      defaultserver private
      defaultserver deny <username> [<username> ...]
      defaultserver allow <username> [<username> ...]
o Testing CLOSED_VIRTUAL_SERVER pointed out a bug in user() .. the
  attempt to sleep to slow down password guessers can't work since
  signals are off. The daemon sleeps forever. This has been there for
  years.
o Ported to Digital Unix 4.
o If no 'ftp' user existed, the HELP-HACKERS patch failed to send a
  response which would hang the ftp client.
o BSD auth failures crashed the daemon. This looks like it's been a
  long-standing problem.
o An earlier version changed the behavior of the xferlog to always show
  the full, real path for the file. This should have been a compile-time
  option.
o More typos in ftpaccess.5, some mine, some have been there for ages.
o Added the ability to disable all DNS lookups in the daemon. I've done
  this as a compile-time option and included a discussion of the risks
  and benefits in the config.h for the daemon. Enabling this feature can
  be a win for busy sites because it can reduce the time required to
  make a connection as well as eliminate syslog messages caused by bad
  DNS management at the remote sites.
o Found another undocumented feature. If the <addrglob> on a 'class' or
  'deny' clause starts with a slash (/) it names a file which contains
  any number of additional <addrglob> entries per line and any number of
  lines. Updated manpage.
o Add 'greeting' clause to control the amount of information the server
  gives out on the greeting. The new ftpaccess clause is:
      greeting full|brief|terse
o Added 'email' option for the 'virtual' clause so we may set this as
  well. The new ftpaccess clause is:
      virtual <address> email <string>
o Added the restriction that no real users may log in on the virtual
  server.
o If a guest logs in on the virtual server, deny the login unless their
  chroot point is the virtual server's root. This restricts guest logins
  to the site admin and anonymous users.
o Added 'hostname' option for the 'virtual' clause so we may set the
  name of our multi-homed ftp sites as we can with our default site.
  The new ftpaccess clause is:
      virtual <address> hostname <string>
o Added an ftpaccess clause to limit total connect time. The new clause
  is:
      limit-time {*|anonymous|guest} <minutes>
o Disallow certain email addresses as passwords for anonymous ftp. The
  new ftpaccess clause for this is:
      deny-email <case-insensitive-email-address>
o Fix a bug in the parsing of ftpconversions which I found when I put in
  the new conversions for checksums. Turns out this was the same as the
  bug I fixed in VR4 parsing the ftpgroups file.
o Cleaned up some of the cross-platform user authentication code for
  SECUREOSF.
o Modify the password cryptography for C2 Digital Unix.
o Moved 'retrieve_is_data' to be always compiled into the code since it
  was needed for SITE CHECKSUM.
o Add site-exec-max-lines ftpaccess clause. This clause makes the limit
  on output lines from SITE EXEC configurable. The default is a 20-line
  limit, which was the old compiled-in limit. The new ftpaccess clause
  is:
      site-exec-max-lines <number> [<class> ...]
o Added IGNORE_NOOP as a new compile-time option. It is now the default.
o Added 'SITE CHECKMETHOD' and 'SITE CHECKSUM'.

      SITE CHECKMETHOD [CRC|POSIX|MD5|RFC1321]
          Sets or displays the current check method. If no parameter is
          given, displays the current method; otherwise the method is
          set to the given algorithm. CRC and POSIX are equivalent and
          are the output of the GNU cksum(1) utility. MD5 and RFC1321
          are equivalent and are the output of the GNU md5sum(1)
          utility. The default check method is RFC1321 (MD5).

      SITE CHECKSUM [<file>]
          Calculates the checksum for the named file. If no file is
          given, the last file transferred (uploaded or downloaded) is
          used. If no file has yet been transferred, reports an error.
          The current CHECKMETHOD is used to calculate the checksum.

      New ftpconversions: .crc and .md5
          Two new file conversions were added to the example
          ftpconversion which allow using GET to retrieve the CRC or MD5
          checksums for files.

