10.0.1 initial versioned tarball released 2---------------------------------------- 3 4- Added "-ldl" to LIBS to get linking to work on RedHat6.1 5- Add RedHat6.1 on list of tested platforms :) 6 70.0.2 packaged 8-------------- 9 10- Emit version in greeting string 11- In PORT command, reject numbers <0 or >255. Problem noted by Solar Designer, 12<solar@openwall.com> 13- Allow an option AND a path for LIST/NLST, e.g. "LIST -al /pub". Reported by 14Bill Nottingham <notting@redhat.com>, using ncftp. Further noted by Colin 15Hogben <chah@jet.uk> using emacs and James Antill <james@and.org>. 16- Don't prepend directory path for LIST (but still so for NLST). Noted by 17Colin Hogben <chah@jet.uk> and Ingo Luetkebohle <ingo@blank.pages.de> 18- Fix problem listing non-existant or unreadable directories - just return 19a blank listing rather than an error. Problem noted by Martin Sillence 20<martin.sillence@prnewswire.co.uk>, using squid. 21- Fix KDE's downloads (via KFM), it was using the "SIZE" command which I had 22not implemented. Reported by Simon Dales <simonD@nuffield.co.uk> and Jo Dillon 23<jo@trolltech.com>. Apparently implementing SIZE also fixed lftp's download 24time estimator, reported by Ingo Luetkebohle <ingo@blank.pages.de> 25- Remove abornal_exit() from utility.c 26- Fix so we don't write "500 OOPS: child died" upon QUIT. Reported by Solar 27Designer, <solar@openwall.com> and Tim Bagot <tsb@earth.li> 28 290.0.3 packaged 30-------------- 31 32- Oops: fix so we don't emit a status 150 mark unless we actually got a 33connection from the client (stops some clients hanging trying to list an 34inaccessible directory) 35 360.0.4 packaged 37-------------- 38 39- In verbose directory listing, report symlink targets. Use the traditional 40syntax of: "link_name -> target_path" 41- Damn netscape! The comma in the response text to PASV confused it, so it 42had to be removed. Discovered with tcpdump! 43- Don't require clients to redo PORT or PASV if a RETR or STOR fails due 44to inability to open/create file. Fixes Netscape symlink navigation problem. 45- Fix for listing absolute paths with only one /, e.g. "ls /.message" was 46failing 47 480.0.5 packaged 49-------------- 50 51- Remove README.ftpproto 52- Add SECURITY/OVERVIEW 53- Add SECURITY/DESIGN 54- Note that as a security tweak, we should lose more privs if we're configured 55for anonymous only logins (TODO) 56- Add SECURITY/IMPLEMENTATION, SECURITY/TRUST, but nothing in them yet. 57- Convert str.c to vsf_sysutil_*. This leaves the following to do: 58 checkauth.c, main.c, postprivparent.c, privparent.c, privsock.c, utility.c 59- Convert privparent.c to vsf_sysutil_*. 60- Create BUGS and move existing listed bugs from TODO into this new file 61- Add parseconf.h, parseconf.c to handle parsing of a config file (work in 62progress) 63- Fix change_full_credentials() in utility.c, to always chdir() even if we 64are not going to do a chroot() 65- Rename get_random_byte() to vsf_sysutil_get_random_byte(), and move from 66utility.c to sysutil.c 67- Create new file secutil.c, move change_full_credentials() to it and rename 68- Convert utility.c to vsf_sysutil_*. 69- handle_local_login(): don't look up username; common_do_login() does it 70- implement different tunable umask() values for local/anonymous users 71- implement SITE UMASK 72- implement SITE CHMOD 73- whoops! allow non-anonymous users to overwrite files with STOR 74 750.0.6 packaged 76-------------- 77 78- SECURITY: when in anonymous-only mode, reject usernames that aren't the 79anonymous usernames. This is hoping some FTP clients will be stopped from 80sending a cleartext password. Idea from Gerald Teschl <gt@esi.ac.at>. 81- Decided to put "telnet strings" on the back burner :) 82- Sprinkling of static in main.c 83- Complete parseconf.c config file parsing and plug it into main.c 84- Convert main.c to vsf_sysutil_*. This leaves 85 checkauth.c, postprivparent.c and privsock.c 86- Now we have runtime config, make compiled in defaults extra paranoid 87- Implement "tunable_anon_world_readable_only" to only serve publicly 88readable files anonymously 89- Add sample "vsftpd.conf" 90- Eww - missing "return" in parseconf.c 91- Move ASCII mode transfers out of critical section in TODO 92- parseconf.c: if an integer starts with "0", treat it as octal 93- Ban "SITE CHMOD" if !tunable_write_enable 94- Wrote SECURITY/TRUST 95- Wrote SECURITY/IMPLEMENTATION, probably more to come 96- Update INSTALL 97- Add "tunable_nopriv_user" 98- Update parseconf.c with the two latest new config variables 99- Add sysdeputil.h, sysdeputil.c for system specific facilities, i.e. 100capabilites, authentication. 101- Lose checkauth.c,h - they moved into sysdeputil.c,h 102- Lose config.h - it moved into sysdeputil.c 103- Convert postprivparent.c to vsf_sysutil_* (leaves privsock.c) 104- Convert privsock.c to vsf_sysutil_*. All done, yay!! :) 105- D'oh! Missing "!" in postlogin.c refused to server publicly readable files:) 106- Fix chown() of uploaded files (broken initialization order in main()) 107- Add SPEED, and fill it with wild speculation 108- Rename distribution directory "vsftpd-x.x.x" (note the added "d") 109 1100.0.7 packaged 111-------------- 112 113- Build with -O2 114- Fix "uninitialized" warnings -O2 exposed - the one in capabilities setup 115could be nasty! 