Copyright (c) 1999,2000,2001 WU-FTPD Development Group. All rights reserved. Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 The Regents of the University of California. Portions Copyright (c) 1993, 1994 Washington University in Saint Louis. Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc. Portions Copyright (c) 1989 Massachusetts Institute of Technology. Portions Copyright (c) 1998 Sendmail, Inc. Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman. Portions Copyright (c) 1997 Stan Barber. Portions Copyright (c) 1997 Kent Landfield. Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 Free Software Foundation, Inc.

Use and distribution of this software and its source code are governed by the terms and conditions of the WU-FTPD Software License ("LICENSE"). If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/license.html.

$Id: CHANGES,v 1.44.2.1 2001/11/29 17:25:33 wuftpd Exp $

Changes in 2.6.2: Released 29 Nov, 2001

o Added checks for missing "]" and "}" in filename globs; this completes the file globbing heap corruption vulnerability fix.
o Added checks to the globbing code for overflow of restbuf, and additional globerr setting and checking to speed up return on error.
o Changed the globbing code to use qsort, which is much faster when sorting a large number of strings.
o Handle ftpglob() returning a vector containing just a NULL string; fixes problems caused by CWD ~{
o Somehow the fix for pasv-allow didn't actually make it into 2.6.1.
o Provide a compile-time option to revert NLST to showing directories.
o Fix missing format strings in debugging code.

Changes in 2.6.1: Released 2 Jul, 2000

o Fix security leaks that could result in a root shell compromise.
o Fix memory leaks in internal ls (this feature still needs more testing; you should probably not use it on high-traffic production servers yet).
o Fix up the port-allow command in ftpaccess.
o Merge in the virtual passwd/virtual shadow features of BeroFTPD.
o Some fixes to the configure script.
o SITE MINFO was missed in 2.6.0 when disabling SITE NEWER.
o Fix documentation of data-limit.

Changes in 2.6.0: Released 18 Oct, 1999

o On SIGPIPE, always log a lost connection.
o Added a log message on attempts to download files marked unretrievable.
o The SITE NEWER feature has been disabled. A compile-time option has been added to re-enable it. See config.h.noac for more information on this.
o With restricted-uid/gid, CWD to a non-existent directory would display the full pathname rather than just the path relative to the user's home. Actually, the fix catches most cases where this could occur, not just the CWD verb.
o Fixed a bug in the restricted-uid/gid feature which could allow access outside the user's home directory in some cases.
o Bumped MAXHST (max. hosts allowed on a line) for ftphosts from 10 to 12. Fixed a related bug which could cause the server to crash while checking host access.
o The internal ls (see below) was judged to be unready. It has been disabled by default but can be enabled with a compile-time option for those who wish to attempt to debug it (be warned, it has a lot of problems).
o Split the "bad shell or user not in ftpusers" syslog message into two messages to prevent confusion.
o Filename globs for LIST, NLST and SITE EXEC, as well as a few internal uses, are cleaned up before processing. For example, */./../* becomes just *. This prevents certain memory starvation DoS attacks.
o Corrections for RFC compliance can break some clients. If possible, the broken client should be updated, but a compile-time option has been added. See config.h.noac for more information on this.
o Created doc/HOWTO directory and moved VIRTUAL.FTP.SUPPORT and upload.configuration.HOWTO there.
o Add a README.AUTOCONF file describing the autoconf build in detail.
o UC Berkeley has removed the requirement that all advertising material must include credit to them. Removed the clause from the LICENSE and the historical licenses in the COPYRIGHT file.
o Added the email-on-upload feature from BeroFTPD. See the ftpaccess man page for defaults on these added ftpaccess clauses:
    mailserver
    incmail
    mailfrom
    virtual incmail
    virtual mailfrom
    defaultserver incmail
    defaultserver mailfrom
o Redhat added the -I option to disable RFC931 (AUTH/ident). Added to the baseline so Redhat users don't see a loss of a feature. Setting the timeout for rfc931 to zero in the ftpaccess file will do the same thing.
o The test for whether restricted-uid/restricted-gid applied should have been done before the chroot so it used the system /etc/passwd and /etc/group files.
o CDUP when you were already at the home directory would complain about you being restricted (if you were). Instead it should give a positive reply and do nothing. This makes it behave more like CDUP when you're not restricted to your home directory.
o deny-uid and deny-gid were being tested for anonymous users. Bad move; it's too easy to forget to allow them. Use 'defaultserver private' to keep anonymous users away.
o Correct the operation of the NLST command. Finally. mget should now work as users expect it to.
o Prevent buffer overruns when processing message files.
o Correct a reference through a NULL pointer when doing S/Key authentication and the user is not in the passwd file.
o Check the return code from select() when setting up a data connection. Under some rare conditions it is possible that select() was called for an fd_set which has no members, hanging the daemon.
o Ensure a pattern of "*" matches everything. The new path_compare (used on upload and throughput clauses in the ftpaccess file) sets the option FNM_PATHNAME, so:
    *      matches everything
    /*     matches everything
    /*/*   matches /dogs/toto and /dogs/toto/photos but not /dogs
o setproctitle() support added for UnixWare.
o Removed all FIXES files. Merged their contents into this CHANGES file (the one you're reading now). The old doc/FIXES directory has been tar'd and will be placed in the attic when 2.6.0 releases.
o Corrected an error in the MAPPING_CHDIR feature which could be used to gain root privileges on the server.
o Added -V command-line option to View the copyright and exit.
o Added the privatepw command and documentation.
o Port for FreeBSD corrected.
o Adding the LICENSE file to the baseline.
o Added print_copyright function so our copyright is embedded in the executables.
o WU-FTPD Development Group copyright headers added. Original Copyright headers moved into the COPYRIGHT file.
o RCS Ids from 2.4.x removed and new templates added for wu-ftpd.org usage.
o Make sure the signal context is restored when jumping out of signal handlers. This was causing signal 11 on some systems.
o Cleaned up the how-to of setting up virtual hosting support.
o Corrected header file dependencies.
o Changed NLST to nlst, necessary as ftpcmd.c #defines NLST.
o Tidied up virtual variables.
o Changed so compiles cleanly on SCO OpenServer 5, UnixWare 2 and UnixWare 7.
o Anonymous users could get in even though no class was defined for them.
o Support for non-ANSI/ISO compilers has been removed. You MUST have an ANSI/ISO C compiler. This has been true for some time; all that has changed is that the (incomplete) support for older (K&R) compilers has been removed.
o Added Kent Landfield's NEWVIRT scheme for extensive virtual hosting. See the updated documentation on virtual hosting for details.
o ftprestart has been added to the base daemon kit.
o A buffer overrun in the ftpshut command has been corrected. Since, on most sites, the ftpshut command is only usable by the superuser, this is not considered a security issue. If you have installed ftpshut with suid-root permissions (not the default), then there is the possibility this overrun could be used to leverage root permissions.
o Several new ftpaccess clauses have been added. These allow control of the various timeouts used within the daemon. The new clauses are:
    timeout accept
    timeout connect
    timeout data
    timeout idle
    timeout maxidle
    timeout RFC931
o Myriad places where inactivity timeouts were not being properly detected or handled have been corrected. The built-in directory listings, both the original NLST and the built-in LIST (ls), now detect inactivity. The original NLST did not, which could lead to hanging daemons. C FILE handles for data connections are now always flushed, then the socket is shut down cleanly before being closed. As a side effect, the daemon now more often properly detects incomplete transfers. This can lead, though, to the xferlog showing the correct byte count (meaning the daemon read or wrote that many bytes over the data connection) but still logging the transfer as incomplete (meaning the socket did not properly shut down, so the client probably missed some data).
o The daemon no longer attempts to replace the system's header when compiling. Instead, it uses its own local copy at all times.
o The daemon will now wait for the transfer to complete before sending 'Transfer complete' or similar messages. This improves the daemon's reliability for poorly written clients which take receipt of the message as an indication that the transfer has completed rather than reading until the connection closes.
o Guest and anonymous logout was not recorded on Linux. Removed call to updwtmp and returned to the old method of updating the lastlog.
o Script "vr.sh" is no longer needed. The Development Group will not be releasing patches to upgrade; they can be obtained from CVS if needed.
o "realpath_on_steroids" is no longer needed. Removed.
o Use a custom version of fnmatch() which changes the rules for matching file and directory names. The most visible result of this is that noretrieve and allow-retrieve are now much more flexible. See the ftpaccess manpage for examples.
o Use the correct SPT_TYPE for FreeBSD 2.0 or later.
o Correct the class= logic on the allow-retrieve clause.
o Enhanced DNS extensions. This adds three ftpaccess clauses:
    dns refuse_mismatch [override]
    dns refuse_no_reverse [override]
    dns resolveroptions [options]
o Corrected a reference in the manpage for ftpconversions to ftpd.
o The string 'path-filter' is now used in the system logs to describe problems resulting from failing a path-filter check. The daemon used to just say 'bad filename', which was misleading to some people.
o Added instructions on how to support PAM on Solaris. Right now this means hand editing src/config/config.sol and src/makefiles/Makefile.sol.
o Checking that all platforms use config.h, src/config/config.isc was found to have forgotten to include the file.
o A security deficiency on SunOS 4.1, not having a working getcwd() function, has been corrected by using the provided function. Compilation bugs in the portable getcwd() function have been corrected.
o The daemon will no longer hang attempting to close the RFC931 socket when the remote end is firewalled and does not respond to traffic for this protocol. This was determined to be inappropriate handling of SIGALRM; handling for this signal has been cleaned up throughout the daemon.
o The daemon may now be built using GNU autoconf. This is in the early stages and not all platforms may be supported. The old build system will be maintained for at least the 2.6.0 release, until the major platforms are all known to be supported.
o Two new ftpaccess clauses have been added. These allow the site admin to selectively allow PORT and PASV data connections where the remote IP address does not match the remote IP address on the control connection. The new clauses are:
    port-allow [ ...]
    pasv-allow [ ...]
o The daemon now includes an internal 'ls' command.
o Ported to Mac OS/X.
o Added (limited) support for AFS and DCE user authentication. This is only known to work on AIX, and needs porting to other platforms. For now, this requires hand work to enable.
o Added an ftpaccess clause to enable TCP keepalives. This clause is:
    keepalive
o You can now specify the xferlog filename for the default server just as you can for the virtual hosts, in the ftpaccess file. The new clause is:
    xferlog
o ftpaccess manpage cleaned up. Many typos corrected, some technical changes. Indentation should now be correct.
o Apache's .indent.pro added to the src and support directories. Ran all *.c and *.h files through it. ftpcmd.y has been indented by hand. The code is now a lot more readable!
o A bug in the parsing for the deny !nameserved ftpaccess clause has been corrected.
o Technical corrections in the ftpd manpage.
o Add util/recompress.c as a more generic version of gzip2cmp.c.

###########################################################################

Changes in 2.5.0: Released 25 May, 1999

o Change the handling of wtmp for GNU libc to use the OS-provided function updwtmp().
o Prevent some buffer overruns.
o Fix permissions on some files installed by RPM, add the log rotation control file.
o Change the seteuid() calls for fchown() and chown() for POSIXLY_CORRECT systems.
o pid file locking in ftpcount (ftpwho) is now consistent with the way the daemon locks these files.
o Cancel any pending alarm request to stop acl_remove() from being interrupted then called again via the SIGALRM handler; this should fix the flock on a bad file descriptor looping problem.
o Use %m in syslog format strings in place of %s and strerror(); this simplifies #ifdefs.
o For SCO, link ftpcount with libsocket, necessary as it now calls syslog().
o Added Redhat's RPM SPEC file for building RPMs.
o English corrections in ftpaccess manpage. Technical correction: the noretrieve/allow-retrieve clauses do NOT support regular expressions.
o Move where ftpglob stuff is defined to avoid compilation errors on some systems.
o Port to SGI Irix version 4 corrected.
o Overwrite behavior on uploads has been made consistent with shell usage. The daemon does not change ownership or permissions on overwrite.
o Corrected the PASV command to bind to the correct interface (local IP address).
o Removed the OVERWRITE and UPLOAD defines from platform config files; they are defined in the main config.h header.
o Issuing CWD without any parameters caused a signal 11, crashing the daemon.
o Port to HP/UX corrected.
o Added ERRATA file to discuss problems with getcwd().
o Added a portable version of the getcwd() function for systems which do not have it or incorrectly implement it. NextStep 3 uses this new function.
o OPIE support was being disabled even though the proper command-line switches were being set. Corrected the use of opieverify().
o The fatal() function was not declared void; this was causing problems with some compilers.
o Port to Hitachi HI-UX corrected.
o Some calls to fnmatch() were missing parameters.
o Corrected the 'restricted' user feature. It now works well with most FTP clients.
o Correct usage of -d vs -e in the install Makefile for a number of platforms.
o You can now use negated hostnames/addresses on the class ftpaccess clause.
o Added an ftpaccess clause to specify random text for the initial greeting:
    greeting text
o Corrected password encryption/checking for Digital Unix with C2 security (SECUREOSF).
o Merged the TODO file from the VR series with Stan's TODO file for the Academ betas.
o Changed the various permission denial messages sent by the daemon to the client to make it clear the message originated from the server.
o Ports to SCO, Solaris, uxw, ptx and isc corrected.
o Use the newer SEEK_ defines in place of the old BSD L_ defines, and removed the global definition of entry; each function should define it locally.
o Removed an unnecessary lseek(L_SET) in ftpcount (ftpwho).
o Link ftpcount and ftpshut with ${XXLIBS}.
o Made strsep() definition consistent with BSD and Linux. Add strsep() definition to conversions.c.
o Added #include to ckconfig.c.
o Replaced the _PATH_DEVNULL define with a #include of "pathnames.h" in popen.c.
o Support long group access passwords if SecureWare or HPUX_10_TRUSTED are defined (using bigcrypt()).
o Fixed a memory leak in restrict.c.
o Digital Unix version 4 has a working getcwd(); use it instead of getwd().
o Stop restrict_list_check() from walking off the end of name.
o Added -x command-line option to mean 'log syslog+xferlog'.
o Changed the log ftpaccess clause to allow logging transfers to both the syslog and xferlog. The log ftpaccess clauses now include:
    log syslog
    log xferlog
    log syslog+xferlog
o Formation of the WU-FTPD Development Group on 1 April, 1999. 2.4.2-VR17 chosen as initial baseline for the daemon.

###########################################################################

Changes in 2.4.2-VR17: Released 1 April, 1999

o Gregory A Lundberg resigns as the de-facto maintainer of WU-FTPD. "And you thought I was joking."
o VIRTUAL is now the default for Solaris; all Solaris systems support multiple interfaces (IP addresses).
o Fixed complaints involving virtual_len reported by several beta testers.
o Some of the 'C' source code in ftpcmd.y depended upon a particular behavior where ANSI/ISO does not define it. Corrected so all compilers will properly interpret the code.
o Corrected the support for QUOTA on Solaris.
o The GNU EGCS 'C' compiler is broken. A quick check and we can avoid the brokenness.
o Port to Ultrix corrected.
o The default shell on NextStep wants -d instead of -e. Changed to test instead of [] since that's more portable; will probably do the same for other systems in a future release.
o MNTMAXSTR was possibly undefined on Digital Unix 4.0 even when not using QUOTA_DEVICE, causing compilation errors.
o Added daemonaddress to the ftpaccess manpage.
o Added a note from Chad Price in src/logwtmp.c about the brokenness of Solaris' last command.
o It turns out that not all SunOS 4.1 boxes actually have a getcwd() function.
o The labels unix and __unix__ are deprecated on BSD, affecting the logic for the response to the SYST command.
o Added an appnote about OPIE. See src/makefiles/Makefile.lnx for a way to automatically have the daemon use OPIE. Send your Makefile if you do something similar for your system.
o Added an appnote about a problem experienced with Trusted Solaris.
o Added doc/misc directory to start collecting interesting tidbits which may help people get their servers going.
o The FIXES files were really cluttering up the base directory. Moved them to a directory under doc.
o The 'log security' ftpaccess clause covered all but a few messages about filesystem operations. It now covers the few it missed.
o Under some conditions _PATH_WTMP was not being set in pathnames.h.
o QUOTA is now supported for Solaris.
o Trusted Solaris needed additional functionality in ftpcount (ftpwho).
o File locking in ftpcount (ftpwho) was never completed.
o Port to HP/UX corrected.
o 'make install' now accepts DESTDIR to install into a directory structure other than the root file system. A number of other optional parameters are available to override the default ownership of the installed files. Missing directories are automatically created. File permissions were reduced to the minimum necessary.
o Dead code removed.
o The Makefile for Linux now automatically detects if PAM is installed and compiles the daemon to use it.
o Fix an uninitialized variable in ftpshut which could affect the way the command works with default values.
o Suppress trailing blanks from the output of a wide 'ps' in the ftpcount (ftpwho) command. Just making things pretty.
o Updated upload.configuration.HOWTO to describe more of the configuration having to do with class= rules and the overwrite, delete and rename clauses.
o Added vers.c and edit to 'make cleandir' in the src directory. These files are automatically created during the build process.
o Added a restrict_check(".") in the LIST command for consistency with the remainder of the code in ftpcmd.y.
o Corrected the 'restricted' users feature so it would play nicely with web clients and the way some of them mis-interpret FTP URLs.
###########################################################################

Changes in 2.4.2-VR16: Released 4 March, 1999

o The Makefile for hiu had a typo and would not install two manpages.
o Merged 2.4.2-BETA-18-VR15 with 2.4.2 (final) from Academ. Gotta love CVS. :)
o Gregory A Lundberg becomes the de-facto maintainer of WU-FTPD pending the formation of the WU-FTPD Development Group.

###########################################################################

Changes in 2.4.2: Released 26 February, 1999 (not announced)

o With the release of 2.4.2, Stan Barber steps down as the maintainer of WU-FTPD.
o Documented that 'upload .. no' allowed directory creation. See doc/examples/ftpaccess.heavy as an example. [Ed: This is not the case for the VR series, but I'm including the change anyway.]
o Clarification in the manpage for ftphosts: ftp or anonymous listed in the file will disable anonymous ftp access.
o Possible pointer overrun in acl.c parsing ftpaccess corrected.
o Literal constant in ftpcmd.y changed to static to reduce program size.
o ftpcount/ftpwho interpretation of start/stop times made to match the way the daemon actually does it.
o setproctitle() in ftpd.c updated to avoid a buffer overrun and handle low memory conditions; SCO corrections.
o Possible buffer overrun parsing 'virtual root' and 'virtual logfile' corrected.
o A timeout timer was being reset at the wrong point during STOR.
o Corrections for Sun/Solaris paths in pathnames.h.
o Makefile for DEC/Unix (dec and du4) changed from cc -std1 to cc -std.
o Correction in syslog support for DEC/Unix in support/syslog.c.
o util/xferstats corrected to parse your local domain name rather than just assuming you're academ.com.
o Other changes are white-noise or simply for style and do not affect the operation of the daemon in any way.
###########################################################################

Changes in 2.4.2-BETA-18-VR15: Released 1 March, 1999

o Provided a means to completely disable anonymous FTP access. Done as a compile-time option; see config.h.
o NLST with a directory ending with / doubled up the slash. This had been there for years.
o Completed large file support for AIX. To enable Large File support, use './build aix LF=YES'.
o The stock compiler on SunOS 4.1 is braindead. Use gcc instead. Also found during trials that getcwd() works fine on s41 and enabled it. Found that on a SunOS 4.1 using NFS in the FTP area, fchdir() doesn't always work, so if you have problems, #define HAS_NO_FCHDIR to see if that helps.
o Complete the changeover from SCO Unix to SCO OpenServer 5.
o We really don't need to #undef NO_PRIVATE twice in config.h .. it just confuses things.
o The -X command-line option and 'log syslog' were not working as documented. The switch was re-initialized by the 'log' clauses.
o Additional corrections for AIX 4.2 and large file support. Earlier versions of AIX may need to edit support/makefiles/Makefile.aix if they don't have snprintf() or strdup().
o Corrected a case where _PATH_XFERLOG may not be defined at all in src/pathnames.h.
o Code cleanup for the xferlog print which was changed in VR14.
o A typo selected the wrong HELP_CRACKERS patch in one place.
o Protect a #define conflict on NetBSD with #ifndef.
o The reason the daemon won't work on AIX is the size_t_blksize change made as an experiment way-back-when. Backed out that change. Let's see what happens.
o Corrected an error which caused AIX to sometimes report 0 for the filesize when a download begins.
o There were a number of places where there was no check for errors from alloc()/malloc()/calloc().
o defumask was causing problems on HPUX. Another case of mis-matched definition/extern.
o There were several places where int was being used and size_t was correct. This may, or may not, fix problems getting the daemon to work on AIX.
o Added the ability to restrict users to their home directories. This has the effect of doing a "soft" chroot and is best used with guest users. Several new ftpaccess clauses were added to support this:
    restricted-uid [...]
    restricted-gid [...]
    unrestricted-uid [...]
    unrestricted-gid [...]
o Sun forgot to include RAND_MAX in their implementation of srand()/rand() on SunOS 4.1. Choose a (hopefully) correct value. This has dire consequences for PASV port randomization if it's wrong.
o The Perl script for xferstats provided with the daemon calls for /usr/local/bin/perl when Perl is usually in /usr/bin/perl. You shouldn't be using this script anyway; get Phil's version, it's MUCH better.
o Corrections to QUOTA support.
o OPIE can now use the OPIE access file, allowing some users to use password authentication while requiring others to use OPIE.
o Wildcards (*) on hostmatch used to work and don't any more. They were removed because the original method was insecure. Corrected the problem and re-instituted this feature without the potential security problems of the old method.
o /etc is cluttered enough, but the config files make it harder than it has to be to use /etc/ftpd for the daemon configuration files. Updated config files to test for a value before setting the default. Look in src/makefiles/Makefile.lnx for an example of how to automatically test the target for this, or just add -DUSE_ETC_FTPD to COPTS in your Makefile.

###########################################################################

Changes in 2.4.2-BETA-18-VR14: Released 15 February, 1999

o The correction for SCO had an effect on Digital Unix with C2 Security (SECUREOSF).
o Fixed some dumb coding mistakes in realpath.c.
o Port for NextStep 3.3 corrected.
o Fixed a compile error for quotas on Linux; seems Redhat or someone forgot to #include a file deep in the OS runtime headers.
o Corrections for SecureWare systems so the daemon can build on SCO OpenServer 5.
o There were points where multiple replies due to realpath() returning an error could hang the remote client. Removed the extra replies.
o The size of a buffer used by the *_realpath() functions was BUFSIZ and should be MAXPATHLEN. Actually, this was the case in many places in extensions.c.
o The anti-NOOP code didn't work. The timer was being restarted too often.
o The reason debug doesn't work in daemon-mode is that it's initialized too late.
o Back in VR8 I turned off the sleep slowing down password guessers because there are times when signals can be off when the sleep occurs and that would hang the daemon. Let's fix that and re-enable the sleep.
o Still more buffer-overflow points which can cause problems. This time it's in the writing of the xferlog. Sigh. This really should be rewritten.
o Disallow PASV connections from IP addresses different than the control connection. This is not a complete fix, but it will stop connection theft where the attacker is on a different machine than the victim client.
o There is an old, well-known PASV port race designed into the FTP protocol. To make it harder for this race to succeed, do not depend upon the underlying system to randomly choose the PASV port. The only correct solution to this problem is a client-side issue: open the connection before issuing the transfer command.

###########################################################################

Changes in 2.4.2-BETA-18-VR13: Released 1 February, 1999

o Added module loadavg.c stripped from Sendmail. This is not currently compiled. The module is for testing connection limits based upon system load, which is planned for a future version of the daemon.
o Fixed a bug where access.c was logging garbage because of bad linkage to ftpd.c; this appeared on a number of syslog messages instead of the remote user identification (via RFC 931).
o Added an ftpaccess clause to listen on a single IP address instead of INADDR_ANY. This is incompatible with virtual host support as things now stand and will require a major rewrite to fix. I needed it for a specific site and decided to leave it in. The new clause is:
    daemonaddress
o Fixed a bug in the 'connection from' message. The AUTH (RFC 931) was too late and the remote address and host name hadn't been determined yet.
o Fixed a bug in the quota support which caused a crash if there was no file support (/etc/fstab /etc/mtab) on some systems.
o Added documentation for class= phrases missed in VR12 and promised for this release.
o The realpath fix in VR12 for NFS had an off-by-one.

###########################################################################

Changes in 2.4.2-BETA-18-VR12: Released 1 January, 1999

o Added a missing library building for SGI.
o Added a few small tweaks for building on NetBSD.
o Added a compile-time option to suppress syslog messages about pid locks forcing a sleep.
o Preload the ftpaccess file before becoming a daemon. This can have a big impact on the performance for busy sites. It also loads before the chroot command-line option, so the /etc/ftpaccess file does not need to be in the protected area.
o The ftpwho and ftpcount commands internally use ps(1). Apparently, on at least Linux, there's a move afoot to change the ps(1) command so it no longer accepts dashes on the command-line options. How annoying. Ah well, if the target is Linux, use ps(1) without dashes to make the silly command shut UP!
o The cleanup in the last patch also cleared up some potential problems with the upload clause. The daemon is no longer critically sensitive to minor formatting errors on this clause.
o Added 'class=' parameter for noretrieve, allow-retrieve, path-filter, delete, umask, chmod, overwrite, rename and upload clauses. Cleaned up the functions a bit for readability.
o Port for Digital Unix 4.0(b) corrected.
o Corrected a coding error which prevented proper use of the address:netmask form for access control.
o Corrected problems with NFS and the new realpath code in VR10. Some problems with several security models and NFS have been corrected.
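The address:netmask form referred to above (and the address/netmask or CIDR forms the access control clauses accept, per the VR9 notes below) can be matched with a small routine like the following. This is an added illustration, not code from the daemon's acl.c; the two spellings "a.b.c.d/bits" and "a.b.c.d:m.m.m.m" are assumed from the changelog's wording, and the matcher fails closed on any malformed entry, including a non-contiguous netmask.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a dotted-quad IPv4 address into host byte order. Returns 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (s == NULL || *s == '\0' || inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Parse an access-list entry in one of the assumed forms:
 *   a.b.c.d/bits      (CIDR)
 *   a.b.c.d:m.m.m.m   (address:netmask)
 *   a.b.c.d           (single host, treated as /32)
 * Returns 1 and fills *net (already masked) and *mask on success, 0 on any
 * malformed input so that a bad entry never silently widens the match. */
int parse_addrspec(const char *spec, uint32_t *net, uint32_t *mask)
{
    char buf[64];
    char *sep;
    uint32_t m;

    if (spec == NULL || strlen(spec) >= sizeof(buf))
        return 0;
    strcpy(buf, spec);

    if ((sep = strchr(buf, '/')) != NULL) {
        char *end;
        long bits;
        *sep++ = '\0';
        bits = strtol(sep, &end, 10);
        if (*sep == '\0' || *end != '\0' || bits < 0 || bits > 32)
            return 0;
        m = (bits == 0) ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - bits));
    } else if ((sep = strchr(buf, ':')) != NULL) {
        *sep++ = '\0';
        if (!parse_ipv4(sep, &m))
            return 0;
        /* Reject non-contiguous masks such as 255.0.255.0: for a valid mask
         * the complement is 2^k - 1, so ~m & (~m + 1) must be zero. */
        if ((~m & (~m + 1)) != 0)
            return 0;
    } else {
        m = 0xFFFFFFFFu;
    }

    if (!parse_ipv4(buf, net))
        return 0;
    *net &= m;          /* host bits present in the entry are ignored */
    *mask = m;
    return 1;
}

/* Returns 1 if the client address (dotted quad) lies inside spec, 0 if it
 * does not or if either string is malformed (fail closed). */
int addr_matches(const char *spec, const char *client)
{
    uint32_t net, mask, c;
    if (!parse_addrspec(spec, &net, &mask) || !parse_ipv4(client, &c))
        return 0;
    return (c & mask) == net;
}

int main(void)
{
    /* Constructed sample entries in the style of an ftpaccess address list. */
    static const char *specs[] = {
        "192.168.1.0/24", "10.0.0.0:255.0.0.0", "172.16.5.7", "10.0.0.0:255.0.255.0"
    };
    const char *client = "10.3.4.5";
    size_t i;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++)
        printf("%-22s %s\n", specs[i], addr_matches(specs[i], client) ? "match" : "no match");
    return 0;
}
```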
###########################################################################

Changes in 2.4.2-BETA-18-VR11: Released 1 December, 1998

o Corrected a problem with CWD when no parameter is given and the user is anonymous or guest. The command should work but returns an error instead; the error reveals the underlying file system. CWD with no parameter should work like CWD ~.
o Corrected problems with the new realpath.c on SunOS. Basically, the getcwd() function on SunOS is too buggy to use, so we had to switch to getwd() instead. SunOS has joined AIX as systems which do not provide the runtime support needed to avoid all buffer overruns in realpath().
o Changed the lslong and lsshort ftpaccess clauses to support more complex command lines. Added lsplain to modify the default 'ls' behaviour.
o The byte count for ASCII mode file reception was off by a few characters. This bug had been there for a very long time.
o A bad extern in ftpcmd.y caused garbage to be logged for the remoteident.
o initsetproctitle was once again causing signal 11 crashes. Moved the call further up yet again and they're not happening.
o Added an option to completely disable PASV mode and/or PORT mode.
o Added syslog message if started as a standalone daemon and there is no ftpaccess file being used.
o Linux libraries now define some paths already in src/pathnames.h, so we need to #include first. Did this in config/config.lnx.
o Linux library includes no longer #define MAXMNTENT, so if it's not there #define it in extensions.c until someone has the time to fix this right.
o Added -r option to chroot the daemon during startup.

###########################################################################

Changes in 2.4.2-BETA-18-VR10: Released 1 November, 1998

o There was a buffer-overrun in the realpath function. Imported the FreeBSD realpath() function to correct this error.
o The Perl xferstats wasn't updated to match the new xferlog format with the new completion-code field on the end.
o AUTH (ident) the remote user during login. Record the results in the syslog.
o RFC-931 (AUTH/IDENT) was finished up. The log messages now show the RFC-931 user if one is known.
o Support for some Hitachi flavors of Unix was added.
o Major cleanup of build and the makefiles.
o A number of minor fixes, mainly having to do with differences between ANSI/ISO and K&R C.
o Fixed several points of confusion when some things (like size_t) are not the same size as an int.
o Added the -Q command-line option to suppress access to the PID files. NOTE: Without PID files, the limit ftpaccess clause cannot determine the number of users in the given class.
o Added a -p option which allows the port to be specified for the control connection. Command-line options are also provided to allow both the data and control port numbers to be specified.
o The daemon did not use the correct method to choose the port for the data connection in PORT mode. The daemon will now look up the data port in /etc/services.

###########################################################################

Changes in 2.4.2-BETA-18-VR9: Released 15 October, 1998

o Cleaned up a few large, confusing 'if' statements in the code.
o Changed my mind. Regular expressions don't work well unless there's some way to tell they're there. Backed out all regular expression matching for file/path names in the ftpaccess file. This issue will be re-evaluated in a later version. Globbing still works everywhere it's reasonable to use it.
o Dead code removed.
o Noted a number of places where strcmp was used but strcasecmp would be more appropriate. This makes the ftpaccess file easier to maintain since small typographical errors won't matter so much any more.
o Added regular expression matching to deny-mail.
o There were reports of errors on AIX with malloc. Testers confirm the problem is in send_data(). Working on the supposition that the problem is data alignment: the 'blksize' is off_t and malloc() wants a size_t; added a conversion step which should eliminate the problem.
o Fixed another discrepancy between the ANSI and K&R function definitions.
o Support globbing/wildcards throughout ftpaccess file for file and directory comparisons.
o Added support for OPIE (One-time Passwords In Everything). You will need OPIE libraries installed to use this. OPIE is available from ftp://ftp.inner.net/pub/opie/opie-2.32.tar.gz
o The extensions for 'absolute' or 'relative' pathname comparison were not case-insensitive. They should have been.
o Add 'allow-retrieve' to allow retrieval of files which would be denied by earlier 'noretrieve' clauses. The ftpaccess clause is:
    allow-retrieve [absolute|relative] [class=]... [-] ...
o Support regular expressions in noretrieve.
o Port for Digital Unix with C2 Security (SECUREOSF) corrected.
o Allow access control commands to use address/netmask or CIDR.
o Corrected a hostname matching bug.
o Allow host names instead of IP numbers.
o Reduce the number of DNS lookups needed for virtual host support.
o xferlog now indicates success or failure.
o realpath() needs root permissions to prevent errors under certain security models.

###########################################################################

Changes in 2.4.2-BETA-18-VR8: Released 1 October, 1998

o AIX complained (rightly so) about several problems with the source which prevented compiling using K&R.
o DEC Unix 3 complains about the function 'main()' having more than two parameters for STRICT ANSI/ISO C compliance. This warning can be safely ignored.
o Corrected several minor problems and fixed errors in syslog in the support/makefiles/Makefile.dec and src/makefiles/Makefile.dec which prevented building on DEC Unix 3.x.
o Added USE_VAR and USE_ETC for IRIX (sgi) configuration.
o Added two more virtual-server features so we can deny anonymous login on a virtual server and so we can allow specified users to log in even though they're real or chroot'd to another directory. Also added a feature to deny real, guest or anonymous on the default server. The new ftpaccess clauses are:
   virtual private
   virtual deny [ ...]
   virtual allow [ ...]
   defaultserver private
   defaultserver deny [ ...]
   defaultserver allow [ ...]
o Testing CLOSED_VIRTUAL_SERVER pointed out a bug in user(): the attempt to sleep to slow down password guessers can't work since signals are off. The daemon sleeps forever. This has been there for years.
o Ported to Digital Unix 4.
o If no 'ftp' user existed, the HELP-HACKERS patch failed to send a response, which would hang the ftp client.
o BSD auth failures crashed the daemon. This looks like it's been a long-standing problem.
o An earlier version changed the behavior of the xferlog to always show the full, real path for the file. This should have been a compile-time option.
o More typos in ftpaccess.5, some mine, some have been there for ages.
o Added the ability to disable all DNS lookups in the daemon. I've done this as a compile-time option and included a discussion of the risks and benefits in the config.h for the daemon. Enabling this feature can be a win for busy sites because it can reduce the time required to make a connection as well as eliminate syslog messages caused by bad DNS management at the remote sites.
o Found another undocumented feature. If the on a 'class' or 'deny' clause starts with a slash (/) it names a file which contains any number of additional entries per line and any number of lines. Updated manpage.
o Add 'greeting' clause to control the amount of information the server gives out on the greeting. The new ftpaccess clause is:
   greeting full|brief|terse
o Added 'email' option for the 'virtual' clause so we may set this as well. The new ftpaccess clause is:
   virtual email
o Added the restriction that no real users may log in on the virtual server.
o If a guest logs in on the virtual server, deny the login unless their chroot point is the virtual server's root. This restricts guest logins to the site admin and anonymous users.
o Added 'hostname' option for the 'virtual' clause so we may set the name of our multi-homed ftp sites as we can with our default site. The new ftpaccess clause is:
   virtual hostname
o Added an ftpaccess clause to limit total connect time. The new clause is:
   limit-time {*|anonymous|guest}
o Disallow certain email addresses as passwords for anonymous ftp. The new ftpaccess clause for this is:
   deny-email
o Fix a bug in the parsing of ftpconversions which I found when I put in the new conversions for checksums. Turns out this was the same as the bug I fixed in VR4 parsing the ftpgroups file.
o Cleaned up some of the cross-platform user authentication code for SECUREOSF.
o Modify the password cryptography for C2 Digital Unix.
o Moved 'retrieve_is_data' to be always compiled into the code since it was needed for SITE CHECKSUM.
o Add site-exec-max-lines ftpaccess clause. This clause makes the limit on output lines from SITE EXEC configurable. The default is a 20-line limit, which was the old compiled-in limit. The new ftpaccess clause is:
   site-exec-max-lines [ ...]
o Added IGNORE_NOOP as a new compile-time option. It is now the default.
o Added 'SITE CHECKMETHOD' and 'SITE CHECKSUM'.
   SITE CHECKMETHOD [CRC|POSIX|MD5|RFC1321]
      Sets or displays the current check method. If no parameter is given, displays the current method; otherwise the method is set to the given algorithm. CRC and POSIX are equivalent and are the output of the GNU cksum(1) utility. MD5 and RFC1321 are equivalent and are the output of the GNU md5sum(1) utility. The default check method is RFC1321 (MD5).
   SITE CHECKSUM []
      Calculates the checksum for the named file. If no file is given, the last file transferred (uploaded or downloaded) is used. If no file has yet been transferred, reports an error. The current CHECKMETHOD is used to calculate the checksum.
   New ftpconversions: .crc and .md5
      Two new file conversions were added to the example ftpconversions which allow using GET to retrieve the CRC or MD5 checksums for files.
   NOTE: SITE CHECKSUM requires the installation of two additional programs in the ~ftp/bin directory. These programs have the same requirements as the external ls(1) program also normally required in that directory. For systems without these programs, or which require building new copies, the GNU textutils package should be used. This package is available at ftp://ftp.gnu.org/pub/gnu/; the current version at the time of this writing is textutils-1.22.tar.gz
###########################################################################
Changes in 2.4.2-BETA-18-VR7: Released 15 September, 1998

o Transfer limits tested the wrong values for files uploaded to the server.
o Added several new log messages missed in other versions having to do with filesystem change attempts.
o Extended logging for rejected or denied functions such as delete, rename.
o The QUOTA logic for BSDI doesn't match what's provided by the system.
o My label 'slimy_hack:' appearing just before a '}' causes some compilers to belch. I guess some are more ANSI/ISO than others. Made a quick fix which ought to make them shut up until I can rewrite pass() to make the label go away.
o The include for 'mntent.h' isn't needed unless QUOTE_DEVICE is defined. This caused problems on BSDI. Moving the include to only appear for systems which use QUOTE_DEVICE.
o The HELP_CRACKERS patch was too aggressive and, if message files were defined for 'deny' and 'limit', could tickle bugs in ftp clients. The patch is backed off to drop the connection immediately if it violates 'deny' or 'limit'.
o Extended upload and noretrieve to have an optional parameter which specifies whether the named file/directory is interpreted as an absolute name or relative to the current chroot'd environment.
o Don't respond to *ANY* commands except USER, PASS and QUIT until the remote user logs in successfully.
o Added PARANOID check to deny login if a real user's home directory is bad. Something's bunged up in /etc/passwd, why trust it?
o Extended logging for rejected and failed login attempts.
o Fixed a bug in popen which can cause segmentation faults. It's unknown if this is exploitable (it doesn't look like it is to me). It's been a problem for a long time.
o Fixed a typo in the ftpaccess manpage (What, just one? Come on!)
o Traffic counters weren't protected by TRANSFER_COUNT in some cases.
o The 'daemon' variable conflicts with a 'daemon()' function in some runtimes. Renamed.
o Missing . Gotta love Linux's grab-one-get-it-all method for defining system headers, don't ya? Grrr.
o DAEMON always includes , it was needed until VR6 removed the attempt to detach from the controlling terminal.
o main() is declared void; that's not ANSI, it's just stupid.
o routevector.c uses ulong instead of u_long. ulong doesn't exist on many systems.
o defumask caused a data alignment problem on HP-UX 10.
###########################################################################
Changes in 2.4.2-BETA-18-VR6: Released 26 August, 1998

o Fixed handling for the message clause so login and cwd= work as expected.
o The daemon responds differently in some cases when it's denying access. This could be used by attackers to determine the validity of some user names on the target system. NOTE: the 331 response for some systems, notably BSD S/Key or other challenge/response systems, may differ from the 331 response given. I don't have access to those systems to check out the differences. If you do, and work out how to hide the access refusal until after the password challenge, please forward it to me.
o The upload clause should use realpath on the home directory to be sure it matches. Otherwise, real users with /./ in their path will need their upload clause to lexically match the home directory entry in /etc/passwd. This was not a big issue until I added realuser.
o Fixed a bug with realpath, a missed condition. If chroot'd to '/' the xferlog shows '//' at the start of the filename.
o Added the ability to force all UID/GID in a range to be treated as guests. The ftpaccess clauses for this are:
   guestuser [ ...]
   realgroup [ ...]
   realuser [ ...]
o Disallow UIDs and GIDs by numeric range. This can obviate the need for /etc/ftpusers. The ftpaccess clauses for this are:
   deny-uid [...]
   deny-gid [...]
   allow-uid [...]
   allow-gid [...]
o Added 'guest-root' to select the directory based upon guest UID. The new ftpaccess clause is:
   guest-root []
o Added 'anonymous-root' to select the chroot directory based on the class of the anonymous user. The new ftpaccess clause is:
   anonymous-root []
o Missed a spot where "*" should be matched for the in an upload clause.
o Fixed a silly bug in the "rename" clause.
o Change the defaults to deny upload, and other site-modification things, for anonymous users.
o Some systems, notably Solaris, have problems with the code the standalone daemon mode used to attempt to detach from the terminal session. This was in the original patch. Upon thinking about the problem, I see no reason to keep the code around. If you need this feature, use 'nohup' to run the daemon.
o Standalone daemon mode (in VR4) missed including a header.
o Added '-VR6' to the version string in newvers.sh. This will be updated with all future versions.
###########################################################################
Changes in 2.4.2-BETA-18-VR5: Released 15 August, 1998

o Cleaned up some unneeded blank lines sent in responses.
o Added a message to show total traffic counts on the response to QUIT.
o Added file counts, corrected missed bytes, added counts to the STAT command.
o Added detail counters and ftpaccess clauses to limit the user's ability to upload/download files based on these. The new ftpaccess clauses are:
   byte-limit [] []
   file-limit [] []
o Restrict throughput for network load management. The ftpaccess clause for this is:
   throughput
o Added 'tcpwindow' to configure TCP window size for performance tweaking. The ftpaccess clause is:
   tcpwindow []
o Provided address remapping for PASV mode to allow the daemon to run behind IP-address translating firewalls (NAT). If you use this with virtual hosts, let me know how it goes; I think it works, but let me know if it needs extensions for virtual hosts. The ftpaccess clause for this is:
   passive address
o Limit PASV port ranges. The ftpaccess clause for this is:
   passive ports
o The original idea for realpath when it was included in the source kit was that it would provide missing functionality on systems where it was missing or replace existing functionality on systems where it was already present. The VR versions presume the daemon will always use the included realpath function.
###########################################################################
Changes in 2.4.2-BETA-18-VR4: Released 30 July, 1998

o Added 'defumask' to specify umask values by class in ftpaccess. The ftpaccess clause is:
   defumask []
o Added the ability to specify groups which have no password. You'll still need to SITE GPASS, but just send no password.
o Fixed possible bugs if the ftpgroup file is malformed.
o Allow numeric UID and GID values. On systems with large numbers of users and a large number of upload clauses, the daemon can take a significant period to process the ftpaccess, passwd and group files. Affected ftpaccess clauses include: upload, guestgroup and autogroup.
o The following problems were noted during testing:
   - Issuing PORT prior to login changes the state of the daemon
   - Issuing PASV after PORT does not change the mode reported by STAT
   - Illegal PORT commands change the state of the daemon
  This turned out to be two problems: PASV mode was being reset by rejected PORT commands, and PASV mode wasn't resetting the state completely after setting up a data connection.
o HELP PORT indicated only 5 bytes were needed. Six are.
o Added MAPPING_CHDIR config option to support CWD working like the cd command in most Unix shells; the PWD shown is the logical path rather than the physical path.
o Added syslog messages for more stuff. MKD, RMD, CHMOD and RNTO now log as DELE has.
o Added a new command-line option to run in standalone daemon mode. This is a win for busy sites but not the big win it could be if it pre-loaded the ftpaccess file into memory. Also, at this point, the standalone mode loses the tcpwrappers functionality which is available when running from inetd.
o The mod to realpath for VR3 wasn't complete. This was mainly visible when logging a deletion message.
###########################################################################
Changes in 2.4.2-BETA-18-VR3: Released 15 July, 1998

o Added -w and -W to enable (default, -w) or disable (-W) recording user login and logout for ftp sessions in wtmp.
o Noticing 'guestserver' made me look. There are two other undocumented ftpaccess clauses: 'lslong' and 'lsshort'. Man page updated.
o While researching 'nice' I came across an undocumented ftpaccess clause 'guestserver'. Man page updated.
o New ftpaccess clause 'nice' to adjust process priorities based upon the class. The new ftpaccess clause is:
   nice []
o The upload clause is extended to allow '*' for and so a single upload clause can work for all users. For example:
   upload /home/ftp /private/*/incoming* yes * * 640 nodirs
  can be used to create private upload areas for every user.
o The noretrieve clause is extended to mark entire directories un-gettable.
o The util/xferstats that comes with wu-ftpd 2.4 always produces a count of zero for "Systems Using Archives", because the array whose size is printed ("$systemfiles") never gets anything stored in it. Verified to exist in the current version.
o The perl script xferstats incorrectly identifies internet addresses whose host name begins with "inf" or which are only 2 components wide (e.g., "bix.com") as unresolved. I could not verify the "inf" problem, but the 2 component problem has been verified to exist in the current version.
o On the upload clause, 'no' should imply 'nodirs'. Good grief, how long has this bug been lurking about? [Ed: Since 2.1!]
o The fixes for the CD ~ problem (ALTERNATE_CD option for beta 18) break a few things. Most notably, xferlog doesn't include the full name of the file and the upload command doesn't work properly. In addition, I believe noretrieve should be based on the real file system rather than the chroot'd environment. The man page says '/' means the name is an 'absolute path specification' which I take to mean from the real file system. Discovered during testing; I had the same problem with my CD ~ fix in beta 17 so I was expecting this.
o Makefile.lnx from BETA-18 links the daemon and support programs statically. The wisdom of this is debatable at best.
o Makefile.lnx from BETA-18 presumes Bison is installed; it isn't always.
o BETA-18 had the default to disable the ALTERNATE_CD fix for the CD ~ problem. It should be enabled.
o Merged 2.4.2-BETA-18 with 2.4.2-BETA-17-VR2. What a pain; next time I have to be up and ready with CVS!
###########################################################################
Changes in 2.4.2-BETA-18: Released 6 July, 1998

o Improve the build process for Solaris.
o The response to the MKD command was not RFC 959 compliant. A number of responses given by wu-ftpd were not compliant with RFC 959. I have audited this in the software and corrected as many as I can find.
o Make some changes to the installation process for Linux.
o Fixed a case where a variable does not get properly defined if UPLOAD is not defined in config.h.
o Added more information about the impact of the existence of the shutdown message file to the NOTES file.
o The wrong error message would be returned when a write fails (during a PUT).
o Add "exit(0);" to the end of the ftpshut.c file.
o Permit the daemon to make use of the -A option to /bin/ls when on Solaris 2.
o Log information when a transfer data connection comes from somewhere other than the address of the control connection.
o Made it easier to compile on HP/UX.
o Fixed an "off by one" problem in the "limit" stanza of the ftpaccess file when specific times are specified.
o Linux releases other than RedHat 5.0 running kernels with versions greater than 2.0.31 would not compile properly.
o Solaris 2.5.1 on sparc would not correctly determine if the snprintf family of library routines were to be linked from the C library or from the support library.
o SITE CHMOD would not accept values greater than 777. Now, you can. Just define UNRESTRICTED_CHMOD in the root-level config.h file.
o Port correction for HP/UX.
o wu_logwtmp did not include the username when a logout record is written.
o On SGI, initsetproctitle causes problems. I don't have an SGI to test the fix on, but I have attempted to address it in this release.
o Fixed a problem with the STAT command when in Passive mode.
o The home directory finding routine in glob.c would not return the right stuff when the "/./" convention is used for guest users.
o Port correction for DEC UNIX.
o Made it easier to compile on AIX 4.2.
o _LARGE_FILES should not be defined for AIX 4.2 builds. I have changed the config.h file for aix to do this for AIX 4.2. I don't have AIX, so I don't know if this will work, but it's in there.
o Changed the strategy for using bigcrypt() on C2 Security on Dec OSF/1.
o NO_PRIVATE was not explicitly defined or undefined in config.h.
o Fix a problem in the output of the ftpcount command.
o Fix the "build" script to make it format the error message properly when multiple compile targets are provided.
o Corrected a documentation error in describing the impact chroot has on hard links.
o Address some misplaced or missing calls to alarm(0).
o ftpcmd.y did not have NULL checking in certain places.
o Port corrections for BSD/OS including support for BSD authentication. This should work on FreeBSD as well, but I have not altered the FreeBSD configuration to make use of this.
o ftpcount did not always work correctly due to permissions problems on the login database file that ftpd maintains.
o Fixed problems in the "limit" processing that were introduced in beta-16.
o Fixed some problems with output formatting for ftpwho.
o Added s/key support on NetBSD.
o Addressed the issue concerning what "cd ~" should do. The alternate behavior can be obtained by defining ALTERNATE_CD in the root-level config.h file.
o Fixed processing of the %U directive when the user is unknown.
o RFC 931 calls would fail due to wu-ftpd failing to bind to the correct address on multi-homed hosts.
o Fixed a problem where ftpd would exit with signal 11.
o Fixed a problem with the handling of standard error messages from programs called during the file conversion process.
###########################################################################
Changes in 2.4.2-BETA-17-VR2: Released 3 June, 1998

o Left a debugging statement in for syslogmsg in the VR1 patches.
o The fix for CD ~ broke the upload and noretrieve access-control statements and changed what was written to xferlog and the syslog. Well, actually, it didn't break the noretrieve statement, but the man page says '/' means the name is an 'absolute path specification' and I take that to mean relative to the _real_ filesystem, not the chroot'd one. Discovered when set live on my main server; I really should'a tested with more than one guestgroup.
###########################################################################
Changes in 2.4.2-BETA-17-VR1: Released 3 June, 1998

o Shutdown warnings were not given to normal (non-anonymous) users on login.
o Added 'hostname' configuration statement. Normally the server determines its host name from the system. This allows the admin to set the name on machines with several names (multihomed) where the default name is not the desired name. Manpage updated. The new ftpaccess clause is:
   hostname
o Move Linux to use the POSIX regex included with the system instead of the routines included with wu-ftpd. This allows us to define path-filter statements which allow spaces in the pathnames. For example:
   path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_.[:space:]]*$ ^\. ^-
o Somewhere along the way the upload statement was broken. The fix adds a new parameter to upload so admins can determine the permissions for any new directories permitted. New features are documented in the ftpaccess manpage.
o Add -X command-line option and syslog option to the log statement in ftpaccess. These options eliminate xferlog output and direct transfer logs to syslog instead. The new ftpaccess clause is:
   log syslog
o Prevent NOOP resetting the idle timer.
o The CD command supports ~ but gives errors when just ~ is found. Note: there are still problems with other commands which may or may not accept tilde-user notation and may or may not understand that a tilde by itself means the current user's home directory. This only affects chroot'd users.
###########################################################################
Changes in 2.4.2-BETA-17: Released 10 May, 1998

o Fix the hostacc.c introduced in beta-16. This fixes all the various alloc/free problems in the memory allocation and retains the dynamic feature introduced in beta-16.
o Remove a declaration of atol() in ftpcmd.y so that wu-ftpd will compile properly on systems that declare atol as a macro.
o Move "initsetproctitle" from one location in the ftpd.c file to another. This should fix the problems many people report on some operating systems concerning the use of command line arguments.
o Make a cosmetic fix to change what setproctitle() puts in the line returned when you do a ps from "sendmail:" to "ftpd:". This was a mistake I made when I integrated the new sendmail 8.8.7 proctitle stuff into beta-16.
###########################################################################
Changes in 2.4.2-BETA-16: Released 21 December, 1997

o The install shell script (when used on OpenServer 5) does not work correctly. Also, man pages can be installed and used with either nroff or groff, whichever is available. Groff can be obtained for OpenServer 5 from the SCO web site. So, man pages will now be installed on SCO.
o Fix some memory leaks.
o off_t is a long long on AIX 4.2. I have attempted to compensate for this in ftpd.c, but I don't have an AIX system to test on, so it may not work. This affects places where wu-ftpd wants to print the size of files or the size of transfers.
o There is a long standing problem in the code that does port checking. This bug makes it possible to exploit privileged ports on the host system or the client system (but not other systems).
o Fix a bug in the gzip2cmp utility.
o Added a number of small fixes to make it easier to compile on AIX.
o Prevent some systems from faulting when they encounter a null pointer in ftpcmd.y. Many systems already handle this, but some don't and this will insure that those are covered as well.
o Correct for differences between SecureWare on Digital Unix 3.2 and Digital Unix 4.0.
o A number of porting issues for SVR4-derived systems and Solaris 2. These are mainly centered around support for utmp/wtmp entries.
o There were spaces where there should be tabs in the Makefiles for OSF.
o Add -D_NO_PROTO to CFLAGS in the AIX Makefiles.
o The man pages should be installed mode 644 (not 755).
o Fix a number of errors in the implementation of the reply routines, especially when vprintf is not available.
o Add a NOTE that the compiler which comes with HP/UX won't work.
o HP/UX now builds with VIRTUAL as the default.
o The man page for the daemon should be installed as ftpd.1m instead of in.ftpd.1m for systems where section 1m is correct.
o Reevaluate guestgroup after autogroup.
o Dynamically allocate the ftphosts file in memory, removing the limit of 100 hosts.
o wu-ftpd can hang in "read" forever.
o Fix conflicts between some subroutine names (getline and logwtmp) in wu-ftpd and functions in glibc2.
o Fix a problem which can come up with strings which are not properly NUL terminated.
o Add a comment in NOTES that for versions of Digital Unix without C2, you have to undef SECUREOSF in the config file for Digital Unix.
o Porting correction for AIX; some minor code cleanups.
o Correct building the support library under Solaris 2 to prevent ld from getting upset.
o In ftpcount make sure the numbers listed are no lower than zero.
o Correct S/KEY support for FreeBSD.
###########################################################################
Changes in 2.4.2-BETA-15: Released 12 September, 1997

o Correct a problem in the "NLST" command that could cause a system to eat up all memory and get sluggish. This could be seen as a Denial of Service attack. I have changed the software to detect this type of attack and not permit it.
o The s/key challenge in wu-ftpd did not conform to RFC 1760.
o Porting corrections for FreeBSD.
o Porting corrections for BSD/OS.
o Fix a problem with the new, expired password support in beta-14.
o Fix virtual hosting for AIX 4.1.x.
o Fix some problems in S/KEY support. This is conditionalized since FreeBSD supports the old calling method.
o Fixed a problem in ftpcmd.y concerning correctly recognizing the PASS command in a non-case sensitive manner.
o Correct some configuration file problems when compiling for NetBSD.
o Correct a typo in fnmatch.c. Also made changes to fnmatch.c to accommodate the lack of certain flag definitions on systems that claim to be POSIX compliant. These flags are not used by the current wu-ftpd server code.
o Correct the description of the command line -o option in the ftpd man page.
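The PORT checks that several entries above call for, collected into one validation routine: the 2.4.2-BETA-16 note on port checking (privileged ports on the host or the client), the BETA-18 note on a data connection coming from an address other than the control connection's, and the VR4 testing notes (PORT before login changing daemon state, illegal PORT commands, six fields not five). This is an added example, not wu-ftpd's own code; the names port_check, parse_port_arg, PRIV_PORT_LIMIT and the result codes are assumptions, and it rejects a mismatched host outright, which is stricter than the log-only behaviour the BETA-18 entry describes.

```c
/* Added example, not wu-ftpd source. Validates the argument of an FTP PORT
 * command before the daemon changes any state. All names here are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PRIV_PORT_LIMIT 1024   /* data ports below this are privileged */

enum port_result {
    PORT_OK = 0,
    PORT_NOT_LOGGED_IN,    /* PORT before USER/PASS must not touch state */
    PORT_BAD_SYNTAX,       /* not exactly six decimal fields in 0..255 */
    PORT_PRIVILEGED,       /* requested data port is below PRIV_PORT_LIMIT */
    PORT_ADDR_MISMATCH     /* host differs from the control connection peer */
};

/* Parse "h1,h2,h3,h4,p1,p2" (RFC 959): six fields, each 0..255.
 * Returns 1 and fills addr/port on success, 0 on any syntax error,
 * including five fields (the HELP PORT mistake) or trailing junk. */
static int parse_port_arg(const char *arg, unsigned char addr[4], unsigned *port)
{
    unsigned v[6];
    const char *p = arg;

    for (int i = 0; i < 6; i++) {
        unsigned long n = 0;
        if (!isdigit((unsigned char)*p))
            return 0;                       /* empty field or non-digit */
        while (isdigit((unsigned char)*p)) {
            n = n * 10 + (unsigned)(*p - '0');
            if (n > 255)
                return 0;                   /* field out of range */
            p++;
        }
        v[i] = (unsigned)n;
        if (i < 5) {
            if (*p != ',')
                return 0;                   /* fewer than six fields */
            p++;
        }
    }
    if (*p != '\0')
        return 0;                           /* extra fields or garbage */

    for (int i = 0; i < 4; i++)
        addr[i] = (unsigned char)v[i];
    *port = v[4] * 256 + v[5];
    return 1;
}

/* Apply the checks in order. logged_in: whether USER/PASS completed.
 * peer: 4-byte address of the control connection's remote end.
 * On PORT_OK, data_addr/data_port hold the validated endpoint; on any
 * other result the caller must leave the session's transfer mode alone. */
enum port_result port_check(const char *arg, int logged_in,
                            const unsigned char peer[4],
                            unsigned char data_addr[4], unsigned *data_port)
{
    if (!logged_in)
        return PORT_NOT_LOGGED_IN;
    if (!parse_port_arg(arg, data_addr, data_port))
        return PORT_BAD_SYNTAX;
    if (*data_port < PRIV_PORT_LIMIT)
        return PORT_PRIVILEGED;             /* no bouncing onto reserved ports */
    if (memcmp(data_addr, peer, 4) != 0)
        return PORT_ADDR_MISMATCH;          /* data target must be the client */
    return PORT_OK;
}

int main(void)
{
    /* Constructed sample session: logged in, control peer 192.0.2.10. */
    const unsigned char peer[4] = {192, 0, 2, 10};
    const char *samples[] = {
        "192,0,2,10,4,1",      /* port 1025 on the client: accepted */
        "192,0,2,10,0,25",     /* port 25: privileged, rejected */
        "198,51,100,7,4,1",    /* third-party host: rejected */
        "192,0,2,10,4",        /* five fields: rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned char a[4];
        unsigned port = 0;
        printf("%-20s -> result %d\n", samples[i],
               port_check(samples[i], 1, peer, a, &port));
    }
    return 0;
}
```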
###########################################################################
Changes in 2.4.2-BETA-14: Released 14 August, 1997

o When wu-ftpd is used on Unixware, readdir in glob.c would not work as expected since the version picked up during the link is the one from the ucb library, not the regular C library. Changed the UnixWare Makefile to link the regular C library before the ucb library.
o Port for IRIX 6.3 corrected.
o Port for Unixware 2.1 corrected.
o getspnam on Unixware 2.1 is not NIS aware, so the password read from the password file should not be overwritten should the call fail.
o Removed the dependency on libc in the makefile for Linux.
o Port for AIX corrected.
o NetBSD/sparc uses an int64_t for stbuf.st_size. This means that %qu should be used for a sprintf selector instead of %lu.
o Found a problem with Solaris 2.5.1 libraries when used in chrooted mode along with a dynamically linked "ls". Sun has assigned a bugid for this problem. See the NOTES file for more on this.
o Fixed another possible problem with ABOR verb processing with OOB data.
o Using the /var/tmp directory for storing the pids is a bad idea. All configurations have been changed not to do this. This was really only an issue on System V systems and older BSD systems.
o There is a problem attempting to compile beta-13 with the Bellcore skey library. That's because it doesn't compile with that version. The version needed is the one from the logdaemon suite by Wietse Venema. I am updating the documentation to make this clear.
o It's easy for folks to get confused setting up the anonymous login and use the /./ suffix on the home directory like that used for guestgroup. When done, it will make other functions (like upload) in the ftpaccess fail to work. Processing of the two should be the same.
o Made a change to how the upload directive is parsed so that "no dirs" does allow directories to be created and "no some-other-string" does not. Previously it didn't work this way.
o A change made during the release of beta 12 changed how the upload option did filename matching to make it non-intuitive. This change has been reversed.
o Made some fixes to some of the 5XX responses associated with failed logins to comply with RFC 959.
o Correct some logic which would cause the server to send two responses to a client when passwd-check is used and the user failed to enter a "valid" password when logging in anonymously.
o The "deny" keyword when followed with a domainname glob did not work. An IP address or address glob does work on SunOS 4.1.X machines. This turns out to be an issue only if you are not running yp or if yp is not able to access DNS. To address this, I have added -lresolv to the SunOS 4.1 makefile.
o Remove HAVE_REGEX_H from the NeXTStep 3.X configuration.
o Add a NOTE about a way to set up the "chroot" directory for wu-ftpd on IRIX.
o Correct a benign syntax problem in access.c. This might cause some compilers to generate a warning.
o A number of places in the software are attempting to print out off_t values using printf selectors that can't handle the size. Use casts to work around the problem for now, but the mess should be revamped.
o Port for A/UX corrected.
o Fix some logic errors in processing the ABOR verb.
o Plug some memory leaks in the glob code.
o The argv array should be zeroed out before loading it. Also, ensure we don't spill off the end of the argv array when filling it.
o Fixed a problem in realpath that is exposed when it is called with a rooted path. It could attempt to access an uninitialized location.
o Corrected an error in the ftpaccess.5 man page concerning the path-filter example.
o Made some cleanups in the ftpaccess file in the doc/examples directory.
o Fixed a bug in some of the debugging code where syslog is called without a printf format string. This causes the daemon to crash on some operating environments.
o Added a NOTE about the conflict between using Virtual FTP and TCPWrappers.
o The passive subroutine might be vulnerable to attack because a user could attempt to start a passive connection without doing a login first. This is now checked in the passive connection.
o /usr/ucb/installbsd should be used for installation on OSF/1.
o Port correction for C2 security with Digital Unix 4.X. These changes are made to the Digital Unix configuration. C2 is on by default. "./build dec" to get this.
o Corrected problems when processing the %E macro. It becomes evident when the %E macro is used twice in an extended message. The entry information is not reset between calls. This can cause information to be printed twice.
o FreeBSD supports dirent.h, and sys/dir.h is being phased out. A change to the FreeBSD configuration header file has been made to use dirent.h in this release.
o newvers.sh was made more POSIX compliant without affecting its operation on non-POSIX systems.
o The arguments for select() under HPUX may not have the same types as those found on other systems.
o Corrected a problem when %U is used in a banner prior to the user performing a login. Before beta 14, this could cause a segmentation violation. Now, it will cause %U to print "[unknown]" since login has not been done as yet.
o Added a NOTE about Digital Unix and C2 security.
o HAVE_STATVFS should be defined in the SGI IRIX configuration file.
o Corrected a logic problem when the socket call fails when trying to open a data socket. The close() was being made anyway and this would generate a "bad file number" error since the socket never was opened.
o SPT_TYPE should be SPT_NONE for SGI IRIX to insure that the time stamps on things don't get set to GMT.
o The default umask should be 022 instead of 002.
o ftpconversions and ftpgroup parsing was in a sad state. Cleaned up.
o Dealt with expired logins (when shadow passwords are used).
o snprintf should be used now that there is a good one in the support library for those systems that don't have it, and for those that do have snprintf, it should be used where controlling the length of things is important. To that end a number of changes have been made in ftpd.c to use snprintf more widely.
o On some versions of SunOS 4.X, the size_t typedef is not pulled in with the include directives that are there. I have modified snprintf.c to include when an ANSI C compiler is used and when one is not used. Hopefully, that will catch a size_t definition. If not, let me know, but do be sure to include what OS release and what compiler you are using. Additionally, I had left "const" definitions in places where non-ANSI C compilers would encounter them. I have removed those.
o Port for SunOS 4.1.x corrected.
o Fixed an error in the ftpaccess file handling for the tar and compress keywords. If any class was permitted to use them, then any class was.
o Fixed some typos in the Makefiles: using .c where .o is correct.
o \r\n is no longer passed to setproctitle since beta-13, so it does not need to attempt to strip it.
o ftpcmd.y has an off-by-one error in checking the length of a string.
o Fixed popen.c to keep it from overflowing the argv buffer and from freeing space that was not allocated for that same argv buffer.
o Fixed access.c and ftpcount.c to address a problem in a bug fix in beta-13 that kept access limits involving days other than Any from being enforced.
o Fixed the xferstats script to allow it to work when the log involves timestamps from two years.
o Port for IRIX corrected.
o RMD and DELE should both check permissions before attempting to do anything.
o getdatasock should return the errno to the caller that caused the socket call to fail (as opposed to anything else that happens in that routine).
o FreeBSD uses for file system information used by the %F macro.
o Add a define (HAVE_GETRLIMIT) to the config.hpx for HP-UX 10.10.
o Port for Linux corrected.
o Fixed a bug in the SITE CHMOD command that would cause the server to send two replies in some cases. This could confuse some FTP clients (and is a violation of protocol anyway). This should have been in beta-13, but I missed it somehow.
o The dependencies on vers.c were not uniform in all makefiles and could cause problems with certain versions of make. All makefiles for all operating systems supported in this distribution now have an explicit dependency that should cause newvers.sh to be run if yacc was successful in building ftpcmd.c from ftpcmd.y. It will also properly stop attempting to compile anything (other than ckconfig) until this problem is fixed by the user. This can usually be done by being sure yacc is installed and in the user's PATH.
o Fixed a Y2K compliance problem in ftpcmd.y where the year would always be printed as 19XX. wu-ftpd is as Y2K compliant as it can be with this fix.
o I edited the INSTALL, README and NOTES documents in an attempt to make them clearer. I had a number of questions about "-a" and /etc/inetd.conf. People evidently don't read the README file very closely, so now I have put this information in more places than just the NOTES file. Hopefully that will stop most of these types of questions.

###########################################################################
Changes in 2.4.2-BETA-13: Released 3 March, 1997

o I noticed that setproctitle was not being called correctly in a couple of places in ftpd.c. There were not enough arguments.
o Fixed some coding problems in access.c when determining host access information.
o Added some bounds checking in ftpd when building the directory command to send to the operating system. These changes may not be portable to all platforms, since they use snprintf, but we'll give it a try.
o Port for SCO Openserver 5 corrected.
o ftpcount.c does not include stdlib.h, which will cause malloc to allocate too little space to hold st_size on FreeBSD.
o The failsafe number of fds in popen.c should be bigger than sizeof(long). I am setting it to 31. We'll see if that helps folks have fewer signal 10 or 11 errors that are unexplained.
o FreeBSD already had the fnmatch function in its C library and didn't need the version in the support library.
o Removed all references to LOG_TOOMANY, since it is no longer being actually implemented.
o Enforce FreeBSD (when this software is built on FreeBSD) concerning the logging of numeric addresses when the DNS name is larger than the UT_HOSTSIZE field.
o Removed \r\n from any string put in setproctitle.
o Made some fixes to skey support.
o Fixed some problems with the INSTALL file. There was a missing step and other problems.
o sysconf should be used to get the number of fds. This has been added to popen.c and a change has been made to config.hpx to use that. I have also tried to add this to other configurations that are documented (or are known) to support sysconf.
o There was an extra %s in one of the reply strings. This is now fixed.
o Corrected a problem in the code I put into popen.c to attempt to address an overflow problem. Too much late night coding for me :-).
o Corrected an inconsistency in the forward definition of realpath when a STDC compiler is used.
o Corrected a problem with compiling wu-ftpd on OSF. This is due to a failure in the software to include the correct include file.

###########################################################################
Changes in 2.4.2-BETA-12: Released 19 January, 1997

o The use of putchar in ftpd.c and ftpcmd.y might have side effects on argument lists when putchar is a macro. The use of putchar has been changed to putc in these files for this release.
o Made some changes to ftpcount.c to make it return more useful information when used with Solaris2 and AIX.
o Added a mechanism to permit AIX hosts to make effective use of the virtual host feature in wu-ftpd.
o FreeBSD configuration should not install the sample configuration files over previously existing ones. This release does not install them at all.
o Added additional protection for some operating systems over the protection already provided.
o Made a fix to the virtual host code that permits guest groups to continue to work.
o Made a significant security fix without which regular and anonymous users could access files as the root user.
o Made a fix to permit bad autogroup entries in the ftpaccess file to be ignored.
o The readme directive should really only apply to regular files.
o Corrected a number of problems with upload.
o Corrected an inconsistency between the documentation and how the server logs information. The server has been fixed to document guest users in the xferlog with a "g" and real users with an "r".
o Corrected an inconsistent use of #if versus #ifdef in authenticate.c.
o Fixed some bugs in the build program.
o ftpd.c should use getopt.
o Fixed a bug in how ftpcount reports classes that can have an unlimited number of users.
o All filename checking should be case sensitive.
o Fixed a bug in how the shutdown feature works. The bug is that new connections may continue to be accepted after shutdown is in effect.
o Fixed a bug in how the ftw.h file in the support directory gets included when it shouldn't be for Unixware 2.1.
o Made changes to ftpcmd.y to ensure that free() is only called when the arguments are non-null.
o Ported to AU/X 3.0.
o Fixed it so that "anonymous" and "ftp" are made to be the same as far as the server is concerned.
o Corrected a misspelling in the NOTES file.
o Corrected a bug introduced in the academ betas with the T_ASCII flag in ftpconversions. Its meaning had become reversed from what it used to be.
o Fixed a problem in the old virtual code where an illegal strcpy was being done.
o Fixed the basic problems introduced in beta-11 with the virtual host code.
  There have been no changes in how the configuration files are configured.
o The ftpgroups and ftpconversions file checks in conversions.c and acl.c should be done using an fstat after an open succeeds.
o There were places where files could or should be closed.
o Corrected some macro inconsistencies in the manual pages.
o Corrected some typos in the manual pages.
o fnmatch.c did not have the right flags defined correctly.
o Unixware 2.1 supports getrlimit. So, this is now added to config.uxw in the src/config directory.
o stderr output from ftpd when being started by inetd was problematic. These error messages now go to syslog.
o AUSCERT brought to my attention a need to check to be sure the 100 element argv array in the popen subroutine is not overflowed. This is now done.
o Subsequent file requests couldn't be aborted correctly.
o Prevented a possible overflow problem when processing the SITE CHMOD and SITE UMASK commands. The server did not check for overflow conditions.
o STAT was using a 211 response when a 213 is probably better.
o RFC 1127's suggestions are not being followed by this server.
o Subsequent file upload requests couldn't be restarted correctly.
o Having the debug mode log passwords is not good.
o Corrected a typo on one of the URLs in the NOTES file.
o When a null is sent to the server, it should ignore it but was treating it like EOF. Now it does ignore it.
o Corrected errors in the ftpd.8 manual page.
o Made some adjustments for making better use of available library routines in Unixware 2.1.
o Solaris 2.X does support getrlimit. Changed config.sol to make use of it.
o Ported to Digital Unix 3.2 with C2 Security.
o There were some instances in ftpcmd.y where values could be NULL. This would cause segmentation violations on many flavors of Unix.
o Fixed a bug in processing "SITE CHMOD 0". The command didn't work and the server didn't give a reply.
o Linux 2.0 (actually libc 5.3.12) changed the way that directory manipulation was done.
  The problem was that glob.c would not compile on Linux 2.X systems. Ensured that Linux 1.X users would still be able to use this on their systems.

###########################################################################
Changes in 2.4.2-BETA-11: Released 15 April, 1996

o The manual pages for ftpaccess.5 and ftpd.8 have been modified. ftpd.8 now documents the previously undocumented "-u umask" option. ftpaccess.5 now clarifies the fact that the root-dir specified in the upload configuration line MUST match the home directory in the operating system password database.
o Fixes for the optional shadow password file support for Linux.
o The configuration file for Solaris specified the MAXHOSTNAMELEN before it was possible to check to see if it was defined, and this caused spurious (and benign) error messages to be generated.
o The file size in BSDI 1.1 is a long, not a quad_t. This means that the conversion argument should not be qd for sprintf's involving this variable.

###########################################################################
Changes in 2.4.2-BETA-10: Released 15 March, 1996

o Made some changes for AIX that I can't verify since I don't have AIX.
o Added a number of small changes for FreeBSD.
o Modified support for virtual domains. Modified the VIRTUAL.FTP.SUPPORT support file and the man pages to reflect this change.
o Added back an idle timeout routine that appears to compile cleanly on all the systems I test on.
o Fixed some configuration problems for Linux.
o Fixed the output of the "site help" command to return the email address listed in the "email" entry from the ftpaccess file (if available).
###########################################################################
Changes in 2.4.2-BETA-9: Released 23 January, 1996

o Two changes to popen.c: in the child process, the port attached to the ftp protocol port is now closed before exec(); in the child process, the effective user and group ids are set as the real user and group ids prior to exec().
o The "nodirs" option of the upload directive in an ftpaccess file is now fixed and actually works.
o Added endgrent() to access.c, private.c and extensions.c to ensure the /etc/group or ~ftp/etc/group file is closed after it is used. Fix suggested by CERT.
o Moved openlog() in ftpd.c up closer to the beginning of the program. Fix suggested by CERT.
o Fixed all the support makefiles to build vsnprintf in the support library since most systems do not have it. I have left it out of systems that I know do have the real library routine (all BSD 4.4-Lite based OSes have this).

###########################################################################
Changes in 2.4.2-BETA-8: Released 5 December, 1995

o Overhauled reply, lreply and setproctitle to make appropriate use of varargs or stdargs as appropriate.
o Added some FAQ references in the README file.
o Added HAVE_GETRLIMIT and changed config files to support it where available in preference to HAVE_GETDTABLESIZE, which is now obsolete.
o Added HAVE_SETPROCTITLE as a possible define to include the setproctitle() library routine from the system if it is available.
o Added a differentiator so that the BSDI 1.X setproctitle() library routine is not used since it appears to be buggy.
o Made a number of changes for BSD/OS.
o Lowered optimization level from O3 to O2 for AIX.
o Added some information in NOTES for adding shadow support under Linux.
o Added some fixes for the use of sys_siglist. HAS_SIGLIST must be defined for this to be used.
o Added some fixes for CPP processing problems with Digital Unix.
###########################################################################
Changes in 2.4.2-BETA-7: Released 23 October, 1995

o Support for Hitachi Unix variant added.
o Changes in the configuration files for BSD/OS to accommodate a bug in the sprintf inherited from BSD 4.4 Lite. (Affects FreeBSD, NetBSD and BSD/OS.)
o Addition of a cookie '%u' to extensions.c which will show the RFC931 remote username when available. I somehow like it to have the remote user see we take the 'all actions are logged' line seriously.
o Support for SCO added.
o Corrected the diagnostics from the randomsig subroutine.

###########################################################################
Changes in 2.4.2-BETA-6: Released 15 October, 1995

If you have an original copy of 2.4.2-BETA-6, the WU-FTPD Development Group would like a copy.

o Added virtual ftp server support.
o Added some AIX patches.
o Added some notes concerning skey support in the NOTES file.
o Config files for BSD 4.4-based OSes added.
o Closing some file descriptors before exec in ftpd_popen (popen.c).
o Missed changes to fnmatch in access.c.
o Fixed ftpconversion problems when gzcating plain files.

###########################################################################
Changes in 2.4.2-BETA-5: Released 11 July, 1995

o Fixed ftpcmd.y parser for a bug that has been present since the release of the NET-2 ftp daemon. Multiple 500 lines are not returned when certain bad commands are presented to the server.
o Changed build to make the tar file create a directory that is the current release name and unpack into that newly created directory relative to the current directory.
o Keep wu-ftpd from hanging when trying to use ident to identify someone.
o More fixes to the config.hpx file for HP-UX.

###########################################################################
Changes in 2.4.2-BETA-4: Released 29 June, 1995

o Replaced a large part of the noretrieve subroutine in extensions.c.
o Fixes for HPUX.
o Fixed up the Makefiles for SunOS 4.1.X to make use of the dynamic load library correctly. This should probably be reworked to only use static linking, but that will be looked at another time.
o Fixed some more bad NULL versus '\0' problems in ftpd.c and realpath.c in the src directory.

###########################################################################
Changes in 2.4.2-BETA-3: Released 18 June, 1995

If you have an original copy of 2.4.2-BETA-3, the WU-FTPD Development Group would like a copy.

o Created the NOTES file and revised the README and INSTALL documents.
o Fixed some minor source code casts that the SunPro C compiler was complaining about. Files affected (all in the src directory) are: ftpcmd.y, realpath.c, private.c, logwtmp.c, ftpd.c, extensions.c
o Revised the LINUX support to conform to LINUX 1.2.8 with gcc 2.6.3 from the Slackware distribution.

###########################################################################
Changes in 2.4.2-BETA-2: Released 18 June, 1995

This version merged much of the functionality of 2.4-hobbit into Stan's baseline. If you have an original copy of 2.4.2-BETA-2, or 2.4-hobbit, the WU-FTPD Development Group would like a copy.

o Removed the timeout patch from Dan Thorson that was in BETA-1. However, it will be back in a future beta.
o Lifted from the Debian wu-ftpd-2.4-4 release with little or no change:
    doc/ftpaccess.5
    doc/ftpd.8
    config/config.lnx
    config/config.s41
    src/access.c
    src/acl.c
    src/ftpcount.c
    src/ftpshut.c
    src/hostacc.c
    src/logwtmp.c
o build: added a kludge for enabling these changes, by spawning a shell. Added specific support for FreeBSD 2.0. Also, copy the Makefiles and config.h instead of hardlinking them, so that edits don't trash the original copies!
o support/authuser.c: limit sscanf() of identd strings.
o support/makefiles/*: minor changes to a couple of system-specific Makefiles.
o extensions.c: [Debian -- "noretrieve" ACL keyword handler, NULL fixups]
o extensions.c: Fix losing null dereference in Debian checknoretrieve().
o extensions.c: #ifdef PARANOID -- disallow file deletion completely.
o ftpcmd.y: [Debian -- "bison" patch for linux just moved some decls around]
o ftpcmd.y: check PORT command against a bunch of things: being logged in, the client's source address, and the actual port number 1024 or greater.
o ftpcmd.y: require login before various other things work: PASV, RNTO
o ftpcmd.y: #ifdef PARANOID -- disable, trap, and log all SITE commands. Comments withheld about the lineage of whoever cooked up *that* gem.
o ftpd.c: [Debian -- support "noretrieve" ACL keyword; misc NULL fixups]
o ftpd.c: preload assorted variables with reasonable values. Globalize guestpw and authuser and update them so all routines can access them for correct logging.
o ftpd.c: disallow "re-login".
o ftpd.c: #ifdef ANON_ONLY -- only allow anonymous logins. Designed for the ftpd you hang out on your external machine.
o ftpd.c: various places -- if told not to use the "ftpaccess" file, genuinely don't use routines that deal with it at all. [May save some of our butts when someone finds a bug in the extensions code!]
o ftpd.c: #ifdef SKEY, added s/key functionality. The challenge emerges where the "Password required for username" response is normally sent.
o ftpd.c: add endspent() to the shadow code, per Marek M.
o ftpd.c: Flag attempts to exploit the trojanized 2.2c version.
o ftpd.c: #ifdef STUPID_SPRINTF -- break up big "sprintf" for xferlog into two pieces. On some systems, sprintf is BROKEN. If you're using xferlog and your ftpd crashes right after a transfer, you probably need this.
o ftpd.c: #ifdef PARANOID, disable file overwriting, with either "put" or "rename".
o ftpd.c: Fix an ACL bug in renamefrom(). Doing two renames in a row would bypass the setting in the ACL file.
o ftpd.c: call realpath() to get current wd.
o ftpd.c: close data ports upon exiting, and close old PASV port if told to open a new one.
o newvers.sh: include tiny little advertisement.
o makefiles/Makefile.lnx: Mostly Debian; add -static, remove -DDEBUG, put in the "bison fix".
o makefiles/Makefile.fbs: Add for FreeBSD 2.0; slight mod of "bsd".
o config/config.fbs: config.h for FreeBSD 2.0. Contains a hack to work around the fact that FreeBSD stdlib.h comes with a realpath() and the define in ftpd.c conflicts with it.
o config/config.lnx: Debian version, with the same realpath() hack added. Linux has trouble with this too, but in unistd.h. Put "realpath" back into SRCS and OBJS definitions.
o pathnames.linux: From Debian. Use this as a starting point for customizing pathnames.h on linux. A remaining deficiency is that NONE of the sources even *try* to reference the /usr/include/paths.h that many systems now have.
o Version bumped to 2.4.2; no reason given but we can safely presume the reason was the confusion in version names in Stan's earlier releases.

###########################################################################
Changes in 2.4.1-BETA-1: Released 13 May, 1995
AKA 2.4.1-BETA
AKA 2.4.2-BETA-1

This version was announced and released as wu-ftpd-2.4.1-beta-1.tar, but other emails, and internal notes in later versions, refer to this version under all three names interchangeably. If you have an original copy of 2.4.1-BETA-1, the WU-FTPD Development Group would like a copy.

o Added changes for Solaris 2.4 compatibility. Changed the flag from SOLARIS21 to SOLARIS and made the changes generic for all releases of Solaris.
o Added changes for UnixWare 4.2 compatibility. Added Makefiles and config.h header files.
o Added ftruncate support routine for machines that don't have ftruncate, but do have the chsize call.
o Added a timeout patch created by Dan Thorson at Seagate to keep the server from creating a zombie process when a PASV client never actually connects.
  NOTE: This patch is commented out since I could not get it to work correctly and I hope someone will be able to fix this before we go to release. There was also another timeout patch that may be more suitable. Comments are welcome.
o Added patches to hostacc.c to ensure that memory dynamically allocated with malloc() is not free()d more than once. Patch from Jaakko Hyvatti.
o Split the support/strcasestr.c into two files: strcasestr.c and strstr.c, and altered the Makefiles to include the appropriate libraries in the support library.
o Stan Barber took over stewardship of the daemon using 2.4-academ as the baseline for future development on 6 May, 1995. This ended a 13-month period where there was no maintainer at all!

###########################################################################
Changes in 2.4-academ: Release date lost in the mists of time
AKA 2.4.1-academ

It is unknown whether Stan ever publicly released this version under either name. Emails, and internal notes in later versions, refer to this version under both names interchangeably. If you have an original copy of 2.4-academ, or 2.4.1-academ, the WU-FTPD Development Group would like a copy.

o Ported to BSDi.
o Changed the fnmatch.c program in the support directory to return values that corresponded with the manual page. This was not necessary to support BSDi since it has its own fnmatch, but this makes it possible for other platforms to make use of these changes transparently.
o Changed the access.c program to do a case-insensitive search on the hostname without using fnmatch. This option is not supported by the bsdi or bsd-net2 fnmatch subroutine.
o Changed all uses of fnmatch in the src directory to use the correct return values.
o Added pathnames appropriate to bsdi to the pathnames.h file in the src directory. These are bracketed by appropriate #ifdef/#endif blocks.
o Changed the root level makefile to copy files when installing them instead of moving them.
o Created a set of root level makefiles for each supported platform. This will allow the ftpd to be installed exactly over the OS-based makefile if used generically.

###########################################################################
Changes in 2.4: Rereleased on 6 January, 1997

o Documentation update to point to the new address for the list server at Washington University at Saint Louis.
o Corrected documentation error: this is version 2.4 not 2.2.
o Prevent reception of SIGURG from resulting in a resumption back to the main program loop.

###########################################################################
Changes in 2.4: Rereleased on 13 November, 1995

o Documentation update to point toward Stan Barber as the maintainer of WU-FTPD.

###########################################################################
Changes in 2.4: Released on 13 April, 1994

o This marks the end of Bryan D O'Connor's tenure as principal developer. With his graduation, grants funding development were not renewed.
o Removed some race conditions.
o Fixed a spelling mistake.
o Now uses sys/syslog.h on Ultrix systems.

###########################################################################
Changes in 2.3: Released on 4 April, 1994

o Bump the version number to avoid confusion with the Trojan version.

###########################################################################
Changes in 2.2: Released on 1 April, 1994

o Fixed a bug in path processing of SITE EXEC commands.
o Rewrote parts of the private.c parsing routine, fixing problems with overloading the definition of gid_t.
o Added support for class lists in a separate file.
o Changed a couple of occurrences of stat() to lstat() in delete() and renamefrom().
o Changed #ifdef LOG_LOCAL7 to #ifdef FACILITY in ftpd.c.

###########################################################################
Changes in 2.1f: Released 25 March, 1994

o Fixed NeXT config problem with NGROUPS_MAX.
o Fixed multiple response bug with ftp|anonymous in /etc/ftpusers file.
o Fixed BUS ERROR on upload on Sun 4.1.x systems.

###########################################################################
Changes in 2.1e: Released 24 March, 1994

o Fixed class determination code from failing after a failed attempt.
o Moved ACCESS DENIED syslog messages to LOG_NOTICE from LOG_INFO.
o Fixed problems with NFS and server running as root.
o Fixed problems with APPEND/OVERWRITE.
o Patched SCO files to work with 3.2.4.
o Fixed problems with uid/gid's.
o Changed upload examples in ftpaccess.5 to be correct.
o Allow for escaped #s in the ftpaccess file.
o hostacc.c patches.
o ftpshut.c: fixed file open problem when shutdown not defined.
o Added acl_remove() to fix problems with dangling PIDs in PID files.
o Fixed bug with real users > limit hanging clients.

###########################################################################
Changes in 2.1d: Release date lost in the mists of time.

If you have an original copy of 2.1d, the WU-FTPD Development Group would like a copy.

o The changes for 2.1d were lost.

###########################################################################
Changes in 2.1c: Released on 25 August, 1993

o Fixed stupid bug with non-initialized pointers in *_check() functions.

###########################################################################
Changes in 2.1b: Released on 16 July, 1993

o Append now works again. A previous fix that solved files not getting truncated properly had broken it.
o Double conversions were not working properly for some conversions.
o Minor HP-UX portability problems corrected.
o Minor Host Access case sensitivity bug fixed.
o syslog after chroot fixed for SunOS by addition of a TCP version of the syslog functions. (It is syslog.c in the support directory.)
o Data General support added.
o ISC support added.
o Added "rename " option to prevent renaming files.
o Fixed unsigned int comparisons to -1.
o Added ckconfig program for checking proper locations of config files.
o Changed syntax of "upload" command to include to which ftp hierarchy it pertains.
o Fixed some documentation errors.

###########################################################################
Changes in 2.1a: Released on 27 May, 1993

o Tabs were put back into the Makefiles for AIX.
o acl_join() did not open the pid file if pidfd was invalid.
o acl_join() did not unlock the pid file if the user was already in there.

###########################################################################
Changes in 2.1: Released on 12 May, 1993

o Replaced xferstats.
o Default was to not allow uploads ever. This is backwards: if no upload keywords are given, it should act like a normal server.
o Double conversion stuff works now, but you know that already. Included is a gzip2comp (in util) for converting from gzip format to compress.
o cwd_beenhere() now calls realpath(".", cwd) to figure out the path. This works for people in directories that are private. That is, some component of their path is not readable by them. (cwdir() fails in such a case.)
o In an upload command, trying to set a file mode of 0000 would fail. This is now possible.
o makedir() did not work properly for real users. This has also been fixed.
o Fixed up support for NeXT and other systems. I cannot test these things, so there are bound to be problems.
o In getgrent.c, removed the need for getgrent.c from the support library. This caused problems with systems running yellow pages (NIS). All gids in the private file are now parsed before the chroot(). This gives us one less open file descriptor.
o For upload/truncate, STORE was not properly truncating files when overwriting them.
o Upload failing with directories in makedir/put commands: STORE and MAKEDIR were failing when giving full path names.
o Multiple process ids were written into the pid-files when a failed login attempt was made. This caused problems with usage counts.
o Added the %E magic cookie which gets replaced with the "email" string from the ftpaccess file.
o For the %F magic cookie: added trivial support for Solaris 2.1 (at least). If you fix this for your system, send me a patch.
o The %N magic cookie did not work after the chroot(). The pid file has to remain open for the duration of the server's life now in order for this to work.
o In support/paths.h, removed the need for this file. It caused more problems than it was worth. The two #defines that were used were moved to src/pathnames.h
o upload * no dirs: you can now specify a directory that does not allow uploads but does allow the creation of directories.
o You can now get a listing of what aliases are available. At the ftp prompt type "quote site alias".
o You can now specify a cdpath (like the csh variable).
o You can specify an email address for the maintainer of the archive. This string will be used for the %E magic cookie.

###########################################################################
Changes in 2.0: Rereleased on 12 April, 1993

o Changed support/ftp.h to use the BSD copyright and remove the DEC copyright. DEC's version was just a copy of BSD's.

###########################################################################
Changes in 2.0: Released on 8 April, 1993

o guestgroup access no longer needs an entry in the secondary passwd file (~ftp/etc/passwd). The home directory is now specified as "root/./home". For example:

      ftptest::100:200:Guest User:/var/ftp/./incoming:/etc/noshell

  When ftptest logs in, it will chroot to /var/ftp and then chdir to /incoming (which is actually /var/ftp/incoming before the chroot). Since the directory in /etc/passwd actually points to the guest's home directory, they can use .forward files, etc.
o ftpshut program generates shutdown file for ftp server. Works similarly to shutdown(8). See ftpshut(8).
o The conversion table has been moved to a separate file.
  The fields are: %s:%s:%s:%s:%s:%s:%s:%s

      Field   Description
      1       strip prefix
      2       strip postfix
      3       addon prefix
      4       addon postfix
      5       external command
      6       types
      7       options
      8       description

o Added the following abilities configurable in the ftpaccess file. See ftpaccess(5).
      chmod
      delete
      overwrite
      umask
      upload
      passwd_check {}
      alias
      path_filter { ...}
o ftpcount no longer displays multiple listings for classes that have multiple "class ..." lines.
o Bryan D O'Conner took over as the principal developer for Release 2. This ended a 19-month period where no updates were released. At this time the name was also shortened from wuarchive-ftpd to wu-ftpd. Bryan used BSD ftpd version 5.60 as his base, merging the changes from the earlier BSD ftpd Chris used. BSD ftpd version 5.60 was the version included in the "Final BSD Release". UUnet Technologies maintains a full copy of the final BSD release at ftp.uu.net.

###########################################################################
Changes in 1.1: Released 23 September, 1991

This was an interim release of wuarchive's modified FTP server. It is believed to be the first public release of the daemon. There are indications of attempts to track BSD versions, through BSD 6.14, but internal information in the releases led me to believe these were local to the FTP site we found them at, and not official releases from Chris Myers.

o The changes for 1.1 were lost. Most likely they were to merge the changes from the BSD version he first used (probably 5.59) and 5.60, or they were minor bug fixes which Chris felt no need to discuss since 1.0 had not been publicly released.

###########################################################################
Changes in 1.0: Believed not to have been publicly released.

This is believed to have not been publicly released, but was the original version used to implement wuarchive.wustl.edu; the success of this version appears to have prompted the public release of version 1.1 after some minor corrections.
If you have an original copy of 1.0, the WU-FTPD Development Group would like a copy. Probable release dates are between 3 December, 1990, and 23 September, 1991.

o Some older clients cannot handle multi-line replies. These can be disabled on a per-connection basis by using a dash (-) as the first character of the user's password.
o Added ftpaccess control file. The following commands are available:
      limit class { }{ }{ }
      deny
      loginfails
      log transfers
      log commands
      readme {}
      message {}
      banner
      private
      guestgroup [ ...]
      autogroup [ ...]
      compress [ ...]
      tar [ ...]
      shutdown
  Refer to the CHANGES file in the release for a full description of these new features.
o Added the following command-line options:
      -a   Enable use of ftpaccess file (access file MUST exist if used)
      -A   Disable use of ftpaccess file
      -L   Turn on command logging (See note. Overridden by ftpaccess, if used)
      -i   Turn on file reception logging (overridden by ftpaccess, if used)
      -o   Turn on file transmission logging (overridden by ftpaccess, if used)

  NOTE: If the -L flag is used, command logging will be on by default as soon as the ftp server is invoked. This will cause the server to log all USER commands, which, if a user accidentally enters a password for that command instead of the username, will cause passwords to be logged via syslog. The -L flag is overridden by the ftpaccess file, if it is used -- command logging options in the ftpaccess file take effect IMMEDIATELY upon entry of the USER command (before logging takes place).
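The precedence described in the NOTE above (ftpaccess settings override the -L/-i/-o flags when the file is in use) is what a configuration audit has to reproduce to know whether USER arguments, and therefore mistyped passwords, end up in syslog. The following is an added example, not code from the CHANGES file or from wu-ftpd; the functions, the sample ftpaccess fragment and the directive arguments (a "log commands" line enabling command logging, "log transfers ... inbound,outbound" selecting directions) are assumptions made for the example, since the text above lists the directives without their arguments.

```python
"""Added example (not wu-ftpd code): derive the effective logging of an ftpd
invocation from its 1.0-era command-line flags and its ftpaccess file.

Reading of the NOTE above: when ftpaccess is in use (-a), its "log" lines
define what is logged and the -L/-i/-o flags are ignored; without -a the
flags stand.  Directive arguments are assumed, not taken from the page."""

# Constructed sample ftpaccess fragment (assumed directive syntax).
SAMPLE_FTPACCESS = """\
# ftpaccess (constructed sample)
log commands anonymous,guest
log transfers anonymous,real inbound,outbound
"""


def parse_flags(argv):
    """Interpret the command-line options listed in the 1.0 notes."""
    cfg = {"use_ftpaccess": False, "commands": False,
           "inbound": False, "outbound": False}
    for arg in argv:
        if arg == "-a":
            cfg["use_ftpaccess"] = True
        elif arg == "-A":
            cfg["use_ftpaccess"] = False
        elif arg == "-L":
            cfg["commands"] = True
        elif arg == "-i":
            cfg["inbound"] = True
        elif arg == "-o":
            cfg["outbound"] = True
        else:
            raise ValueError("unknown option %r" % arg)
    return cfg


def parse_ftpaccess_logging(text):
    """Return the logging enabled by "log ..." lines of an ftpaccess file.

    Assumed syntax: "log commands <typelist>" and
    "log transfers <typelist> <directions>" with directions a comma list of
    inbound/outbound (both when omitted).  Comments start with '#'."""
    found = {"commands": False, "inbound": False, "outbound": False}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "log":
            continue
        if words[1] == "commands":
            found["commands"] = True
        elif words[1] == "transfers":
            dirs = words[3].split(",") if len(words) > 3 else ["inbound", "outbound"]
            found["inbound"] = found["inbound"] or "inbound" in dirs
            found["outbound"] = found["outbound"] or "outbound" in dirs
    return found


def effective_logging(argv, ftpaccess_text=None):
    """Combine flags and ftpaccess into the logging the server will do.

    Also reports whether syslog must be treated as password-bearing: with
    command logging on, every USER argument is written to syslog."""
    cfg = parse_flags(argv)
    if cfg["use_ftpaccess"]:
        if ftpaccess_text is None:
            # "-a" requires the access file to exist.
            raise ValueError("-a given but no ftpaccess file supplied")
        result = parse_ftpaccess_logging(ftpaccess_text)
    else:
        result = {k: cfg[k] for k in ("commands", "inbound", "outbound")}
    result["syslog_may_contain_passwords"] = result["commands"]
    return result


if __name__ == "__main__":
    print(effective_logging(["-L"]))
    print(effective_logging(["-a", "-o"], SAMPLE_FTPACCESS))
```

The point of the last field is operational: if command logging is on by either route, the syslog destination should get the same access controls as the password file, because the NOTE above says exactly how credentials can land there.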
o There are some extensions to the FTP server such that if the user specifies a filename (when using a RETRIEVE command) such that:

      True Filename      Specified Filename    Action
      ------------------ --------------------  ---------------------------------------
      .Z                                       Decompress file before transmitting
                         .Z                    Compress before transmitting
                         .tar                  Tar before transmitting
                         .tar.Z                Tar and compress before transmitting

o The FTP server will attempt to check for valid e-mail addresses and chide the user if he doesn't pass the test. For users whose FTP client will hang on "long replies" (i.e. multiline responses), using a dash as the first character of the password will disable the server's lreply() function.
o The FTP server can also log all file transmission and reception, keeping the following information for each file transmission that takes place.

      Mon Dec 3 18:52:41 1990 1 wuarchive.wustl.edu 568881 /files.lst.Z a _ o a chris@wugate.wustl.edu ftp 0 *
      %.24s                   %d %s                  %s     %s           %c %s %c %c %s                      %s  %d %s
      1                       2  3                   4      5            6  7  8  9  10                     11  12 13

       1  current time in the form DDD MMM dd hh:mm:ss YYYY
       2  transfer time in seconds
       3  remote host name
       4  file size in bytes
       5  name of file
       6  transfer type (a>scii, b>inary)
       7  special action flags (concatenated as needed):
            C  file was compressed
            U  file was uncompressed
            T  file was tar'ed
            _  no action taken
       8  file was sent to user (o>utgoing) or received from user (i>ncoming)
       9  accessed anonymously (r>eal, a>nonymous) -- mostly for FTP
      10  local username or, if guest, ID string given (anonymous FTP password)
      11  service name ('ftp', other)
      12  authentication method (bitmask)
            0  none
            1  RFC931 Authentication
      13  authenticated user id (if available, '*' otherwise)

o Chris Myers was the original author of wuarchive-ftpd. He based his work upon the University of California, Berkeley, (BSD) ftpd, most likely version 5.59. The WU-FTPD Development Group has BSD ftpd versions 5.51 and 5.60 (both found at the UUnet FTP site).
  An analysis of these versions shows Chris Myers used a version somewhere between them; most likely 5.59. If you have an original copy of BSD ftpd between these versions, dated between 8 May, 1989, and 12 April, 1991, we would like to examine a copy.

###########################################################################

In the beginning there was the void. And BSD said ...
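To close, an added example for the 13-field transfer log documented in the 1.0 notes above. It is not part of the CHANGES file or of wu-ftpd; the parser, its field names and the helper functions are the example's own, and the sample records are constructed (the first is the line quoted in that note, the other two are made up, one with a space in the file name). The one property the parser relies on is visible in the field list: field 1 is a 24-character ctime() timestamp that splits into five whitespace tokens, fields 6 to 13 never contain spaces, so the file name (field 5) is whatever is left in the middle.

```python
"""Added example (not wu-ftpd code): parse the 13-field transfer log described
in the 1.0 notes and pull out the records a reviewer usually starts with."""
from collections import defaultdict

# Constructed sample log.  Line 1 is the record quoted in the CHANGES text;
# lines 2 and 3 are made up (an anonymous upload whose file name contains a
# space, and an RFC931-authenticated tar+compress download by a real user).
SAMPLE_XFERLOG = """\
Mon Dec  3 18:52:41 1990 1 wuarchive.wustl.edu 568881 /files.lst.Z a _ o a chris@wugate.wustl.edu ftp 0 *
Mon Dec  3 19:04:10 1990 12 host.example.net 2048 /incoming/my notes.txt b _ i a nobody@example.net ftp 0 *
Mon Dec  3 19:10:02 1990 3 host.example.net 90112 /pub/tool.tar.Z a TC o r ftptest ftp 1 ftptest
"""

# Names chosen for this example, in the order of fields 1..13 above.
FIELD_NAMES = ("time", "transfer_secs", "remote_host", "size", "path",
               "type", "flags", "direction", "access", "user", "service",
               "auth_method", "auth_user")


def parse_xferlog_line(line):
    """Split one record into a dict keyed by FIELD_NAMES.

    Tokens 0-4 are the ctime() timestamp (weekday month day time year),
    tokens 5-7 are transfer time, host and size, the last eight tokens are
    fields 6-13, and everything between is the file name, rejoined with
    single spaces (the log itself separates fields with single spaces)."""
    tokens = line.split()
    if len(tokens) < 5 + 3 + 1 + 8:
        raise ValueError("short xferlog record: %r" % line)
    date = " ".join(tokens[:5])
    transfer_secs, remote_host, size = tokens[5:8]
    path = " ".join(tokens[8:-8])
    (type_, flags, direction, access,
     user, service, auth_method, auth_user) = tokens[-8:]
    if type_ not in ("a", "b") or direction not in ("o", "i") or access not in ("r", "a"):
        raise ValueError("unexpected single-character field in record: %r" % line)
    values = (date, int(transfer_secs), remote_host, int(size), path, type_,
              set(flags) - {"_"},        # "_" means no special action
              direction, access, user, service, int(auth_method), auth_user)
    return dict(zip(FIELD_NAMES, values))


def parse_xferlog(text):
    return [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]


def anonymous_uploads(records):
    """Files received (field 8 == 'i') in anonymous sessions (field 9 == 'a'):
    the records to review first on a server with a writable incoming area."""
    return [r for r in records if r["access"] == "a" and r["direction"] == "i"]


def bytes_by_host(records):
    """Total bytes moved per remote host, for spotting unusual volume."""
    totals = defaultdict(int)
    for r in records:
        totals[r["remote_host"]] += r["size"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for r in anonymous_uploads(recs):
        print("anonymous upload:", r["remote_host"], r["path"], r["user"])
    print(bytes_by_host(recs))
```

Because field 10 carries whatever an anonymous client sent as its password, treat that value as untrusted input when it is displayed or fed to other tools, exactly as the file name in field 5.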