  NOTE: SITE CHECKSUM requires the installation of two additional
  programs in the ~ftp/bin directory. These programs have the same
  requirements as the external ls(1) program also normally required in
  that directory. For systems without these programs, or which require
  building new copies, the GNU textutils package should be used. This
  package is available at ftp://ftp.gnu.org/pub/gnu/; the current
  version at the time of this writing is textutils-1.22.tar.gz

###########################################################################

Changes in 2.4.2-BETA-18-VR7: Released 15 September, 1998

o Transfer limits tested the wrong values for files uploaded to the
  server.
o Added several new log messages missed in other versions having to do
  with filesystem change attempts.
o Extended logging for rejected or denied functions such as delete,
  rename.
o The QUOTA logic for BSDI doesn't match what's provided by the system.
o My label 'slimy_hack:' appearing just before a '}' causes some
  compilers to belch. I guess some are more ANSI/ISO than others. Made a
  quick fix which ought to make them shut up until I can rewrite pass()
  to make the label go away.
o The include for 'mntent.h' isn't needed unless QUOTE_DEVICE is
  defined. This caused problems on BSDI. Moving the include to only
  appear for systems which use QUOTE_DEVICE.
o The HELP_CRACKERS patch was too aggressive and, if message files were
  defined for 'deny' and 'limit', could tickle bugs in ftp clients. The
  patch is backed off to drop the connection immediately if it violates
  'deny' or 'limit'.
o Extended upload and noretrieve to have an optional parameter which
  specifies whether the named file/directory is interpreted as an
  absolute name or relative to the current chroot'd environment.
o Don't respond to *ANY* commands except USER, PASS and QUIT until the
  remote user logs in successfully.
o Added PARANOID check to deny login if a real user's home directory is
  bad. Something's bunged up in /etc/passwd, why trust it?
o Extended logging for rejected and failed login attempts.
o Fixed a bug in popen which can cause segmentation faults. It's unknown
  if this is exploitable (it doesn't look like it is to me). It's been a
  problem for a long time.
o Fixed a typo in the ftpaccess manpage (What, just one? Come on!)
o Traffic counters weren't protected by TRANSFER_COUNT in some cases.
o The 'daemon' variable conflicts with a 'daemon()' function in some
  runtimes. Renamed.
o Missing <grp.h>. Gotta love Linux's grab-one-get-it-all method for
  defining system headers, don't ya? Grrr.
o DAEMON always includes <sys/termio.h>, it was needed until VR6 removed
  the attempt to detach from the controlling terminal.
o main() is declared void; that's not ANSI, it's just stupid.
o routevector.c uses ulong instead of u_long. ulong doesn't exist on
  many systems.
o defumask caused a data alignment problem on HP-UX 10.

