NEWS -- August 15, 2002 -- The next release after RH 7.3 is
coming in their Raw Hide; Red Hat's vsftpd is a delight,
and seems free of exploits. While updates are a bit slow, no security
matters of specific import remain unfixed, and we recommend its use.
We have placed this project into an
unmaintained state as of this date.
If you conclude you are unwilling or unable to discontinue use of
this packaging, we strongly recommend that ALL
accounts be chrooted, and that NO interactive shell access be
allowed to any account able to use FTP. Anonymous FTP
of course meets this definition. The possibility of
gaining further access through a bootstrapped exploit is too great
otherwise.
-- November 15, 2001 -- Pekka Savola has done
fine conversion work on the pam #ifdef SA_LEN error, and added IPv6
extensions, so that it compiles cleanly once again on the
RH 7.x series and is
ready for the future. He has renamed his variant with
a lower case second part -- ftpd-bsd, at 0.3.3-2 -- so
if we stay with that, we will need to Obsolete: the prior name
under which we have issued.
Trustix's variant seems to be lagging. We also saw Kondara,
and a Polish and a Russian port in a recent survey, but none
compile cleanly with a current pam and glibc.
We will probably diverge, or ask Pekka to merge and add a ./contrib/
section to the RPM with our shell tools, and so forth. OpenBSD
is about to go gold with its v. 3.0, and we will wait a bit.
-- July 2, 2001 -- We now (through the ORCchrootftp
script)
automatically verify that a proper /etc/ftpusers file (containing
at least root) is present. -- We know --
this should not be an issue -- but some folks have reported a 'tagged'
robot looking for writable anon FTP servers, accessible to the
ftp userid. This is to make sure you have read the
ORCchrootftp script, and know how to re-enable
Anon. FTP.
-- June 2001 -- Red Hat 7.1 has changed building
from source -- a header file is
being called for and is missing -- we are working on it. For the present, build
on an earlier release. Not a good solution, for it misses the pam
fixes.
-- February, 2001 -- xinetd,
new in Red Hat 7.0, has changed access control --
during the transition period, copy the file ftpd-BSD
from this directory into /etc/xinetd.d/ to supply
the information the
xinetd wrapper control program needs to pass FTP requests.
Then restart your xinetd:
service xinetd restart
to cause it to re-read the configuration files.
-- December, 2000 -- We have decided to pass on the
OpenBSD December 5, 2000 updates.
We are still looking at a fold-in of some nice GPLd code
from Trustix -- their approach is to run as an initscript service --
we rely on inetd wrappers for more control. Additionally, we
have documented ORCchrootftp -- to automatically place
all non-anon. FTP into a per-user chroot ftp jail.
Additionally, it
automatically verifies that a proper /etc/ftpusers file, containing
at least root and ftp, is present.
As before,
Linux's alignment issues seem to exempt our port from the NEED to update
for the OpenBSD vulnerability.
-- July 2000 -- The OpenBSD July 5, 2000 updates on an Owl River SRPM are in
place for the recent ftpd vulnerability, addressed by OpenBSD errata,
ver. 2.7, patch 019_ftpd.patch. (July 9, 2000) -- Our
prior package linked here appears not to be vulnerable to the July
2000 Name or Anon. FTP
vulnerability; it did not use the portion of the code involved, the
setproctitle() function.
BACKGROUND -- Robert R. Wal
<rrw@reptile.eu.org> initially took OpenBSD's ftpd
and ported it to Linux. This was needed, and we adopted this ftpd at
that time, for in late October, 1999, Red Hat had
issued wu-ftpd-2.6.0-1 to address certain Anonymous FTP vulnerabilities.
Unfortunately, it was built without wu-ftpd.org's
patchfile for so-called 'broken' ftp clients
like perl Net::FTP and mirror.pl -- and some of Red Hat's own prior
products.
January 2000 -- Red Hat said it was uninterested (a "WONTFIX")
in supporting its own previously issued
'broken' ftp clients, such as its 6.1 ftp installer. See:
Bugzilla 6385.
This gave us the 'kick in the rear' to finish making the change
throughout all the hosts we admin.
OTHERS -- David Madore
also maintained a prime port site at:
this link.
He handed this off. See:
http://www.eleves.ens.fr:8080/home/madore/programs/#prog_ftpd-BSD
but (15 Nov 2001) this version seems unmaintained against later pam,
does not build cleanly because of the SA_LEN problem, and has a
potential mis-handling of the response IP address when alias interfaces are
in use.
ON YOUR OWN -- The OpenBSD code is under a BSD license, and our
additions and this commentary are GPL'd -- As such there is no warranty,
express or implied. If it breaks, or is broken, you get to keep
the pieces ...
DOWNLOADS -- The ported OpenBSD ftpd files, built on a 7.2 host,
are at our FTP site for Anon. FTP transfer,
here.
We fork a bit from others with some tools, early xinetd support, and
a security patch which may have been needed.
INSTALLATION -- A bit of tweaking of the inetd.conf or xinetd.d
setup, and adding a link in /etc/logrotate.d to
/usr/local/bin/ftpd-logrotate,
are needed post-install.
Pull and rebuild from the SRPM for earlier distributions.
We did the following:
- Initially /bin/touch /var/log/ftpd /var/log/xferlog to
ensure that logging will work
- (pre RH 7.0) Edit /etc/inetd.conf ...
[root@new ftpd-BSD]# grep ftp /etc/inetd.conf | grep -i -v tftp
## non-BSD ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
ftp stream tcp nowait root /usr/sbin/tcpd ftpd-BSD -l -l -S -U -u 022
(still pre RH 7.0) ... and HUP your inetd.
kill -HUP ` ps ax | grep inet | grep -v grep | awk '{print $1}'`
- or in a Red Hat environment:
service inet restart
- (RH 7.0 and following) Attend to getting xinetd working:
[root@new ftpd-BSD]# cat /usr/local/bin/ftpd-BSD
# default: on
# description: The ftpd-BSD FTP server serves FTP connections. It uses \
# normal, unencrypted usernames and passwords for authentication.
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/ftpd-BSD
server_args = -l -l -S -U -u 022
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}
Copy ftpd-BSD to
/etc/xinetd.d and put it in effect by:
service xinetd restart
- Please note that this may (should ?) break your tcp-wrappers
configuration, since the server is no longer started through tcpd.
If you are using this product, you are probably interested in avoiding
the morass of problems with wu-ftpd, and want to ride on the audit
coattails of the OpenBSD folks.
So, remember to
run tcpdchk to catch such induced errors. Edit your
/etc/hosts.allow and /etc/hosts.deny to fix them.
- Then, attend to getting log rotation working:
[root@new ftpd-BSD]# cat /usr/local/bin/ftpd-logrotate
/var/log/ftpd {
missingok
create 0664 root root
}
/var/log/xferlog {
missingok
create 0664 root root
}
[root@new ftpd-BSD]#
Copy ftpd-logrotate to
/usr/local/bin, set its permissions thus:
chmod 755 /usr/local/bin/ftpd-logrotate
and put it in effect by:
ln -s /usr/local/bin/ftpd-logrotate /etc/logrotate.d
- SECURITY -- Please install the
/etc/ftpusers, /etc/ftpchroot and related
access control files to taste, from scratch, or cheat and copy a baseline
from another install:
/etc/ftpusers -- A userid listed here will be denied ftp
access. Good candidates for inclusion: root, all daemon userids.
Note that listing ftp here disables Anonymous FTP.
/etc/ftpaccess -- Lots and lots of options -- no substitute
for reading the man page.
/etc/ftpchroot -- A userid listed here will be allowed ftp, but a chroot
to their home directory will be performed after authentication.
Good candidates for inclusion: all regular userids. Selectively
REMOVE people to be afforded full host view access -- but counsel
them about scp and rsync -av -e ssh first.
See our script
ORCchrootftp
which should be placed into /usr/local/bin with permissions
0700, and run each hour thus:
ln -s /usr/local/bin/ORCchrootftp /etc/cron.hourly
An account with a shell NOT listed in /etc/shells will
NOT be permitted FTP privileges. This is a feature, in that it is
the expected behaviour and not a bug.
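The policy ORCchrootftp is described as enforcing (deny root, ftp and the daemon userids in /etc/ftpusers; jail every regular account through /etc/ftpchroot; leave alone accounts whose shell is not in /etc/shells, since ftpd refuses them anyway) can be expressed in a few shell functions. What follows is an added example written for this page, not the ORCchrootftp script itself nor any code from the package. The uid-500 boundary for regular accounts (the Red Hat 7.x convention), the exempt-list file, the function names and the sample passwd entries are all assumptions or constructed data; the file paths are parameters so it can be tried against copies before being pointed at /etc.

```shell
#!/bin/sh
# Example policy script in the spirit of ORCchrootftp (not the original).
# All paths are parameters; nothing here touches /etc unless you pass it.

# ensure_ftpusers FTPUSERS PASSWD
# Guarantee that root, ftp and every system account (uid < 500, assumed
# Red Hat 7.x convention) appears in FTPUSERS, i.e. is denied FTP login.
# Listing ftp also switches off Anonymous FTP; drop it to re-enable anon.
ensure_ftpusers() {
    ftpusers=$1; passwd=$2
    [ -f "$ftpusers" ] || : > "$ftpusers"
    {
        printf 'root\nftp\n'
        awk -F: '$3 < 500 { print $1 }' "$passwd"
    } | while read -r u; do
        # exact-line match so "ftp" does not satisfy a check for "ftpadm"
        grep -qx "$u" "$ftpusers" || echo "$u" >> "$ftpusers"
    done
}

# build_ftpchroot FTPCHROOT PASSWD SHELLS EXEMPT
# Add every regular account (uid >= 500) whose login shell is listed in
# SHELLS to FTPCHROOT, so ftpd chroots it to its home after login.
# Names in EXEMPT (one per line) keep a full host view and are never
# added; without such a list an hourly run would re-add anyone you removed
# by hand. Accounts with a shell outside SHELLS are skipped: ftpd rejects
# them regardless, so a chroot entry would only mislead.
build_ftpchroot() {
    ftpchroot=$1; passwd=$2; shells=$3; exempt=$4
    [ -f "$ftpchroot" ] || : > "$ftpchroot"
    awk -F: -v shells="$shells" -v exempt="$exempt" '
        BEGIN {
            while ((getline l < shells) > 0) if (l !~ /^#/ && l != "") ok[l] = 1
            while ((getline l < exempt) > 0) skip[l] = 1
        }
        $3 >= 500 && ($7 in ok) && !($1 in skip) { print $1 }
    ' "$passwd" | while read -r u; do
        grep -qx "$u" "$ftpchroot" || echo "$u" >> "$ftpchroot"
    done
}

# demo_run: constructed sample data in a scratch directory; prints its path.
demo_run() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/tcsh
carol:x:502:502::/home/carol:/bin/false
EOF
    printf '/bin/bash\n/bin/tcsh\n' > "$d/shells"   # carol's /bin/false is absent
    printf 'bob\n' > "$d/exempt"                    # bob keeps a full host view
    ensure_ftpusers "$d/ftpusers" "$d/passwd"       # -> root, ftp, daemon
    build_ftpchroot "$d/ftpchroot" "$d/passwd" "$d/shells" "$d/exempt"  # -> alice
    echo "$d"
}

case "${1:-}" in
    demo) demo_run ;;
esac
```

Run it as `sh ftpchroot-policy.sh demo` to see the generated files under the printed scratch directory; for real use, call the two functions hourly from cron with /etc/ftpusers, /etc/passwd, /etc/shells and an exempt list of your choosing. Both functions are idempotent, which is what an hourly cron job needs.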
- ... A wealth of information about the package is available
when you RTFM on the ftpd-BSD
man page. There is really no substitute for doing so.
We could package some of the foregoing into the
spec file, but by not doing so we require the sysadmin to be thoughtful
about security on this potentially dangerous (clear text passwords,
history of buffer overruns) service. Once installed, do so thus:
man 8 ftpd-BSD
It gives the exact method, for example, to lock ordinary users
in a 'chroot' jail of their own directory tree and no more.
After this, you should be back in operation.
CONTACT -- Please let us know at
info+ftpd@owlriver.com
if you
have any luck, or problems, with these instructions
or the package. We've had some nice feedback, which has allowed us
to fine tune content on this page.
This product includes software developed by the University of
California, Berkeley and its contributors.