Date: Wed, 26 Aug 1998 11:29:22 -0400 (EDT)
From: Gregory A Lundberg
To: WU-FTPD Discussion List
Subject: [VR6] More current fixes and extensions for BETA-18

I had originally planned to hold this until the 30th. Looking at the calendar, I see I'll be on holiday that weekend, so I'm pushing this out early.

These are available as both patches and pre-patched tarballs at my ftp site:

ftp://ftp.vr.net/pub/wu-ftpd/

If you take just the patch files, please remember: they are cumulative. You cannot apply fixes from one set without earlier sets already having been applied. The first set for BETA-18 is VR3; VR1 and VR2 were for BETA-17 only.

The ftp site also contains source release kits for compress, gzip, tar and ls (in the GNU fileutils) to assist you in building your ftp site.

This is a list of fixes to BETA 18 with VR5 applied from lundberg@vr.net
---------------------------------------------------------------------------

Add '-VR6' to version string in newsvers.sh. This will be updated with all future patches.

The patch for standalone daemon (in VR4) missed including a header. Discovered in testing.

The FIXES file for VR4 had a typo; the option is -s and -S (the -D was how the original patch worked; it was changed to avoid -d, debug mode). The ftpd man page is unclear on the use of -s and -S. Discovered in testing.

Some systems, notably Solaris, have problems with the code the standalone daemon mode used to attempt to detach from the terminal session. This was in the original patch. Upon thinking about the problem, I see no reason to keep the code around. If you need this feature, use 'nohup' to run the daemon. Discovered in testing.

Thanks to wally.winzer@ChampUSA.COM for his assistance in debugging the above fixes on Solaris (2.5.1 fully-patched on an E3000). Both his patience and his diligence are greatly appreciated.

Change the defaults to deny upload, and other site-modification things, for anonymous users. From a suggestion on the mailing list on August 20, 1998, from isf55@tid.es. Well lookidat, fixed a silly bug in the "rename" clause while I was there.

Somehow I missed a spot where "*" should be matched for the in an upload clause. Spotted while code-reading for the next patch.

Add 'anonymous-root' to select the chroot directory based on the class of anonymous user. From a proposal on the mailing list by I.A.Saez.Scheihing@urc.tue.nl on Sep 9, 1997. Also added 'guest-root' to select the directory based upon guest UID. Man pages updated.

Disallow UIDs and GIDs by numeric range. From the Apache Group's suEXEC module. This can obviate the need for /etc/ftpusers.

Add ability to force all UID/GID in a range to be treated as guests. From a patch submitted to the mailing list by fishbowl@netcomi.com on Nov 7, 1996. The original patch used compiled-in limits. Added ftpaccess clause to allow configuration. Updated man page. The original patch included a hard requirement to chroot to the user's home directory; use guest-root instead. This closes Stan's TODO item 16.

Fix a bug with realpath. If chroot'd to '/' the xferlog shows '//' at the start of the filename. Noted in testing. Thought I fixed this already but missed a condition.

The upload clause should use realpath on the home directory to be sure it matches. Otherwise, real users with /./ in their path will need their upload clause to lexically match the home directory entry in /etc/passwd. Noted in testing. This was not a big issue until I added realuser.

The daemon responds differently in some cases when it's denying access. This could be used by attackers to determine the validity of some user names on the target system. Noted on the mailing list by rah@lynxhub.ho.att.com on May 30, 1997. NOTE: the 331 response for some systems, notably BSD S/Key or other challenge/response systems, may differ from the 331 response given. I don't have access to those systems to check out the differences. If you do, and work out how to hide the access refusal until after the password challenge, please forward it to me.

Fix handling for the message clause so login and cwd= work as expected. From a request submitted to the mailing list by seamans@nlm.nih.gov on October 23, 1994. Patch submitted to the mailing list on August 30, 1996, by stanonik@nprdc.navy.mil.

----
Gregory A Lundberg
Senior Partner, VRnet Company
1441 Elmdale Drive
Kettering, OH 45409-1615 USA
lundberg@vr.net
1-800-809-2195
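The two path-handling fixes in the list above (the '//' prefix in xferlog when the chroot root is '/', and the upload clause needing a realpath-normalised home directory rather than the raw /etc/passwd entry with '/./' in it) as an added C example. This is not wu-ftpd's code and not from the post; it assumes the guest home-directory convention "ROOT/./START" and uses lexical normalisation as a stand-in for realpath(3) so it runs without real directories.

```c
#include <stdio.h>
#include <string.h>

/* Split a guest home directory "ROOT/./START" into the chroot root and the
 * start directory inside the jail.  With no "/./" marker the whole path is
 * the root and the session starts at "/".  Constructed example, not wu-ftpd. */
void split_guest_home(const char *home, char *root, size_t rsz,
                      char *start, size_t ssz)
{
    const char *sep = strstr(home, "/./");
    if (sep == NULL) {
        snprintf(root, rsz, "%s", home);
        snprintf(start, ssz, "/");
        return;
    }
    if (sep == home)                       /* "/./pub": root is "/" itself */
        snprintf(root, rsz, "/");
    else
        snprintf(root, rsz, "%.*s", (int)(sep - home), home);
    snprintf(start, ssz, "%s", sep + 2);   /* "/./pub" -> "/pub" */
}

/* Join the chroot root and an absolute in-jail path into the host path a
 * transfer log records.  A naive "%s%s" join yields "//pub/f" for root "/". */
void join_root_path(const char *root, const char *path, char *out, size_t osz)
{
    size_t rl = strlen(root);
    while (rl > 0 && root[rl - 1] == '/') rl--;   /* drop trailing slashes */
    while (*path == '/') path++;                   /* drop leading slashes */
    snprintf(out, osz, "%.*s/%s", (int)rl, root, path);
}

/* Lexically normalise an absolute path by collapsing "//" and "/./" runs.
 * Stands in for realpath(3); this is the form an upload clause is compared
 * against, not the raw passwd entry. */
void lexical_normalize(const char *in, char *out, size_t osz)
{
    size_t o = 0;
    out[0] = '\0';
    while (*in != '\0' && o < osz) {
        while (*in == '/') in++;                   /* skip separator run */
        const char *comp = in;
        while (*in != '\0' && *in != '/') in++;
        size_t len = (size_t)(in - comp);
        if (len == 0 || (len == 1 && comp[0] == '.'))
            continue;                              /* empty or "." component */
        o += (size_t)snprintf(out + o, osz - o, "/%.*s", (int)len, comp);
    }
    if (o == 0) snprintf(out, osz, "/");           /* everything collapsed */
}
```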