116- Nail warning in vsf_sysutil_sendfile(). We're now "-Wall warning free" 117- Build with -Werror to signal intent to _stay_ warning free 118- A few int -> long in the area of file sizes and offsets 119- Remove comma's at end of enum lists (-pedantic caught it) 120- Impact from fixing warnings caused by -pedantic 121- Date format %e -> %d in date display, %e isn't everywhere 122- Paranoia in vsf_sysutil_malloc() 123- Clean up interface to substring searching in str.c 124- Cleanups in str.c 125- Squash most "unsigned<->signed" conversions exposed by -Wconversion 126- Lose "-g" to CFLAGS; after all we're bug-free now ;-) 127- Add "AUDIT" 128- Fix up a bunch of potential 64-bit issues (maybe >2Gb files will work on 12964-bit platforms now, no way to test) 130- Implement PR_SET_KEEPCAPS support for 2.2.18+ and 2.4.0+ kernels 131- In sysdeputil.c, change NULL -> 0 to help Solaris build problem 132- Repair vsf_sysutil_sendfile() and the caller 133- Logging: log the username 134- Logging: don't log "//" as start of filenames under certain conditions 135- Logging: log the date. Logging is almost useful now! 136- Logging: log MKD commands too; they are used in anon ftp a fair bit 137- Take the trouble to look into partial reads/writes. Looks like we are safe. 138- vsf_sysutil_read and vsf_sysutil_write now hide EINTR and retry 139- Replace some vsf_sysutil_{read,write} usage with 140vsf_sysutil_{read,write)_loop which handles partial reads and writes 141- Implement a sendfile() replacement for systems which lack it 142- Implement runtime checking for system specific Linux stuff, i.e. 143prctl(PR_SET_KEEPCAPS). This is inspired by RedHat7.0 headers claiming to 144be a 2.4.0 kernel, but actually you are running on 2.2.x! :-( 145- Strip the build executable at link time 146 1470.0.8 packaged 148-------------- 149 150- A few incorrect sizeof()'s in postlogin.c, thanks to Antonomasia 151<ant@notatla.demon.co.uk> for noting these. 152- Decide that ASCII support isn't too important for now (waiting for users to 153demand it). Also decide that ABOR is a must :( Thanks to Zach Brown 154<zab@zabbo.net> for the discussion. 155- More TODO items thanks to Stephen White <swhite@ox.compsoc.net> - 2.0.x 156issues. 157- Provide a definition for SHUT_RDWR in sysutil.c, not all systems have that 158definition yet. Thanks Stephen White <swhite@ox.compsoc.net>. 159- Tidy privparent.c 160- Decide ASCII _is_ quite important, thanks Solar ;-) 161- Bit of extra paranoia in sysutil.c: don't call mem*() if size == 0 162- Tidy str.c 163- Command line: if vsftpd has an argument, it is a path to a config file. 164- Set TCP_NODELAY on command stream 165- Don't lseek() for RETR in common case with REST set to 0 166- Correct error code for transfer after succesful connection (425 -> 426) 167- ABOR support. Bah. 168- APPE support (why not, it was trivial). Putting off ASCII support ;-) 169- Add ASCII transfer support. Bah. 170- Tidy up sysutil.c, fix breakage in read_loop and write_loop. 171 1720.0.9 packaged 173-------------- 174 175- Remove ".message" from distribution. Thanks Mitchell Blank Jr 176<mitch@sfgoth.com> 177- Note where I can get some load testing software, thanks to Dan Kegel 178<dank@alumni.caltech.edu>. I'll do that soon because I hope to waste wu-ftpd. 179- Fix an Alpha build warning and check return value from final pam_end(). 180Reported by Solar Designer <solar@openwall.com>. 181- Add xinetd.d/vsftpd, from Kurt Seifried <listuser@seifried.org>. 182- Integrate comments/fixes into SECURITY documentation, thanks to Antonomasia 183<ant@notatla.demon.co.uk> 184- SECURITY: default tunable_chroot_local_user to 0, because it is dangerous to 185give users write access to the filesystem root (think of opening trusted 186files relative to the root). Thanks again Solar Designer 187<solar@openwall.com>. 188- Add "make install" target. Currently it is minimal! 189- Clearer error message if vsftpd is started manually. Suggestion from 190Tom <tom@lemuria.org>. 191- Report futuristic or old (>6 months) dates in a different format, showing 192the year like /bin/ls does. 193- Add KERNEL-2.4.0-WARNING. Whoo-hoo. Why do all my non-trivial programs seem 194to trigger kernel bugs? 195- SECURITY: refuse to allow anonymous logins if some bonehead has configured 196the anonymous ftp user with write access to the ftp root. 197- Fix ASCII downloads so that \n UNCONDITIONALLY maps to \r\n. This behaviour 198is now consistent with wu-ftpd and results in simpler code. 199- Fix ASCII uploads to not to fail to strip some \r characters. Noted by 200Mitchell Blank Jr <mitch@sfgoth.com>. 201- Add TODO items: log transfer rate and anonymous password. Andrew Anderson 202<andrew@redhat.com>. 203 2040.0.10 packaged 205--------------- 206 207- Remove errant #include <sys/sendfile.h> from sysutil.c. Noted by Jan-Frode 208Myklebust <janfrode@parallab.uib.no> 209- Use gettimeofday(2) not time(2), for better resolution. 210- Add transfer rate to the log 211- Add <limits.h> to sysutil.c, spotted by Kevin Vajk <kvajk@cup.hp.com>. 212- Spell "LICENSE" correctly: Kevin Vajk <kvajk@cup.hp.com>. 213- Use fcntl() for locking instead of flock() because it is much more standard. 214flock() usage noted by Kevin Vajk <kvajk@cup.hp.com>. 215- Use more portable IPPROTO_* instead of SOL_* (IPPROTO_IP, IPPROTO_TCP). 216Thanks to Neil Blakey-Milner <nbm@mithrandr.moria.org> porting to FreeBSD. 217- Start of Solaris port, thanks to Kurt Seifried <seifried@securityportal.com> 218for access to a Solaris 8 box. 219- Portability fix: include <netinet/in_systm.h> before <netinet/ip.h>. 220- Port to Solaris 8: new directory port. New file porting_junk.h. New file 221solaris_bogons.h 222- Add vsf_findlibs.sh to cater for different platform link requirements. Now 223builds on Solaris and Linux with "make". 224- struct sockaddr casts to kill Solaris warnings. 225- sysdeputil.c: remove unused variable warnings. 226- sysutil.c: use _exit() instead of exit() to avoid libc doing stuff on exit. 227Fixes segfault reported by Joshua Hill <josh@untruth.org>. 228- Add BENCHMARKS. Many thanks to Andrew Anderson <andrew@redhat.com>. 229- Fix disconnect/crash if SIGURG received whilst blocking on command stream. 230- Update INSTALL with more platforms. 231 2320.0.11 packaged 233--------------- 234 235- Brag about performance in README. And why not. 236- Better bail-out message if the "ftp" anonymous user isn't found 237- Better bail-out message if the secure chroot directory isn't found 238- Introduce tunable_one_process_model and start work on it 239- Fix rare segfault on exit - race leading to infinite stack recursion 240- Don't bail out if we didn't get an argv[0]. Who cares? Noted by Kurt Seifried 241<seifried@securityportal.com>. 