Frequently Asked Questions about wu-ftpd, with answers

This article contains the answers to Frequently Asked Questions (FAQ) concerning the wu-ftpd software. To submit questions (preferably with an answer) send email to: [email protected]. If you wish to get the latest version of this file, it is available as

Via WWW : <URL:http://www.hvu.nl/~koos/wu-ftpd-faq.html>

Via FTP : <URL:ftp://ftp.cetis.hvu.nl/pub/koos/wu-ftpd-faq.txt>

And via E-mail : Send an e-mail to [email protected] with the subject line 'send faq'.

Comments : this version still lacks details about certain operating systems. Comments about those are welcome.


  1. Contents of this FAQ

    1. Contents of this FAQ
    2. What is this document
    3. What is wu-ftpd itself and this mailing list in particular ?
      1. How do I subscribe/unsubscribe ?
      2. Is this list archived anywhere ?
      3. What are related documents ?

    4. Where do I get the wu-ftpd ?
      1. Where do I get the updated version ?

    5. Compiling the wu-ftpd
      1. cc complains about strunames, typenames, modenames, .. being undeclared.
      2. wu-ftpd doesn't 'see' that users are in multiple groups.
      3. wu-ftpd doesn't use the shadow passwords on my Linux machine.
      4. It doesn't compile at all on newer Linux installs. The error is :
      5. I need to use S/KEY authorisation
      6. I need to authenticate real users via AFS
      7. The timezone in the xferlog is wrong
      8. The timezone in the ls output is wrong
      9. Digital Unix doesn't log commands after an anonymous user logs in
      10. install fails with 'install: ..'
      11. Digital Unix (The Unix Formerly Known As OSF/1) and Enhanced C2 security,
      12. It doesn't compile at all on Digital Unix, errors about struct timeval
      13. What should I do to be able to use wu-ftpd in a HP-UX 10.01
      14. What should I do for 10.10.

    6. Installing the wu-ftpd
      1. Command-line options for wu-ftpd
      2. Testing on a different port number than ftp
      3. Not all command line parameters seem to be used by wu-ftpd

    7. The ftpaccess file
      1. Some files (banners, etc) don't get shown to anonymous users.
      2. What is the exact format of the <times> parameter in the "limit"
      3. What tools are there to check the configuration

    8. Programs (ls, gzip, tar) work for real users, not for anonymous users, giving errors like 425 Can't create data socket (0.0.0.0,20): Bad file number or simply no output.
      1. Solaris
      2. Building a statically linked ls for Solaris fails
      3. Linux
      4. Dec OSF
      5. SunOS4.1.x
      6. AIX
      7. IRIX (6.2)
      8. SCO Unix
      9. BSD vs SVR4 ls
      10. It worked, until I upgraded the operating system.

    9. Running wu-ftpd
      1. ftpd always says "221 Server shutting down. Goodbye."
      2. Anonymous ftp works fine, but real users are denied access
      3. ftpconversions doesn't work
      4. On-the-fly compression works, on-the-fly tarring, but not both.
      5. I want to use zip compression (InfoZip)
      6. I want a real user to be able to access the host only via ftp, not via telnet
      7. Somebody uploaded a file with a weird name
      8. I want anonymous users to be able to upload files, but in the most secure manner possible
      9. The default umask used when a real user uploads a file is wrong
      10. I heard something about 'SITE EXEC' having a security hole
      11. How do I make reports more readable ?
      12. Incoming file transfers fail with SunOS and an NFS mounted incoming
      13. Normal ftp clients work, Netscape ftp's fail. So, passive mode doesn't work.
      14. I want to redirect anonymous users to another machine

    10. Other things

      1. Where is the FTP protocol documented ?
      2. How can I make my ftp-archive accessible by E-mail (ftpmail) ?

    11. Credits

  2. What is this document

    This is the FAQ (frequently asked questions) for newer versions of wu-ftpd as maintained at ftp.academ.com.

    Note: The various addresses used in this document are for contacting the authors on subjects mentioned in this document. Using these addresses for sending unsolicited E-mail is forbidden.

  3. What is wu-ftpd itself and this mailing list in particular ?

    Wuarchive-ftpd, more affectionately known as wu-ftpd, is a replacement ftp daemon for Un*x systems developed at Washington University (*.wustl.edu) by Bryan D. O'Connor. (who is no longer working on it or supporting it!) wu-ftpd is the most popular ftp daemon on the Internet, used on many anonymous ftp sites all around the world.

    This mailing list is for discussing problems with maintaining this daemon and ftp-sites where it is used.

    1. How do I subscribe/unsubscribe ?

      To subscribe, send a mail message with a body of SUBSCRIBE WU-FTPD <your full name> to the list server [email protected].

      To unsubscribe, send a mail message with a body of UNSUBSCRIBE WU-FTPD to the list server [email protected].

      To send mail to all people on the list, send it to [email protected].

    2. Is this list archived anywhere ?

      YES. There are two archives. An 'older' one, at <URL:http://www.osat.hq.nasa.gov/wuarchive.html>. This archive can be searched, and is created and maintained by Judy Pellerin ([email protected]). At this moment (February 1997) I cannot reach this host.

      An archive from June 1994 until recent, reachable via WWW at <URL:http://www.landfield.com/wu-ftpd/mail-archive>, and via ftp at <URL:ftp://ftp.landfield.com/wu-ftpd/mail-archive>. The search page is at <URL:http://www.landfield.com/wu-ftpd/mail-archive/search.html> This archive is maintained by Kent Landfield ([email protected]).

    3. What are related documents ?

      The RFC's that describe the FTP protocol are rfc959 and rfc1579. A possible location to get these is : <URL:http://info.internet.isi.edu:80/in-notes/rfc/files/rfc959.txt> <URL:http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1579.txt>

      Kent Landfield maintains a resource center to collect all wu-ftpd related links at <URL:http://www.landfield.com/wu-ftpd/>

      Darci Chapman maintains the Solaris/wu-ftpd howto guide at <http://www.teleport.com/~minerva/wu-ftpd/wuftpd.htm>

      The manpage for wu-ftpd can be viewed online at <http://www.academ.com/cgi-bin/bsdi-man?proto=1.1&apropos=0&msection=local&query=ftpd>

      'ANONYMOUS FTP CONFIGURATION GUIDELINES'

      A set of guidelines from CERT (Computer Emergency Response Team) about setting up anonymous ftp.

      <URL:ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config>

      <URL:ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_abuses>

      'How to set up a secure ftp server'

      A file describing how to set up anonymous ftp in general in a secure way, avoiding misuse.

      <URL:ftp://sunsite.unc.edu/pub/sun-info/sun-faq/FAQs/SettingUpSecureFTP.faq>

      'guestgroup howto'

      A document describing the set up of guestgroups in the wu-ftpd server. At this moment it is a separate document from this one.

      <URL:ftp://ftp.fni.com/pub/wu-ftpd/guest-howto>

      A document describing virtual ftp servers

      <URL:http://www.westnet.com/providers/multi-wu-ftpd.txt>

      Ftpaccess on virtual ftp servers

      <URL:ftp://ftp.meme.com/pub/software/wu-ftpd-2.4.2/README.ALT.FTPACCESS>

      Read these. Something like

      
      #> telnet xxx.yyy.nl
      Trying XXX.XXX.XXX.XXX ...
      Connected to xxx.yyy.nl.
      Escape character is '^]'.

      SunOS UNIX (xxx.yyy.nl)

      login: ftp
      Last login: Sat Oct 28 22:11:36 from xxxxxx.xxx.xxx.nl
      SunOS Release 4.1.3 (HSIS_X25) #1: Wed Apr 7 14:19:15 MET DST 1993
      %>
      
      
      should not happen. And the jokers who try it on my ftp site can stop too

  4. Where do I get the wu-ftpd ?

    The wu-ftpd home is wuarchive.wustl.edu, the exact URL is:

    ftp://wuarchive.wustl.edu/packages/wuarchive-ftpd/

    This daemon is available in source code and binaries from many other ftp-sites, ask _archie_ where to find it. Best is to compile it yourself, since it has a lot of compile-time options.

    1. Where do I get the updated version ?

      The above is the last version created by wuarchive. On the mailing list, an updated version has been created which is maintained by Stan Barber ([email protected]).

      You can get this beta by ftp from the directory :

      ftp://ftp.academ.com/pub/wu-ftpd/private/

      The directory is not browsable; a .message file will point you to the latest version. Read this .message.

      Remember, these are BETA versions. Before asking/trying anything, check first that you have the latest version. And if you run this version, keep up with the list to make sure you get news of updates.

  5. Compiling the wu-ftpd

    In general, editing src/pathnames.h and typing build arch should be enough.

    1. cc complains about strunames, typenames, modenames, .. being undeclared.

      This error is fully explained in the INSTALL/INSTALL.orig file in wu-ftpd package. A few relevant lines :

      
      If cc complains about strunames, typenames, modenames, ... being undefined
      you need to install support/ftp.h as /usr/include/arpa/ftp.h (always make
      a backup of the old ftp.h just in case!) and do the build again.  The new
      ftp.h should be a compatible superset of your existing ftp.h, so you
      shouldn't have problems with this replacement.
      
      

    2. wu-ftpd doesn't 'see' that users are in multiple groups.

      This is fixed in the beta versions.

    3. wu-ftpd doesn't use the shadow passwords on my Linux machine.

      Since older Linux distributions (around libc.5.3 this got fixed) don't include shadow passwords, wu-ftpd assumes Linux does not have shadow passwords. To compile for shadow passwords with Linux :

      • Get the shadow.h from the latest shadow package.
      • After building the shadow package, you have a libshadow.a.
      • Copy shadow.h to the src dir.
      • Copy libshadow.a to the support dir.
      • Edit src/config.h to say '#define SHADOW_PASSWORD' instead of #undef.
      • Edit the LIBES line in src/Makefile to read :
        LIBES = -lsupport -lbsd -lshadow

      Modify src/ftpd.c around line 1061 to read :

      
      	xpasswd = pw_encrypt(passwd, salt);
      
      

    4. It doesn't compile at all on newer Linux installs. The error is :

      Add the item -DDIRENT_ILLEGAL_ACCESS to the CFLAGS line in src/makefiles/Makefile.lnx.

    5. I need to use S/KEY authorisation

      Michael Brennen ([email protected]) wrote on the list:

      
      The general SKEY procedure is something like this:

      The last thing in config.h is an #undef SKEY; comment that out.  That is
      a gotcha that can take some time to find, although that doesn't seem to
      be the problem.

      Copy skey.h into the src directory.

      Copy libskey.a into the support directory.

      Edit the appropriate Makefile.* in src/makefiles and add the following:
         add "-DSKEY" to the CFLAGS macro;
         add "-lskey" to the LIBES macro.

      That should do it; if not, holler back.
      
      

    6. I need to authenticate real users via AFS

      Edit the Makefile for your OS to add the AFS libs/includes. They only appear in the Makefile for AIX. Then, add the following line to the #include section of src/ftpd.c :

      
      #include <afs/stds.h>
      
      
      Noted by Perry L. Morgan ([email protected]).

    7. The timezone in the xferlog is wrong

      Either you compiled with support for setting the process title (SPT_TYPE) on a machine that doesn't support this; changing the process title then clobbers the environment and therefore zaps the TZ variable. Recompile with SPT_TYPE set to SPT_NONE.

      Systems which don't support SPT_TYPE : AIX, SGI IRIX

      Or, you need to copy the zoneinfo files to the ~ftp tree too. These are :

      
      /etc/TIMEZONE
      /etc/default/init
      /usr/share/lib/zoneinfo/..
      
      
      The name of the correct file in /usr/share/lib/zoneinfo depends on your current timezone. Exact filenames depend on your operating system too. See the manpages for timezone(4) and zic(1M).

    8. The timezone in the ls output is wrong

      See above, but also check if your system needs /etc/default/init (Solaris 2.5 for example) for setting the correct TZ variable. This file has to be in chrooted environments too then.

      Noted by Francois Belanger ([email protected]).

    9. Digital Unix doesn't log commands after an anonymous user logs in

      The syslog system calls in Digital Unix are a bit different. The following text describes how to fix this.

      
      The standard Digital ftpd does log the commands after the chroot and Benoit
      Maillard ([email protected]) told me that it was because they don't use
      the standard system calls.

      While looking at the distribution files, I've found a syslog.c file in support
      directory and I've modified the Makefile.osf in support/makefiles to include
      it in the library.
      There were 2 compilation errors on this file, in fact one warning and one error.

      The warning is on

      if ((p = malloc(strlen(ident) + 1)) == NULL)

      and to suppress it, modify in

      if ((p = (char *)malloc(strlen(ident) + 1)) == NULL)

      The error was on the redefinition of openlog (or closelog). It comes from the
      fact that these calls are redefined in <syslog.h>
      extern int      openlog __((const char *, int, int));
      extern int      syslog __((int, const char *, ...));
      extern void     closelog __((void));
      extern int      setlogmask __((int));

      So I've copied /usr/include/syslog.h in the support directory and I've modified
      it in suppressing these lines. Then I've modified syslog.c in replacing

      #include <syslog.h> by #include "syslog.h"

      So now all is working fine and even for anonymous users the commands are logged
      correctly as for real users in the daemon.log file.
      
      
      Written on the mailing list by Daniel Clar ([email protected]).

    10. install fails with 'install: ..'

      The makefile is set up for the BSD version of the install program. Some OSes (including Solaris) use the SVR4 version. In that case set in the makefile :
      INSTALL = /usr/ucb/install

    11. Digital Unix (The Unix Formerly Known As OSF/1) and Enhanced C2 security,

      For compiling, make the following changes :
      Make these changes to ./src/config/config.osf :

      
      #define SecureWare
      #include <sys/secdefines.h>
      #include <sys/types.h>
      #include <sys/security.h>
      #include <sys/audit.h>
      #include <prot.h>

      and add the following to ./src/makefiles/Makefile.osf

      LIBES = -lsupport -lsecurity -laud

      And change all occurrences of crypt() to bigcrypt().

      To run, you'll need to copy the entire contents of /etc/sia to ~ftp/etc/sia. Easiest way to do this is :

      
      # cd /etc
      # tar -cvf - sia | (cd ~ftp/etc;tar -xpf -)
      
      
      See also the DEC documentation on this at <URL:http://sawyer.wustl.edu/du4-docs/Digital_UNIX_Bookshelf.html> Parts of this provided by Andrew C. Saylor ([email protected]).

    12. It doesn't compile at all on Digital Unix, errors about struct timeval

      Add to ./src/ftpd.c

      
      #define SPT_SCO         6       /* write kernel u. area */

      /* FTP server. */
      #include "config.h"
      #include <cma.h>		/* <-- add this */

      #include <sys/types.h>
      
      
      Information provided by Andrew C. Saylor ([email protected]).

    13. What should I do to be able to use wu-ftpd in a HP-UX 10.01

      To compile for trusted systems you only need a few changes. In file src/config.h change the line

      
      #undef SHADOW_PASSWORD

      to

      #define SHADOW_PASSWORD

      In file src/makefiles/Makefile.hpx, the LIBES line should look like this:

      LIBES = -lsupport -lc -lPW -lsec
      
      
      The root password is encrypted in a different way than the ones for normal users. It is necessary to use the bigcrypt function call. Here are the needed changes in the source code:

      In file src/ftpd.c, at the beginning:

      
      #ifdef _HPUX_SOURCE
      #include <hpsecurity.h>
      #include <prot.h>
      #endif

      and, in the same file, in function pass(), you should be able to identify the segments of code where this fits:

        char *xpasswd,
             *bpasswd,*salt;

        #ifdef KERBEROS
                xpasswd = crypt16(passwd, salt);
        #else
                xpasswd = crypt(passwd, salt);
                bpasswd = bigcrypt(passwd, salt); /* <-- THIS IS THE HOT THING */
        #endif

        #ifdef ULTRIX_AUTH
                if ((numfails = ultrix_check_pass(passwd, xpasswd)) < 0) {
        #elif defined(_HPUX_SOURCE)
                if (pw == NULL || *pw->pw_passwd == '\0' ||
                    (strcmp(xpasswd, pw->pw_passwd) &&
                     strcmp(bpasswd, pw->pw_passwd))) {  /* <-- ALSO THIS */
        #else
                /* The strcmp does not catch null passwords! */
                if (pw == NULL || *pw->pw_passwd == '\0' ||
                    strcmp(xpasswd, pw->pw_passwd)) {
        #endif
                  reply(530, "Login incorrect.");
      
      
      Information provided by Jose Luis Martinez Garcia ([email protected]).

    14. What should I do for 10.10.

      If the above doesn't work, some more notes :

      
      /usr/include/shadow.h:  This *system* file had an apparent typo that caused
      gcc to fail.  I changed the following statement:

           extern int lckpwdf(void),
                  to
           extern int lckpwdf(void); <<--- note the ';'

      realpath.c:  I think there was a external reference (maybe more than 1
      reference?)  which did not match the internal declaration.  I think I
      changed the realpath declaration to match the externals.  I deleted the
      original sources so I don't recall the change exactly.

      ftpcmd.c:  This file results from ftpcmd.y (via yacc/bison).  Unfortunately
      the resulting c code will not build.  It was necessary to move 2 of the
      structures to an earlier section.  I think it was the 'cmdtab[]' and
      'sitetab[]' structures which were moved.  They were being called prior to
      their declaration.  (`what bison` gives $Revision: 76.162.1.5 $)

      Makefile.hpx:  Modified to not delete the ftpcmd.c file fixed above.

      ftpd.c:  1) installed the shadow password patch per the instructions in the
      FAQ.  The new code worked without any problems (I'll probably port it to
      the POP3 server I've been wanting to install).  2) Modified the sprintf
      calls near SEPPROCTITLE to include "wuftpd" in the process string (similar
      to hp-ux ftpd).  this allows "ps -ef | grep ftp" to show all connected ftp
      processes.  It might need a little doctoring up since the file names on
      RETR have ^M^J tacked on.
      
      
      Notes provided by Chuck Davis ([email protected]).

  6. Installing the wu-ftpd

    In general, change the line for the ftp-server in /etc/inetd.conf (the file that defines the servers started by inetd. For some operating systems, this is another file).

    1. Command-line options for wu-ftpd

      With the latest versions, using no command-line options will set it to a default-mode, in which it will not parse the ftpaccess file. Add the option -a to the command line in inetd.conf.

    2. Testing on a different port number than ftp

      You can test the wu-ftpd on a different port by adding two ports with consecutive numbers in /etc/services, and then starting wu-ftpd on these ports. Add to /etc/services something like :

      
      ftptest         4021/tcp        #command port
      ftptest-data    4020/tcp        #data port

      Then start wu-ftpd from /etc/inetd.conf like :

      ftptest stream tcp nowait root /usr/etc/in.ftpd in.ftpd
      
      
      The key is the name 'ftptest' which associates the port assignment in the /etc/services file to that in the inetd.conf file. Make certain the choice of ports in /etc/services (4021 and 4020 above) are from the local use list and don't conflict with other port assignments (see RFC1700, ASSIGNED NUMBERS). One important subtlety. The data port is not really derived from the data port declaration in the /etc/services file. The FTP specification (RFC765) states the data port is defined as one less than the command port. However, including the data port declaration in the /etc/services file prevents it from being accidentally assigned to something else.

      From a mail by W. James Showalter ([email protected])

    3. Not all command line parameters seem to be used by wu-ftpd

      Your inetd probably drops some parameters after a given number (4 or 5). You can use the following wrapper program to give additional parameters :

      
      /* wrapper for wuftpd to add command line arguments
         that don't fit under inetd */

      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>   /* strerror() */
      #include <unistd.h>
      #include <errno.h>
      #include <syslog.h>

      int main(int argc, char **argv)
      {
         char *path="/local-adm/bin/ftpd";
         char *cmd="ftpd";
         int saved_errno;

         fflush(stderr);
         fflush(stdout);
         errno=0;
         execl(path,cmd,"-a","-l","-L","-u022",(char *)NULL);

         /* only reached when execl() failed; keep its errno before
            openlog() can overwrite it */
         saved_errno=errno;
         openlog("wrapftpd",LOG_PID, LOG_LOCAL6);
         /* fixed format string, so the message text is never parsed as one */
         syslog(LOG_WARNING,"execl %s: %s",path,strerror(saved_errno));
         closelog();
         exit(EXIT_FAILURE);
      }
      
      
      Code from Albert Lunde ([email protected])

  7. The ftpaccess file

    1. Some files (banners, etc) don't get shown to anonymous users.

      Files with absolute pathnames are relative to the current root. Put them in the ~ftp filesystem and make a link to there, or use this possibility to use different banners.

    2. What is the exact format of the <times> parameter in the "limit"

      This is a format consisting of day and time parameters. Possible items : Sa,Su,Mo, .. Any (for any day) and time parameters. For example : SaSu|Any1800-0700 means all of Saturday and Sunday or Any day between 18:00 and 07:00. Check if ftpd inherits the correct time zone.
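
The format just described, as a small evaluator; this is an added example, not code from wu-ftpd or from the FAQ author. Assumptions: the function names are made up here, the day codes are the two-letter forms Su Mo Tu We Th Fr Sa plus Any, a range whose start is later than its end wraps past midnight and is tested against the current day, and the end time is exclusive.

```sh
#!/bin/sh
# Added example: evaluate a "limit" <times> string such as SaSu|Any1800-0700.
# Day codes are assumed to be Su Mo Tu We Th Fr Sa, or Any.

# entry_matches ENTRY DAY HHMM
#   ENTRY is one alternative, e.g. "SaSu" or "Any1800-0700".
entry_matches() {
    em_days=${1%%[0-9]*}          # leading letters: the day list
    em_range=${1#"$em_days"}      # what is left: empty or HHMM-HHMM

    case $em_days in
        *Any*|*"$2"*) ;;          # the day list covers today
        *) return 1 ;;
    esac
    [ -n "$em_range" ] || return 0   # no time range: the whole day matches

    # Prefix a 1 so that 0700 is compared as decimal 10700, never as octal.
    em_now=1$3
    em_start=1${em_range%-*}
    em_end=1${em_range#*-}
    if [ "$em_start" -le "$em_end" ]; then
        [ "$em_now" -ge "$em_start" ] && [ "$em_now" -lt "$em_end" ]
    else
        # Assumption: start later than end means the range wraps past midnight.
        [ "$em_now" -ge "$em_start" ] || [ "$em_now" -lt "$em_end" ]
    fi
}

# times_match SPEC DAY HHMM -> exit status 0 when DAY/HHMM is inside SPEC
times_match() {
    tm_rest=$1
    while :; do
        if entry_matches "${tm_rest%%'|'*}" "$2" "$3"; then
            return 0
        fi
        case $tm_rest in
            *'|'*) tm_rest=${tm_rest#*'|'} ;;   # try the next alternative
            *) return 1 ;;
        esac
    done
}

# Constructed probes against the string from the answer above.
for probe in 'Sa 1200' 'Mo 1200' 'Mo 2300' 'Mo 0659' 'Mo 0700'; do
    set -- $probe
    if times_match 'SaSu|Any1800-0700' "$1" "$2"; then
        echo "$1 $2: inside"
    else
        echo "$1 $2: outside"
    fi
done
```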

    3. What tools are there to check the configuration

      ftpcheck, found at <URL:ftp://ftp.cle.ab.com/pub/ftpcheck.v2.3>

  8. Programs (ls, gzip, tar) work for real users, not for anonymous users, giving errors like 425 Can't create data socket (0.0.0.0,20): Bad file number or simply no output.

    First, consider if you can't relink them statically so the shared libraries aren't needed. You can get the GNU fileutils from : <URL:ftp://prep.ai.mit.edu/pub/gnu/fileutils-3.16.tar.gz> (version numbers may vary).

    For different operating systems, different libraries and/or devices are needed. You can test if things are running correctly by doing a chroot to the ftp homedir. To test if /bin/ls is working in the ~ftp dir, type :

    chroot ~ftp /bin/ls

    1. Solaris

      Solaris needs ~ftp/dev/tcp and ~ftp/dev/zero and the libraries. Check the man-page for your Solaris version for exact details. Use the command ldd to find out which libraries a program uses. Also, the ~ftp/etc/group file is needed for ls to work, without it it will just dump core. Follow the same rules as for /etc/passwd : not too much information in that file, like group passwords (if you have those).

      Needed libraries can include :
      ld.so, ld.so.1, libc.so.1, libdl.so.1, libintl.so.1, libmp.so.1, libnsl.so.1, libsocket.so.1, libw.so.1, nss_compat.so.1, nss_dns.so.1, nss_files.so.1, nss_nis.so.1, nss_nisplus.so.1, straddr.so

      Problem with /etc/group found by Eric ([email protected]).

    2. Building a statically linked ls for Solaris fails

      This is discussed in the comp.unix.solaris Frequently Asked Questions <URL:http://www.fwi.uva.nl/pub/solaris/solaris2> item 6.24 (at this moment).

    3. Linux

      Use the command ldd to find out which libraries a program uses. Also, with ELF binaries you need the ELF file loader, ld-linux.so in ~ftp/lib.

      ELF change remarked by Al Longyear ([email protected]).
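
One way to find out which libraries still have to be copied, as an added example that is not part of the original FAQ: feed the output of ldd to a filter that checks each path below the ftp root. The function names, the sample ldd output and the /home/ftp path are assumptions made for the example; the parser expects Linux-style `name => /path (address)` lines.

```sh
#!/bin/sh
# Added example: list the shared libraries named in ldd output that are not
# yet present under the anonymous ftp root.

# ldd_paths: read ldd output on stdin, print one absolute library path per line.
# Handles "name => /path (addr)" and bare "/path (addr)" lines (the ELF loader);
# entries without a path on disk (such as linux-vdso) are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    '
}

# ldd_unresolved: print the names ldd itself could not resolve.
ldd_unresolved() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# missing_in_chroot ROOT: read ldd output on stdin, print every library path
# that does not exist below ROOT.
missing_in_chroot() {
    ldd_paths | while IFS= read -r lib; do
        [ -e "$1$lib" ] || printf '%s\n' "$lib"
    done
}

# Constructed ldd output for the demonstration (not taken from a real host).
sample_ldd() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc0a5f2000)
    libc.so.6 => /lib/libc.so.6 (0x00007f1c2a000000)
    libtermcap.so.2 => /lib/libtermcap.so.2 (0x00007f1c29e00000)
    libfoo.so.1 => not found
    /lib/ld-linux.so.2 (0x00007f1c2a400000)
EOF
}

# On the ftp server itself the input would come from ldd:
#   ldd /bin/ls | missing_in_chroot /home/ftp
echo "sample: libraries missing below /home/ftp"
sample_ldd | missing_in_chroot /home/ftp
echo "sample: names ldd could not resolve"
sample_ldd | ldd_unresolved
```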

    4. Dec OSF

      Copy the static version of ls (/sbin/ls) and not the dynamic one. The static version is about 400K.
      Make passwd and group files in ~ftp/etc. Copy from /etc/sia dir to ~ftp/etc/sia the files matrixconf and siainitgood.

    5. SunOS4.1.x

      SunOS needs ~ftp/dev/zero and the libraries.

    6. AIX

      AIX comes with scripts to automate this installation.

      AIX 3.2.5 - /usr/lpp/tcpip/samples/anon.ftp
      AIX 4.1.4 - /usr/samples/tcpip/anon.ftp

      After it's done, change the mode of ~ftp/pub to something safer.

      Also, AIX comes with a 'dump' utility that can show which libraries a program uses.

      Noted by Eilon Gishri ([email protected])

    7. IRIX (6.2)

      IRIX 6.2 needs ~ftp/dev/zero and libraries. You will probably need to copy /lib/libc.so.1 to ~ftp/lib/libc.so.1 and /lib/rld to ~ftp/lib/rld. These are required by ls, compress, gtar and gzip.

      You can see what libraries a program needs by doing the following:

      
      csh# setenv _RLD_PATH /usr/lib/rld.debug
      csh# setenv _RLD_ARGS '-v -quickstart_info -stat'

      To stop seeing what libraries are needed unset the environment variables:

      csh# unsetenv _RLD_PATH
      csh# unsetenv _RLD_ARGS
      
      

    8. SCO Unix

      SCO needs /dev/socksys.

    9. BSD vs SVR4 ls

      This is a very sneaky one. To quote : The problem was that ls_short and ls_long were being defined incorrectly (since the system was compiled with a BSDish compiler, the BSD config file was used) using ls -lA and ls -lgA respectively. It turns out that the ls command was running but it was erroring out (this is because the system is actually running SVR4), since a failed ls produces output only to stderr not stdout I saw nothing for my output.

      Information from Perry A. Stupp ([email protected])

    10. It worked, until I upgraded the operating system.

      Something in the upgrade changed in your OS. Most likely : newer shared libraries. Also : other major/minor numbers in /dev. Redo the shared libs and devices after an upgrade if things like the above happen.

  9. Running wu-ftpd

    1. ftpd always says "221 Server shutting down. Goodbye."

      The directive ftpshut in the ftpaccess file points to a file that exists at that moment. Either change the directive or delete the file.

      Also, after you've used the ftpshut command, you'll need to remove the ftpshut file by hand.

    2. Anonymous ftp works fine, but real users are denied access

      Check the following :

      • Their shell is in the /etc/shells file. Note : AIX doesn't even have this file, so you need to create it for wu-ftpd.
      • Or, for AIX: get the patch from tigger.itc.virginia.edu:/pub/AIX/wu-ftpd.diffs.txt.gz which gets the shells list 'the AIX way'.
      • If you're using shadow passwords : make sure the daemon is compiled with shadow password support.

    3. ftpconversions doesn't work

      There are a lot of possible reasons, mostly having to do with the fact that some versions of tar use different command line parameters.

      • Solaris 2.4 : if you use Solaris tar, and give the commandline as /bin/tar -cf - %s, the effect will be the same as /bin/tar -cvf - %s. The -v option will add extraneous data to the stream. Solution : replace it with /bin/tar cf - %s (no leading -).
      • Also, check your 'tar' and 'compress' directives in ftpaccess.

    4. On-the-fly compression works, on-the-fly tarring, but not both.

      With Solaris 2.4 and GNU's tar-1.11.8 (configured and compiled with --disable-nls flag) use the GNU tar flag --use-compress-program=path to compression program

      sample :
      : : :.tar.Z:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/compress -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
      : : :.tar.gz:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/gzip -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP

    5. I want to use zip compression (InfoZip)

      Lines for ftpconversions :

      
       :.zip: : :/bin/unzip  -qq -p %s:T_REG|T_ASCII:O_UNCOMPRESS:UNZIP
       : : :.zip:/bin/zip -qq -r - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:ZIP
      
      
      Info-ZIP can be found at <URL:http://quest.jpl.nasa.gov/Info-ZIP/>

    6. I want a real user to be able to access the host only via ftp, not via telnet

      Create a shell for this purpose (for example, a program that says the above or a copy of /bin/true). Put this shell in /etc/shells. Change the shell of the user to that shell.
      Next : make sure mail cannot be delivered locally to the account. Because the shell is listed in /etc/shells, sendmail treats it as valid, and a user may be able to use that to start commands as that user.

      The same, for AIX.
      Use chuser (or SMIT) to set the user to login=no, su=no, telnet=no, rlogin=no.

    7. Somebody uploaded a file with a weird name

      Somebody is trying to misuse your ftp-site for transferring software (worst case scenario). Check if the directive path-filter in the ftpaccess file is something like :

      
      path-filter anonymous /etc/paths.msg ^[-A-Za-z0-9\._]*$ ^\. ^-
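
What this path-filter line accepts and rejects, shown with grep as an added example (not wu-ftpd code): the first pattern is the allowed one, every later pattern is disallowed. The function name and the sample names are constructed for the example.

```sh
#!/bin/sh
# Added example: apply the path-filter patterns above to candidate upload names.
# A name is accepted when it matches the allowed pattern and matches none of
# the disallowed patterns. grep stands in for the daemon's regex matching.

PF_ALLOWED='^[-A-Za-z0-9\._]*$'      # copied from the path-filter line
# In POSIX bracket expressions the backslash is an ordinary character, so with
# grep this class also lets a literal '\' through.

# path_filter_ok NAME -> exit status 0 when NAME would be accepted
path_filter_ok() {
    # grep is line based; a name with an embedded newline is never acceptable
    case $1 in
        *'
'*) return 1 ;;
    esac
    # LC_ALL=C keeps the A-Z and a-z ranges to plain ASCII letters
    printf '%s\n' "$1" | LC_ALL=C grep -q -e "$PF_ALLOWED" || return 1
    for pf_bad in '^\.' '^-'; do          # the two disallowed patterns
        if printf '%s\n' "$1" | LC_ALL=C grep -q -e "$pf_bad"; then
            return 1
        fi
    done
    return 0
}

# Constructed sample names.
for pf_name in 'paper.ps.gz' 'wu-ftpd_2.4.tar' '.rhosts' '-rf' 'a b' 'x;y' '...'; do
    if path_filter_ok "$pf_name"; then
        printf 'accept  %s\n' "$pf_name"
    else
        printf 'reject  %s\n' "$pf_name"
    fi
done
```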
      
      

    8. I want anonymous users to be able to upload files, but in the most secure manner possible

      In that case, set your path-filter to the one mentioned above. Make the incoming directory owned by something other than ftp (root, or nobody) with a group other than ftp (nobody). Something like :

      
      drwx-wx-wt       root    nobody        incoming

      This will allow ftp to write in the directory, but not read it. Set the upload directive in ftpaccess to something like :

      upload    /home/ftp    /incoming   yes root daemon 0400 nodirs
      
      
      One note : files get created as root and changed to the owner mentioned in the upload line. This will fail on some secure NFS setups.
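
A check for the layout described above, as an added example that is not part of the original FAQ: it compares the incoming directory with drwx-wx-wt and a non-ftp owner and group, then looks for uploaded files that are not mode 0400 and for subdirectories. The function name and the default user and group name ftp are assumptions.

```sh
#!/bin/sh
# Added example: audit an anonymous upload directory against the layout above.

# audit_incoming DIR [FTPUSER [FTPGROUP]]
#   Prints one line per finding; exit status 0 means no findings.
audit_incoming() {
    ai_dir=$1
    ai_user=${2:-ftp}       # assumed name of the anonymous ftp account
    ai_group=${3:-ftp}      # assumed name of its group
    ai_rc=0

    if [ ! -d "$ai_dir" ]; then
        echo "$ai_dir: not a directory"
        return 2
    fi

    # ls -ld prints: mode links owner group ...
    set -f
    set -- $(ls -ld "$ai_dir")
    set +f
    ai_mode=$(printf '%s' "$1" | cut -c1-10)   # drop any ACL/xattr marker
    ai_owner=$3
    ai_grp=$4

    if [ "$ai_mode" != 'drwx-wx-wt' ]; then
        echo "$ai_dir: mode is $ai_mode, expected drwx-wx-wt"
        ai_rc=1
    fi
    if [ "$ai_owner" = "$ai_user" ]; then
        echo "$ai_dir: owned by $ai_user"
        ai_rc=1
    fi
    if [ "$ai_grp" = "$ai_group" ]; then
        echo "$ai_dir: group is $ai_group"
        ai_rc=1
    fi

    # The upload line above stores files with mode 0400 ...
    ai_files=$(find "$ai_dir" -type f ! -perm 400 -print)
    if [ -n "$ai_files" ]; then
        printf '%s\n' "$ai_files" | sed 's/$/: uploaded file is not mode 0400/'
        ai_rc=1
    fi
    # ... and "nodirs" means no subdirectory should exist. find lists the
    # starting directory first, so the first line is dropped.
    ai_dirs=$(find "$ai_dir" -type d -print | sed 1d)
    if [ -n "$ai_dirs" ]; then
        printf '%s\n' "$ai_dirs" | sed 's/$/: subdirectory present despite nodirs/'
        ai_rc=1
    fi
    return $ai_rc
}

# Usage: sh audit.sh /home/ftp/incoming [ftpuser [ftpgroup]]
if [ "$#" -gt 0 ]; then
    audit_incoming "$@"
fi
```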

    9. The default umask used when a real user uploads a file is wrong

      The default umask is inherited from inetd. This can be a wrong one. There is an undocumented command line parameter -u. Edit the line in inetd.conf to something like ftpd -A -L -l -u077.

    10. I heard something about 'SITE EXEC' having a security hole

      In some Slackware distributions the _PATH_EXECPATH is set to something like /bin. Recompile wu-ftpd with it set to a special path like /bin/ftp-exec.

      To test for this hole, type (when logged in as a real user, not anonymous) :
      ftp> SITE EXEC bash -c id

      If you get a return with '200-uid=0(root) gid=0(root)' in it, you have the problem.

    11. How do I make reports more readable ?

      There are a couple of scripts to make better reports from the xferlog.

      • dumpxfer processes the xferlog and gives more humanly readable output
      • processlog script to run dumpxfer, email you the output and truncate the log
      These are available via anonymous ftp via <URL:ftp://tnt.microimages.com/tools/> both need Perl.

      I (Koos van den Hout) also wrote a Perl script to process the log, mail daily statistics and uploaded files, and create a top most downloaded files. It is available from <URL:ftp://ftp.cetis.hvu.nl/pub/koos/ftplogcheck>

      iistat generates nice transfer graphs from the xferlog file (and from a lot of other sources). Available from <URL:ftp://ftp.support.lotus.com/pub/utils/InternetServices/iisstat/iisstat.html>

    12. Incoming file transfers fail with SunOS and an NFS mounted incoming

      You get errors like :

      
      Dec 7 11:14:33 ftphost vmunix: NFS write error 13 on host fileserver
      fh 746 1 a0000 5fea7 3b5a1bd8 a0000 2 1e0a6aed
      
      
      That's a known problem. Possible solutions :
      • Have the incoming disk on the ftpserver itself
      • /etc/ftpaccess sets owner to ftp, group to a restricted group and mode to 0040 (only group read)
      Thanks to Peter Glassenbury ([email protected]) for this one.

    13. Normal ftp clients work, Netscape ftp's fail. So, passive mode doesn't work.

      Apparently ftpd needs write permission on ~ftp/dev/tcp in order to operate correctly in passive mode (Solaris). Set it to the same mode as the permissions shown by ls -lL /dev/tcp, being 666. Also read the Solaris man page for ftpd for Solaris-specific information. Changed from previous versions

      Fix:

      
      cd ~ftp/dev
      chmod 666 tcp
      
      
      Thanks to Simon Rakov ([email protected]) for this one.

    14. I want to redirect anonymous users to another machine

      That's a not-so-well-known ftpaccess feature : just add 'guestserver anon.ftp.server.hostname' to your ftpaccess file.

  10. Other things

    1. Where is the FTP protocol documented ?

      RFC959 documents the FTP protocol.

    2. How can I make my ftp-archive accessible by E-mail (ftpmail) ?

      There is a Perl-script collection available named ftpmail. It is available on a lot of ftp-sites (archie for 'ftpmail'), some of which are :

      nic.funet.fi, ftp.warwick.ac.uk, ftp.loria.fr, ftp.germany.eu.net.

  11. Credits

    A number of people deserve credit :

    (No chocolate cookies. Yet)

Last modified : Wed Sep 10 19:16:55 MET 1997
Created by : Koos van den Hout
[email protected]