From: TJ S. <cas...@us...> - 2012-12-27 18:30:12
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv10577 Modified Files: FTP.html Log Message: Updated website copy of FTP howto. Index: FTP.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/FTP.html,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- FTP.html 12 Oct 2012 15:23:16 -0000 1.2 +++ FTP.html 27 Dec 2012 18:30:08 -0000 1.3 @@ -337,7 +337,7 @@ <pre> SITE MKDIR /path/to/some/dir/that/is/not/there/ </pre> - Supported by the <code>mod_site_misc</code> module. + Supported by the <a href="../contrib/mod_site_misc.html"><code>mod_site_misc</code></a> module. </li> <p> @@ -350,7 +350,7 @@ <pre> SITE RMDIR /path/to/some/dir/with/files/ </pre> - Supported by the <code>mod_site_misc</code> module. + Supported by the <a href="../contrib/mod_site_misc.html"><code>mod_site_misc</code></a> module. </li> <p> @@ -362,7 +362,7 @@ <pre> SITE SYMLINK src dest </pre> - Supported by the <code>mod_site_misc</code> module. + Supported by the <a href="../contrib/mod_site_misc.html"><code>mod_site_misc</code></a> module. </li> <p> @@ -373,9 +373,8 @@ <pre> SITE UTIME 200412312359 /path/to/some/file.txt </pre> - Supported by the <code>mod_site_misc</code> module. + Supported by the <a href="../contrib/mod_site_misc.html"><code>mod_site_misc</code></a> module. </li> - </ul> <p> 
@@ -408,6 +407,57 @@ </li> </ul> +<p><a name="FAQ"> +<b>Frequently Asked Questions</b> + +<p><a name="MoveDirectoriesAcrossDevices"> +<font color=red>Question</font>: I can use the <code>RNFR</code> and +<code>RNTO</code> commands to <i>move</i> a file, even across different +disks/mount points. And I can use <code>RNFR</code>/<code>RNTO</code> to move +a directory, <b>but</b> I <b>cannot</b> move a directory across different +disks/mount points. Is this a bug?<br> +<font color=blue>Answer</font>: No, it is not a bug. Why not? Ultimately, +it is because the FTP specifications do not guarantee (or even <i>discuss</i>) +that an FTP implementation must support renaming of directories across +mount points. +<p> + +<p> +ProFTPD implements the <code>RNFR</code>/<code>RNTO</code> functionality +by using the <code>rename(2)</code> system call. And <code>rename(2)</code> +is documented to <b>not</b> work across mount points. + +<p> +"But then why does it work when I rename a file across mount points?" you +ask. Good question. The answer is that for <b>files only</b>, ProFTPD +detects the <code>rename(2)</code> error for renaming across mount points, +and then <i>copies</i> the file in question to the new location, deleting +the old location when the copy completes successfully. + +<p> +"Great!" you say, "Now do the same thing for directories!" Unfortunately, for +directories, the answer is not that simple. Here are some things to consider +when copying directories: what if the directory contains sockets, FIFOs, +devices, and other irregular file types which cannot be easily copied/moved? +Should copying/moving of directories automatically use root privileges in +order to preserve the ownership on files that do not belong to the logged-in +user? What if the copying/deleting of files fails in the midde: what should +then happen to the copied (and remaining) files/directories? 
+ +<p> +Since there are no easy answers as yet to the above questions, ProFTPD now +detects the <code>rename(2)</code> error for renaming across mount points +for a <b>directory</b>, and rejects the <code>RNTO</code> command, showing +something like: +<pre> + RNFR directory + 350 File or directory exists, ready for destination name + RNTO /other/mount/directory + 550 Rename /other/mount/directory: Is a directory +</pre> +That "Is a directory" error indicates that ProFTPD cannot rename a directory +across the mount points you requested. (That particular error message can, +and will, be made more informative.) <p> <hr> |
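Review bot: In the FAQ block added by the @@ -408,6 +407,57 @@ hunk, both <a name="FAQ"> and <a name="MoveDirectoriesAcrossDevices"> are opened with no closing </a> in the added lines, so each anchor runs on into the markup that follows; close each one right after its target text. In the same block, "fails in the midde" should read "fails in the middle", and the first answer paragraph ends with an empty <p> that is immediately followed by another <p>.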
From: TJ S. <cas...@us...> - 2012-12-13 16:12:30
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv11363 Modified Files: TLS.html Log Message: Update website copy of TLS howto. Index: TLS.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/TLS.html,v retrieving revision 1.9 retrieving revision 1.10 diff -u -d -r1.9 -r1.10 --- TLS.html 25 Sep 2012 23:22:51 -0000 1.9 +++ TLS.html 13 Dec 2012 16:12:27 -0000 1.10 @@ -29,7 +29,7 @@ Example <a href="../contrib/mod_tls.html"><code>mod_tls</code></a> configuration: <pre> <IfModule mod_dso.c> - <font color=green># If mod_tls was built as a shared/DSO module, load it + <font color=green># If mod_tls was built as a shared/DSO module, load it</font> LoadModule mod_tls.c </IfModule> |
From: TJ S. <cas...@us...> - 2012-12-11 19:42:18
Update of /cvsroot/pdd/www.proftpd.org/docs/utils In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv11333 Modified Files: index.html Log Message: Typo. Index: index.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/utils/index.html,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- index.html 11 Dec 2012 19:33:42 -0000 1.2 +++ index.html 11 Dec 2012 19:42:16 -0000 1.3 @@ -29,7 +29,7 @@ </dd> <p> - <dt>The <a href="ftpdctl.html"><code>ftpdctl<code></a> utility + <dt>The <a href="ftpdctl.html"><code>ftpdctl</code></a> utility <dd> </dd> |
From: TJ S. <cas...@us...> - 2012-12-11 19:33:45
Update of /cvsroot/pdd/www.proftpd.org/docs/utils In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv10424 Modified Files: index.html Log Message: Fix typos, add links to DSO howto, ftpshut docs. Index: index.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/utils/index.html,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- index.html 17 Mar 2011 00:15:59 -0000 1.1 +++ index.html 11 Dec 2012 19:33:42 -0000 1.2 @@ -29,7 +29,7 @@ </dd> <p> - <dt>The <a href="ftpdctl.html"><code>ftpdctl/code></a> utility + <dt>The <a href="ftpdctl.html"><code>ftpdctl<code></a> utility <dd> </dd> @@ -49,7 +49,14 @@ <p> <dt>The <a href="ftpscrub.html"><code>ftpscrub</code></a> utility - <dd> + <dd>Can be used to "scrub" the <code>ScoreboardFile</code> of dead + sessions, <i>i.e.</i> caused by sessions which die uncleanly. See + the <a href="../howto/Scoreboard.html">Scoreboard</a> howto for more + information. + </dd> + + <p> + <dt>The <a href="ftpshut.html"><code>ftpshut</code></a> utility </dd> <p> @@ -64,7 +71,7 @@ <p> <dt>The <a href="prxs.html"><code>prxs</code></a> utility - <dd> + <dd>Used to compile <a href="../howto/DSO.html">DSO</a> modules. </dd> </ul> |
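Review bot: The replacement line in the @@ -29,7 +29,7 @@ hunk still leaves the element unclosed: <code>ftpdctl<code> opens a second <code> instead of closing the first, so the rest of the entry renders as code. The line should end the element with </code> before </a>.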
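Review bot: In the @@ -49,7 +49,14 @@ hunk the new ftpshut <dt> gets no <dd> of its own: the added lines close the ftpscrub entry with </dd>, and the ftpshut <dt> is then followed directly by the pre-existing </dd>, which leaves a stray close tag. Add an opening <dd> with a short description after the ftpshut <dt>, as was done for ftpscrub. The ftpscrub text "i.e. caused by sessions which die uncleanly" would also read better as "i.e. sessions which died uncleanly".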
From: TJ S. <cas...@us...> - 2012-12-10 23:30:24
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv25518 Modified Files: Debugging.html ServerType.html Log Message: Updating website copy of these howtos. Index: ServerType.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/ServerType.html,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- ServerType.html 5 Jan 2010 17:04:54 -0000 1.2 +++ ServerType.html 10 Dec 2012 23:30:21 -0000 1.3 @@ -13,10 +13,11 @@ <hr> <p> -The <a href="http://www.proftpd.org/docs/directives/linked/config_ref_ServerType.html"><code>ServerType</code></a> configuration directive for ProFTPD can cause -confusion for those just starting with this server. What is the purpose -for this directive? What are these "inetd" and "standalone" -types, and why does one need to choose one or the other? +The <a href="../modules/mod_core.html#ServerType"><code>ServerType</code></a> +configuration directive for ProFTPD can cause confusion for those just starting +with this server. What is the purpose for this directive? What are these +"inetd" and "standalone" types, and why does one need to +choose one or the other? <p> The purpose of this directive is to choose between the two operating modes for 
@@ -151,11 +152,11 @@ However, the most common way this is done is through <code>inetd</code>. When running a <code>proftpd</code> server in <em>standalone</em> mode, then, it is not quite as straightforward; however, it is not hard, either. -The <a href="http://www.castaglia.org/proftpd/modules/mod_wrap.html"><code>mod_wrap</code></a> module can be compiled into your <code>proftpd</code>. This -module allows a standalone <code>proftpd</code> server to use the normal -<code>/etc/hosts.allow</code>, <code>/etc/hosts.deny</code> files, in addition -to other files (something that normal <code>tcpwrappers</code> configurations -cannot do). +The <a href="../contrib/mod_wrap.html"><code>mod_wrap</code></a> module can be +compiled into your <code>proftpd</code>. This module allows a standalone +<code>proftpd</code> server to use the normal <code>/etc/hosts.allow</code>, +<code>/etc/hosts.deny</code> files, in addition to other files (something that +normal <code>tcpwrappers</code> configurations cannot do). <p> If you try to start a <code>proftpd</code> server configured with a Index: Debugging.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/Debugging.html,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- Debugging.html 5 Jan 2010 16:59:31 -0000 1.2 +++ Debugging.html 10 Dec 2012 23:30:21 -0000 1.3 
@@ -21,6 +21,28 @@ user follows these steps and determines the solution for themselves. <p> +Keep in mind that <code>proftpd</code> runs on quite a few different platforms, +including Linux (and its various distributions), Solaris, Mac OSX, various BSDs, +etc. So please, when reporting issues, <b>include as much information as you +can</b>. Saying something like "latest Ubuntu/CentOS/Fedora", or "stable +Debian", or "FreeBSD ports", does not mean that much to those of us who don't +run/use those platforms. + +<p> +We <b>want</b> to help you, but to do that, we need to know as many details as +possible. One goal is for us to be able to reproduce the issue locally. That's +why providing the `proftpd -V' output, and the <code>proftpd.conf</code>, the +debug logging, and a description of the behavior you <b><i>expect</i></b> (as +well as what you actually <b><i>observed</i></b>) is so important. These +things help us to recreate the setup, and the circumstances, locally. And +once we can see the same issue on our machines, we can help that much more +rapidly with the solution. + +<p> +You will hear requests for these details come up quite a bit. It's worth +pointing out why that is. + +<p> <b>Know the Version</b><br> Various problems afflict various versions of the code, so when tracking down problems, it is good to know the version being used: 
@@ -57,15 +79,15 @@ that your changes are valid. The easiest way to do this is to do an informative syntax check: <pre> - proftpd -td5 + proftpd -td10 </pre> The <code>-t</code> option directs the server to only do a syntax check, to parse the configuration file but stop before actually starting its operations -as a server. The <code>-d5</code> will cause the server to display debugging +as a server. The <code>-d10</code> will cause the server to display debugging messages during this testing of the configuration file. Another useful command is: <pre> - proftpd -c <i>/path/to/new/config/file</i> -td5 + proftpd -c <i>/path/to/new/config/file</i> -td10 </pre> which lets you test the syntax of some new configuration file before it is put into production. @@ -81,7 +103,7 @@ The easiest way to get the debugging information is to start the server from the command line using: <pre> - proftpd -nd6 + proftpd -nd10 </pre> <b>Note</b>: make sure that no other <code>proftpd</code> instances are running before using this command, otherwise you will see: @@ -104,7 +126,7 @@ snippets (if you know what the relevant debug messages are), or you can capture the debug output to a file: <pre> - proftpd -nd5 2>&1 >& /path/to/debug/file + proftpd -nd10 2>&1 >& /path/to/debug/file </pre> and send that file, compressed, along with your post. @@ -129,7 +151,8 @@ server startup script. <p> -As of version 1.2.8rc1, ProFTPD supports a <a href="http://www.proftpd.org/docs/directives/linked/config_ref_DebugLevel.html"><code>DebugLevel</code></a> +As of version 1.2.8rc1, ProFTPD supports a +<a href="../modules/mod_core.html#DebugLevel"><code>DebugLevel</code></a> configuration directive. This lets you set a debugging level in your <code>proftpd.conf</code> file, without needing to edit <code>inetd.conf</code> or <code>xinetd</code> configuration file. 
@@ -139,14 +162,15 @@ A common response on the mailing lists to a posted question is: "What do your server logs say?" Locating the server's log files can be troublesome, depending on your configuration. If the -<a href="http://www.proftpd.org/docs/directives/linked/config_ref_SystemLog.html"><code>SystemLog</code></a> configuration directive is in effect, you know exactly where -the server's log file is. If not, then by default the server uses -<code>syslog</code> for logging. The location of <code>syslog</code>'d log -files is set in your system's <code>/etc/syslog.conf</code> file. You may -need to read your system's man pages for <code>syslog.conf</code> or -<code>syslogd</code> to understand the format of that file. Note that the -server will log using a <code>syslog</code> facility of <code>daemon</code> -(and level <code>debug</code> when debugging) for most of its messages; during +<a href="../modules/mod_log.html#SystemLog"><code>SystemLog</code></a> +configuration directive is in effect, you know exactly where the server's log +file is. If not, then by default the server uses <code>syslog</code> for +logging. The location of <code>syslog</code>'d log files is set in your +system's <code>/etc/syslog.conf</code> file. You may need to read your +system's man pages for <code>syslog.conf</code> or <code>syslogd</code> to +understand the format of that file. Note that the server will log using a +<code>syslog</code> facility of <code>daemon</code> (and level +<code>debug</code> when debugging) for most of its messages; during authentication, messages are logged using the <code>authpriv</code> facility. <p> 
@@ -216,14 +240,13 @@ <p> <b>Common Problems</b><br> One common question is: "I changed the configuration file, but the new -configuration is not being seen!" The solution depends on your -configured -<a href="http://www.proftpd.org/docs/directives/linked/config_ref_ServerType.html"><code>ServerType</code></a>. Almost certainly it will be <code>standalone</code>, as -<code>inetd</code>-mode servers pick up configuration changes almost instantly -(the server is started from the ground up for each connection). For -configuration changes to be seen by a <code>standalone</code> server, you need -to either stop, then start the server (the hard way), or to send the -<code>HUP</code> signal the the daemon process. +configuration is not being seen!" The solution depends on your configured +<a href="ServerType.html"><code>ServerType</code></a>. Almost certainly it +will be <code>standalone</code>, as <code>inetd</code>-mode servers pick up +configuration changes almost instantly (the server is started from the ground +up for each connection). For configuration changes to be seen by a +<code>standalone</code> server, you need to either stop, then start the server +(the hard way), or to send the <code>HUP</code> signal the the daemon process. <p> Another common question involves use of ProFTPD's <code><Limit></code> |
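Review bot: The paragraphs added to Debugging.html by the @@ -21,6 +21,28 @@ hunk ask reporters to send their proftpd.conf and debug logging but say nothing about removing secrets first; a configuration file can carry credentials (for example database or LDAP bind passwords), and these posts go to a public list. Add a sentence asking reporters to redact passwords and similar values before posting. The same paragraph writes `proftpd -V' in quote marks where the rest of the page uses <code>.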
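Review bot: The capture command in the @@ -104,7 +126,7 @@ hunk keeps the redirection "2>&1 >& /path/to/debug/file", which depends on the >& operator that plain POSIX sh does not accept with a file name, and in shells that do accept it the leading 2>&1 is redundant. Since the line is being changed anyway, the portable form would be "proftpd -nd10 > /path/to/debug/file 2>&1".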
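Review bot: The reflowed paragraph in the @@ -216,14 +240,13 @@ hunk carries over the doubled article in "send the <code>HUP</code> signal the the daemon process"; the added line should read "to the daemon process".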
From: John M. <jw...@us...> - 2012-12-04 15:02:31
Update of /cvsroot/pdd/www.proftpd.org/docs In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv14083 Modified Files: rfc.epl Log Message: fix broken rfc-editor link Index: rfc.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/rfc.epl,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- rfc.epl 15 Jun 2010 14:47:16 -0000 1.8 +++ rfc.epl 4 Dec 2012 15:02:29 -0000 1.9 @@ -32,7 +32,7 @@ <h2>RFC-959 File Transfer Protocol (FTP)</h2> <a href="http://www.rfc-editor.org/rfc/rfc959.txt">[http]</a> <a href="ftp://ftp.rfc-editor.org/in-notes/rfc959.txt">[ftp]</a> -<i>Errata:</i> <a href="http://www.rfc-editor.org/errata.html">[http]</a> +<i>Errata:</i> <a href="http://www.rfc-editor.org/errata_search.php?rfc=959&rec_status=15&presentation=table">[http]</a> <table cellspacing="0" cellpadding="0" border="0"> <tr> |
From: TJ S. <cas...@us...> - 2012-11-19 21:32:31
Update of /cvsroot/pdd/www.proftpd.org/docs/modules In directory vz-cvs-3.sog:/tmp/cvs-serv32339 Modified Files: mod_dso.html Log Message: Updated website copy of mod_dso docs. Index: mod_dso.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/modules/mod_dso.html,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- mod_dso.html 9 Nov 2011 23:52:11 -0000 1.2 +++ mod_dso.html 19 Nov 2012 21:32:29 -0000 1.3 
@@ -336,6 +336,93 @@ This option causes <code>mod_dso</code> to be compiled into <code>proftpd</code>. +<p><a name="FAQ"> +<b>Frequently Asked Questions</b><br> + +<p><a name="DSOAlreadyLoaded"> +<font color=red>Question</font>: When I try to start <code>proftpd</code>, it +fails like this: +<pre> + proftpd[1234]: mod_dso/0.5: module 'mod_radius.c' already loaded + proftpd[1234]: Fatal: LoadModule: error loading module 'mod_radius.c': Operation not permitted on line 9 of '/etc/proftpd/proftpd.conf' +</pre> +How do I fix this "module already loaded" error?<br> +<font color=blue>Answer</font>: This happens when the proftpd configuration +either <i>a)</i> uses the <a href="#LoadModule"><code>LoadModule</code></a> +on a module which was compiled in as a static module, or <i>b)</i> is +inadvertently using <code>LoadModule</code> on the same module multiple times. + +<p> +To check if the module has been statically compiled into your +<code>proftpd</code> executable, use the <code>-l</code> command-line parameter, +<i>e.g.</i>: +<pre> + # proftpd -l + Compiled-in modules: + mod_core.c + mod_xfer.c + mod_auth_unix.c + mod_auth_file.c + mod_auth.c + mod_ls.c + mod_log.c + mod_site.c + mod_delay.c + mod_facts.c + mod_dso.c + mod_ident.c + mod_auth_pam.c + mod_tls.c + mod_cap.c +</pre> +The modules listed via the command are the static modules. So if your +<code>LoadModule</code> directive is used for one of the modules in this list, +you can remove that <code>LoadModule</code> directive; that module will already +be loaded. + +<p> +The other cause, that of having multiple <code>LoadModule</code> directives +for the same module, usually happens when your <code>proftpd.conf</code> +file includes other config files, <i>e.g.</i>: +<pre> + Include /path/to/modules.conf +</pre> +and it is those other config files which have <code>LoadModule</code> directives +of their own. 
+ +<p> +If you find yourself needs to change the configuration to work around this +error, you can use the following to see if the module has already been +loaded, and if not, load it: +<pre> + <IfModule !mod_radius.c> + LoadModule mod_radius.c + </IfModule> +</pre> + +<p><a name="DSOAlreadyLoadedSpecialModules"> +<font color=red>Question</font>: When I try to start <code>proftpd</code>, it +fails like this: +<pre> + proftpd[1234]: mod_dso/0.5: module 'mod_ctrls.c' already loaded + proftpd[1234]: Fatal: LoadModule: error loading module 'mod_ctrls.c': Operation not permitted on line 9 of '/etc/proftpd/proftpd.conf' +</pre> +I do not have any other <code>LoadModule</code> directives in my config, nor +is the <code>mod_ctrls</code> module in my <code>--with-modules</code> +configure option.<br><br> +<font color=blue>Answer</font>: In this particular case, the +<code>mod_ctrls</code> module is automatically compiled in, as a static module, +when the <code>--enable-ctrls</code> configure option is used. There are only +a few such modules with this special handling: +<ul> + <li><code>mod_ctrls</code> (<i>via the <code>--enable-ctrls</code> configure option</i>) + <li><code>mod_dso</code> (<i>via the <code>--enable-dso</code> configure option</i>) + <li><code>mod_lang</code> (<i>via the <code>--enable-nls</code> configure option</i>) + <li><code>mod_memcache</code> (<i>via the <code>--enable-memcache</code> configure option</i>) +</ul> +All of these modules would appear in the <code>`proftpd -l'</code> static +module list. + <p> <hr><br> @@ -345,7 +432,7 @@ <br><hr> <font size=2><b><i> -© Copyright 2004-2011 TJ Saunders<br> +© Copyright 2004-2012 TJ Saunders<br> All Rights Reserved<br> </i></b></font> |
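Review bot: In the first answer of the FAQ added by the @@ -336,6 +336,93 @@ hunk, "If you find yourself needs to change the configuration" is ungrammatical ("If you find yourself needing to change" fits), and "uses the LoadModule on a module" is missing the word "directive". The three anchors added here (FAQ, DSOAlreadyLoaded, DSOAlreadyLoadedSpecialModules) are each opened with <a name=...> and never closed with </a>.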
From: TJ S. <cas...@us...> - 2012-10-16 19:01:51
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory vz-cvs-3.sog:/tmp/cvs-serv20010 Modified Files: ConfigurationTricks.html Log Message: Updated ConfigurationTricks howto for website. Index: ConfigurationTricks.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/ConfigurationTricks.html,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- ConfigurationTricks.html 30 Mar 2011 22:28:33 -0000 1.4 +++ ConfigurationTricks.html 16 Oct 2012 19:01:48 -0000 1.5 @@ -239,6 +239,36 @@ some terse but powerful files. <p> +As a demonstration, here is an example making use of environment variables, +<code>Define</code>, and <code><IfDefine></code>. First, set an +environment variable, <i>e.g.</i> (assuming Bourne shell syntax): +<pre> + $ USE_BANS=TRUE + $ export USE_BANS +</pre> +Now start proftpd using the -D command-line option to set a define based +on the value of that environment variable: +<pre> + $ ./proftpd -DUSE_BANS=$USE_BANS ... +</pre> +And in the <code>proftpd.conf</code>, you might have something like: +<pre> + <IfDefine USE_BANS=TRUE> + .. + </IfDefine> +</pre> +in which case, the directives within that conditional section would be +in effect when proftpd was started. On the other hand, to disable those +configuration directives before starting proftpd, all that you need to do +now is change the environment variable value: +<pre> + $ USE_BANS=FALSE + $ export USE_BANS +</pre> +That <code><IfDefine></code> section will no longer be in effect +when proftpd is started. + +<p> <b>Multiple Daemons on Same Host</b><br> What if you wanted to run multiple instances of <code>proftpd</code> on the same host? This is actually a prudent idea, for running one production |
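Review bot: The start command in the @@ -239,6 +239,36 @@ hunk expands the environment variable unquoted ("./proftpd -DUSE_BANS=$USE_BANS ..."), so an unset USE_BANS produces a bare "-DUSE_BANS=" and a value containing whitespace is split into extra arguments. Quote the expansion as -DUSE_BANS="$USE_BANS", and state what the <IfDefine USE_BANS=TRUE> section does when the variable is not set at all, since the text only covers TRUE and FALSE. The "-D" option and "proftpd" in the added prose are also not wrapped in <code> as they are elsewhere in the file.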
From: TJ S. <cas...@us...> - 2012-10-12 15:23:20
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory vz-cvs-3.sog:/tmp/cvs-serv13755 Modified Files: DSO.html FTP.html Log Message: Updating website copy of docs. Index: DSO.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/DSO.html,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- DSO.html 3 Aug 2012 18:24:30 -0000 1.4 +++ DSO.html 12 Oct 2012 15:23:16 -0000 1.5 
@@ -327,6 +327,53 @@ its own <code>configure</code> script and <code>Makefile</code>, then you should use those. Otherwise, <code>prxs</code> should suffice. +<p><a name="FAQ"> +<b>Frequently Asked Questions</b><br> +<font color=red>Question</font>: My installed <code>proftpd</code> does not +include <code>mod_sql_passwd</code> (or some other module). How can I get +proftpd to use this module without recompiling?<br> +<font color=blue>Answer</font>: First, see if your proftpd package came +with the <a href="#prxs"><code>prxs</code></a> tool; by default, this tool +is installed as <code>/usr/local/bin/prxs</code>. If you do not find +<code>prxs</code> anywhere on your system, you will have to recompile proftpd +in order to add new modules. + +<p> +Second, you will need the source code for <code>mod_sql_passwd</code> (or +whatever other module you want to add to your proftpd). Assume, then, that +you have found the <code>mod_sql_passwd.c</code> source file. The next +step is to use <code>prxs</code> to build that module as a DSO module: +<pre> + # /usr/local/bin/prxs -c -i -d mod_sql_passwd.c +</pre> +If the above fails with this error message: +<pre> + Your installed proftpd does not support shared modules/DSOs. + Make sure the --enable-dso configure option is used when + compiling proftpd. +</pre> +It means that your <code>proftpd</code> does not have DSO support -- and +that means that you will have to recompile proftpd to add the new module. + +<p> +If, on the other hand, your <code>prxs</code> succeeded, the last steps are +to update your <code>proftpd.conf</code> to load the new module, and then +restart proftpd so that it reads the updated configuration. 
Continuing with +the example of <code>mod_sql_passwd</code>, you would add the following line +near the top of your <code>proftpd.conf</code>: +<pre> + LoadModule mod_sql_passwd.c +</pre> +and later in the config file, configure your newly added module: +<pre> + <IfModule mod_sql_passwd.c> + SQLPasswordEngine on + ... + </IfModule> +</pre> +Last, restart proftpd, and enjoy your new module's functionality, all without +needing to recompile/reinstall proftpd itself. + <p> <hr> <i>$Date$</i><br> Index: FTP.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/FTP.html,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- FTP.html 17 Aug 2007 00:11:26 -0000 1.1 +++ FTP.html 12 Oct 2012 15:23:16 -0000 1.2 @@ -19,13 +19,17 @@ </li> <p> + <li><a name="ALLO"><b><code>ALLO</code></b></a><br> + </li> + + <p> <li><a name="APPE"><b><code>APPE</code></b></a><br> Short for <b>APPE</b>nd.<br> </li> <p> <li><a name="AUTH"><b><code>AUTH</code></b></a><br> - Short for <b>AUTH</b>enticate (supported by <code>mod_tls</code>)<br> + Short for <b>AUTH</b>enticate (supported by <a href="../contrib/mod_tls.html"><code>mod_tls</code></a>)<br> </li> <p> @@ -71,6 +75,10 @@ </li> <p> + <li><a name="LANG"><b><code>LANG</code></b></a><br> + </li> + + <p> <li><a name="LIST"><b><code>LIST</code></b></a><br> </li> 
@@ -78,10 +86,20 @@ <li><a name="MDTM"><b><code>MDTM</code></b></a><br> Short for <b>M</b>o<b>D</b>ification <b>T</b>i<b>M</b>e, this command is used by the client to request the modification time of a file on the - server. This command is not defined in any formal RFCs (yet), but is - a commonly implemented FTP command. <i>Note</i> that this command - <b>cannot</b> be used to change the modification time of the file on - the server; it only reports on the file's modification time.<br> + server. This command is defined formally in <a href="http://www.faqs.org/rfcs/rfc3659.html">RFC 3659</a>, and is a commonly implemented FTP command. + <i>Note</i> that this command <b>cannot</b> be used to change the + modification time of the file on the server; it only <i>reports</i> on the + file's modification time. The <a href="#MFMT"><code>MFMT</code></a> + command is used to <i>change</i> a file's modification time.<br> + </li> + + <p> + <li><a name="MFMT"><b><code>MFMT</code></b></a><br> + Short for <b>M</b>odify <b>F</b>act: Last <b>M</b>odified <b>T</b>ime, + supported by <a href="../modules/mod_facts.html"><code>mod_facts</code></a>. + Some clients use this command to change the last modified timestamp on + a newly uploaded file so that the timestamp on the server matches the + timestamp of that file on the client. </li> <p> 
@@ -90,6 +108,32 @@ </li> <p> + <li><a name="MLSD"><b><code>MLSD</code></b></a><br> + Short for <b>M</b>achine <b>L</b>i<b>S</b>ting, <b>D</b>irectory, supported + by <a href="../modules/mod_facts.html"><code>mod_facts</code></a>. Unlike + the <a href="#LIST"><code>LIST</code></a> command, whose response format + was never specified, the <code>MLSD</code> command has a strictly defined + response format (see <a href="http://www.faqs.org/rfcs/rfc3659.html">RFC 3659</a> for details). This format was designed to be easily machine parseable, + for automated processing of directory listing formats; the format was also + designed to be platform-agnostic, and thus portable. + </li> + + <p> + <li><a name="MLST"><b><code>MLST</code></b></a><br> + Short for <b>M</b>achine <b>L</b>i<b>ST</b>ing, supported by + <a href="../modules/mod_facts.html"><code>mod_facts</code></a>. This + command is similar to <a href="#MLSD"><code>MLSD</code></a> in that it + uses the same response format. Unlike <code>MLSD</code>, the response for a + <code>MLST</code> is sent back on the control connection rather than + using a data connection, and <b>is for a single file only</b>. + </li> + + <p> + <li><a name="MODE"><b><code>MODE</code></b></a><br> + There are three mode types defined by <a href="http://www.faqs.org/rfcs/rfc969.html">RFC 959</a>; <code>proftpd</code> only supports one (<i>i.e.</i> <b>S</b>tream). + </li> + + <p> <li><a name="NLST"><b><code>NLST</code></b></a><br> Short for <b>N</b>ame <b>L</b>i<b>ST</b>.<br> </li> @@ -342,10 +386,6 @@ </li> <p> - <li><a name="ALLO"><b><code>ALLO</code></b></a><br> - </li> - - <p> <li><a name="MACB"><b><code>MACB</code></b></a><br> Short for <b>MAC</b>intosh <b>B</b>inary. This command is not defined in any RFC, and is something of a hack added by Apple in order to support 
@@ -353,13 +393,6 @@ </li> <p> - <li><a name="MODE"><b><code>MODE</code></b></a><br> - There are three mode types defined by RFC959; <code>proftpd</code> only - supports one (<i>i.e.</i> <b>S</b>tream), and thus this command is not - supported.<br> - </li> - - <p> <li><a name="REIN"><b><code>REIN</code></b></a><br> </li> |
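Review bot: The prxs step in the FAQ added to DSO.html by the @@ -327,6 +327,53 @@ hunk is shown at a root prompt ("# /usr/local/bin/prxs -c -i -d mod_sql_passwd.c") against a source file the reader has simply "found", with no word on where that file should come from. Because this compiles and installs code that the daemon will then load, say that the module source should be taken from the proftpd distribution or another source the administrator trusts. Also, "It means that your proftpd does not have DSO support" continues the sentence begun before the <pre> block and should start in lowercase.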
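Review bot: In the MODE entry added to FTP.html by the @@ -90,6 +108,32 @@ hunk, the link text says RFC 959 but the href points at rfc969.html, so the link leads to a different RFC. The href should use rfc959.html, matching the link text and the RFC-959 entry the entry is describing.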
From: TJ S. <cas...@us...> - 2012-10-10 20:36:49
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory vz-cvs-3.sog:/tmp/cvs-serv11758 Modified Files: Limit.html Log Message: Updating website copy of Limit howto. Index: Limit.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/Limit.html,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- Limit.html 1 Jun 2012 16:28:48 -0000 1.4 +++ Limit.html 10 Oct 2012 20:36:47 -0000 1.5 @@ -159,7 +159,7 @@ DenyAll </Limit> - <Limit CDUP CWD XCWD XCUP> + <Limit CDUP CWD PWD XCWD XCUP> AllowAll </Limit> |
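Review bot: The updated <Limit CDUP CWD PWD XCWD XCUP> line in the @@ -159,7 +159,7 @@ hunk adds PWD without its X-variant XPWD, although the list already pairs CWD with XCWD and CDUP with XCUP. A client that sends XPWD would not be covered by this AllowAll section; add XPWD to the list for consistency.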
From: TJ S. <cas...@us...> - 2012-10-10 01:27:24
|
Update of /cvsroot/pdd/www.proftpd.org/docs/modules In directory vz-cvs-3.sog:/tmp/cvs-serv1424 Modified Files: mod_lang.html Log Message: Updating website copy of mod_lang docs. Index: mod_lang.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/modules/mod_lang.html,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- mod_lang.html 9 Nov 2011 23:52:11 -0000 1.4 +++ mod_lang.html 10 Oct 2012 01:27:22 -0000 1.5 @@ -16,10 +16,12 @@ <p> <b>Internalization and Localization</b><br> -The <code>mod_lang</code> module is ProFTPD's module for handling the LANG -and OPTS UTF8 commands, in support of <a href="http://www.faqs.org/rfcs/rfc2640.html">RFC 2640</a>. The <code>mod_lang</code> module also supports character -sets other than UTF8, for those sites which do not require RFC2640 support, but -<i>do</i> use character sets other than ASCII. This module is contained in the +The <code>mod_lang</code> module is ProFTPD's module for handling the +<code>LANG</code> and <code>OPTS UTF8</code> commands, in support of +<a href="http://www.faqs.org/rfcs/rfc2640.html">RFC 2640</a>. The +<code>mod_lang</code> module also supports character sets other than UTF-8, +for those sites which do not require RFC 2640 support, but <i>do</i> use +character sets other than ASCII. This module is contained in the <code>mod_lang.c</code> file for ProFTPD 1.3.<i>x</i>, and is compiled in whenever the <code>--enable-nls</code> configure option is used. Installation instructions are discussed <a href="#Installation">here</a>. Examples 
@@ -78,8 +80,8 @@ <p> The <code>LangEngine</code> directive enables or disables the module's -handling of the LANG command. If it is set to <em>off</em> this module does no -localization of responses. +handling of the <code>LANG</code> command. If it is set to <em>off</em> this +module does no localization of responses. <p> <b>Note</b> that setting <code>LangEngine</code> to <em>off</em> also keeps @@ -123,7 +125,7 @@ <p> <hr> <h2><a name="UseEncoding">UseEncoding</a></h2> -<strong>Syntax:</strong> UseEncoding <em>on|off|local-charset client-charset</em><br> +<strong>Syntax:</strong> UseEncoding <em>on|off|local-charset client-charset ["strict"]</em><br> <strong>Default:</strong> None<br> <strong>Context:</strong> "server config", <code><VirtualHost></code>, <code><Global></code><br> <strong>Module:</strong> mod_lang<br> 
@@ -132,12 +134,13 @@ <p> The <code>UseEncoding</code> directive is used to explicitly configure which character sets should be used for encoding. By default, the -<code>mod_lang</code> will automatically discover the local character set, -and will use UTF8 for the client character set. The module will also allow -the use of UTF8 encoding to be changed by clients using the OPTS UTF8 command -(as per RFC2640). However, if the <code>UseEncoding</code> directive is -explicitly used to indicate the character sets to use (or not use), then any -OPTS UTF8 commands used by clients will be refused. +<code>mod_lang</code> module will automatically discover the local character +set, and will use UTF-8 for the client character set. The module will also +allow the use of UTF-8 encoding to be changed by clients using the +<code>OPTS UTF8</code> command (as per RFC 2640). However, if the +<code>UseEncoding</code> directive is explicitly used to indicate the character +sets to use (or not use) <b>and</b> the <em>"strict"</em> keyword +is used, then any OPTS UTF8 commands used by clients will be refused. <p> For example, to disable all use of encoding, use the following in your @@ -159,6 +162,15 @@ <pre> UseEncoding koi8-r cp1251 </pre> +With the above, a client could still request a switch from <code>koi8-r</code> +encoding to UTF-8 via the <code>OPTS UTF8</code> command. If, however, you +wished to prevent clients from changing the encoding to UTF-8, the above +configuration would instead look like: +<pre> + UseEncoding koi8-r cp1251 strict +</pre> + +<p> For a full list of the character sets which are supported, use: <pre> $ iconv --list 
@@ -186,8 +198,9 @@ One common request of <code>proftpd</code> is to properly handle Cyrillic characters in file and directory names. The usual character sets which contain Cyrillic characters use the same codes as used for Telnet -control codes, unfortunately. RFC959 (which defines FTP) mandates that the -Telnet control codes be supported in FTP implementations. +control codes, unfortunately. +<a href="http://www.faqs.org/rfcs/rfc959.html">RFC 959</a> (which defines FTP) +mandates that the Telnet control codes be supported in FTP implementations. <p> The <code>mod_lang</code> module, however, can be used to deal with this @@ -221,10 +234,27 @@ <p><a name="FAQ"></a> <b>Frequently Asked Questions</b><br> +<p><a name="Translations"> +<font color=red>Question</font>: What translations for proftpd currently exist?<br> +<font color=blue>Answer</font>: ProFTPD has currently been translated into: +<ul> + <li>bg_BG + <li>en_US + <li>fr_FR + <li>it_IT + <li>ja_JP + <li>ko_KR + <li>ru_RU + <li>zh_CN + <li>zh_TW +</ul> +If you are interested in providing more translations, please read this +<a href="../howto/Translations.html">howto</a>. + <p><a name="SpecialCharacters"> <font color=red>Question</font>: When I upload a file with special characters -(<i>e.g.</i> umlauts, accents, cedillas, <i>etc</i>), the special characters -are turned into '?' on the server. What's wrong?<br> +(<i>e.g.</i> umlauts, accents, cedillas, <i>etc</i>) in the file name, the +special characters are turned into '?' on the server. What's wrong?<br> <font color=blue>Answer</font>: There are a couple of things to check when this happens. @@ -238,7 +268,7 @@ <p> Next, make sure that the <code>LANG</code> environment variable is set before -starting the server. Special characters require that UTF8 or ISO-8859-1 be +starting the server. Special characters require that UTF-8 or ISO-8859-1 be used, thus you might use things like: <pre> # export LANG=de_DE.utf8 
@@ -254,6 +284,21 @@ commands like <code>OPTS UTF8</code>, thus interfering with the protocol and causing encoding problems. +<p><a name="UnsupportedLanguage"> +<font color=red>Question</font>: I have configured my <code>mod_lang</code> +module to use a language, but when I start <code>proftpd</code>, I see an +error like this: +<pre> + mod_lang/0.9: LangDefault '<i>language</i>', configured for server '<i>serverName</i>', is not a supported language, removing +</pre> +<font color=blue>Answer</font>: This usually happens for one of two reasons: +<ul> + <li>The configured <em>language</em> is <b>not</b> listed in <code>`setlocale -a'</code> + <li>The configured <em>language</em> is <b>not</b> one of the <a href="#Translations">supported translations</a> +</ul> +Both of these conditions <b>must</b> be true, otherwise you will see the +"not a supported language" error. + <p> <hr><br> Author: <i>$Author$</i><br> @@ -261,7 +306,7 @@ <br><hr> <font size=2><b><i> -© Copyright 2006-2010 TJ Saunders<br> +© Copyright 2006-2012 TJ Saunders<br> All Rights Reserved<br> </i></b></font> |
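Review bot: the UseEncoding hunks (@@ -123,7 +125,7 @@ through @@ -159,6 +162,15 @@) change the documented behaviour, since an explicit UseEncoding now refuses OPTS UTF8 only when "strict" is given, but nothing says which proftpd version introduced the keyword. An admin reading this page against an older server would expect the old refusal, so name the version in the directive's description. The Syntax line, on|off|local-charset client-charset ["strict"], also leaves open whether "strict" may follow on or off, and the last changed sentence leaves OPTS UTF8 bare where the rest of the hunk wraps it in <code>.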
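Review bot: in the new UnsupportedLanguage answer (hunk @@ -254,6 +284,21 @@) the two bullets describe the failure cases (language not listed, language not a supported translation) and the closing sentence then says "Both of these conditions must be true", which read literally requires both failures. State the requirement positively: the language must appear in the locale list and must be one of the supported translations. The command quoted as `setlocale -a' looks wrong as well: setlocale is the C library call, and the command that lists installed locales is locale -a. The <a name="Translations"> and <a name="UnsupportedLanguage"> anchors are opened and never closed, unlike <a name="FAQ"></a> in the context lines.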
From: TJ S. <cas...@us...> - 2012-09-27 17:53:26
|
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory vz-cvs-3.sog:/tmp/cvs-serv21723 Modified Files: Tracing.html Log Message: Typo. Index: Tracing.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/Tracing.html,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- Tracing.html 25 Sep 2012 23:17:04 -0000 1.4 +++ Tracing.html 27 Sep 2012 17:53:23 -0000 1.5 @@ -231,7 +231,7 @@ <code>proftpd.conf</code>. <p><a name="FAQ"> -<b>Frequently Asked Questsions</b><br> +<b>Frequently Asked Questions</b><br> <p> <font color=red>Question</font>: Can I configure <code>Trace</code> on a |
From: TJ S. <cas...@us...> - 2012-09-25 23:22:54
|
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory vz-cvs-3.sog:/tmp/cvs-serv23634 Modified Files: TLS.html Log Message: Updating website copy of TLS howto. Index: TLS.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/TLS.html,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- TLS.html 4 Jan 2010 17:50:23 -0000 1.8 +++ TLS.html 25 Sep 2012 23:22:51 -0000 1.9 @@ -26,8 +26,13 @@ from SourceForge. <p> -Example <a href="http://www.castaglia.org/proftpd/modules/mod_tls.html"><code>mod_tls</code></a> configuration: +Example <a href="../contrib/mod_tls.html"><code>mod_tls</code></a> configuration: <pre> + <IfModule mod_dso.c> + <font color=green># If mod_tls was built as a shared/DSO module, load it + LoadModule mod_tls.c + </IfModule> + <IfModule mod_tls.c> TLSEngine on TLSLog /var/ftpd/tls.log 
@@ -311,6 +316,35 @@ using <code>openssl s_client</code> will provide most of the information you will want in figuring out your certificate and verification issues. +<p><a name="TLSClientAuth"></a> +<b>TLS Client Auth/Mutual Auth</b><br> +Like most web servers, when <code>mod_tls</code> is used, it does not +require that the connecting client present a certificate for verification +by default. That is, <code>mod_tls</code> does not require "client auth" +or "mutual auth" by default. To require that clients present a valid +certificate, you would use the <a href="../contrib/mod_tls.html#TLSVerifyClient"><code>TLSVerifyClient</code></a> directive like so: +<pre> + <IfModule mod_tls.c> + TLSEngine on + ... + <font color=green># Verify clients that want to use FTP over TLS</font> + TLSVerifyClient on + </IfModule> +</pre> + +<p> +With this directive enabled in your configuration, if a client connects +and performs the SSL/TLS handshake but does <b>not</b> present a valid +certificate, then the TLSLog would contain error messages like this: +<pre> + mod_tls/2.4.3[12065]: TLS/TLS-C requested, starting TLS handshake + mod_tls/2.4.3[12065]: unable to accept TLS connection: protocol error: + (1) error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate + mod_tls/2.4.3[12065]: TLS/TLS-C negotiation failed on control channel +</pre> +The client failed to provide a valid certificate, and so the connection +was rejected. + <p><a name="FAQ"></a> <b>Frequently Asked Questions</b><br> @@ -327,7 +361,7 @@ <p><a name="TLSProtection"> <font color=red>Question</font>: Does FTPS protect both the control connection -<i>and</i> the data connections?<br> +<b>and</b> the data connections?<br> <font color=blue>Question</font>: Short answer: yes. <p> 
@@ -581,6 +615,16 @@ security requirements you have configured on the server. <p> +The following may also appear in the <code>TLS</code> for any data +transfers (which include directory listings): +<pre> + client did not reuse SSL session, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter +</pre> +This message appears because an additional security restriction that was +added in ProFTPD 1.3.3rc1. The <a href="../contrib/mod_tls.html#TLSOptions"><code>TLSOptions</code></a> documentation for this "NoSessionReuseRequired" option +describes the situation in more detail. + +<p> You may also see the following appear in the <code>TLSLog</code> on occasion: <pre> PROT: unwilling to accept security parameter (C), declining 
@@ -590,11 +634,101 @@ with a security parameter of <code>C</code>, meaning "Clear", which effectively tells the server not to protect data transfers. The <code>mod_tls</code> module will refuse the <code>C</code> security parameter -if, like above, there is "TLSRequired on" in your +if, like above, there is "TLSRequired on" in your <code>proftpd.conf</code>. This case also indicates a disagreement between the client's security expectations and the security policy you have configured on the server. +<p> +In order to accept a "PROT C" FTP command, your <code>mod_tls</code> +configuration would need to use a <code>TLSRequired</code> value other than +<em>required</em>, <i>e.g.</i> something like: +<pre> + # We only require SSL/TLS protection during authentication + TLSRequired auth + + # We will accept SSL/TLS protection for the control channel if the + # client wants to use it, but NOT for data transfers + TLSRequired !data +</pre> + +<p><a name="TLSErrorAfterLargeUpload"> +<font color=red>Question</font>: Using FTPS, after uploading a very large file, +my next directory listing fails: +<pre> + 425 Unable to build data connection: Operation not permitted +</pre> +The <code>TLSLog</code> contains: +<pre> + client did not reuse SSL session, rejecting data connection (see the NoSessionReuseRequired TLSOptions parameter +</pre> +but I do <i>not</i> want to use that option, and would like to rely on the +additional security protection provided by requring SSL session reuse. +And my FTPS client is correctly reusing SSL session IDs (as earlier data +transfers were working properly). So why is my data transfer failing after +the upload of a very large file?<br> +<font color=blue>Answer</font>: The answer involves SSL session caching +on the server side (<i>i.e.</i> <code>mod_tls</code>), cache timeouts, and +session renegotiations. + +<p> +By default, <code>mod_tls</code> uses OpenSSL's "internal" session cache, +which is an in-memory caching of SSL session IDs. 
And by default, OpenSSL's +internal session cache has a cache timeout of 5 minutes; after that amount +of time in the internal session cache, a cached SSL session ID is considered +stale and is available for reuse. + +<p> +This means that 5 minutes or more into an FTPS session, even if your FTPS +client reused an SSL session ID, the OpenSSL internal session cache will +time out that SSL session ID. The next time your FTPS client goes to reuse +that session ID for a data transfer, <code>mod_tls</code> won't find it in +the OpenSSL internal session cache, and will think that your FTPS client is +not reusing the SSL session ID as is required, and fail the transfer. + +<p> +Fixing this situation requires two parts: <i>a)</i> the ability to change +the cache timeout used for the OpenSSL internal session cache, and <i>b)</i> +renegotiating the SSL session ID with the FTPS client periodically, to keep +the SSL session ID up-to-date in the session cache. + +<p> +The first part, configuring the session cache timeout for the OpenSSL internal +session cache, is only possible in ProFTPD 1.3.4rc2 and later (see +<a href="http://bugs.proftpd.org/show_bug.cgi?id=3580">Bug#3580</a>). The +<a href="../contrib/mod_tls.html#TLSSessionCache"><code>TLSSessionCache</code></a> directive was modified to allow a configuration such as: +<pre> + TLSSessionCache internal: 1800 +</pre> +(Unfortunately, the ':' after "internal" <i>is</i> necessary.) This configures +<code>mod_tls</code> such that the OpenSSL internal session cache uses +a cache timeout of 1800 seconds (30 minutes), rather than the default of 300 +seconds (5 minutes). + +<p> +No matter how long you configure the cache timeout, eventually you will have +a session which lasts longer than that timeout. Which brings us to the second +part of the solution: renegotiating a new SSL session ID periodically, which +keeps it fresh in the session cache. 
The +<a href="../contrib/mod_tls.html#TLSRenegotiate"><code>TLSRenegotiate</code></a> +directive is needed for this. For example, the following configuration +should address the issue of failed data transfers after very large uploads: +<pre> + TLSRenegotiate ctrl 1500 timeout 300 + TLSSessionCache internal: 1800 +</pre> +This tells <code>mod_tls</code> to request a renegotiation of the SSL session +on the control channel every 1500 seconds (25 minutes), and to allow +300 seconds (5 minutes) for the client to perform the renegotiation. It also +tells <code>mod_tls</code> to cache the SSL session data for 1800 seconds +(30 minutes), <i>i.e.</i> longer than the renegotiation time of 1500 seconds. + +<p> +This way, as long as your client supports renegotiations and is updating the +SSL session ID properly for data transfers, when a data transfer is requested, +the SSL session ID presented by the client should always be fresh and in the +session cache. + <p><a name="TLSBuildErrors"> <font color=red>Question</font>: Why would I see the following errors while attempting to build <code>proftpd</code> with <code>mod_tls</code>? <pre> 
@@ -821,11 +955,26 @@ - mod_tls/2.2: compiled using OpenSSL version 'OpenSSL 0.9.7i 14 Oct 2005' headers, but linked to OpenSSL version 'OpenSSL 0.9.7l 28 Sep 2006' library </pre> -<font color=blue>Answer</font>: That message is a warning, not an error. It -is telling you that the OpenSSL headers on your system don't match the OpenSSL -library version. In most cases, this is not a problem. However, there -can be inexplicable errors if the difference in header versus library versions -is too large. +What does this mean?<br> +<font color=blue>Answer</font>: That is an informational/warning message. + +<p> +Some systems are badly maintained by their admins (and/or by the packages +installed on the systems), such that the OpenSSL headers can become quite badly +out of sync with the OpenSSL libraries. If this discrepancy becomes bad +enough, you can see strange behavior from OpenSSL, ranging from random behavior +to segfaults. So <code>mod_tls</code> tries to let the admin know about the +system's mismatched OpenSSL header/library versions. + +<p> +Usually a minor OpenSSL version difference like the example above is OK, +but it really depends on exactly what changed in OpenSSL, and how. + +<p> +If you see the above message, it is not a <i>requirement</i> that you recompile +<code>proftpd</code> against the OpenSSL headers of the same version as the +OpenSSL libraries. However, the version discrepancy <em>is</em> a possible +source of trouble. <p> This header/library version check was added recently, hence why older 
@@ -909,6 +1058,39 @@ which would result in the same error. <p> +<font color=red>Question</font>: Is there a way to require TLS (FTPS) for +remote clients <b>only</b>, and allow simple FTP (without TLS) for local +clients (<i>i.e.</i> for clients in networks which we will be able to define +as "local")?<br> +<font color=blue>Answer</font>: Yes. + +<p> +To do this, you would use a combination of +<a href="Classes.html"><code><Class></code></a> sections and +<a href="../contrib/mod_ifsession.html">mod_ifsession</a>'s +<code><IfClass></code>, <i>e.g.</i>: +<pre> + <Class local> + From ... + </Class> + + <IfModule mod_tls.c> + # Normal mod_tls configuration here + + <IfClass local> + # Don't require FTPS from local clients + TLSRequired off + </IfClass> + + <IfClass !local> + # Require FTPS from remote/non-local clients + TLSRequired on + </IfClass> + + </IfModule> +</pre> + +<p> <hr> Last Updated: <i>$Date$</i><br> <hr> |
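Review bot: the <font color=green> opened on the added comment line in the first hunk (@@ -26,8 +26,13 @@) is never closed, so the tag stays open across the LoadModule line and the rest of the <pre> block. Close it at the end of the comment, as the TLSClientAuth hunk does with "# Verify clients that want to use FTP over TLS</font>".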
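Review bot: the paragraph added in hunk @@ -581,6 +615,16 @@ says the message may appear "in the <code>TLS</code>", which names neither a file nor a directive; the surrounding text and the later FAQ both call it the TLSLog. "This message appears because an additional security restriction that was added" is also missing a word; "because of an additional security restriction that was added" reads correctly.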
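Review bot: the PROT C paragraph in hunk @@ -590,11 +634,101 @@ tells the reader to use a TLSRequired value other than "required", while the text just above it, and the IfClass example later in this patch, write the setting as "TLSRequired on"; use the value the reader will actually find in a config. The example block then shows "TLSRequired auth" and "TLSRequired !data" one after the other without saying whether they are alternatives or meant to be combined, and, going by their comments, both leave data transfers without required protection, which deserves an explicit sentence. In the session-cache FAQ, "considered stale and is available for reuse" reads as though the client may reuse the stale ID, the opposite of what the next paragraph describes, and "requring" is a typo.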
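Review bot: the FAQ added in the last hunk (@@ -909,6 +1058,39 @@) sets "TLSRequired off" for the class "local" but leaves the class definition as "From ...", so the security of the whole arrangement rests on a line the reader has to write unaided. Show a concrete, narrow example and state plainly that every client matching the class may authenticate and transfer without TLS, so the class must not be wider than the networks actually trusted. The question also has no <a name=...> anchor, unlike the other FAQ entries added in this patch, so it cannot be linked to directly.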
From: TJ S. <cas...@us...> - 2012-09-25 23:17:07
|
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory vz-cvs-3.sog:/tmp/cvs-serv20306 Modified Files: Tracing.html Log Message: Updating website copy of Tracing howto. Index: Tracing.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/Tracing.html,v retrieving revision 1.3 retrieving revision 1.4 diff -u -d -r1.3 -r1.4 --- Tracing.html 21 Apr 2011 16:00:33 -0000 1.3 +++ Tracing.html 25 Sep 2012 23:17:04 -0000 1.4 
@@ -174,17 +174,52 @@ This shows process ID 30583 logging to the "auth" channel, log level 6, a message about handling the "endgrent" Auth API request. -<p> +<p><a name="RuntimeTuning"> <b>Runtime Tracing</b><br> -If Controls support is enabled in your <code>proftpd</code>, and you are -using the <code>mod_ctrls_admin</code> module, then you can also use the +If Controls support is enabled in your <code>proftpd</code>, <i>and</i> +you are using the <code>mod_ctrls_admin</code> module, then you can also use the <code>ftpdctl</code> command to adjust the trace logging settings in the running <code>proftpd</code>, without needing to change your <code>proftpd.conf</code> file. See: <pre> <a href="../contrib/mod_ctrls_admin.html#trace">doc/contrib/mod_ctrls_admin.html#trace</a> </pre> -for more information. +for more information on the <code>ftpdctl trace</code> action. + +<p> +Here's a concrete example of how tuning the trace logging at runtime can be +useful. You may need the extra information logged via trace logging in order +to track down/debug some issue, <b>but</b> you do not want to enable trace +logging all of the time in your environment. Fortunately, it is possible +to make it possible to get the trace logging information you need, when +you need to get it, and then turn the trace logging off <i>all without +restarting proftpd</i>. + +<p> +First, you need to configure your <code>proftpd.conf</code> like so: +<pre> + TraceLog /path/to/proftpd/trace.log + Trace DEFAULT:0 +</pre> +This configuration tells proftpd to direct all trace logging to that +<code>TraceLog</code> file, <i>but</i> to not actually write anything to the +file; the log level zero (0) filters out all trace logging messages. Start +proftpd with the updated <code>proftpd.conf</code>. 
Later, while proftpd is +running, you can tune the tracing using the +<a href="Controls.html"><code>ftpdctl</code></a> utility, like this: +<pre> + # ftpdctl trace lock:10 scoreboard:5 +</pre> +which dynamically changes the 'lock' trace channel level to 10, and the +'scoreboard' trace channel level to 5. Once you have gathered the necessary +information in the <code>TraceLog</code> file, you then use <code>ftpdctl</code> +again and restore the trace levels back to zero, effectively turning off +trace logging once more: +<pre> + # ftpdctl trace DEFAULT:0 +</pre> +Note that the changed settings will only apply to <b>new</b> sessions; this +does <b>not</b> change the trace logging for <i>existing</i> sessions. <p> <b>Use Only When Needed</b><br> |
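Review bot: the new anchor in hunk @@ -174,17 +174,52 @@ is named RuntimeTuning while the heading it marks still reads "Runtime Tracing", and the <a name=...> tag is never closed; pick one term and close the tag. "it is possible to make it possible to get the trace logging information you need" should be tightened to a single "it is possible to". The walkthrough raises the lock and scoreboard channels by name and then resets with "ftpdctl trace DEFAULT:0"; say whether DEFAULT:0 also resets channels that were set individually, because leaving verbose tracing enabled is exactly what this section is meant to prevent.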
From: TJ S. <cas...@us...> - 2012-08-03 18:24:33
|
Update of /cvsroot/pdd/www.proftpd.org/docs/howto In directory vz-cvs-3.sog:/tmp/cvs-serv5921 Modified Files: DSO.html Log Message: Updating website version of DSO howto. Index: DSO.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/howto/DSO.html,v retrieving revision 1.3 retrieving revision 1.4 diff -u -d -r1.3 -r1.4 --- DSO.html 5 Jan 2010 17:01:24 -0000 1.3 +++ DSO.html 3 Aug 2012 18:24:30 -0000 1.4 @@ -272,6 +272,14 @@ Then restart <code>proftpd</code>, and your custom module will be in use. <p> +For example, you might use <code>prxs</code> to compile the +<code>mod_sql_sqlite</code> module like so, from the top level of the +ProFTPD source directory: +<pre> + # prxs -c -i -d contrib/mod_sql_sqlite.c +</pre> + +<p> The following options are also supported: <pre> -n, --name Tells prxs the name of the module being compiled. |
From: TJ S. <cas...@us...> - 2012-07-31 20:36:50
|
Update of /cvsroot/pdd/www.proftpd.org/docs/modules In directory vz-cvs-3.sog:/tmp/cvs-serv10055 Modified Files: mod_facts.html Log Message: Updating website copy of the mod_facts documentation. Index: mod_facts.html =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/docs/modules/mod_facts.html,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- mod_facts.html 9 Nov 2011 23:52:11 -0000 1.2 +++ mod_facts.html 31 Jul 2012 20:36:48 -0000 1.3 @@ -41,6 +41,7 @@ <h2>Directives</h2> <ul> <li><a href="#FactsAdvertise">FactsAdvertise</a> + <li><a href="#FactsOptions">FactsOptions</a> </ul> <hr> @@ -63,7 +64,7 @@ <code>LIST</code>/<code>NLST</code> commands. Some FTP clients, though, will attempt to use the newer commands just as if they were equivalent to the older commands, including supporting glob/wildcard characters. -Section 2.2.2 of RFC3659 explicitly states that wildcard characters are +Section 2.2.2 of RFC3659, which explicitly states that wildcard characters are <b>not</b> supported in the <code>MLSD</code> and <code>MLST</code> commands. Thus, to prevent problems when using such FTP clients with proftpd, you can disable the advertising of support for those commands using 
@@ -74,6 +75,39 @@ </IfModule> </pre> +<hr> +<h2><a name="FactsOptions">FactsOptions</a></h2> +<strong>Syntax:</strong> FactsOptions <em>opt1 ...</em><br> +<strong>Default:</strong> None<br> +<strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br> +<strong>Module:</strong> mod_facts<br> +<strong>Compatibility:</strong> 1.3.4b and later + +<p> +The <code>FactsOptions</code> directive is used to configure various optional +behavior of <code>mod_facts</code>. <b>Note</b>: all of the configured +<code>FactsOptions</code> parameters <b>must</b> appear on the same line in the +configuration; only the <i>first</i> <code>FactsOptions</code> directive that +appears in the configuration is used. + +<p> +The currently implemented options are: +<ul> + <li><code>UseSlink</code><br> + <p> + Use this option to have <code>mod_facts</code> use the <i>broken</i> + "OS.unix=slink" syntax, preferred by FTP clients such as FileZilla, for + indicating symlinks, rather than the more correct "OS.unix=symlink" + syntax. See + <a href="http://bugs.proftpd.org/show_bug.cgi?id=3318">Bug#3318</a> for + a more detailed discussion. + + <p> + <b>Note</b> that this option first appeared in + <code>proftpd-1.3.4b</code>. + </li> +</ul> + <p><a name="FAQ"> <b>Frequently Asked Questions</b><br> @@ -81,7 +115,7 @@ <font color=red>Question</font>: Why does <code>MLSD</code> list all of the files in a directory, including the "hidden" files, where the <code>LIST</code> command does not?<br> -<font color=blue>Answer</code>: The <code>MLSD</code> and <code>MLST</code> +<font color=blue>Answer</font>: The <code>MLSD</code> and <code>MLST</code> commands do not have any notions of "options" like the <code>LIST</code> and <code>NLST</code> commands do; there is no way for a client, in the request to list the files in a directory, to ask the server to filter the list of 
@@ -95,10 +129,10 @@ <font color=red>Question</font>: Why does <code>MLST</code> show the UIDs/GIDs for listed files, where <code>LIST</code>/<code>NLST</code> show the user/group names?<br> -<font color=blue>Answer</code>: The list of "facts" defined by RFC 3659 does +<font color=blue>Answer</font>: The list of "facts" defined by RFC 3659 does <b>not</b> include a fact for the stringified version of user/group owner names, unfortunately. This means that the <code>MLSD</code>/<code>MLST</code> -commands don't have a good way of obtaining the user/group names. +commands do not have a good way of obtaining the user/group names. <p> To work around this issue, you can add the following to your 
@@ -109,7 +143,31 @@ </IfModule> </pre> This tells <code>proftpd</code> to not advertise to the client that it can -support the <code>MLSD</code/<code>MLST</code> commands. +support the <code>MLSD</code>/<code>MLST</code> commands. The client will then +usually fall back to using the older <code>LIST</code> command, which +<i>does</i> include the file owner user/group names. + +<p><a name="FactsSymlinks"> +<font color=red>Question</font>: Why does FileZilla not display symlinks +properly, even though I have "ShowSymlinks on" in my <code>proftpd.conf</code>?<br> +<font color=blue>Answer</font>: Newer versions of FileZilla (and other +FTP clients) use the <code>MLSD</code> command for listing files, rather than +the older <code>LIST</code> command. And FileZilla and the +<code>mod_facts</code> disagree on the proper syntax for indicating when a +file is a symlink. + +<p> +To work around this issue, you can add the following to your +<code>proftpd.conf</code>: +<pre> + <IfModule mod_facts.c> + FactsOptions UseSlink + </IfModule> +</pre> +This tells the <code>mod_facts</code> module to use the improper +"OS.unix=slink:<i>path</i>" syntax for symlinks; this is the syntax preferred +by FileZilla (and perhaps other FTP clients). By default, the +<code>mod_facts</code> module uses the better "OS.unix=symlink" syntax. <p> <hr><br> @@ -119,7 +177,7 @@ <br><hr> <font size=2><b><i> -© Copyright 2007-2011 TJ Saunders<br> +© Copyright 2007-2012 TJ Saunders<br> All Rights Reserved<br> </i></b></font> |
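Review bot: the one-line change in hunk @@ -63,7 +64,7 @@ turns a complete sentence into a fragment. "Section 2.2.2 of RFC3659, which explicitly states that wildcard characters are not supported in the MLSD and MLST commands." has no main verb any more; either revert to "Section 2.2.2 of RFC3659 explicitly states that ..." or finish the sentence. The same line writes RFC3659 where the rest of this patch uses "RFC 3659".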
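Review bot: the FactsSymlinks answer in hunk @@ -109,7 +143,31 @@ gives the broken syntax as "OS.unix=slink:<i>path</i>", but the FactsOptions section added earlier in this patch gives it as "OS.unix=slink" with no path part, and both give the default as "OS.unix=symlink"; show the same form in both places so a reader comparing wire output knows what to expect. "FileZilla and the <code>mod_facts</code> disagree" is missing the word "module".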
From: TJ S. <cas...@us...> - 2012-07-31 18:13:49
|
Update of /cvsroot/pdd/www.proftpd.org In directory vz-cvs-3.sog:/tmp/cvs-serv1226 Modified Files: md5_pgp.epl index.epl Log Message: Announcing release of proftpd-1.3.4b. Index: md5_pgp.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/md5_pgp.epl,v retrieving revision 1.62 retrieving revision 1.63 diff -u -d -r1.62 -r1.63 --- md5_pgp.epl 11 Nov 2011 17:45:06 -0000 1.62 +++ md5_pgp.epl 31 Jul 2012 18:13:46 -0000 1.63 @@ -10,8 +10,7 @@ <pre> 88c0ac5a505b31b107196cf234fccced <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3g.tar.bz2">proftpd-1.3.3g.tar.bz2</a> 8d7cb79cecfd81acec755c6130a8ddd5 <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.3g.tar.gz">proftpd-1.3.3g.tar.gz</a> -4e3235dc1ef95d36e59721d70c5c489c <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.4a.tar.bz2">proftpd-1.3.4a.tar.bz2</a> -4cf3892cfeb25f50514bdda935bcf2ff <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.4a.tar.gz">proftpd-1.3.4a.tar.gz</a> +0871e0b93c9c3c88ca950b6d9a04aed2 <a href="ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.4a.tar.gz">proftpd-1.3.4b.tar.gz</a> </pre> <h2>PGP Signatures</h2> 
@@ -39,24 +38,13 @@ </pre> <pre> -<strong>proftpd-1.3.4a.tar.bz2.asc</strong> ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.9 (GNU/Linux) - -iEYEABECAAYFAk69XIsACgkQt46JP6URl2pLAgCgzD+d385MBFzJs0ymBcKFR29H -A3UAoLk/UBvGpHw0Ia1v5Sm2kYnNGEOM -=jN9k ------END PGP SIGNATURE----- -</pre> - -<pre> -<strong>proftpd-1.3.4a.tar.gz.asc</strong> +<strong>proftpd-1.3.4b.tar.gz.asc</strong> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) -iEYEABECAAYFAk69XJEACgkQt46JP6URl2qLAwCfQkBXdlCPyxguKHKo0Pgerw/7 -8+8AoI47NX5AVkAtaavJt+PQu6ur78Ch -=nm1H +iEYEABECAAYFAlAYE/wACgkQt46JP6URl2pIgQCgwqPzMUsUx++mlK/MFTzSRL1g +e1cAoNuD1fHAQ7eQppw0hSUp7vam416k +=Za9N -----END PGP SIGNATURE----- </pre> Index: index.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/index.epl,v retrieving revision 1.121 retrieving revision 1.122 diff -u -d -r1.121 -r1.122 --- index.epl 10 Feb 2012 16:00:30 -0000 1.121 +++ index.epl 31 Jul 2012 18:13:46 -0000 1.122 @@ -3,6 +3,13 @@ #include "header.epl" +<h1>1.3.4b released</h1> +[<i>31/Jul/2012</i>] +<p>The ProFTPD Project team is pleased to release 1.3.4b to the community. +This is a maintenance release, containing backported fixes for issues found +in the 1.3.4 release. The <a href="docs/RELEASE_NOTES-1.3.4b">RELEASE_NOTES</a> +and <a href="docs/NEWS-1.3.4b">NEWS</a> files contain the full details. + <h1>1.3.4a released</h1> [<i>11/Nov/2011</i>] <p>The ProFTPD Project team is ready to release 1.3.4a to the community. |
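Review bot: in the md5_pgp.epl hunk @@ -10,8 +10,7 @@ the added checksum line is labelled proftpd-1.3.4b.tar.gz but its href still points at proftpd-1.3.4a.tar.gz, so a user who follows the link fetches 1.3.4a and the digest published beside it will not verify that download; point the href at the 1.3.4b tarball. The two hunks also remove both 1.3.4a entries together with the .tar.bz2 checksum and signature and add only .tar.gz equivalents for 1.3.4b; if a .tar.bz2 is published for 1.3.4b it needs its own MD5 line and .asc block, otherwise that artifact ships with nothing to verify it against.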
From: TJ S. <cas...@us...> - 2012-07-31 18:13:48
|
Update of /cvsroot/pdd/www.proftpd.org/docs In directory vz-cvs-3.sog:/tmp/cvs-serv1226/docs Added Files: NEWS-1.3.4b RELEASE_NOTES-1.3.4b Log Message: Announcing release of proftpd-1.3.4b. --- NEW FILE: NEWS-1.3.4b --- $Id: NEWS-1.3.4b,v 1.1 2012/07/31 18:13:46 castaglia Exp $ ----------------------------------------------------------------------------- More details on the bugs listed below can be found by using the bug number indicated in the following URL: http://bugs.proftpd.org/show_bug.cgi?id=N where `N' is the bug number. ----------------------------------------------------------------------------- 1.3.4b - Released 31-Jul-2012 -------------------------------- - Bug 3713 - mod_tls cannot be compiled using Openssl 0.9.6. - Bug 3714 - ftpwho/ftptop are not showing command arguments (e.g. downloaded file name). - Bug 3715 - MLSD/MLST fail when "DirFakeUser off" or "DirFakeGroup off" used. - Bug 3717 - proftpd fails to run with "Abort trap" error message. - Bug 3719 - LIST -R can loop endlessly if bad directory symlink exists. [...2603 lines suppressed...] - sendfile() deprecates politely on Linux 2.0.x. - AuthPAMAuthoritative now defaults to False. This should clear up any confusion on using PAM with AuthUserFile and friends. - Removed Bandwidth from the documentation. - Fixed a rare segfault in mod_auth. - Logging has changed slightly to be more informative and more consistent. All messages that get logged are now preceded with <virtualhost> (remote host[remote ip]). - mod_ldap for authentication against LDAP directories is now in place. - ftpwho/ftpcount -- a grammatical error corrected, and they now build as seperate binaries. - Fixed the 'no names, just UIDs' bug. - Added genuser.pl to facilitate AuthUserFile entry creation. - Umask now takes an optional second argument, specifying a directory umask. - Work around FreeBSD's broken setpassent(), and a new option to override this in fixed versions of FreeBSD's libc (--enable-force-setpassent). 
- Generate RPMs for both inetd and standalone versions of ProFTPD. - Added AuthUsingAlias to allow for more fine-grain control of anonymous logins. - Added support for 'TYPE L 8' and 'TYPE L 7' per RFC 959. --- NEW FILE: RELEASE_NOTES-1.3.4b --- 1.3.4 Release Notes ------------------------ This file contains a description of the major changes to ProFTPD for the 1.3.4 release cycle, from the 1.3.4rc1 release to the 1.3.4 maintenance releases. More information on these changes can be found in the NEWS and ChangeLog files. 1.3.4b --------- + Fixed mod_ldap segfault on login when LDAPUsers with no filters used. + Fixed sporadic SFTP upload issues for large files. + Fixed SSH2 handling for some clients (e.g. OpenVMS). + New FactsOptions directive; see doc/modules/mod_facts.html#FactsOptions + Fixed build errors on Tru64, AIX, Cygwin. 1.3.4a --------- + Fixed mod_load/mod_wrap2 build issues. 1.3.4 --------- + New "NoEmptyFragments" TLSOption added; see the TLSOptions documentation for details. + Improved configure script for cross-compiling. + Reworked the proftpd.spec RPM file + Fixed mod_sql_mysql "Alarm clock" bug on FreeBSD. + New "IgnoreSFTPSetTimes" SFTPOption added; see the SFTPOptions documentation for details. + Fixed response pool use-after-free issue (CVE-2011-4130). 1.3.4rc3 --------- + The mod_ldap configuration directives have changed to a simplified version; please read the "Changes" section in README.LDAP for details. + Support for using RADIUS for authentication SSH2 logins, and for supporting the NAS-IPv6-Address RADIUS attribute. + Automatically disable sendfile support on AIX systems. + <Limit WRITE> now prevents renaming/moving a file out of the limited directory. + ExtendedLog entries now written for data transfers which time out. 1.3.4rc2 --------- + Display messages work properly again. + Fixes plaintext command injection vulnerability in FTPS implementation (i.e. mod_tls). See http://bugs.proftpd.org/show_bug.cgi?id=3624 for details. 
+ Fixes CVE-2011-1137 (badly formed SSH messages cause DoS). See http://bugs.proftpd.org/show_bug.cgi?id=3586 for details. + Performance improvements, especially during server startup/restarts. + New --enable-memcache configure option ProFTPD now provides an API for modules for using memcached servers for caching information among different proftpd server and/or across sessions. For more information, see the mod_memcache documentation in doc/modules/mod_memcache.html. + New --enable-pcre configure option The C library support for POSIX regular expressions is vulnerable to some pathological regex patterns; the glibc library in particular can be made to burn CPU with such patterns. Sites which wish to avoid such buggy C library implementations can instead use PCRE for regular expression support in ProFTPD, by using the --enable-pcre configure option. + New modules mod_tls_memcache The mod_tls_memcache module uses the new mod_memcache/memcached support in ProFTPD to use memcached servers for caching SSL session information. This can be useful, especially when clusters of proftpd servers are in used, or for preserving SSL session caches across proftpd restarts. See doc/contrib/mod_tls_memcache.html for more details on this module. + New configuration directives: MaxCommandRate Some clients send FTP commands too quickly. The new MaxCommandRate directive is used to detect and to throttle such malicious clients; it also generates an event that can be used by the mod_ban module for banning these clients. See doc/modules/mod_core.html#MaxCommandRate. ProcessTitles By default, proftpd changes the process title for session processes to include the authenticated user name and the FTP command being handled, including the paths to files being downloaded. The new ProcessTitles directive can be used to modify proftpd's behavior with regard to this session process title changing. See doc/modules/mod_core.html#ProcessTitles for more info. 
SQLNamedConnectInfo Some sites wish to have mod_sql connections to multiple different databases simultaneously, e.g. one connection for retrieving user data and a separate connection for logging. To support such sites, the new SQLNamedConnectInfo directive can be used to create "named connection". These "named connections" can then be used in a SQLNamedQuery, i.e. you can specify the named connection that a SQLNamedQuery is to use when it is expected. More information can found at doc/contrib/mod_sql.html#SQLNamedConnectInfo. TraceOptions The TraceLog can provide very detailed information, especially when diagnosing an issue. To aid in such diagnoses, the new TraceOptions directive can be used to add more information to the TraceLog, such as client/server IP addresses (if available), and timestamps with millisecond granularity. The documentation at doc/modules/mod_core.html#TraceOptions has the details. + The following utilities are now installed under $prefix/bin/ by the 'make install' target: ftpasswd, ftpmail, ftpquota + Changed configuration directives: BanOnEvent The mod_ban module's BanOnEvent directive now supports a few more events, namely 'MaxCommandRate' and 'UnhandledCommand'. These events can be used to ban clients which send commands too quickly, or which send too many unhandled/unknown commands. ExtendedLog For some LogFormat variables (e.g. %E, %I, %O) it is useful to log them when then session exits. The mod_sql module has had the ability to log at session exit for quite some time. The ExtendedLog directive can how log at session exit as well, using the new "EXIT" command class. LogFormat The LogFormat directive now supports a couple of new variables: %E variable, for end-of-session reason %H variable, for IP address of server handling session These are listed in the LogFormat docs; see doc/modules/mod_log.html#LogFormat. 
PathAllowFilter, PathDenyFilter The PathAllowFilter and PathDenyFilter directives now support an optional flags parameter, which can be used to specify e.g. case-insensitive evaluation of the configured regular expression. For example: PathDenyFilter .jpg$ [NC] See doc/modules/mod_core.html#PathAllowFilter for more details. SFTPOptions The mod_sftp module's SFTPOptions directive supports a new 'IgnoreSFTPSetPerms' option. This option is similar to the existing 'IgnoreSFTPUploadPerms'; it causes mod_sftp to silently ignore the SFTP client's attempts to change file permissions. See doc/contrib/mod_sftp.html#SFTPOptions. SFTPPAMOptions The SFTPPAMOptions directive for the mod_sftp_pam module now supports a 'NoInfoMsgs' option, which disables the sending of informational messages from the PAM library to the connecting SSH client. This option can be used to make mod_sftp_pam behavior like OpenSSH with regard to PAM support. SQLNamedQuery The SQLNamedQuery directive now supports an optional "named connection" name, for supporting multiple database connections. See the doc/contrib/mod_sql.html#SQLNamedConnectInfo docs for more information. TLSSessionCache The TLSSessionCache directive from the mod_tls module can now be used to explicitly configure the session cache timeout when OpenSSL's internal session caching mechanism (used by default) is being used. See doc/contrib/mod_tls.html#TLSSessionCache for details. Trace The Trace directive can now to be used to specify a range of trace channel log levels, rather than simply specifying the maximum log level for a channel. For example, to see only messages from log levels 5 to 8, you would do: Trace DEFAULT:5-8 This is documented in the Trace directive documentation, at doc/modules/mod_core.html#Trace. 
+ New documentation: doc/howto/ConnectionACLs.html doc/utils/ftpasswd.html doc/utils/ftpcount.html doc/utils/ftpdctl.html doc/utils/ftpquota.html doc/utils/ftpscrub.html doc/utils/ftptop.html doc/utils/ftpwho.html + Developer/API Changes The following functions have been removed, as they are not used anywhere and should not be being used: pr_response_send_ml() pr_response_send_ml_start() pr_response_send_ml_end() The following function has been renamed/moved: end_login() is now pr_session_end() A related new function, pr_session_disconnect() is added. This new function allows the caller to specify a reason code indicating why the session is ending, as well as support for an optional string for more details about the reason for ending the session. 1.3.4rc1 --------- + Fixed Telnet IAC stack overflow vulnerability (ZDI-CAN-925) + Fixed directory traversal bug in mod_site_misc (CVE-2010-3867) + Fixed sql_prepare_where() buffer overflow (Bug#3536) + Added Japanese translation + Many mod_sftp bugfixes + Fixed SSL_shutdown() errors caused by OpenSSL 0.9.8m and later + Fixed handling of utmp/utmpx format changes on FreeBSD + Automatic detection of MySQL, Postgres library and header file locations + Added support for SMTP authentication in ftpmail script + Updated fnmatch implementation, using glibc-2.9 version. + Overhauled mod_ldap configuration directives, making mod_ldap easier to configure. Previous configurations must be updated. See README.LDAP for details. + New modules: mod_copy This module provides the SITE CPFR and SITE CPTO commands, for allowing a client to copy files from one location to another on the server, without requiring downloads/uploads. See doc/contrib/mod_copy.html for details. mod_deflate This module provides support for MODE Z, which uses compression to reduce the number of bytes required for data transfers and directory lists. See doc/contrib/mod_deflate.html for more information. 
Depending on the data being transferred, clients can see quite a difference in the speed; see: http://www.smartftp.com/support/kb/file.php?f=192 for some performance numbers. mod_ifversion This module allows for version-specific configuration sections of the proftpd config file. It is useful for using the same proftpd config across multiple servers where different proftpd versions may be in use. See doc/contrib/mod_ifversion.html for examples. mod_qos This module allows administrators to set networking-specific "Quality of Service" (QoS) bits on the packets used by the server. More information can be found in doc/contrib/mod_qos.html + New configuration directives: Protocols This directive can be used to specify which protocols can be used by a connecting client. It is designed to work with mod_ifsession, so that it can be set on a per-user/group/class basis. See doc/modules/mod_core.html#Protocols for details. ScoreboardMutex This directive is used to explicitly configure the patch to a "mutex" file used for scoreboard locking; this file is used to increase proftpd's performance under load. See: http://bugs.proftpd.org/show_bug.cgi?id=3208 for more information. SFTPClientAlive This directive is used to enable a protocol-level "keep alive" check for mod_sftp SSH connections. More details can be found in doc/contrib/mod_sftp.html#SFTPClientAlive. WrapOptions The mod_wrap2 module has additional behaviors such as checking the allow/deny rules at client connect time (versus after login), and checking the allow/deny rules using all of a client's DNS names. The WrapOptions directive is used to configure these behaviors; see doc/contrib/mod_wrap2.html#WrapOptions for more information. + Changed configuration directives: BanOnEvent The BanOnEvent directive of the mod_ban module now supports LoginRate events; see doc/contrib/mod_ban.html#BanOnEvent. This lets mod_ban reject clients which are logging in too quickly. 
ListOptions The mod_ls module now supports the -c and -u options for the LIST command. The ListOptions directive handles these options as well. See the ls(1) man page for more details on these options. In addition, the NoErrorIfAbsent ListOption can be used to configure whether mod_ls returns a 226 response code, rather than the default 450 response code, for a LIST/NLST command for a path which does not exist. Some clients are sensitive to this use case. LogFormat The LogFormat directive now supports two additional variables: %I for logging the total number of bytes read from the network, and %O for logging the total number of bytes written to the network. Note that these values do NOT include any bytes for the TCP packet overhead. The mod_sql module's SQLLog directive also supports these variables. These variables can be used to get a better idea of network traffic per session/client, as well as for comparing the relative network traffic of e.g. FTPS versus SFTP. SFTPOptions The mod_sftp module did not interoperate well with old ssh.com or with Tectia SSH clients. Support for these clients was added to mod_sftp via the OldProtocolCompat SFTPOption (Bug#3480). See doc/contrib/mod_sftp.html#SFTPOptions for more information. TLSOptions When verifying a client's certificate, the mod_tls module could be configured to check the iPAddress and/or dNSName portions of the SubjectAltName section of the client certificate, via the TLSOptions directive. A new CommonNamedRequired TLSOptions is now supported, which tells mod_tls to check the CommonName (CN) section of the client certificate. See doc/contrib/mod_tls.html#TLSOptions for details. UseSendfile The UseSendfile directive can now be used in <Directory> sections and .ftpaccess files. This means that sendfile(2) support can be disabled on filesystems which do not support it, while still be used on other parts of the filesystem which can support it. 
The UseSendfile directive can now also configure how many bytes of a file to send via sendfile(2) at a time; this can be either in number of bytes, or in percentage of the file size. The advantage of this is that now the ScoreboardFile (and ftptop/ftpwho) can show download progress rates when UseSendfile is enabled. See doc/howto/Sendfile.html for the full details. + Deprecated configuration directives: DisplayGoAway Support for this directive has been removed. Last Updated: $Date: 2012/07/31 18:13:46 $ |
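Review bot: in RELEASE_NOTES-1.3.4b the security fixes are not traceable in a uniform way. The two 1.3.4rc2 entries give a bugs.proftpd.org URL, but "Fixed response pool use-after-free issue (CVE-2011-4130)" under 1.3.4 and the Telnet IAC and mod_site_misc fixes under 1.3.4rc1 cite only CVE-2011-4130, ZDI-CAN-925 and CVE-2010-3867. Suggest adding the bug number to each of these, in the show_bug.cgi?id=N form the NEWS header documents, so an administrator triaging the upgrade can get from the note to the fix. The same file has three wording slips to correct before it is published: "configure the patch to a "mutex" file" under ScoreboardMutex should read "path", "can how log at session exit" under ExtendedLog should read "can now log", and "are in used" under mod_tls_memcache should read "are in use".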
From: John M. <jw...@us...> - 2012-07-02 20:25:22
Update of /cvsroot/pdd/www.proftpd.org In directory vz-cvs-3.sog:/tmp/cvs-serv30321 Modified Files: cvs.epl Log Message: link directly to the sourceforge webcvs Index: cvs.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/cvs.epl,v retrieving revision 1.15 retrieving revision 1.16 diff -u -d -r1.15 -r1.16 --- cvs.epl 2 Jul 2012 19:56:15 -0000 1.15 +++ cvs.epl 2 Jul 2012 20:25:20 -0000 1.16 @@ -27,8 +27,8 @@ the tree is <code>proftpd</code>.</li> <li>The documentation directory is <code>/cvsroot/pdd</code> and the trees are <code>FAQ</code> and <code>Userguide</code>.</li> - <li>A <a href="http://sourceforge.net/cvs/?group_id=17793">web-based CVS - viewer</a> is also available.</li> + <li>A <a href="http://proftp.cvs.sourceforge.net/viewvc/proftp/">web-based + CVS viewer</a> is also available.</li> </ul> <h2>Detailed Instructions</h2> |
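Review bot: the new href in the last list item is scoped to the proftp path (viewvc/proftp/), while the item directly above it tells readers that the documentation lives under /cvsroot/pdd in the FAQ and Userguide trees. Say in the link text which tree the viewer covers, or add a matching link for the documentation tree, so that a reader looking for the docs is not sent to a viewer that only shows the server source.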
From: John M. <jw...@us...> - 2012-07-02 20:18:53
Update of /cvsroot/pdd/www.proftpd.org/include In directory vz-cvs-3.sog:/tmp/cvs-serv30069/include Modified Files: header.epl Log Message: bump copyright year Index: header.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/include/header.epl,v retrieving revision 1.53 retrieving revision 1.54 diff -u -d -r1.53 -r1.54 --- header.epl 2 Jul 2012 20:14:47 -0000 1.53 +++ header.epl 2 Jul 2012 20:18:51 -0000 1.54 @@ -80,7 +80,7 @@ <a href="http://sourceforge.net/projects/proftp"> <img src="http://sflogo.sourceforge.net/sflogo.php?group_id=17793&type=10" width="80" height="15" border="0" alt="Get ProFTPD Server Software at SourceForge.net. Fast, secure and Free Open Source software downloads" /> </a> - <p>Copyright © 1999 - 2011, The ProFTPD Project.</p> + <p>Copyright © 1999 - 2012, The ProFTPD Project.</p> </div> </div> |
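Review bot: the copyright line in header.epl hard-codes the end year, which is why the footer still read 2011 until this manual bump in July 2012. Since header.epl is an included template, consider emitting the current year at that spot so the line cannot go stale again.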
From: John M. <jw...@us...> - 2012-07-02 20:14:50
Update of /cvsroot/pdd/www.proftpd.org/include In directory vz-cvs-3.sog:/tmp/cvs-serv29921/include Modified Files: header.epl Log Message: remove 'mirror' wording Index: header.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/include/header.epl,v retrieving revision 1.52 retrieving revision 1.53 diff -u -d -r1.52 -r1.53 --- header.epl 2 Jul 2012 19:56:16 -0000 1.52 +++ header.epl 2 Jul 2012 20:14:47 -0000 1.53 @@ -28,7 +28,7 @@ </div> Release Candidate: <strong>None</strong> - <h1>Mirrors and Downloads</h1> + <h1>Downloads</h1> <ul> <li><a href="/pgp.html">PGP public keys</a></li> <li><a href="/md5_pgp.html">MD5 & PGP signatures</a></li> |
From: John M. <jw...@us...> - 2012-07-02 19:56:18
Update of /cvsroot/pdd/www.proftpd.org In directory vz-cvs-3.sog:/tmp/cvs-serv25717 Modified Files: cvs.epl list-unsub.epl lists.epl Removed Files: download.epl howtomirror.epl wwwmirror.epl Log Message: decommission the mirror network --- download.epl DELETED --- Index: cvs.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/cvs.epl,v retrieving revision 1.14 retrieving revision 1.15 diff -u -d -r1.14 -r1.15 --- cvs.epl 31 May 2012 17:02:06 -0000 1.14 +++ cvs.epl 2 Jul 2012 19:56:15 -0000 1.15 @@ -13,9 +13,9 @@ distribution tarballs or packages are used unless you really know what you're doing.</p> -<p>There are no mirror sites for the CVS server. Nightly tarballs of the -latest source from CVS are available from <a href="download.html">the FTP -sites</a> in the <code>devel/source/</code> directory.</p> +<p>Nightly tarballs of the latest source from CVS are available from <a +href="download.html">the FTP sites</a> in the <code>devel/source</code> +directory.</p> <h2>Quick Instructions</h2> --- wwwmirror.epl DELETED --- Index: list-unsub.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/list-unsub.epl,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- list-unsub.epl 12 Jun 2005 16:03:39 -0000 1.4 +++ list-unsub.epl 2 Jul 2012 19:56:16 -0000 1.5 
@@ -29,8 +29,6 @@ <a href="https://lists.sourceforge.net/lists/listinfo/proftp-devel">https://lists.sourceforge.net/lists/listinfo/proftp-devel</a> <li>proftpd-committers: <a href="https://lists.sourceforge.net/lists/listinfo/proftp-committers">https://lists.sourceforge.net/lists/listinfo/proftp-committers</a> - <li>proftpd-mirrors: - <a href="https://lists.sourceforge.net/lists/listinfo/proftp-mirrors">https://lists.sourceforge.net/lists/listinfo/proftp-mirrors</a> </ul> <p>Enter your subscribed e-mail address into the textfield at the bottom of --- howtomirror.epl DELETED --- Index: lists.epl =================================================================== RCS file: /cvsroot/pdd/www.proftpd.org/lists.epl,v retrieving revision 1.16 retrieving revision 1.17 diff -u -d -r1.16 -r1.17 --- lists.epl 12 Jun 2005 15:48:49 -0000 1.16 +++ lists.epl 2 Jul 2012 19:56:16 -0000 1.17 @@ -62,12 +62,4 @@ <p>Subscribe via <a href="mailto:pro...@pr...?subject=subscribe">e-mail</a> or visit the <a href="https://lists.sourceforge.net/lists/listinfo/proftp-committers">web interface</a>.</p> - -<h2>Mirror Admins</h2> -<p>This list is intended for administrators mirroring or interested in -mirroring the ProFTPD FTP and web site.</p> - -<p>Subscribe via <a href="mailto:pro...@pr...?subject=subscribe">e-mail</a> or -visit the <a href="https://lists.sourceforge.net/lists/listinfo/proftp-mirrors">web interface</a>.</p> - #include "footer.epl" |
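Review bot: this commit deletes download.epl, yet the rewritten paragraph in cvs.epl still links to the page presumably generated from it: href="download.html">the FTP sites</a>. Point that link at whatever page now carries the downloads, or drop it, and since the mirror network is being decommissioned, check whether "the FTP sites" should become singular. Before removing download.epl, howtomirror.epl and wwwmirror.epl it is also worth searching the rest of the site tree for links to the three generated pages, because only cvs.epl, list-unsub.epl and lists.epl are touched here.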
From: John M. <jw...@us...> - 2012-06-26 20:21:50
Update of /cvsroot/pdd/Userguide/directives/sgml In directory vz-cvs-3.sog:/tmp/cvs-serv15716 Modified Files: LDAPDoQuotaLookups Log Message: QuotaDefault is the Way of the Future Index: LDAPDoQuotaLookups =================================================================== RCS file: /cvsroot/pdd/Userguide/directives/sgml/LDAPDoQuotaLookups,v retrieving revision 1.9 retrieving revision 1.10 diff -u -d -r1.9 -r1.10 --- LDAPDoQuotaLookups 26 Jun 2012 19:45:09 -0000 1.9 +++ LDAPDoQuotaLookups 26 Jun 2012 20:21:47 -0000 1.10 @@ -93,7 +93,9 @@ <para>The optional <option>default-quota<option> argument specifies the quota limits to use if an entry does not have a ftpQuota attribute, and has the same format as the ftpQuota LDAP attribute. - For example, "false,hard,100,100,100,100,100,100".</para> + For example, "false,hard,100,100,100,100,100,100". This argument is + deprecated as of ProFTPD 1.3.4b; use the <link linked="QuotaDefault> + QuotaDefault directive</link> instead.</para> </refsect1> <refsect1> |
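Review bot: the added cross-reference is malformed: <link linked="QuotaDefault> uses the attribute name "linked" where the other links in these directive files use "linkend" (for example <link linkend="LDAPAttr">), and the attribute value has no closing quote, so the reference will not resolve and the paragraph may not parse. It should read <link linkend="QuotaDefault">QuotaDefault directive</link>. While on this paragraph, the context line <option>default-quota<option> closes with a second opening tag rather than </option> and should be fixed in the same commit.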
From: John M. <jw...@us...> - 2012-06-26 19:45:12
Update of /cvsroot/pdd/Userguide/directives/sgml In directory vz-cvs-3.sog:/tmp/cvs-serv11534 Modified Files: LDAPDoQuotaLookups Log Message: better wording, mention base DN interpolation in mod_ldap 2.9.3+ Index: LDAPDoQuotaLookups =================================================================== RCS file: /cvsroot/pdd/Userguide/directives/sgml/LDAPDoQuotaLookups,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- LDAPDoQuotaLookups 15 Oct 2010 18:20:38 -0000 1.8 +++ LDAPDoQuotaLookups 26 Jun 2012 19:45:09 -0000 1.9 
@@ -76,22 +76,24 @@ <refsect1> <title>Description</title> - <para>This configuration directive activates LDAP quota lookups. - The second argument to this directive is the LDAP base DN to use for - quota limit search. The third argument is a template to be used for - the search filter; %v will be replaced with the username that is - being authenticated. By default, the search filter template - "(&(LDAPAttr_uid=%v)(objectclass=posixAccount))" is used. - - The uid for the the search filter is taken from the - <link linkend="LDAPAttr">LDAPAttr</link> directive - Search filter - templates are only supported in mod_ldap v2.7 and later.</para> + <para>Activates LDAP quota lookups. The second argument is the LDAP + base DN to use for quota limit searches. The third argument is the + search filter template. The default search filter template is + "(&(LDAPAttr_uid=%u)(objectclass=posixAccount))". The attribute + name used in the default search filter template is taken from the + <link linkend="LDAPAttr">LDAPAttr</link> directive, so if you re-map + an attribute, the default search filter reflects that + re-mapping.</para> - <para>If specified, the <option>default-quota<option> argument - specifies the quota limits to use if a user does not have a ftpQuota - attribute. This argument is formatted the same way as the ftpQuota - LDAP attribute.</para> + <para>In mod_ldap v2.7 or later, %u in the search filter template + will be replaced with the username, group, or class that is being + looked up. mod_ldap v2.9.3 or later will also expand %u in the + base DN.</para> + + <para>The optional <option>default-quota<option> argument specifies + the quota limits to use if an entry does not have a ftpQuota + attribute, and has the same format as the ftpQuota LDAP attribute. + For example, "false,hard,100,100,100,100,100,100".</para> </refsect1> <refsect1> |
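Review bot: the rewritten description changes the placeholder from %v to %u, both in the default filter ("(LDAPAttr_uid=%v)" becomes "(LDAPAttr_uid=%u)") and in the sentence about substitution, but the log message only mentions wording and base DN interpolation. If %v was a documentation error, say so in the log message; if both are accepted, state that, because administrators with an existing custom filter written against the old text need to know whether it still expands. Separately, the new paragraph keeps <option>default-quota<option>, where the second tag should be </option>.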
From: John M. <jw...@us...> - 2012-06-26 19:22:31
Update of /cvsroot/pdd/Userguide/directives/sgml In directory vz-cvs-3.sog:/tmp/cvs-serv9985 Modified Files: LDAPUsers LDAPGroups Log Message: better wording, mention that default filters honor LDAPAttr mappings Index: LDAPGroups =================================================================== RCS file: /cvsroot/pdd/Userguide/directives/sgml/LDAPGroups,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- LDAPGroups 15 Oct 2010 18:20:38 -0000 1.1 +++ LDAPGroups 26 Jun 2012 19:22:29 -0000 1.2 @@ -77,13 +77,12 @@ <para>Activates LDAP group membership lookups and GID to name mappings in directory listings.</para> - <para>The first argument to this directive is the LDAP base DN to - use for group lookups. The second through fourth arguments are - templates to be used for the search filter; %u will be replaced with - the group name, GID number, or group member username that is being - looked up, respectively.</para> + <para>The first argument is the LDAP base DN to use for group + lookups. The second through fourth arguments are search filter + templates; %u will be replaced with the group name, GID number, or + group member username that is being looked up, respectively.</para> - <para>By default, the search filter templates look like this:</para> + <para>The default search filter templates are:</para> <para> group-name-filter-template: "(&(LDAPAttr_cn=%u)(objectclass=posixGroup))", gid-number-filter-template: "(&(LDAPAttr_gidNumber=%u)(objectclass=posixGroup))", 
@@ -92,7 +91,8 @@ <para>The attribute names used in the default search filters are taken from the <link linkend="LDAPAttr">LDAPAttr</link> - directive.</para> + directive, so if you re-map an attribute, the default search filter + reflects that re-mapping.</para> </refsect1> <refsect1> Index: LDAPUsers =================================================================== RCS file: /cvsroot/pdd/Userguide/directives/sgml/LDAPUsers,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- LDAPUsers 26 Jun 2012 19:19:18 -0000 1.2 +++ LDAPUsers 26 Jun 2012 19:22:29 -0000 1.3 @@ -77,15 +77,15 @@ useful in "virtual user" environments, since mod_ldap won't be able to look up other users.</para> - <para>The second argument is a template to be used for the search - filter when looking up users by username; %u will be replaced with - the username that is being authenticated.</para> + <para>The second argument is the search filter template for looking + up users by username; %u will be replaced with the username that is + being authenticated.</para> - <para>The third argument is a template to be used for the search - filter when looking up users by UID number; %u will be replaced with - the UID number that is being looked up.</para> + <para>The third argument is the search filter template for looking + up users by UID number; %u will be replaced with the UID number that + is being looked up.</para> - <para>By default, the search filter templates look like this:</para> + <para>The default search filter templates are:</para> <para> username-filter-template: "(&(LDAPAttr_uid=%u)(objectclass=posixAccount))", uid-number-filter-template: "(&(LDAPAttr_uidNumber=%u)(objectclass=posixAccount))", 
@@ -93,7 +93,8 @@ <para>The attribute names used in the default search filters are taken from the <link linkend="LDAPAttr">LDAPAttr</link> - directive.</para> + directive, so if you re-map an attribute, the default search filter + reflects that re-mapping.</para> </refsect1> <refsect1> |
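Review bot: the reworded LDAPUsers and LDAPGroups paragraphs state that %u "will be replaced with the username that is being authenticated" (or the group name, GID number or member username), but nothing says whether mod_ldap escapes LDAP filter metacharacters in that client-supplied value before substituting it into the template. Administrators write their own filter templates from this text, so add a sentence documenting how the substituted value is escaped, next to the new sentence about LDAPAttr re-mapping, so they can judge whether a custom template is safe against filter injection.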