242- Change logged date format to include the year. 243- Add option to log in standard (wu-ftpd like) "xferlog" format. 244- Cater for sendfile() returning EINTR in sysdeputil.c 245- Use SO_LINGER on data sockets, to get accurate transfer rates! 246- Cater for an interrupted blocking close() 247- Tuning: eliminate 3 mprotect(), 1 munmap() and 1 mmap() system call per 248command read. 249- Prevent infinite loops calling sendfile(). Two bugs - we needed to check 250the sendfile() return for 0 (doh!!) and also, we sometimes did lseek() on 251a file, to beyond its end. Thanks to Daniel Veillard <Daniel.Veillard@imag.fr> 252for reporting. 253- Tuning: cache fd's for /etc/passwd and /etc/group to avoid syscalls. 254- Tuning: "assist" the get*uid(), get*nam() calls to not make lots of useless 255syscalls, if /etc/group and /etc/passwd are missing. Thanks to Daniel Veillard 256<Daniel.Veillard@imag.fr> for reporting. 257- Use SO_LINGER timeout of 5 mins; INT_MAX seemed to do nothing! 258- Finally(!) fix transfer rate timing. 259 2600.0.12 packaged 261--------------- 262 263- Update INSTALL. Mention the config file can be given on the command line. 264- Lower VSFTP_MAX_COMMAND_LINE to 4096 (wu-ftpd uses 512 I think). 265- Add RedHat/vsftpd-rh7.spec, kindly provided by Emmanuel Galanos 266<egalanos@anchor.net.au>. 267- Add more RedHat/* spec files etc, kindly provided by Andrew Anderson 268<andrew@redhat.com>. 269- Cleanup: move two process model code to "twoprocess.c". 270- Damn! Make the file lock _block_ if it's busy, in sysutil.c. 271- Finish implementing one process model - benchmarks to follow 272- Don't log success if the download is ABOR'ed during the blocking close(). 273- Build on systems without PAM (obviously local logins won't work..) 274- Beware of FreeBSD accept() bug: ai32@drexel.edu 275- Implemented a customizable ftp banner with "ftpd_banner" config file setting 276- Builds on OpenBSD 2.8 - woohoo 277- FreeBSD: look for libpam.so* in /usr/lib 278- FreeBSD: add #include <sys/param.h> otherwise CMSG_* break. 279- Kill privparent.[ch] - merged them into twoprocess.c 280- Enable SIGCHLD handler _before_ forking - should nail a race which could lead 281to zombies. Inspired by zombie report from Joe Klemmer <klemmerj@webtrek.com>. 282- Data connection timeout code. 283- ftpcmdio.c: Don't cancel the alarm when we get a command. For safety, we 284insist that that the only way to "cancel" the alarm is to reset it. This 285prevents hangs blocking on write() to the command stream. Of course, data 286transfers are long running operations and have their own timeouts. 287- Data transfer timeout now kills session. 288- Take care that no writes block once we've decided to abandon ship. 289- FreeBSD sendfile() support. I wonder if it works! 290 2910.0.13 packaged 292--------------- 293 294- Split out directory listing code into ls.c 295- Change blocking accept() and connect() code to use select() not SIGALRM! 296- Remove alarm() timeout junk from file locking in logging.c 297- Cater for signals interrupting the blocking file lock 298- Whoops: fix data timeout incorrectly going off. Noted and fixed by Joshua 299Hill <josh@untruth.org>. 300- Implement tunable_pasv_promiscuous to relax PASV IP checks. Useful if you 301are playing with secure tunneling of command connection. Idea, patch from 302Seth Vidal <skvidal@phy.duke.edu>. 303- Much better line-by-line file reading string buffer functions. 304- Use the above better functions for directory messages and config file 305reading. This eliminates a probable quadratic algorithm, i.e. it's a speedup. 306- Explictly free certain buffers rather than using the static trick. For 307example, the config file buffer which is only used once. 308- Massive cleanup and refactoring of login code. 309- Add ability to specify file containing list of banned e-mail addresses for 310anonymous users. Apparently a required feature for big sites trying to avoid 311DDoS attacks. 312- Add ability to specify file containing list of users to chroot(), request 313from helo <helo@neounix.com>, who also persuaded me not to use the homedir 314hack in /etc/passwd. 315- Add TODO: PASV port range config setting, for firewalled setups. From Rafal 316Wojtczuk <nergal@idea.avet.com.pl>. 317- Rudimentary support for non-PAM local user authentication, with 318encouragement and helpful discussion from D Richard Felker III 319<dalias@aerifal.cx>. 320- Use MAP_ANON instead of mmap() /dev/zero for anonymous pages. It saves 321using a file descriptor. Neither are standard(?) but MAP_ANON seems to work 322on a superset of systems compared with mmap() /dev/zero. 323- Ability to specify a PASV local port range with pasv_min_port and 324pasv_max_port. Request from Rafal Wojtczuk <nergal@idea.avet.com.pl>. 325- Non-PAM authentication: check /etc/shells, and support shadow password and 326account expiry. 327- First cut at a vsftpd.conf man page! (vsftpd.conf.5) 328 3290.0.14 packaged 330--------------- 331 332- Default to ASCII mode transfers, as per RFC. Bug noted with Macintosh client 333by William Day <day@chem.duke.edu>. 334- Implement "ls -a". 335- Implement "ls -r". 336- Implement "ls -l", i.e. "NLST -L" now works 337- Implement "ls -t". Superb - now the oft-used "ls -ltr" works! 338- setproctitle() support - FreeBSD only in the first cut. 339- setproctitle() on Linux support - what a hack! This crap really needs kernel 340support. I'm ashamed I bothered. 341- Repair the contributed spec files a bit, based on reports from Oleg Drokin 342<green@iXcelerator.com> and Jakob Lichtenberg <jl@it-c.dk>. 343- Show remote IP and local username in setproctitle() support. 344- Add vsftpd.8 man page, thanks to Daniel Jacobowitz <dan@debian.org>. 345- In sysdeputil.c, check macros LINUX_VERSION_CODE and KERNEL_VERSION are 346defined. From James Antill <james@and.org>. 