###########################################################################

Changes in 2.4.2-BETA-18-VR6: Released 26 August, 1998

o Fixed handling for the message clause so login and cwd= work as
  expected.
o The daemon responds differently in some cases when it's denying
  access. This could be used by attackers to determine the validity of
  some user names on the target system.
  NOTE: the 331 response for some systems, notably BSD S/Key or other
  challenge/response systems, may differ from the 331 response given. I
  don't have access to those systems to check out the differences. If
  you do, and work out how to hide the access refusal until after the
  password challenge, please forward it to me.
o The upload clause should use realpath on the home directory to be sure
  it matches. Otherwise, real users with /./ in their path will need
  their upload clause to lexically match the home directory entry in
  /etc/passwd. This was not a big issue until I added realuser.
o Fixed a bug with realpath, a missed condition. If chroot'd to '/' the
  xferlog shows '//' at the start of the filename.
o Added the ability to force all UID/GID in a range to be treated as
  guests. The ftpaccess clauses for this are:
      guestuser <username> [<username> ...]
      realgroup <groupname> [<groupname> ...]
      realuser <username> [<username> ...]
o Disallow UIDs and GIDs by numeric range. This can obviate the need for
  /etc/ftpusers. The ftpaccess clauses for this are:
      deny-uid <uid-range> [...]
      deny-gid <gid-range> [...]
      allow-uid <uid-range> [...]
      allow-gid <gid-range> [...]
o Added 'guest-root' to select directory based upon guest UID. The new
  ftpaccess clause is:
      guest-root <root-dir> [<uid-range>]
o Added 'anonymous-root' to select chroot directory based on class of
  anonymous user. The new ftpaccess clause is:
      anonymous-root <root-dir> [<class>]
o Missed a spot where "*" should be matched for the <root-dir> in an
  upload clause.
o Fixed a silly bug in the "rename" clause.
o Change the defaults to deny upload, and other site-modification
  things, for anonymous users.
o Some systems, notably Solaris, have problems with the code the
  standalone daemon mode used to attempt to detach from the terminal
  session. This was in the original patch. Upon thinking about the
  problem, I see no reason to keep the code around. If you need this
  feature, use 'nohup' to run the daemon.
o Standalone daemon mode (in VR4) missed including a header.
o Added '-VR6' to version string in newsvers.sh. This will be updated
  with all future versions.

###########################################################################

Changes in 2.4.2-BETA-18-VR5: Released 15 August, 1998

o Cleaned up some unneeded blank lines sent in responses.
o Added a message to show total traffic counts on the response to QUIT.
o Added file counts, corrected missed bytes, added counts to STAT
  command.
o Added detail counters and ftpaccess clauses to limit the user's
  ability to upload/download files based on these. The new ftpaccess
  clauses are:
      byte-limit [<raw>] <in|out|total> <count> [<class>]
      file-limit [<raw>] <in|out|total> <count> [<class>]
o Restrict throughput for network load management. The ftpaccess clause
  for this is:
      throughput <root-dir> <subdir-glob> <file-glob-list>
          <bytes-per-second> <bytes-per-second-multiply>
          <remote-glob-list>
o Added 'tcpwindow' to configure TCP window size for performance
  tweaking. The ftpaccess clause is:
      tcpwindow <size> [<class>]
o Provided address remapping for PASV mode to allow daemon to run behind
  IP-address translating firewalls (NAT). If you use this with virtual
  hosts, let me know how it goes; I think it works, but let me know if
  it needs extensions for virtual hosts. The ftpaccess clause for this
  is:
      passive address <externalip> <cidr>
o Limit PASV port ranges. The ftpaccess clause for this is:
      passive ports <cidr> <min> <max>
o The original idea for realpath when it was included in the source kit
  was that it would provide missing functionality on systems where it
  was missing or replace existing functionality on systems where it was
  already present. The VR versions presume the daemon will always use
  the included realpath function.

###########################################################################

Changes in 2.4.2-BETA-18-VR4: Released 30 July, 1998

o Added 'defumask' to specify umask values by class in ftpaccess. The
  ftpaccess clause is:
      defumask <umask> [<class>]
o Added the ability to specify groups which have no password. You'll
  still need to SITE GPASS, but just send no password.
o Fixed possible bugs if the ftpgroup file is malformed.
o Allow numeric UID and GID values. On systems with large numbers of
  users and a large number of upload clauses, the daemon can take a
  significant period to process the ftpaccess, passwd and group files.
  Affected ftpaccess clauses include: upload, guestgroup and autogroup.
o The following problems were noted during testing:
      - Issuing PORT prior to login changes the state of the daemon
      - Issuing PASV after PORT does not change the mode reported by
        STAT
      - Illegal PORT commands change the state of the daemon
  This turned out to be two problems: PASV mode was being reset by
  rejected PORT commands, and PASV mode wasn't resetting the state
  completely after setting up a data connection.
o HELP PORT indicated only 5 bytes were needed. Six are.
o Added MAPPING_CHDIR config option to support CWD working like cd
  command in most Unix shells; the PWD shown is the logical path rather
  than the physical path.