This is the NOTES file -- part of the unofficial enhanced version of
WU-FTPD 2.4 maintained by Academ Consulting Services as a public service
to the Internet. Comments about any of this distribution are welcome
to <wu-ftpd-bugs@academ.com>.
-----------------------------------------------------------------------------
It is STRONGLY recommended that you read chapters on running an FTP archive
in the O'Reilly Book "Managing Internet Information Services" by Liu, Peek,
Jones, Buus and Nye (ISBN 1-56592-062-7) for details on configuration of
this ftp server. This distribution has been tailored to match up as closely
as possible with the server documentation in Chapters 5 and 6 of this book.
Any differences are noted in this file.
-----------------------------------------------------------------------------
There are two FAQ (Frequently Asked Questions) postings that you
may wish to consult as well. The first is maintained (at the time of this
writing) by Perry Rovers and is called "Anonymous FTP: Frequently Asked
Questions (FAQ) List". It is a general introduction to FTP from a novice
perspective. The second is maintained by Christopher Klaus and is called
"Security: Anonymous FTP FAQ" and contains a good overview of setting up
a secure anonymous ftp server (including specific information about
setting up wu-ftpd). Both FAQs are posted periodically to the Usenet newsgroup
"news.answers" and are available via anonymous ftp from rtfm.mit.edu
in the /pub/usenet/news.answers directory. Look for the first faq in the
ftp-list directory under the name "faq". Look for the second faq in the
computer-security directory under the name "anonymous-ftp-faq". For those of
you with browsers the URLs are:

 ftp://rtfm.mit.edu/pub/usenet/news.answers/ftp-list/faq
 ftp://rtfm.mit.edu/pub/usenet/news.answers/computer-security/anonymous-ftp-faq

----------------------------------------------------------------------------

Differences between "Managing Internet Information Services" Chapter 5 
and Chapter 6 and this distribution are in this section.

Section 5.1 says that "build bsd" will build an ftp server for BSDI. This is
no longer true. To build for BSDI/OS, use "./build bdi" instead. There is also
a specific setup for FreeBSD which can be used by entering "./build fbs".

Section 5.2 says that the -a option is the default. This is no longer true.
To make use of the ftpaccess file, you must provide this option on the
command line. The -A option is now the default. This makes wu-ftpd act more
like the standard ftp daemon by default. It also prevents folks from
accidentally making use of the ftpaccess file provided as an example without
first reviewing the contents of that file.

Section 5.5 says that ftp and anonymous are seen as being different names by
the server. This is no longer true.

----------------------------------------------------------------------------
Michael Brennen <mbrennen@fni.com> notes that FIXES-2.4-HOBBIT suggests that
the -lskey option should be in LFLAGS. He found that it should be in LIBES.
----------------------------------------------------------------------------
Also, FIXES-2.4-HOBBIT suggests that skey.h should be put in the src
directory. It should be put in the support directory.

Finally, the correct s/key library to use is the one from the logdaemon
package by Wietse Venema. Check ftp://ftp.win.tue.nl/pub/security/index.html
for details on getting this package.
-----------------------------------------------------------------------------
If you are going to use the ftpaccess file, you need to have at least 
*one* class defined in the ftpaccess file. In the next major release, 
this will change.
-----------------------------------------------------------------------------
The ftpd(8) man page that came with your Operating System should do a
good job of explaining how to set up the anonymous ftp hierarchy.
At the very least, you will need ~ftp/bin (mode: 111 ---x--x--x)
with a copy of "ls" (mode: 111 ---x--x--x) and ~ftp/etc 
(mode: 111 ---x--x--x) with an /etc/passwd. Alternatively, you
may want to read the secure-ftpd-faq. 
-----------------------------------------------------------------------------
Don't put encrypted passwords in ~ftp/etc/passwd.  In fact, all you
really need is entries for root and ftp.  "ls" is the only software
that uses this information. The server software does not use it.
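
The two notes above (mode 111 on ~ftp/bin and ~ftp/etc, and no encrypted
passwords or unneeded accounts in ~ftp/etc/passwd) can be checked with a
short script. This is an added example, not part of the wu-ftpd
distribution; the function names and the list of placeholder password
values (*, x, !) are assumptions.

```shell
#!/bin/sh
# Added example (not part of the wu-ftpd distribution).

# passwd_findings FILE: print one finding per line for a chroot passwd file.
#   HASH:<user>   field 2 is neither empty nor a placeholder made of *, x or !
#   EXTRA:<user>  an account other than root or ftp is listed
passwd_findings() {
    awk -F: '
        /^#/ || /^$/                 { next }
        $2 != "" && $2 !~ /^[*x!]+$/ { print "HASH:" $1 }
        $1 != "root" && $1 != "ftp"  { print "EXTRA:" $1 }
    ' "$1"
}

# mode_findings FTPROOT: report bin and etc when missing or not mode 111.
mode_findings() {
    for d in "$1/bin" "$1/etc"; do
        if [ ! -d "$d" ]; then
            echo "MISSING:$d"
            continue
        fi
        # Compare the symbolic mode; cut drops any ACL/SELinux suffix.
        perms=$(ls -ld "$d" | cut -c1-10)
        [ "$perms" = "d--x--x--x" ] || echo "MODE:$d:$perms"
    done
}

# Typical use (the ftp home path is an assumption):
#   passwd_findings /home/ftp/etc/passwd
#   mode_findings /home/ftp
```

No output from either function means the area matches the notes above.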
-----------------------------------------------------------------------------
Anonymous FTP may have some troubles on machines which use dynamic
shared libraries. You will have trouble with using the binaries in 
~ftp/bin if those binaries were compiled using those shared libraries, 
as the chroot() that ftpd does for anonymous users to ~ftp means that
those links to the shared libraries are lost.  You cannot make a
hard link or soft link to the libraries as the chroot will make
those links meaningless. There are two ways to fix this:

    1) Track down, using ldd, all the shared libs used by each binary you
       want to put in ~ftp/bin.  Then copy these into their
       corresponding places in ~ftp: i.e., /usr/lib/ld.so must be
       copied into ~ftp/usr/lib/ld.so.  However, ldd does not always
       show all the files that a compiled program may try to reference;
       if you use trace you can see every system call a binary makes,
       and that should show you every dependency.  If you compiled with
       gcc, there are likely to be lots of references made.

    2) Recompile any binary you wish to put in ~ftp/bin (ls, gzip, gtar,
       etc) using the -Bstatic (or -static in gcc) option in the CFLAGS
       *and* LDFLAGS options in their respective makefiles.  You can
       get GNU versions of ls and gzip and everything else from
       wuarchive.wustl.edu.  This is the easiest and most foolproof
       method - the statically compiled binaries may be a tad bigger,
       but you can use strip to pare down the size.
    [thanks to Brian Behlendorf for rewriting #4 more elegantly.]

    3) One place to get source from which a statically linked ls can be
       built is: ftp://ftp.funet.fi/pub/local/src/ftpd-ls.tar.gz. 
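
Method 1 can be scripted as follows. This is an added example, not part of
the wu-ftpd distribution; the function names and /home/ftp are assumptions,
and the ldd output format assumed is the "name => /path (address)" form.
As noted above, ldd may not show every file a program references.

```shell
#!/bin/sh
# Added example: list and stage the shared libraries a chrooted binary needs.

# Read `ldd` output on stdin; print one absolute library path per line.
# Lines with no path (vdso, "statically linked", "not found") are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # libc.so => /lib/libc.so
        $1 ~ /^\//               { print $1 }        # /usr/lib/ld.so
    ' | LC_ALL=C sort -u
}

# Read `ldd` output on stdin; print names the loader could not resolve.
ldd_missing() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# stage_libs ROOT: read library paths on stdin and copy each one to the
# same path under ROOT (e.g. /usr/lib/ld.so -> ROOT/usr/lib/ld.so).
stage_libs() {
    root=$1
    while IFS= read -r lib; do
        mkdir -p "$root$(dirname "$lib")" || return 1
        # cp copies the file a symlink points to, so no link that would
        # dangle inside the chroot is created.
        cp "$lib" "$root$lib" || return 1
        # Read and execute only, the mode the NeXT note uses for its library.
        chmod 555 "$root$lib"
    done
}

# Typical use (paths are assumptions):
#   ldd /bin/ls | ldd_paths | stage_libs /home/ftp
#   ldd /bin/ls | ldd_missing
```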
-----------------------------------------------------------------------------
Make sure that you have a /etc/shells that lists all valid shells on
your system.  Otherwise, those who have shells not listed there will
not be able to log in via ftp.  [Yes, this is the expected behavior.]

Under Solaris 2.1, there is no /etc/shells by default.
-----------------------------------------------------------------------------
Under Solaris 2.1, you need to have the following in ~ftp/dev
      crw-rw-rw-  1 root      11,  42 Mar 24 17:00 tcp
      cr--r--r--  1 root      13,  12 Mar 24 16:23 zero
-----------------------------------------------------------------------------
Under OSF/1, you need ~ftp/etc/sia/siainitgood. [Do you need this under
DEC UNIX? Someone let me know. == sob]
-----------------------------------------------------------------------------
Under DEC Ultrix, you need ~ftp/etc/svc.conf
-----------------------------------------------------------------------------
NeXT systems:  You need a copy of /usr/shlib/libsys_s.B.shlib in 
    ~ftp/usr/shlib/libsys_s.B.shlib.  Make sure that ~ftp/usr, ~ftp/usr/shlib
    are mode 0555 (dr-xr-xr-x) and ~ftp/usr/shlib/libsys_s.B.shlib is mode 
    0555 (-r-xr-xr-x).
-----------------------------------------------------------------------------
If you are using this system under Linux, you may get lots of warnings
about problems when you compile - Just ignore them...
You will probably need at least libc4.3.3 and gcc2.3.3 to compile this..
You will also get (for now at least) errors (sometimes) when you do an
ls or dir command.. This is a bug in the current Linux libraries..
It will say :-
425 Can not build Data Connection. Transport Endpoint Already Connected.
(Or something like that...) Just retype the ls/dir command until it works
all other commands work fine..
                                [karl@hci.national-physical-lab.co.uk]
-----------------------------------------------------------------------------

How to make wu-ftpd use shadow passwords on an older (a.out) Linux system.

[ Note: on ELF Linux systems it is not necessary to link with libshadow.a
  - /usr/include/shadow.h and getspnam() are in the standard libc-5.x.
  You only need to define SHADOW_PASSWORD in config.h.  The same wu-ftpd
  binary should work with both shadow and non-shadow passwords.  The
  change from crypt() to pw_encrypt() is only necessary if you are using
  DOUBLESIZE passwords (not recommended because of a known weakness).
  -- Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> ]

First :
 
- Get the shadow.h from the latest shadow package.
- After building the shadow package, you have a libshadow.a.
- Build wu-ftpd the normal way, so it is configured for Linux.

Then :
- Copy shadow.h to the src dir.
- Copy libshadow.a to the support dir.
- Edit src/config.h to say '#define SHADOW_PASSWORD' instead of #undef.
- Edit the LIBES line in src/Makefile to read :

LIBES    = -lsupport -lbsd -lshadow

And then modify src/ftpd.c in line 1061 to read :

        xpasswd = pw_encrypt(passwd, salt);

Finally:
- Rebuild wu-ftpd

-----------------------------------------------------------------------------
Certain files need to be inside the anonymous ftp hierarchy.
They are all referenced after the chroot(~ftp):
        all messages (deny, welcome, etc.)
        shutdown
        _PATH_EXECPATH
-----------------------------------------------------------------------------
In order for shutdown to work properly for real, guest, and anonymous
users -- you must create a link.  

    For example... if shutdown is defined to be /etc/shutmsg:
        root# ln -s ~ftp/etc/shutmsg /etc/shutmsg

That way, when ftpshut creates the shutdown message, it will be
within the real user space and the anonymous user space.
-----------------------------------------------------------------------------
On many operating systems, you will need to duplicate the necessary
database files that support the ctime() family of routines. On SunOS,
this means duplicating the /usr/share/lib/zoneinfo directory relative
to ~ftp. On BSD/OS, this means copying the /etc/localtime file to
~ftp/localtime.
-----------------------------------------------------------------------------
If your version of yacc does not know how to convert ftpcmd.y to ftpcmd.c,
then get a copy of GNU BISON and use it instead. You will need to
modify the makefile to use "bison -y" anywhere that "yacc" is listed.
-----------------------------------------------------------------------------
On IRIX systems, this is one approach that has been suggested for setting
up the chrooted file system:

cp /bin/ls ~ftp/bin
cp /lib/libc.so.1 ~ftp/lib
cp /lib/rld ~ftp/lib
/sbin/mknod ~ftp/dev/zero c 37 0 
chmod 444 ~ftp/dev/zero
chown root.sys ~ftp
chmod 555 ~ftp
chown root.sys ~ftp/bin ~ftp/dev ~ftp/etc ~ftp/incoming ~ftp/lib
chown ftp.ftp ~ftp/pub
chmod 111 ~ftp/bin ~ftp/etc
chmod 555 ~ftp/lib ~ftp/dev ~ftp/pub
chmod 1733 ~ftp/incoming
chmod 444 ~ftp/etc/passwd ~ftp/etc/group
[Courtesy of Bas Meijer <brmeijer@worldonline.nl>]
-----------------------------------------------------------------------------
On Digital Unix, the default configuration assumes you have the
C2 security OSFC2SEC4xx subset installed. If you don't want this, you
should edit src/makefile.dec and edit as noted in that file. You will
also need to edit src/config/config.dec to undef SECUREOSF.
[Miguel Mena <migi@zuo.dec.com>] [Becki Kain <beckers@josephus.furph.com>]
-----------------------------------------------------------------------------
If you want to protect the access to FTP and use VIRTUAL FTP, you must use
the built-in ftpaccess facility and not TCP-Wrapper since the latter
binds all the local address with no distinction, thus rendering the VIRTUAL
FTP impossible. [Philippe Langlois <Philippe.Langlois@INTRINsec.com>]
-----------------------------------------------------------------------------
On Solaris 2.5 and 2.5.1, there is a bug in the interaction between NFS
mounted filesystems and the flock system call which will cause the system
to crash (BugID 1248041). Be sure to get the patch that fixes this or 
avoid using NFS mounted file systems with this daemon.
-----------------------------------------------------------------------------
On Solaris 2.5.1, the 2.5.1 libraries that are supposed to go into
~ftp/usr/lib directory when the ftp users want to use dynamically
linked 'ls' don't work when used that way.  Apparently, the problem
could be fixed by replacing all the libraries with their respective 
Solaris 2.5 versions. The BugID for this is 4018605.
-----------------------------------------------------------------------------
On Solaris 2.6, snprintf is in the C library. The file that builds the support
library, support/makefiles/Makefile.sol, will need to be altered not to
create snprintf.o. Look in this file to see what to do. 
NOTE: I didn't have access to Solaris 2.6 to verify this, so this is a guess
on my part.
-----------------------------------------------------------------------------
Eilon Gishri says that VIRTUAL will work on AIX 3.2 and 4.1. He also believes
it will work on 4.2. It's still off by default for versions other than 4.1,
but you can turn it on and try it if you like. Eilon can be reached via
email at <eilon@aristo.tau.ac.il>.
-----------------------------------------------------------------------------
For those of you who have a desire to alter the defaults, the way to do this
is to alter the Makefile and config.h file for the particular operating system
you are running and then do a "./build clean" followed by "./build XXX" where
XXX is the operating system abbreviation used by wu-ftpd. There are
three places where Makefiles for the operating systems are stored. The 
locations are the "makefiles" directory in the root of the distribution
(./makefiles), the "makefiles" directory in the support directory
(./support/makefiles) and the "makefiles" directory in the src directory
(./src/makefiles). The config.h file repository is in the config directory
in the src directory (./src/config).
-----------------------------------------------------------------------------
The C compiler bundled with HP-UX 10.X is not adequate for building wu-ftpd.
GCC or the unbundled C/ANSI compiler should be able to build wu-ftpd correctly.
-----------------------------------------------------------------------------
$Id: NOTES,v 1.12 1997/12/21 23:01:03 sob beta16 sob $