347- Workaround a broken firewall that expects a very precise PASV response. We 348now match wu-ftpd. Many many thanks to Jakob Lichtenberg <jl@it-c.dk> for 349his help. 350- If tunable_anon_world_readable_only (default), don't list directories unless 351they are world readable. 352- Use qsort() for directory sorting - eliminates gross quadratic sorting. 353Turbo charges directory listings with 1000's of entries. 354- Fix big memory leak in str_list_free(). 355- Simplify + reduce heap usage in strlist.c 356- Optimize away lots of excessive heap usage and redundant copying in str.c 357- By default, show numeric user/group id's in directory listings. Makes 358generating directory listings perhaps 4 times(!) faster, and is noticeable 359with e.g. 5000 entries in a directory. n.b. this performance figure is as 360measured on a glibc-2.2 system, so glibc would seem to be inefficient. 361- Don't use MSG_DONTWAIT - prefer the more portable fcntl()/O_NONBLOCK. Fixes 362glibc-2.0 build issues. 363- Work around broken Linux-2.0 unix fd passing. Now builds/runs on RH5.2. 364- Build fixes for FreeBSD 3.5, with help from Jerry Walsh <jerry@aardvark.ie>. 365- Only restrict directory listings to world-readable for _anonymous_ users! 366Thanks again Jerry Walsh <jerry@aardvark.ie> for the report. 367- Add TUNING 368- Special case for security/performance: if we need _no_ privilege, then 369force one process model. Security: root dropped totally straight away. 370Performance: no messing around forking etc. 371- Minor performance tweaks, don't leave big mappings lying around from 372config file parsing. 373 3740.0.15 packaged 375--------------- 376 377- Argh. Fix SuSE 6.0 build issue (time_t used but not defined). Reported by 378Peter Stern <peter@frontierflying.com>. 379- Another SuSE 6.0 issue - another damn system lacking CMSG_SPACE etc. 380- Cope with any return value from blocking close(2). Previously, we missed 381EAGAIN, which some systems might return (not Linux). 382- New wizzy synchronous signal framework, to prevent re-entrancy issues. It 383presents an interface very similar to the traditional UNIX async interface. 384Technically this is a security fix; imagine a SIGURG (user controllable!) 385coming in whilst we are deep inside glibc. The SIGURG handler is non-trivial 386and may well re-enter and upset glibc. Specific example: the malloc subsystem. 387- When handing SIGURG, account the time taken under the data tranfer timeout. 388- Install the command timeout handler before we write anything to the remote. 389- Cleanup capabilities handling to be taken care of in secutil.c. 390- Fix bug: one_process_model mode could lose supplementary groups. 391- Add "SIZE" file. 392- Make one_process_model work with the anon deny e-mail list. 393- Massive cleanups. Start moving static state into a session structure. 394- Oops - fix Solaris 8 build by fixing include order in porting_junk.h, and 395include a dirfd() replacement. Noted by William Yodlowsky 396<wyodlows@andromeda.rutgers.edu> and Mike Batchelor <mikebat@tmcs.net>. 397- Fix return of a void function call in a void function. It upsets Sun's 398compiler. (gcc is fine with it, I'm not sure if it's against the rules). 399Noted by Mike Batchelor <mikebat@tmcs.net>. 400- Make it possible to use port ranges starting lower than 5001, from 401Matthew Kirkwood <weejock@ferret.lmh.ox.ac.uk>. 402- Use a /dev/zero mmap() fallback if we do not find MAP_ANON. This should 403fix the build on Solaris 2.6, 2.7 machines. Reported by Mike Batchelor 404<mikebat@tmcs.net>. Also noted as one of the problems facing an IRIX build. 405- Add MDTM support, so clients like ncftp can set the date on downloaded files. 406- Add irix_bogons.h, trying to port to IRIX 6.5, with help from Jan-Frode 407Myklebust <janfrode@parallab.uib.no>. 408- Don't reference "struct msghdr.msg_flags", not all systems have it. Clear it 409with vsf_sysutil_memclr() instead. Found on IRIX 6.5.11 410- Cater for systems lacking getusershell(), e.g. IRIX 6.5.11, by not using it. 411- Fix compiler error with header files claiming 2.4 headers but only having 4122.2 headers. Reported by Ben Ricker <bricker@wellinx.com>. 413- Kill warning on system without capabilities. 414- Add -R option to ls (disabled by default), to cater for broken clients which 415assume it is present (e.g. mirror). 416- Add "Makefile.sun", from Mike Batchelor <mikebat@tmcs.net>. 417- Fix PORT transfer crashes with "one_process_model". Reported by 418Andrew Anderson <andrew@redhat.com>. 419- Cater for HP-UX shared libraries which end in ".sl", from Kevin Vajk 420<kvajk@cup.hp.com>. 421- Add hpux_bogons.h, and make MAP_ANON a synonym for MAP_ANONYMOUS. 422- Move send_fd and recv_fd to sysdeputil.c and provide old-style fd passing 423code for IRIX and HP-UX. 424- Get it going on HP-UX 11.11 and HP-UX 10.20, thanks to Kevin Vajk 425<kvajk@cup.hp.com>. Minor changes to hpux_bogons.h 426- Update vsftpd.conf with "ls_recurse_enable". 427- Get it going on IRIX 6.5.11, thanks to Jan-Frode Myklebust 428<janfrode@parallab.uib.no>. 429- Fix reporting of filenames in MKD operations (regression since 0.0.15). 430- Wow - lots of contributed .spec files. Adopt those from Seth Vidal 431<skvidal@phy.duke.edu>. 432- Fix FreeBSD build. 433 4340.9.0 packaged 435-------------- 436 437- Fix .spec files to include URL, from Seth Vidal <skvidal@phy.duke.edu>. 438- Don't let unprintable characters escape into setproctitle(). Thanks to 439Solar Designer for the suggestion. 440- Make the PAM service name a tunable, suggestion from Solar Designer. 441- Add option to log all FTP protocol (log_ftp_protocol). 442- Log logins, successful or failed. 443- Refuse to download a file in ASCII mode if REST position != 0. Solar 444reminded me by looking in the BUGS file. 445- Clearly mark an ASCII download in the FTP response string. 446- Argh. Fix broken upload timeout again (goes off erroneously). 447- Fix logging of FTP protocol, add logging of pid. Reported by Frank Fiamingo 448<FiamingF@strsoh.org>. 449- Fix bug where logging code bug()'s on the second logged operation, iff 450logging is in fact disabled! Reported by Alexander Schreiber 451<alexander.schreiber@informatik.tu-chemnitz.de>. 