BBS Shuimu Tsinghua Station: Digest Area
From: cybergene (活泼的基因), Board: Linux
Subject: wu-ftpd FAQ
Posted from: BBS Shuimu Tsinghua Station (Thu Jul 15 17:43:57 1999)
THE_URL:http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html
THE_TITLE:Frequently Asked Questions about wu-ftpd
Frequently Asked Questions about wu-ftpd, with answers
This article contains the answers to Frequently Asked Questions (FAQ)
concerning the wu-ftpd software. To submit questions (preferably with
an answer) send email to: wu-ftpd-faq@pizza.hvu.nl. If you wish to get
the latest version of this file, it is available as
Via WWW : <URL:http://www.hvu.nl/~koos/wu-ftpd-faq.html>
Via FTP : <URL:ftp://ftp.cetis.hvu.nl/pub/koos/wu-ftpd-faq.txt>
And via E-mail : Send an e-mail to wu-ftpd-faq@pizza.hvu.nl with the
subject line "send faq".
Comments : this version is still lacking details about certain
operating systems. Comments about those are welcome.
_________________________________________________________________
1. Contents of this FAQ
1. Contents of this FAQ
2. What is this document
3. What is wu-ftpd itself and this mailing list in particular ?
1. How do I subscribe/unsubscribe ?
2. Is this list archived anywhere ?
3. What are related documents ?
4. Are there any alternatives ?
4. Where do I get the wu-ftpd ?
1. Where do I get the updated version ?
2. What are the VR patches for wu-ftpd ?
3. What is BeroFTPD ?
5. Compiling the wu-ftpd
1. cc complains about strunames, typenames, modenames, ..
being undeclared.
2. I don't have yacc
3. wu-ftpd doesn't 'see' that users are in multiple groups.
4. I get "conflicting types for `realpath'"
5. wu-ftpd doesn't use the shadow passwords on my Linux
machine.
6. It doesn't compile at all on newer Linux installs. The
error is :
7. The timezone in the xferlog is wrong
8. The timezone in the ls output is wrong
9. Digital Unix doesn't log commands after an anonymous
user logs in
10. install fails with 'install: ..'
11. Digital Unix (The Unix Formerly Known As OSF/1) and
Enhanced C2 security,
12. It doesn't compile at all on Digital Unix, errors about
struct timeval
13. What should I do to be able to use wu-ftpd in a HP-UX
10.01
14. What should I do for HP-UX 10.10 to make it work
completely.
15. Installation notes for HP-UX 10.20.
6. Special compilation options/fixes
1. I need to authenticate real users via AFS
2. I need to use S/KEY authorisation
3. I want to block certain default addresses (IE30User@,
mozilla@)
7. Installing the wu-ftpd
1. Command-line options for wu-ftpd
2. Testing on a different port number than ftp
3. Not all command line parameters seem to be used by
wu-ftpd
8. Are there year 2000 issues with wu-ftpd?
9. The ftpaccess file
1. Some files (banners, etc) don't get shown to anonymous
users.
2. What is the exact format of the <times> parameter in the
"limit"
3. What tools are there to check the configuration
4. Why does %M produce (Max unlimited) on the login banner
10. Programs (ls, gzip, tar) work for real users, not for
anonymous users, giving errors like 425 Can't create data
socket (0.0.0.0,20): Bad file number or simply no output.
1. Solaris
2. Building a statically linked ls for Solaris fails
3. Linux
4. Dec OSF
5. SunOS4.1.x
6. AIX
7. IRIX (5.3, 6.2)
8. SCO Unix
9. BSD vs SVR4 ls
10. It worked, until I upgraded the operating system.
11. Running wu-ftpd
1. ftpd always says "221 Server shutting down. Goodbye."
2. Anonymous ftp works fine, but real users are denied
access
3. ftpconversions doesn't work
4. On-the-fly compression works, on-the-fly tarring, but
not both.
5. I want to use zip compression (InfoZip)
6. I want a real user to be able to access the host only
via ftp, not via telnet
7. Somebody uploaded a file with a weird name
8. I want anonymous users to be able to upload files, but
in the most secure manner possible
9. The default umask used when a real user uploads a file
is wrong
10. I heard something about 'SITE EXEC' having a security
hole
11. How do I make reports more readable ?
12. Incoming file transfers fail with SunOS and an NFS
mounted incoming
13. Normal ftp clients work, Netscape ftp's fail. So,
passive mode doesn't work.
14. I made a symbolic link within the anonymous tree and it
doesn't work for the anonymous users.
15. I want to redirect anonymous users to another machine
16. ftpd stops accepting connections when a lot of
connections come in.
17. Running wu-ftpd on a *large* site
18. Only the first 8 characters of the anonymous username
are received by the server.
19. wu-ftpd fails with '500 Illegal PORT Command' under AIX
4.3
20. I want to host multiple ftp servers on the same machine
21. I just upgraded and now nobody can log in. It worked
before.
12. Other things
1. Where is the FTP protocol documented ?
2. How can I make my ftp-archive accessible by E-mail
(ftpmail) ?
13. Credits
2. What is this document
This is the FAQ (frequently asked questions) for newer versions of
wu-ftpd as maintained at ftp.academ.com.
Note: The various addresses used in this document are for
contacting the authors on subjects mentioned in this document.
Using these addresses for sending unsolicited E-mail is forbidden.
3. What is wu-ftpd itself and this mailing list in particular ?
Wuarchive-ftpd, more affectionately known as wu-ftpd, is a
replacement ftp daemon for Un*x systems developed at Washington
University (*.wustl.edu) by Bryan D. O'Connor. (who is no longer
working on it or supporting it!) wu-ftpd is the most popular ftp
daemon on the Internet, used on many anonymous ftp sites all
around the world.
This mailing list is for discussing problems with maintaining this
daemon and ftp-sites where it is used.
1. How do I subscribe/unsubscribe ?
To subscribe, send a mail message with a body of SUBSCRIBE
WU-FTPD <your full name> to the list server
listproc@mail.wustl.edu.
To unsubscribe, send a mail message with a body of
UNSUBSCRIBE WU-FTPD to the list server
listproc@mail.wustl.edu.
To send mail to all people on the list, send it to
wu-ftpd@mail.wustl.edu.
2. Is this list archived anywhere ?
YES. There are two archives. An 'older' one, at
<URL:http://www.osat.hq.nasa.gov/wuarchive.html>. This
archive can be searched, and is created and maintained by
Judy Pellerin (judy@machina.oact.hq.nasa.gov). At this
moment (February 1997) I cannot reach this host.
An archive from June 1994 until recent, reachable via WWW at
<URL:http://www.landfield.com/wu-ftpd/mail-archive>, and via
ftp at <URL:ftp://ftp.landfield.com/wu-ftpd/mail-archive>.
The search page is at
<URL:http://www.landfield.com/wu-ftpd/mail-archive/search.html>
This archive is maintained by Kent Landfield
(kent@landfield.com).
3. What are related documents ?
The RFC's that describe the FTP protocol are rfc959 and
rfc1579. A possible location to get these is :
<URL:http://info.internet.isi.edu:80/in-notes/rfc/files/rfc959.txt>
<URL:http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1579.txt>
The Academ wu-ftpd pages at
<URL:http://www.academ.com/academ/wu-ftpd/>.
Kent Landfield maintains a resource center to collect all
wu-ftpd related links at
<URL:http://www.landfield.com/wu-ftpd/>
Darci Chapman maintains the Solaris/wu-ftpd howto guide at
<http://www.teleport.com/~minerva/wu-ftpd/wuftpd.htm> URL
not valid at the moment, what is the new location ?
The manpage for wu-ftpd can be viewed online at
<URL:http://www.academ.com/cgi-bin/bsdi-man?proto=1.1&apropos=0&msection=local&query=ftpd>
with the manpage for ftpaccess in
<URL:http://www.academ.com/cgi-bin/bsdi-man?proto=1.1&query=ftpaccess&msection=5&apropos=0>
'ANONYMOUS FTP CONFIGURATION GUIDELINES'
A set of guidelines from CERT (Computer Emergency Response
Team) about setting up anonymous ftp.
<URL:ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config>
<URL:ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_abuses>
'How to set up a secure ftp server'
A file describing how to set up anonymous ftp in general in a
secure way, avoiding misuse.
<URL:ftp://sunsite.unc.edu/pub/sun-info/sun-faq/FAQs/SettingUpSecureFTP.faq>
'guestgroup howto'
A document describing the set up of guestgroups in the
wu-ftpd server. At this moment this is a separate document
from this FAQ.
<URL:ftp://ftp.fni.com/pub/wu-ftpd/guest-howto>
A document describing virtual ftp servers
<URL:http://www.westnet.com/providers/multi-wu-ftpd.txt>
Ftpaccess on virtual ftp servers
<URL:ftp://ftp.meme.com/pub/software/wu-ftpd-2.4.2/README.ALT.FTPACCESS>
upload.configuration.HOWTO
<URL:ftp://ftp.vr.net/pub/wu-ftpd/upload.configuration.HOWTO>
How to set up the upload configuration for 2.4.2 Beta 18
VR14.
Read these. A session like the following, in which the anonymous
ftp account gets an interactive shell over telnet, should not be
possible :
#> telnet xxx.yyy.nl
Trying XXX.XXX.XXX.XXX ...
Connected to xxx.yyy.nl.
Escape character is '^]'.
SunOS UNIX (xxx.yyy.nl)
login: ftp
Last login: Sat Oct 28 22:11:36 from xxxxxx.xxx.xxx.nl
SunOS Release 4.1.3 (HSIS_X25) #1: Wed Apr 7 14:19:15 MET DST 1993
%>
Note that login did not even ask for a password. The ftp account
needs a locked password field and a shell that is not a real login
shell.
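As an added example (not code from the FAQ or from wu-ftpd), the check below flags an ftp account that could log in interactively the way the telnet session above shows. The passwd lines and the /etc/shells list are constructed samples; on a real host read /etc/passwd and /etc/shells instead. It assumes a password field starting with '*' or '!' is locked (conventions differ per OS) and treats 'x' as "look in the shadow file".

```python
"""Flag an ftp account that could get an interactive login.

Added example, not part of the FAQ or wu-ftpd.  SAMPLE_PASSWD and
SAMPLE_SHELLS are constructed; 'locked' means a password field starting
with '*' or '!' (an assumption), 'x' means the hash is in the shadow file.
"""

# Constructed sample: 'ftp' is the broken case from the telnet session
# (empty password field, real shell); 'ftp-ok' is what you want.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
ftp::14:50:Anonymous FTP:/home/ftp:/bin/sh
ftp-ok:*:15:50:Anonymous FTP:/home/ftp:/bin/false
"""
SAMPLE_SHELLS = ["/bin/sh", "/bin/csh", "/bin/ksh"]

LOCKED_PREFIXES = ("*", "!")


def account_login_risks(passwd_text, shells, account="ftp"):
    """Return the reasons `account` could get an interactive login.

    Per passwd(5) entry for `account`:
      - an empty password field: login(1) asks for no password at all;
      - 'x': the hash lives in the shadow file, check it is locked there;
      - anything else not starting with '*' or '!': a live hash;
      - a login shell listed in /etc/shells, which login/telnet accept.
    A locked account whose shell is not in /etc/shells yields [].
    """
    problems = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or fields[0] != account:
            continue
        pw, shell = fields[1], fields[6]
        if pw == "":
            problems.append("empty password field: no password is asked for")
        elif pw == "x":
            problems.append("password is in the shadow file: check it is locked there")
        elif not pw.startswith(LOCKED_PREFIXES):
            problems.append("password hash is live, not locked")
        if shell in shells:
            problems.append("login shell %s is listed in /etc/shells" % shell)
    return problems


if __name__ == "__main__":
    for name in ("ftp", "ftp-ok"):
        print(name, account_login_risks(SAMPLE_PASSWD, SAMPLE_SHELLS, name) or "ok")
```

wu-ftpd itself never checks the ftp account's password field for anonymous logins, so a live hash or an empty field only helps the other login paths (telnet, rlogin, su); that is exactly why the field must be locked and the shell must be something like /bin/false.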
4. Are there any alternatives ?
Troll Ftpd, a free ftpserver, available from
<URL:http://www.troll.no/freebies/ftpd.html>
FileDrive, a commercial fileserver which needs its own
clients, available from <URL:http://www.filedrive.com/>
NcFTPd server, commercial server (free for educational
domains), available from <URL:http://www.ncftpd.com/>
ProFTPD, a free ftpserver (GPL), available from
<URL:http://www.proftpd.org/>
4. Where do I get the wu-ftpd ?
The original wu-ftpd home is wuarchive.wustl.edu, but with the
current developments in the beta versions it's better to use the
latest beta, especially for security reasons. The current
developments in beta's make it stable enough for production use.
1. Where do I get the updated version ?
The version at wuarchive is the last one created there. On the
mailing list, an updated version has been created which is
maintained by Stan Barber (sob@owlman.academ.com).
You can get this beta by ftp from the directory :
ftp://ftp.academ.com/pub/wu-ftpd/private/ the directory is
not browsable, a .message file will point you to what is the
latest version. Read this .message. Yes, this works better if
you use a real ftp client instead of a browser.
Remember, these are BETA versions. Before asking/trying
anything, check first that you have the latest version.
2. What are the VR patches for wu-ftpd ?
The VR-series offers a number of enhancements and bug fixes
not available in the base beta-18 version.
Available from : <URL:ftp://ftp.vr.net/pub/wu-ftpd/>
3. What is BeroFTPD ?
BeroFTPD is a derivative of wu-ftpd with extra functionality
for virtual hosts. Patches from the VR versions are included.
Available from:
<URL:ftp://beroftpd.unix.eu.org/pub/BeroFTPD/>
<ftp://ftp.croftj.net/usr/bero/BeroFTPD/>
<ftp://ftp.sunet.se/pub/nir/ftp/servers/BeroFTPD/>
<ftp://sunsite.cnlab-switch.ch/mirror/BeroFTPD/>
5. Compiling the wu-ftpd
In general, editing src/pathnames.h and typing build arch
should be enough.
1. cc complains about strunames, typenames, modenames, .. being
undeclared.
This error is fully explained in the INSTALL/INSTALL.orig
file in wu-ftpd package. A few relevant lines :
If cc complains about strunames, typenames, modenames, ... being undefined
you need to install support/ftp.h as /usr/include/arpa/ftp.h (always make
a backup of the old ftp.h just in case!) and do the build again. The new
ftp.h should be a compatible superset of your existing ftp.h, so you
shouldn't have problems with this replacement.
2. I don't have yacc
Replace yacc with bison -y in the Makefile.
3. wu-ftpd doesn't 'see' that users are in multiple groups.
This is fixed in the beta versions.
4. I get "conflicting types for `realpath'"
This is a bug in your unistd.h. Add the following to the end
of the config.xxx file used for your system:
#define realpath realpath_on_steroids /* hack to work around unistd.h */
5. wu-ftpd doesn't use the shadow passwords on my Linux machine.
First check whether compiling it normally produces a working
ftpd with shadow password support. The latest beta versions
automatically use shadow support if it is needed and
available. Since older Linux distributions don't include
shadow passwords (this got fixed around libc 5.3), wu-ftpd
assumes Linux does not have shadow passwords. To compile for
shadow passwords with Linux :
o Get the shadow.h from the latest shadow package.
o After building the shadow package, you have a
libshadow.a.
o Copy shadow.h to the src dir.
o Copy libshadow.a to the support dir.
o Edit src/config.h to say '#define SHADOW_PASSWORD'
instead of #undef.
o Edit the LIBES line in src/Makefile to read :
LIBES = -lsupport -lbsd -lshadow (for some releases,
-lcrypt is also needed)
Modify src/ftpd.c around line 1061 to read :
xpasswd = pw_encrypt(passwd, salt);
6. It doesn't compile at all on newer Linux installs. The error
is :
Add the item -DDIRENT_ILLEGAL_ACCESS to the CFLAGS line in
src/makefiles/Makefile.lnx.
7. The timezone in the xferlog is wrong
Either you compiled with support for setting the process
title (SPT_TYPE) on a system that doesn't support this;
there, changing the process title clobbers the environment
and so wipes out the TZ variable. Recompile with SPT_TYPE set
to SPT_NONE.
Systems which don't support SPT_TYPE : AIX, SGI IRIX.
Or, you need to copy the zoneinfo files to the ~ftp tree too.
These are :
/etc/TIMEZONE
/etc/default/init
/usr/share/lib/zoneinfo/..
The name of the correct file in /usr/share/lib/zoneinfo depends
on your current timezone. Exact filenames depend on your
operating system too. See the manpages for timezone(4) and
zic(1M).
8. The timezone in the ls output is wrong
See above, but also check if your system needs
/etc/default/init (Solaris 2.5 for example) for setting the
correct TZ variable. This file has to be in chrooted
environments too then.
Noted by Francois Belanger (francois@goltier.com).
Digital Unix needs /etc/zoneinfo/localtime.
9. Digital Unix doesn't log commands after an anonymous user
logs in
The syslog system calls in Digital Unix are a bit different.
The following text describes how to fix this.
The standard Digital ftpd does log the commands after the chroot and Benoit
Maillard (maillard@fgt.dec.com) told me that it was because they don't use
the standard system calls.
While looking at the distribution files, I've found a syslog.c file in support
directory and I've modified the Makefile.osf in support/makefiles to include
it in the library.
There were 2 compilation errors on this file, in fact one warning and one
error.
The warning is on
if ((p = malloc(strlen(ident) + 1)) == NULL)
and to suppress it, modify it to
if ((p = (char *)malloc(strlen(ident) + 1)) == NULL)
The error was on the redefinition of openlog (or closelog). It comes from the
fact that these calls are redefined in <syslog.h>
extern int openlog __((const char *, int, int));
extern int syslog __((int, const char *, ...));
extern void closelog __((void));
extern int setlogmask __((int));
So I've copied /usr/include/syslog.h into the support directory and I've
modified it by removing these lines. Then I've modified syslog.c by replacing
#include <syslog.h> with #include "syslog.h"
So now all is working fine and even for anonymous users the commands are logged
correctly as for real users in the daemon.log file.
Written on the mailing list by Daniel Clar
(Daniel.Clar@supelec.fr).
10. install fails with 'install: ..'
The makefile is set up for the BSD version of the install
program. Some OSes (including Solaris) use the SVR4 version.
In that case set in the makefile :
INSTALL = /usr/ucb/install
11. Digital Unix (The Unix Formerly Known As OSF/1) and Enhanced
C2 security,
The needed changes seem to depend on which version of Digital
Unix you run. For Digital Unix 4.0 the LIBES line just has to
be the default LIBES = -lsupport and the change in crypt() is
not needed.
Make these changes to ./src/config/config.osf :
#define SecureWare
#include <sys/secdefines.h>
#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
and add the following to ./src/makefiles/Makefile.osf
LIBES = -lsupport -lsecurity -laud
And change all occurrences of crypt() to bigcrypt().
To run, you'll need to copy the entire contents of /etc/sia
to ~ftp/etc/sia. Easiest way to do this is :
# cd /etc
# tar -cvf - sia | (cd ~ftp/etc;tar -xpf -)
Also, to make passwords longer than 8 characters work, another
change is needed. Change the line:
crypt_alg = AUTH_CRYPT_OLDCRYPT;
to
crypt_alg = AUTH_CRYPT_BIGCRYPT;
Parts of this provided by Andrew C. Saylor
(asaylor@comsource.net).
12. It doesn't compile at all on Digital Unix, errors about
struct timeval
Add #include <cma.h> to ./src/ftpd.c, directly after the include
of config.h, so the top of the file reads :
#define SPT_SCO 6 /* write kernel u. area */
/* FTP server. */
#include "config.h"
#include <cma.h> /* <-- add this */
#include <sys/types.h>
Information provided by Andrew C. Saylor (asaylor@comsource.net).
13. What should I do to be able to use wu-ftpd in a HP-UX 10.01
To compile for trusted systems you only need a few changes.
In file src/config.h change the line
#undef SHADOW_PASSWORD
to
#define SHADOW_PASSWORD
In file src/makefiles/Makefile.hpx, the LIBES line should look
like this:
LIBES = -lsupport -lc -lPW -lsec
The root password is crypted in a different way than the ones for
normal users. It is necessary to use the bigcrypt function
call. Here are the needed changes in the source code:
In file src/ftpd.c, at the beginning:
#ifdef _HPUX_SOURCE
#include <hpsecurity.h>
#include <prot.h>
#endif
and, in the same file, in function pass(), you should be able
to identify the segments of code where this fits:
char *xpasswd,
*bpasswd,*salt;
#ifdef KERBEROS
xpasswd = crypt16(passwd, salt);
#else
xpasswd = crypt(passwd, salt);
bpasswd = bigcrypt(passwd, salt); /* <-- THIS IS THE HOT THING */
#endif
#ifdef ULTRIX_AUTH
if ((numfails = ultrix_check_pass(passwd, xpasswd)) < 0) {
#elif defined(_HPUX_SOURCE)
if (pw == NULL || *pw->pw_passwd == '\0' ||
(strcmp(xpasswd, pw->pw_passwd) &&
strcmp(bpasswd, pw->pw_passwd))) { /* <-- ALSO THIS */
#else
/* The strcmp does not catch null passwords! */
if (pw == NULL || *pw->pw_passwd == '\0' ||
strcmp(xpasswd, pw->pw_passwd)) {
#endif
reply(530, "Login incorrect.");
Information provided by Jose Luis Martinez Garcia
(jluis@sitecal.es).
14. What should I do for HP-UX 10.10 to make it work completely.
If the above doesn't work, some more notes :
/usr/include/shadow.h: This *system* file had an apparent typo that caused
gcc to fail. I changed the following statement:
extern int lckpwdf(void),
to
extern int lckpwdf(void);
Notes provided by Chuck Davis (cdavis@wrair-amss.army.mil).
Extra remark: On a trusted system HP's getpwnam does not supply the encrypted
password. Instead you have to use getprpwnam. Modify ftpd.c to use getprpwnam.
pr_pw = getprpwnam(pw->pw_name); /* get shadow password */
xpasswd = crypt(passwd, pr_pw->ufld.fd_encrypt);
bpasswd = bigcrypt(passwd, pr_pw->ufld.fd_encrypt);
15. Installation notes for HP-UX 10.20.
A complete set of installation notes for wu-ftpd on HP-UX 10.20:
I installed wu-ftp2.4 on a clean HPUX 10.20 build. The 10.20 build came
straight from HP, and the only important difference on this build from
a generic build is that the X-libs and X-utils were stripped out
(something I would recommend if you are building an HP 10.20 for ftp
only).
- Get both the wu-ftp2.4 package and the current ansi-c compiler
package (I got mine from HP, you can request the package
ansic.hp-10.20.tar.gz)
- Uncompress and untar the C package first (HP comes with a standard c
compiler, but it is only useful in the kernel compiling and doesn't
function well outside of doing kernel work).
Follow the README/INSTALL docs for installing the c compiler. Make sure
you put this new compiler in your path, or do some editing whenever you
use cc to point to this compiler and not the default.
- Build wu-ftpd normally
- Set up the server
- Special notes about tuning for heavy load:
The ftp servers that I maintain are heavily hit and some kernel
configuration was required to allow more heavy load on lock files and
multiple access to the same file. This was all done through SAM. An
important thing to keep in mind on a heavily accessed machine is that
the fin_wait state needs to be lowered enough to keep open file locks
at a minimum. I set all of my fin_waits to 5 minutes or less.
6. Special compilation options/fixes
This section deals with specialities in compilation for
certain situations.
1. I need to authenticate real users via AFS
Edit the Makefile for your OS to add the AFS
libs/includes. They only appear in the Makefile for AIX.
Then, add the following line to the #include section of
src/ftpd.c :
#include <afs/stds.h>
Noted by Perry L. Morgan (pmorgan@uceng.uc.edu).
2. I need to use S/KEY authorisation
Michael Brennen (mbrennen@fni.com) wrote on the list:
The general SKEY procedure is something like this:
The last thing in config.h is an #undef SKEY; comment that out. That is
a gotcha that can take some time to find, although that doesn't seem to
be the problem.
Copy skey.h into the src directory.
Copy libskey.a into the support directory.
Edit the appropriate Makefile.* in src/makefiles and add the following:
add "-DSKEY" to the CFLAGS macro;
add "-lskey" to the LIBES macro.
That should do it; if not, holler back.
3. I want to block certain default addresses (IE30User@,
mozilla@)
Andy Church has written a patch for this (relative to
beta-16). Available from
<URL:ftp://achurch.dragonfire.net/wu-ftpd/deny-email.patch>.
Look in the same directory for more information.
7. Installing the wu-ftpd
In general, change the line for the ftp-server in
/etc/inetd.conf (the file that defines the servers started by
inetd. For some operating systems, this is another file).
1. Command-line options for wu-ftpd
With the latest versions, using no command-line options
puts the daemon in a default mode in which it does not
parse the ftpaccess file at all, so none of the classes,
limits, path-filters or upload rules configured there take
effect. Add the option -a to the command line in inetd.conf.
2. Testing on a different port number than ftp
You can test the wu-ftpd on a different port by adding
two ports with consecutive numbers in /etc/services, and
then starting wu-ftpd on these ports. Add to
/etc/services something like :
ftptest 4021/tcp #command port
ftptest-data 4020/tcp #data port
Then start wu-ftpd from /etc/inetd.conf like :
ftptest stream tcp nowait root /usr/etc/in.ftpd in.ftpd
The key is the name 'ftptest' which associates the port
assignment in the /etc/services file to that in the
inetd.conf file. Make certain the choice of ports in
/etc/services (4021 and 4020 above) are from the local
use list and don't conflict with other port assignments
(see RFC1700, ASSIGNED NUMBERS). One important subtlety.
The data port is not really derived from the data port
declaration in the /etc/services file. The FTP
specification (RFC765) states the data port is defined
as one less than the command port. However, including
the data port declaration in the /etc/services file
prevents it from being accidentally assigned to
something else.
From a mail by W. James Showalter
(gamma@mintaka.disa.mil)
3. Not all command line parameters seem to be used by
wu-ftpd
Your inetd probably drops arguments beyond a fixed count
(4 or 5, depending on the inetd). You can use the following
wrapper program to supply the additional arguments :
/* wrapper for wuftpd to add command line arguments
   that don't fit under inetd */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strerror() */
#include <unistd.h>
#include <errno.h>
#include <syslog.h>

int main(int argc, char **argv)
{
    const char *path = "/local-adm/bin/ftpd";  /* the real daemon */
    const char *cmd = "ftpd";                  /* its argv[0] */

    (void)argc;
    (void)argv;                 /* inetd's own arguments are ignored */
    fflush(stderr);
    fflush(stdout);
    errno = 0;
    /* On success execl() never returns: the daemon takes over this
       process and the connected socket inetd left on stdin/stdout. */
    execl(path, cmd, "-a", "-l", "-L", "-u022", (char *)NULL);
    /* Only reached if the exec failed. Log the reason with an explicit
       format string rather than passing the message as the format. */
    openlog("wrapftpd", LOG_PID, LOG_LOCAL6);
    syslog(LOG_WARNING, "execl %s: %s", path, strerror(errno));
    closelog();
    exit(EXIT_FAILURE);
}
Code from Albert Lunde (Albert-Lunde@nwu.edu)
8. Are there year 2000 issues with wu-ftpd?
The original version of wu-ftpd had a year 2000
representation problem. No internal workings of wu-ftpd
were affected by this problem.
This problem has been fixed in wu-ftpd 2.4.2 beta 14 which
was published August 1997. With this fix, wu-ftpd is believed
to be completely Y2K-compliant.
The fix that was applied :
The following statement appears in ftpcmd.y. It is part of
the action for the syntax: MDTM check_login SP pathname CRLF
reply(213,
"19%02d%02d%02d%02d%02d%02d",
t->tm_year, t->tm_mon+1, t->tm_mday,
t->tm_hour, t->tm_min, t->tm_sec);
The 19%02d needs to be changed to %04d and t->tm_year needs to be
changed to t->tm_year + 1900:
reply(213,
"%04d%02d%02d%02d%02d%02d",
t->tm_year + 1900, t->tm_mon+1, t->tm_mday,
t->tm_hour, t->tm_min, t->tm_sec);
9. The ftpaccess file
1. Some files (banners, etc) don't get shown to anonymous
users.
When an anonymous user is logged in, banner files are
opened relative to the root of the anonymous user (the
chroot directory). Keep this in mind. It can be useful to
have 2 sets of banners or to use links.
2. What is the exact format of the <times> parameter in the
"limit"
This is a format consisting of day and time parameters.
Possible items : Sa, Su, Mo, .. , Any (for any day), and a
time range as HHMM-HHMM. Alternatives are separated by |.
For example : SaSu|Any1800-0700 means all of Saturday and
Sunday, or any day between 18:00 and 07:00.
Check that ftpd inherits the correct time zone (see the
timezone items above), since the times are compared against
the local clock.
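As an added example (not code from the FAQ or from wu-ftpd), here is a parser for that <times> format together with a matcher you can feed a date and time to see whether a limit clause would apply at that moment. The FAQ only gives one example, so the following are assumptions: day codes are the two-letter abbreviations plus Any, and also Wk for Monday to Friday as listed in ftpaccess(5); a clause without a day part applies to any day; the start of a time range is inclusive and the end exclusive; a range whose end is below its start (1800-0700) wraps past midnight. The comparison uses the wall-clock time of the datetime you pass in, which is the reason the FAQ tells you to check the TZ the daemon inherits.

```python
"""Parser and matcher for the <times> field of the ftpaccess limit
directive.  Added example, not part of the FAQ or wu-ftpd; the day codes,
'no day means any day', inclusive start / exclusive end and the wrap past
midnight are assumptions about the format, not taken from the source.
"""
import datetime as dt
import re

# datetime.weekday(): Monday == 0 ... Sunday == 6
DAY_CODES = {"Mo": 0, "Tu": 1, "We": 2, "Th": 3, "Fr": 4, "Sa": 5, "Su": 6}
_CLAUSE = re.compile(r"^((?:Any|Wk|Mo|Tu|We|Th|Fr|Sa|Su)*)(?:(\d{4})-(\d{4}))?$")
_DAY = re.compile(r"Any|Wk|Mo|Tu|We|Th|Fr|Sa|Su")


def _hhmm(text):
    """'1830' -> 1830, rejecting impossible hours or minutes."""
    hour, minute = int(text[:2]), int(text[2:])
    if hour > 24 or minute > 59 or (hour == 24 and minute != 0):
        raise ValueError("bad time %r" % text)
    return hour * 100 + minute


def parse_times(spec):
    """Turn 'SaSu|Any1800-0700' into [(days, range), ...] where days is a
    set of weekday numbers and range is (start, end) in HHMM or None."""
    clauses = []
    for part in spec.split("|"):
        match = _CLAUSE.match(part)
        if not part or not match:
            raise ValueError("bad times clause %r in %r" % (part, spec))
        day_str, start, end = match.groups()
        days = set()
        for code in _DAY.findall(day_str):
            if code == "Any":
                days.update(range(7))
            elif code == "Wk":            # weekdays, as in ftpaccess(5)
                days.update(range(5))
            else:
                days.add(DAY_CODES[code])
        if not days:                      # no day part: any day (assumption)
            days.update(range(7))
        rng = (_hhmm(start), _hhmm(end)) if start else None
        clauses.append((days, rng))
    return clauses


def times_match(spec, when):
    """True if `when` (a datetime in the server's local time) falls inside
    any clause of `spec`; start inclusive, end exclusive."""
    now = when.hour * 100 + when.minute
    for days, rng in parse_times(spec):
        if when.weekday() not in days:
            continue
        if rng is None:
            return True
        start, end = rng
        if start <= end:
            if start <= now < end:
                return True
        elif now >= start or now < end:   # range wraps past midnight
            return True
    return False


def times_match_at(spec, year, month, day, hour, minute):
    """Convenience wrapper taking the moment as plain integers."""
    return times_match(spec, dt.datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    spec = "SaSu|Any1800-0700"
    for moment in (dt.datetime(2024, 1, 6, 12, 0), dt.datetime(2024, 1, 8, 12, 0),
                   dt.datetime(2024, 1, 9, 3, 0)):
        print(moment.strftime("%a %H:%M"), times_match(spec, moment))
```

Run it against the clauses from your own ftpaccess before relying on them; a limit that silently never matches (a typo in a day code, or a range that does not wrap the way you expected) is the kind of thing only noticed when the server is already overloaded.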
3. What tools are there to check the configuration
ftpcheck found at
<URL:ftp://ftp.cle.ab.com/pub/ftpcheck.v2.3>
4. Why does %M produce (Max unlimited) on the login banner
All counts and maximums depend on which class the user
is in, and the class is unknown before login (since
wu-ftpd takes realuser/anonymous/guestuser as a variable
for calculating which class a user is in).
10. Programs (ls, gzip, tar) work for real users, not for
anonymous users, giving errors like 425 Can't create data
socket (0.0.0.0,20): Bad file number or simply no output.
First, consider whether you can relink them statically so
that no shared libraries are needed inside the chroot. You can
get the GNU fileutils from :
<URL:ftp://prep.ai.mit.edu/pub/gnu/fileutils-3.16.tar.gz>
(version numbers may vary).
For different operating systems, different libraries and/or
devices are needed. You can test whether things are set up
correctly by doing a chroot to the ftp home directory. To test
whether /bin/ls works in the ~ftp tree, type (as root) :
chroot ~ftp /bin/ls
Or, the partition is mounted nosuid, which gives the same
error under SunOS or Solaris; more information on the page
<URL:http://www.stokely.com/stokely/sunservice.tips/11991.html>
1. Solaris
First, have a look at the manpage for the original
in.ftpd(1m). It has a script for setting everything up.
Solaris needs ~ftp/dev/tcp and ~ftp/dev/zero and the
libraries. Check the man-page for your Solaris version
for exact details. Use the command ldd to find out
which libraries a program uses. Also, the ~ftp/etc/group
file is needed for ls to work; without it ls will just
dump core. Follow the same rules as for /etc/passwd :
not too much information in that file, like group
passwords (if you have those).
Needed libraries can include :
ld.so, ld.so.1, libc.so.1, libdl.so.1, libintl.so.1,
libmp.so.1, libnsl.so.1, libsocket.so.1, libw.so.1,
nss_compat.so.1, nss_dns.so.1, nss_files.so.1,
nss_nis.so.1, nss_nisplus.so.1, straddr.so
Problem with /etc/group found by Eric
(ewedaa@kset.com).
2. Building a statically linked ls for Solaris fails
This is discussed in the comp.unix.solaris Frequently
Asked Questions
<URL:http://www.fwi.uva.nl/pub/solaris/solaris2> item
6.24 (at this moment).
3. Linux
Use the command ldd to find out which libraries a
program uses. Also, with ELF binaries you need the ELF
file loader, ld-linux.so in ~ftp/lib.
ELF change remarked by Al Longyear (longyear@sii.com).
4. Dec OSF
Copy the static version of ls (/sbin/ls) and not the
dynamic one. The static version is about 400K.
Make passwd and group files in ~ftp/etc. Copy from
/etc/sia dir to ~ftp/etc/sia the files matrixconf and
siainitgood.
5. SunOS4.1.x
SunOS needs ~ftp/dev/zero, ~ftp/dev/tcp and the
libraries. Check permissions on the device files.
6. AIX
AIX comes with scripts to automate this installation.
AIX 3.2.5 - /usr/lpp/tcpip/samples/anon.ftp
AIX 4.1.4 - /usr/samples/tcpip/anon.ftp
After it's done, change the mode of ~ftp/pub to
something safer.
Also, AIX comes with a 'dump' utility that can show
which libraries a program uses.
Noted by Eilon Gishri (eilon@aristo.tau.ac.il)
7. IRIX (5.3, 6.2)
IRIX 6.2 needs ~ftp/dev/zero and libraries. To create
/dev/zero, check its current major and minor number
with :
ls -lL /dev/zero
And then create it in ~ftp using :
cd ~ftp/dev
mknod zero c <major> <minor>
cd ..
chmod 555 dev
You will probably need to copy /lib/libc.so.1 to
~ftp/lib/libc.so.1 and /lib/rld to ~ftp/lib/rld. These
are required by ls, compress, gtar and gzip.
You can see what libraries a program needs by doing the
following:
csh# setenv _RLD_PATH /usr/lib/rld.debug
csh# setenv _RLD_ARGS '-v -quickstart_info -stat'
To stop seeing what libraries are needed unset the
environment variables:
csh# unsetenv _RLD_PATH
csh# unsetenv _RLD_ARGS
Useful information on Irix also in the IRIX Insight Library
(Online Books) in the book/chapter "IRIX Admin:
Networking and Mail" in the paragraph "How to Set Up a
Proper Anonymous FTP Account". Information from Frans
Stekelenburg (gjs@knmi.nl) and Jim Davis
(jdavis@cs.arizona.edu)
8. SCO Unix
SCO needs /dev/socksys.
9. BSD vs SVR4 ls
This is a very sneaky one. To quote : The problem was
that ls_short and ls_long were being defined incorrectly
(since the system was compiled with a BSDish compiler,
the BSD config file was used) using ls -lA and ls -lgA
respectively. It turns out that the ls command was
running but it was erroring out (this is because the
system is actually running SVR4), since a failed ls
produces output only to stderr not stdout I saw nothing
for my output.
Information from Perry A. Stupp (pstupp@i-com.com)
10. It worked, until I upgraded the operating system.
Something in the upgrade changed in your OS. Most likely
: newer shared libraries. Also : other major/minor
numbers in /dev. Redo the shared libs and devices after
an upgrade if things like the above happen.
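The per-OS items above all come down to the same procedure: run ldd on each helper (ls, tar, gzip), copy what it lists into the same path under ~ftp, and redo that after an OS upgrade. As an added example (not code from the FAQ or from wu-ftpd), the script below parses ldd output and reports which objects are still missing under a chroot directory. The ldd text is a constructed sample, not captured from any host; demo_plan() builds a scratch chroot in a temporary directory so it can run anywhere, while on a real server you would call chroot_plan(ldd_output, "/home/ftp"). Device nodes (~ftp/dev/zero, ~ftp/dev/tcp) and ~ftp/etc/group are not something ldd knows about, so they still have to be checked by hand.

```python
"""Work out which shared objects a chrooted helper still needs.

Added example, not part of the FAQ or wu-ftpd.  parse_ldd() understands
the line shapes ldd prints on Linux and Solaris: 'soname => /path (addr)',
'/path (addr)' for the loader itself, and '=> not found'.  SAMPLE_LDD is
a constructed sample.
"""
import os
import re
import tempfile

SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd0f5f8000)
\tlibc.so.6 => /lib/libc.so.6 (0x00007f1b2c000000)
\tlibfoo.so.1 => not found
\t/lib/ld-linux.so.2 (0x00007f1b2c300000)
"""

_LDD_LINE = re.compile(
    r"^\s*(?:(\S+)\s+=>\s+)?(.+?)(?:\s+\(0x[0-9a-fA-F]+\))?\s*$")


def parse_ldd(text):
    """Return (soname, host_path) pairs from ldd output.

    host_path is None when ldd itself could not find the library; entries
    with no file behind them (the vdso) are dropped.
    """
    deps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _LDD_LINE.match(line)
        if not match:
            continue
        soname, target = match.groups()
        if "not found" in target:
            deps.append((soname, None))
        elif target.startswith("/"):
            deps.append((soname or os.path.basename(target), target))
    return deps


def chroot_plan(ldd_text, chroot):
    """Split the dependencies into those missing under `chroot`, as
    (host_path, chroot_path) pairs that keep the directory layout the
    loader expects, and sonames unresolved even on the host."""
    missing, unresolved = [], []
    for soname, path in parse_ldd(ldd_text):
        if path is None:
            unresolved.append(soname)
            continue
        dest = os.path.join(chroot, path.lstrip("/"))
        if not os.path.exists(dest):
            missing.append((path, dest))
    return missing, unresolved


def demo_plan():
    """Scratch chroot with libc already copied in; returns what is left
    to copy and what ldd could not resolve at all."""
    root = tempfile.mkdtemp(prefix="ftpchroot-")
    os.makedirs(os.path.join(root, "lib"))
    open(os.path.join(root, "lib", "libc.so.6"), "w").close()
    missing, unresolved = chroot_plan(SAMPLE_LDD, root)
    return [src for src, _ in missing], unresolved


if __name__ == "__main__":
    print(demo_plan())
```

Copy only what the plan lists, and copy it with the same permissions it has on the host; a writable library or loader inside ~ftp is a way for an anonymous user with upload rights to run code as the daemon.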
11. Running wu-ftpd
There is a nice set of manpages with wu-ftpd. They do contain
a lot of information.
Also, note that a lot of things about the chrooted
environment for anonymous users also applies to the chrooted
environment for guest users.
1. ftpd always says "221 Server shutting down. Goodbye."
The shutdown directive in the ftpaccess file points to a
file (normally created by the ftpshut command) that
currently exists. Either change the directive or delete
the file.
Also, after you've used the ftpshut command, you'll need
to remove the shutdown file by hand.
2. Anonymous ftp works fine, but real users are denied
access
Check the following :
# Their shell is in the /etc/shells file. Note : AIX
doesn't even have this file, so you need to create
it for wu-ftpd.
# The problem has been fixed in the latest beta for
AIX. Get this one. Don't use the fix from
tigger.itc.virginia.edu anymore, it's for older
(insecure) beta versions.
# /etc/shells needs the correct access rights (world
readable and not world writable).
# If you're using shadow passwords : make sure the
daemon is compiled with shadow password support.
3. ftpconversions doesn't work
There are a lot of possible reasons, mostly having to do
with the fact that some versions of tar use different
command line parameters.
# Solaris 2.4 : if you use Solaris tar, and give the
commandline as /bin/tar -cf - %s, the effect will
be the same as /bin/tar -cvf - %s. The -v option
will add extraneous data to the stream. Solution :
replace it with /bin/tar cf - %s (no leading -).
# Also, check your 'tar' and 'compress' directives in
ftpaccess.
4. On-the-fly compression works, on-the-fly tarring, but
not both.
With Solaris 2.4 and GNU's tar-1.11.8 (configured and
compiled with --disable-nls flag) use the GNU tar flag
--use-compress-program=path to compression program
sample :
: : :.tar.Z:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/compress -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
: : :.tar.gz:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/gzip -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
5. I want to use zip compression (InfoZip)
Lines for ftpconversions :
:.zip: : :/bin/unzip -qq -p %s:T_REG|T_ASCII:O_UNCOMPRESS:UNZIP
: : :.zip:/bin/zip -qq -r - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:ZIP
Info-ZIP can be found at
<URL:http://quest.jpl.nasa.gov/Info-ZIP/>
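As an added example (not from the FAQ or from wu-ftpd itself), the following Python model reads the ftpconversions lines quoted in the three entries above and shows which real file and which command line a request for a converted name maps to. The field order is that of the ftpconversions file; the way strip and addon postfixes are matched is this model's own reading of it.

```python
import shlex

# Constructed sample: the conversion lines quoted in the FAQ entries above.
# Field order of the ftpconversions format: strip prefix, strip postfix,
# addon prefix, addon postfix, external command, types, options, description.
FTPCONVERSIONS = """\
: : :.tar.Z:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/compress -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
: : :.tar.gz:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/gzip -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
:.zip: : :/bin/unzip -qq -p %s:T_REG|T_ASCII:O_UNCOMPRESS:UNZIP
: : :.zip:/bin/zip -qq -r - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:ZIP
"""

def parse_conversions(text):
    """Return one rule dict per non-empty, non-comment line."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 8:
            raise ValueError(f"expected 8 colon-separated fields: {line!r}")
        rules.append({"strip_post": fields[1], "add_post": fields[3],
                      "cmd": fields[4], "types": set(fields[5].split("|")),
                      "desc": fields[7]})
    return rules

def resolve(rules, requested, existing):
    """Map a requested name to (real name, argv, description) using the
    first rule that fits. `existing` maps on-disk names to T_REG or T_DIR.
    An addon postfix (dir.tar.gz) is served from the real object without it
    (dir); a strip postfix (.zip) means README was asked for, README.zip exists.
    """
    for r in rules:
        if r["add_post"] and requested.endswith(r["add_post"]):
            real = requested[: -len(r["add_post"])]
        elif r["strip_post"] and requested + r["strip_post"] in existing:
            real = requested + r["strip_post"]
        else:
            continue
        if existing.get(real) in r["types"]:
            # %s lands in one argv element, never in a shell string, so the
            # name cannot smuggle extra arguments or commands into the call.
            argv = [a.replace("%s", real) for a in shlex.split(r["cmd"])]
            return real, argv, r["desc"]
    return None
```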
6. I want a real user to be able to access the host only
via ftp, not via telnet
Create a shell for this purpose (for example, a program
that prints such a message, or a copy of /bin/true). Put
this shell in /etc/shells. Change the shell of the user
to that shell.
Next : make sure mail cannot be delivered locally to
the account. Because the shell is in /etc/shells,
sendmail considers it a valid shell, and a user could
use that to get commands started as that user.
Information and a sample script on
<URL:http://www.landfield.com/wu-ftpd/ftponly/ftponly.html>
The same, for AIX :
Use chuser (or SMIT) to set the user to
login=no, su=no, telnet=no, rlogin=no.
7. Somebody uploaded a file with a weird name
Somebody is trying to misuse your ftp-site for
transferring software (worst case scenario). Check if
the directive path-filter in the ftpaccess file is
something like :
path-filter anonymous /etc/paths.msg ^[-A-Za-z0-9\._]*$ ^\. ^-
8. I want anonymous users to be able to upload files, but
in the most secure manner possible
In general: you don't want this. But, if you're
stubborn...
In that case, set your path-filter to the one mentioned
above. Make the incoming directory owned by something
other than ftp (root, or nobody) with a group other than
ftp (nobody). Something like :
drwx-wx-wt root nobody incoming
This will allow ftp to write in the directory, but not read
it. Set the upload directive in ftpaccess to something
like :
upload /home/ftp /incoming yes root daemon 0400 nodirs
One note : files get created as root and then changed to
the owner mentioned in the upload line. This will fail on
some secure NFS setups.
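As an added example (not from the FAQ or from wu-ftpd), this Python model applies the path-filter line recommended above to a few upload names, so the effect of the allowed character set and the two disallowed patterns is visible before you rely on them for an incoming directory. The way the patterns are combined (fail the allowed one, or hit any disallowed one, and the name is refused) is this model's reading of the directive.

```python
import re

# Constructed: the path-filter line recommended in the FAQ entry above.
PATH_FILTER_LINE = r"path-filter anonymous /etc/paths.msg ^[-A-Za-z0-9\._]*$ ^\. ^-"

def parse_path_filter(line):
    """path-filter <typelist> <msgfile> <allowed regexp> [<disallowed regexp> ...]"""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "path-filter":
        raise ValueError(f"not a path-filter directive: {line!r}")
    return {
        "types": set(fields[1].split(",")),
        "msgfile": fields[2],
        "allowed": re.compile(fields[3]),
        "disallowed": [re.compile(p) for p in fields[4:]],
    }

def upload_name_ok(pf, name, user_type="anonymous"):
    """Refuse a name that misses the allowed pattern or hits a disallowed one."""
    if user_type not in pf["types"]:
        return True                      # filter is not applied to this user type
    if not pf["allowed"].search(name):   # pattern is anchored, so this is a full match
        return False
    return not any(d.search(name) for d in pf["disallowed"])

def check_uploads(pf, names):
    """Return {name: verdict} for a batch of candidate upload names."""
    return {n: upload_name_ok(pf, n) for n in names}
```

Names starting with a dot or a dash are refused even though both characters are in the allowed set; that is what the two extra patterns are for.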
9. The default umask used when a real user uploads a file
is wrong
The default umask is inherited from inetd, which may be
the wrong one for your site. There is an undocumented
command line parameter -u. Edit the line in inetd.conf to
something like ftpd -A -L -l -u077.
10. I heard something about 'SITE EXEC' having a security
hole
In some Slackware distributions the _PATH_EXECPATH is
set to something like /bin. Recompile wu-ftpd with it
set to a special path like /bin/ftp-exec.
To test for this hole, type (when logged in as a real
user, not anonymous) :
ftp> SITE EXEC bash -c id
If you get a return with '200-uid=0(root) gid=0(root)'
in it, you have the problem.
11. How do I make reports more readable ?
There are a couple of scripts to make better reports
from the xferlog.
# dumpxfer processes the xferlog and gives more
human-readable output
# processlog is a script to run dumpxfer, email you the
output and truncate the log
These are available via anonymous ftp from
<URL:ftp://tnt.microimages.com/tools/>; both need Perl.
I (Koos van den Hout) also wrote a Perl script to
process the log, mail daily statistics and uploaded
files, and create a top list of most downloaded files.
It is available from
<URL:ftp://ftp.cetis.hvu.nl/pub/koos/ftplogcheck>
iistat generates nice transfer graphs from the xferlog
file (and from a lot of other sources). Available from
<URL:ftp://ftp.support.lotus.com/pub/utils/InternetServices/iisstat/iisstat.html>
Phil Swan wrote xferstats, available from
<URL:ftp://sod.off.net:211/pub/xferstats/xferstats-2.00/>
or <URL:http://xferstats.off.net:8080>
12. Incoming file transfers fail with SunOS and an NFS
mounted incoming
You get errors like :
Dec 7 11:14:33 ftphost vmunix: NFS write error 13 on host fileserver
fh 746 1 a0000 5fea7 3b5a1bd8 a0000 2 1e0a6aed
That's a known problem. Possible solutions :
# Have the incoming disk on the ftpserver itself
# /etc/ftpaccess sets owner to ftp, group to a
restricted group and mode to 0040 (only group read)
Thanks to Peter Glassenbury (pete@cosc.canterbury.ac.nz)
for this one.
13. Normal ftp clients work, Netscape ftp fails. So,
passive mode doesn't work.
Apparently ftpd needs write permission on ~ftp/dev/tcp
in order to operate correctly in passive mode (Solaris).
Set it to the same mode as the permissions shown by ls -lL
/dev/tcp, being 666. Also read the Solaris man page for
ftpd for Solaris-specific information. (Changed from
previous versions.)
Fix:
cd ~ftp/dev
chmod 666 tcp
Thanks to Simon Rakov
(Simon_Rakov@iongate.staff.ichange.com) for this one.
14. I made a symbolic link within the anonymous tree and it
doesn't work for the anonymous users.
Symbolic links are relative to your active root. If
you want to access files/directories/diskspace outside
your chrooted environment, you'll have to import it
using loopback mounts. These are available on at least
Solaris and Linux.
15. I want to redirect anonymous users to another machine
That's a not-so-well-known ftpaccess feature : just add
'guestserver anon.ftp.server.hostname' to your ftpaccess
file.
16. ftpd stops accepting connections when a lot of
connections come in.
This is a feature of inetd, not ftpd. Inetd will limit
the number of connections that can be made to a service
per minute. Some versions allow you to specify this limit
in inetd.conf, by appending it to the nowait flag, like
:
ftp stream tcp nowait.256 root /usr/sbin/ftpd ftpd -a
which will allow 256 connections per minute. Check the
manpage for inetd.
17. Running wu-ftpd on a *large* site
There are some really large sites running wu-ftpd
versions with special modifications in order to make it
work under that load. For example sunsite.doc.ic.ac.uk
has made some modifications available at
<URL:ftp://sunsite.doc.ic.ac.uk/packages/mirror/experimental/wu-2.4.2-upd13.shar>
From the notes on those patches:
DAEMON
If ftpd called with -D then run as a standalone daemon listening on the
ftp port. This can speed up ftpd response as all ftpd then needs to
do is fork off a copy to handle an incoming request. Under inetd
a new copy has to be opened and exec'd.
FILEWHAT
If SETPROCTITLE doesn't work or if you have so many users that ps
takes a long time then FILEWHAT keeps the info in a file so that
ftpcount can just print it.
18. Only the first 8 characters of the anonymous username
are received by the server.
This is actually a bug in older ftp-clients which only
send the first 8 characters because the password is
limited to 8 characters anyway. Upgrade your client.
19. wu-ftpd fails with '500 Illegal PORT Command' under AIX
4.3
AIX 4.3 defaults services in inetd.conf to ipv6 which
wu-ftpd doesn't support (yet). Fix: change the protocol
from tcp6 to tcp.
20. I want to host multiple ftp servers on the same machine
At this moment this is only possible with one IP number
for each ftp server and a version of wu-ftpd that
supports this functionality, which are the VR versions
and BeroFTPD.
There is a draft for an extension to the ftp protocol
named HOST to support virtual hosts like HTTP. But, this
is a draft and there are a lot of old ftp clients out
there. So do not count on using this.
21. I just upgraded and now nobody can log in. It worked
before.
Did you look in the system log? The daemon will log the
reason for the failure there. It helps a lot to know
why. The most plausible cause (at the moment) is that
you're upgrading to the VR version and, if you look, the
syslog says 'not in any class'. That means you're using
the old, unsafe wildcards on your class statements, such
as the following:
class lcl real,guest,anonymous 127.*.*.*
The VR update currently does not support this notation.
Use a netmask or CIDR instead, as in either of the
following:
class lcl real,guest,anonymous 127.0.0.0/8
class lcl real,guest,anonymous 127.0.0.0:255.0.0.0
The VR15 update will include support for the old
wildcards as they were most commonly used (as in the
example above), but without the errors which allowed
matching unintended hosts.
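As an added example (not from the FAQ or from wu-ftpd), this Python helper rewrites the old wildcard class addresses into CIDR, also accepts the address:netmask form, and checks a client address against the resulting networks with the ipaddress module, so membership is decided by network arithmetic rather than string matching. It assumes IPv4 addresses only in the class line (no hostnames), which is what the entry above shows.

```python
import ipaddress

def wildcard_to_cidr(pattern):
    """127.*.*.* -> 127.0.0.0/8, 10.1.*.* -> 10.1.0.0/16 (trailing wildcards only)."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {pattern!r}")
    fixed = []
    for o in octets:
        if o == "*":
            break
        if not o.isdigit() or int(o) > 255:
            raise ValueError(f"bad octet in {pattern!r}")
        fixed.append(o)
    # Anything after the first * must also be *, or the pattern has no CIDR form.
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"wildcard must be trailing: {pattern!r}")
    network = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return f"{network}/{8 * len(fixed)}"

def parse_class(line):
    """class <name> <typelist> <addr> [<addr> ...]; addresses are IPv4 (assumption)."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "class":
        raise ValueError(f"not a class directive: {line!r}")
    nets = []
    for spec in fields[3:]:
        if "*" in spec:
            spec = wildcard_to_cidr(spec)        # old notation: normalise to CIDR first
        elif ":" in spec:
            spec = spec.replace(":", "/", 1)     # addr:netmask -> addr/netmask
        nets.append(ipaddress.ip_network(spec, strict=False))
    return fields[1], set(fields[2].split(",")), nets

def host_in_class(nets, addr):
    """True if the client address falls inside any network of the class."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)
```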
21. Other things
1. Where is the FTP protocol documented ?
RFC959 documents the FTP protocol.
2. How can I make my ftp-archive accessible by E-mail
(ftpmail) ?
There is a Perl-script collection available named
ftpmail. It is available on a lot of ftp-sites (archie
for 'ftpmail'), some of which are :
<URL:ftp://sunsite.doc.ic.ac.uk/packages/ftpmail/>,
nic.funet.fi, ftp.warwick.ac.uk, ftp.loria.fr,
ftp.germany.eu.net.
22. Credits
A number of people deserve credit :
o Alexander L. Haiut (alx@cs.bgu.ac.il), creator of the
original faq.
o *Hobbit* (hobbit@avian.org) for the first security
patches to wu-ftpd.
o Stan Barber (sob@owlman.academ.com), maintainer of the
current patch-archive for wu-ftpd.
o Reinier Post (reinpost@win.tue.nl), for the scripts that
maintain this FAQ.
o And of course, Bryan O'Connor at Washington University
who wrote wu-ftpd in the first place. Warning : Bryan
is no longer working on wu-ftpd, or even working at
Washington University. Please don't mail him with
questions.
o And all the people who send me updates for the FAQ or
other information.
(No chocolate cookies. Yet)
Last modified : Fri Feb 26 10:31:32 MET 1999
_____________________________________________________________
Created by : Koos van den Hout
koos@pizza.hvu.nl
※ Source: BBS Shuimu Tsinghua Station bbs.net.tsinghua.edu.cn [FROM: 210.78.135.238]