- 1.0.x
This is the previous stable version.
- 1.1.x
Development code
- 1.2.0prex
Pre-release testing versions, development code.
- 1.2.0rcx
Release candidate code. These releases are believed to be essentially bug-free and are the final test releases before the stable code is issued.
- 1.2.x
This will be the stable cycle with the final .x being the incremental patches to fix bugs discovered after the release version is issued.
- 1.3.x
1.3.x is in development; nightly tarballs from the CVS tree are available from ftp.proftpd.org and its mirror sites.
http://www.proftpd.org is now online and contains copies of this FAQ, other documentation resources and information on the project. The documentation is being brought back into shape at the moment; the configuration documentation on the website is approaching where it should be, but more work is required and is ongoing. There are a number of geographic mirror sites, see http://www.proftpd.org for details or try www.<isocode>.proftpd.org (e.g. www.uk.proftpd.org).
Helping with documentation
The contexts in which a directive is valid can be read off the CHECK_CONF() call in the directive handler in the module source, for example:

    CHECK_CONF(cmd,CONF_ROOT|CONF_VIRTUAL|CONF_ANON|CONF_GLOBAL)

Once the documentation is complete, run:

    cvs diff -uw Configuration.html > Configuration.html.patch
Bug reports should be made via http://bugs.proftpd.org/, which uses the Bugzilla tracking system. Patches should be mailed to the ProFTPD-Devel mailing list or to MacGyver directly.
Please report all security problems with the code to <security@proftpd.org> before making the information public. It would be appreciated if you give the core team a few days to put together a patch and/or a new release addressing the issue.
Please adhere to the procedures and timescales given in the RFPolicy document, http://www.wiretrip.net/rfp/policy.html; this gives the core development team a chance to get a fix or workaround in place before the problem becomes fully public.
Mirror sites
There is a complete and maintained list of ftp mirror sites available from http://www.proftpd.org/download.html
CVS
    cvs -d :pserver:anonymous@cvs.proftp.sourceforge.net:/cvsroot/proftp -z3 co proftpd

To obtain the latest updates later, change into the proftpd directory and run:

    cvs update
There are a number of mailing lists for ProFTPD
Announce
This is a very low traffic list where only ProFTPD announcements/changes will be announced. Subscribe by sending a message to <proftpd-announce-request@proftpd.org> with "subscribe" in the subject.
Web interface: https://lists.sourceforge.net/lists/listinfo/proftp-announce
Users
Subscribe by sending a message to <proftpd-user-request@proftpd.org> with "subscribe" in the subject.
Web interface: https://lists.sourceforge.net/lists/listinfo/proftp-user
Development
Subscribe by sending a message to <proftpd-devel-request@proftpd.org> with "subscribe" in the subject.
Web interface: https://lists.sourceforge.net/lists/listinfo/proftp-devel
Archives
The mailing list archives can be found at:
Unsubscribing
There is a mini-HOWTO at http://www.castaglia.org/proftpd/doc/ detailing how to tunnel ftp connections over ssh.
Linux 2.0.x
Runtime detection of sendfile()
Johnie Ingram (aka netgod)'s: http://www.proftpd.org/proftpd-devel-archive/99-10/msg00073.html
John Pierce <hawkfan@pyrotechnics.com> http://www.proftpd.org/proftpd-devel-archive/99-10/msg00112.html
Problems with sendfile
sendfile() also appears to be the source of a number of file corruption problems.
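The runtime detection discussed in the two posts above, written out as an added example (this is not ProFTPD's own code, which is C; the shape of the check is the point): try sendfile() first and, if the kernel reports that the call is unavailable, drop back to an ordinary read()/write() loop for the rest of the transfer. The set of errno values treated as "unavailable" (ENOSYS as returned by a 2.0.x kernel, plus EINVAL/ENOTSOCK/EOPNOTSUPP for kernels that reject a descriptor type) is my assumption; every other error is a real I/O failure and is re-raised. The same switch doubles as a way to run with sendfile() disabled when corruption is suspected. The file contents are constructed for the demonstration.

```python
"""Added example: sendfile() with runtime fallback to read()/write()."""
from __future__ import annotations
import errno
import os
import tempfile

CHUNK = 64 * 1024
# errno values meaning "sendfile is not usable here" (assumption, see lead-in);
# anything else is a genuine I/O error and is re-raised rather than retried.
FALLBACK_ERRNOS = {errno.ENOSYS, errno.EINVAL, errno.ENOTSOCK, errno.EOPNOTSUPP}


def copy_fd(in_fd: int, out_fd: int, length: int, try_sendfile: bool = True) -> tuple[int, str]:
    """Copy `length` bytes from in_fd's current offset to out_fd.
    Returns (bytes_copied, method) with method 'sendfile' or 'readwrite'."""
    start = os.lseek(in_fd, 0, os.SEEK_CUR)
    sent = 0
    if try_sendfile and hasattr(os, "sendfile"):
        try:
            while sent < length:
                n = os.sendfile(out_fd, in_fd, start + sent, length - sent)
                if n == 0:                       # EOF before `length` bytes
                    break
                sent += n
            os.lseek(in_fd, start + sent, os.SEEK_SET)  # mirror read()'s offset movement
            return sent, "sendfile"
        except OSError as exc:
            if exc.errno not in FALLBACK_ERRNOS or sent:
                raise                            # real error, or failure after partial progress
            os.lseek(in_fd, start, os.SEEK_SET)  # nothing was sent; restart from `start`
    while sent < length:
        buf = os.read(in_fd, min(CHUNK, length - sent))
        if not buf:
            break
        view = memoryview(buf)
        while view:                              # write() may be partial on pipes/sockets
            view = view[os.write(out_fd, view):]
        sent += len(buf)
    return sent, "readwrite"


def demo(try_sendfile: bool = True) -> tuple[bool, str]:
    """Copy a constructed 300 KiB pattern file and verify the copy.
    Returns (copy_is_identical, method_used)."""
    data = bytes(range(256)) * (300 * 1024 // 256)
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src.bin")
        dst = os.path.join(tmp, "dst.bin")
        with open(src, "wb") as f:
            f.write(data)
        in_fd = os.open(src, os.O_RDONLY)
        out_fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        try:
            n, method = copy_fd(in_fd, out_fd, len(data), try_sendfile)
        finally:
            os.close(in_fd)
            os.close(out_fd)
        with open(dst, "rb") as f:
            return (n == len(data) and f.read() == data, method)
```

On a kernel where sendfile() accepts a regular file as the destination the first call reports 'sendfile'; where it does not (or where the call is missing entirely) the copy still completes and reports 'readwrite'. The important detail is that a failure after partial progress is not silently retried: hiding it is exactly how a truncated or corrupted file gets delivered with a 226 reply.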
There is currently no official support for IPv6 within the 1.2.x code tree; however, an unofficial patch is available (http://www.t17.ds.pwr.wroc.pl/~misiek/ipv6/), and more comprehensive support will probably be developed during the 1.3.x development cycle.
Is there anything in the pipeline to fix this?
There is an IETF draft standard, http://search.ietf.org/internet-drafts/draft-ietf-ftpext-mlst-12.txt, which extends and improves the FTP specification, including support for a HOST command that would allow name-based virtual hosts on a single IP address. However, since the pressure on IP address space comes from virtual web hosting rather than from virtual FTP servers, this is unlikely to be pushed through any time soon.
Find the line in /etc/inetd.conf that looks something like this:

    ftp stream tcp nowait root in.ftpd in.ftpd

Replace it with:

    ftp stream tcp nowait root in.proftpd in.proftpd

Then find your inetd process in the process listing and send it the SIGHUP signal so that it re-reads its configuration. If your inetd runs services through TCP wrappers, you may also need to add an entry for in.proftpd to hosts.allow on your system.
Yes, the mod_ratio module does exactly this.

    Ratios on                                # enable module
    UserRatio  ftp 0 0 0 0
    HostRatio  master.debian.org 0 0 0 0     # leech access (default)
    GroupRatio proftpd 100 10 5 100000       # 100:1 files, 10 file cred 5:1 bytes, 100k byte cred
    AnonRatio  billg@microsoft.com 1 0 1 0   # 1:1 ratio, no credits
    UserRatio  * 5 5 5 50000                 # special default case
Version 2.0 and above of this module integrate with mod_sql.
Limitations of mod_ratio
Problems encountered in trying to make the server behave exactly as required after compilation and installation are complete and the server is running.
    ...
    <VirtualHost myhost.mynet.foo>
      DefaultRoot ~
      ...
    </VirtualHost>

    ...
    <VirtualHost myhost.mynet.foo>
      DefaultRoot /u2/public users,!staff
      ...
    </VirtualHost>
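To make the second fragment concrete, here is an added example (not ProFTPD code) that evaluates a DefaultRoot group-expression the way the directive's syntax reads: terms are comma-separated, a leading `!` negates a term, and every term must hold for the directive to apply. It assumes that when several DefaultRoot directives are present the first one whose expression matches wins, and that a bare `~` (or a `~/...` prefix) expands to the authenticated user's home directory; the user names, homes and group sets are constructed.

```python
"""Added example: which DefaultRoot applies to a given user's group set."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DefaultRootRule:
    directory: str
    group_expr: Optional[str] = None   # None: applies to every user


def group_expr_matches(expr: str, groups: Iterable[str]) -> bool:
    """ProFTPD group-expression: comma-separated names, each optionally
    prefixed with '!'; all terms must hold (logical AND)."""
    members = set(groups)
    for term in expr.split(","):
        term = term.strip()
        if not term:
            raise ValueError(f"empty term in group expression {expr!r}")
        negate = term.startswith("!")
        name = term[1:] if negate else term
        if (name in members) == negate:   # member but negated, or non-member and required
            return False
    return True


def select_default_root(rules: list[DefaultRootRule], home: str, groups: Iterable[str]) -> Optional[str]:
    """Return the chroot directory for this user, or None if no DefaultRoot
    applies (assumption: first matching directive wins)."""
    for rule in rules:
        if rule.group_expr is None or group_expr_matches(rule.group_expr, groups):
            if rule.directory == "~":
                return home
            if rule.directory.startswith("~/"):
                return home + rule.directory[1:]
            return rule.directory
    return None


def demo() -> dict[str, Optional[str]]:
    """Constructed users against the page's two fragments combined:
    staff are kept out of /u2/public and fall through to their own home."""
    rules = [DefaultRootRule("/u2/public", "users,!staff"), DefaultRootRule("~")]
    people = {
        "bob": ("/home/bob", {"users"}),
        "alice": ("/home/alice", {"users", "staff"}),
        "carol": ("/home/carol", {"guest"}),
    }
    return {name: select_default_root(rules, home, grp) for name, (home, grp) in people.items()}
```

The negated term is the part worth testing: `users,!staff` means "in users AND NOT in staff", so a user in both groups does not match, and with only that one directive configured such a user would get no chroot at all rather than the obvious fallback.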
Security Implications
A more detailed discussion of this subject, and of breaking out of chroot jails, has been written by Simon Burr: http://www.bpfh.net/simes/computing/chroot-break.html
Non-root server issues
Symlinks
    mount -F lofs /home/data1 /ftp/data1
    mount -F lofs /home/data2 /ftp/data2
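Why the loopback mounts are needed rather than symlinks: once the server has chroot()ed into the DefaultRoot, an absolute link target such as /home/data1 is looked up under the jail root, so a link into the rest of the filesystem dangles even though it looks fine from outside, and `..` cannot climb above the jail. The following added example (not part of ProFTPD) audits a tree the way a chrooted process would resolve it and reports which symlinks would break. The directory layout and link targets are constructed for the demonstration; on Linux the equivalent of `mount -F lofs` is a bind mount.

```python
"""Added example: find symlinks that will dangle once the server chroot()s."""
from __future__ import annotations
import os
import shutil
import tempfile

MAX_LINK_DEPTH = 40   # mirrors the kernel's symlink-chain limit


def resolve_in_jail(jail: str, path: str, depth: int = 0) -> str | None:
    """Resolve jail-absolute `path` as a process chrooted to `jail` would.
    Returns the jail-absolute final path, or None if it dangles inside the jail."""
    if depth > MAX_LINK_DEPTH:
        return None
    parts = [p for p in path.split("/") if p and p != "."]
    cur: list[str] = []
    for i, part in enumerate(parts):
        if part == "..":
            if cur:                      # '..' at the jail root stays at the jail root
                cur.pop()
            continue
        cur.append(part)
        host = os.path.join(jail, *cur)
        if os.path.islink(host):
            target = os.readlink(host)
            cur.pop()
            # an absolute target restarts at the *jail* root, not the host root
            base = "/" if target.startswith("/") else "/" + "/".join(cur)
            rest = "/".join(parts[i + 1:])
            return resolve_in_jail(jail, os.path.join(base, target.lstrip("/"), rest), depth + 1)
        if not os.path.lexists(host):
            return None
    return "/" + "/".join(cur)


def audit_symlinks(jail: str) -> dict[str, bool]:
    """Map each symlink (jail-relative path) to whether it resolves inside the jail."""
    findings: dict[str, bool] = {}
    for dirpath, dirnames, filenames in os.walk(jail):   # os.walk does not follow links
        for name in dirnames + filenames:
            host = os.path.join(dirpath, name)
            if os.path.islink(host):
                rel = "/" + os.path.relpath(host, jail)
                findings[rel] = resolve_in_jail(jail, rel) is not None
    return findings


def demo() -> dict[str, bool]:
    """Constructed tree: a jail containing pub/ and data1/, plus a real
    /home/data1 outside it, with four links of the kinds admins typically create."""
    tmp = tempfile.mkdtemp()
    try:
        jail = os.path.join(tmp, "ftp")
        outside = os.path.join(tmp, "home", "data1")
        os.makedirs(os.path.join(jail, "pub"))
        os.makedirs(os.path.join(jail, "data1"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(jail, "pub", "outside"))           # absolute, outside the jail
        os.symlink("/data1", os.path.join(jail, "pub", "inside"))           # absolute, inside the jail
        os.symlink("../data1", os.path.join(jail, "pub", "relative"))       # relative, inside the jail
        os.symlink("../../home/data1", os.path.join(jail, "pub", "climb"))  # tries to climb out via ..
        return audit_symlinks(jail)
    finally:
        shutil.rmtree(tmp)
```

Only links whose targets already live inside the tree survive the chroot; the two that point outside are reported as dangling, which is exactly the situation the loopback mounts fix by bringing the real directory inside the jail.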
Create an "anon-ftp" and "anon-ftp/incoming" directory in each user's home directory.

    <VirtualHost my.per-user.virtual.host.address>
      # the next line limits all logins to this virtual host, so that only anonftp users can connect
      <Limit LOGIN>
        DenyGroup !anonftp
      </Limit>

      # limit access to each user's anon-ftp directory, we want read-only except on incoming
      <Directory ~/anon-ftp>
        <Limit WRITE>
          DenyAll
        </Limit>
      </Directory>

      # permit stor access to each user's anon-ftp/incoming directory, but deny everything else
      <Directory ~/anon-ftp/incoming>
        <Limit STOR>
          AllowAll
        </Limit>
        <Limit READ WRITE>
          DenyAll
        </Limit>
      </Directory>

      # provide a default root for all logins to this virtual host.
      DefaultRoot ~/anon-ftp

      # Finally, force all logins to be anonymous for the anonftp group
      AnonymousGroup anonftp
    </VirtualHost>
What about using Stackguard?
StackGuard (http://immunix.org) is a gcc variant which protects programs from stack-smashing attacks: a program compiled with StackGuard aborts when a function's return address has been overwritten, instead of executing the attacker's code. While this approach is a good first line of defense against future problems, it is not a complete cure-all. Some of the buffer overflows found in ProFTPD were in static variables, which stack protection mechanisms do not cover.
    rwx r-x r-x
     |   |   |
     |   |   |_____ Others: READ / NO WRITE / EXECUTE
     |   |_________ Group:  READ / NO WRITE / EXECUTE
     |_____________ User:   READ / WRITE / EXECUTE

    prince> ls -l /home/ftp
    total 8
    drwxr-xr-x   2 andrea   users        4096 May  3 00:40 andrea
    drwxr-xr-x   2 eve      users        4096 May  3 00:40 eve
    prince> ls -l /home/ftp/andrea
    total 156
    -rw-r--r--   1 andrea   users       85991 May  3 01:12 bland.txt
    -rwxr-xr-x   1 root     root        65107 May  3 01:12 secret.txt
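ProFTPD does not apply any permission model of its own here: what a logged-in user can do to secret.txt is decided by the Unix mode bits exactly as the diagram shows. The following added example (not ProFTPD code) evaluates those bits the way the kernel does, owner bits if the uid matches, else group bits if the gid or a supplementary group matches, else the "other" bits, and runs the check over a constructed copy of the listing above. Numeric uids/gids, and the mode of /home/ftp itself (not shown in the listing), are assumptions. It also covers the two points people get wrong: every directory on the path needs search (x) permission, and deleting a file is governed by write permission on the directory, not by the file's own bits (with the sticky bit as the exception).

```python
"""Added example: who can read, write or delete secret.txt under Unix mode bits."""
from __future__ import annotations
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Principal:
    name: str
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary gids


@dataclass(frozen=True)
class Entry:
    mode: int            # permission bits, e.g. 0o755, possibly with S_ISVTX etc.
    uid: int
    gid: int
    is_dir: bool = False


def parse_mode(text: str) -> int:
    """'rwxr-xr-x' -> 0o755. s/S and t/T also set setuid/setgid/sticky."""
    if len(text) != 9:
        raise ValueError(text)
    special = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)
    mode = 0
    for i, ch in enumerate(text):
        bit = 1 << (8 - i)
        if ch in "rwx":
            mode |= bit
        elif ch in "st":                 # execute plus the special bit
            mode |= bit | special[i // 3]
        elif ch in "ST":                 # special bit without execute
            mode |= special[i // 3]
        elif ch != "-":
            raise ValueError(text)
    return mode


def allowed(entry: Entry, who: Principal, want: int) -> bool:
    """Kernel-style check: exactly one class of bits applies (owner, else group, else other)."""
    if who.uid == 0:                     # root bypasses r/w; exec on a file still needs some x bit
        needs_x = bool(want & X) and not entry.is_dir
        return not needs_x or bool(entry.mode & 0o111)
    if who.uid == entry.uid:
        shift = 6
    elif who.gid == entry.gid or entry.gid in who.groups:
        shift = 3
    else:
        shift = 0
    return ((entry.mode >> shift) & want) == want


def can_delete(parent: Entry, victim: Entry, who: Principal) -> bool:
    """DELE/unlink(): needs write+search on the directory, regardless of the file's bits.
    A sticky directory additionally requires owning the file or the directory."""
    if not allowed(parent, who, W | X):
        return False
    if parent.mode & stat.S_ISVTX and who.uid not in (0, victim.uid, parent.uid):
        return False
    return True


def can_reach(path_dirs: list[Entry], who: Principal) -> bool:
    """Every directory on the way needs search (x) permission."""
    return all(allowed(d, who, X) for d in path_dirs)


# Constructed from the listing above. Assumed: users = gid 100, andrea = 1001,
# eve = 1002, and /home/ftp itself root-owned drwxr-xr-x (it is not in the listing).
ANDREA = Principal("andrea", 1001, 100)
EVE = Principal("eve", 1002, 100)
FTP_DIR = Entry(parse_mode("rwxr-xr-x"), 0, 0, is_dir=True)
ANDREA_DIR = Entry(parse_mode("rwxr-xr-x"), ANDREA.uid, 100, is_dir=True)
BLAND = Entry(parse_mode("rw-r--r--"), ANDREA.uid, 100)
SECRET = Entry(parse_mode("rwxr-xr-x"), 0, 0)


def report() -> dict[str, bool]:
    path = [FTP_DIR, ANDREA_DIR]
    return {
        "andrea reads secret.txt": can_reach(path, ANDREA) and allowed(SECRET, ANDREA, R),
        "andrea writes secret.txt": can_reach(path, ANDREA) and allowed(SECRET, ANDREA, W),
        "andrea deletes secret.txt": can_reach(path, ANDREA) and can_delete(ANDREA_DIR, SECRET, ANDREA),
        "eve reads secret.txt": can_reach(path, EVE) and allowed(SECRET, EVE, R),
        "eve deletes secret.txt": can_reach(path, EVE) and can_delete(ANDREA_DIR, SECRET, EVE),
        "eve writes bland.txt": can_reach(path, EVE) and allowed(BLAND, EVE, W),
    }
```

The result that surprises people is the third line: secret.txt is owned by root and not writable by andrea, yet andrea can delete it, because she owns the directory it lives in. Eve, sharing only the users group, can read it (the others bits allow it) but can neither modify nor delete anything in andrea's directory.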
This section is being re-written due to major structural changes to the SQL module prior to 1.2.0
There is a README.Pam in the top-level directory of the ProFTPD source distribution:
Redhat Linux
    #%PAM-1.0
    auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth       required     /lib/security/pam_pwdb.so shadow nullok
    account    required     /lib/security/pam_pwdb.so
    session    required     /lib/security/pam_pwdb.so

SuSE Linux
The following fragment is reported to work fine on SuSE 6.2

    /etc/pam.d/ftpd
    #%PAM-1.0
    # Uncomment this to achieve what used to be ftpd -A.
    # auth     required     /lib/security/pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail
    auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth       sufficient   /lib/security/pam_ftp.so
    auth       required     /lib/security/pam_unix.so
    auth       required     /lib/security/pam_shells.so
    account    required     /lib/security/pam_unix.so
    password   required     /lib/security/pam_unix.so
    session    required     /lib/security/pam_unix.so

FreeBSD

    ftp session required pam_unix.so try_first_pass
mod_ldap is currently stable; a couple of bugs were squashed after release 1.0 of the module. It is still under development; check http://horde.net/~jwm/software/proftpd-ldap/ for more information. There is an example config fragment on the author's site which gives a reasonable idea of how to use this module.
It requires OPIE (http://inner.net/opie/) to be installed on the server. There are key generation clients for Windows 95/98, *nix and Mac.
Some specific mentions, in no particular order; if I've missed anyone, please drop me a line.
Updates to the SQL section, Michael Grabenstein <mgrabens@popd.isinet.com>
Matt Mozur, who's been cleaning up some of my mess and generally stuffing patches in my direction.
TJ Saunders, for the HOWTOs and other docs.