452- From Solar: be paranoid about libc implementations of isprint() in sysutil.c 453- Careful not to write any unprintable characters into the log. 454- fchmod() files that we fchown(), to prevent suid games, etc. 455- Cleanups, added comments to some headers. 456- Minor speedups to some str.c string handling functions. 457- Joe Klemmer <klemmerj@webtrek.com> reports zombies again! Nail a couple of 458races: make the SIGCHLD handler async, and cater for an interrupted wait(2) 459syscall. 460- If chroot_local_user=YES then chroot_list_enable becomes a list of users to 461NOT chroot(). With input from Lars Hecking <lhecking@nmrc.ie>. 462 4630.9.1 packaged 464-------------- 465 466- DAMN! Fix silly "missing newline" logging bug. 467 4680.9.1 repackaged 469---------------- 470 471- Refuse to start if local_enable and anonymous_enable are NO, hit by 472Lars Hecking <lhecking@nmrc.ie>. 473- Report anonymous e-mail in the LOGIN log event, idea from Joachim Blaabjerg 474<styx@mailbox.as>. 475- Fix man page install in vsftpd-rh7.spec, from Matthew Galgoci 476<mgalgoci@redhat.com>. 477- Fix chown_upload bug noted by brett <beldridg@best.com>. 478- Add concept of guest user, idea from Andrew Anderson <andrew@redhat.com>. 479- Simple bandwidth limitation, inspired by Mads Martin J�rgensen 480<mmj@suse.de>. 481- Fix chown_upload bug in a different way. 482- Correct *_umask details in vsftpd.conf.5, from brett <beldridg@best.com>. 483- Don't show .files unless "ls -a" was specified, n.b. this differs in 484behaviour from wu-ftpd, but not proftpd. 485- Implement directory write(2) buffering, for a 33% reduction in CPU used to 486send big dirs. Activate the bandwidth limit on directory listings. 487- HPUX enhancements: setproctitle and sendfile. Thanks to Kevin Vajk 488<kvajk@cup.hp.com>. 489- We DON'T need to follow symlinks on "ls -R" - phew. 490- Add README.solaris. Thanks to Mike Batchelor <mikebat@tmcs.net>. 491- Implement passing remote host to PAM (for pam_access etc.), thanks to 492Emmanuel Galanos <egalanos@cerberus.anchor.net.au>. 493- Fix guest_enable so that this means all non-anonymous users are guest users. 494- Add ability to deny selected users before they get the chance to send their 495cleartext password!! 496- Fix FreeBSD build - use a cast instead of floor() which needs libm. 497 4980.9.2 packaged 499-------------- 500 501- Fix potential leak in PAM handling code. 502- Fix build in the non-PAM case (dammit!!). Reported by Alexey E. Korchagin 503<Webmaster@buzuluk.ru> and Michael Fengler <michael.fengler@adpag.de>. 504- Include filename and size in bytes in the "here comes the data" 150 message. 505- Change link flags from "-s" to "-Wl,-s" 506- Add libcap support - should fix ia64, Alpha build problems with syscalls. 507- Tidy up vsf_findlibs.sh 508- Work with NFS mounted home dirs and root_squash, thanks to Hunter Matthews 509<thm@duke.edu> for the report. 510- Add FAQ. 511- Improve "make install". 512- Fix Solaris build (nanosleep is in a separate library, typical). 513- Fix REST + STOR combination, investigation inspired by Mike Batchelor 514<mikebat@tmcs.net>. 515 5160.9.3 packaged 517-------------- 518 519- Update xinetd file to reflect /usr/local location. Thanks to Fridtjof 520Busse <fridtjof@fbunet.de>. 521- Make our 150 response code match wu-ftpd - allows broken "ange-ftp" of 522emacs to do a percentage complete indicator. Reported by Jonathan Kamens 523<jik@kamens.brookline.ma.us> via Andrew Anderson <andrew@redhat.com>. 524- Fix build on S390, ia64 platforms (poor kernel includes). Patch from 525<mmj@suse.de>. 526- Fix up vsf_findlibs.sh to cater for RedHat7.2 which has libcap. Reported 527by Chris Burton <chris@post.cpac.uk.com>. 528- Boast some more in BENCHMARKS. 529- Add anon_root and local_root, inspired by Ole Tange <tange@tange.dk>. 530- Fix up vsf_findlibs.sh to cater for broken Mandrake, and also consider 531the case of missing PAM headers (no pam-devel installed). Thanks to 532Jeff Baldwin <jeff_baldwin@unc.edu> for access to Mandrake. 533 534At this point: 1.0.0 packaged and released 535------------------------------------------ 536Ah, the wonderful psychology of release numbers 537----------------------------------------------- 538 539- Fix IRIX build (capabilities issue), Jan-Frode Myklebust 540<janfrode@parallab.uib.no>. 541- Fix FreeBSD build, reported by Jim Breton 542<jamesb-security-audit@alongtheway.com>. 543- Fix Debian build, reported by Brian Clark <brianj@fusionwerks.com>. 544 5451.0.1 packaged 546-------------- 547 548- Fix .spec files to use /usr/local/sbin not /usr/sbin, noted by Bill Unruh 549<unruh@physics.ubc.ca>. 550- Small doc tweaks and improvements(?) 551- Add COPYING, the GNU GPL version 2. 552- Add use_localtime config option to override the use of GMT times. 553- Add tunable_check_shell (default YES) so people can disable this if they 554are not using PAM. 555- AIX 5.1 build support, thanks to Jan-Frode Myklebust 556<janfrode@parallab.uib.no>. 557- Add "hide_ids" option to show user/group in directory listings as "ftp". 558Request from Solar. 559- Use the seemingly more portable setreuid() and setregid(), poxy HP. 560- Use status 550 instead of 500 for known but disabled commands. 561- Rename "dirchange.[ch]" to "banner.[ch]". 562- Multiline connect banner support via "banner_file" config option. 563- Minor error message changes. 564- Add more FAQ entries. 565- Add patch to specify PASV address - thanks to Mike McLean <mikem@redhat.com>. 566- Drop the 2.4.0 kernel warning file 567- Rudimentary standalone listener support - to be expanded in a later release. 568- If sendfile() returns EINVAL just fall back to normal routines - handles 569non-pagecache backed files. 570- Add "port_promiscuous" setting - should help enabling FXP. 571- Modify anon_root and local_root to change directory _before_ applying the 572chroot(). 573- Open all files O_NONBLOCK to avoid pipes blocking on open. 574- Support wu-ftpd style per-user chroot() via /./ in /etc/passwd HOMEDIR. 