QFTPd


News

The latest version is 0.40a.

December 2, 2002 -- Version 0.40a
December 1, 2002 -- qftpd mailing list established. Send an empty message to qftpd-subscribe@qftpd.org to subscribe.

October 19, 2002 -- Version 0.40
July 22, 2001 -- Version 0.30
April 23, 2001 -- Version 0.20
March 27, 2001 -- Initial Release v0.10

What is it?

qftpd is a patch for Dan Bernstein's publicfile package. Publicfile is an anonymous-only ftpd. Despite the insecurities of the ftp protocol, some of us still need to be able to write files once in a while. The short story is that I was sick of constantly recompiling various other ftpds because of security flaws that are intrinsic to the ever-growing bloated list of absolutely useless features that people keep adding to their programs. Enter qftpd on March 10, 2001, so named after qmail. QFTPd is an extension to publicfile that allows for write access based on external user authentication by means of a checkpassword-style interface, similar to qmail-pop3d. This means you can get the security you love/want/need, at the low-low price of compatibility with your existing setup. Furthermore, the writing abilities of qftpd must be enabled (either by sending the argument 'w' to the ftpd, or by setting an environment variable FTPWRITE equal to 1), which means you can still use it as an anonymous ftpd or non-anonymous ftpd.


How do I use this?

I want to try and distribute this thing in source form, but I am unable to contact Dan Bernstein to get his permission. I have tried to write a step-by-step approach for installation. I realize some of you are already familiar with Dan's software. What I would recommend is that you compile and install publicfile as per Dan's instructions. After you get publicfile running, apply the qftpd patch, copy the new ftpd binary over the older publicfile one, and copy the auth.ftpd binary into the same directory as the ftpd binary. All you should have to do after this is modify the daemontools run script and modify your checkpassword setup. See the post-installation section below for how to do this.

1) This is not point-n-click-ware. You are responsible to yourself if you break anything by using this. Here is the qftpd patch to download.
2) Here is the patch for checkpassword. (read below for information about this patch)
3) Go to http://cr.yp.to/software.html to download and install these programs: checkpassword, daemontools, and ucspi-tcp. Don't forget to apply the patch to checkpassword!! (you might think of grabbing qmail and djbdns while yer at it)
4) Download publicfile and extract it: `tar -zxf publicfile-0.52.tar.gz`
5) Apply the patch in the publicfile-0.52 directory: `cd publicfile-0.52; patch <../qftpd-0.30.diff`
6) Edit config.h to your liking
7) Run make and follow the rest of Dan's installation instructions for publicfile.
8) NOTE: this patch disables the httpd portion of publicfile.
9) Follow the post-installation configuration tips

Post-Installation

QUESTION: The first thing you ask me is why a patch for checkpassword?! I thought you said this was COMPATIBLE!!
ANSWER: This is simple to explain: checkpassword will setuid and setgid upon successful authentication, and this must not happen because in order for the ftpd to chroot to your destination directory, we must call the ftpd as root. Don't worry, qftpd will setuid/gid and chroot for you.
Currently if you do not patch your checkpassword, then qftpd will not work!

The next thing to do is change the /public/ftp/run script for daemontools.

```sh
#!/bin/sh
exec 2>&1
exec softlimit -o20 -d100000 tcpserver -vDRHl0 -b20 -c40 0 21 /usr/local/publicfile/bin/auth.ftpd /usr/local/sbin/checkpassword /usr/local/publicfile/bin/ftpd /usr/home/ftp w
```

This is what a sample run script might look like. Please note there are 3 lines there, in case your browser wraps them. You should probably tweak the -d100000 setting for your needs because 100000 is definitely too high. You should notice that the setuidgid program has been removed. This is because auth.ftpd needs to run as root in order to allow checkpassword to look up a password in /etc/passwd AND in order to allow the ftpd program to chroot to the user's home directory.
NOTE: the 'w' character as the 2nd argument to the ftpd enables the writing options!!
At this point you can restart the service and it should work to use /etc/passwd.
You may also set the environment variable FTPWRITE in order to enable writing. To disable writing, you need to unset the variable. It is not a thing where you set it equal to 1 to enable and equal to 0 to disable. If the environment variable FTPWRITE is set to anything (even nothing), then writing will be enabled!!
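
The two write switches described above, checked from the shell. This is an added example, not part of qftpd or publicfile: the function names are hypothetical, and it assumes ftpd looks for exactly `w` as its 2nd argument and that the ftpd command sits on a single line of the run script.

```sh
#!/bin/sh
# Added example, not part of qftpd: report whether a qftpd service would start
# with write access, using the two switches described on this page.

# True if FTPWRITE is set at all. ${FTPWRITE+x} is non-empty even when the value
# is empty, so FTPWRITE=0 and FTPWRITE= both count as "writing enabled".
ftpwrite_env_enabled() {
    [ -n "${FTPWRITE+x}" ]
}

# True if the run script at $1 passes 'w' as the 2nd argument to ftpd.
# Assumption: the ftpd command and its arguments are on one line, as in the sample.
run_script_enables_write() {
    script=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*) continue ;; esac
        set -f; set -- $line; set +f      # split into words without globbing
        while [ $# -gt 0 ]; do
            case $1 in
                */ftpd|ftpd) if [ "${3-}" = w ]; then return 0; fi ;;
            esac
            shift
        done
    done < "$script"
    return 1
}

# Print one line per active switch, or "read-only" when neither is present.
audit_write_access() {
    found=0
    if ftpwrite_env_enabled; then
        echo "write enabled: FTPWRITE is set (value: '${FTPWRITE}')"; found=1
    fi
    if run_script_enables_write "$1"; then
        echo "write enabled: 'w' argument to ftpd in $1"; found=1
    fi
    [ "$found" -eq 1 ] || echo "read-only"
}

# Demo on the sample run script from this page, written to a temp file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#!/bin/sh
exec 2>&1
exec softlimit -o20 -d100000 tcpserver -vDRHl0 -b20 -c40 0 21 /usr/local/publicfile/bin/auth.ftpd /usr/local/sbin/checkpassword /usr/local/publicfile/bin/ftpd /usr/home/ftp w
EOF
audit_write_access "$demo"
rm -f "$demo"
```

Run it in the same environment the service starts in, since a stray `FTPWRITE=0` left in that environment still turns writing on.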

I'm going to go to sleep now, but here are a few quick tips:


How can I help?

Obviously there is much work that needs to be done on this project, which is still in its infancy. If you are interested in helping or have any positive comments please email me.