Date: Wed, 3 Jun 1998 23:55:19 -0400 (EDT)
From: Gregory A Lundberg
To: WU-FTPD Discussion List
Subject: Fixes for VR1 patches

Found some problems with my earlier patches. The first is something that's been niggling at me for a while; I just didn't realize what was wrong until _after_ I'd posted. The second is just plain dumb, sorry.

For people's convenience, I've put both sets of patches on my ftp site:

ftp://ftp.vr.net/pub/wu-ftpd-2.4.2-beta-17-vr1.patch
ftp://ftp.vr.net/pub/wu-ftpd-2.4.2-beta-17-vr2.patch

Anyone who's applied either of the CD patches posted to the mailing list last year will definitely want to take a look at my vr2 set.

I'm planning on doing a vr3 in a week or so. The items I've identified so far (from digging backward in the mailing list archives, or my own testing) include:

- Limit the number of concurrent logins for a given user. From a posting. How draconian, but I guess it's a good idea.

- Limit the range of passive ports so firewalls are easier to manage. From a posting. Actually, I'm gonna think on this one; sounds like a good idea, though.

- Allow _both_ syslog and xferlog, and specify the syslog LOG_FACILITY. Personal wish .. the more places you log, the more work a hacker has to go through to wipe his footsteps.

- Specify the location of xferlog and pid file(s). From a posted request. The response, "Hack the source", was lame, and it's a good idea.

- Someone said something about not being able to 'deny all' and then specifically allow certain users or hosts in /etc/ftphosts; if this is true I'll see if I can fix it. Don't recall seeing a patch or even a response to his request/observation.

There are two classes of patches I won't make from the mailing list archives: ratios and quotas. Quotas are better handled outside the daemon by the file system. Upload/download ratios are a BBS thing and this is the 'net. I pay for my access; don't tell me I gotta waste bandwidth uploading to you so I can download one of your files, or I'll just send you a couple gigs from /dev/random and see if you have quotas set too .. maybe I'll even get lucky and you'll be running your entire box on a single file system .. muhahaha!!!

People have asked, so I'll tell you my policy: right now I'm taking patches from the mailing list archives, going back through the mailing list archives for ideas/problems, and trying to roll them all into a single set of patches. If you send patches directly to me they may get lost anywhere between my inbox and my keyboard; if you like your patch, share it, and I'll find it in the archives. I will, of course, pay attention to problems with my patches.

What Stan does with these patches is up to him; they may, or may not, make it into the next BETA. Don't ask me what his plans are. If my patches don't make it into the next BETA, I'll just roll them forward against whatever Stan releases.

Anyway, here's the FIXES file for vr2:

----
This is a list of fixes to BETA 17 from lundberg@vr.net

These fixes require VR1 fixes to have been installed.

---------------------------------------------------------------------------

The fix for CD ~ broke the upload and noretrieve access-control statements and changed what was written to xferlog and the syslog. Well, actually, it didn't break the noretrieve statement, but the man page says '/' means the name is an 'absolute path specification' and I take that to mean relative to the _real_ filesystem, not the chroot'd one. Discovered when set live on my main server; I really should'a tested with more than one guestgroup. Drat.

Left a debugging statement in for syslogmsg in VR1 patches.
----

Gregory A Lundberg
Senior Partner, VRnet Company
1441 Elmdale Drive
Kettering, OH 45409-1615 USA
lundberg@vr.net
1-800-809-2195