575- Add SIGHUP support to new built in listener. 576- Per-user config overrides, via "user_config_dir" - woohoo! 577- Warning fixes, i.e. change "index" to "indexx" thanks to Olaf Kirch 578<okir@suse.de>. 579- Make sure the standalone daemon doesn't leak zombies! 580- Supposedly fix kernel messages about MSG_PEEK race - thanks to advice from 581Alexey <kuznet@ms2.inr.ac.ru>. 582- Add global client limit for standalone mode. 583- Add username that failed when we die with str_getpwnam. 584- Add a bunch of documentation under EXAMPLES. 585 586At this point: 1.1.0 package released 587------------------------------------- 588 589(Note - 1.1.0 also included large file (>2Gb) support). 590 591- Fix port_promiscuous, oops! Thanks to Bj�rn-Ove Heimsund 592<bjornoh@mi.uib.no>. 593- Fix to support umasks which create executable files. Reported by 594"Martin, Andreas" <AMartin@hegau-klinikum.de>. 595- Make the messages more.. professional :( Thanks to Steven G. Taylor 596<staylor@redhat.com>. 597- Allow anon users to append to files if they can delete files! Suggestion 598from Michael Leuchtenburg <michael@slashhome.org>. 599- Hopefully fix Solaris build (-lresolv) 600- Replace atoll() with a homebrew - modern FreeBSD, OpenBSD lack it. 601- Different solution for a umask which creates executable files: 602file_open_mode. 603- First attempt at Tru64 build, working with <Sulla17@aol.com>. 604- A few minor FAQ additions. 605- Change date format in the log from Sep 09 -> Sep 9. Avoids breaking some 606broken log parsers. 607- Make "INSTALL" better and clearer. 608- Fix passwd_chroot_enable, reported by James Jones <james@richland.edu>. 609- Finish Tru64 building :-) 610- Add tunable_no_anon_password as asked for by Stephen Quinney 611<stephen.quinney@computing-services.oxford.ac.uk>. 612 613At this point: 1.1.1 package released 614------------------------------------- 615 616- Add per-IP connection limits in standalone mode. 617- Add logging of refused connect due to global or IP connection limits. 618- (Many thanks for testing and suggestions from Rob van Nieuwkerk 619<robn@verdi.et.tudelft.nl> and Adrian Reber <adrian@lisas.de>. 620- Make connection limit exceeded messages nonblocking. 621- Don't exit the listener if fork fails. 622 623At this point: 1.1.2 package released 624------------------------------------- 625 626- Support for tcp_wrappers. 627- First stab at Solaris sendfilev() support. 628- Don't bomb out the listener on SIGHUP if the config became invalid. 629- End vsf_findlibs.sh with "exit 0;" - thanks Lars Hecking <lhecking@nmrc.ie>! 630- Integrate with tcp_wrappers - load config based on VSFTPD_LOAD_CONF 631environment variables. Allows per-IP configurability in standalone mode. 632- Fix build without tcp_wrappers. 633- Fix Solaris sendfilev() support - interruption via a signal returns EINTR 634rather than a partial byte count! 635- Add to EXAMPLE/ - PER_IP_CONFIG and INTERNET_SITE_NOINETD 636 637At this point: 1.1.3 package released 638------------------------------------- 639 640- Eliminate crypt() not defined warning. 641- "grep -q" is not standard to redirect to /dev/null instead. 642- Make banned_email_file work second time around. 643- Add force_dot_files to work around broken clients. The behaviour when 644enabled is very wu-ftpd like. 645- Implement SITE HELP - should work around IE bug? 646- Update README, vsftpd.conf with references to read the manual page! 647- Log revamp: add dual_log_enable to log to xferlog AND vsftpd.log. 648- Log revamp: add syslog_enable to log vsftpd.log to syslog(). 649- Add "background" option to background the listener process. 650- Fix warning is vsftpd.8 man page, Bill Nottingham <notting@redhat.com>. 651- Fix tcp wrappers support to NOT emit loads of Bad file descriptor messages 652to the system log. 653- Add ability to make bandwidth limiter smoother by using e.g. 654trans_chunk_size=8192. 655- Add ability for virtual users to use local privs non anon privs, via 656virtual_use_local_privs=YES. 657- Fix sendfile() fallback on FreeBSD, thanks to Adam Stroud 658<adstro@stny.rr.com>. 659- Add pam_session support, as well as utmp and wtmp logging for local logins 660(when using a PAM build). Tested pam_limits maxlogins works. 661- Ensure the source IP address for PORT connects is always the same as the 662control connection local IP address. Previously it was not when NOT using 663connect_from_port_20 in the presence of multiple local IP addresses. 664- Oops - make max_per_ip and max_clients work with the two process model 665when both connect_from_port_20 and chown_uploads are false. 666- Initial IPv6 support (EPSV only). 667- Add EPRT support to IPv6. 668- Fix "ls .file" to list .file even if the ls -a flag is not present. Noted 669by and thanks to Sean Millichamp <sean@enertronllc.com>. 670- Better error messages for config file parse fail: include setting name. 671- Fix bug in str_split_text where text is greater than 1 character long! 672- Make it build on Solaris8 - switch from utmp to utmpx and handle missing 673LOG_FTP. 674- Always check for VSFTPD_LOAD_CONF environment variable. 675- Implement HELP properly (should help broken clients). 676- Fix FreeBSD build (no utmpx.h, so disable feature). 677- Fix chown_uploads. 678- "Guess fix" for FreeBSD reported bug. I reckon FreeBSD is returning -EINTR 679from a blocking close but still closing the fd, despite the error return. So 680cater for this. Reported by Drew Vogel <dvogel@intercarve.net>. 681- Add download_enable and dirlist_enable. Useful in conjunction with the 682per-user config stuff. 683- Add chmod_enable. 684- Implement STRU and MODE for _old_, broken clients! 685- Log connects. 686- Fix 500 OOPS with chown_uploads and an APPE command. 687- Improve some error messages: die -> die2 for more information. 688- Repair max_per_ip (problem comparing IPv4 addresses). 689- Make chown_uploads work with virtual users. 