RELEASE NOTES

WASHINGTON UNIVERSITY FTP SERVER, RELEASE 2 - Apr 15, 1993

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
*                          REALLY IMPORTANT NOTE                        *
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Do *NOT* use this FTP server under AIX on IBM systems.  There is a
problem with the handling of UIDs and GIDs after a set[ug]id() call
that opens up a fatal security hole when using any non-AIX FTP server.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

SEMI-IMPORTANT RELEASE NOTES

This is an INTERIM release of my modified FTP server.  Because work on
the server has been stalled for a long time, and because lots of people
seem to want to do the things this server DOES do, I'm releasing this
version.  To the best of my knowledge, it works and has no major bugs.
The features are all incremental, and with one exception, are
completely compatible with existing FTP clients.  The exception is the
multi-line messages the server will use to respond to many commands
when some features are enabled, for example:

    OLD STYLE FTP

    ftp> cd /pub
    220 CWD command successful.

    THIS FTP

    ftp> cd /pub
    220-Please read the file README
    220-  it was last modified on Thu Feb 21 10:35:09 1991 - 214 days ago
    220 CWD command successful.

Some of the older FTP clients, which do not conform to the FTP
specifications, barf on these multi-line messages.  Multi-line messages
can be disabled on a per-connection basis by using a dash (-) as the
first character of the user's password.
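How a conforming client finds the end of a reply like the one above, as an added example (not part of the wu-ftpd distribution): per RFC 959, a first line of the form "NNN-" opens a multi-line reply, which ends only at a line starting with the same code followed by a space. The function name ftp_reply_len is hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Replies taken from the release notes above, with CRLF line endings. */
static const char OLD_STYLE[] = "220 CWD command successful.\r\n";
static const char THIS_FTP[] =
    "220-Please read the file README\r\n"
    "220-  it was last modified on Thu Feb 21 10:35:09 1991 - 214 days ago\r\n"
    "220 CWD command successful.\r\n";

/* Return the byte length of the first complete reply in buf and store its
 * code in *code.  Return 0 if the reply is malformed or not yet complete. */
size_t ftp_reply_len(const char *buf, int *code)
{
    const char *line = buf, *nl;
    char last[5] = "";               /* "NNN " prefix that ends a multi-line reply */

    while ((nl = strchr(line, '\n')) != NULL) {
        size_t len = (size_t)(nl - line);
        if (last[0] == '\0') {       /* first line: "NNN " or "NNN-" */
            if (len < 4 || !isdigit((unsigned char)line[0]) ||
                !isdigit((unsigned char)line[1]) ||
                !isdigit((unsigned char)line[2]))
                return 0;
            *code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
            if (line[3] == ' ')
                return (size_t)(nl - buf) + 1;    /* single-line reply */
            if (line[3] != '-')
                return 0;
            memcpy(last, line, 3);   /* remember the code, expect "NNN " later */
            last[3] = ' ';
        } else if (len >= 4 && strncmp(line, last, 4) == 0) {
            return (size_t)(nl - buf) + 1;        /* same code + space: final line */
        }
        line = nl + 1;               /* otherwise a continuation line: keep reading */
    }
    return 0;
}

int main(void)
{
    int code = 0;
    size_t a = ftp_reply_len(OLD_STYLE, &code);
    size_t b = ftp_reply_len(THIS_FTP, &code);
    printf("old style %zu bytes, this FTP %zu bytes, code %d\n", a, b, code);
    return 0;
}
```

A client that stops at the first line of the second reply is left with two unread lines in its buffer, which it then mistakes for the answers to its next commands.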

REALLY IMPORTANT RELEASE NOTES

The next release of the FTP server is going to include some significant
changes.  The most important one is that the logging format for file
transfers is going to be completely different, and quite incompatible.
There will probably *NOT* be any program provided to convert your old
logfiles to the new format.

ADDITIONS AND BUG-FIXES IN RELEASE 2

1.  ftpcount no longer displays multiple listings for classes that have
    multiple "class ..." lines.

2.  Added the following abilities, configurable in the ftpaccess file.
    See ftpaccess(5).

        chmod            <yes|no>  <typelist>
        delete           <yes|no>  <typelist>
        overwrite        <yes|no>  <typelist>
        umask            <yes|no>  <typelist>

        upload           <dir>     <yes|no>  <owner>  <group>  <mode>

        passwd_check     <none|trivial|rfc822>  {<warn|enforce>}

        alias            <name>    <dir>

        path_filter      <typelist>  <msg>  <charset>  {<disallowed> ...}

3.  The conversion table has been moved to a separate file.  The
    fields are:

           %s:%s:%s:%s:%s:%s:%s:%s

           Field    Description
            1       strip prefix
            2       strip postfix
            3       addon prefix
            4       addon postfix
            5       external command
            6       types
            7       options
            8       description

4.  The ftpshut program generates a shutdown file for the ftp server.  It
    works similarly to shutdown(8).  See ftpshut(8).

5.  guestgroup access no longer needs an entry in the secondary passwd
    file (~ftp/etc/passwd).  The home directory is now specified as
    "root/./home".  For example:

    ftptest:<encrypted>:100:200:Guest User:/var/ftp/./incoming:/etc/noshell

    When ftptest logs in, it will chroot to /var/ftp and then chdir to
    /incoming (which is actually /var/ftp/incoming before the chroot).

    Since the directory in /etc/passwd actually points to the guest's
    home directory, they can use .forward files, etc.
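The "root/./home" split from item 5, as an added example (not the server's own code): it separates the directory to chroot() into from the directory to chdir() to afterwards. The function name split_guest_home is hypothetical, and splitting at the first "/./" is an assumption; it returns -1 when the marker is missing, so a caller can refuse the guest login instead of running it without a chroot.

```c
#include <stdio.h>
#include <string.h>

/* Split a guestgroup home directory of the form "root/./home".
 * On success return 0, with the chroot directory in root and the
 * post-chroot working directory in home.  Return -1 if the path is not
 * absolute, the "/./" marker is missing, or a buffer is too small. */
int split_guest_home(const char *pw_dir, char *root, size_t rootsz,
                     char *home, size_t homesz)
{
    const char *mark;
    size_t rlen;

    if (pw_dir == NULL || pw_dir[0] != '/')
        return -1;
    mark = strstr(pw_dir, "/./");     /* assumption: first marker wins */
    if (mark == NULL)
        return -1;                    /* no marker: nothing to chroot to */
    rlen = (size_t)(mark - pw_dir);
    if (rlen == 0) {                  /* "/./home": the chroot directory is "/" */
        if (rootsz < 2)
            return -1;
        strcpy(root, "/");
    } else {
        if (rlen >= rootsz)
            return -1;
        memcpy(root, pw_dir, rlen);
        root[rlen] = '\0';
    }
    mark += 2;                        /* keep the leading '/' of the home part */
    if (strlen(mark) >= homesz)
        return -1;
    strcpy(home, mark);
    return 0;
}

int main(void)
{
    char root[256], home[256];
    /* Home directory field from the ftptest example in the release notes. */
    if (split_guest_home("/var/ftp/./incoming", root, sizeof root,
                         home, sizeof home) == 0)
        printf("chroot(\"%s\") then chdir(\"%s\")\n", root, home);
    return 0;
}
```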

---

Planned additions for the next release include:

o  ftppass: a program that makes it easy to modify the ftp private
   access file (new groups, change passwords, remove groups).

---

There is a known bug in SunOS 4.x where syslog() fails after a chroot().
This is BUG ID #1047632.  If you are affected by this, CALL SUN AND
ADD YOUR NAME TO THE LIST -- they aren't planning on making a patch for
SunOS 4.x [it is fixed in SunOS 5.0 -- whenever THAT comes out].

With the SunOS bug, tell them that they must FIX THE PROBLEM, not hack
syslog to listen to ~ftp/dev/log as well as /dev/log -- syslogging will
then happily fail whenever you use the guestgroup command.  As far as I
can tell, sendto() is broken for UNIX domain sockets (after chroot())
and is what they need to fix.

Chris Myers                                Internet: chris@wugate.wustl.edu
Software Engineer                           UUCP: ...!uunet!wuarchive!chris
Office of the Network Coordinator                BITNET: chris@wunet.bitnet
Washington University in Saint Louis                 Phone: +1 314 935 7390

Bryan O'Connor                           Internet: bryan@fegmania.wustl.edu
Software Engineer, wuarchive development    UUCP: ...!uunet!wuarchive!bryan
Office of the Network Coordinator                BITNET: bryan@wunet.bitnet
Washington University in Saint Louis                 Phone: +1 314 935 7048
