Frequently Asked Questions about wu-ftpd, with answers

This article contains the answers to Frequently Asked Questions (FAQ) concerning the wu-ftpd software. To ask questions about wu-ftpd, subscribe to the mailing list and ask there.

If you wish to get the latest version of this file, it is available as
   Via WWW :
   Via FTP :

Comments : this version still lacks details about certain operating systems. Comments about those are welcome.
_________________________________________________________________

1. Contents of this FAQ

 1. Contents of this FAQ
 2. What is this document
     1. What is the intended audience for this document
 3. What is WU-FTPD itself ?
     1. What is the license status for WU-FTPD ?
     2. How do I subscribe/unsubscribe to the mailing lists ?
     3. Is this list archived anywhere ?
     4. What are related documents ?
     5. Are there any alternatives ?
 4. Where do I get WU-FTPD ?
     1. Where do I get the latest version ?
     2. What were the VR patches for WU-FTPD ?
     3. What is BeroFTPD ?
     4. PGP verification of the package fails!
 5. Compiling WU-FTPD
     1. cc complains about strunames, typenames, modenames, .. being undeclared.
     2. I don't have yacc
     3. WU-FTPD doesn't 'see' that users are in multiple groups.
     4. I get "conflicting types for `realpath'"
     5. WU-FTPD doesn't use the shadow passwords on my Linux machine.
     6. It doesn't compile at all on newer Linux installs. The error is :
     7. The timezone in the xferlog is wrong
     8. The timezone in the ls output is wrong
     9. Digital Unix doesn't log commands after an anonymous user logs in
     10. install fails with 'install: ..'
     11. Digital Unix (The Unix Formerly Known As OSF/1) and Enhanced C2 security,
     12. It doesn't compile at all on Digital Unix, errors about struct timeval
     13. What should I do to be able to use WU-FTPD in a HP-UX 10.01
     14. What should I do for HP-UX 10.10 to make it work completely.
     15. Installation notes for HP-UX 10.20.
     16. I want to compile for IPv6
 6. Special compilation options/fixes
     1. I need to authenticate real users via AFS
     2. I need to use S/KEY authorisation
     3. I want to block certain default addresses (IE30User@, mozilla@)
 7. Installing WU-FTPD
     1. Command-line options for WU-FTPD
     2. Testing on a different port number than ftp:21
     3. Not all command line parameters seem to be used by WU-FTPD
     4. How do I use the package file WUFtpd250.wu-ftpd-2.5.0.SPARC.ULTRASparc.2.5.1.2.5.pkg.tar ?
     5. How do I enable WU-FTPD under Redhat 7.1 ?
 8. Are there year 2000 issues with WU-FTPD?
 9. The ftpaccess file
     1. Some files (banners, etc) don't get shown to anonymous users.
     2. What is the exact format of the parameter in the "limit"
     3. What tools are there to check the configuration
     4. Why does %M produce (Max unlimited) on the login banner
 10. Programs (ls, gzip, tar) work for real users, not for anonymous users, giving errors like 425 Can't create data socket (0.0.0.0,20): Bad file number or simply no output.
     1. Solaris
     2. Building a statically linked ls for Solaris fails
     3. Linux
     4. Dec OSF
     5. SunOS4.1.x
     6. AIX
     7. IRIX (5.3, 6.2)
     8. SCO Unix
     9. BSD vs SVR4 ls
     10. It worked, until I upgraded the operating system.
 11. Running WU-FTPD
     1. ftpd always says "221 Server shutting down. Goodbye."
     2. Anonymous ftp works fine, but real users are denied access
     3. ftpconversions doesn't work
     4. On-the-fly compression works, on-the-fly tarring, but not both.
     5. I want to use zip compression (InfoZip)
     6. I want a real user to be able to access the host only via ftp, not via telnet
     7. Somebody uploaded a file with a weird name
     8. I want anonymous users to be able to upload files, but in the most secure manner possible
     9. The upload clause doesn't work with directories as it used to.
     10. The default umask used when a real user uploads a file is wrong
     11. I heard something about 'SITE EXEC' having a security hole
     12. How do I make reports more readable ?
     13. Incoming file transfers fail with SunOS and an NFS mounted incoming
     14. Normal ftp clients work, Netscape ftp's fail. So, passive mode doesn't work.
     15. I made a symbolic link within the anonymous tree or guest tree and it doesn't work for the anonymous/guest users.
     16. I want to redirect anonymous users to another machine
     17. ftpd stops accepting connections when a lot of connections come in.
     18. Running WU-FTPD on a *large* site
     19. Only the first 8 characters of the anonymous username are received by the server.
     20. WU-FTPD fails with '500 Illegal PORT Command' under AIX 4.3 or Solaris 8
     21. I want to host multiple ftp servers on the same machine
     22. I just upgraded and now nobody can log in. It worked before.
     23. I get disconnected directly from the ftp server.
     24. Mirror breaks with WU-FTPD >= 2.6.0.
     25. Logins to the ftp server take a long time, after that things run smooth
     26. ls doesn't show anything except files. It does not show directories and links
     27. My client hangs at the end of a transfer
     28. Sometimes ftpd stops working and inetd logs 'ftp/tcp server failing (looping), service terminated'
     29. I can't login, in the syslog is: get passwd; pwdb: request not recognized
     30. Under Solaris, certain user information stays cached even when changed
     31. Does WU-FTPD support resuming downloads/uploads
 12. Other things
     1. Where is the FTP protocol documented ?
     2. How can I make my ftp-archive accessible by Email (ftpmail) ?
     3. How do I force all clients to switch to binary mode ?
     4. My embedded device has a builtin version of WU-FTPD which is outdated according to your site, how do I update it ?
 13. Credits/miscellaneous
     1. How do I contact the WU-FTPD Development team
     2. I have a correction / new feature, how do I submit it for the WU-FTPD Development team's consideration
     3. I have what I believe to be a critical security problem with the daemon and don't want to talk about it via email. Can I call someone on the telephone

2. What is this document

This is the FAQ (frequently asked questions) for newer versions of WU-FTPD as maintained at ftp.wu-ftpd.org. This document is an addition to the man-pages of WU-FTPD which are part of the installation and available online as .

Answer number one is: Update to the latest version (at this moment: 2.6.2). A lot of problems have been fixed, including security problems.

Note: The various addresses used in this document are for contacting the authors on subjects mentioned in this document. Using these addresses for sending unsolicited Email is forbidden.

Again: please update to the latest version for security purposes!

   1. What is the intended audience for this document

This document (and WU-FTPD in general) needs a general knowledge of Unix system management aimed at the Unix version you are trying to install WU-FTPD on. Subjects like user management, password management, file-system management, changing access settings and chroot environments are prerequisite knowledge.

Reviews of books about Unix in general (and other books) on The Virtual Bookcase at

3. What is WU-FTPD itself ?

Wuarchive-ftpd, more affectionately known as WU-FTPD, is a replacement ftp daemon for Unix systems developed at Washington University (*.wustl.edu) by Chris Myers and later by Bryan D. O'Connor (who are no longer working on it or supporting it!). WU-FTPD is the most popular ftp daemon on the Internet, used on many anonymous ftp sites all around the world.

   1. What is the license status for WU-FTPD ?

The correct answer to this is in the 'LICENSE' file which comes with the source tree and is available online as

   2. How do I subscribe/unsubscribe to the mailing lists ?

Users of WU-FTPD are encouraged to switch to the mailing lists hosted at wu-ftpd.org. The following lists are available :

wuftpd-announce
   Announcements concerning WU-FTPD. This is the ONLY announcement list for WU-FTPD. The list is open subscription, only members of the WU-FTPD Development Group may post.
   Traffic on this list is very low. Traffic should be signed using the development group's PGP signing key.

wuftpd-dev
   General discussion list for developers. The list is open subscription, only subscribed users may post. Traffic on this list is generally low, but can be high occasionally.

wuftpd-doc
   General discussion list for documentation writers. The list is open subscription, only subscribed members may post. Traffic on this list is generally low but can be high occasionally.

wuftpd-questions
   General support and discussion. This is the list to use if you have questions concerning compiling, installing or configuring WU-FTPD. The list is open subscription. Anyone may post. Traffic on this list is generally high (although there are some medium-traffic days occasionally).

To subscribe, send a mail message to Majordomo@wu-ftpd.org with a body of

   subscribe listname
   end

   3. Is this list archived anywhere ?

The old list from wustl.edu is archived from June 1994 until recent, reachable via WWW at , and via ftp at . The search page is at

This archive is maintained by Kent Landfield (kent@landfield.com).

The lists from wu-ftpd.org are available via Anonymous IMAP. Connect to mail.wu-ftpd.org using IMAP (TCP port 143) and give 'anonymous' as your username and your e-mail address as password. If your mail client cannot see the folder list, give the listname to access that list's archive.

   4. What are related documents ?

The RFCs that describe the FTP protocol are rfc959 (updated by RFC2228) and rfc1579. RFCs relating to WU-FTPD are available from

Another possible location to get these is : or

Documents on specific parts of the configuration or specific uses of WU-FTPD:

   o telnet.testing.HOWTO : how to test WU-FTPD using telnet/netcat.
   o upload.configuration.HOWTO : How to allow uploads by remote users in a secure way.

Kent Landfield maintains a resource center to collect all WU-FTPD related links at

Darci Chapman maintains the Solaris/wu-ftpd howto guide at

The man-page for WU-FTPD can be viewed online at with the man-page for ftpaccess in

The Academ WU-FTPD pages at .

'ANONYMOUS FTP CONFIGURATION GUIDELINES'
   A set of guidelines from CERT (Computer Emergency Response Team) about setting up anonymous ftp.

'How to set up a secure ftp server'
   A file describing how to set up anonymous ftp in general in a secure way, avoiding misuse.

'guest howto'
   A document describing the setup of guest groups. A more modern version of the next document.

'guestgroup howto'
   A document describing the set up of guestgroups in WU-FTPD server. At this moment a separate document from this document.

A document describing virtual ftp servers

Ftpaccess on virtual ftp servers

upload.configuration.HOWTO
   How to set up the upload configuration for 2.4.2 Beta 18 VR14 and higher (including 2.6.2).

There are also some books discussing setting up anonymous FTP. The book links link to the right book on the amazon.com web-site.

   o TCP/IP Network Administration has a section on setting up anonymous ftp.
   o Managing Internet Information Services was a good (maybe a bit outdated) book on WU-FTPD. But, it is out of print.

Reviews of more books about Unix in general (and other books) on The Virtual Bookcase at

   5. Are there any alternatives ?

Troll Ftpd, a free ftp-server, available from
FileDrive, a commercial file-server which needs its own clients, available from
NcFTPd server, commercial server (free for educational domains), available from
ProFTPD, a free ftpserver (GPL), available from
ftpd-BSD, a port of the OpenBSD ftpd, available from
Net::FTPServer, written in Perl, available from

4. Where do I get WU-FTPD ?

The original WU-FTPD home is wuarchive.wustl.edu, but at this moment wuarchive no longer supports or maintains WU-FTPD.
The correct location at this moment for WU-FTPD releases is ftp://ftp.wu-ftpd.org/pub/wu-ftpd/ (please use a real ftp client to access this).

Mirror sites:

   + Austria:
        ftp://gd.tuwien.ac.at/infosys/servers/ftp/wu-ftpd/
        http://gd.tuwien.ac.at/infosys/servers/ftp/wu-ftpd/
   + Canada:
        ftp://ftp.crc.ca/pub/packages/ftp/servers/wuarchive-ftpd-vr/
   + Estonia:
        ftp://ftp.ut.ee/pub/unix/networking/wu-ftpd/
   + Hungary:
        ftp://ftp.ahol.com/pub/mirrors/wu-ftpd/
        ftp://ftp.kfki.hu/pub/infosystems/wu-ftpd/
   + Germany:
        ftp://ftp.dpn.de/pub/mirrors/wu-ftpd/
   + Israel:
        ftp://ftp.tau.ac.il/pub/unix/ftp/wu-ftpd/
   + Japan:
        ftp://ftp.ring.gr.jp/pub/net/wu-ftpd/
        http://www.ring.gr.jp/archives/net/wu-ftpd/
        ftp://ring.aist.go.jp/pub/net/wu-ftpd/
        http://ring.aist.go.jp/archives/net/wu-ftpd/
        ftp://ring.asahi-net.or.jp/pub/net/wu-ftpd/
        http://ring.asahi-net.or.jp/archives/net/wu-ftpd/
        ftp://ring.so-net.ne.jp/pub/net/wu-ftpd/
        http://ring.so-net.ne.jp/archives/net/wu-ftpd/
        ftp://ring.nacsis.ac.jp/pub/net/wu-ftpd/
        http://ring.nacsis.ac.jp/archives/net/wu-ftpd/
        ftp://ring.etl.go.jp/pub/net/wu-ftpd/
        http://ring.etl.go.jp/archives/net/wu-ftpd/
        ftp://ftp.win.ne.jp/pub/network/wu-ftpd/
        ftp://mirror.nucba.ac.jp/mirror/wu-ftpd/
        http://mirror.nucba.ac.jp/mirror/wu-ftpd/
        ftp://ftp.cin.nihon-u.ac.jp/pub/net/ftp/wu-ftpd-vr/
        ftp://ftp.riken.go.jp/pub/net/wu-ftpd/
        http://SunSITE.sut.ac.jp/pub/archives/packages/wu-ftpd/
        ftp://SunSITE.sut.ac.jp/pub/archives/packages/wu-ftpd/
   + Norway:
        ftp://ftp.bitcon.no/pub/unix/networking/wu-ftpd/
        http://archive.bitcon.no/pub/unix/networking/wu-ftpd/
   + Poland:
        ftp://ftp.task.gda.pl/pub/unix/ftp/wu-ftpd-vr/
        ftp://giswitch.sggw.waw.pl/pub/unix/wu-ftpd/
   + Spain:
        ftp://ftp.upc.es/pub/wu-ftpd/
   + Sweden:
        ftp://ftp.sunet.se/pub/nir/ftp/servers/wuarchive-ftpd-vr/
        http://ftp.sunet.se/pub/nir/ftp/servers/wuarchive-ftpd-vr/
   + Switzerland:
        ftp://sunsite.cnlab-switch.ch/mirror/wu-ftpd/
   + Taiwan:
        ftp://ftp.nchu.edu.tw/pub/packages/wu-ftpd/
        http://pds.nchu.edu.tw/pub/packages/wu-ftpd/
   + Turkey:
        ftp://ftp.ulak.net.tr/pub/wu-ftpd/
        http://ftp.ulak.net.tr/pub/wu-ftpd/
   + United Kingdom:
        ftp://sunsite.org.uk/Mirrors/ftp.vr.net/pub/wu-ftpd/
        http://sunsite.org.uk/Mirrors/ftp.vr.net/pub/wu-ftpd/
        ftp://ftp.ox.ac.uk/pub/comp/security/COAST/mirrors/ftp.vr.net/
   + United States:
        ftp://ftp.academy.rpi.edu/pub/wu-ftpd/
        ftp://ftp.vr.net/pub/wu-ftpd/
        http://www.landfield.com/wu-ftpd/wu-ftpd.org/

   1. Where do I get the latest version ?

The WU-FTPD development group maintains WU-FTPD and makes the latest version available at ftp.wu-ftpd.org in ftp://ftp.wu-ftpd.org/pub/wu-ftpd/ (please use ftp to access this).

This version of WU-FTPD is now actively maintained by the WU-FTPD Development Group, reachable by email as (wuftpd-dev@wu-ftpd.org).

   2. What were the VR patches for WU-FTPD ?

The VR-series offered a number of enhancements and bug fixes not available in the base version. The VR patches have been integrated in WU-FTPD 2.5.0 and they will not be available from ftp.vr.net after the end of August 1999.

   3. What is BeroFTPD ?

BeroFTPD was a derivative of WU-FTPD with extra functionality for virtual hosts. Patches from the VR versions were included. The enhancements from BeroFTPD are now incorporated into the main daemon.

   4. PGP verification of the package fails!

The signature has been made with a newer pgp. You need a recent pgp to get the right answer.

5. Compiling WU-FTPD

Since WU-FTPD 2.6.0, GNU autoconf has been introduced, but it is still in an experimental stage. So first try ./configure and if that fails try the old method:

In general, editing src/pathnames.h and typing build arch should be enough.

   1. cc complains about strunames, typenames, modenames, .. being undeclared.

This error is fully explained in the INSTALL/INSTALL.orig file in the wu-ftpd package. A few relevant lines :

   If cc complains about strunames, typenames, modenames, ... being undefined you need to install support/ftp.h as /usr/include/arpa/ftp.h (always make a backup of the old ftp.h just in case!)
   and do the build again. The new ftp.h should be a compatible superset of your existing ftp.h, so you shouldn't have problems with this replacement.

   2. I don't have yacc

Replace yacc with bison -y in the Makefile.

   3. WU-FTPD doesn't 'see' that users are in multiple groups.

This is fixed in recent versions (2.6.2). Upgrade now.

   4. I get "conflicting types for `realpath'"

This is fixed in recent versions (2.6.2). Upgrade now.

   5. WU-FTPD doesn't use the shadow passwords on my Linux machine.

Upgrade to version 2.6.2 or later. They automatically use shadow passwords when available. If this gives problems, you might want to upgrade your Linux.

For older versions: Since older Linux distributions (around libc.5.3 this got fixed) don't include shadow passwords, WU-FTPD might assume your Linux does not have shadow passwords. To compile for shadow passwords with Linux when this happens :

   o Get the shadow.h from the latest shadow package.
   o After building the shadow package, you have a libshadow.a.
   o Copy shadow.h to the src dir.
   o Copy libshadow.a to the support dir.
   o Edit src/config.h to say '#define SHADOW_PASSWORD' instead of #undef.
   o Edit the LIBES line in src/Makefile to read :

        LIBES = -lsupport -lbsd -lshadow

     (for some releases, -lcrypt is also needed)

Modify src/ftpd.c around line 1061 to read :

   xpasswd = pw_encrypt(passwd, salt);

   6. It doesn't compile at all on newer Linux installs. The error is :

Upgrade to version 2.6.2

   7. The timezone in the xferlog is wrong

Either, you compiled with support for setting the process title (SPT_TYPE) on a machine that doesn't support this, where changing the process title clobbers the environment and therefore zaps the TZ variable. Recompile with SPT_TYPE set to SPT_NONE. Systems which don't support SPT_TYPE : AIX, SGI Irix

Or, you need to copy the zoneinfo files to the ~ftp tree too. These are :

   /etc/TIMEZONE
   /etc/default/init
   /etc/localtime (FreeBSD)
   /usr/share/lib/zoneinfo/..

The name of the correct file in /usr/share/lib/zoneinfo depends on your current timezone. Exact filenames depend on your operating system too. See the man-pages for timezone(4) and zic(1M).

   8. The timezone in the ls output is wrong

See above, but also check if your system needs /etc/default/init (Solaris 2.5 for example) for setting the correct TZ variable. This file then has to be in chrooted environments too. Digital Unix needs /etc/zoneinfo/localtime.

   9. Digital Unix doesn't log commands after an anonymous user logs in

Upgrade to version 2.6.2 or later.

   10. install fails with 'install: ..'

The makefile is set up for the bsd version of the install program. Some OS'es (including Solaris) use the svr4 version. In that case set in the makefile :

   INSTALL = /usr/ucb/install

   11. Digital Unix (The Unix Formerly Known As OSF/1) and Enhanced C2 security,

First, upgrade to version 2.6.2 or later. Then, make the changes noted in src/makefiles/Makefile.{dec,du4}.

   12. It doesn't compile at all on Digital Unix, errors about struct timeval

Upgrade to version 2.6.2 or later.

   13. What should I do to be able to use WU-FTPD in a HP-UX 10.01

Upgrade to version 2.6.2 or later. If you are not using C2 security, you may need to change the definitions for SHADOW_PASSWORD and HPUX_10_TRUSTED.

Some kernel configuration may be required to allow more heavy load on lock files and multiple access to the same file. This can all be done through SAM. An important thing to keep in mind on a heavily accessed machine is that the fin_wait state needs to be lowered enough to keep open file locks at a minimum.

   14. What should I do for HP-UX 10.10 to make it work completely.

If the above doesn't work, some more notes :

/usr/include/shadow.h:
   This *system* file had an apparent typo that caused gcc to fail. I changed the following statement:

      extern int lckpwdf(void),

   to

      extern int lckpwdf(void);     <<--- note the ';'

realpath.c:
   I think there was an external reference (maybe more than 1 reference?)
   which did not match the internal declaration. I think I changed the realpath declaration to match the externals. I deleted the original sources so I don't recall the change exactly.

ftpcmd.c:
   This file results from ftpcmd.y (via yacc/bison). Unfortunately the resulting c code will not build. It was necessary to move 2 of the structures to an earlier section. I think it was the 'cmdtab[]' and 'sitetab[]' structures which were moved. They were being called prior to their declaration. (`what bison` gives $Revision: 76.162.1.5 $)

Makefile.hpx:
   Modified to not delete the ftpcmd.c file fixed above.

ftpd.c:
   1) installed the shadow password patch per the instructions in the FAQ. The new code worked without any problems (I'll probably port it to the POP3 server I've been wanting to install).
   2) Modified the sprintf calls near SEPPROCTITLE to include "wuftpd" in the process string (similar to hp-ux ftpd). This allows "ps -ef | grep ftp" to show all connected ftp processes. It might need a little doctoring up since the file names on RETR have ^M^J tacked on.

Extra remark: On a trusted system HP's getpwnam does not supply the encrypted password. Instead you have to use getprpwnam. Modify ftpd.c to use getprpwnam.

   pr_pw = getprpwnam(pw->pw_name);   /* get shadow password */
   xpasswd = crypt(passwd, pr_pw->ufld.fd_encrypt);
   bpasswd = bigcrypt(passwd, pr_pw->ufld.fd_encrypt);

   15. Installation notes for HP-UX 10.20.

A complete set of installation notes for WU-FTPD on HP-UX 10.20:

This section is written by someone else who wishes to remain unnamed.

I installed wu-ftp2.4 on a clean HPUX 10.20 build. The 10.20 build came straight from HP, and the only important differences on this build from a generic build is that the X-libs and X-utils were stripped out (something I would recommend if you are building an HP 10.20 for ftp only).

   - Get both the wu-ftp2.4 package and the current ansi-c compiler package (I got mine from HP, you can request the package ansic.hp-10.20.tar.gz)
   - Uncompress and untar the C package first (HP comes with a standard c compiler, but it is only useful in the kernel compiling and doesn't function well outside of doing kernel work). Follow the README/INSTALL docs for installing the c compiler. Make sure you put this new compiler in your path, or do some editing whenever you use cc to point to this compiler and not the default.
   - Build WU-FTPD normally
   - Set up the server
   - Special notes about tuning for heavy load: The ftp servers that I maintain are heavily hit and some kernel configuration was required to allow more heavy load on lock files and multiple access to the same file. This was all done through SAM. An important thing to keep in mind on a heavily accessed machine is that the fin_wait state needs to be lowered enough to keep open file locks at a minimum. I set all of my fin_waits to 5 minutes or less.

   16. I want to compile for IPv6

At this moment, IPv6 support is not available in WU-FTPD from the WU-FTPD Development Group. But, there is hope, the Kame project makes a patchset available for IPv6 support under BSD and Linux. More info at the Kame project homepage:

6. Special compilation options/fixes

This section deals with specialities in compilation for certain situations.

   1. I need to authenticate real users via AFS

Edit the Makefile for your OS to add the AFS libs/includes. They only appear in the Makefile for AIX. Then, add the following line to the #include section of src/ftpd.c :

   #include

   2. I need to use S/KEY authorisation

Method for 'configure' : (For Solaris 7):

   1. copied skey.h /usr/include
   2. copied libskey.a /usr/lib
   3. ran configure --enable-skey

Method for 'build' :

The general SKEY procedure is something like this: The last thing in config.h is an #undef SKEY; comment that out.
That is a gotcha that can take some time to find, although that doesn't seem to be the problem. Copy skey.h into the src directory. Copy libskey.a into the support directory. Edit the appropriate Makefile.* in src/makefiles and add the following: add "-DSKEY" to the CFLAGS macro; add "-lskey" to the LIBES macro. That should do it; if not, holler back.

   3. I want to block certain default addresses (IE30User@, mozilla@)

Check the option 'deny-mail' in the ftpaccess(5) manpage.

7. Installing WU-FTPD

In general, change the line for the ftp-server in /etc/inetd.conf (the file that defines the servers started by inetd. For some operating systems, this is another file).

   1. Command-line options for WU-FTPD

With the latest versions, using no command-line options will set it to a default-mode, in which it will not parse the ftpaccess file. Add the option -a to the command line in inetd.conf.

   2. Testing on a different port number than ftp:21

This can be done from the command line or with a special definition in /etc/services / /etc/inetd.conf.

For command-line, look up -P and -p in the ftpaccess(5) manpage.

To set up with special definitions, add 2 ports with consecutive numbers in /etc/services, and then start WU-FTPD on these ports. Add to /etc/services something like :

   ftptest         4021/tcp    #command port
   ftptest-data    4020/tcp    #data port

Then start WU-FTPD from /etc/inetd.conf like :

   ftptest stream tcp nowait root /usr/etc/in.ftpd in.ftpd

The key is the name 'ftptest' which associates the port assignment in the /etc/services file to that in the inetd.conf file. Make certain the choice of ports in /etc/services (4021 and 4020 above) are from the local use list and don't conflict with other port assignments (see RFC1700, ASSIGNED NUMBERS).

One important subtlety. The data port is not really derived from the data port declaration in the /etc/services file. The FTP specification (RFC765) states the data port is defined as one less than the command port.
However, including the data port declaration in the /etc/services file prevents it from being accidentally assigned to something else.

   3. Not all command line parameters seem to be used by WU-FTPD

Your inetd probably drops some parameters after a given number (4 or 5). You can use the following wrapper program to give additional parameters :

   /* wrapper for wuftpd to add command line arguments that don't fit
      under inetd */
   #include <errno.h>
   #include <stdio.h>
   #include <stdlib.h>
   #include <string.h>
   #include <syslog.h>
   #include <unistd.h>

   int main(int argc, char **argv)
   {
       char *path = "/local-adm/bin/ftpd";
       char *cmd = "ftpd";

       (void)argc;
       (void)argv;
       fflush(stderr);
       fflush(stdout);
       errno = 0;
       /* on success execl() does not return */
       execl(path, cmd, "-a", "-l", "-L", "-u022", (char *)NULL);
       /* only reached when the exec failed: log the reason */
       openlog("wrapftpd", LOG_PID, LOG_LOCAL6);
       /* pass the message as an argument, never as the format string */
       syslog(LOG_WARNING, "%s", strerror(errno));
       closelog();
       exit(EXIT_FAILURE);
   }

   4. How do I use the package file WUFtpd250.wu-ftpd-2.5.0.SPARC.ULTRASparc.2.5.1.2.5.pkg.tar ?

Unpack the tar into an empty directory which will then have a subdirectory named WUFtpd250. Do not enter this directory, but type 'pkgadd -d .', you will get something like:

   # pkgadd -d .

   The following packages are available:
     1  WUFtpd250     wu-ftpd 2.5.0 SPARC/ULTRAsparc 2.5.1 - 2.5
                      (sun4c,sun4d,sun4e,sun4m,sun4u,sun4u1) 2.5.0

   Select package(s) you wish to process (or 'all' to process
   all packages). (default: all) [?,??,q]:

   5. How do I enable WU-FTPD under Redhat 7.1 ?

Redhat 7.1 uses xinetd instead of inetd. Use chkconfig wu-ftpd on or edit /etc/xinetd.d/ftp to enable the service (it is disabled by default even when WU-FTPD is installed).

8. Are there year 2000 issues with WU-FTPD?

The original version of WU-FTPD had a year 2000 representation problem in the handling of the MDTM (modification time of file) command. No internal workings of WU-FTPD were affected by this problem.

This problem has been fixed in WU-FTPD 2.4.2 beta 14 which was published August 1997. With this fix, WU-FTPD is believed to be completely Y2K-compliant.

The fix that was applied : The following statement appears in ftpcmd.y.
It is part of the action for the syntax:

   MDTM check_login SP pathname CRLF

   reply(213, "19%02d%02d%02d%02d%02d%02d", t->tm_year,
         t->tm_mon+1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);

The 19%02d needs to be changed to %04d and t->tm_year needs to be changed to t->tm_year + 1900:

   reply(213, "%04d%02d%02d%02d%02d%02d", t->tm_year + 1900,
         t->tm_mon+1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);

And WU-FTPD versions that old also have gaping security holes.

9. The ftpaccess file

   1. Some files (banners, etc) don't get shown to anonymous users.

When the anonymous user is logged in, banner files are opened relative to the root of the anonymous user. Keep this in mind. It can be useful to have 2 sets of banners or use links.

   2. What is the exact format of the parameter in the "limit"

This is a format consisting of day and time parameters. Possible items : Sa,Su,Mo, .. Any (for any day) and time parameters. For example : SaSu|Any1800-0700 means all of Saturday and Sunday or Any day between 18:00 and 07:00. Check if ftpd inherits the correct time zone.

   3. What tools are there to check the configuration

ftpcheck found at (version numbers may vary).

10. Programs (ls, gzip, tar) work for real users, not for anonymous users, giving errors like 425 Can't create data socket (0.0.0.0,20): Bad file number or simply no output.

For different operating systems, different libraries and/or devices are needed. You can test if things are running correctly by doing a chroot to the ftp homedir. To test if /bin/ls is working in the ~ftp dir, type :

   chroot ~ftp /bin/ls

Or, the partition is mounted -nosuid which gives the same error under SunOS or Solaris, more information on the page

   1. Solaris

First, have a look at the manpage for the original in.ftpd(1m). It has a script for setting everything up. If the filesystem with ~ftp is mounted -nosuid, the special device files will not work. Solaris needs ~ftp/dev/tcp and ~ftp/dev/zero and the libraries. Check the man-page for your Solaris version for exact details. Use the command ldd to find out which libraries a program uses.
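
One way to apply the ldd advice to a chroot tree, as an added example that is not part of the original FAQ or of the WU-FTPD distribution: the function below reads ldd output and lists every library that is absent under the ~ftp root. The function names and the sample ldd output (which mixes Solaris-style and Linux-style lines) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report shared libraries that a program needs but that
# are missing from a chroot tree such as ~ftp. Names are illustrative.

# chroot_missing_libs ROOT
#   stdin : output of `ldd /path/to/program`, run outside the chroot
#   stdout: one line per library that is not available under ROOT
chroot_missing_libs() {
    root=$1
    while read -r first second third rest; do
        case "$first" in
            /*) path=$first ;;            # "/lib64/ld-linux... (0x...)"
            *)
                if [ "$second" = "=>" ]; then
                    path=$third           # "libc.so.1 => /usr/lib/libc.so.1"
                else
                    continue              # vdso, "statically linked", blanks
                fi ;;
        esac
        case "$path" in
            /*) # resolved on the host: must also exist inside the chroot
                [ -e "$root$path" ] || printf '%s\n' "$path" ;;
            *)  # "=> not found" / "=> (file not found)": missing on the host
                printf '%s (unresolved)\n' "$first" ;;
        esac
    done
}

# Constructed sample input, standing in for the output of `ldd /bin/ls`.
sample_ldd_output() {
    cat <<'EOF'
    libc.so.1 =>     /usr/lib/libc.so.1
    libnsl.so.1 =>   /usr/lib/libnsl.so.1
    libsocket.so.1 =>        /usr/lib/libsocket.so.1
    libintl.so.1 =>  (file not found)
    linux-vdso.so.1 (0x00007ffc0b1f2000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a5c000000)
EOF
}

# Command-line use: sh thisfile ROOT PROGRAM, e.g. ROOT=~ftp PROGRAM=/bin/ls
if [ "$#" -eq 2 ]; then
    ldd "$2" | chroot_missing_libs "$1"
fi
```

An empty result only covers the libraries ldd reports; the device files and the ~ftp/etc files named in this section still have to be checked separately.
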
Also, the ~ftp/etc/group file is needed for ls to work; without it, ls will just dump core. Follow the same rules as for /etc/passwd : not too much information in that file, like group passwords (if you have those).

Needed libraries can include : ld.so, ld.so.1, libc.so.1, libdl.so.1, libintl.so.1, libmp.so.1, libnsl.so.1, libsocket.so.1, libw.so.1, nss_compat.so.1, nss_dns.so.1, nss_files.so.1, nss_nis.so.1, nss_nisplus.so.1, straddr.so

   2. Building a statically linked ls for Solaris fails

This is discussed in the comp.unix.solaris Frequently Asked Questions item 6.24 (at this moment).

   3. Linux

Use the command ldd to find out which libraries a program uses. Create ~ftp/dev/null and ~ftp/dev/zero. You will need the ELF file loader, ld-linux.so in ~ftp/lib.

   4. Dec OSF

Copy the static version of ls (/sbin/ls) and not the dynamic one. The static version is about 400K. Make passwd and group files in ~ftp/etc. Copy from /etc/sia dir to ~ftp/etc/sia the files matrixconf and siainitgood.

   5. SunOS4.1.x

SunOS needs ~ftp/dev/zero, ~ftp/dev/tcp and the libraries. Check permissions on the device files.

   6. AIX

AIX comes with scripts to automate this installation.

   AIX 3.2.5 - /usr/lpp/tcpip/samples/anon.ftp
   AIX 4.1.4 - /usr/samples/tcpip/anon.ftp

After the script is done, change the mode of ~ftp/pub to something safer. Also, AIX comes with a 'dump' utility that can show which libraries a program uses.

   7. IRIX (5.3, 6.2)

IRIX 6.2 needs ~ftp/dev/zero and libraries. To create /dev/zero, check its current major and minor number with :

   ls -lL /dev/zero

And then create it in ~ftp using (MAJOR and MINOR being the two numbers shown by the ls command above) :

   cd ~ftp/dev
   mknod zero c MAJOR MINOR
   cd ..
   chmod 555 dev

You will probably need to copy /lib/libc.so.1 to ~ftp/lib/libc.so.1 and /lib/rld to ~ftp/lib/rld. These are required by ls, compress, gtar and gzip.

You can see what libraries a program needs by doing the following:

   csh# setenv _RLD_PATH /usr/lib/rld.debug
   csh# setenv _RLD_ARGS '-v -quickstart_info -stat'

To stop seeing what libraries are needed unset the environment variables:

   csh# unsetenv _RLD_PATH
   csh# unsetenv _RLD_ARGS

Useful information on Irix is also in the IRIX Insight Library (Online Books) in the book/chapter "IRIX Admin: Networking and Mail" in the paragraph "How to Set Up a Proper Anonymous FTP Account".

   8. SCO Unix

SCO needs /dev/socksys.

   9. BSD vs SVR4 ls

This is a very sneaky one. To quote :

   The problem was that ls_short and ls_long were being defined incorrectly (since the system was compiled with a BSDish compiler, the BSD config file was used) using ls -lA and ls -lgA respectively. It turns out that the ls command was running but it was erroring out (this is because the system is actually running SVR4), since a failed ls produces output only to stderr not stdout I saw nothing for my output.

   10. It worked, until I upgraded the operating system.

Something in the upgrade changed in your OS. Most likely : newer shared libraries. Also : other major/minor numbers in /dev. Redo the shared libs and devices after an upgrade if things like the above happen.

11. Running WU-FTPD

There is a nice set of man-pages with WU-FTPD. They do contain a lot of information. Also, note that a lot of things about the chrooted environment for anonymous users also apply to the chrooted environment for guest users.

   1. ftpd always says "221 Server shutting down. Goodbye."

The directive shutdown in the ftpaccess file points to a file that exists at that moment. Either change the directive or delete the file. Also, after you've used the ftpshut command, you'll need to remove the ftpshut file by hand.

   2. Anonymous ftp works fine, but real users are denied access

Check the following :

   o Reasons for denial are logged using syslog. Check your logs.
   o Their shell is in the /etc/shells file.
Note : AIX doesn't even have this file, so you need to create it for WU-FTPD. o The problem has been fixed in the latest versions for AIX. Get the latest version. o /etc/shells needs the correct access rights (world readable and not world writable). o If you're using shadow passwords : make sure the daemon is compiled with shadow password support. 3. ftpconversions doesn't work There are a lot of possible reasons, mostly having to do with the fact that some versions tar use different command line parameters. o Solaris 2.4 : if you use Solaris tar, and give the commandline as /bin/tar -cf - %s, the effect will be the same as /bin/tar -cvf - %s. The -v option will add extraneous data to the stream. Solution : replace it with /bin/tar cf - %s (no leading -). o Also, check your 'tar' and 'compress' directives in ftpaccess. 4. On-the-fly compression works, on-the-fly tarring, but not both. With Solaris 2.4 and GNU's tar-1.11.8 (configured and compiled with --disable-nls flag) use the GNU tar flag --use-compress-program=path to compression program sample : : : :.tar.Z:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/compress -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS : : :.tar.gz:/bin/ftp-exec/tar -c --use-compress-program=/bin/ftp-exec/gzip -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP 5. I want to use zip compression (InfoZip) Lines for ftpconversions : :.zip: : :/bin/unzip -qq -p %s:T_REG|T_ASCII:O_UNCOMPRESS:UNZIP : : :.zip:/bin/zip -qq -r - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:ZIP Info-ZIP can be found at 6. I want a real user to be able to access the host only via ftp, not via telnet Create a shell for this purpose (for example, a program that says the above or a copy of /bin/true). Put this shell in /etc/shells. Change the shell of the user to that shell. Next : make sure mail cannot be delivered locally to the account. Using the fact that the shell is valid for sendmail (it is in /etc/shells) a user can be able to start commands as that user. 
Information and a sample script on

The same, for AIX. Use chuser (or SMIT) to set the user to login=no, su=no, telnet=no, rlogin=no.

7. Somebody uploaded a file with a weird name

Somebody is trying to misuse your ftp-site for transferring software (worst case scenario). Check if the directive path-filter in the ftpaccess file is something like :

    path-filter anonymous /etc/paths.msg ^[-A-Za-z0-9\._]*$ ^\. ^-

8. I want anonymous users to be able to upload files, but in the most secure manner possible

In general: you don't want this. But, if you're stubborn...

Read the upload.configuration.HOWTO, pointer at the beginning of this faq. Make very sure that you have the latest version of WU-FTPD (2.6.2), and set your path-filter to the one mentioned above. Make the incoming directory owned by something other than ftp (root, or nobody) with a group other than ftp (nobody). Something like :

    drwx-wx-wt root nobody incoming

This will allow ftp to write in the directory, but not read it. Set the upload directive in ftpaccess to something like :

    upload /home/ftp /home/ftp/incoming/* yes root daemon 0400 nodirs

One note : files get created as root and changed to the owner mentioned in the upload line. This will fail on some secure NFS setups. Best solution is to mount the /incoming separately.

9. The upload clause doesn't work with directories as it used to.

Unlimited subdirectory creation has been prohibited as this has been the source of problems with WU-FTPD. You will need to explicitly allow a certain number of levels of subdirs, like for example:

    upload /home/test /home/test/public_html yes test users 0664 dirs 0775
    upload /home/test /home/test/public_html/* yes test users 0664 dirs 0775
    upload /home/test /home/test/public_html/*/* yes test users 0664 dirs 0775
    upload /home/test /home/test/public_html/*/*/* yes test users 0664 dirs 0775

This is new for versions 2.6.0 and higher.

10. The default umask used when a real user uploads a file is wrong

The default umask is inherited from inetd. This can be a wrong one. There is a command line parameter -u. Edit the line in inetd.conf to something like ftpd -A -L -l -u077.

11. I heard something about 'SITE EXEC' having a security hole

In some Slackware distributions the _PATH_EXECPATH is set to something like /bin. Recompile WU-FTPD with it set to a special path like /bin/ftp-exec. To test for this hole, type (when logged in as a real user, not anonymous) :

    ftp> SITE EXEC bash -c id

If you get a return with '200-uid=0(root) gid=0(root)' in it, you have the problem.

12. How do I make reports more readable ?

There are a couple of scripts to make better reports from the xferlog.

o dumpxfer processes the xferlog and gives more humanly readable output
o processlog script to run dumpxfer, email you the output and truncate the log

These are available via anonymous ftp via

Both need Perl.

I (Koos van den Hout) also wrote a Perl script to process the log, mail daily statistics and uploaded files, and create a top list of most downloaded files. It is available from

iistat generates nice transfer graphs from the xferlog file (and from a lot of other sources). Available from

Phil Schwan wrote xferstats, available from ftp://ftp.wu-ftpd.org/pub/support/

Webalizer, a very good web log analyzer, also supports WU-FTPD xferlog format. Available from

13. Incoming file transfers fail with SunOS and an NFS mounted incoming

You get errors like :

    Dec 7 11:14:33 ftphost vmunix: NFS write error 13 on host fileserver fh 746 1 a0000 5fea7 3b5a1bd8 a0000 2 1e0a6aed

That's a known problem. Updating to the latest version is the first help. Other possible solutions :

o Have the incoming disk on the ftpserver itself
o /etc/ftpaccess sets owner to ftp, group to a restricted group and mode to 0040 (only group read)

14. Normal ftp clients work, Netscape ftp's fail. So, passive mode doesn't work.
Apparently ftpd needs write permission on ~ftp/dev/tcp in order to operate correctly in passive mode (Solaris). Set it to the same mode as the permissions shown by ls -lL /dev/tcp, being 666. Also read the Solaris man page for ftpd for Solaris-specific information. Changed from previous versions.

Fix:

    cd ~ftp/dev
    chmod 666 tcp

15. I made a symbolic link within the anonymous tree or guest tree and it doesn't work for the anonymous/guest users.

Symbolic links in Unix are relative to your active root. If you want to access files/directories/diskspace outside your chrooted environment, you'll have to import it using directory loopback mounts (available on at least Solaris) or using NFS mounts (available on most other operating systems, but they have a performance impact).

16. I want to redirect anonymous users to another machine

That's a not-so-well-known ftpaccess feature : just add 'guestserver anon.ftp.server.hostname' to your ftpaccess file.

17. ftpd stops accepting connections when a lot of connections come in.

This is a feature of inetd, not ftpd. Inetd will limit the number of connections that can be made to a service per minute. Some versions allow you to specify this number in inetd.conf, by specifying it in the nowait flag, like :

    ftp stream tcp nowait.256 root /usr/sbin/ftpd ftpd -a

which will allow 256 connections per minute. Check the manpage for inetd.

18. Running WU-FTPD on a *large* site

Tuning for a large site is mostly OS tuning, since WU-FTPD fully depends on the OS to do things like file-caching and tcp-tuning. If your traffic is more than what can flow easily over a 100 Mbit card, maybe you should look into bonding multiple 100 Mbit networks together or go ATM or gigabit ethernet.

WU-FTPD is now suited by default for running on a large site. The patches mentioned below have been included by default.
For example sunsite.doc.ic.ac.uk has made some modifications available at

From the notes on those patches:

    DAEMON
    If ftpd called with -D then run as a standalone daemon listening on the ftp port. This can speed up ftpd response as all ftpd then needs to do is fork off a copy to handle an incoming request. Under inetd a new copy has to be opened and exec'd.

    FILEWHAT
    If SETPROCTITLE doesn't work or if you have so many users that ps takes a long time then FILEWHAT keeps the info in a file so that ftpcount can just print it.

19. Only the first 8 characters of the anonymous username are received by the server.

This is actually a bug in very old ftp-clients which only send the first 8 characters because the password is limited to 8 characters anyway. Upgrade your client.

20. WU-FTPD fails with '500 Illegal PORT Command' under AIX 4.3 or Solaris 8

Both set services in inetd.conf to ipv6, which WU-FTPD doesn't support yet. Fix: change the protocol from tcp6 to tcp.

21. I want to host multiple ftp servers on the same machine

At this moment this is only possible with one IP number for each ftp server. So called 'name based virtual hosting' is inherently impossible with the current FTP protocol. WU-FTPD 2.6.0 supports this to a somewhat limited extent, BeroFTPD supports it somewhat better, but read the catch: There is a draft for an extension to the ftp protocol named HOST to support virtual hosts like HTTP. But, this is a draft and there are a lot of old ftp clients out there. So do not count on using this.

22. I just upgraded and now nobody can log in. It worked before.

Did you look in the system log? The daemon will log the reason for the failure there. It helps a lot to know why.

Most plausible (at the moment) you're upgrading to the latest version and, if you'd look, the syslog says 'not in any class'. That means you're using the old, unsafe wildcards on your class statements such as the following:

    class lcl real,guest,anonymous 127.*.*.*

The latest versions don't support this notation for security reasons. Use netmask or CIDR instead, as in either of the following:

    class lcl real,guest,anonymous 127.0.0.0/8

or

    class lcl real,guest,anonymous 127.0.0.0:255.0.0.0

23. I get disconnected directly from the ftp server.

Most probable reason: in inetd.conf the ftp server gets started using tcpd (tcp_wrappers), which fails a security check. Look in the logfiles named in syslog.conf to see which check fails.

24. Mirror breaks with WU-FTPD >= 2.6.0.

Get the patch for mirror to update it. Available from:

In WU-FTPD 2.6.0, some flaws in dealing with the ftp protocol were fixed, which broke some clients.

25. Logins to the ftp server take a long time, after that things run smooth

Possible causes:

o IDENT (RFC931) lookup is enabled in WU-FTPD. This has a timeout of 10 seconds. If the protocol (port 113) gets blocked by a firewall or suchlike, it will wait for timeout.
o If it is 30 seconds and you are using redhat 7.x with xinetd, disable AUTH in inetd as well. Change the entries in /etc/xinetd.d/ftp that read:

    log_on_success += DURATION USERID
    log_on_failure += USERID

  Remove the 'USERID' from both.
o Any other time period: DNS is broken for the IP address the connection is coming from.

26. ls doesn't show anything except files. It does not show directories and links

Some ftp clients improperly use the NLST and LIST commands. NLST was intended to show files only, for retrieval using the mget command. LIST was intended to show everything in human-readable form. Earlier versions of WU-FTPD did not correctly interpret the RFC which defines these commands, and many ftp clients were written incorrectly and do not use the definitions in the RFC. Starting with WU-FTPD 2.6.0, the interpretation of NLST versus LIST ftp commands has been changed to what is the right interpretation.
NLST lists retrievable files for the ftp mget command, LIST lists all files for a human reader. Suggested fix: fix the client software, or train the users to use ls -l (or dir) in a command-line client to get a listing of the files and directories.

27. My client hangs at the end of a transfer

Starting with WU-FTPD 2.6.0, the FTP RFC has been implemented in a stricter way, which breaks some clients. Most visible clients are mirror and squid. More information on which clients and how to update them at

28. Sometimes ftpd stops working and inetd logs 'ftp/tcp server failing (looping), service terminated'

Inetd counts the number of connections occurring within a minute. If that number exceeds some threshold, it assumes the ftp service is broken (or under attack) and keeps getting restarted, and shuts down the service. In most systems, this can be overcome by adding a parameter to the inetd.conf file like .... nowait.400 (400 connections per minute). Check the specific syntax for your operating system.

29. I can't login, in the syslog is: get passwd; pwdb: request not recognized

Your /etc/pam.d/ftp file is missing/incomplete, it should contain at least:

    #%PAM-1.0
    auth required pam_pwdb.so shadow nullok
    auth required pam_shells.so
    account required pam_pwdb.so
    session required pam_pwdb.so

And for denying users in /etc/ftpusers:

    auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

30. Under Solaris, certain user information stays cached even when changed

Solaris uses nscd to cache certain information. With 'nscd -i passwd' the cache will be refreshed. You can also have a look at the manpage for nscd on how to change this behaviour.

31. Does WU-FTPD support resuming downloads/uploads

Since the correct way to resume a download is not standardized, it depends on the interaction between server and client. The way that it is usually implemented is supported by WU-FTPD.

12. Other things

1. Where is the FTP protocol documented ?
RFC959 documents the FTP protocol.

2. How can I make my ftp-archive accessible by Email (ftpmail) ?

There is a Perl-script collection available named ftpmail. It is available on a lot of ftp-sites (archie for 'ftpmail'), some of which are : nic.funet.fi, ftp.warwick.ac.uk, ftp.loria.fr, ftp.germany.eu.net.

3. How do I force all clients to switch to binary mode ?

You can't. Binary or Ascii transfer is purely a choice of the client in the ftp protocol. Some clients switch to binary mode automatically at startup, but that is purely their choice and not governed by the server.

4. My embedded device has a builtin version of WU-FTPD which is outdated according to your site, how do I update it ?

Firewall the device from the Internet and, if possible, from the network (most embedded devices should not be reachable from the Internet anyway). Then start bugging the vendor for an update, pointing the vendor towards the website for WU-FTPD at .

13. Credits/miscellaneous

A number of people deserve credit :

+ Alexander L. Haiut (alx@cs.bgu.ac.il), creator of the original faq.
+ *Hobbit* (hobbit@avian.org) for the first security patches to WU-FTPD.
+ Stan Barber (sob@owlman.academ.com), long time maintainer of WU-FTPD and the patch-archive for WU-FTPD. Not actively maintaining it anymore.
+ Reinier Post (reinpost@win.tue.nl), for the scripts that maintain this FAQ.
+ And of course, Chris Myers and Bryan O'Connor at Washington University who wrote WU-FTPD in the first place. Warning : Both are no longer working on WU-FTPD, or even working at Washington University. Please don't mail them with questions.
+ And all the people who send me updates for the FAQ or other information. A number of names still archived: Al Longyear (longyear@sii.com), Francois Belanger (francois@goltier.com), Chuck Davis (cdavis@wrair-amss.army.mil), Perry L. Morgan (pmorgan@uceng.uc.edu), Justin Kurmaty (justin@pty.com), Michael Brennen (mbrennen@fni.com), W. James Showalter (gamma@mintaka.disa.mil), Albert Lunde (Albert-Lunde@nwu.edu), Eric (ewedaa@kset.com), Eilon Gishri (eilon@aristo.tau.ac.il), Frans Stekelenburg (gjs@knmi.nl), Jim Davis (jdavis@cs.arizona.edu), Perry A. Stupp (pstupp@i-com.com), Peter Glassenbury (pete@cosc.canterbury.ac.nz), Simon Rakov (Simon_Rakov@iongate.staff.ichange.com), Andy Johnson (asj@cc.usu.edu).

(No chocolate cookies. Yet)

1. How do I contact the WU-FTPD Development team

Send email to (wuftpd-members@wu-ftpd.org)

2. I have a correction / new feature, how do I submit it for the WU-FTPD Development team's consideration

The development team prefers context-diffs against the latest version of the source code. Completely new files may be included separately or as part of the context-diff.

If your entire patch is small (less than 25,000 bytes) you may send it via email, with a brief description of your change, to wuftpd-members@wu-ftpd.org.

If your patch or addition is large (over 25,000 bytes) or involves several files, please create a compressed tar (tar.gz or tar.Z) and upload it to ftp://ftp.wu-ftpd.org/incoming

After you have uploaded, please send a brief description of your patch, along with the name you uploaded it as, to wuftpd-members@wu-ftpd.org.

3. I have what I believe to be a critical security problem with the daemon and don't want to talk about it via email. Can I call someone on the telephone

Yes, but you had better be right. Be sure you have read all of this FAQ, and all of the documentation which came with the daemon.
If you believe you have a problem which affects the security of servers other than your own, you may contact Gregory A Lundberg at

    1-800-809-2195 or 1-937-298-5254 (office)
    1-888-977-5370 or 1-937-299-7653 (home)
    1-937-299-8743 (FAX)

Last modified : Thu Apr 4 23:22:18 2002
_________________________________________________________________

Created by : Koos van den Hout (koos@wu-ftpd.org)
Email related to this faq: (faq@wu-ftpd.org)
Homepage : http://idefix.net/~koos/
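
For question 22 in section 11 (logins failing with 'not in any class' after an upgrade), the following audit finds old wildcard addresses on class lines and proposes the CIDR and netmask forms shown there. It is an added example, not part of WU-FTPD or of the original FAQ; the sample ftpaccess text and the function names are constructed, and it assumes addresses start at the fourth field of a class line, as in the FAQ's examples.

```python
import ipaddress
import re

# Constructed sample ftpaccess content (not taken from a real server).
SAMPLE_FTPACCESS = """\
# constructed example
class   lcl     real,guest,anonymous 127.*.*.*
class   campus  real,guest 192.168.10.* 10.*.*.*
class   odd     real 10.*.5.*
class   ok      anonymous 172.16.0.0/12 127.0.0.0:255.0.0.0
limit   lcl 20 Any /etc/msgs/msg.toomany
"""

# Four dot-separated fields, each a decimal octet or a lone '*'.
OCTET_GLOB = re.compile(r"(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}")


def convert_glob(addr):
    """Convert an a.b.*.* style glob to (cidr, "network:netmask").

    Returns None when addr is not a dotted-quad wildcard (hostnames,
    CIDR and netmask entries are left alone). Raises ValueError when
    the wildcards are not all trailing, since no single netmask can
    express that, or when an octet is out of range.
    """
    if "*" not in addr or not OCTET_GLOB.fullmatch(addr):
        return None
    octets = addr.split(".")
    fixed = 0
    while fixed < 4 and octets[fixed] != "*":
        fixed += 1
    if any(o != "*" for o in octets[fixed:]):
        raise ValueError("wildcard is not trailing: " + addr)
    base = ".".join(octets[:fixed] + ["0"] * (4 - fixed))
    # ip_network() raises ValueError for octets above 255.
    net = ipaddress.ip_network(f"{base}/{8 * fixed}")
    return str(net), f"{net.network_address}:{net.netmask}"


def audit_classes(text):
    """Return (lineno, class_name, old_address, suggestion) tuples.

    suggestion is the (cidr, netmask) pair, or None when the entry
    needs a manual rewrite into several netmask entries.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4 or fields[0] != "class":
            continue
        for addr in fields[3:]:
            try:
                suggestion = convert_glob(addr)
            except ValueError:
                findings.append((lineno, fields[1], addr, None))
                continue
            if suggestion is not None:
                findings.append((lineno, fields[1], addr, suggestion))
    return findings


if __name__ == "__main__":
    for lineno, name, old, new in audit_classes(SAMPLE_FTPACCESS):
        advice = " or ".join(new) if new else "rewrite by hand"
        print(f"line {lineno}: class {name}: {old} -> {advice}")
```

Run it against a copy of your own ftpaccess before upgrading; entries reported as "rewrite by hand" match address ranges that a single netmask cannot describe.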