690- Chmod files to 0600 before chown_uploads kicks in. 691- Add STOU support. 692- Add cmds_allowed config parameter. 693- Add some FAQ entries. 694 695At this point: v1.2.0 released! 696=============================== 697 698- Apply NetBSD patch to sysdeputil.c to activate a few features. Thanks to 699Lubomir Sedlacik <salo@netbsd.org>. 700- Apply fix for broken clients that terminate commands with \r\r\n. Thanks 701to Andrey Chernomyrdin <andrey@excom.spb.su>. 702- AIX send_file support, thanks to Tomas Ogren <stric@ing.umu.se>. 703- Fix typos in vsftpd.conf.5, thanks to SEKINE Tatsuo <tsekine@sdri.co.jp>. 704- Simple -F flag support to LIST and NLST. Needed for some broken clients. 705- Add simple ? wildcard in pattern matching. 706- Make pasv_min_port and pasv_max_port work if they are the same value. Thanks 707to Marvin Solomon <solomon@cs.wisc.edu>. 708- Paranoia: ignore user_config_dir if username has a / in it. 709- Implement stub ALLO command to keep busybox/ftpput happy. 710- Implement REIN, ACCT and SMNT stubs. 711- Implement FEAT along with an OPTS stub. 712- Implement STAT (no-args version). 713- Implement STAT (file/dir). 714- Add very simple access control via hide_file and deny_file. These should 715NOT be used for securing content as they are very dumb! Filesystem permissions 716are still the recommended way for securing important content. 717- Allow unsetting of string values with option= (i.e. blank). 718- Default virtual users to being chroot()'ed to the guest_user's home 719directory, if virtual_use_local_privs is not set. 720- Add support for "user_sub_token", where you can set the home directory of 721guest_user to "/home/virtual/$USER", and "user_sub_token" to "$USER" to 722have a root directory auto generated based on username logging in, e.g. 723fred logs in and gets chroot()'ed in /home/virtual/fred. 724- Fix bug in str_replace_text if replace token matches at end of string. 725- Recognize P@SW as PASV; works around an SMC router bug. 726- Accept an async ABOR sequence if it arrives via non-urgent data. Fixes issue 727with Cisco routers. Thanks to Eddie Corns <E.Corns@ed.ac.uk>. 728- Implement simple {,} support in pattern matcher (nested not handled). Handy 729to use with hide_file and deny_file options. 730(v1.2.1pre2) 731- Fix port range with pasv_min_port and pasv_max_port to use the full range 732(the upper limit wasn't being used very often!). 733- Activate SO_REUSEADDR on passive listen sockets - makes servers with 734restricted port ranges much more useable! 735- Add secure_email_list_enable, to provide simple anonymous password control. 736For some cases, it's better than the hassle of virtual users. Idea thanks to 737Malcolm O'Callaghan, <mjo@stamps.com>. 738- Add some FAQ entries. 739(v1.2.1pre3) 740- Fix issue with failure to call openlog() before using tcp_wrappers. Part 741of RH bugzilla #89765. (The more serious part was fixed with v1.2.0). 742 743At this point: v1.2.1 released! 744=============================== 745 746- Fix FreeBSD 5.1/5.2 issue with time_t being long long on that platform. 747Thanks to Matthias Andree <matthias.andree@gmx.de>. 748- Tweak vsftpd.conf.5 to avoid automated mails from ESR ;-) 749- Remove vsftpd spec files, they are old and buggy. 750- Add -v flag which just outputs the version and exits. 751- Fix nasty issue resulting in listener instability under extreme load (root 752cause was re-entering malloc/free). Many thanks to Olivier Baudron 753<olivier.baudron@m4x.org> for an excellent report. 754(v1.2.2pre1) 755- Fix build with modern glibc-2.3 and no libcap on Linux. 756- Fix 64-bit file support on Solaris. 757(v1.2.2pre2) 758- Add initial support for running as the user which launched vsftpd, i.e. no 759root needed. Warning - easy to create insecurity if you use this without 760knowing what you are doing. 761- For above run-as-launching-user support: make CDUP re-use CWD code so that 762deny_file of *..* is useful. 763- Attempt fix of 64-bit file support on FreeBSD (may need another go). 764- Update INSTALL to refer to more modern platforms. 765 766At this point: v1.2.2 released! (need to get the listener fix out) 767================================================================== 768 769- Improve logging (log deletes, renames, chmods, etc. as requested by users). 770- Add no_log_lock to work around Solaris / Veritas locking hangs. 771- Add EPRT, EPSV, PASV and TVFS to FEAT response. 772- Implement use of MDTM to set timestamps. 773- Recognize FEAT prior to login. 774- Add OpenSSL (AUTH TLS / SSL) support for encrypted control and data 775connections! Hurrah. 776- Increase max size of .message files to 4000 characters, thanks to Eric 777Pancer <epancer@security.depaul.edu> for the report. 778- Add easy builddefs.h ability to disable PAM builds even when PAM is installed. 779- Report vsftpd version in STAT output. 780- Add REFS file. 781- Change parent<->child socket comms from DGRAM to STREAM for increased 782reliability. The main benefit is should the parent be killed (or crash out) 783then the child won't block on a read() that will never return. 784- Make str_reserve reserve space for the trailing zero as well, so we don't 785cause a reallocation if we exactly fill the buffer. 786- Optimize the sending of strings over the parent<->child comms links. 787- Improve the build system so tcp_wrappers, PAM and OpenSSL can be forcibly 788compiled out. 789- Fix vsftpd.conf.5 typos, thanks to Dmitry V. Levin <ldv@altlinux.org>. 790- If trans_chunk_size is between 1 and 4096, use 4096 rather than ignoring 791totally. Thanks to Brad <brad@intradonline.com>. 792- Lose Makefile.sun and README.solaris special cases. 793- Add SSL / TLS info to SECURITY texts. 794- Add README.ssl 795- Add documentation for new SSL options to vsftpd.conf.5. 796- Add support for CWD ~ (and in general support ~ at start of any filename). 797Also support stuff like ~chris/pics, if tilde_user_enable=YES is set. Note that 798all of this is for very very broken clients :-( 799- Fix compile warnings. 