
Owl River Company

 

  Open Source projects - OpenBSD's ftpd ported to Linux


     NEWS -- August 15, 2002 -- The next release after RH 7.3 is coming in their Raw Hide; Red Hat's vsftpd is a delight, and seems free of exploits. While updates are a bit slow, no security matters of specific import remain unfixed, and we recommend its use. We have placed this project into an unmaintained state this date.

     If you conclude you are unwilling or unable to discontinue use of this packaging, we strongly recommend that ALL accounts be chrooted, and that NO interactive shell access be allowed to any account able to use FTP. Anonymous FTP of course meets this definition. The possibility of gaining access through a bootstrapped exploit is otherwise too great.

-- November 15, 2001 -- Pekka Savola has done fine conversion work on the pam #ifdef SA_LEN error, and added IPv6 extensions so that it compiles cleanly once again on the RH 7.x series and is ready for the future. He has renamed his variant with a lower-case second part -- ftpd-bsd, at 0.3.3-2 -- so if we stay with that, we will need to Obsolete: the prior name under which we have issued it.
     Trustix's variant seems to be lagging. We also saw Kondara, and a Polish and a Russian port, in a recent survey, but none of them compiles cleanly with a current pam and glibc.
     We will probably diverge, or ask Pekka to merge and add a ./contrib/ section to the RPM with our shell tools, and so forth. OpenBSD is about to go gold with its v. 3.0, and we will wait a bit.

     -- July 2, 2001 -- We now (through the ORCchrootftp script) automatically verify that a proper /etc/ftpusers file (containing at least root) is present. We know this should not be an issue, but some folks have reported a 'tagged' robot looking for writable anonymous FTP servers accessible to the ftp userid. This also makes sure you have read the ORCchrootftp script, so that you know how to re-enable anonymous FTP.

     -- June 2001 -- Red Hat 7.1 has changed building from source: a header file is being called for and is missing; a fix is in process. For the present, build on an earlier release. This is not a good solution, for it misses the pam fixes.

     -- February, 2001 -- xinetd, new in Red Hat 7.0, has changed access control -- during the transition period, copy the file ftpd-BSD from this directory into /etc/xinetd.d/ to apply the information needed by the xinetd wrapper control program to pass FTP requests.

     Then restart your xinetd:
     service xinetd restart
to cause it to re-read the configuration files.

     -- December, 2000 -- We have decided to pass on the OpenBSD December 5, 2000 updates. We are still looking at a fold-in of some nice GPL'd code from Trustix; their approach is to run as an initscript service, whereas we rely on inetd wrappers for more control. Additionally, we have documented ORCchrootftp, which automatically places all non-anonymous FTP into a per-user chroot ftp jail. It also automatically verifies that a proper /etc/ftpusers file, containing at least root and ftp, is present. As before, Linux's alignment issues seem to exempt our port from the NEED to update for the OpenBSD vulnerability.

     -- July 2000 -- The OpenBSD July 5, 2000 updates on an Owl River SRPM are in place for the recent buffer overflow, addressed by OpenBSD errata, ver. 2.7, patch 019_ftpd.patch. (July 9, 2000) -- Our prior package linked here appears not to be vulnerable to the July 2000 Name or Anon. FTP vulnerability: it did not use the portion of the code involved in the setproctitle() function.

     BACKGROUND -- Robert R. Wal <rrw@reptile.eu.org> initially took OpenBSD's ftpd, and ported it to Linux. This was needful, and we adopted this ftpd at that time, for in late October, 1999, Redhat had issued wu-ftpd-2.6.0-1, to address certain Anonymous FTP vulnerabilities. Unfortunately, it was built without wu-ftpd.org's patchfile for so-called 'broken' ftp clients like perl Net::FTP and mirror.pl -- and some of its own prior products.

     January 2000 -- Red Hat said it was uninterested (a "WONTFIX") in supporting its prior issued 'broken' ftp clients, such as its 6.1 ftp installer. See: Bugzilla 6385. This gave us the 'kick in the rear' to finish making the change throughout all the hosts we admin.

     OTHERS -- David Madore also maintained a prime port site, which he has since handed off. See: http://www.eleves.ens.fr:8080/home/madore/programs/#prog_ftpd-BSD -- but (15 Nov 2001) this version seems unmaintained against later pam, does not build cleanly because of the SA_LEN problem, and has the potential mis-handling of the response IP when alias interfaces are in use.

     ON YOUR OWN -- The OpenBSD code is under a BSD license, and our additions and this commentary are GPL'd -- As such there is no warranty, express or implied. If it breaks, or is broken, you get to keep the pieces ...

     DOWNLOADS -- The ported OpenBSD ftpd files, built on a 7.2 host, are at our FTP site for Anon. FTP transfer, here. We fork a bit from others with some tools, early xinetd support, and a security patch which may have been needed.

     INSTALLATION -- A bit of tweaking of the inetd.conf or xinetd.d setup, and adding a link in /etc/logrotate.d to /usr/local/bin/ftpd-logrotate, are needed post-install. Pull and rebuild from the SRPM for earlier distributions.

     We did the following:
  1. Initially /bin/touch /var/log/ftpd /var/log/xferlog to ensure that logging will work

  2. (pre RH 7.0) Edit /etc/inetd.conf ...
    [root@new ftpd-BSD]# grep ftp /etc/inetd.conf | grep -i -v tftp
    ## non-BSD ftp  stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
    ftp  stream  tcp  nowait  root  /usr/sbin/tcpd  ftpd-BSD -l -l -S -U -u 022
    
    (still pre RH 7.0) ... and HUP your inetd:

         kill -HUP `ps ax | grep inet | grep -v grep | awk '{print $1}'`

        - or, in a Red Hat environment:

         service inet restart

  3. (RH 7.0 and following) Attend to getting xinetd working:
    [root@new ftpd-BSD]# cat /usr/local/bin/ftpd-BSD
    # default: on
    # description: The ftpd-BSD FTP server serves FTP connections. It uses \
    #       normal, unencrypted usernames and passwords for authentication.
    service ftp
    {
            disable = no
            socket_type             = stream
            wait                    = no
            user                    = root
            server                  = /usr/sbin/ftpd-BSD
            server_args             = -l -l -S -U -u 022
            log_on_success          += DURATION USERID
            log_on_failure          += USERID
            nice                    = 10
    }
    
    Copy ftpd-BSD to /etc/xinetd.d and put it in effect by:
        service xinetd restart
    

  4. Please note that this may (should ?) break your tcp-wrappers. If you are using this product, you are probably interested in avoiding the morass of problems with wu-ftpd, and want to ride on the audit coattails of the OpenBSD folks. So, remember to run tcpdchk to catch such induced errors. Edit your /etc/hosts.allow and /etc/hosts.deny to fix them.

  5. Then, attend to getting logs rotation working:
    [root@new ftpd-BSD]# cat /usr/local/bin/ftpd-logrotate
    /var/log/ftpd {
        missingok
        create 0664 root root
    }

    /var/log/xferlog {
        missingok
        create 0664 root root
    }

    Copy ftpd-logrotate to /usr/local/bin, set its permissions thus: chmod 755 /usr/local/bin/ftpd-logrotate and put it in effect by:
       ln -s /usr/local/bin/ftpd-logrotate /etc/logrotate.d
    

  6. SECURITY -- Please, install the /etc/ftpusers, /etc/ftpchroot and related access control files to taste from scratch, or cheat and copy a baseline from another install:

    /etc/ftpusers -- A userid listed here will be denied ftp access. Good candidates for inclusion: root, all daemon userids.

    /etc/ftpaccess -- Lots and lots of options -- no substitute for reading the man page.

    /etc/ftpchroot -- A userid listed here will be allowed ftp, but a chroot to their home directory will be performed after authentication. Good candidates for inclusion: all regular userids. Selectively REMOVE people to be afforded full host view access -- but counsel them about scp and rsync -av -e ssh first. See our script ORCchrootftp which should be placed into /usr/local/bin with permissions 0700, and run each hour thus:

    ln -s /usr/local/bin/ORCchrootftp /etc/cron.hourly

    An account with a shell NOT listed in /etc/shells will NOT be permitted FTP privileges. This is a feature in that it is an expected behaviour, and not a bug.

  7. ... A wealth of information about the package is available when you RTFM on the ftpd-BSD man page. There is really no substitute for doing so.

    We could package some of the foregoing into the spec file, but by not doing so, are requiring the sysadmin to be thoughtful about security on this potentially dangerous (clear text passwords, history of buffer overruns) service. Once installed, do so thus:

        man 8 ftpd-BSD
    
    It offers the exact method, for example, to lock ordinary users in a 'chroot' jail of their own directory tree and no more.

     After this, you should be back in operation.
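     The following script ties steps 1, 4 and 6 above together as one post-install audit that can be run by hand or placed into /etc/cron.hourly in the same way as ORCchrootftp. It is an added example written for this page, not the ORCchrootftp script shipped with the package, and it assumes the Red Hat 7.x layout described above: the xinetd service file copied to /etc/xinetd.d/ftpd-BSD, uid 500 as the boundary between daemon accounts and regular users, and an /etc/ftpchroot.exempt file (a convention of this script only, one login per line) naming the users deliberately left out of the chroot list. ROOT can be pointed at a staging directory to try it without touching the live /etc.

```shell
#!/bin/sh
# ftpd-bsd-audit: post-install check for an ftpd-BSD host (example written for
# this page, not the package's own ORCchrootftp script).  Set ROOT to a staging
# tree to try it without touching the live /etc.  UID_MIN=500 is the Red Hat
# 7.x boundary between daemon accounts and regular users (assumed here).
ROOT="${ROOT:-}"
UID_MIN="${UID_MIN:-500}"

# Step 1: the log files must exist before ftpd-BSD can append to them.
ensure_logs() {
    mkdir -p "$ROOT/var/log"
    touch "$ROOT/var/log/ftpd" "$ROOT/var/log/xferlog"
}

# Login names below UID_MIN: root and the daemon accounts.
system_users() {
    awk -F: -v min="$UID_MIN" '$3 < min { print $1 }' "$ROOT/etc/passwd"
}

# Ordinary accounts: UID_MIN and up, excluding the 65534 nobody-style uid.
regular_users() {
    awk -F: -v min="$UID_MIN" '$3 >= min && $3 < 65534 { print $1 }' "$ROOT/etc/passwd"
}

# Append each name read from stdin to file $1 unless it is already listed, so
# an hourly run neither duplicates entries nor discards manual additions.
add_missing() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    while read -r u; do
        grep -qx "$u" "$f" || echo "$u" >> "$f"
    done
}

# Step 6, /etc/ftpusers: root, ftp and every daemon account are denied FTP.
# Listing ftp is what switches anonymous FTP off; remove it only deliberately.
ensure_ftpusers() {
    { echo root; echo ftp; system_users; } | sort -u | add_missing "$ROOT/etc/ftpusers"
}

# Step 6, /etc/ftpchroot: every regular account is jailed in its home directory.
# Names in /etc/ftpchroot.exempt (a convention of this script, not of ftpd-BSD)
# are skipped, so a deliberate exemption survives the next hourly run.
ensure_ftpchroot() {
    regular_users | while read -r u; do
        grep -qsx "$u" "$ROOT/etc/ftpchroot.exempt" || echo "$u"
    done | add_missing "$ROOT/etc/ftpchroot"
}

# Accounts whose shell is not in /etc/shells: ftpd-BSD refuses them, so report
# them now rather than learn of it from a user.  The anonymous account is
# governed by /etc/ftpusers instead and is skipped.
denied_by_shell() {
    awk -F: -v shells="$ROOT/etc/shells" '
        FILENAME == shells { if ($1 != "" && $1 !~ /^#/) ok[$1] = 1; next }
        $1 != "ftp" && !($7 in ok) { print $1 }' "$ROOT/etc/shells" "$ROOT/etc/passwd"
}

# Step 4: tcp_wrappers matches rules on the daemon's basename, so rules written
# for in.ftpd stop matching once the server is ftpd-BSD.  Read the name from
# the xinetd service file and check that hosts.allow or hosts.deny mentions it.
wrapper_daemon_name() {
    awk -F= '$1 ~ /^[[:space:]]*server[[:space:]]*$/ {
        gsub(/[[:space:]]/, "", $2); n = split($2, p, "/"); print p[n] }' \
        "$ROOT/etc/xinetd.d/ftpd-BSD"
}

wrapper_rule_present() {
    d=$(wrapper_daemon_name)
    [ -n "$d" ] || return 1
    grep -qsE "^[[:space:]]*$d[[:space:]]*[,:]" "$ROOT/etc/hosts.allow" "$ROOT/etc/hosts.deny"
}

main() {
    ensure_logs
    ensure_ftpusers
    ensure_ftpchroot
    echo "accounts refused by the /etc/shells check:"
    denied_by_shell | sed 's/^/  /'
    if wrapper_rule_present; then
        echo "tcp_wrappers rule found for $(wrapper_daemon_name)"
    else
        echo "WARNING: no hosts.allow/hosts.deny entry for $(wrapper_daemon_name); run tcpdchk"
    fi
}

# Run the audit only when invoked as "ftpd-bsd-audit run", so the file can
# also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

     Run it as sh ftpd-bsd-audit run, or as ROOT=/tmp/stage sh ftpd-bsd-audit run against a copy of /etc first. Because add_missing only appends names that are absent, an hourly run re-asserts the baseline without duplicating entries, and the exemption file is what keeps a deliberately un-chrooted user from being put back on the next pass; a script that simply regenerates /etc/ftpchroot each hour would silently undo the selective removal step 6 asks for.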

     CONTACT -- Please let us know at info+ftpd@owlriver.com if you have any luck, or problems, with these instructions or the package. We've had some nice feedback, which has allowed us to fine tune content on this page.


This product includes software developed by the University of California, Berkeley and its contributors.
Last updated 011115 RPH

       

© 2008 Owl River Company. All rights reserved.

Last modified: Tue, 27 Aug 2002 22:12:17 -0400
http://www.owlriver.com/projects/ftpd-BSD/index.php