Date: Wed, 26 Aug 1998 11:29:22 -0400 (EDT)
From: Gregory A Lundberg <[email protected]>
To: WU-FTPD Discussion List <[email protected]>
Subject: [VR6] More current fixes and extensions for BETA-18

I had originally planned to hold this until the 30th. Looking at the
calendar, I see I'll be on holiday that weekend, so I'm pushing this out
early.

These are available as both patches and pre-patched tarballs at my ftp
site:

ftp://ftp.vr.net/pub/wu-ftpd/

If you take just the patch files, please remember: they are cumulative.
You cannot apply fixes from one set without earlier sets already having
been applied. The first set for BETA-18 is VR3; VR1 and two were for
BETA-17 only.

The ftp site also contains source release kits for compress, gzip tar and
ls (in the GNU fileutils) to assist you in building your ftp site.

This is a list of fixes to BETA 18 with VR5 applied from [email protected]
---------------------------------------------------------------------------

Add '-VR6' to version string in newsvers.sh. This will be updated with
all future patches.

The patch for standalone daemon (in VR4) missed including a header.
Discovered in testing.

The FIXES file for VR4 had a typo; the option is -s and -S (the -D was how
the original patch worked, it was changed to avoid -d, debug mode). The
ftpd man page is unclear on the use of -s and -S. Discovered in testing.

Some systems, notably Solaris, have problems with the code the standalone
daemon mode used to attempt to detach from the terminal session. This was
in the original patch. Upon thinking about the problem, I see no reason
to keep the code around. If you need this feature, use 'nohup' to run
the daemon. Discovered in testing.

Thanks to [email protected] for his assistance in debugging the
above fixes on Solaris (2.5.1 fully-patched on an E3000). Both his
patience and his diligence are greatly appreciated.

Change the defaults to deny upload, and other site-modification things,
for anonymous users. From a suggestion on the mailing list on August 20,
1998, from [email protected]. Well lookidat, fixed a silly bug in the
"rename" clause while I was there.

Somehow I missed a spot where "*" should be matched for the <root-dir> in
an upload clause. Spotted while code-reading for the next patch.

Add 'anonymous-root' to select chroot directory based on class of
anonymous user. From a proposal on the mailing list by
[email protected] on Sep 9, 1997. Also, added 'guest-root' to
select directory based upon guest UID. Man pages updated.

Disallow UIDs and GIDs by numeric range. From the Apache Group's suEXEC
module. This can obviate the need for /etc/ftpusers.

Add ability to force all UID/GID in a range to be treated as guests. From
a patch submitted to the mailing list by [email protected] on Nov 7,
1996. The original patch used compiled-in limits. Added ftpaccess clause
to allow configuration. Updated man page. The original patch included a
hard requirement to chroot to the user's home directory; use guest-root
instead. This closes Stan's TODO item 16.

Fix a bug with realpath. If chroot'd to '/' the xferlog shows '//' at the
start of the filename. Noted in testing. Thought I fixed this already
but missed a condition.

The upload clause should use realpath on the home directory to be sure it
matches. Otherwise, real users with /./ in their path will need their
upload clause to lexically match the home directory entry in /etc/passwd.
Noted in testing. This was not a big issue until I added realuser.

The daemon responds differently in some cases when it's denying access.
This could be used by attackers to determine the validity of some user
names on the target system. Noted on the mailing list by
[email protected] on May 30, 1997. NOTE: the 331 response for some
systems, notably BSD S/Key or other challenge/response systems, may differ
from the 331 response given. I don't have access to those systems to
check out the differences. If you do, and work out how to hide the access
refusal until after the password challenge, please forward it to me.

Fix handling for the message clause so login and cwd= work as expected.
From a request submitted to the mailing list by [email protected] on
October 23, 1994. Patch submitted to the mailing list on August 30, 1996,
by [email protected].

----
Gregory A Lundberg Senior Partner, VRnet Company
1441 Elmdale Drive [email protected]
Kettering, OH 45409-1615 USA 1-800-809-2195
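
Added example, not part of the original message or of the wu-ftpd source: a C model of the user-name disclosure described in the VR6 notes above (a different reply when access is being denied), next to a version that gives every USER command the same 331 and holds the refusal until after the password. The account table, function names and reply texts are constructed for illustration; only the 331/530/230 reply codes are standard FTP.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample accounts (assumption); a real daemon would consult the
 * passwd database, hashed passwords and its deny list instead. */
struct account { const char *name; const char *password; int denied; };
static const struct account accounts[] = {
    { "alice", "correct-horse", 0 },   /* exists, allowed */
    { "root",  "toor-sample",   1 },   /* exists, FTP access denied */
};
struct session { const struct account *acct; int refuse; };

static const struct account *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0) return &accounts[i];
    return NULL;
}

/* Leaky form: the reply to USER reveals whether the name exists or is denied. */
const char *leaky_user(struct session *s, const char *name) {
    s->acct = lookup(name);
    if (s->acct == NULL) return "530 User unknown.";
    if (s->acct->denied) return "530 User access denied.";
    return "331 Password required.";
}

/* Uniform form: every USER gets the same 331; the refusal is only remembered. */
const char *uniform_user(struct session *s, const char *name) {
    s->acct = lookup(name);
    s->refuse = (s->acct == NULL || s->acct->denied);
    return "331 Password required.";
}

/* PASS: unknown user, denied user and wrong password all yield the same 530. */
const char *uniform_pass(struct session *s, const char *password) {
    int ok = !s->refuse && strcmp(s->acct->password, password) == 0;
    s->acct = NULL; s->refuse = 1;     /* a fresh USER is needed before retry */
    return ok ? "230 User logged in." : "530 Login incorrect.";
}

int main(void) {
    struct session s = { NULL, 1 };
    const char *names[] = { "alice", "root", "nobody-here" };
    for (int i = 0; i < 3; i++) {
        printf("%-12s leaky: %-26s", names[i], leaky_user(&s, names[i]));
        printf(" uniform: %s / ", uniform_user(&s, names[i]));
        printf("%s\n", uniform_pass(&s, "guess"));
    }
    return 0;
}
```
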