800- Update INSTALL with (recent) OS X as a working platform. 801 802At this point: v2.0.0 released! 803=============================== 804 805- Add -lcrypto for the SSL build; needed for some systems! Thanks to Nelson 806Chang <nelsoncybernet@bigfoot.com>. 807- Oops; fix session bale out if an empty length password is given. 808- Fix build on Fedora Core 2 (-lcap cannot seem to find /lib/libcap.so). 809- Fix vsftpd.conf.5 man page error in "ssl_sslv3", thanks to Etienne Chevillard 810<echevillard@yahoo.fr>. 811- Clarify licensing: I allow linking of my GPL software with the OpenSSL 812libraries. Thanks to Jonas Bofjall <job@abc.se>. 813- Add COPYRIGHT. 814- Fix build on OpenBSD, FreeBSD, probably NetBSD too (they aren't SuSv2 815compliant; timezone should be a variable not a function). 816- Fix build where PAM build is enabled but PAM headers are missing. 817- Fix build on RHEL3 (remove errant include from twoprocess.c). 818 819At this point: v2.0.1 released! 820=============================== 821 822- Fix FAQ typo, thanks to Jose Santiago Oyervides Gonzalez 823<jose.oyervides@elnorte.com>. 824- Emit data transfer status messages (success / failure) after flushing and 825waiting for the full data transfer to reach the client. This should help work 826around buggy FTP clients such as FlashFXP, which is known to truncate files 827incorrectly. 828(v2.0.2pre1) 829- Make str_empty actually allocate an empty string. 830- Change the ASCII receive code to ONLY rip out \r if it is just before a \n; 831someone finally complained about this. 832(v2.0.2pre2) 833- Enable AIX Large File Support #define from Tomas gren <stric@cs.umu.se>. 834- Add a couple of FAQ entries. 835- Fix time delta code areas to cope with negative deltas, which will occur 836if the clock is adjusted backwards. Thanks to Andrew Anderson 837<andrew@redhat.com> for a great report. 838- Fix "errno" checks to be robust in multiple places; previously, calls to 839failing library calls could be made inbetween the original library call and 840the "errno" reads. Thanks to Andrew Anderson <andrew@redhat.com> for a great 841report. 842- Make bandwidth limiter work with SSL data connections. 843(v2.0.2pre3) 844- Note that the SSL / bandwidth limiter bug fixed a much more serious bug: 845SSL data connection dropouts after data_connection_timeout seconds. 846- Typo fixes. 847 848At this point: v2.0.2 released! (need to get the SSL dropout fix out) 849===================================================================== 850 851- Document what regex expressions are supported in the man page. 852- New settings rsa_private_key_file and dsa_private_key_file to allow 853separate files for the certificates and private keys. 854- Initial, simple fix for timed out processes not exiting when SSL is in use. 855Better fix (which reports timeout to client properly) to follow. 856- Add which setsockopt option failed to die("setsockopt") calls. 857- Fix when running on recent OpenBSDs - OpenBSD change broke vsftpd. Lower 858linger timeout from INT_MAX to 32767 (SHORT_MAX). Reported by 859Ewoud van der Vliet <e.c.vandervliet@student.utwente.nl> and Ed Vazquez 860<ed.vazquez@dhha.org>. 861(v2.0.3pre1) 862- Fix error with IPv4 connections to IPv6 listeners and PORT type data 863connections when connect_from_port_20 is set. RedHat bugzilla 134541. Reported 864by Joe Orton <jorton@redhat.com>, Radek Vokal <rvokal@redhat.com> and 865Andreas Kupfer <kupfer@42h.de>. 866- Remove vsf_sysutil_sockaddr_same_family (unused). 867- Support protocol 1 (IPv4) in EPRT. 868- Add ssl.c to AUDIT. 869- Allow config file to use "ssl_ciphers=" to use default OpenSSL cipher list. 870- Allow "EPSV 1" to mean IPv4 EPSV. 871- Report dummy IP but correct port with IPv6 / PASV. 872- Handle SSL_WANT_READ and SSL_WANT_WRITE retries in SSL_read and SSL_write; 873fixes SSL upload failures when data timeouts are in use with some clients. 874Specifically, I used the test case FileZilla 2.2.12a on Windows XP. Reported 875by Lee Lawrence <leel@aspin.co.uk> (using CuteFTP and BackupEdge) and 876Christian DELAIR <christian@cognition.fr> (using lftp, FileZilla and 877SmartFTP). Thanks to these two people for valuable help. 878(v2.0.3pre2) 879- Implicitly disable connect_from_port_20 and chown_uploads when a non-root 880user is using run_as_launching_user. 881- Add force_anon_logins_ssl and force_anon_data_ssl for a fully SSL secure 882anonymous-only solution (useful when you don't have root access and a range 883of acceptable anonymous passwords as credentials). 884- Use SSL BIO callbacks to fix data connection timeout checks; the checks 885weren't all occurring promply. 886 887At this point: v2.0.3 released! (need to get about three imporant fixes out) 888============================================================================ 889 890- Add explicit "This FTP server does not allow anonymous logins" message. 891- Add paranoid checks to sysutil.c for large values / lengths. 892- Fix incorrect comment about ASCII and SIZE in the vsftpd.conf example. 893- Load per-IP config files earlier; allows more settings to be tuned on a 894per-IP level. Suggested by Reber Tobias <t.reber@dkfz-heidelberg.de>. 895- Fix MDTM on non-existant files. Reported by Ken A <ka@pacific.net>. 896- {} regex fix so that {*} correctly matches everything. Reported by 897Tom Van de Wiele <tom.vandewiele@gmail.com>. 898- Add "mdtm_write" option to disable MDTM being able to set file timestamps. 899- Fix HPUX build, thanks to Kevin Vajk <kvajk@cup.hp.com>. 900- Add optional file locking support via lock_upload_files (default on). 901- Apply LDFLAGS patch from Mads Martin Joergensen <mmj@suse.de>. 902- Add pasv_addr_resolve option to allow pasv_address to get DNS resolved once 903at startup. 904- Apply patch to fix timezone issues (caused by chroot() interacting badly with 905newer glibc versions). Thanks to Dmitry V. Levin <ldv@altlinux.org> and 906Mads Martin Joergensen <mmj@suse.de>. 907 908At this point: v2.0.4 released! 909=============================== 910 911