /etc/sia
dir to ~ftp/etc/sia the files matrixconf and
siainitgood.
SunOS needs ~ftp/dev/zero and the libraries.
AIX comes with scripts to automate this installation.
AIX 3.2.5 - /usr/lpp/tcpip/samples/anon.ftp
AIX 4.1.4 - /usr/samples/tcpip/anon.ftp
After it's done, change the mode of ~ftp/pub to something safer.
Also, AIX comes with a 'dump' utility that can show which libraries a program uses.
Noted by Eilon Gishri ([email protected])
IRIX 6.2 needs ~ftp/dev/zero and libraries. You will probably need to copy /lib/libc.so.1 to ~ftp/lib/libc.so.1 and /lib/rld to ~ftp/lib/rld. These are required by ls, compress, gtar and gzip.
You can see what libraries a program needs by doing the following:
csh# setenv _RLD_PATH /usr/lib/rld.debug
csh# setenv _RLD_ARGS '-v -quickstart_info -stat'
To stop seeing what libraries are needed unset the environment variables:
csh# unsetenv _RLD_PATH
csh# unsetenv _RLD_ARGS
SCO needs /dev/socksys.
This is a very sneaky one. To quote : The problem was that ls_short and ls_long were being defined incorrectly (since the system was compiled with a BSDish compiler, the BSD config file was used) using ls -lA and ls -lgA respectively. It turns out that the ls command was running but it was erroring out (this is because the system is actually running SVR4), since a failed ls produces output only to stderr not stdout I saw nothing for my output.
Information from Perry A. Stupp ([email protected])
Something in the upgrade changed in your OS. Most likely : newer shared libraries. Also : other major/minor numbers in /dev. Redo the shared libs and devices after an upgrade if things like the above happen.
The directive ftpshut in the ftpaccess file points to a file that exists at that moment. Either change the directive or delete the file.
Also, after you've used the ftpshut command, you'll need to remove the ftpshut file by hand.
Check the following :
There are a lot of possible reasons, mostly having to do with the fact that some versions of tar use different command line parameters.
/bin/tar -cf - %s, the effect will be the same as /bin/tar -cvf - %s. The -v option will add extraneous data to the stream. Solution : replace it with /bin/tar cf - %s (no leading -).
With Solaris 2.4 and GNU's tar-1.11.8 (configured and compiled with --disable-nls flag) use the GNU tar flag --use-compress-program=<path to compression program>. Sample :
: : :.tar.Z:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/compress -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
: : :.tar.gz:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/gzip -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
Lines for ftpconversions :
:.zip: : :/bin/unzip -qq -p %s:T_REG|T_ASCII:O_UNCOMPRESS:UNZIP
: : :.zip:/bin/zip -qq -r - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:ZIP
Info-ZIP can be found at <URL:http://quest.jpl.nasa.gov/Info-ZIP/>
Create a shell for this purpose (for example, a program that says the above or a copy of /bin/true). Put this shell in /etc/shells. Change the shell of the user to that shell.
Next : make sure mail cannot be delivered locally to the account. Because the shell is valid for sendmail (it is in /etc/shells), a user may be able to start commands as that user.
Somebody is trying to misuse your ftp-site for transferring software (worst case scenario). Check if the directive path-filter in the ftpaccess file is something like :
path-filter anonymous /etc/paths.msg ^[-A-Za-z0-9\._]*$ ^\. ^-
In that case, set your path-filter to the one mentioned above. Make the incoming directory owned by something other than ftp (root, or nobody) with a group other than ftp (nobody). Something like :
drwx-wx-wt root nobody incoming
This will allow ftp to write in the directory, but not read it. Set the upload directive in ftpaccess to something like :
upload /home/ftp /incoming yes root daemon 0400 nodirs
One note : files get created as root and changed to the owner mentioned in the upload line. This will fail on some secure NFS setups.
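To see which upload names the path-filter quoted above lets through, the following added example (not from the original FAQ or from wu-ftpd) reads the path-filter line out of an ftpaccess text and tests candidate names against it: the first regex is the allowed character set, the remaining ones are disallowed patterns. It assumes POSIX extended regular expressions as implemented by grep -E, which may differ in detail from the regex routines a given wu-ftpd build uses; the function name path_filter_check and the sample names are constructed.

```shell
#!/bin/sh
# Added example (not part of wu-ftpd): evaluate upload names against the
# path-filter line of an ftpaccess file. Matching uses grep -E, which is an
# assumption; the daemon's own regex routines may differ in detail.

# Constructed ftpaccess fragment holding the path-filter from the FAQ.
FTPACCESS_SAMPLE='# constructed sample
path-filter anonymous /etc/paths.msg ^[-A-Za-z0-9\._]*$ ^\. ^-'

# path_filter_check FTPACCESS_TEXT USERTYPE NAME
# Prints "accept", "reject: ..." or "unfiltered"; status 0 only on accept.
path_filter_check() {
    conf=$1 utype=$2 name=$3
    case $name in
        *'
'*) printf '%s\n' "reject: newline in name"; return 1 ;;
    esac
    # First path-filter line whose comma-separated type list names USERTYPE.
    line=$(printf '%s\n' "$conf" | awk -v t="$utype" '
        $1 == "path-filter" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == t) { print; exit }
        }')
    if [ -z "$line" ]; then
        printf '%s\n' "unfiltered"; return 2
    fi
    set -f              # the regexes contain * and [ ]: no globbing
    set -- $line
    set +f
    if [ $# -lt 4 ]; then
        printf '%s\n' "unfiltered"; return 2
    fi
    shift 3             # drop "path-filter", type list, message file
    allowed=$1; shift
    if ! printf '%s\n' "$name" | grep -Eq -e "$allowed"; then
        printf '%s\n' "reject: outside allowed charset"; return 1
    fi
    for deny in "$@"; do
        if printf '%s\n' "$name" | grep -Eq -e "$deny"; then
            printf '%s\n' "reject: matches $deny"; return 1
        fi
    done
    printf '%s\n' "accept"
}

# Constructed candidate names. Note the last one: in POSIX regexes a
# backslash inside [...] is a literal character, so under grep the allowed
# set of this filter also contains "\".
for n in report-1.tar.gz .rhosts -rf 'my file' ... 'a\b'; do
    printf '%-18s %s\n' "$n" \
        "$(path_filter_check "$FTPACCESS_SAMPLE" anonymous "$n")"
done
```

A result of "unfiltered" for a user type means no path-filter line covers it, which is worth checking for every type that is allowed to upload.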
The default umask is inherited from inetd. This can be a wrong one. There is an undocumented command line parameter -u. Edit the line in inetd.conf to something like ftpd -A -L -l -u077.
In some slackware distributions the _PATH_EXECPATH is set to something like /bin. Recompile wu-ftpd with it set to a special path like /bin/ftp-exec.
To test for this hole, type (when logged in as a real user, not anonymous) :
ftp> SITE EXEC bash -c id
If you get a return with '200-uid=0(root) gid=0(root)' in it, you have the problem.
There are a couple of scripts to make better reports from the xferlog.
I (Koos van den Hout) also wrote a Perl script to process the log, mail daily statistics and uploaded files, and create a top most downloaded files. It is available from <URL:ftp://ftp.cetis.hvu.nl/pub/koos/ftplogcheck>
iistat generates nice transfer graphs from the xferlog file (and from a lot of other sources). Available from <URL:ftp://ftp.support.lotus.com/pub/utils/InternetServices/iisstat/iisstat.html>
You get errors like :
Dec 7 11:14:33 ftphost vmunix: NFS write error 13 on host fileserver fh 746 1 a0000 5fea7 3b5a1bd8 a0000 2 1e0a6aed
That's a known problem. Possible solutions :
Apparently ftpd needs write permission on ~ftp/dev/tcp in order to operate correctly in passive mode (Solaris). Set it to the same mode as permissions shown by ls -lL /dev/tcp, being 666. Also read the Solaris man page for ftpd for Solaris-specific information. Changed from previous versions.
Fix:
cd ~ftp/dev
chmod 666 tcp
Thanks to Simon Rakov ([email protected]) for this one.
That's a not-so-well-known ftpaccess feature : just add 'guestserver anon.ftp.server.hostname' to your ftpaccess file.
RFC959 documents the FTP protocol.
There is a Perl-script collection available named ftpmail. It is available on a lot of ftp-sites (archie for 'ftpmail'), some of which are :
nic.funet.fi, ftp.warwick.ac.uk, ftp.loria.fr, ftp.germany.eu.net.
A number of people deserve credit :