Date: Wed, 3 Jun 1998 23:55:19 -0400 (EDT)
From: Gregory A Lundberg <[email protected]>
To: WU-FTPD Discussion List <[email protected]>
Subject: Fixes for VR1 patches
Found some problems with my earlier patches. The first is something
that's been niggling at me for a while; just didn't realize what was wrong
until _after_ I'd posted. The second is just plain dumb, sorry.
For people's convenience, I've put both sets of patches in my ftp site:
ftp://ftp.vr.net/pub/wu-ftpd-2.4.2-beta-17-vr1.patch
and
ftp://ftp.vr.net/pub/wu-ftpd-2.4.2-beta-17-vr2.patch
Anyone who's applied either of the CD patches posted to the mailing list
last year will definitely want to take a look at my vr2 set.
I'm planning on doing a vr3 in a week or so, the items I've identified so
far (from digging backward in the mailing list archives, or my own
testing) include:
- Limit the number of concurrent logins for a given user. From a
posting. How draconian, but I guess it's a good idea.
- Limit the range of passive ports so firewalls are easier to manage.
From a posting. Actually, I'm gonna think on this one; sounds like
a good idea, though.
- Allow _both_ syslog and xferlog, specify the syslog LOG_FACILITY.
Personal wish .. the more places you log the more work a hacker has
to go through to wipe his footsteps.
- Specify the location of xferlog and pid file(s). From a posted
request. The response, "Hack the source" was lame, and it's a good
idea.
- Someone said something about not being able to 'deny all' then
specifically allow certain users or hosts in /etc/ftphosts, if
this is true I'll see if I can fix it. Don't recall seeing a patch
or even a response to his request/observation.
There are two classes of patches I won't make from the mailing list
archives: ratios and quotas. Quotas are better handled outside the daemon
by the file system. Upload/download ratios are a BBS thing and this is
the 'net. I pay for my access; don't tell me I gotta waste bandwidth
uploading to you so I can download one of your files or I'll just send you
a couple gigs from /dev/random and see if you have quotas set too .. maybe
I'll even get lucky and you'll be running your entire box on a single file
system .. muhahaha!!!
People have asked so I'll tell you my policy: right now I'm taking patches
from the mailing list archives, going back through the mailing list
archives for ideas/problems, and trying to roll them all into a single set
of patches. If you send patches directly to me they may get lost anywhere
between my inbox and my keyboard; if you like your patch, share it, I'll
find it in the archives. I will, of course, pay attention to problems
with my patches.
What Stan does with these patches is up to him; they may, or may not, make
it into the next BETA. Don't ask me what his plans are. If my patches
don't make it into the next BETA, I'll just roll them forward against
whatever Stan releases.
Anyway, here's the FIXES file for vr2:
----
This is a list of fixes to BETA 17 from [email protected]
These fixes require VR1 fixes to have been installed.
---------------------------------------------------------------------------
The fix for CD ~ broke the upload and noretrieve access-control statements
and changed what was written to xferlog and the syslog. Well, actually, it
didn't break the noretrieve statement, but the man page says '/' means the
name is an 'absolute path specification' and I take that to mean relative
to the _real_ filesystem, not the chroot'd one. Discovered when set live
on my main server; I really should'a tested with more than one guestgroup.
Drat. Left a debugging statement in for syslogmsg in VR1 patches.
----
Gregory A Lundberg Senior Partner, VRnet Company
1441 Elmdale Drive
[email protected]
Kettering, OH 45409-1615 USA 1-800-809-2195
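As an added illustration of the distinction the FIXES note draws (this is not code from the message or from wu-ftpd): a client-supplied path is mapped both to its jail-relative form and to its real-filesystem path, and a noretrieve entry beginning with '/' is matched against the real path, while other entries match by filename. The function names and the sample ftpaccess entries are constructed for the example.

```python
import posixpath

def client_to_real(chroot, cwd, arg):
    """Map a client path to (path as seen inside the jail, real filesystem path).
    chroot: real directory the guest session is confined to ('/' for non-guests)
    cwd:    current directory as the client sees it, absolute inside the jail
    arg:    path argument from the client, absolute (inside the jail) or relative
    """
    inside = posixpath.normpath(posixpath.join(cwd, arg))
    # normpath on an absolute path drops '..' components that would climb above '/'
    real = posixpath.normpath(chroot.rstrip("/") + inside)
    return inside, real

def noretrieve_match(entries, real_path):
    """Return the noretrieve entry that forbids real_path, or None.
    Entries starting with '/' are absolute paths on the real filesystem (the
    reading given in the FIXES note); any other entry matches by filename."""
    for entry in entries:
        if entry.startswith("/"):
            entry_n = posixpath.normpath(entry)
            if real_path == entry_n or real_path.startswith(entry_n.rstrip("/") + "/"):
                return entry
        elif posixpath.basename(real_path) == entry:
            return entry
    return None

# Constructed sample ftpaccess lines:  noretrieve /etc/passwd   noretrieve core
NORETRIEVE = ["/etc/passwd", "core"]

def check_retrieve(chroot, cwd, arg, entries=NORETRIEVE):
    """Evaluate one RETR request under both readings of an absolute entry."""
    inside, real = client_to_real(chroot, cwd, arg)
    return {"inside": inside, "real": real,
            "blocked_by_real_path": noretrieve_match(entries, real),
            "blocked_by_jail_path": noretrieve_match(entries, inside)}

if __name__ == "__main__":
    # Guest jailed in /home/ftp tries to climb out: the real file is
    # /home/ftp/etc/passwd, which the absolute entry does not name.
    print(check_retrieve("/home/ftp", "/pub", "../../etc/passwd"))
    # A non-chroot user asking for /etc/passwd is denied under either reading.
    print(check_retrieve("/", "/home/alice", "/etc/passwd"))
    # Filename entries are independent of the jail.
    print(check_retrieve("/home/ftp", "/pub/incoming", "core"))
```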