Copyright (c) 1999-2003 WU-FTPD Development Group.
 All rights reserved.

 Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994
   The Regents of the University of California.
 Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
 Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
 Portions Copyright (c) 1989 Massachusetts Institute of Technology.
 Portions Copyright (c) 1998 Sendmail, Inc.
 Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P.  Allman.
 Portions Copyright (c) 1997 Stan Barber.
 Portions Copyright (c) 1997 Kent Landfield.
 Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997
   Free Software Foundation, Inc.

 Use and distribution of this software and its source code are governed
 by the terms and conditions of the WU-FTPD Software License ("LICENSE").

 If you did not receive a copy of the license, it may be obtained online
 at http://www.wu-ftpd.info/license.html.

 $Id: CHANGES,v 1.38 2011/11/06 14:24:06 wmaton Exp $

###########################################################################

Changes in 2.8.0-CC3: Released 6 November, 2011

o  Many URL updates.

o  The default email address used by the server in absence of an email
   directive in ftpaccess is ftp-bugs, and is noted in ftpaccess now.

o  Added code for ADLER-32 checksums for future extension to the list
   of algorithms available to do checksums.

o  Hard-coded links to cksum and md5sum within the FTP root now point to
   these utilities in /bin instead of /usr/bin.

o  As defined in GFD.20 (GridFTP:  Protocol Extension to FTP for the
   Grid) by the Global Grid Forum, the SBUF command has been introduced.
   This calls the same code as SITE BUFSIZE would.  SITE BUFSIZE is
   still present for backwards compatibility.

o  Thanks to a contribution by Austin Ellis, added RHEL6 packaging info
   to the codebase in packages/rpm.  This also includes a patch for
   building on that particular system.

o  Updated ftpd.8 manpage documenting some missing SITE commands that
   had been in the server since 1998.

o  First cut at implementing the remainder of the RFC3659 extended FTP
   commands.  FEAT, MLST, OPTS and MLSD are now supported.  Based upon
   early gridFTP releases which used WU-FTPD 2.6.0 and 2.6.1 code.

o  According to draft-somers-ftp-mfxx-04.txt, defined the stubs for the
   MFF, MFCT and MFMT commands.  These may or may not be supported in the
   future, but at the least they are defined for now.  If so, they may
   become SITE commands instead if the spec is not approved.

o  Updated doc/examples/ftpconversions based on Debian changes introduced
   sometime in 1995.  The server can now deal with such things as bzip2,
   xz, zip and unzip.

o  If there's an empty /etc/fstab, a segfault can be produced.  A fix
   from Debian BugID 568235 to path_to_device in src/extensions.c addresses
   this.  Patch by Chris Butler.

o  Added another possible path for quota.h, patch by Chris Butler of
   Debian.

o  Added missing handler for SIGTERM, patch by Chris Butler of Debian
   related to Debian bug #536774.

o  Changed -h invocation on the commandline to print out a very brief help
   listing all commandline options that could be supplied to the daemon.
   Also note that some switches are or have an effect on the configuration
   file.  The former function assigned to the 'h' option is now 'H'.

o  The former function assigned to the 'h' option is now 'H'.  Said it
   twice now.  The manpage has been updated to reflect the changes.

o  Implemented the CSID command as found in the IETF draft
   draft-peterson-streamlined-ftp-command-extensions.  This is meant
   to be a standards-based replacement for the CLNT command.  Currently
   this command is hard-wired with the server name and version, but the
   next release will permit customisation.

###########################################################################

Changes in 2.8.0-CC2: Released 26 June, 2009

o  Cleaned-up and updated the ftpd.8 manpage which had languished for
   some time.

o  Added Auto tuning/auto buf, with added commands SITE BUFSIZE and
   SITE BUFSIZEMEASURE.  Use --enable-autobuf to enable this feature.
   Based on a patch from work done on WU-FTPD-2.6.1 by Gaurav Navlakha, et al
   of DAST, NLANR (now CAIDA).  This code also contains the ability to
   report back on buffer usage.  Note that an autobuf client needs to
   be used to take advantage of this feature.  For the time being, the
   code for buffer measurement is IPv4 only.

o  Updated src/extensions.c to take into account a change in Linux quota
   structure.  Based on a patch by Chris Butler.

o  Added 'quiet' option to util/xferstats based on Debian bug #307152.
   Also included a new xferstats(8) man page based on Debian bug #10332.

o  src/ftpcount.c's test of LINUX but not Redhat 6.0 removed and a call
   to 'ps' has been modified.  Based on a patch by Chris Butler.

o  src/glob.c modified to permit "LIST ." as per Debian bug #101847.

o  Update several Makefile.in files with datarootdir = @datarootdir@,
   regenerate configure using the latest GNU autotools.  Also added newer
   versions of config.guess and config.sub as hinted at by Debian bug
   #356519.

o  As hinted at by Chris Butler's patches to a couple of man pages,
   headers really should be uppercase.  All man pages are now consistently
   formatted with this in mind.

o  The following FreeBSD patches have been incorporated to one extent
   or another:

       - patch-aa:     OPIE update (again to src/ftpd.c)
       - patch-ae:     OPIE update (src/config/config.fbs)
       - patch-af:     Modify strcasestr (support/strcasestr.c)
       - patch-aj:     Modify strcasestr (src/proto.h)
       - patch-al:     Modify strcasestr (support/makefiles/Makefile.fbs)
       - patch-am:     OPIE update (src/makefiles/Makefile.fbs)
       - patch-ar:     OPIE update (configure.in)

   All patches were taken from:

       http://www.freebsd.org/cgi/cvsweb.cgi/ports/ftp/wu-ftpd/files/

o  Access classes may now be individually restricted by time. For example
   one can write a timeout clause like this:

       timeout idle 1800 anon-local

   This instructs the daemon to enforce an idle timeout of 1800 seconds
   on just the anon-local access class.  Any combination or permutation
   can be used between the standard timeouts and the access classes you
   create.  Based on a patch by Sylvain Goulart of the National Research
   Council of Canada applied to src/timeout.c.

o  Patch by John Sutton of SCL Internet to set default behaviour of
   internal ls to ls -la.  Applied to src/ftpd.c.  This will allow users
   to see hidden files as well.

o  Acknowledge bugfix to internal ls provided by "sashi" via his blog.
   Applied to src/ftpd.c.

o  Patch by John Sutton of SCL Internet to src/tlsutil.c to simplify
   some TLS code involving calling vfprintf.  The patch uses tls_vfprintf
   instead.

###########################################################################

Changes in 2.8.0-CC1: Released 22 April, 2009

o  Add '--' to doc/examples/ftpconversions to appropriate commandlines
   to stop hacking via ftpconversion downloads.  Based on a Debian and
   FreeBSD patch.

o  Fix MAIL_ADMIN vulnerability which points to an error within SockPrintf
   function. [SECURITY CVE-2003-1327]

o  Fix S/KEY buffer overflow in key_challenge function in ftpd.c.
   [SECURITY CVE-2004-0185]

o  Fix MAXPATHLEN calculation bug that can trigger a vulnerability.
   [SECURITY CVE-2003-0466]

o  Fixed to stop real users from bypassing restricted-uid and restricted-gid
   restrictions. [SECURITY CVE-2004-0148]

o  Direct DNS lookups using the resolver library replaced by use of the
   system's name service (by calling gethostbyaddr/getnameinfo and
   gethostbyname/getaddrinfo). Code donated by Sun Microsystems.

o  Scalability and transfer logging enhancements, code donated by Sun
   Microsystems. New ftpaccess clauses:

       flush-wait yes|no [<typelist>]
       ipcos control|data <value> [<typelist>]
       quota-info <uid-range> [<uid-range> ...]
       recvbuf <size> [<typelist>]
       rhostlookup yes|no [<addrglob> ...]
       sendbuf <size> [<typelist>]
       xferlog format <formatstring>

   ipcos replaces iptos. New ftpd -h option added to enable host limits.
   New ftpd -4 option added to make the standalone server listen for
   connections on an AF_INET type socket (useful when built with IPv6
   support). New -v options added to ftpcount and ftpwho to support
   virtual hosts.

o  Modified configure to insert the correct paths into the doc/*.5 files.
   Modified configure to incorporate doc/Makefile for future uses.
   Modified configure to remove the "build" help file, .bld.hlp.
   Modified the 'build' script to insert paths in the references
   for FTPLIB for the doc/*.5 files.

o  Changed Copyright headers to
      'Copyright (c) 1999-2003 WU-FTPD Development Group.'

o  Changed strcpy and strncpy calls to strlcpy where appropriate.  Changed
   sprintf calls to snprintf where appropriate.  Changed strcat calls to
   strlcat where appropriate. Added strlcat.c and strlcpy.c and supporting
   man page to libsupport.a. Modified configure to test for strlcpy and
   strlcat availability and include it in libsupport.a if needed.

o  Fixed active mode connect retry denial of service vulnerability.
   [SECURITY CVE-2003-1329]

o  GSS-API, RFC 2228 support added, code donated by Sun Microsystems.

o  Fixed a problem which allowed file globs with series of stars to hang
   the server.  In fixpath, reduce all series of stars to a single star.

o  Fixed dir_check and upl_check so they deny access if they can't stat
   the current working directory.  This affects the DELE command (when
   deleting a directory), MKD, RMD, STOR, APPE, and STOU when using "*"
   wildcards on the upload clause.

o  When expanding ~username, only do the special "/./" processing if the
   logged in user is a guest.

o  Added option --with-facility=x to configure for specifying the syslog
   facility.

o  Added the missing -x option to the ftpd getopt() string and to ftpd.8.

o  STOU should not require a parameter.  In fact, it should not allow one.
   Since it traditionally has, WU-FTPD will allow it as an optional
   parameter.

o  defumask <umask> parsing made consistent with ftpd -u umask parsing, a
   leading 0 is no longer required to signify octal and the umask must only
   contain octal digits and be <= 0777.

o  Nick Maclaren <[email protected]> submitted patches to prevent certain
   sequences from anonymous users gaining elevated privileges.  Also a bugfix
   to throughput limiting when there's an error in the ftpaccess file.

o  [email protected] provided corrections for Compaq
   (DEC) Tru64 Unix.  His comment: uploading of files by anonymous users
   failed with permission problems if the uid of the ftp daemon did not match
   the uid the file was supposed to belong to (as set in ftpaccess with the
   upload keyword).

o  [email protected] provided corrections for IRIX (sgi) support.

o  TLS, IETF Draft draft-murray-auth-ftp-ssl-07, support added, code donated
   by IBM.

o  SIZE command in ASCII mode was consuming CPU. The solution is to return
   a 504 error reply for all SIZE requests when in ASCII mode.

o  Added support for utmp logging.  This should work for most systems,
   but YMMV; check src/config if you have problems, it's most likely the
   pathname.  Submitted by [email protected].

o  Separated data connection timeout errors from others.  From a patch by
   Joe Laffey <[email protected]> which prevented segmentation faults
   on a timeout on the data connection.  The segfault was already fixed, but
   separating the response sounded like a good idea anyway.

o  Changed anonymous password examples so they don't fail validation. Changed
   rfc822 validation not to allow "joe@" (as "joe@hostname" isn't allowed).

o  IPv6, RFC 1639 (LPRT/LPSV) and RFC 2428 (EPRT/EPSV) support added,
   code donated by Sun Microsystems.

o  Many corrections to large file support (use of off_t and L_FORMAT).

o  Cleaned up the ambiguous if/if/else statements by adding braces.

o  Modified commented comments so some compilers would not throw off warnings.

o  Changed the default CheckMethod to POSIX and changed the paths to
   /usr/bin/md5sum and /usr/bin/cksum (from /bin).

o  Fixed off by 1 error in limit_time calculation.

o  Restored the 2.6.0 behavior where the size of a file transferred is only
   used in data_limit calculations after it's been transferred (the size of a
   file produced by a conversion isn't known in advance).

o  Spurious home directory restrictions would occur if the user did not
   have permission to read their own home or one of its parent
   directories.

o  Still MORE changes to ftpaccess parsing.  All looping parses now
   continue past missing parameters instead of stopping unexpectedly.

o  When using PAM, the anonymous user (ftp) can be authenticated but may
   not be known to the local system.  If this occurs, try the "nobody"
   user.  If neither exists, log a suitable message and kill the session.
   This should probably be done for other network-based authentication
   methods: patches would be very welcome.

o  Treat ASCII CR (\r) as white space in the ftpaccess file.  Done the
   Wrong Way but good enough to prevent most problems when a clueless
   admin uses Windows Notepad to edit the file instead of a real editor
   like emacs or vi.

o  New ftpaccess clause "iptos" to allow management of IP Type Of Service
   for both control and data connections.  Note: the default IPTOS changes;
   to use the same TOS as previous versions you must add the following to
   your ftpaccess:

       iptos control lowdelay
       iptos data throughput

   See the ftpaccess manpage for a full description of these options.

o  Guestserver clause with no parameters hangs the control socket.

o  New ftpaccess clauses "signoff" and "stat" work similar to "greeting".
   Please read the ftpaccess man page for more information on these new
   options.

o  Log security issue on denied umask and chmod.

o  Properly log security issue if RMD is denied because deletes are not
   allowed for this user.

o  Restricted users should be allowed to use chmod and umask as well as
   SITE GROUP and SITE GPASS, but still cannot use SITE EXEC and SITE
   INDEX.

o  Make y/n for chmod, umask, chmod, delete, overwrite case-insensitive.

o  Correct chmod, umask, overwrite and rename to match documented
   operation.  Namely, anonymous users cannot use them and all others can.

o  Avoid crashes on certain configuration problems by making parameters
   optional and choosing reasonable defaults.  Affected clauses are:
       private (default is no)
       log commands (default is log commands for all users)
       log transfers (default to log all transfers)
       log security (default to log all issues)
       compress (default to allow compression/uncompression)
       tar (default to allow tar on-the-fly)
   Also, ignore without crashing on banner clause without a pathname.

o  In fixpath(), don't remove a trailing '.' at the end of the path.  From
   John Simmons <[email protected]>.

o  If using OPIE, don't accept regular passwords if OPIE tells us not to.
   From Ken Mort <[email protected]>.

o  Added optional parameters to the upload clause.  Newly created
   directories can now be given user/group ownership different than newly
   created files.

o  For autoconf, some systems define __SVR4 and not SVR4.  So, in
   src/config.h.in, if we see __SVR4 and not SVR4, go ahead and define
   SVR4.  Solaris is the most-cited culprit here, but there may be
   others.  The old build configs specifically define SVR4 so they
   have no problems.

o  Add support for tcpwrappers in standalone daemon mode.  Read the
   comments at the end of src/config.h.noac for instructions on how
   to enable them.

o  Add logging of restart point and actual byte count in the xferlog.
   Since this will break xferstats and other log analyzers, it is
   disabled by default.

o  Add To: and Date: headers for upload notification emails.  Note the
   Date: header is *always* in UTC.  If someone wants to change it to
   local time with a correct UTC offset, send the patch along.

o  Update ftpaccess manpage to better describe lslong, lsshort and
   lsplain.

o  Fix passive ports, missing ntohl() call caused misinterpretation.

o  Document logfile ftpaccess option.  Promote it to be usable in all
   configurations instead of just new-style virtual hosts (with
   /etc/ftphosts existing).

o  Fix crash following timeout on a data connection.

o  Add an option to track logins via the lastlog file. This option is
   enabled by default.  [patch by Sylvain Robitaille]

o  Add user= to work similarly to class=; this also fixes a long-standing
   problem with class=.  Things should now work a bit more like we'd
   expect when you use class=.

o  Add throughput rate limiting to ASCII-mode file transfers.  For some
   reason it was only applied to binary transfers.

o  Use mkstemp() and mktemp() for temp file creation in privatepw if those
   functions are available.

o  Fix so virtual hosts work with the standalone daemon.

o  Add an option to define an alternate home directory to log real users
   into if we're doing strict_homedir checking or base_homedir checking
   and we fail either one of those.  [patch by Sylvain Robitaille]

o  Split up the PARANOID configuration option into individual options
   for finer control.  [patch by Sylvain Robitaille]

o  Add an option to check a user's home directory against a "base"
   directory and refuse the login if the former isn't below the
   latter.  [patch by Sylvain Robitaille]

o  Renamed support/ftw.h to support/wuftpd_ftw.h to ensure the system ftw.h
   is used when HAVE_FTW is defined.

o  Changed the way support headers are included to work with VPATH.

o  Added required fflush() call between input and output, necessary when a
   file using stdio is opened in update mode.  Email on anonymous upload now
   works on Solaris and AIX.

o  Send a 502 reply instead of a 500 in disabled SITE commands.

o  Fixed command and transfer logging so -L, -i and -o work with -a.

o  Someone moved the call to get quota data earlier in the msg_massage
   function.  This little optimization causes a segfault.  Rather than
   reverse the change, just output "[unknown]" when quota information
   is desired and not yet available (for instance in the initial banner).

o  Added host-limit configuration which enables the limiting of the
   number of sessions from one IP.

o  Added NO_UTMP #ifdefs for systems that don't have a wtmp file.

o  Improved the error reporting in ftpshut, ftprestart and ftpcount.

o  Send a 502 reply instead of a 425 when PASV support is disabled.
   Send 502 instead of 500 when PORT is disabled.

o  Two PASV commands in the same second get the same port assigned.
   Add some salt to spice things up.

o  Host matching on the class clause and elsewhere used to allow []
   ranges as well as wildcards.  They are now allowed once more.

o  Off-by-one in wu_fnmatch caused problems parsing [] ranges.

o  Fix a segfault if there's a typo on pasv-allow.  For instance,
   "pasv-allow all *" instead of "pasv-allow all 0.0.0.0/0".  To be
   safe, force a NOMATCH result instead of allowing the PASV connection.

o  If using restricted-uid and the user's home includes symlinks, the
   PWD command can cause a crash.  Run both paths through realpath to
   fix this.

o  guestserver should deny anonymous access with no parameters.

o  When using OPIE, don't require an OPIE reply if the user does not
   have an opie key.

o  Don't lose last character when STOU exceeds 9 probes to find a
   unique filename.

o  When using OPIE, don't allow normal passwords when OPIE is
   required.

o  On command-line -u option, don't allow non-octal digits.  Doh.

o  Need HAVE_QUOTACTL on IRIX.

o  In src/extensions.c is a definition of snprintf.  It needs to be
   protected by HAVE_SNPRINTF.

o  SunOS really doesn't have a working fchdir().

o  NLST should not send the names of dangling symlinks since they can
   not be retrieved.

o  guestuser and guestgroup no longer make anonymous users into guests
   when matching wildcards and ranges.

o  Corrected an information leak when failing a MKD with restricted-uid.
   The pathname reported in the error needs to have the user's home
   stripped off the error reply.  From Richard Mirch <[email protected]>

o  AIX 4.1.x needs libbsd.a & libs.a.

o  Added definition for AIX's file system (JFS).

o  AIX 4.1.x has getrlimit() but no RLIMIT_NOFILE. It does have
   gettablesize().

o  Fixed a problem with the order of the includes of sys/mnttab.h and
   sys/mntent.h. Solaris has them both but only defines struct mnttab.

o  IRIX has no NCARGS in the system's include files but defines it in the
   kernel ('systune ncargs' outputs: ncargs = 20480 (0x5000)).

o  Local quota updates can now be seen during the session. Two exceptions:
   1) It won't work in a chroot() environment unless the quota DB can be
      accessed there.
   2) WU-FTPD does not support displaying of files with cookies more than
      once. So the current solution is to display different files in
      different places (for example, cd to other directories).

o  Fixed file descriptor and memory leaks in the email on anonymous upload
   code.

o  Michael Brennen has contributed the Guest HOWTO to the project.  It is
   now located in the doc/HOWTO section and will be included in all
   future releases.

o  Off-by-one and missing step-increment in a couple routines for
   throughput limiting.
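
The defumask and -u entries above require the umask to contain only octal
digits, to be at most 0777, and to need no leading 0.  The following is an
added example, not WU-FTPD's code: parse_umask() is one way to enforce that
rule, and loose_umask() and created_mode() are hypothetical helpers that show
what radix guessing does to the resulting file modes.

```c
#include <stdio.h>
#include <stdlib.h>

/* Radix guessing (hypothetical, shown for contrast): with base 0 only a
 * leading 0 selects octal, so "77" is read as decimal 77 = octal 0115. */
static unsigned int loose_umask(const char *s)
{
    return (unsigned int)strtol(s, NULL, 0);
}

/* Strict parse following the rule in the entry: octal digits only,
 * leading 0 optional, value <= 0777.  Returns 0 and stores the mask on
 * success, -1 on rejected input (the caller keeps its previous umask). */
static int parse_umask(const char *s, unsigned int *mask)
{
    unsigned int val = 0;
    const char *p;

    if (s == NULL || *s == '\0')
        return -1;
    for (p = s; *p != '\0'; p++) {
        if (*p < '0' || *p > '7')
            return -1;              /* sign, space, 8, 9, 'x', ... */
        val = (val << 3) | (unsigned int)(*p - '0');
        if (val > 0777)
            return -1;              /* checked every digit, so no overflow */
    }
    *mask = val;
    return 0;
}

/* Mode a new file gets when created with 0666 under the given umask. */
static unsigned int created_mode(unsigned int mask)
{
    return 0666 & ~mask;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real ftpaccess file. */
    static const char *samples[] = { "77", "077", "22", "1000", "089", "0x1ff", "" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int strict = 0;
        unsigned int loose = loose_umask(samples[i]);

        printf("%-6s loose: umask %04o -> file mode %04o   strict: ",
               samples[i], loose & 07777, created_mode(loose));
        if (parse_umask(samples[i], &strict) == 0)
            printf("umask %04o -> file mode %04o\n", strict, created_mode(strict));
        else
            printf("rejected\n");
    }
    return 0;
}
```

With "77" the radix-guessing parse yields umask 0115, so new files come out
mode 0662 (world-writable) instead of the intended 0600.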

###########################################################################

Changes in 2.7.0: Never released

There WAS no version 2.7.0 released.  During development a vendor
inadvertently released a 2.6.1 version based upon the 2.7.0 CVS development
snapshot.  That version released contained the security problems addressed
by version 2.6.2, but internally claimed version 2.7.0.  To avoid confusion
version 2.7.0 was not released, and the development version was renumbered
to version 2.8.0.  The following changes are listed here to reflect the
steps taken to help prevent this from recurring:

o  Changed newvers.sh to check for the existence of the directory CVS or a
   ".prerelease" file in the src directory.  If either is present this is
   assumed to be a prerelease version of the software and the version
   number indicates this.  For example, "wu-2.8.0-prerelease".  This isn't
   perfect, but it should help.

o  Changed 'build distrib' to check for the existence of CVS and create
   src/.prerelease if it is present.  Also updated the target to match the
   current directory layout and the fact we use CVS and not RCS, so it's
   usable once again.

###########################################################################

Changes in 2.6.2: Released 29 Nov, 2001

o  Added checks for missing "]" and "}" in filename globs, this completes
   the file globbing heap corruption vulnerability fix.

o  Added checks to the globbing code for overflow of restbuf, and additional
   globerr setting and checking to speed up return on error.

o  Changed the globbing code to use qsort, much faster when sorting a large
   number of strings.

o  Handle ftpglob() returning a vector containing just a NULL string, fixes
   problems caused by CWD ~{

o  Somehow the fix for pasv-allow didn't actually make it into 2.6.1

o  Provide a compile-time option to revert NLST to showing directories.

o  Fix missing format strings in debugging code.
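
Besides the glob fixes in this release, the 2.8.0-CC1 entry on fixpath
reduces every series of stars in a glob to a single star so the server cannot
be hung by it.  The following is an added example, not WU-FTPD's glob code:
naive_match(), collapse_stars() and count_steps() are hypothetical names, and
the matcher is a minimal backtracking one used only to count the work saved.

```c
#include <stdio.h>
#include <string.h>

static unsigned long steps;     /* calls made by the matcher */

/* Minimal backtracking matcher: '*' and literal characters only. */
static int naive_match(const char *pat, const char *str)
{
    steps++;
    if (*pat == '\0')
        return *str == '\0';
    if (*pat == '*') {
        /* '*' matches nothing, or consumes one character and retries */
        if (naive_match(pat + 1, str))
            return 1;
        return *str != '\0' && naive_match(pat, str + 1);
    }
    return *str == *pat && naive_match(pat + 1, str + 1);
}

/* Collapse every run of '*' into a single '*', in place.  The pattern
 * matches exactly the same strings afterwards. */
static void collapse_stars(char *pat)
{
    char *out = pat;
    const char *in;

    for (in = pat; *in != '\0'; in++) {
        if (*in == '*' && out > pat && out[-1] == '*')
            continue;           /* skip a star that follows a star */
        *out++ = *in;
    }
    *out = '\0';
}

/* Number of matcher calls needed to decide pat against str. */
static unsigned long count_steps(const char *pat, const char *str)
{
    steps = 0;
    (void)naive_match(pat, str);
    return steps;
}

int main(void)
{
    /* Constructed input: eight stars, then a character the name lacks. */
    char pat[] = "********z";
    const char *name = "aaaaaaaaaaaaaaaa";      /* 16 characters */
    unsigned long before = count_steps(pat, name);

    collapse_stars(pat);
    printf("before: %lu steps, after (%s): %lu steps\n",
           before, pat, count_steps(pat, name));
    return 0;
}
```

The uncollapsed pattern costs more than 700,000 matcher calls on a
16-character name; the collapsed pattern costs 34, and the count grows
linearly with the name length instead of combinatorially.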

###########################################################################

Changes in 2.6.1: Released 2 Jul, 2000

o  Fix security leaks that could result in a root shell compromise.

o  Fix memory leaks in internal ls (this feature still needs more testing;
   you should probably not use it on high-traffic production servers yet.)

o  Fix up the port-allow command in ftpaccess.

o  Merge in the virtual passwd/virtual shadow features of BeroFTPD.

o  Some fixes to the configure script.

o  SITE MINFO was missed in 2.6.0 when disabling SITE NEWER.

o  Fix documentation of data-limit.

###########################################################################

Changes in 2.6.0: Released 18 Oct, 1999

o  On sigpipe, always log a lost connection.

o  Added a log message on attempts to download files marked unretrievable.

o  The SITE NEWER feature has been disabled.  A compile-time option has been
   added to re-enable it.  See config.h.noac for more information on this.

o  With restricted-uid/gid, CWD to a nonexistent directory would display the
   full pathname rather than just relative to the user's home.  Actually, the
   fix catches most cases where this could occur, not just the CWD verb.

o  Fixed a bug in the restricted-uid/gid feature which could allow access
   outside the user's home directory in some cases.

o  Bumped MAXHST (max. hosts allowed on a line) for ftphosts from 10 to 12.
   Fixed a bug related to this which can cause the server to crash checking
   host access.

o  The internal ls (see below) was judged to be unready.  It has been disabled
   by default but can be enabled with a compile-time option for those who wish
   to attempt to debug it (be warned, it has a lot of problems).

o  Split the "bad shell or user not in ftpusers" syslog message into two
   messages to prevent confusion.

o  Filename globs for LIST, NLST and SITE EXEC, as well as a few internal
   uses, are cleaned up before processing.  For example: */./../* becomes
   just *.  This prevents certain memory starvation DoS attacks.

o  Corrections for RFC compliance can break some clients.  If possible, the
   broken client should be updated, but a compile-time option has been
   added.  See the config.h.noac for more information on this.

o  Created doc/HOWTO directory and moved VIRTUAL.FTP.SUPPORT and
   upload.configuration.HOWTO there.

o  Add a README.AUTOCONF file describing the autoconf build in detail.

o  UC, Berkeley, has removed the requirement that all advertising material
   must include credit to them.  Removed the clause from the LICENSE and
   the historical licenses in the COPYRIGHT file.

o  Added the email-on-upload feature from BeroFTPD.  See the ftpaccess man
   page for defaults on these added ftpaccess clauses:

       mailserver <hostname>
       incmail <emailaddress>
       mailfrom <emailaddress>
       virtual <address> incmail <emailaddress>
       virtual <address> mailfrom <emailaddress>
       defaultserver incmail <emailaddress>
       defaultserver mailfrom <emailaddress>

o  Redhat added the -I option to disable RFC931 (AUTH/ident).  Added to
   the baseline so Redhat users don't see a loss of a feature.  Setting
   the timeout for rfc931 to zero will do the same thing in the ftpaccess
   file.

o  The test for whether restricted-uid/restricted-gid applied should have
   been done before the chroot so it used the system /etc/passwd and
   /etc/group files.

o  CDUP when you were already at the home directory, would complain about
   you being restricted (if you were).  Instead it should give a positive
   reply, and do nothing.  This makes it behave more like CDUP when you're
   not restricted to your home directory.

o  deny-uid and deny-gid were being tested for anonymous users.  Bad move,
   it's too easy to forget to allow them.  Use 'defaultserver private' to
   keep anonymous users away.

o  Correct the operation of the NLST command.  Finally.  mget should now
   work as users expect it to.

o  Prevent buffer overruns when processing message files.

o  Correct a reference through a NULL pointer when doing S/Key
   authentication and the user is not in the passwd file.

o  Check the return code from select() when setting up a data connection.
   Under some rare conditions it is possible that the select was called
   for an fd_set which has no members, hanging the daemon.

o  Ensure a pattern of "*" matches everything.  The new path_compare (used
   on upload and throughput clauses in the ftpaccess file) sets the option
   FNM_PATHNAME, so:

       *    matches everything
       /*   matches everything
       /*/* matches /dogs/toto and /dogs/toto/photos but not /dogs

o  setproctitle() support added for UnixWare.

o  Removed all FIXES files.  Merged their contents into this CHANGES file
   (the one you're reading now).  The old doc/FIXES directory has been
   tar'd and will be placed in the attic when 2.6.0 releases.

o  Corrected an error in the MAPPING_CHDIR feature which could be used to
   gain root privileges on the server.

o  Added -V command-line option to View the copyright and exit.

o  Added the privatepw command and documentation.

o  Port for FreeBSD corrected.

o  Adding the LICENSE file to the baseline.

o  Added print_copyright function so our copyright is embedded in the
   executables.

o  WU-FTPD Development Group copyright headers added.  Original Copyright
   headers moved into the COPYRIGHT file.

o  RCS Ids from 2.4.x removed and new templates added for wu-ftpd.org
   usage.

o  Make sure the signal context is restored when jumping out of signal
   handlers.  This was causing signal 11 on some systems.

o  Cleaned up the how-to of setting up virtual hosting support.

o  Corrected header file dependencies.

o  Changed NLST to nlst, necessary as ftpcmd.c #defines NLST.

o  Tidied up virtual variables.

o  Changed so compiles cleanly on SCO OpenServer 5, UnixWare 2 and
   UnixWare 7.

o  Anonymous users could get in even though no class was defined for them.

o  Support for non-ANSI/ISO compilers has been removed.  You MUST have an
   ANSI/ISO C compiler.  This has been true for some time, all that has
   changed is the (incomplete) support for older (K&R) compilers has been
   removed.

o  Added Kent Landfield's NEWVIRT scheme for extensive virtual hosting.
   See the updated documentation on virtual hosting for details.

o  ftprestart has been added to the base daemon kit.

o  A buffer overrun in the ftpshut command has been corrected.  Since, on
   most sites, the ftpshut command is only usable by the superuser, this
   is not considered a security issue.  If you have installed ftpshut with
   suid-root permissions (not the default), then there is the possibility
   this overrun could be used to leverage root permissions.

o  Several new ftpaccess clauses have been added.  These allow control of
   the various timeouts used within the daemon.  The new clauses are:

       timeout accept <seconds>
       timeout connect <seconds>
       timeout data <seconds>
       timeout idle <seconds>
       timeout maxidle <seconds>
       timeout RFC931 <seconds>

o  Myriad places where inactivity timeouts were not being properly
   detected or handled have been corrected.

       The built-in directory listings, both the original NLST and the
       built-in LIST (ls), now detect inactivity.  The original NLST did
       not which could lead to hanging daemons.

       C FILE handles for data connections are now always flushed, then
       the socket is shutdown cleanly before being closed.

       As a side effect, the daemon now more often properly detects
       incomplete transfers.  This can lead, though, to the xferlog
       showing the correct byte count (meaning the daemon read or wrote
       that many bytes over the data connection), but still log the
       transfer as incomplete (meaning the socket did not properly
       shutdown so the client probably missed some data).

o  The daemon no longer attempts to replace the system's <arpa/ftp.h>
   header when compiling.  Instead, it uses its own local copy at all
   times.

o  The daemon will now wait for the transfer to complete before sending
   'Transfer complete' or similar messages.  This improves the daemon's
   reliability for poorly written clients which take receipt of the message
   as indication the transfer has completed rather than reading until the
   connection closes.

o  Guest and anonymous logout was not recorded on Linux.  Removed call to
   updwtmp and returned to old method of updating the lastlog.

o  Script "vr.sh" is no longer needed.  The Development Group will not be
   releasing patches to upgrade; they can be obtained from CVS if needed.

o  "realpath_on_steroids" is no longer needed.  Removed.

o  Use a custom version of fnmatch() which changes the rules for matching
   file and directory names.  The most visible result of this is
   noretrieve and allow-retrieve are now much more flexible.  See the
   ftpaccess manpage for examples.

o  Use the correct SPT_TYPE for FreeBSD 2.0 or later.

o  Correct the class= logic on the allow-retrieve clause.

o  Enhanced DNS extensions.  This adds three ftpaccess clauses:

       dns refuse_mismatch <filename> [override]
       dns refuse_no_reverse <filename> [override]
       dns resolveroptions [options]

o  Corrected a reference in the manpage for ftpconversions to ftpd.

o  The string 'path-filter' is now used in the system logs to describe
   problems resulting from failing a path-filter check.  The daemon used
   to just say 'bad filename' which was misleading to some people.

o  Added instruction on how to support PAM on Solaris.  Right now this
   means hand editing src/config/config.sol and
   src/makefiles/Makefile.sol.

o  Checking that all platforms use config.h, src/config/config.isc was
   found to have forgotten to include the file.

o  A security deficiency on SunOS 4.1, not having a working getcwd()
   function, has been corrected by using the provided function.
   Compilation bugs in the portable getcwd() function have been corrected.

o  The daemon will no longer hang attempting to close the RFC931 socket
   when the remote end is firewalled and does not respond to traffic for
   this protocol.  This was determined to be inappropriate handling of
   SIGALRM; handling for this signal has been cleaned up throughout the
   daemon.

o  The daemon may now be built using GNU autoconf.  This is in the early
   stages and not all platforms may be supported.  The old build system
   will be maintained for at least the 2.6.0 release; until the major
   platforms are all known to be supported.

o  Two new ftpaccess clauses have been added.  These allow the site admin
   to selectively allow PORT and PASV data connections where the remote IP
   address does not match the remote IP address on the control connection.
   The new clauses are:

       port-allow <class> [<addrglob> ...]
       pasv-allow <class> [<addrglob> ...]

o  The daemon now includes an internal 'ls' command.

o  Ported to Mac OS/X.

o  Added (limited) support for AFS and DCE user authentication.  This is
   only known to work on AIX, and needs porting to other platforms.  For
   now, this requires hand work to enable.

o  Added an ftpaccess clause to enable TCP keepalives.  This clause is:

       keepalive <yes|no>

o  You can now specify the xferlog filename for the default server just as
   you can for the virtual hosts; in the ftpaccess file.  The new clause
   is:

       xferlog <absolute path>

o  ftpaccess manpage cleaned up.  Many typos corrected, some technical
   changes.  Indentation should now be correct.

o  Added Apache's .indent.pro to the src and support directories.  Ran all *.c
   and *.h files through it.  ftpcmd.y has been indented by hand.  The
   code is now a lot more readable!

o  A bug in the parsing for the deny !nameserved ftpaccess clause has been
   corrected.

o  Technical corrections in the ftpd manpage.

o  Add util/recompress.c as a more generic version of gzip2cmp.c

###########################################################################

Changes in 2.5.0: Released 25 May, 1999

o  Change the handling of wtmp for GNU libc to use the OS-provided
   function updwtmp().

o  Prevent some buffer overruns.

o  Fix permissions on some files installed by RPM, add the log rotation
   control file.

o  Change the seteuid() calls for fchown() and chown() for POSIXLY_CORRECT
   systems.

o  pid file locking in ftpcount (ftpwho) is now consistent with the way
   the daemon locks these files.

o  Cancel any pending alarm request to stop acl_remove() from being
   interrupted then called again via the SIGALRM handler, this should fix
   the flock on a bad file descriptor looping problem.

o  Use %m in syslog format strings in place of %s and strerror(), this
   simplifies #ifdefs.

o  For SCO, link ftpcount with libsocket, necessary as it now calls
   syslog().

o  Added Redhat's RPM SPEC file for building RPMs.

o  English corrections in ftpaccess manpage.  Technical correction: the
   noretrieve/allow-retrieve clauses do NOT support regular expressions.

o  Move where ftpglob stuff is defined to avoid compilation errors on some
   systems.

o  Port to SGI Irix version 4 corrected.

o  Overwrite behavior on uploads has been made consistent with shell
   usage.  The daemon does not change ownership or permissions on
   overwrite.

o  Corrected the PASV command to bind to the correct interface (local IP
   address).

o  Removed the OVERWRITE and UPLOAD defines from platform config files;
   they are defined in the main config.h header.

o  Issuing CWD without any parameters caused a signal 11, crashing the
   daemon.

o  Port to HP/UX corrected.

o  Added ERRATA file to discuss problems with getcwd().

o  Added a portable version of the getcwd() function for systems which do
   not have it or incorrectly implement it.  NextStep 3 uses this new
   function.

o  OPIE support was being disabled even though the proper command-line
   switches were being set.  Corrected the use of opieverify().

o  The fatal() function was not declared void; this was causing problems
   with some compilers.

o  Port to Hitachi HI-UX corrected.

o  Some calls to fnmatch() were missing parameters.

o  Corrected the 'restricted' user feature.  It now works well with most
   FTP clients.

o  Correct usage of -d vs -e in the install Makefile for a number of
   platforms.

o  You can now use negated hostnames/addresses on the class ftpaccess
   clause.

o  Added an ftpaccess clause to specify random text for the initial
   greeting:

       greeting text <message>

o  Corrected password encryption/checking for Digital Unix with C2
   security (SECUREOSF).

o  Merged the TODO file from the VR series with Stan's TODO file for the
   Academ betas.

o  Changed the various permission denial messages sent by the daemon to
   the client to make it clear the message originated from the server.

o  Ports to SCO, Solaris, uxw, ptx and isc corrected.

o  Use the newer SEEK_ defines in place of the old BSD L_ defines and
   removed the global definition of entry, each function should define it
   locally.

o  Removed an unnecessary lseek(L_SET) in ftpcount (ftpwho).

o  Link ftpcount and ftpshut with ${XXLIBS}.

o  Made strsep() definition consistent with BSD and Linux.  Add strsep()
   definition to conversions.c.

o  Added #include <string.h> to ckconfig.c.

o  Replaced the _PATH_DEVNULL define with a #include of "pathnames.h" in
   popen.c.

o  Support long group access passwords if SecureWare or HPUX_10_TRUSTED
   are defined (using bigcrypt()).

o  Fixed a memory leak in restrict.c.

o  Digital Unix version 4 has a working getcwd(); use it instead of
   getwd().

o  Stop restrict_list_check() from walking off the end of name.

o  Added -x command-line option to mean 'log syslog+xferlog'.

o  Changed the log ftpaccess clause to allow logging transfers to both the
   syslog and xferlog.  The log ftpaccess clauses now include:

       log syslog
       log xferlog
       log syslog+xferlog

o  Formation of the WU-FTPD Development Group on 1 April, 1999.
   2.4.2-VR17 chosen as initial baseline for the daemon.

###########################################################################

Changes in 2.4.2-VR17: Released 1 April, 1999

o  Gregory A Lundberg resigns as the de-facto maintainer of WU-FTPD.  "And
   you thought I was joking."

o  VIRTUAL is now the default for Solaris; all Solaris systems support
   multiple interfaces (IP addresses).

o  Fixed complaints involving virtual_len reported by several beta
   testers.

o  Some of the 'C' source code in ftpcmd.y depended upon a particular
   behavior when ANSI/ISO does not define it.  Corrected so all compilers
   will properly interpret the code.

o  Corrected the support for QUOTA on Solaris.

o  The GNU EGCS 'C' compiler is broken.  A quick check and we can avoid
   the brokenness.

o  Port to Ultrix corrected.

o  The default shell on NextStep wants -d instead of -e.  Changed to test
   instead of [] since that's more portable; will probably do the same to
   other systems in a future release.

o  MNTMAXSTR was possibly undefined on Digital Unix 4.0 even when not
   using QUOTA_DEVICE, causing compilation errors.

o  Added daemonaddress to the ftpaccess manpage.

o  Added a note from Chad Price <[email protected]> in src/logwtmp.c
   about the brokenness of Solaris' last command.

o  It turns out that not all SunOS 4.1 boxes actually have a getcwd()
   function.

o  The labels unix and __unix__ are deprecated on BSD, affecting the logic
   for the response to the SYST command.

o  Added an appnote about OPIE.  See src/makefiles/Makefile.lnx for a way
   to automatically have the daemon use OPIE.  Send your Makefile if you
   do something similar for your system.

o  Added an appnote about a problem experienced with Trusted Solaris.

o  Added doc/misc directory to start collecting interesting tidbits which
   may help people get their servers going.

o  The FIXES files were really cluttering up the base directory.  Moved
   them to a directory under doc.

o  The 'log security' ftpaccess clause covered all but a few messages
   about filesystem operations.  It now covers the few it missed.

o  Under some conditions _PATH_WTMP was not being set in pathnames.h

o  QUOTA is now supported for Solaris.

o  Trusted Solaris needed additional functionality in ftpcount (ftpwho).

o  File locking in ftpcount (ftpwho) was never completed.

o  Port to HP/UX corrected.

o  'make install' now accepts DESTDIR to install into a directory
   structure other than the root file system.  A number of other optional
   parameters are available to override the default ownership of the
   installed files.  Missing directories are automatically created.  File
   permissions were reduced to the minimum necessary.

o  Dead code removed.

o  The Makefile for Linux now automatically detects if PAM is installed
   and compiles the daemon to use it.

o  Fix an uninitialized variable in ftpshut which could affect the way the
   command works with default values.

o  Suppress trailing blanks from the output of a wide 'ps' in the ftpcount
   (ftpwho) command.  Just making things pretty.

o  Updated upload.configuration.HOWTO to describe more of the
   configuration having to do with class= rules and overwrite, delete and
   rename clauses.

o  Added vers.c and edit to 'make cleandir' in the src directory.  These
   files are automatically created during the build process.

o  Added a restrict_check(".") in the LIST command for consistency with
   the remainder of the code in ftpcmd.y.

o  Corrected the 'restricted' users feature so it would play nicely with
   web clients and the way some of them mis-interpret FTP URLs.

###########################################################################

Changes in 2.4.2-VR16: Released 4 March, 1999

o  The Makefile for hiu had a typo and would not install two manpages.

o  Merged 2.4.2-BETA-18-VR15 with 2.4.2 (final) from Academ.  Gotta love
   CVS. :)

o  Gregory A Lundberg becomes the de-facto maintainer of WU-FTPD pending
   the formation of the WU-FTPD Development Group.

###########################################################################

Changes in 2.4.2: Released 26 February, 1999 (not announced)

o  With the release of 2.4.2, Stan Barber steps down as the maintainer of
   WU-FTPD.

o  Documented that 'upload .. no' allowed directory creation.  See
   doc/examples/ftpaccess.heavy as an example.  [Ed: This is not the case
   for the VR series, but I'm including the change anyway.]

o  Clarification in the manpage for ftphosts: ftp or anonymous listed in
   the file will disable anonymous ftp access.

o  Possible pointer overrun in acl.c parsing ftpaccess corrected.

o  Literal constant in ftpcmd.y changed to static to reduce program size.

o  ftpcount/ftpwho interpretation of start/stop times made to match the
   way the daemon actually does it.

o  setproctitle() in ftpd.c updated to avoid a buffer overrun and handle
   low memory conditions; SCO corrections.

o  Possible buffer overrun parsing 'virtual root' and 'virtual logfile'
   corrected.

o  A timeout timer was being reset at the wrong point during STOR.

o  Corrections for Sun/Solaris paths in pathnames.h.

o  Makefile for DEC/Unix (dec and du4) changed from cc -std1 to cc -std.

o  Correction in syslog support for DEC/Unix in support/syslog.c.

o  util/xferstats corrected to parse your local domain name rather than
   just assuming you're academ.com.

o  Other changes are white-noise or simply for style and do not affect the
   operation of the daemon in any way.

###########################################################################

Changes in 2.4.2-BETA-18-VR15: Released 1 March, 1999

o  Provided a means to completely disable anonymous FTP access.  Done as a
   compile-time option, see config.h

o  NLST with a directory ending with / doubled up the slash.  This had
   been there for years.

o  Completed large file support for AIX.  To enable Large File support,
   use './build aix LF=YES'

o  The stock compiler on SunOS 4.1 is braindead.  Use gcc instead.  Also
   found during trials that getcwd() works fine on s41 and enabled it.
   Found that on a SunOS 4.1 using NFS in the FTP area, fchdir() doesn't
   always work so if you have problems, #define HAS_NO_FCHDIR to see if
   that helps.

o  Complete the changeover from SCO Unix to SCO OpenServer 5.

o  We really don't need to #undef NO_PRIVATE twice in config.h .. it just
   confuses things.

o  The -X command-line option and 'log syslog' were not working as
   documented.  The switch was re-initialized by the 'log' clauses.

o  Additional corrections for AIX 4.2 and large file support.  Earlier
   versions of AIX may need to edit support/makefiles/Makefile.aix if they
   don't have snprintf() or strdup().

o  Corrected a case where _PATH_XFERLOG may not be defined at all in
   src/pathnames.h.

o  Code cleanup for the xferlog print which was changed in VR14.

o  A typo selected the wrong HELP_CRACKERS patch in one place.

o  Protect a #define conflict on NetBSD with #ifndef.

o  The reason the daemon won't work on AIX is the size_t_blksize change
   made as an experiment way-back-when.  Backed out that change.  Let's
   see what happens.

o  Corrected an error which caused AIX to sometimes report 0 for the
   filesize when a download begins.

o  There were a number of places there was no check for errors from
   alloc()/malloc()/calloc().

o  defumask was causing problems on HPUX.  Another case of mis-matched
   definition/extern.

o  There were several places where int was being used and size_t was
   correct.  This may, or may not, fix problems getting the daemon to work
   on AIX.

o  Added the ability to restrict users to their home directories.  This
   has the effect of doing a "soft" chroot and is best used with guest
   users.  Several new ftpaccess clauses were added to support this:

       restricted-uid <uid-range> [...]
       restricted-gid <gid-range> [...]
       unrestricted-uid <uid-range> [...]
       unrestricted-gid <gid-range> [...]

o  Sun forgot to include RAND_MAX in their implementation of
   srand()/rand() on SunOS 4.1.  Choose a (hopefully) correct value.  This
   has dire consequences for PASV port randomization if it's wrong.

o  The Perl script for xferstats provided with the daemon calls for
   /usr/local/bin/perl when Perl is usually in /usr/bin/perl.  You
   shouldn't be using this script anyway, get Phil's version; it's MUCH
   better.

o  Corrections to QUOTA support.

o  OPIE can now use the OPIE access file, allowing some users to use
   password authentication while requiring others to use OPIE.

o  Wildcards (*) on hostmatch used to work and don't any more.  They were
   removed because the original method was insecure.  Corrected the
   problem and re-instituted this feature without the potential security
   problems of the old method.

o  /etc is cluttered enough but the config files make it harder than it
   has to be to use /etc/ftpd for the daemon configuration files.  Updated
   config files to test for a value before setting the default.  Look in
   src/makefiles/Makefile.lnx for an example of how to automatically test
   the target for this, or just add -DUSE_ETC_FTPD to COPTS in your
   Makefile.

###########################################################################

Changes in 2.4.2-BETA-18-VR14: Released 15 February, 1999

o  The correction for SCO had an effect on Digital Unix with C2 Security
   (SECUREOSF).

o  Fixed some dumb coding mistakes in realpath.c

o  Port for NextStep 3.3 corrected.

o  Fixed a compile error for quotas on Linux; seems Redhat or someone
   forgot to #include a file deep in the OS runtime headers.

o  Corrections for SecureWare systems so the daemon can build on SCO
   OpenServer 5.

o  There were points where multiple replies due to realpath() returning an
   error could hang the remote client.  Removed the extra replies.

o  The size of a buffer used by the *_realpath() functions is BUFSIZ and
   should be MAXPATHLEN.  Actually, this was the case many places in
   extensions.c.

o  The anti-NOOP code didn't work.  The timer was being restarted too
   often.

o  The reason debug doesn't work in daemon-mode is it's initialized too
   late.

o  Back in VR8 I turned off the sleep slowing down password guessers
   because there are times when signals can be off when the sleep occurs
   and that would hang the daemon.  Let's fix that and re-enable the
   sleep.

o  Still more buffer-overflow points which can cause problems.  This time
   it's in the writing of the xferlog.  Sigh.  This really should be
   rewritten.

o  Disallow PASV connections from IP addresses different than the control
   connection.  This is not a complete fix, but it will stop connection
   theft where the attacker is on a different machine than the victim-
   client.
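
   The check described above, together with the pasv-allow override
   listed under a later release, sketched in C as an added example (not
   WU-FTPD source).  The function names, the shell-style reading of
   <addrglob> and the sample addresses are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <fnmatch.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcome of checking the peer of a freshly accepted PASV data connection. */
enum pasv_verdict {
    PASV_SAME_HOST = 0,   /* data peer address == control peer address    */
    PASV_ALLOWED_GLOB,    /* differs, but an allow glob matches it        */
    PASV_REJECTED         /* differs and nothing allows it                */
};

/*
 * ctrl:  peer of the control connection (as returned by getpeername()).
 * data:  peer returned by accept() on the PASV listening socket.
 * globs: address patterns in the spirit of "pasv-allow <class> <addrglob>";
 *        assumed here to be shell-style globs over the dotted quad.
 */
enum pasv_verdict pasv_check_peer(const struct sockaddr_in *ctrl,
                                  const struct sockaddr_in *data,
                                  const char *const *globs, size_t nglobs)
{
    char text[INET_ADDRSTRLEN];
    size_t i;

    if (ctrl->sin_family != AF_INET || data->sin_family != AF_INET)
        return PASV_REJECTED;

    /* Compare addresses only: the data connection always uses a
     * different source port than the control connection. */
    if (ctrl->sin_addr.s_addr == data->sin_addr.s_addr)
        return PASV_SAME_HOST;

    if (inet_ntop(AF_INET, &data->sin_addr, text, sizeof text) == NULL)
        return PASV_REJECTED;

    for (i = 0; i < nglobs; i++)
        if (fnmatch(globs[i], text, 0) == 0)
            return PASV_ALLOWED_GLOB;

    return PASV_REJECTED;
}

/*
 * Accept on the PASV listener, dropping connections from unexpected hosts.
 * Returns the data socket, or -1 on error or after max_tries rejections.
 * Continuing to listen after a rejection is a choice made for this example.
 */
int pasv_accept_checked(int listen_fd, const struct sockaddr_in *ctrl,
                        const char *const *globs, size_t nglobs, int max_tries)
{
    while (max_tries-- > 0) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        int fd;

        memset(&peer, 0, sizeof peer);
        fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
        if (fd < 0)
            return -1;
        if (pasv_check_peer(ctrl, &peer, globs, nglobs) != PASV_REJECTED)
            return fd;
        close(fd);              /* stranger on the data port: drop it */
    }
    return -1;
}

/* Build a constructed sample address (documentation ranges, RFC 5737). */
static struct sockaddr_in mk_addr(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

int main(void)
{
    const char *const allow[] = { "198.51.100.*" };   /* constructed glob */
    struct sockaddr_in ctrl  = mk_addr("192.0.2.10", 40000);
    struct sockaddr_in same  = mk_addr("192.0.2.10", 40001);
    struct sockaddr_in other = mk_addr("198.51.100.7", 40001);

    printf("same host:       %d\n", pasv_check_peer(&ctrl, &same, NULL, 0));
    printf("other, no allow: %d\n", pasv_check_peer(&ctrl, &other, NULL, 0));
    printf("other, allowed:  %d\n", pasv_check_peer(&ctrl, &other, allow, 1));
    return 0;
}
```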

o  There is an old, well-known PASV port race designed into the FTP
   protocol.  To make it harder for this race to succeed, do not depend
   upon the underlying system to randomly choose the PASV port.  The only
   correct solution to this problem is a client-side issue: open the
   connection before issuing the transfer command.

###########################################################################

Changes in 2.4.2-BETA-18-VR13: Released 1 February, 1999

o  Added module loadavg.c stripped from Sendmail.  This is not currently
   compiled.  The module is for testing connection limits based upon
   system load, which is planned for a future version of the daemon.

o  Fixed a bug where access.c was logging garbage because of bad linkage
   to ftpd.c, this appeared on a number of syslog messages instead of the
   remote user identification (via RFC 931).

o  Added an ftpaccess clause to listen on a single IP address instead of
   INADDR_ANY.  This is incompatible with virtual host support as things
   now stand and will require a major rewrite to fix.  I needed it for a
   specific site and decided to leave it in.  The new clause is:

       daemonaddress <address>

o  Fixed a bug in the 'connection from' message.  The AUTH (RFC 931) was
   too late and the remote address and host name hadn't been determined
   yet.

o  Fixed a bug in the quota support which caused a crash if there was no
   file support (/etc/fstab /etc/mtab) on some systems.

o  Added documentation for class= phrases missed in VR12 and promised for
   this release.

o  The realpath fix in VR12 for NFS had an off-by-one.

###########################################################################

Changes in 2.4.2-BETA-18-VR12: Released 1 January, 1999

o  Added a missing library building for SGI.

o  Added a few small tweaks for building on NetBSD.

o  Added a compile-time option to suppress syslog messages about pid locks
   forcing a sleep.

o  Preload the ftpaccess file before becoming a daemon.  This can have a
   big impact on the performance for busy sites.  It also loads before the
   chroot command-line option so the /etc/ftpaccess file does not need to
   be in the protected area.

o  The ftpwho and ftpcount commands internally use ps(1).  Apparently, on
   at least Linux, there's a move afoot to change the ps(1) command so it
   no longer accepts dashes on the command-line options.  How annoying.
   Ah well, if the target is Linux, use ps(1) without dashes to make the
   silly command shut UP!

o  The cleanup in the last patch also cleared up some potential problems
   with the upload clause.  The daemon is no longer critically sensitive
   to minor formatting errors on this clause.

o  Added 'class=' parameter for noretrieve, allow-retrieve, path-filter,
   delete, umask, chmod, overwrite, rename and upload clauses.  Cleaned up
   the functions a bit for readability.

o  Port for Digital Unix 4.0(b) corrected.

o  Corrected a coding error which prevented proper use of the
   address:netmask form for access control.

o  Corrected problems with NFS and the new realpath code in VR10.  Some
   problems with several security models and NFS have been corrected.

###########################################################################

Changes in 2.4.2-BETA-18-VR11: Released 1 December, 1998

o  Corrected a problem with CWD when no parameter is given and the user is
   anonymous or guest.  The command should work but returns an error
   instead; the error reveals the underlying file system.  CWD with no
   parameter should work like CWD ~.

o  Corrected problems with the new realpath.c on SunOS.  Basically, the
   getcwd() function on SunOS is too buggy to use so we had to switch to
   getwd instead.  SunOS has joined AIX as systems which do not provide
   the runtime support needed to avoid all buffer overruns in realpath().

o  Changed the lslong and lsshort ftpaccess clauses to support more
   complex command lines.  Added lsplain to modify the default 'ls'
   behaviour.

o  The byte count for ASCII mode file reception was off by a few
   characters.  This bug had been there for a very long time.

o  A bad extern in ftpcmd.y caused garbage to be logged for the
   remoteident.

o  initsetproctitle was once again causing signal 11 crashes.  Moved the
   call further up yet again and they're not happening.

o  Added an option to completely disable PASV mode and/or PORT mode.

o  Added syslog message if started as a standalone daemon and there is no
   ftpaccess file being used.

o  Linux libraries now define some paths already in src/pathnames.h so we
   need to #include <paths.h> first.  Did this in config/config.lnx.

o  Linux library includes no longer #define MAXMNTENT so if it's not there
   #define it in extensions.c until someone has the time to fix this
   right.

o  Added -r option to chroot the daemon during startup.

###########################################################################

Changes in 2.4.2-BETA-18-VR10: Released 1 November, 1998

o  There was a buffer-overrun in the realpath function.  Imported the
   FreeBSD realpath() function to correct this error.

o  The Perl xferstats wasn't updated to match the new xferlog format with
   the new completion-code field on the end.

o  AUTH (ident) the remote user during login.  Record the results in the
   syslog.

o  RFC-931 (AUTH/IDENT) was finished up.  The log messages now show the
   RFC-931 user if one is known.

o  Support for some Hitachi flavors of Unix was added.

o  Major cleanup of build and the makefiles.

o  A number of minor fixes, mainly having to do with differences between
   ANSI/ISO and K&R C.

o  Fixed several points of confusion when some things (like size_t) are
   not the same size as an int.

o  Added the -Q command-line option to suppress access to the PID files.
   NOTE: Without PID files, the limit ftpaccess clause cannot determine
   the number of users in the given class.

o  Added a -p option which allows the port to be specified for the control
   connection.  Command-line options are also provided to allow both the
   data and control port numbers to be specified.

o  The daemon did not use the correct method to choose the port for the
   data connection in PORT mode.  The daemon will look up the data port in
   /etc/services.

###########################################################################

Changes in 2.4.2-BETA-18-VR9: Released 15 October, 1998

o  Cleaned up a few large, confusing 'if' statements in the code.

o  Changed my mind.  Regular expressions don't work well unless there's
   some way to tell they're there.  Backed out all regular expression
   matching for file/path names in the ftpaccess file.  This issue will be
   re-evaluated in a later version.  Globbing still works everywhere it's
   reasonable to use it.

o  Dead code removed.

o  Noted a number of places where strcmp was used but strcasecmp would be
   more appropriate.  This makes the ftpaccess file easier to maintain
   since small typographical errors won't matter so much any more.

o  Added regular expression matching to deny-mail.

o  There were reports of errors on AIX with malloc.  Testers confirm
   problem in send_data().  Working on the supposition that the problem is
   data alignment: the 'blksize' is off_t and malloc() wants a size_t;
   added a conversion step which should eliminate the problem.

o  Fixed another discrepancy between the ANSI and K&R function
   definitions.

o  Support globbing/wildcards throughout ftpaccess file for file and
   directory comparisons.

o  Added support for OPIE (One-time Passwords In Everything).  You will need OPIE
   libraries installed to use this.  OPIE is available from
   ftp://ftp.inner.net/pub/opie/opie-2.32.tar.gz

o  The extensions for 'absolute' or 'relative' pathname comparison were
   not case-insensitive.  They should have been.

o  Add 'allow-retrieve' to allow retrieval of files which would be denied
   by earlier 'noretrieve' clauses.  The ftpaccess clause is:

       allow-retrieve [absolute|relative] [class=<classname>]... [-] <filename> ...

o  Support regular expressions in noretrieve.

o  Port for Digital Unix with C2 Security (SECUREOSF) corrected.

o  Allow access control commands to use address/netmask or CIDR.

o  Corrected a hostname matching bug.

o  Allow host names instead of IP numbers.

o  Reduce the number of DNS lookups needed for virtual host support.

o  xferlog now indicates success or failure.

o  realpath() needs root permissions to prevent errors under certain
   security models.

###########################################################################

Changes in 2.4.2-BETA-18-VR8: Released 1 October, 1998

o  AIX complained (rightly so) about several problems with the source
   which prevented compiling using K&R.

o  DEC Unix 3 complains about the function 'main()' having more than two
   parameters for STRICT ANSI/ISO C compliance.  This warning can be
   safely ignored.

o  Corrected several minor problems and fixed errors in syslog in the
   support/makefiles/Makefile.dec and src/makefiles/Makefile.dec which
   prevented building on DEC Unix 3.x.

o  Added USE_VAR and USE_ETC for IRIX (sgi) configuration.

o  Added two more virtual-server features so we can deny anonymous login
   on a virtual server and so we can allow specified users to log in even
   though they're real or chroot'd to another directory.  Also added a
   feature to deny real, guest or anonymous on the default server.  The
   new ftpaccess clauses are:

       virtual <address> private
       virtual <address> deny <username> [<username> ...]
       virtual <address> allow <username> [<username> ...]
       defaultserver private
       defaultserver deny <username> [<username> ...]
       defaultserver allow <username> [<username> ...]

o  Testing CLOSED_VIRTUAL_SERVER pointed out a bug in user() .. the
   attempt to sleep to slow down password guessers can't work since
   signals are off.  The daemon sleeps forever.  This has been there for
   years.

o  Ported to Digital Unix 4.

o  If no 'ftp' user existed, the HELP-HACKERS patch failed to send a
   response which would hang the ftp client.

o  BSD auth failures crashed the daemon.  This looks like it's been a
   long-standing problem.

o  An earlier version changed the behavior of the xferlog to always show
   the full, real path for the file.  This should have been a compile-time
   option.

o  More typos in ftpaccess.5, some mine, some have been there for ages.

o  Added the ability to disable all DNS lookups in the daemon.  I've done
   this as a compile-time option and included a discussion of the risks
   and benefits in the config.h for the daemon.  Enabling this feature can
   be a win for busy sites because it can reduce the time required to make
   a connection as well as eliminate syslog messages caused by bad DNS
   management at the remote sites.

o  Found another undocumented feature.  If the <addrglob> on a 'class' or
   'deny' clause starts with a slash (/) it names a file which contains
   any number of additional <addrglob> entries per line and any number of
   lines.  Updated manpage.

o  Add 'greeting' clause to control the amount of information the server
   gives out on the greeting.  The new ftpaccess clause is:

       greeting full|brief|terse

o  Added 'email' option for the 'virtual' clause so we may set this as
   well.  The new ftpaccess clause is:

       virtual <address> email <string>

o  Added the restriction that no real users may log in on the virtual
   server.

o  If a guest logs in on the virtual server deny the login unless their
   chroot point is the virtual server's root.  This restricts guest logins
   to the site admin and anonymous users.

o  Added 'hostname' option for the 'virtual' clause so we may set the name
   of our multi-homed ftp sites as we can with our default site.  The new
   ftpaccess clause is:

       virtual <address> hostname <string>

o  Added an ftpaccess clause to limit total connect time.  The new clause
   is:

       limit-time {*|anonymous|guest} <minutes>

o  Disallow certain email addresses as passwords for anonymous ftp.  The
   new ftpaccess clause for this is:

       deny-email <case-insensitive-email-address>

o  Fix a bug in the parsing of ftpconversions which I found when I put in
   the new conversions for checksums.  Turns out this was the same as the
   bug I fixed in VR4 parsing the ftpgroups file.

o  Cleaned up some of the cross-platform user authentication code for
   SECUREOSF.

o  Modify the password cryptography for C2 Digital Unix.

o  Moved 'retrieve_is_data' to be always compiled into the code since it
   was needed for SITE CHECKSUM.

o  Add site-exec-max-lines ftpaccess clause.  This clause makes the limit
   on output lines from SITE EXEC configurable.  The default is a 20-line
   limit, which was the old compiled-in limit.  The new ftpaccess clause
   is:

       site-exec-max-lines <number> [<class> ...]

o  Added IGNORE_NOOP as a new compile-time option.  It is now the default.

o  Added 'SITE CHECKMETHOD' and 'SITE CHECKSUM'.

       SITE CHECKMETHOD [CRC|POSIX|MD5|RFC1321]

       Sets or displays the current check method.  If no parameter is
       given, displays the current method; otherwise the method is set to
       the given algorithm.  CRC and POSIX are equivalent and are the
       output of the GNU cksum(1) utility.  MD5 and RFC1321 are equivalent
       and are the output of the GNU md5sum(1) utility.  The default check
       method is RFC1321 (MD5).

       SITE CHECKSUM [<file>]

       Calculates the checksum for the named file.  If no file is given,
       the last file transferred (uploaded or downloaded) is used.  If no
       file has yet been transferred, reports an error.  The current
       CHECKMETHOD is used to calculate the checksum.

       New ftpconversions: .crc and .md5

       Two new file conversions were added to the example ftpconversion
       which allow using GET to retrieve the CRC or MD5 checksums for
       files.

       NOTE: SITE CHECKSUM requires the installation of two additional
       programs in the ~ftp/bin directory.   These programs have the same
       requirements as the external ls(1) program also normally required
       in that directory.  For systems without these programs, or which
       require building new copies, the GNU textutils package should be
       used.  This package is available at ftp://ftp.gnu.org/pub/gnu/; the
       current version at the time of this writing is
       textutils-1.22.tar.gz.

###########################################################################

Changes in 2.4.2-BETA-18-VR7: Released 15 September, 1998

o  Transfer limits tested the wrong values for files uploaded to the
   server.

o  Added several new log messages missed in other versions having to do
   with filesystem change attempts.

o  Extended logging for rejected or denied functions such as delete,
   rename.

o  The QUOTA logic for BSDI doesn't match what's provided by the system.

o  My label 'slimy_hack:' appearing just before a '}' causes some
   compilers to belch.  I guess some are more ANSI/ISO than others.  Made
   a quick fix which ought to make them shut up until I can rewrite pass()
   to make the label go away.

o  The include for 'mntent.h' isn't needed unless QUOTE_DEVICE is defined.
   This caused problems on BSDI.  Moving the include to only appear for
   systems which use QUOTE_DEVICE.

o  The HELP_CRACKERS patch was too aggressive and, if message files were
   defined for 'deny' and 'limit', could tickle bugs in ftp clients.  The
   patch is backed off to drop the connection immediately if it violates
   'deny' or 'limit'.

o  Extended upload and noretrieve to have an optional parameter which
   specifies whether the named file/directory is interpreted as an
   absolute name or relative to the current chroot'd environment.

o  Don't respond to *ANY* commands except USER, PASS and QUIT until the
   remote user logs in successfully.

o  Added PARANOID check to deny login if a real user's home directory is
   bad.  Something's bunged up in /etc/passwd, why trust it?

o  Extended logging for rejected and failed login attempts.

o  Fixed a bug in popen which can cause segmentation faults.  It's unknown
   if this is exploitable (it doesn't look like it is to me).  It's been a
   problem for a long time.

o  Fixed a typo in the ftpaccess manpage (What, just one?  Come on!)

o  Traffic counters weren't protected by TRANSFER_COUNT in some cases.

o  The 'daemon' variable conflicts with a 'daemon()' function in some
   runtimes.  Renamed.

o  Missing <grp.h>.  Gotta love Linux's grab-one-get-it-all method for
   defining system headers, don't ya?  Grrr.

o  DAEMON always includes <sys/termio.h>, it was needed until VR6 removed
   the attempt to detach from the controlling terminal.

o  main() is declared void; that's not ANSI, it's just stupid.

o  routevector.c uses ulong instead of u_long.  ulong doesn't exist on
   many systems.

o  defumask caused a data alignment problem on HP-UX 10.

###########################################################################

Changes in 2.4.2-BETA-18-VR6: Released 26 August, 1998

o  Fixed handling for the message clause so login and cwd= work as
   expected.

o  The daemon responds differently in some cases when it's denying access.
   This could be used by attackers to determine the validity of some user
   names on the target system.  NOTE: the 331 response for some systems,
   notably BSD S/Key or other challenge/response systems, may differ from
   the 331 response given.  I don't have access to those systems to check
   out the differences.  If you do, and work out how to hide the access
   refusal until after the password challenge, please forward it to me.

o  The upload clause should use realpath on the home directory to be sure
   it matches.  Otherwise, real users with /./ in their path will need
   their upload clause to lexically match the home directory entry in
   /etc/passwd.  This was not a big issue until I added realuser.

o  Fixed a bug with realpath, a missed condition.  If chroot'd to '/' the
   xferlog shows '//' at the start of the filename.

o  Added the ability to force all UID/GID in a range to be treated as
   guests.  The ftpaccess clauses for this are:

       guestuser <username> [<username> ...]
       realgroup <groupname> [<groupname> ...]
       realuser <username> [<username> ...]

o  Disallow UIDs and GIDs by numeric range.  This can obviate the need for
   /etc/ftpusers.  The ftpaccess clauses for this are:

       deny-uid <uid-range> [...]
       deny-gid <gid-range> [...]
       allow-uid <uid-range> [...]
       allow-gid <gid-range> [...]

o  Added 'guest-root' to select directory based upon guest UID.  The new
   ftpaccess clause is:

       guest-root <root-dir> [<uid-range>]

o  Added 'anonymous-root' to select chroot directory based on class of
   anonymous user.  The new ftpaccess clause is:

       anonymous-root <root-dir> [<class>]

o  Missed a spot where "*" should be matched for the <root-dir> in an
   upload clause.

o  Fixed a silly bug in the "rename" clause.

o  Change the defaults to deny upload, and other site-modification things,
   for anonymous users.

o  Some systems, notably Solaris, have problems with the code the
   standalone daemon mode used to attempt to detach from the terminal
   session.  This was in the original patch.  Upon thinking about the
   problem, I see no reason to keep the code around.  If you need this
   feature, use 'nohup' to run the daemon.

o  Standalone daemon mode (in VR4) missed including a header.

o  Added '-VR6' to version string in newsvers.sh.  This will be updated
   with all future versions.

###########################################################################

Changes in 2.4.2-BETA-18-VR5: Released 15 August, 1998

o  Cleaned up some unneeded blank lines sent in responses.

o  Added a message to show total traffic counts on the response to QUIT.

o  Added file counts, corrected missed bytes, added counts to STAT
   command.

o  Added detail counters and ftpaccess clauses to limit the user's ability
   to upload/download files based on these.  The new ftpaccess clauses
   are:

       byte-limit [<raw>] <in|out|total> <count> [<class>]
       file-limit [<raw>] <in|out|total> <count> [<class>]

o  Restrict throughput for network load management.  The ftpaccess clause
   for this is:

       throughput <root-dir> <subdir-glob> <file-glob-list> <bytes-per-second> <bytes-per-second-multiply> <remote-glob-list>

o  Added 'tcpwindow' to configure TCP window size for performance
   tweaking.  The ftpaccess clause is:

       tcpwindow <size> [<class>]

o  Provided address remapping for PASV mode to allow daemon to run behind
   IP-address translating firewalls (NAT).  If you use this with virtual
   hosts, let me know how it goes; I think it works, but let me know if it
   needs extensions for virtual hosts.  The ftpaccess clauses for this
   are:

       passive address <externalip> <cidr>

o  Limit PASV port ranges.  The ftpaccess clause for this is:

       passive ports <cidr> <min> <max>

o  The original idea for realpath when it was included in the source kit
   was that it would provide missing functionality on systems where it was
   missing or replace existing functionality on systems where it was
   already present.  The VR versions presume the daemon will always use
   the included realpath function.

###########################################################################

Changes in 2.4.2-BETA-18-VR4: Released 30 July, 1998

o  Added 'defumask' to specify umask values by class in ftpaccess.  The
   ftpaccess clause is:

       defumask <umask> [<class>]

o  Added the ability to specify groups which have no password.  You'll
   still need to SITE GPASS, but just send no password.

o  Fixed possible bugs if the ftpgroup file is malformed.

o  Allow numeric UID and GID values.  On systems with large numbers of
   users and a large number of upload clauses, the daemon can take a
   significant period to process the ftpaccess, passwd and group files.
   Affected ftpaccess clauses include: upload, guestgroup and autogroup.

o  The following problems were noted during testing:
    - Issuing PORT prior to login changes the state of the daemon
    - Issuing PASV after PORT does not change the mode reported by STAT
    - Illegal PORT commands change the state of the daemon
   This turned out to be two problems: PASV mode was being reset by
   rejected PORT commands, and PASV mode wasn't resetting the state
   completely after setting up a data connection.

o  HELP PORT indicated only 5 bytes were needed.  Six are.

o  Added MAPPING_CHDIR config option to support CWD working like cd
   command in most Unix shells; the PWD shown is the logical path rather
   than the physical path.

o  Added syslog messages for more stuff.  MKD, RMD, CHMOD and RNTO now log
   as DELE has.

o  Added new command-line option to run in standalone daemon mode.  This
   is a win for busy sites but not the big win it could be if it
   pre-loaded the ftpaccess file into memory.  Also, at this point, the
   standalone mode loses the tcpwrappers functionality which is available
   when running from inetd.

o  The mod to realpath for VR3 wasn't complete.  This was mainly visible
   when logging a deletion message.

###########################################################################

Changes in 2.4.2-BETA-18-VR3: Released 15 July, 1998

o  Added -w and -W to enable (default, -w) or disable (-W) recording user
   login and logout for ftp sessions in wtmp.

o  Noticing 'guestserver' made me look.  There are two other undocumented
   ftpaccess clauses: 'lslong' and 'lsshort'.  Man page updated.

o  While researching 'nice' came across an undocumented ftpaccess clause
   'guestserver'.  Man page updated.

o  New ftpaccess clause 'nice' to adjust process priorities based upon the
   class.  The new ftpaccess clause is:

       nice <nice-delta> [<class>]

o  The upload clause is extended to allow '*' for <owner> and <group> so a
   single upload clause can work for all users.  For example:

       upload /home/ftp /private/*/incoming* yes * * 640 nodirs

   can be used to create private upload areas for every user.

o  The noretrieve clause is extended to mark entire directories
   un-gettable.

o  The util/xferstats that comes with wu-ftpd 2.4 always produces a count
   of zero for "Systems Using Archives", because the array whose size is
   printed ("$systemfiles") never gets anything stored in it.  Verified to
   exist in the current version.

o  The perl script xferstats incorrectly identifies internet addresses
   whose host name begins with "inf" or which are only 2 components wide
   (e.g., "bix.com") as unresolved.  I could not verify the "inf" problem,
   but the 2 component problem has been verified to exist in the current
   version.

o  On the upload clause, 'no' should imply 'nodirs'.  Good grief, how long
   has this bug been lurking about?  [Ed: Since 2.1!]

o  The fixes for the CD ~ problem (ALTERNATE_CD option for beta 18) break
   a few things.  Most notably, xferlog doesn't include the full name of
   the file and the upload command doesn't work properly.  In addition, I
   believe noretrieve should be based on the real file system rather than
   the chroot'd environment.  The man page says '/' means the name is an
   'absolute path specification' which I take to mean from the real file
   system.  Discovered during testing; I had the same problem with my CD ~
   fix in beta 17 so I was expecting this.

o  Makefile.lnx from BETA-18 links the daemon and support programs
   statically.  The wisdom of this is debatable at best.

o  Makefile.lnx from BETA-18 presumes Bison is installed; it isn't always.

o  BETA-18 had the default to disable the ALTERNATE_CD fix for the CD ~
   problem.  It should be enabled.

o  Merged 2.4.2-BETA-18 with 2.4.2-BETA-17-VR2.  What a pain; next time I
   have to be up and ready with CVS!

###########################################################################

Changes in 2.4.2-BETA-18: Released 6 July, 1998

o  Improve the build process for Solaris.

o  The response to the MKD command was not RFC 959 compliant.  A number of
   responses given by wu-ftpd were not compliant with RFC 959. I have
   audited this in the software and corrected as many as I can find.

o  Make some changes to the installation process for Linux.

o  Fixed a case where a variable does not get properly defined if UPLOAD
   is not defined in config.h.

o  Added more information about the impact of the existence of the
   shutdown message file to the NOTES file.

o  The wrong error message would be returned when a write fails (during a
   PUT).

o  Add "exit(0);" to the end of the ftpshut.c file.

o  Permit the daemon to make use of the -A option to /bin/ls when on
   Solaris 2.

o  Log information when a transfer data connection comes from somewhere
   other than the address of the control connection.

o  Made it easier to compile on HP/UX.

o  Fixed an "off by one" problem in the "limit" stanza of the ftpaccess
   file when specific times are specified.

o  Linux releases other than RedHat 5.0 running kernels with versions
   greater than 2.0.31 would not compile properly.

o  Solaris 2.5.1 on sparc would not correctly determine if the snprintf
   family of library routines were to be linked from the C library or from
   the support library.

o  SITE CHMOD would not accept values greater than 777. Now, you can. Just
   define UNRESTRICTED_CHMOD in the root-level config.h file.

o  Port correction for HP/UX.

o  wu_logwtmp did not include the username when a logout record is
   written.

o  On SGI, initsetproctitle causes problems. I don't have an SGI to test
   the fix on, but I have attempted to address it in this release.

o  Fixed a problem with the STAT command when in Passive mode.

o  The home directory finding routine in glob.c would not return the right
   stuff when the "/./" convention is used for guest users.

o  Port correction for DEC UNIX.

o  Made it easier to compile on AIX 4.2.

o  _LARGE_FILES should not be defined for AIX 4.2 builds. I have changed
   the config.h file for aix to do this for AIX 4.2. I don't have AIX, so
   I don't know if this will work, but it's in there.

o  Changed the strategy for using bigcrypt() on C2 Security on Dec OSF/1.

o  NO_PRIVATE was not explicitly defined or undefined in config.h.

o  Fix a problem in the output of the ftpcount command.

o  Fix the "build" script to make it format the error message properly
   when multiple compile targets are provided.

o  Corrected a documentation error in describing the impact chroot has on
   hard links.

o  Address some misplaced or missing calls to alarm(0).

o  ftpcmd.y did not have NULL checking in certain places.

o  Port corrections for BSD/OS including support for BSD authentication.
   This should work on FreeBSD as well, but I have not altered the FreeBSD
   configuration to make use of this.

o  ftpcount did not always work correctly due to permissions problems on
   the login database file that ftpd maintains.

o  Fixed problems in the "limit" processing that were introduced in
   beta-16.

o  Fixed some problems with output formatting for ftpwho.

o  Added s/key support on NetBSD.

o  Addressed the issue concerning what "cd ~" should do.  The alternate
   behavior can be obtained by defining ALTERNATE_CD in the root-level
   config.h file.

o  Fixed processing of the %U directive when the user is unknown.

o  RFC 931 calls would fail due to wu-ftpd failing to bind to the correct
   address on multi-homed hosts.

o  Fixed a problem where ftpd would exit with signal 11.

o  Fixed a problem with the handling of standard error messages from
   programs called during the file conversion process.

###########################################################################

Changes in 2.4.2-BETA-17-VR2: Released 3 June, 1998

o  Left a debugging statement in for syslogmsg in VR1 patches.

o  The fix for CD ~ broke the upload and noretrieve access-control
   statements and changed what was written to xferlog and the syslog.
   Well, actually, it didn't break the noretrieve statement, but the man
   page says '/' means the name is an 'absolute path specification' and I
   take that to mean relative to the _real_ filesystem, not the chroot'd
   one.  Discovered when set live on my main server; I really should'a
   tested with more than one guestgroup.

###########################################################################

Changes in 2.4.2-BETA-17-VR1: Released 3 June, 1998

o  Shutdown warnings were not given to normal (non-anonymous) users on
   login.

o  Added 'hostname' configuration statement.  Normally the server
   determines its host name from the system.  This allows the admin to set
   the name on machines with several names (multihomed) where the default
   name is not the desired name.  Manpage updated.  The new ftpaccess
   clause is:

       hostname <some.host.name>

o  Move Linux to use POSIX regex included with the system instead of the
   routines included with wu-ftpd.  This allows us to define path-filter
   statements which allow spaces in the pathnames.  For example:

       path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_.[:space:]]*$ ^\. ^-
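The path-filter line above, worked through with the system's POSIX regex routines. This is an added example, not code from wu-ftpd; it assumes the ftpaccess manual's reading of path-filter (first pattern is the allowed set, every later pattern is disallowed) and that only the last path component is filtered. The function names and sample names are made up for the illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Patterns copied from the path-filter line above: one allowed pattern,
   then any number of disallowed patterns. */
static const char *ALLOWED = "^[-A-Za-z0-9_.[:space:]]*$";
static const char *DISALLOWED[] = { "^\\.", "^-" };

/* 1 = pattern matches, 0 = no match, -1 = pattern failed to compile. */
static int re_match(const char *pattern, const char *s)
{
    regex_t rx;
    int rc;

    if (regcomp(&rx, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&rx, s, 0, NULL, 0);
    regfree(&rx);
    return rc == 0;
}

/* Returns 1 if the upload name passes the filter, 0 if it must be refused.
   Assumption: only the last path component is filtered. */
int path_filter_ok(const char *path)
{
    const char *slash = strrchr(path, '/');
    const char *name = slash ? slash + 1 : path;
    size_t i;

    /* Fail closed: no match or an uncompilable pattern both refuse. */
    if (re_match(ALLOWED, name) != 1)
        return 0;
    for (i = 0; i < sizeof DISALLOWED / sizeof DISALLOWED[0]; i++)
        if (re_match(DISALLOWED[i], name) != 0)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample names. */
    const char *samples[] = { "incoming/annual report.txt", ".rhosts",
                              "-rf", "a;b", "tab\there" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               path_filter_ok(samples[i]) ? "accept" : "refuse");
    return 0;
}
```

Note that [:space:] admits tabs and other whitespace as well as the space character, so "tab\there" is accepted; a literal space in the bracket expression is the tighter choice when only spaces are wanted.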

o  Somewhere along the way the upload statement was broken.  The fix adds
   a new parameter to upload so admins can determine the permissions for
   any new directories permitted.  New features are documented in
   ftpaccess manpage.

o  Add -X command-line option and syslog option to log statement in
   ftpaccess.  These options eliminate xferlog output and direct transfer
   logs to syslog instead.  The new ftpaccess clause is:

       log syslog

o  Prevent NOOP resetting idle timer.

o  The CD command supports ~<username> but gives errors when just ~ is
   found.  Note: there are still problems with other commands which may or
   may not accept tilde-user notation and may or may not understand a
   tilde by itself means the current user's home directory.  This only
   affects chroot'd users.

###########################################################################

Changes in 2.4.2-BETA-17: Released 10 May, 1998

o  Fix the hostacc.c introduced in beta-16. This fixes all the various
   alloc/free problems in the memory allocation and retains the dynamic
   feature introduced in beta-16.

o  Remove a declaration atol() in ftpcmd.y so that wu-ftpd will compile
   properly on systems that declare atol as a macro.

o  Move "initsetproctitle" from one location in the ftpd.c file to
   another.  This should fix the problems many people report on some
   operating systems concerning the use of command line arguments.

o  Make a cosmetic fix to change what setproctitle() puts in the line
   returned when you do a ps from "sendmail:" to "ftpd:". This was a
   mistake I made when I integrated the new sendmail 8.8.7 proctitle stuff
   into beta-16.

###########################################################################

Changes in 2.4.2-BETA-16: Released 21 December, 1997

o  The install shell script (when used on OpenServer 5) does not work
   correctly.  Also, man pages can be installed and used when either nroff
   or groff is available. Groff can be obtained for OpenServer 5 from the
   SCO web site. So, man pages will now be installed on SCO.

o  Fix some memory leaks.

o  off_t is a long long on AIX 4.2. I have attempted to compensate for
   this in ftpd.c, but I don't have an AIX system to test on, so it may
   not work. This affects places where wu-ftpd wants to print the size of
   files or the size of transfers.

o  There is a long standing problem in the code that does port checking.
   This bug makes it possible to exploit privileged ports on the host
   system or the client system (but not other systems).
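A sketch of the kind of check this entry concerns: validating a PORT argument before the server opens a data connection to it. This is an added example, not wu-ftpd's code. The policy is an assumption (refuse ports below 1024, flag an address that differs from the control connection's peer so the caller can log or refuse it), and the function names, verdict names and sample addresses are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum port_verdict {
    PORT_OK = 0,
    PORT_MALFORMED,     /* not exactly six decimal bytes */
    PORT_RESERVED,      /* port below 1024 */
    PORT_FOREIGN_ADDR   /* address is not the control connection's peer */
};

/* Parse "h1,h2,h3,h4,p1,p2": exactly six comma-separated values, 0..255.
   Returns 0 on success, -1 on any syntax error. */
static int parse_port_arg(const char *arg, uint32_t *addr, uint16_t *port)
{
    unsigned v[6];
    const char *p = arg;
    int i;

    for (i = 0; i < 6; i++) {
        unsigned n = 0;
        int digits = 0;

        while (*p >= '0' && *p <= '9') {
            n = n * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || n > 255)
                return -1;
            p++;
        }
        if (digits == 0)
            return -1;
        v[i] = n;
        if (i < 5) {
            if (*p != ',')
                return -1;
            p++;
        }
    }
    if (*p != '\0')          /* trailing junk, or a seventh value */
        return -1;
    *addr = IPV4(v[0], v[1], v[2], v[3]);
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* control_peer is the IPv4 address of the client on the control
   connection, in host byte order. */
enum port_verdict check_port_arg(const char *arg, uint32_t control_peer)
{
    uint32_t addr;
    uint16_t port;

    if (parse_port_arg(arg, &addr, &port) != 0)
        return PORT_MALFORMED;
    if (port < 1024)
        return PORT_RESERVED;
    if (addr != control_peer)
        return PORT_FOREIGN_ADDR;
    return PORT_OK;
}

int main(void)
{
    /* Constructed PORT arguments; the control peer is 192.0.2.10. */
    const char *samples[] = { "192,0,2,10,4,1", "192,0,2,10,0,25",
                              "192,0,2,10,4", "198,51,100,7,8,0" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("PORT %-18s -> verdict %d\n", samples[i],
               (int)check_port_arg(samples[i], IPV4(192, 0, 2, 10)));
    return 0;
}
```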

o  Fix a bug in the gzip2cmp utility.

o  Added a number of small fixes to make it easier to compile on AIX.

o  Prevent some systems from faulting when they encounter a null pointer
   in ftpcmd.y. Many systems already handle this, but some don't and this
   will ensure that those are covered as well.

o  Correct for differences between SecureWare on Digital Unix 3.2 and
   Digital Unix 4.0.

o  A number of porting issues for SVR4-derived systems and Solaris 2.
   These are mainly centered around support for utmp/wtmp entries.

o  There were spaces where there should be tabs in the Makefiles for OSF.

o  Add -D_NO_PROTO to CFLAGS in the AIX Makefiles.

o  The man pages should be installed mode 644 (not 755).

o  Fix a number of errors in the implementation of the reply routines,
   especially when vprintf is not available.

o  Add a NOTE that the compiler which comes with HP/UX won't work.

o  HP/UX now builds with VIRTUAL as the default.

o  The man page for the daemon should be installed as ftpd.1m instead of
   in.ftpd.1m for systems where section 1m is correct.

o  Reevaluate guestgroup after autogroup.

o  Dynamically allocate the ftphosts file in memory; removing the limit of
   100 hosts.

o  wu-ftpd can hang in "read" forever.

o  Fix conflicts between some subroutine names (getline and logwtmp) in
   wu-ftpd and functions in glibc2.

o  Fix a problem which can come up with strings which are not properly NUL
   terminated.

o  Add a comment in NOTES that for versions of Digital Unix without C2,
   you have to undef SECUREOSF in the config file for Digital Unix.

o  Porting correction for AIX; some minor code cleanups.

o  Correct building the support library under Solaris 2  to prevent ld
   from getting upset.

o  In ftpcount make sure the numbers listed are no lower than zero.

o  Correct S/KEY support for FreeBSD.

###########################################################################

Changes in 2.4.2-BETA-15: Released 12 September, 1997

o  Correct a problem in the "NLST" command that could cause a system to
   eat up all memory and get sluggish. This could be seen as a Denial of
   Service attack.  I have changed the software to detect this type of
   attack and not permit it.

o  The s/key challenge in wu-ftpd did not conform to RFC 1760.

o  Porting corrections for FreeBSD.

o  Porting corrections for BSD/OS.

o  Fix a problem with the new, expired password support in beta-14.

o  Fix virtual hosting for AIX 4.1.x.

o  Fix some problems in S/KEY support.  This is conditionalized since
   FreeBSD supports the old calling method.

o  Fixed a problem in ftpcmd.y concerning correctly recognizing the PASS
   command in a non-case sensitive manner.

o  Correct some configuration file problems when compiling for NetBSD.

o  Correct a typo in fnmatch.c.  Also made changes to fnmatch.c to
   accommodate the lack of certain flag definitions on systems that claim
   to be POSIX compliant. These flags are not used by the current wu-ftpd
   server code.

o  Correct the description of the command line -o option in the ftpd man
   page.

###########################################################################

Changes in 2.4.2-BETA-14: Released 14 August, 1997

o  When wu-ftpd is used on Unixware, readdir in glob.c would not work as
   expected since the version picked up during the link is the one from
   the ucb library, not the regular C library.  Changed the UnixWare
   Makefile to link the regular C library before the ucb library.

o  Port for IRIX 6.3 corrected.

o  Port for Unixware 2.1 corrected.

o  getspnam on Unixware 2.1 is not NIS aware, so the password read from
   the password file should not be overwritten should the call fail.

o  Removed the dependency on libc in the makefile for Linux.

o  Port for AIX corrected.

o  NetBSD/sparc uses an int64_t for stbuf.st_size. This means that
   %qu should be used for a sprintf selector instead of %lu.

o  Found a problem with Solaris 2.5.1 libraries when used in chrooted mode
   along with a dynamically linked "ls". Sun has assigned a bugid for this
   problem.  See the NOTES file for more on this.

o  Fixed another possible problem with ABOR verb processing with OOB data.

o  Using the /var/tmp directory for storing the pids is a bad idea.  All
   configurations have been changed not to do this. This was really only
   an issue on System V systems and older BSD systems.

o  There is a problem attempting to compile beta-13 with the Bellcore skey
   library. That's because it doesn't compile with that version. The
   version needed is the one from the logdaemon suite by Wietse Venema. I
   am updating the documentation to make this clear.

o  It's easy for folks to get confused setting up the anonymous login and
   use the /./ suffix on the home directory like that used for guestgroup.
   When done, it will make other functions (like upload) in the ftpaccess
   fail to work. Processing of the two should be the same.

o  Made a change to how the upload directive is parsed so that "no dirs"
   does allow directories to be created and "no some-other-string" does
   not.  Previously it didn't work this way.

o  A change made during the release of beta 12 changed how the upload
   option did filename matching to make it non-intuitive. This change has
   been reversed.

o  Made some fixes so that some of the 5XX responses associated with
   failed logins comply with RFC 959.

o  Correct some logic which would cause the server to send two responses
   to a client when passwd-check is used and the user failed to enter a
   "valid" password when logging in anonymously.

o  The "deny" keyword when followed with a domainname glob did not work.
   An IP address or address glob does work on SunOS 4.1.X machines. This
   turns out to be an issue only if you are not running yp or if yp is not
   able to access DNS.  To address this, I have added -lresolv to the
   SunOS 4.1 makefile.

o  Remove HAVE_REGEX_H from the NeXTStep 3.X configuration.

o  Add a NOTE about a way to setup the "chroot" directory for wu-ftpd on
   IRIX.

o  Correct a benign syntax problem in access.c. This might cause some
   compilers to generate a warning.

o  A number of places in the software are attempting to print out off_t
   values using printf selectors that can't handle the size.  Use casts to
   work around the problem for now, but the mess should be revamped.

o  Port for AU/X corrected.

o  Fix some logic errors in processing the ABOR verb.

o  Plug some memory leaks in the glob code.

o  The argv array should be zeroed out before loading it.  Also, ensure we
   don't spill off the end of the argv array when filling it.

o  Fixed a problem in realpath that is exposed when it is called with a
   rooted path. It could attempt to access an uninitialized location.

o  Corrected an error in the ftpaccess.5 man page concerning the
   path-filter example.

o  Made some cleanups in the ftpaccess file in the doc/examples directory.

o  Fixed a bug in some of the debugging code where syslog is called
   without a printf format string. This causes the daemon to crash on some
   operating environments.

o  Added a NOTE about the conflict between using Virtual FTP and
   TCPWrappers.

o  The passive subroutine might be vulnerable to attack because a user
   could attempt to start a passive connection without doing a login
   first.  This is now checked in the passive connection.

o  /usr/ucb/installbsd should be used for installation on OSF/1.

o  Port correction for C2 security with Digital Unix 4.X. These changes
   are made to the Digital Unix configuration. C2 is on by default.
   "./build dec" to get this.

o  Corrected problems when processing the %E macro.  It becomes evident
   when the %E macro is used twice in an extended message.  The entry
   information is not reset between calls. This can cause information to
   be printed twice.

o  FreeBSD supports dirent.h, and sys/dir.h is being phased out. A
   change to the FreeBSD configuration header file has been made to use
   dirent.h in this release.

o  newvers.sh was made more POSIX compliant without affecting its
   operation on non-POSIX systems.

o  The arguments for select() under HPUX may not have the same types as
   those found on other systems.

o  Corrected a problem when %U is used in a banner prior to the user
   performing a login.  Before beta 14, this could cause a segmentation
   violation. Now, it will cause %U to print "[unknown]" since login has
   not been done as yet.

o  Added a NOTE about Digital Unix and C2 security.

o  HAVE_STATVFS should be defined in the SGI IRIX configuration file.

o  Corrected a logic problem when the socket call fails when trying to
   open a data socket. The close() was being made anyway and this would
   generate a "bad file number" error since the socket never was opened.

o  SPT_TYPE should be SPT_NONE for SGI IRIX to ensure that the time stamps
   on things didn't get set to GMT.

o  The default umask should be 022 instead of 002.

o  ftpconversions and ftpgroup parsing was in a sad state.  Cleaned up.

o  Dealt with expired logins (when shadow passwords are used).

o  snprintf should be used now that there is a good one for those systems
   that don't have it in the support library and for those that do have
   snprintf, it should be used where controlling the length of things is
   important. To that end a number of changes have been made in ftpd.c to
   use snprintf more widely.

o  On some versions of SunOS 4.X, the size_t typedef is not pulled in with
   the include directives that are there. I have modified snprintf.c to
   include <stdlib.h> when an ANSI C compiler is used and <sys/types.h>
   when one is not used. Hopefully, that will catch a size_t definition.
   If not, let me know, but do be sure to include what OS release and what
   compiler you are using. Additionally, I had left "const" definitions in
   places where non-ANSI C compilers would encounter them. I have removed
   those.

o  Port for SunOS 4.1.x corrected.

o  Fixed an error in the ftpaccess file handling for the tar and compress
   keywords.  If any class was permitted to use them, then any class was.

o  Fixed some typos in the Makefiles: using .c where .o is correct.

o  \r\n is no longer passed to setproctitle since beta-13, so it does not
   need to attempt to strip.

o  ftpcmd.y has a one-off error in checking the length of a string.

o  Fixed popen.c to keep it from overflowing the argv buffer and from
   freeing space that was not allocated for that same argv buffer.

o  Fixed access.c and ftpcount.c to address a problem in a bug fix in
   beta-13 that kept access limits involving days other than Any from
   being enforced.

o  Fixed the xferstats script to allow it to work when the log involves
   timestamps from two years.

o  Port for IRIX corrected.

o  RMD and DELE should both check permissions before attempting to do
   anything.

o  getdatasock should return the errno to the caller that caused the
   socket call to fail (as opposed to anything else that happens in that
   routine).

o  FreeBSD uses <sys/mount.h> for file system information used by the %F
   macro.

o  Add a define (HAVE_GETRLIMIT) to the config.hpx for HP-UX 10.10.

o  Port for Linux corrected.

o  Fixed a bug in the SITE CHMOD command that would cause the server to
   send two replies in some cases. This could confuse some FTP clients
   (and is a violation of protocol anyway).  This should have been in
   beta-13, but I missed it somehow.

o  The dependencies on vers.c are not uniform in all makefiles and
   can cause problems with certain versions of make.  All makefiles for
   all operating systems supported in this distribution now have an
   explicit dependency that should cause newvers.sh to be run if yacc was
   successful in building ftpcmd.c from ftpcmd.y. It will also properly
   stop attempting to compile anything (other than ckconfig) until this
   problem is fixed by the user. This can usually be done by being sure
   yacc is installed and in the user's PATH.

o  Fixed a Y2K compliance problem in ftpcmd.y where the year would always
   be printed as 19XX.  wu-ftpd is as Y2K compliant as it can be with this
   fix.

o  I edited the INSTALL, README and NOTES documents in an attempt to make
   them clearer. I had a number of questions about "-a" and
   /etc/inetd.conf.  People evidently don't read the README file very
   closely, so now I have put this information in more places than just
   the NOTES file. Hopefully that will stop most of these types of
   questions.

###########################################################################

Changes in 2.4.2-BETA-13: Released 3 March, 1997

o  I noticed that setproctitle was not being called correctly in a couple
   of places in ftpd.c. There were not enough arguments.

o  Fixed some coding problems in access.c when determining host access
   information.

o  Added some bounds checking to ftpd when building the directory command to
   send to the operating system. These changes may not be portable to all
   platforms, since they use snprintf, but we'll give it a try.

o  Port for SCO Openserver 5 corrected.

o  ftpcount.c does not include stdlib.h, which will cause malloc to
   allocate too little space to hold st_size on FreeBSD.

o  The failsafe number of fds in popen.c should be bigger than
   sizeof(long).  I am setting it to 31. We'll see if that helps folks
   have fewer signal 10 or 11 errors that are unexplained.

o  FreeBSD already had the fnmatch function in its C library and didn't
   need the version in the support library.

o  Removed all references to LOG_TOOMANY, since it is no longer being
   actually implemented.

o  Enforce FreeBSD (when this software is built on FreeBSD) concerning the
   logging of numeric addresses when DNS name is larger than UT_HOSTSIZE
   field.

o  Removed \r\n from any string put in setproctitle.

o  Made some fixes to skey support.

o  Fixed some problems with the INSTALL file. There was a missing step and
   other problems.

o  sysconf should be used to get the number of fds. This has been added to
   popen.c and a change has been made to config.hpx to use that. I have
   also tried to add this to other configurations that are documented (or
   are known) to support sysconf.

o  There was an extra %s in one of the reply strings. This is now fixed.

o  Corrected a problem in the code I put into popen.c to attempt to
   address an overflow problem. Too much late night coding for me:-).

o  Corrected an inconsistency in the forward definition of realpath when a
   STDC compiler is used.

o  Corrected a problem with compiling wu-ftpd on OSF. This is due to a
   failure in the software to include the correct include file.

###########################################################################

Changes in 2.4.2-BETA-12: Released 19 January, 1997

o  The use of putchar in ftpd.c and ftpcmd.y might have side effects on
   argument lists when putchar is a macro.  The use of putchar has been
   changed to putc in these files for this release.

o  Made some changes to ftpcount.c to make it return more useful
   information when used with Solaris2 and AIX.

o  Added a mechanism to permit AIX hosts to make effective use of the
   virtual host feature in wu-ftpd.

o  FreeBSD configuration should not install the sample configuration files
   over previously existing ones.  This release does not install them at
   all.

o  Added additional protection for some operating systems over the
   protection already provided.

o  Made a fix to the virtual host code that permits guest groups to
   continue to work.

o  Made a significant security fix without which regular and anonymous
   users could access files as the root user.

o  Made a fix to permit bad autogroup entries in the ftpaccess file to be
   ignored.

o  The readme directive should really only apply to regular files.

o  Corrected a number of problems with upload.

o  Corrected an inconsistency between the documentation and how the server
   logs information. The server has been fixed to document guest users in
   the xferlog with a "g" and real users with a "r".

o  Corrected an inconsistent use of #if versus #ifdef in authenticate.c.

o  Fixed some bugs in the build program.

o  ftpd.c should use getopt.

o  Fixed a bug in how ftpcount reports classes that can have an unlimited
   number of users.

o  All filename checking should be case sensitive.

o  Fixed a bug in how the shutdown feature works. The bug is that new
   connections may continue to be accepted after shutdown is in effect.

o  Fixed a bug in how the ftw.h file in the support directory gets
   included when it shouldn't be for Unixware 2.1.

o  Made changes to ftpcmd.y to ensure that free() is only called when the
   arguments are non-null.

o  Ported to AU/X 3.0

o  Fixed it so that "anonymous" and "ftp" are made to be the same as far
   as the server is concerned.

o  Corrected a misspelling in the NOTES file.

o  Corrected a bug introduced in the academ betas with the T_ASCII flag in
   ftpconversions. Its meaning had become the reverse of what it used to be.

o  Fixed a problem in the old virtual code where an illegal strcpy was
   being done.

o  Fixed the basic problems introduced in beta-11 with the virtual host
   code. There have been no changes in how the configuration files are
   configured.

o  The ftpgroups and ftpconversions file checks in conversions.c and acl.c
   should be done using an fstat after an open succeeds.

o  There were places where files could or should be closed.

o  Corrected some macro inconsistencies in the manual pages.

o  Corrected some typos in the manual pages.

o  fnmatch.c did not have the right flags defined correctly.

o  Unixware 2.1 supports getrlimit.  So, this is now added to config.uxw
   in the src/config directory.

o  stderr output from ftpd when being started by inetd was problematical.
   These error messages now go to syslog.

o  AUSCERT brought to my attention a need to check to be sure the 100
   element argv array in the popen subroutine is not overflowed. This is
   now done.

o  Subsequent file requests couldn't be aborted correctly.

o  Prevented a possible overflow problem when processing the SITE CHMOD
   and SITE UMASK commands. The server did not check for overflow
   conditions.

o  STAT was using a 211 response when a 213 is probably better.

o  RFC 1127's suggestions are not being followed by this server.

o  Subsequent file upload requests couldn't be restarted correctly.

o  Having the debug mode log passwords is not good.

o  Corrected a typo on one of the URLs in the NOTES file.

o  When a null is sent to the server, it should ignore it but was treating
   it like EOF. Now it does ignore it.

o  Corrected errors in the ftpd.8 manual page.

o  Made some adjustments for making better use of available library
   routines in Unixware 2.1.

o  Solaris 2.X does support getrlimit.  Changed config.sol to make use of
   it.

o  Ported to Digital Unix 3.2 with C2 Security.

o  There were some instances in ftpcmd.y where values could be NULL. This
   would cause segmentation violations on many flavors of Unix.

o  Fixed a bug in processing "SITE CHMOD 0". The command didn't work and
   the server didn't give a reply.

o  Linux 2.0 (actually libc 5.3.12) changed the way that directory
   manipulation was done.  The problem was that glob.c would not compile
   on Linux 2.X systems.  Ensured that Linux 1.X users would still be able
   to use this on their systems.

###########################################################################

Changes in 2.4.2-BETA-11: Released 15 April, 1996

o  The manual pages for ftpaccess.5 and ftpd.8 have been modified. ftpd.8
   now documents the previously undocumented "-u umask" option.
   ftpaccess.5 now clarifies the fact that the root-dir specified in the
   upload configuration line MUST match the home directory in the
   operating system password database.

o  Fixes for the optional shadow password file support for Linux.

o  The configuration file for Solaris specified the MAXHOSTNAMELEN before
   it was possible to check to see if it was defined, and this caused
   spurious (and benign) error messages to be generated.

o  The file size in BSDI 1.1 is a long not a quad_t. This means that the
   conversion argument should not be qd for sprintf's involving this
   variable.

###########################################################################

Changes in 2.4.2-BETA-10: Released 15 March, 1996

o  Made some changes for AIX that I can't verify since I don't have AIX.

o  Added a number of small changes for FreeBSD.

o  Modified support for virtual domains.  Modified the
   VIRTUAL.FTP.SUPPPORT support file and the man pages to reflect this
   change.

o  Added back an idle timeout routine that appears to compile cleanly on
   all the systems I test on.

o  Fixed some configuration problems for Linux.

o  Fixed the output of "site help" command to return the email address
   listed in the "email" entry from the ftpaccess file (if available).

###########################################################################

Changes in 2.4.2-BETA-9: Released 23 January, 1996

o  Two changes to popen.c:  In the child process, the port attached to the
   ftp protocol port is now closed before exec();  In the child process,
   the effective user and group ids are set as the real user and group ids
   prior to exec().

o  The "nodirs" option of the upload directive in an ftpaccess file is now
   fixed and actually works.

o  Added endgrent() to access.c, private.c and extensions.c to ensure the
   /etc/group or ~ftp/etc/group file is closed after it is used. Fix
   suggested by CERT.

o  Moved openlog() in ftpd.c up closer to the beginning of the program.
   Fix suggested by CERT.

o  Fixed all the support makefiles to build vsnprintf in the support
   library since most systems do not have it. I have left it out of
   systems that I know do have the real library routine (all BSD 4.4-Lite
   based OSes have this).

###########################################################################

Changes in 2.4.2-BETA-8: Released 5 December, 1995

o  Overhauled reply, lreply and setproctitle to make use of varargs or
   stdargs as appropriate.

o  Added some FAQ references in the README file.

o  Added HAVE_GETRLIMIT and changed config files to support it where
   available in preference to HAVE_GETDTABLESIZE, which is now obsolete.

o  Added HAVE_SETPROCTITLE as a possible define to include the
   setproctitle() library routine from the system if it is available.

o  Added differentiator so that BSDI 1.X setproctitle() library routine is
   not used since it appears to be buggy.

o  Made a number of changes for BSD/OS.

o  Lowered optimization level from O3 to O2 for AIX.

o  Added some information in NOTES for adding shadow support under Linux.

o  Added some fixes for the use of sys_siglist.  HAS_SIGLIST must be
   defined for this to be used.

o  Added some fixes for CPP processing problems with Digital Unix.

###########################################################################

Changes in 2.4.2-BETA-7: Released 23 October, 1995

o  Support for Hitachi Unix variant added.

o  Changes in the configuration files for BSD/OS to accommodate a bug in
   the sprintf inherited from BSD 4.4 Lite. (Affects FreeBSD, NetBSD and
   BSD/OS.)

o  Addition of a cookie '%u' to extensions.c which will show the RFC931
   remote username when available. I somehow like it to have the remote
   user see we take the 'all actions are logged' line seriously.

o  Support for SCO added.

o  Corrected the diagnostics from the randomsig subroutine.

###########################################################################

Changes in 2.4.2-BETA-6: Released 15 October, 1995

   If you have an original copy of 2.4.2-BETA-6, the WU-FTPD Development
   Group would like a copy.

o  Added virtual ftp server support.

o  Added some AIX patches.

o  Added some notes concerning skey support in the NOTES file.

o  Config files for BSD 4.4-based OSes added.

o  Closing some file descriptors before exec in ftpd_popen (popen.c).

o  Missed changes to fnmatch in access.c.

o  Fixed ftpconversion problems when gzcating plain files.

###########################################################################

Changes in 2.4.2-BETA-5: Released 11 July, 1995

o  Fixed ftpcmd.y parser for bug that has been present since the release
   of the NET-2 ftp daemon. Multiple 500 lines are not returned when
   certain bad commands are presented to the server.

o  Changed build to make the tar file create a directory that is the
   current release name and unpack into that newly created directory
   relative to the current directory.

o  Keep wu-ftpd from hanging when trying to use ident to identify someone.

o  More fixes to the config.hpx file for HP-UX.

###########################################################################

Changes in 2.4.2-BETA-4: Released 29 June, 1995

o  Replaced a large part of the noretrieve subroutine in extensions.c.

o  Fixes for HPUX.

o  Fixed up the Makefiles for SunOS 4.1.X to make use of the dynamic load
   library correctly. This should probably be reworked to only use static
   linking, but that will be looked at another time.

o  Fixed some more bad NULL versus '\0' problems in ftpd.c and realpath.c
   in the src directory.

###########################################################################

Changes in 2.4.2-BETA-3: Released 18 June, 1995

   If you have an original copy of 2.4.2-BETA-3, the WU-FTPD Development
   Group would like a copy.

o  Created the NOTES file and revised the README and INSTALL documents.

o  Fixed some minor source code cast that the SunPro C compiler was
   complaining about. Files affected (all in the src directory) are:
   ftpcmd.y, realpath.c, private.c, logwtmp.c, ftpd.c, extensions.c

o  Revised the LINUX support to conform to LINUX 1.2.8 with gcc 2.6.3 from
   the Slackware distribution.

###########################################################################

Changes in 2.4.2-BETA-2: Released 18 June, 1995

   This version merged much of the functionality of 2.4-hobbit into Stan's
   baseline.

   If you have an original copy of 2.4.2-BETA-2, or 2.4-hobbit, the
   WU-FTPD Development Group would like a copy.

o  Removed the timeout patch from Dan Thorson that was in BETA-1. However,
   it will be back in a future beta.

o  Lifted from the Debian wu-ftpd-2.4-4 release with little or no change:
       doc/ftpaccess.5
       doc/ftpd.8
       config/config.lnx
       config/config.s41
       src/access.c
       src/acl.c
       src/ftpcount.c
       src/ftpshut.c
       src/hostacc.c
       src/logwtmp.c

o  build: added a kludge for enabling these changes, by spawning a shell.
   Added specific support for FreeBSD 2.0.  Also, copy the Makefiles and
   config.h instead of hardlinking them, so that edits don't trash the
   original copies!

o  support/authuser.c: limit sscanf() of identd strings.

o  support/makefiles/*: minor changes to a couple of system-specific
   Makefiles.

o  extensions.c: [Debian -- "noretrieve" ACL keyword handler, NULL fixups]

o  extensions.c: Fix losing null dereference in Debian checknoretrieve().

o  extensions.c: #ifdef PARANOID -- disallow file deletion completely.

o  ftpcmd.y: [Debian -- "bison" patch for linux just moved some decls
   around]

o  ftpcmd.y: check PORT command against a bunch of things: being logged
   in, the client's source address, and the actual port number 1024 or
   greater.

o  ftpcmd.y: require login before various other things work: PASV, RNTO

o  ftpcmd.y: #ifdef PARANOID -- disable, trap, and log all SITE commands.
   Comments withheld about the lineage of whoever cooked up *that* gem.

o  ftpd.c: [Debian -- support "noretrieve" ACL keyword; misc NULL fixups]

o  ftpd.c: preload assorted variables with reasonable values.  Globalize
   guestpw and authuser and update them so all routines can access them
   for correct logging.

o  ftpd.c: disallow "re-login".

o  ftpd.c: #ifdef ANON_ONLY -- only allow anonymous logins.  Designed for
   the ftpd you hang out on your external machine.

o  ftpd.c: various places -- if told not to use the "ftpaccess" file,
   genuinely don't use routines that deal with it at all.  [May save some
   of our butts when someone finds a bug in the extensions code!]

o  ftpd.c: #ifdef SKEY, added s/key functionality.  The challenge emerges
   where the "Password required for username" response is normally sent.

o  ftpd.c: add endspent() to the shadow code, per Marek M.

o  ftpd.c: Flag attempts to exploit the trojanized 2.2c version.

o  ftpd.c: #ifdef STUPID_SPRINTF -- break up big "sprintf" for xferlog
   into two pieces.  On some systems, sprintf is BROKEN.  If you're using
   xferlog and your ftpd crashes right after a transfer, you probably need
   this.

o  ftpd.c: #ifdef PARANOID, disable file overwriting, with either "put" or
   "rename".

o  ftpd.c: Fix an ACL bug in renamefrom().  Doing two renames in a row
   would bypass the setting in the ACL file.

o  ftpd.c: call realpath() to get current wd.

o  ftpd.c: close data ports upon exiting, and close old PASV port if told
   to open a new one.

o  newvers.sh: include tiny little advertisement.

o  makefiles/Makefile.lnx: Mostly Debian; add -static, remove -DDEBUG, put
   in the "bison fix".

o  makefiles/Makefile.fbs: Add for FreeBSD 2.0; slight mod of "bsd".

o  config/config.fbs: config.h for Freebsd 2.0.  Contains a hack to work
   around the fact that freebsd stdlib.h comes with a realpath() and the
   define in ftpd.c conflicts with it.

o  config/config.lnx: Debian version, with the same realpath() hack added.
   Linux has trouble with this too, but in unistd.h.  Put "realpath" back
   into SRCS and OBJS definitions.

o  pathnames.linux: From Debian.  Use this as a starting point for
   customizing pathnames.h on linux.  A remaining deficiency is that NONE
   of the sources even *try* to reference the /usr/include/paths.h that
   many systems now have.

o  Version bumped to 2.4.2; no reason given but we can safely presume the
   reason was the confusion in version names in Stan's earlier releases.
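
The three PORT checks listed in the ftpcmd.y entry above (logged in, data address equal to the client's source address, port 1024 or greater), written out as an added example. This is not wu-ftpd's own code: the function, enum and macro names are hypothetical, and the addresses are documentation-range values constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

enum port_verdict {
    PORT_OK = 0,
    PORT_NOT_LOGGED_IN,   /* PORT sent before login completed */
    PORT_SYNTAX,          /* not six decimal octets separated by commas */
    PORT_ADDR_MISMATCH,   /* data address differs from the control peer */
    PORT_RESERVED         /* data port below 1024 */
};

/* Build a host-order IPv4 address from four octets. */
#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
     ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Strictly parse "h1,h2,h3,h4,p1,p2": digits only, each field 0..255,
 * nothing before, between or after the fields. Returns 0 on success. */
static int parse_port_arg(const char *arg, uint32_t *addr, uint16_t *port)
{
    unsigned field[6];
    const char *p = arg;
    int i;

    for (i = 0; i < 6; i++) {
        unsigned value = 0;
        int digits = 0;

        while (*p >= '0' && *p <= '9') {
            value = value * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || value > 255)
                return -1;
            p++;
        }
        if (digits == 0)
            return -1;
        /* a comma follows the first five fields, end of string the last */
        if (*p != (i < 5 ? ',' : '\0'))
            return -1;
        if (i < 5)
            p++;
        field[i] = value;
    }
    *addr = IPV4(field[0], field[1], field[2], field[3]);
    *port = (uint16_t)((field[4] << 8) | field[5]);
    return 0;
}

/* peer_addr is the source address of the control connection, host order. */
static enum port_verdict check_port(int logged_in, uint32_t peer_addr,
                                    const char *arg)
{
    uint32_t addr;
    uint16_t port;

    if (!logged_in)
        return PORT_NOT_LOGGED_IN;
    if (parse_port_arg(arg, &addr, &port) != 0)
        return PORT_SYNTAX;
    if (addr != peer_addr)
        return PORT_ADDR_MISMATCH;
    if (port < 1024)
        return PORT_RESERVED;
    return PORT_OK;
}

int main(void)
{
    /* Constructed sample arguments; the control peer is 192.0.2.10. */
    static const char *samples[] = {
        "192,0,2,10,4,1",     /* port 1025 on the peer itself */
        "192,0,2,10,0,21",    /* port 21, reserved range */
        "198,51,100,7,4,1",   /* a different host */
        "192,0,2,10,4"        /* one field short */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("PORT %-18s -> verdict %d\n", samples[i],
               (int)check_port(1, IPV4(192, 0, 2, 10), samples[i]));
    return 0;
}
```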

###########################################################################

Changes in 2.4.1-BETA-1: Released 13 May, 1995

   AKA 2.4.1-BETA
   AKA 2.4.2-BETA-1

   This version was announced and released as wu-ftpd-2.4.1-beta-1.tar, but
   other emails, and internal notes in later versions, refer to this version
   under all three names interchangeably.

   If you have an original copy of 2.4.1-BETA-1, the WU-FTPD Development
   Group would like a copy.

o  Added changes for Solaris 2.4 compatibility. Changed the flag from
   SOLARIS21 to SOLARIS and made the changes generic for all releases of
   Solaris.

o  Added changes for UnixWare 4.2 compatibility. Added Makefiles and config.h
   header files.

o  Added ftruncate support routine for machines that don't have ftruncate, but
   do have chsize call.

o  Added a timeout patch created by Dan Thorson at Seagate to keep the server
   from creating a zombie process when a PASV client never actually connects.
   NOTE: This patch is commented out since I could not get it to work
   correctly and I hope someone will be able to fix this before we go to
   release.  There was also another timeout patch that may be more suitable.
   Comments are welcome.

o  Added patches to hostacc.c to ensure that memory dynamically allocated with
   malloc() is not free()d more than once. Patch from Jaakko Hyvatti.

o  Split the support/strcasestr.c into two files: strcasestr.c and strstr.c
   and altered the Makefiles to include the appropriate libraries in the
   support library.

o  Stan Barber took over stewardship of the daemon using 2.4-academ as the
   baseline for future development on 6 May, 1995.  This ended a 13-month
   period where there was no maintainer at all!

###########################################################################

Changes in 2.4-academ: Released 5 July, 1994

   AKA 2.4.1-academ

   It is unknown whether Stan ever publicly released this version under
   the 2.4.1-academ name.  Emails, and internal notes in later versions,
   refer to this version under both names interchangeably.

   If you have an original copy of 2.4.1-academ, the WU-FTPD Development
   Group would like a copy.

   The WU-FTPD Development Group gratefully acknowledges the contribution
   of 2.4-academ by Jochen Bern.  While not completely un-altered, his
   archival copy was clean enough to re-create 2.4-academ.

o  Ported to BSDi.

o  Changed the fnmatch.c program in the support directory to return values
   that corresponded with the manual page. This was not necessary to
   support BSDi since it has its own fnmatch, but this makes it possible
   for other platforms to make use of these changes transparently.

o  Changed the access.c program to do a case-insensitive search on the
   hostname without using fnmatch. This option is not supported by the
   bsdi or bsd-net2 fnmatch subroutine.

o  Changed all uses of fnmatch in the src directory to use the correct
   return values.

o  Added pathnames appropriate to bsdi to the pathnames.h file in the src
   directory. These are bracketed by appropriate #ifdef/#endif blocks.

o  Changed the root level makefile to copy files when installing them
   instead of moving them.

o  Created a set of root level makefiles for each supported platform. This
   will allow the ftpd to be installed exactly over the OS-based makefile
   if used generically.

###########################################################################

Changes in 2.4: Rereleased on 6 January, 1997

o  Documentation update to point to the new address for the list server at
   Washington University at Saint Louis.

o  Corrected documentation error: this is version 2.4 not 2.2

o  Prevent reception of SIGURG from resulting in a resumption back to the
   main program loop.

###########################################################################

Changes in 2.4: Rereleased on 13 November, 1995

o  Documentation update to point toward Stan Barber as the maintainer of
   WU-FTPD.

###########################################################################

Changes in 2.4: Released on 13 April, 1994

o  This marks the end of Bryan D O'Connor's tenure as principal developer.
   With his graduation, grants funding development were not renewed.

o  Removed some race conditions.

o  Fixed a spelling mistake.

o  Now uses sys/syslog.h on Ultrix systems.

###########################################################################

Changes in 2.3: Released on 4 April, 1994

o  Bump the version number to avoid confusion with the Trojan version.

###########################################################################

Changes in 2.2: Released on 1 April, 1994

o  Fixed a bug in path processing of SITE EXEC commands.

o  Rewrote parts of private.c parsing routine, fixing problems with
   overloading the definition of gid_t.

o  Added support for class lists in separate file.

o  Changed a couple of occurrences of stat() to lstat() in delete() and
   renamefrom().

o  Changed #ifdef LOG_LOCAL7 to #ifdef FACILITY in ftpd.c

###########################################################################

Changes in 2.1f: Released 25 March, 1994

o  Fixed NeXT config problem with NGROUPS_MAX.

o  Fixed multiple response bug with ftp|anonymous in /etc/ftpusers file.

o  Fixed BUS ERROR on upload on Sun 4.1.x systems.

###########################################################################

Changes in 2.1e: Released 24 March, 1994

o  Fixed class determination code from failing after failed attempt.

o  Moved ACCESS DENIED syslog messages to LOG_NOTICE from LOG_INFO.

o  Fixed problems with NFS and server running as root.

o  Fixed problems with APPEND/OVERWRITE.

o  Patched SCO files to work with 3.2.4.

o  Fixed problems with uid/gid's.

o  Changed upload examples in ftpaccess.5 to be correct.

o  Allow for escaped #s in the ftpaccess file.

o  hostacc.c patches.

o  ftpshut.c: fixed file open problem when shutdown not defined.

o  Added acl_remove() to fix problems with dangling PIDs in PID files.

o  Fixed bug with real users > limit hanging clients.

###########################################################################

Changes in 2.1d: Release date lost in the mists of time.

   If you have an original copy of 2.1d, the WU-FTPD Development Group
   would like a copy.

o  The changes for 2.1d were lost.

###########################################################################

Changes in 2.1c: Released on 25 August, 1993

o  Fixed stupid bug with non-initialized pointers in *_check() functions.

###########################################################################

Changes in 2.1b: Released on 16 July, 1993

o  Append now works again.  A previous fix to solve files not getting
   truncated properly had broken it.

o  Double conversions were not working properly for some conversions.

o  Minor HP-UX portability problems corrected.

o  Minor Host Access case sensitivity bug fixed.

o  syslog after chroot fixed for SunOS by addition of TCP version of
   syslog functions.  (It is syslog.c in the support directory.)

o  Data General support added.

o  ISC support added.

o  Added "rename <type> <yes|no>" option to prevent renaming files.

o  Fixed unsigned int comparisons to -1.

o  Added ckconfig program for checking proper locations of config files.

o  Changed syntax of "upload" command to include which ftp hierarchy it
   pertains to.

o  Fixed some documentation errors.

###########################################################################

Changes in 2.1a: Released on 27 May, 1993

o  Tabs were put back into the Makefiles for AIX.

o  acl_join() did not open the pid file if pidfd was invalid.

o  acl_join() did not unlock the pid file if user was already in there.

###########################################################################

Changes in 2.1: Released on 12 May, 1993

o  Replaced xferstats.

o  Default was to not allow uploads ever.  This is backwards; if no upload
   keywords are given, it should act like a normal server.

o  Double conversion stuff works now, but you know that already.  Included
   is a gzip2comp (in util) for converting from gzip format to compress.

o  cwd_beenhere() now calls realpath(".", cwd) to figure out the path.
   This works for people in directories that are private.  That is,
   some component of their path is not readable by them.  (cwdir() fails
   in such a case.)

o  In an upload command, trying to set a file mode of 0000 would fail.
   This is now possible.

o  makedir() did not work properly for real users.  This has also been
   fixed.

o  Fixed up support for NeXT and other systems.  I cannot test these
   things, so there are bound to be problems.

o  In getgrent.c, removed the need for getgrent.c from the support
   library.  This caused problems with systems running yellow pages (NIS).
   All gids in the private file are now parsed before the chroot().  This
   gives us one less open file descriptor.

o  For upload/truncate, STORE was not properly truncating files when
   overwriting them.

o  Upload failing with directories in makedir/put commands: STORE and
   MAKEDIR were failing when giving full path names.

o  Multiple process ids were written into the pid-files when a failed
   login attempt was made.  This caused problems with usage counts.

o  Added the %E magic cookie which gets replaced with the "email" string
   from the ftpaccess file.

o  For the %F magic cookie: added trivial support for Solaris 2.1 (at
   least).  If you fix this for your system, send me a patch.

o  The %N magic cookie did not work after the chroot().  The pid file has
   to remain open for the duration of the server's life now in order for
   this to work.

o  In support/paths.h, removed the need for this file.  It caused more
   problems than it was worth.  The two #defines that were used were moved
   to src/pathnames.h

o  upload * no dirs: you can now specify a directory that does not allow
   uploads but does allow the creation of directories.

o  You can now get a listing of what aliases are available.  At the ftp
   prompt type "quote site alias".

o  You can now specify a cdpath (like the csh variable).

o  You can specify an email address for the maintainer of the archive.
   This string will be used for the %E magic cookie.

###########################################################################

Changes in 2.0: Rereleased on 12 April, 1993

o  Changed support/ftp.h to use the BSD copyright and remove the DEC
   copyright.  DEC's version was just a copy of BSD's.

###########################################################################

Changes in 2.0: Released on 8 April, 1993

o  guestgroup access no longer needs an entry in the secondary passwd file
   (~ftp/etc/passwd).  The home directory is now specified as
   "root/./home".  For example:

   ftptest:<encrypted>:100:200:Guest User:/var/ftp/./incoming:/etc/noshell

   When ftptest logs in, it will chroot to /var/ftp and then chdir to
   /incoming (which is actually /var/ftp/incoming before the chroot).

   Since the directory in /etc/passwd actually points to the guest's home
   directory, they can use .forward files, etc.

o  ftpshut program generates shutdown file for ftp server.  Works
   similarly to shutdown(8).  See ftpshut(8).

o  The conversion table has been moved to a separate file.  The fields
   are:

          %s:%s:%s:%s:%s:%s:%s:%s

          Field    Description
           1       strip prefix
           2       strip postfix
           3       addon prefix
           4       addon postfix
           5       external command
           6       types
           7       options
           8       description

o  Added the following abilities configurable in the ftpaccess file.  See
   ftpaccess(5).

       chmod            <yes|no>  <typelist>
       delete           <yes|no>  <typelist>
       overwrite        <yes|no>  <typelist>
       umask            <yes|no>  <typelist>

       upload           <dir>     <yes|no>  <owner>  <group>  <mode>

       passwd_check     <none|trivial|rfc822>  {<warn|enforce>}

       alias            <name>    <dir>

       path_filter      <typelist>  <msg>  <charset>  {<disallowed> ...}

o  ftpcount no longer displays multiple listings for classes that have
   multiple "class ..." lines.

o  Bryan D O'Connor took over as the principal developer for Release 2.
   This ended a 19-month period where no updates were released.  At this
   time the name was also shortened from wuarchive-ftpd to wu-ftpd.

   Bryan used BSD ftpd version 5.60 as his base, merging the changes from
   the earlier BSD ftpd Chris used.  BSD ftpd version 5.60 was the version
   included in the "Final BSD Release".  UUnet Technologies maintains a
   full copy of the final BSD release at ftp.uu.net.
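
The two colon-separated formats described in the 2.0 entries above, the guest passwd entry with its "root/./home" directory and the eight-field conversion table line, parsed in one added example. This is not wu-ftpd's own code: all function and struct names are hypothetical, the conversion line is a constructed sample, and splitting at the first "/./" and rejecting an empty root are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define PASSWD_FIELDS 7
#define CONV_FIELDS   8

/* Split `line` in place on ':' and keep empty fields; strtok() would merge
 * adjacent colons and shift every later column. Returns the field count,
 * or -1 when the line has more than `max` fields. */
static int split_colon(char *line, char *fields[], int max)
{
    char *p = line;
    int n = 0;

    line[strcspn(line, "\r\n")] = '\0';
    for (;;) {
        char *colon;

        if (n == max)
            return -1;
        fields[n++] = p;
        colon = strchr(p, ':');
        if (colon == NULL)
            return n;
        *colon = '\0';
        p = colon + 1;
    }
}

struct guest_dirs {
    char root[256];   /* directory to chroot() into */
    char cwd[256];    /* directory to chdir() to once inside the chroot */
};

/* Take the home field (6th) of a passwd entry and split it at the first
 * "/./". Returns -1 for a malformed entry, a home without the marker, or
 * an empty root, so the caller never chroots to "/" by accident. */
static int guest_dirs_from_passwd(const char *entry, struct guest_dirs *out)
{
    char buf[512];
    char *f[PASSWD_FIELDS];
    const char *home, *mark;
    size_t len = strlen(entry), rootlen;

    if (len >= sizeof buf)
        return -1;
    memcpy(buf, entry, len + 1);
    if (split_colon(buf, f, PASSWD_FIELDS) != PASSWD_FIELDS)
        return -1;
    home = f[5];
    mark = strstr(home, "/./");
    if (home[0] != '/' || mark == NULL || mark == home)
        return -1;
    rootlen = (size_t)(mark - home);
    if (rootlen >= sizeof out->root || strlen(mark + 2) >= sizeof out->cwd)
        return -1;
    memcpy(out->root, home, rootlen);
    out->root[rootlen] = '\0';
    memcpy(out->cwd, mark + 2, strlen(mark + 2) + 1);
    return 0;
}

/* The eight conversion fields in file order; pointers refer into `line`. */
struct conversion {
    const char *strip_prefix, *strip_postfix, *addon_prefix, *addon_postfix;
    const char *command, *types, *options, *description;
};

static int parse_conversion(char *line, struct conversion *c)
{
    char *f[CONV_FIELDS];

    if (split_colon(line, f, CONV_FIELDS) != CONV_FIELDS)
        return -1;
    c->strip_prefix = f[0];  c->strip_postfix = f[1];
    c->addon_prefix = f[2];  c->addon_postfix = f[3];
    c->command = f[4];       c->types = f[5];
    c->options = f[6];       c->description = f[7];
    return 0;
}

int main(void)
{
    /* The passwd entry is the one quoted above; the conversion line is
     * constructed, and flag names other than T_ASCII are assumptions. */
    const char *pw = "ftptest:<encrypted>:100:200:Guest User:"
                     "/var/ftp/./incoming:/etc/noshell";
    char conv[] = ":.Z:::/bin/compress -d -c %s:T_REG|T_ASCII:"
                  "O_UNCOMPRESS:UNCOMPRESS";
    struct guest_dirs g;
    struct conversion c;

    if (guest_dirs_from_passwd(pw, &g) == 0)
        printf("chroot(\"%s\") then chdir(\"%s\")\n", g.root, g.cwd);
    if (parse_conversion(conv, &c) == 0)
        printf("strip \"%s\" using [%s] for %s\n",
               c.strip_postfix, c.command, c.description);
    return 0;
}
```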

###########################################################################

Changes in 1.1: Released 23 September, 1991

   This was an interim release of wuarchive's modified FTP server.  It is
   believed to be the first public release of the daemon.

   There are indications of attempts to track BSD versions, through BSD
   6.14, but internal information in the releases leads me to believe these
   were local to the FTP site we found them at, and not official releases
   from Chris Myers.

o  The changes for 1.1 were lost.  Most likely they were to merge the
   changes from the BSD version he first used (probably 5.59) and 5.60,
   or they were minor bug fixes which Chris felt no need to discuss since
   1.0 had not been publicly released.

###########################################################################

Changes in 1.0: Believed not to have been publicly released.

   This is believed to have not been publicly released, but was the
   original version used to implement wuarchive.wustl.edu; the success of
   this version appears to have prompted the public release of version
   1.1 after some minor corrections.

   If you have an original copy of 1.0, the WU-FTPD Development Group
   would like a copy.  Probable release dates are between 3 December,
   1990, and 23 September, 1991.

o  Some older clients cannot handle multi-line replies.  These can be
   disabled on a per-connection basis by using a dash (-) as the first
   character of the user's password.

o  Added ftpaccess control file.  The following commands are available:

       limit   <class> <n> <times> <message_file>
       class   <class> <typelist> <addrglob>{ <addrglob>}{ <addrglob>}{ <addrglob>}
       deny    <addrglob> <message_file>
       loginfails <number>
       log     transfers <typelist> <directions>
       log     commands <typelist>
       readme  <path> {<when>}
       message <path> {<when>}
       banner <path>
       private <path>
       guestgroup  <groupname> [<groupname> ...]
       autogroup <groupname> <class> [<class> ...]
       compress <yes|no> <classglob> [<classglob> ...]
       tar <yes|no> <classglob> [<classglob> ...]
       shutdown <path>

   Refer to the CHANGES file in the release for a full description of
   these new features.

o  Added the following command-line options:

       -a   Enable use of ftpaccess file (access file MUST exist if used)
       -A   Disable use of ftpaccess file
       -L   Turn on command logging (See note. Overridden by ftpaccess, if used)
       -i   Turn on file reception logging (overridden by ftpaccess, if used)
       -o   Turn on file transmission logging (overridden by ftpaccess, if used)

   NOTE: If the -L flag is used, command logging will be on by default as
   soon as the ftp server is invoked.  This will cause the server to log
   all USER commands, which if a user accidentally enters a password for
   that command instead of the username, will cause passwords to be logged
   via syslog.

   The -L flag is overridden by the ftpaccess file, if it is used --
   command logging options in the ftpaccess file take effect IMMEDIATELY
   upon entry of the USER command (before logging takes place).

o  There are some extensions to the FTP server: when the filename the
   user specifies (in a RETRIEVE command) differs from the true filename
   as shown below, the server takes the listed action:

       True Filename      Specified Filename   Action
       ------------------ -------------------- ---------------------------------------
       <filename>.Z       <filename>           Decompress file before transmitting
       <filename>         <filename>.Z         Compress <filename> before transmitting
       <filename>         <filename>.tar       Tar <filename> before transmitting
       <filename>         <filename>.tar.Z     Tar and compress <filename> before transmitting

o  The FTP server will attempt to check for valid e-mail addresses and
   chide the user if he doesn't pass the test.  For users whose FTP client
   will hang on "long replies" (i.e. multiline responses), using a dash as
   the first character of the password will disable the server's lreply()
   function.

o  The FTP server can also log all file transmission and reception,
   keeping the following information for each file transmission that takes
   place.

       Mon Dec  3 18:52:41 1990 1 wuarchive.wustl.edu 568881 /files.lst.Z a _ o a [email protected] ftp 0 *

       %.24s %d %s %d %s %c %s %c %c %s %s %d %s
         1   2  3  4  5  6  7  8  9  10 11 12 13

       1 current time in the form DDD MMM dd hh:mm:ss YYYY
       2 transfer time in seconds
       3 remote host name
       4 file size in bytes
       5 name of file
       6 transfer type (a>scii, b>inary)
       7 special action flags (concatenated as needed):
           C   file was compressed
           U   file was uncompressed
           T   file was tar'ed
           _   no action taken
       8 file was sent to user (o>utgoing) or received from user (i>ncoming)
       9 accessed anonymously (r>eal, a>nonymous) -- mostly for FTP
       10 local username or, if guest, ID string given (anonymous FTP password)
       11 service name ('ftp', other)
       12 authentication method (bitmask)
           0   none
           1   RFC931 Authentication
       13 authenticated user id (if available, '*' otherwise)
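
   A parser for the transfer log record described above, as an added
   example that is not part of the WU-FTPD sources; the names Transfer,
   parse_transfer and anonymous_uploads and the sample records are
   assumptions made here.  It peels fields 6-13 off the right so that a
   file name containing spaces survives, and it rejects records whose
   fixed-value fields are out of range.

```python
from datetime import datetime
from typing import NamedTuple

class Transfer(NamedTuple):
    when: datetime      # field 1
    seconds: int        # field 2
    host: str           # field 3
    size: int           # field 4
    filename: str       # field 5
    ttype: str          # field 6: a or b
    actions: str        # field 7: any of C, U, T, or _
    direction: str      # field 8: o or i
    access: str         # field 9: r or a
    user: str           # field 10
    service: str        # field 11
    auth_method: int    # field 12
    auth_user: str      # field 13

def parse_transfer(line):
    """Parse one record; raise ValueError if it does not fit the format."""
    line = line.strip()
    # Field 1 is printed with %.24s, so it is always the first 24 characters.
    when = datetime.strptime(line[:24], "%a %b %d %H:%M:%S %Y")
    head = line[24:].split(None, 3)     # fields 2-4, then the remainder
    if len(head) != 4:
        raise ValueError("truncated record")
    # Fields 6-13 hold no spaces in a well-formed record, so take them from
    # the right; what is left is the file name, embedded spaces included.
    tail = head[3].rsplit(None, 8)
    if len(tail) != 9:
        raise ValueError("truncated record")
    name, ttype, actions, direction, access, user, service, method, auth_user = tail
    if (ttype not in ("a", "b") or direction not in ("o", "i")
            or access not in ("r", "a") or not set(actions) <= set("CUT_")):
        raise ValueError("field out of range; the ID string may contain spaces")
    return Transfer(when, int(head[0]), head[1], int(head[2]), name, ttype,
                    actions, direction, access, user, service, int(method), auth_user)

def anonymous_uploads(lines):
    """Return the records for files received (i) in anonymous (a) sessions."""
    return [r for r in map(parse_transfer, lines) if r.direction == "i" and r.access == "a"]

# Constructed sample records; the ID strings and the last two hosts are made up.
SAMPLE = [
    "Mon Dec  3 18:52:41 1990 1 wuarchive.wustl.edu 568881 /files.lst.Z a _ o a user@example.org ftp 0 *",
    "Tue Dec  4 02:10:07 1990 12 host.example.net 40960 /incoming/new file.tar b _ i a guest@example.net ftp 0 *",
    "Tue Dec  4 09:30:00 1990 3 lab.example.edu 1024 /home/u/notes.txt a _ i r alice ftp 1 alice",
]
```

   A record whose anonymous ID string itself contains a space cannot be
   split unambiguously; the range check on fields 6, 8 and 9 turns that
   case into a ValueError instead of a silently shifted record.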

o  Chris Myers was the original author of wuarchive-ftpd.  He based his
   work upon the University of California, Berkeley, (BSD) ftpd, most
   likely version 5.59.

   The WU-FTPD Development Group has BSD ftpd versions 5.51 and 5.60 (both
   found at the UUnet FTP site).  An analysis of these versions shows
   Chris Myers used a version somewhere between them; most likely 5.59.
   If you have an original copy of BSD ftpd between these versions, dated
   between 8 May, 1989, and 12 April, 1991, we would like to examine a
   copy.

###########################################################################

In the beginning there was the void.
And BSD said ...