Frequently Asked Questions about wu-ftpd, with answers
(http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.html)

This article contains the answers to Frequently Asked Questions (FAQ) concerning the wu-ftpd software. To submit questions (preferably with an answer) send email to: wu-ftpd-faq@pizza.hvu.nl.

If you wish to get the latest version of this file, it is available as
Via WWW :
Via FTP :
And via E-mail : Send an e-mail to wu-ftpd-faq@pizza.hvu.nl with the subject line "send faq".

Comments : this version still lacks details about certain operating systems. Comments about those are welcome.
_________________________________________________________________

1. Contents of this FAQ

1. Contents of this FAQ
2. What is this document
3. What is wu-ftpd itself and this mailing list in particular ?
   1. How do I subscribe/unsubscribe ?
   2. Is this list archived anywhere ?
   3. What are related documents ?
   4. Are there any alternatives ?
4. Where do I get the wu-ftpd ?
   1. Where do I get the updated version ?
   2. What are the VR patches for wu-ftpd ?
   3. What is BeroFTPD ?
5. Compiling the wu-ftpd
   1. cc complains about strunames, typenames, modenames, .. being undeclared.
   2. I don't have yacc
   3. wu-ftpd doesn't 'see' that users are in multiple groups.
   4. I get "conflicting types for `realpath'"
   5. wu-ftpd doesn't use the shadow passwords on my Linux machine.
   6. It doesn't compile at all on newer Linux installs. The error is :
   7. The timezone in the xferlog is wrong
   8. The timezone in the ls output is wrong
   9. Digital Unix doesn't log commands after an anonymous user logs in
   10. install fails with 'install: ..'
   11. Digital Unix (The Unix Formerly Known As OSF/1) and Enhanced C2 security,
   12. It doesn't compile at all on Digital Unix, errors about struct timeval
   13. What should I do to be able to use wu-ftpd in a HP-UX 10.01
   14. What should I do for HP-UX 10.10 to make it work completely.
   15. Installation notes for HP-UX 10.20.
6. Special compilation options/fixes
   1. I need to authenticate real users via AFS
   2. I need to use S/KEY authorisation
   3. I want to block certain default addresses (IE30User@, mozilla@)
7. Installing the wu-ftpd
   1. Command-line options for wu-ftpd
   2. Testing on a different port number than ftp
   3. Not all command line parameters seem to be used by wu-ftpd
8. Are there year 2000 issues with wu-ftpd?
9. The ftpaccess file
   1. Some files (banners, etc) don't get shown to anonymous users.
   2. What is the exact format of the parameter in the "limit"
   3. What tools are there to check the configuration
   4. Why does %M produce (Max unlimited) on the login banner
10. Programs (ls, gzip, tar) work for real users, not for anonymous users, giving errors like 425 Can't create data socket (0.0.0.0,20): Bad file number or simply no output.
   1. Solaris
   2. Building a statically linked ls for Solaris fails
   3. Linux
   4. Dec OSF
   5. SunOS4.1.x
   6. AIX
   7. IRIX (5.3, 6.2)
   8. SCO Unix
   9. BSD vs SVR4 ls
   10. It worked, until I upgraded the operating system.
11. Running wu-ftpd
   1. ftpd always says "221 Server shutting down. Goodbye."
   2. Anonymous ftp works fine, but real users are denied access
   3. ftpconversions doesn't work
   4. On-the-fly compression works, on-the-fly tarring, but not both.
   5. I want to use zip compression (InfoZip)
   6. I want a real user to be able to access the host only via ftp, not via telnet
   7. Somebody uploaded a file with a weird name
   8. I want anonymous users to be able to upload files, but in the most secure manner possible
   9. The default umask used when a real user uploads a file is wrong
   10. I heard something about 'SITE EXEC' having a security hole
   11. How do I make reports more readable ?
   12. Incoming file transfers fail with SunOS and an NFS mounted incoming
   13. Normal ftp clients work, Netscape ftp's fail. So, passive mode doesn't work.
   14. I made a symbolic link within the anonymous tree and it doesn't work for the anonymous users.
   15.
I want to redirect anonymous users to another machine
   16. ftpd stops accepting connections when a lot of connections come in.
   17. Running wu-ftpd on a *large* site
   18. Only the first 8 characters of the anonymous username are received by the server.
   19. wu-ftpd fails with '500 Illegal PORT Command' under AIX 4.3
   20. I want to host multiple ftp servers on the same machine
   21. I just upgraded and now nobody can log in. It worked before.
12. Other things
   1. Where is the FTP protocol documented ?
   2. How can I make my ftp-archive accessible by E-mail (ftpmail) ?
13. Credits

2. What is this document

This is the FAQ (frequently asked questions) for newer versions of wu-ftpd as maintained at ftp.academ.com.

Note: The various addresses used in this document are for contacting the authors on subjects mentioned in this document. Using these addresses for sending unsolicited E-mail is forbidden.

3. What is wu-ftpd itself and this mailing list in particular ?

Wuarchive-ftpd, more affectionately known as wu-ftpd, is a replacement ftp daemon for Un*x systems developed at Washington University (*.wustl.edu) by Bryan D. O'Connor (who is no longer working on it or supporting it!). wu-ftpd is the most popular ftp daemon on the Internet, used on many anonymous ftp sites all around the world.

This mailing list is for discussing problems with maintaining this daemon and ftp-sites where it is used.

1. How do I subscribe/unsubscribe ?

To subscribe, send a mail message with a body of SUBSCRIBE WU-FTPD to the list server listproc@mail.wustl.edu.

To unsubscribe, send a mail message with a body of UNSUBSCRIBE WU-FTPD to the list server listproc@mail.wustl.edu.

To send mail to all people on the list, send it to wu-ftpd@mail.wustl.edu.

2. Is this list archived anywhere ?

YES. There are two archives.

An 'older' one, at . This archive can be searched, and is created and maintained by Judy Pellerin (judy@machina.oact.hq.nasa.gov).
At this moment (February 1997) I cannot reach this host.

An archive from June 1994 until recent, reachable via WWW at , and via ftp at . The search page is at . This archive is maintained by Kent Landfield (kent@landfield.com).

3. What are related documents ?

o The RFC's that describe the FTP protocol are rfc959 and rfc1579. A possible location to get these is :
o The Academ wu-ftpd pages at .
o Kent Landfield maintains a resource center to collect all wu-ftpd related links at
o Darci Chapman maintains the Solaris/wu-ftpd howto guide at
  URL not valid at the moment, what is the new location ?
o The manpage for wu-ftpd can be viewed online at with the manpage for ftpaccess in
o 'ANONYMOUS FTP CONFIGURATION GUIDELINES'
  A set of guidelines from CERT (Computer Emergency Response Team) about setting up anonymous ftp.
o 'How to set up a secure ftp server'
  A file describing how to set up anonymous ftp in general in a secure way, avoiding misuse.
o 'guestgroup howto'
  A document describing the set up of guestgroups in the wu-ftpd server. At this moment a separate document from this document.
o A document describing virtual ftp servers
o Ftpaccess on virtual ftp servers
o upload.configuration.HOWTO
  How to set up the upload configuration for 2.4.2 Beta 18 VR14.

Read these. Something like

    #> telnet xxx.yyy.nl
    Trying XXX.XXX.XXX.XXX ...
    Connected to xxx.yyy.nl.
    Escape character is '^]'.

    SunOS UNIX (xxx.yyy.nl)

    login: ftp
    Last login: Sat Oct 28 22:11:36 from xxxxxx.xxx.xxx.nl
    SunOS Release 4.1.3 (HSIS_X25) #1: Wed Apr 7 14:19:15 MET DST 1993
    %>

should not happen.

4. Are there any alternatives ?

o Troll Ftpd, a free ftpserver, available from
o FileDrive, a commercial fileserver which needs its own clients, available from
o NcFTPd server, commercial server (free for educational domains), available from
o ProFTPD, a free ftpserver (GPL), available from

4. Where do I get the wu-ftpd ?
The original wu-ftpd home is wuarchive.wustl.edu, but with the current developments in the beta versions it's better to use the latest beta, especially for security reasons. The current developments in the betas make it stable enough for production use.

1. Where do I get the updated version ?

The above is the last version created by wuarchive. On the mailing list, an updated version has been created which is maintained by Stan Barber (sob@owlman.academ.com). You can get this beta by ftp from the directory :

    ftp://ftp.academ.com/pub/wu-ftpd/private/

The directory is not browsable; a .message file will point you to the latest version. Read this .message. Yes, this works better if you use a real ftp client instead of a browser.

Remember, these are BETA versions. Before asking/trying anything, check first that you have the latest version.

2. What are the VR patches for wu-ftpd ?

The VR-series offers a number of enhancements and bug fixes not available in the base beta-18 version. Available from :

3. What is BeroFTPD ?

BeroFTPD is a derivative of wu-ftpd with extra functionality for virtual hosts. Patches from the VR versions are included. Available from:

5. Compiling the wu-ftpd

In general, editing src/pathnames.h and typing build arch should be enough.

1. cc complains about strunames, typenames, modenames, .. being undeclared.

This error is fully explained in the INSTALL/INSTALL.orig file in the wu-ftpd package. A few relevant lines :

    If cc complains about strunames, typenames, modenames, ... being
    undefined you need to install support/ftp.h as /usr/include/arpa/ftp.h
    (always make a backup of the old ftp.h just in case!) and do the build
    again. The new ftp.h should be a compatible superset of your existing
    ftp.h, so you shouldn't have problems with this replacement.

2. I don't have yacc

Replace yacc with bison -y in the Makefile.

3. wu-ftpd doesn't 'see' that users are in multiple groups.

This is fixed in the beta versions.

4.
I get "conflicting types for `realpath'"

This is a bug in your unistd.h. Add the following to the end of the config.xxx file used for your system:

    #define realpath realpath_on_steroids /* hack to work around unistd.h */

5. wu-ftpd doesn't use the shadow passwords on my Linux machine.

First check whether compiling it normally produces a working ftpd with shadow password support. The latest beta versions are updated to automatically use shadow support if needed and available.

Since older Linux distributions (around libc.5.3 this got fixed) don't include shadow passwords, wu-ftpd assumes Linux does not have shadow passwords. To compile for shadow passwords with Linux :

o Get the shadow.h from the latest shadow package.
o After building the shadow package, you have a libshadow.a.
o Copy shadow.h to the src dir.
o Copy libshadow.a to the support dir.
o Edit src/config.h to say '#define SHADOW_PASSWORD' instead of #undef.
o Edit the LIBES line in src/Makefile to read :

    LIBES = -lsupport -lbsd -lshadow

  (for some releases, -lcrypt is also needed)
o Modify src/ftpd.c around line 1061 to read :

    xpasswd = pw_encrypt(passwd, salt);

6. It doesn't compile at all on newer Linux installs. The error is :

Add the item -DDIRENT_ILLEGAL_ACCESS to the CFLAGS line in src/makefiles/Makefile.lnx.

7. The timezone in the xferlog is wrong

Either you compiled with support for setting the process title (SPT_TYPE) on a machine that doesn't support this, where changing the process title clobbers the environment and therefore zaps the TZ variable. Recompile with SPT_TYPE set to SPT_NONE. Systems which don't support SPT_TYPE : Aix, SGI Irix

Or you need to copy the zoneinfo files to the ~ftp tree too. These are :

    /etc/TIMEZONE
    /etc/default/init
    /usr/share/lib/zoneinfo/..

The name of the correct file in /usr/share/lib/zoneinfo depends on your current timezone. Exact filenames depend on your operating system too. See the manpages for timezone(4) and zic(1M).

8.
The timezone in the ls output is wrong

See above, but also check if your system needs /etc/default/init (Solaris 2.5 for example) for setting the correct TZ variable. This file then has to be in chrooted environments too. Noted by Francois Belanger (francois@goltier.com).

Digital Unix needs /etc/zoneinfo/localtime.

9. Digital Unix doesn't log commands after an anonymous user logs in

The syslog system calls in Digital Unix are a bit different. The following text describes how to fix this.

The standard Digital ftpd does log the commands after the chroot and Benoit Maillard (maillard@fgt.dec.com) told me that it was because they don't use the standard system calls.

While looking at the distribution files, I've found a syslog.c file in support directory and I've modified the Makefile.osf in support/makefiles to include it in the library.

There were 2 compilation errors on this file, in fact one warning and one error. The warning is on

    if ((p = malloc(strlen(ident) + 1)) == NULL)

and to suppress it, modify in

    if ((p = (char *)malloc(strlen(ident) + 1)) == NULL)

The error was on the redefinition of openlog (or closelog). It comes from the fact that these calls are redefined in

    extern int openlog __((const char *, int, int));
    extern int syslog __((int, const char *, ...));
    extern void closelog __((void));
    extern int setlogmask __((int));

So I've copied /usr/include/syslog.h in the support directory and I've modified it in suppressing these lines. Then I've modified syslog.c in replacing

    #include

by

    #include "syslog.h"

So now all is working fine and even for anonymous users the commands are logged correctly as for real users in the daemon.log file.

Written on the mailing list by Daniel Clar (Daniel.Clar@supelec.fr).

10. install fails with 'install: ..'

The makefile is set up for the bsd version of the install program. Some OS'es (including Solaris) use the svr4 version. In that case set in the makefile :

    INSTALL = /usr/ucb/install

11.
Digital Unix (The Unix Formerly Known As OSF/1) and Enhanced C2 security,

The needed changes seem to depend on the version of Digital Unix. For Digital Unix 4.0 the LIBES line just has to be the default

    LIBES = -lsupport

and the change in crypt() is not needed.

Make these changes to ./src/config/config.osf :

    #define SecureWare
    #include
    #include
    #include
    #include
    #include

and add the following to ./src/makefiles/Makefile.osf

    LIBES = -lsupport -lsecurity -laud

And change all occurrences of crypt() to bigcrypt().

To run, you'll need to copy the entire contents of /etc/sia to ~ftp/etc/sia. Easiest way to do this is :

    # cd /etc
    # tar -cvf - sia | (cd ~ftp/etc;tar -xpf -)

Also, to make passwords longer than 8 characters work, another change is needed. Change the line:

    crypt_alg = AUTH_CRYPT_OLDCRYPT;

to

    crypt_alg = AUTH_CRYPT_BIGCRYPT;

Parts of this provided by Andrew C. Saylor (asaylor@comsource.net).

12. It doesn't compile at all on Digital Unix, errors about struct timeval

Add to ./src/ftpd.c

    #define SPT_SCO 6 /* write kernel u. area */

    /* FTP server. */
    #include "config.h"
    #include          <-- add this
    #include

Information provided by Andrew C. Saylor (asaylor@comsource.net).

13. What should I do to be able to use wu-ftpd in a HP-UX 10.01

To compile for trusted systems you only need a few changes.

In file src/config.h change the line

    #undef SHADOW_PASSWORD

to

    #define SHADOW_PASSWORD

In file src/makefiles/Makefile.hpx, the LIBES line should look like this:

    LIBES = -lsupport -lc -lPW -lsec

The root password is crypted in a different way than the ones for normal users. It is necessary to use the bigcrypt function call.
Here are the needed changes in the source code:

In file src/ftpd.c, at the beginning:

    #ifdef _HPUX_SOURCE
    #include
    #include
    #endif

and, in the same file, in function pass(), you should be able to identify the segments of code where this fits:

    char *xpasswd, *bpasswd, *salt;

    #ifdef KERBEROS
        xpasswd = crypt16(passwd, salt);
    #else
        xpasswd = crypt(passwd, salt);
        bpasswd = bigcrypt(passwd, salt);   /* <-- THIS IS THE HOT THING */
    #endif

    #ifdef ULTRIX_AUTH
        if ((numfails = ultrix_check_pass(passwd, xpasswd)) < 0) {
    #elif defined(_HPUX_SOURCE)
        if (pw == NULL || *pw->pw_passwd == '\0' ||
            (strcmp(xpasswd, pw->pw_passwd) &&
             strcmp(bpasswd, pw->pw_passwd))) {   /* <-- ALSO THIS */
    #else
        /* The strcmp does not catch null passwords! */
        if (pw == NULL || *pw->pw_passwd == '\0' ||
            strcmp(xpasswd, pw->pw_passwd)) {
    #endif
            reply(530, "Login incorrect.");

Information provided by Jose Luis Martinez Garcia (jluis@sitecal.es).

14. What should I do for HP-UX 10.10 to make it work completely.

If the above doesn't work, some more notes :

/usr/include/shadow.h: This *system* file had an apparent typo that caused gcc to fail. I changed the following statement:

    extern int lckpwdf(void),

to

    extern int lckpwdf(void);

Notes provided by Chuck Davis (cdavis@wrair-amss.army.mil).

Extra remark: On a trusted system HP's getpwnam does not supply the encrypted password. Instead you have to use getprpwnam. Modify ftpd.c to use getprpwnam.

    pr_pw = getprpwnam(pw->pw_name); /* get shadow password */
    xpasswd = crypt(passwd, pr_pw->ufld.fd_encrypt);
    bpasswd = bigcrypt(passwd, pr_pw->ufld.fd_encrypt);

Installation notes for HP-UX 10.20.

A complete set of installation notes for wu-ftpd on HP-UX 10.20:

I installed wu-ftp2.4 on a clean HPUX 10.20 build. The 10.20 build came straight from HP, and the only important differences on this build from a generic build is that the X-libs and X-utils were stripped out (something I would recommend if you are building an HP 10.20 for ftp only).
- Get both the wu-ftp2.4 package and the current ansi-c compiler package (I got mine from HP, you can request the package ansic.hp-10.20.tar.gz)
- Uncompress and untar the C package first (HP comes with a standard c compiler, but it is only useful in the kernel compiling and doesn't function well outside of doing kernel work). Follow the README/INSTALL docs for installing the c compiler. Make sure you put this new compiler in your path, or do some editing whenever you use cc to point to this compiler and not the default.
- Build wu-ftpd normally
- Set up the server
- Special notes about tuning for heavy load: The ftp servers that I maintain are heavily hit and some kernel configuration was required to allow more heavy load on lock files and multiple access to the same file. This was all done through SAM. An important thing to keep in mind on a heavily accessed machine is that the fin_wait state needs to be lowered enough to keep open file locks at a minimum. I set all of my fin_waits to 5 minutes or less.

6. Special compilation options/fixes

This section deals with specialities in compilation for certain situations.

1. I need to authenticate real users via AFS

Edit the Makefile for your OS to add the AFS libs/includes. They only appear in the Makefile for AIX. Then, add the following line to the #include section of src/ftpd.c :

    #include

Noted by Perry L. Morgan (pmorgan@uceng.uc.edu).

2. I need to use S/KEY authorisation

Michael Brennen (mbrennen@fni.com) wrote on the list:

The general SKEY procedure is something like this:

The last thing in config.h is an #undef SKEY; comment that out. That is a gotcha that can take some time to find, although that doesn't seem to be the problem.

Copy skey.h into the src directory.
Copy libskey.a into the support directory.

Edit the appropriate Makefile.* in src/makefiles and add the following:
add "-DSKEY" to the CFLAGS macro;
add "-lskey" to the LIBES macro.

That should do it; if not, holler back.

3.
I want to block certain default addresses (IE30User@, mozilla@)

Andy Church has written a patch for this (relative to beta-16). Available from . Look in the same directory for more information.

7. Installing the wu-ftpd

In general, change the line for the ftp-server in /etc/inetd.conf (the file that defines the servers started by inetd; for some operating systems, this is another file).

1. Command-line options for wu-ftpd

With the latest versions, using no command-line options will set it to a default mode, in which it will not parse the ftpaccess file. Add the option -a to the command line in inetd.conf.

2. Testing on a different port number than ftp

You can test the wu-ftpd on a different port by adding two ports with consecutive numbers in /etc/services, and then starting wu-ftpd on these ports.

Add to /etc/services something like :

    ftptest       4021/tcp   #command port
    ftptest-data  4020/tcp   #data port

Then start wu-ftpd from /etc/inetd.conf like :

    ftptest stream tcp nowait root /usr/etc/in.ftpd in.ftpd

The key is the name 'ftptest' which associates the port assignment in the /etc/services file to that in the inetd.conf file. Make certain the choice of ports in /etc/services (4021 and 4020 above) are from the local use list and don't conflict with other port assignments (see RFC1700, ASSIGNED NUMBERS).

One important subtlety. The data port is not really derived from the data port declaration in the /etc/services file. The FTP specification (RFC765) states the data port is defined as one less than the command port. However, including the data port declaration in the /etc/services file prevents it from being accidentally assigned to something else.

From a mail by W. James Showalter (gamma@mintaka.disa.mil)

3. Not all command line parameters seem to be used by wu-ftpd

Your inetd probably drops some parameters after a given number (4 or 5).
You can use the following wrapper program to give additional parameters :

    /* wrapper for wuftpd to add command line arguments that don't fit under inetd */
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <syslog.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        char *path = "/local-adm/bin/ftpd";
        char *cmd = "ftpd";

        fflush(stderr);
        fflush(stdout);
        errno = 0;
        execl(path, cmd, "-a", "-l", "-L", "-u022", (char *)NULL);

        /* only reached when execl() failed: log the reason and give up */
        openlog("wrapftpd", LOG_PID, LOG_LOCAL6);
        /* fixed "%s" format, so the error text is never used as a format string */
        syslog(LOG_WARNING, "%s", strerror(errno));
        closelog();
        exit(EXIT_FAILURE);
    }

Code from Albert Lunde (Albert-Lunde@nwu.edu)

8. Are there year 2000 issues with wu-ftpd?

The original version of wu-ftpd had a year 2000 representation problem. No internal workings of wu-ftpd were affected by this problem. This problem has been fixed in wu-ftpd 2.4.2 beta 14 which was published August 1997. With this fix, wu-ftpd is believed to be completely Y2K-compliant.

The fix that was applied :

The following statement appears in ftpcmd.y. It is part of the action for the syntax: MDTM check_login SP pathname CRLF

    reply(213, "19%02d%02d%02d%02d%02d%02d",
          t->tm_year, t->tm_mon+1, t->tm_mday,
          t->tm_hour, t->tm_min, t->tm_sec);

The 19%02d needs to be changed to %04d and t->tm_year needs to be changed to t->tm_year + 1900:

    reply(213, "%04d%02d%02d%02d%02d%02d",
          t->tm_year + 1900, t->tm_mon+1, t->tm_mday,
          t->tm_hour, t->tm_min, t->tm_sec);

9. The ftpaccess file

1. Some files (banners, etc) don't get shown to anonymous users.

When the anonymous user is logged in, banner files are opened relative to the root of the anonymous user. Keep this in mind. It can be useful to have 2 sets of banners or use links.

2. What is the exact format of the parameter in the "limit"

This is a format consisting of day and time parameters. Possible items : Sa,Su,Mo, .. Any (for any day) and time parameters.

For example : SaSu|Any1800-0700 means all of Saturday and Sunday or Any day between 18:00 and 07:00.

Check if ftpd inherits the correct time zone.

3.
What tools are there to check the configuration

ftpcheck found at (version numbers may vary).

For different operating systems, different libraries and/or devices are needed. You can test if things are running correctly by doing a chroot to the ftp homedir. To test if /bin/ls is working in the ~ftp dir, type :

    chroot ~ftp /bin/ls

Or, the partition is mounted -nosuid which gives the same error under SunOS or Solaris, more information on the page

1. Solaris

First, have a look at the manpage for the original in.ftpd(1m). It has a script for setting everything up.

Solaris needs ~ftp/dev/tcp and ~ftp/dev/zero and the libraries. Check the man-page for your Solaris version for exact details. Use the command ldd to find out which libraries a program uses.

Also, the ~ftp/etc/group file is needed for ls to work; without it, ls will just dump core. Follow the same rules as for /etc/passwd : not too much information in that file, like group passwords (if you have those).

Needed libraries can include : ld.so, ld.so.1, libc.so.1, libdl.so.1, libintl.so.1, libmp.so.1, libnsl.so.1, libsocket.so.1, libw.so.1, nss_compat.so.1, nss_dns.so.1, nss_files.so.1, nss_nis.so.1, nss_nisplus.so.1, straddr.so

Problem with /etc/group found by Eric (ewedaa@kset.com).

2. Building a statically linked ls for Solaris fails

This is discussed in the comp.unix.solaris Frequently Asked Questions item 6.24 (at this moment).

3. Linux

Use the command ldd to find out which libraries a program uses. Also, with ELF binaries you need the ELF file loader, ld-linux.so in ~ftp/lib.

ELF change remarked by Al Longyear (longyear@sii.com).

4. Dec OSF

Copy the static version of ls (/sbin/ls) and not the dynamic one. The static version is about 400K. Make passwd and group files in ~ftp/etc. Copy from /etc/sia dir to ~ftp/etc/sia the files matrixconf and siainitgood.

5. SunOS4.1.x

SunOS needs ~ftp/dev/zero, ~ftp/dev/tcp and the libraries. Check permissions on the device files.

6.
AIX

AIX comes with scripts to automate this installation.

    AIX 3.2.5 - /usr/lpp/tcpip/samples/anon.ftp
    AIX 4.1.4 - /usr/samples/tcpip/anon.ftp

After it's done, change the mode of ~ftp/pub to something safer. Also, AIX comes with a 'dump' utility that can show which libraries a program uses.

Noted by Eilon Gishri (eilon@aristo.tau.ac.il)

7. IRIX (5.3, 6.2)

IRIX 6.2 needs ~ftp/dev/zero and libraries. To create /dev/zero, check its current major and minor number with :

    ls -lL /dev/zero

And then create it in ~ftp using :

    cd ~ftp/dev
    mknod zero c
    cd ..
    chmod 555 dev

You will probably need to copy /lib/libc.so.1 to ~ftp/lib/libc.so.1 and /lib/rld to ~ftp/lib/rld. These are required by ls, compress, gtar and gzip.

You can see what libraries a program needs by doing the following:

    csh# setenv _RLD_PATH /usr/lib/rld.debug
    csh# setenv _RLD_ARGS '-v -quickstart_info -stat'

To stop seeing what libraries are needed unset the environment variables:

    csh# unsetenv _RLD_PATH
    csh# unsetenv _RLD_ARGS

Useful information on Irix is also in the IRIX Insight Library (Online Books) in the book/chapter "IRIX Admin: Networking and Mail" in the paragraph "How to Set Up a Proper Anonymous FTP Account".

Information from Frans Stekelenburg (gjs@knmi.nl) and Jim Davis (jdavis@cs.arizona.edu)

8. SCO Unix

SCO needs /dev/socksys.

9. BSD vs SVR4 ls

This is a very sneaky one. To quote :

The problem was that ls_short and ls_long were being defined incorrectly (since the system was compiled with a BSDish compiler, the BSD config file was used) using ls -lA and ls -lgA respectively. It turns out that the ls command was running but it was erroring out (this is because the system is actually running SVR4), since a failed ls produces output only to stderr not stdout I saw nothing for my output.

Information from Perry A. Stupp (pstupp@i-com.com)

10. It worked, until I upgraded the operating system.

Something in the upgrade changed in your OS. Most likely : newer shared libraries.
Also : other major/minor numbers in /dev. Redo the shared libs and devices after an upgrade if things like the above happen.

11. Running wu-ftpd

There is a nice set of manpages with wu-ftpd. They do contain a lot of information. Also, note that a lot of things about the chrooted environment for anonymous users also apply to the chrooted environment for guest users.

1. ftpd always says "221 Server shutting down. Goodbye."

The directive ftpshut in the ftpaccess file points to a file that exists at that moment. Either change the directive or delete the file. Also, after you've used the ftpshut command, you'll need to remove the ftpshut file by hand.

2. Anonymous ftp works fine, but real users are denied access

Check the following :

# Their shell is in the /etc/shells file. Note : AIX doesn't even have this file, so you need to create it for wu-ftpd.
# The problem has been fixed in the latest beta for AIX. Get this one. Don't use the fix from tigger.itc.virginia.edu anymore, it's for older (insecure) beta versions.
# /etc/shells needs the correct access rights (world readable and not world writable).
# If you're using shadow passwords : make sure the daemon is compiled with shadow password support.

3. ftpconversions doesn't work

There are a lot of possible reasons, mostly having to do with the fact that some versions of tar use different command line parameters.

# Solaris 2.4 : if you use Solaris tar, and give the commandline as /bin/tar -cf - %s, the effect will be the same as /bin/tar -cvf - %s. The -v option will add extraneous data to the stream. Solution : replace it with /bin/tar cf - %s (no leading -).
# Also, check your 'tar' and 'compress' directives in ftpaccess.

4. On-the-fly compression works, on-the-fly tarring, but not both.
With Solaris 2.4 and GNU's tar-1.11.8 (configured and compiled with --disable-nls flag) use the GNU tar flag --use-compress-program=path to compression program

sample :

     : : :.tar.Z:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/compress -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
     : : :.tar.gz:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/gzip -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP

5. I want to use zip compression (InfoZip)

Lines for ftpconversions :

     :.zip: : :/bin/unzip -qq -p %s:T_REG|T_ASCII:O_UNCOMPRESS:UNZIP
     : : :.zip:/bin/zip -qq -r - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:ZIP

Info-ZIP can be found at

6. I want a real user to be able to access the host only via ftp, not via telnet

Create a shell for this purpose (for example, a program that says the above or a copy of /bin/true). Put this shell in /etc/shells. Change the shell of the user to that shell.

Next : make sure mail cannot be delivered locally to the account. Because the shell is valid for sendmail (it is in /etc/shells), a user may be able to start commands as that user. Information and a sample script on

The same, for AIX: use chuser (or SMIT) to set the user to login=no, su=no, telnet=no, rlogin=no.

7. Somebody uploaded a file with a weird name

Somebody is trying to misuse your ftp-site for transferring software (worst case scenario). Check if the directive path-filter in the ftpaccess file is something like :

    path-filter anonymous /etc/paths.msg ^[-A-Za-z0-9\._]*$ ^\. ^-

8. I want anonymous users to be able to upload files, but in the most secure manner possible

In general: you don't want this. But, if you're stubborn...

In that case, set your path-filter to the one mentioned above. Make the incoming directory owned by something other than ftp (root, or nobody) with a group other than ftp (nobody). Something like :

    drwx-wx-wt root nobody incoming

This will allow ftp to write in the directory, but not read it.
Set the upload directive in ftpaccess to something like :

    upload /home/ftp /incoming yes root daemon 0400 nodirs

One note : files get created as root and changed to the owner mentioned in the upload line. This will fail on some secure NFS setups.

9. The default umask used when a real user uploads a file is wrong

The default umask is inherited from inetd. This can be a wrong one. There is an undocumented command line parameter -u. Edit the line in inetd.conf to something like ftpd -A -L -l -u077.

10. I heard something about 'SITE EXEC' having a security hole

In some slackware distributions the _PATH_EXECPATH is set to something like /bin. Recompile wu-ftpd with it set to a special path like /bin/ftp-exec.

To test for this hole, type (when logged in as a real user, not anonymous) :

    ftp> SITE EXEC bash -c id

If you get a return with '200-uid=0(root) gid=0(root)' in it, you have the problem.

11. How do I make reports more readable ?

There are a couple of scripts to make better reports from the xferlog.

# dumpxfer processes the xferlog and gives more humanly readable output
# processlog script to run dumpxfer, email you the output and truncate the log

These are available via anonymous ftp via . Both need Perl.

I (Koos van den Hout) also wrote a Perl script to process the log, mail daily statistics and uploaded files, and create a top most downloaded files. It is available from

iistat generates nice transfer graphs from the xferlog file (and from a lot of other sources). Available from

Phil Swan wrote xferstats, available from or

12. Incoming file transfers fail with SunOS and an NFS mounted incoming

You get errors like :

    Dec 7 11:14:33 ftphost vmunix: NFS write error 13 on host fileserver fh 746 1 a0000 5fea7 3b5a1bd8 a0000 2 1e0a6aed

That's a known problem.
Possible solutions :

  o Have the incoming disk on the ftpserver itself
  o /etc/ftpaccess sets owner to ftp, group to a restricted group and mode to 0040 (only group read)

Thanks to Peter Glassenbury (pete@cosc.canterbury.ac.nz) for this one.

13. Normal ftp clients work, Netscape ftp's fail.

So, passive mode doesn't work. Apparently ftpd needs write permission on ~ftp/dev/tcp in order to operate correctly in passive mode (Solaris). Set it to the same mode as permissions shown by ls -lL /dev/tcp, being 666. Also read the Solaris man page for ftpd for Solaris-specific information.

Changed from previous versions

Fix:

    cd ~ftp/dev
    chmod 666 tcp

Thanks to Simon Rakov (Simon_Rakov@iongate.staff.ichange.com) for this one.

14. I made a symbolic link within the anonymous tree and it doesn't work for the anonymous users.

Symbolic links are relative to your active root. If you want to access files/directories/diskspace outside your chrooted environment, you'll have to import it using loopback mounts. These are available on at least Solaris and Linux.

15. I want to redirect anonymous users to another machine

That's a not-so-well-known ftpaccess feature : just add 'guestserver anon.ftp.server.hostname' to your ftpaccess file.

16. ftpd stops accepting connections when a lot of connections come in.

This is a feature of inetd, not ftpd. Inetd will limit the number of connections that can be made to a service per minute. Some versions allow you to specify this number in inetd.conf, by appending it to the nowait flag, like :

    ftp stream tcp nowait.256 root /usr/sbin/ftpd ftpd -a

which will allow 256 connections per minute. Check the manpage for inetd.

17. Running wu-ftpd on a *large* site

There are some really large sites running wu-ftpd versions with special modifications in order to make it work under that load.
For example sunsite.doc.ic.ac.uk has made some modifications available at

From the notes on those patches:

    DAEMON
        If ftpd called with -D then run as a standalone daemon listening on the ftp port. This can speed up ftpd response as all ftpd then needs to do is fork off a copy to handle an incoming request. Under inetd a new copy has to be opened and exec'd.

    FILEWHAT
        If SETPROCTITLE doesn't work or if you have so many users that ps takes a long time then FILEWHAT keeps the info in a file so that ftpcount can just print it.

18. Only the first 8 characters of the anonymous username are received by the server.

This is actually a bug in older ftp-clients which only send the first 8 characters because the password is limited to 8 characters anyway. Upgrade your client.

19. wu-ftpd fails with '500 Illegal PORT Command' under AIX 4.3

AIX 4.3 defaults services in inetd.conf to ipv6 which wu-ftpd doesn't support (yet). Fix: change the protocol from tcp6 to tcp.

20. I want to host multiple ftp servers on the same machine

At this moment this is only possible with one IP number for each ftp server and a version of wu-ftpd that supports this functionality, which are the VR versions and BeroFTPD.

There is a draft for an extension to the ftp protocol named HOST to support virtual hosts like HTTP. But, this is a draft and there are a lot of old ftp clients out there. So do not count on using this.

21. I just upgraded and now nobody can log in. It worked before.

Did you look in the system log? The daemon will log the reason for the failure there. It helps a lot to know why.

Most plausible (at the moment) you're upgrading to the VR version and, if you'd look, the syslog says 'not in any class'. That means you're using the old, unsafe wildcards on your class statements such as the following:

    class lcl real,guest,anonymous 127.*.*.*

The VR update currently does not support this notation.
Use netmask or CIDR instead, as in either of the following:

    class lcl real,guest,anonymous 127.0.0.0/8

or

    class lcl real,guest,anonymous 127.0.0.0:255.0.0.0

The VR15 update will include support for the old wildcards as they were most commonly used (as in the example above), but without the errors which allowed matching unintended hosts.

21. Other things

  1. Where is the FTP protocol documented ?

     RFC959 documents the FTP protocol.

  2. How can I make my ftp-archive accessible by E-mail (ftpmail) ?

     There is a Perl-script collection available named ftpmail. It is available on a lot of ftp-sites (archie for 'ftpmail'), some of which are : , nic.funet.fi, ftp.warwick.ac.uk, ftp.loria.fr, ftp.germany.eu.net.

22. Credits

A number of people deserve credit :

  o Alexander L. Haiut (alx@cs.bgu.ac.il), creator of the original faq.
  o *Hobbit* (hobbit@avian.org) for the first security patches to wu-ftpd.
  o Stan Barber (sob@owlman.academ.com), maintainer of the current patch-archive for wu-ftpd.
  o Reinier Post (reinpost@win.tue.nl), for the scripts that maintain this FAQ.
  o And of course, Bryan O'Connor at Washington University who wrote wu-ftpd in the first place. Warning : Bryan is no longer working on wu-ftpd, or even working at Washington University. Please don't mail him with questions.
  o And all the people who send me updates for the FAQ or other information. (No chocolate cookies. Yet)

Last modified : Fri Feb 26 10:31:32 MET 1999
_____________________________________________________________
Created by : Koos van den Hout koos@pizza.hvu.nl
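
For the 'not in any class' problem described under "I just upgraded and now nobody can log in", the following added example (not part of the original FAQ or of wu-ftpd) rewrites old-style wildcard addresses on class lines to the CIDR form shown there. The function names and sample file are hypothetical; it assumes the field layout seen in the class lines above (class, name, typelist, then addresses) and leaves hostname globs and partial-octet wildcards unchanged, reporting the latter for manual review.

```python
import ipaddress
import re

# Constructed sample ftpaccess content for illustration (not from a real server).
SAMPLE_FTPACCESS = """\
class lcl    real,guest,anonymous 127.*.*.*
class campus real,guest           192.168.*.* 10.20.30.*
class odd    anonymous            10.1*.*.* *.example.org
guestserver anon.ftp.server.hostname
"""


def glob_to_cidr(addr):
    """Return the CIDR form of a dotted quad whose wildcards are trailing
    whole octets (127.*.*.* -> 127.0.0.0/8); return None for anything else."""
    parts = addr.split(".")
    if len(parts) != 4 or "*" not in parts:
        return None
    fixed = [p for p in parts if p != "*"]
    # Wildcards must follow the fixed octets, and at least one octet is fixed.
    if not fixed or parts[:len(fixed)] != fixed:
        return None
    if not all(re.fullmatch(r"\d{1,3}", p) and int(p) <= 255 for p in fixed):
        return None
    octets = [str(int(p)) for p in fixed] + ["0"] * (4 - len(fixed))
    return str(ipaddress.ip_network(f"{'.'.join(octets)}/{8 * len(fixed)}"))


def rewrite_classes(text):
    """Rewrite class lines to CIDR. Returns (new_text, review), where review
    lists numeric globs with no exact CIDR equivalent (left unchanged)."""
    out, review = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "class":
            addrs = []
            for addr in fields[3:]:
                cidr = glob_to_cidr(addr)
                if cidr is None and "*" in addr and re.fullmatch(r"(?=.*\d)[\d.*]+", addr):
                    review.append(addr)
                addrs.append(cidr or addr)
            line = " ".join(fields[:3] + addrs)  # column spacing is normalised
        out.append(line)
    return "\n".join(out) + "\n", review


if __name__ == "__main__":
    new_text, review = rewrite_classes(SAMPLE_FTPACCESS)
    print(new_text, end="")
    print("manual review:", review)
```

Patterns returned in the review list match hosts that no single CIDR block describes, so decide by hand which networks they were meant to cover before replacing them.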