libwrap (TCP Wrappers) wu-ftpd patch
	
  Price:  $0 (GPL License) THIS SOFTWARE HAS NO WARRANTY. 
  USE AT YOUR OWN RISK.
	
  Current Version:  0.9
  Date Modified:  July 5, 2000 
	
		
			Overview
	
   
	This is a patch to the Un*x wu-ftpd FTP server (available here) 
	to support the use of libwrap (TCP Wrappers) when the server is run in standalone daemon 
	mode via the -S switch.
  This gives you the ability to control access in the same /etc/hosts.deny 
	or /etc/hosts.allow files you use when running wu-ftpd (or any other service) 
	from inetd. With this patch you may deny access to hosts, and the connection 
	is dropped right after the connection is made (with the accept() call). The 
	check is performed in the child process so the main server process is not 
	slowed down.
  There is also an initscript provided for starting and stopping the ftp server 
	in standalone mode. 
     
  
	
		
			Details
	
 
  TCP Wrappers (or libwrap) provide a way to control access to services on 
	a host. Traditional TCP Wrappers are called from inetd and used to protect 
	services started from inetd. When the wu-ftpd is run from inetd you do not 
	need this patch. This patch is for use when you run the wu-ftpd in standalone 
	daemon mode. You use this mode primarily for speed (as all that is required 
	is a fork instead of an exec), though some people choose not to run inetd 
	at all, in which case running the server standalone is the only way to go.
   
  What you need:
  - The wu-ftpd version 2.6.1 (older versions have serious security holes) server 
	available here: http://www.wuftpd.org/
 
  - A suitable TCP Wrapper library (libwrap) installed where your compiler can 
	find it (like in /usr/lib)
 
  - The patch (below)
 
  - Correctly configured /etc/hosts.allow and /etc/hosts.deny files (see the 
	man pages). Note that the service name for the wrapped wu-ftpd server is "ftpd" 
	(NOT "in.ftpd"). 
 
  - Nice to have the ftpd standalone initscript if you use initscripts (like 
	RedHat in /etc/rc.d/init.d). (Get this below.)
 
 
   
  How to use the patch:
  - Expand a clean copy of wu-ftpd 2.6.1
 
  - cd to the directory that contains the newly expanded wu-ftpd-2.6.1 
	directory
 
  - Copy the patch file into the current directory
 
  - Apply the patch with "patch -p0 < wrapped_ftp_patch"
 
  - Then cd into the wu-ftpd-2.6.1 dir and proceed as usual (./configure; make; 
	etc...) Note: You must use ./configure (autoconf) and not the old ./build 
	method
 
  - You may want to run make install to put things in place, but remember that 
	this setup is for running the server in standalone daemon mode, not from inetd.
 
  - Make sure you do NOT have a line in /etc/inetd.conf for ftp (and kill -HUP 
	inetd if required)
 
  - If you use initscripts (like RedHat) install the initscript in /etc/rc.d/init.d 
	(or equivalent). Then make symlinks into rc3.d or rc5.d as usual (see your 
	docs). 
 
  - If you do not use initscripts you might want to configure /etc/rc.local 
	to start the daemon at boot as it will have to be started manually on reboot 
	otherwise. 
 
  - Start the server with the -S option (I like to use "/path/to/ftpd -ll 
	-a -S" personally) or use the provided initscript, which assumes the daemon 
	is in /usr/sbin/ftpd (note there is not an "in." in front of ftpd). 
	You may need to configure the initscript to match your daemon location 
	and option preferences. 
 
  - Test out your new setup. Try it from a host that is allowed and from a host 
	that is denied. 
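
  Two pitfalls from the steps above can be checked before starting the daemon: a leftover ftp line in /etc/inetd.conf, and wrapper rules written for "in.ftpd" instead of "ftpd". The shell functions below are an added example, not part of the original patch or initscript; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Pre-flight checks before starting the libwrap-patched wu-ftpd with -S.
# Usage: preflight /etc/inetd.conf /etc/hosts.allow /etc/hosts.deny

# Succeeds if FILE ($1) still has an uncommented ftp service line.
inetd_has_ftp() {
    grep -Eq '^[[:space:]]*ftp[[:space:]]' "$1"
}

# Succeeds if a rule in FILE ($1) lists DAEMON ($2) or the ALL wildcard.
# Rule format is "daemon_list : client_list"; backslash continuations
# and daemon@host patterns are not handled.
names_daemon() {
    awk -F: -v d="$2" '
        /^[ \t]*(#|$)/ { next }
        { n = split($1, list, /[ \t,]+/)
          for (i = 1; i <= n; i++)
              if (list[i] == d || list[i] == "ALL") found = 1 }
        END { exit !found }' "$1"
}

# Prints one warning per problem and returns the number of problems.
preflight() {
    problems=0
    if inetd_has_ftp "$1"; then
        echo "WARN: $1 has an active ftp line; remove it and kill -HUP inetd"
        problems=$((problems + 1))
    fi
    for f in "$2" "$3"; do
        if names_daemon "$f" in.ftpd && ! names_daemon "$f" ftpd; then
            echo "WARN: $f names in.ftpd but not ftpd; the standalone daemon checks as ftpd"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample files: a leftover inetd-era setup next to a corrected one.
make_samples() {
    mkdir -p "$1/old" "$1/new"
    echo 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a' > "$1/old/inetd.conf"
    echo 'in.ftpd: ALL' > "$1/old/hosts.deny"
    echo '#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a' > "$1/new/inetd.conf"
    echo 'ftpd: ALL' > "$1/new/hosts.deny"
    echo 'ftpd: 192.0.2.' > "$1/old/hosts.allow"
    cp "$1/old/hosts.allow" "$1/new/hosts.allow"
}
```

  A return status of 0 from preflight means neither problem was found; it does not replace the allowed-host and denied-host connection test in the last step.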
	
 
	Important Notes:
   
  - USE AT YOUR OWN RISK. THERE IS NO WARRANTY OF ANY KIND.
 
  - You most likely need version 2.6.1 of the wu-ftpd. Anything older offers 
	remote root so it would be a good idea to upgrade anyway!
 
  - The service name for use in /etc/hosts.deny/allow is "ftpd". Thus, 
	for example, to deny everyone you would put "ftpd:ALL" in /etc/hosts.deny
 
  - You probably need to use ./configure when building (instead of the old style 
	./build XXX). Otherwise you will have to edit the Makefile yourself to include libwrap 
	for ftpd.
 
  - This was tested under linux intel RH6, linux ppc Q3, and NetBSD 1.3/1.4
 
  - Problems? Suggestions? E-mail me here 
	Complaints? mail to /dev/null ;-) (Or send them to that address...)
 
 
   
	
	
	
	
  
    
    
    Download 
  
	  
	
  
  - wrapped_ftpd_patch (USA-Local Server) (1K) - GZIPed patch file
 
  - ftpd_initscript (USA-Local Server) (1K) - GZIPed initscript file (Goes in /etc/rc.d/init.d 
	or equivalent. May need tweaking.)
	  
	 
  
  
  
	  
  
   Revision History 
  
  
    
	   v0.9 
	
  
  
  

  
   Webmaster (webmaster@laffeycomputer.com)