FreeBSD学习笔记14-pureftpd的README英文文档(2)
continue ......
------------------------ SETTING UP AN ANONYMOUS FTP ------------------------
If a 'ftp' user exists and its home directory is reachable, Pure-FTPd will
accept anonymous login, as 'ftp' or 'anonymous'. Files have to be located in
the home FTP directory. There's no need for 'bin', 'lib', 'etc' and 'dev'
directories, nor any external program. Don't chown the public files to
'ftp', just writable directories ('incoming') .
------------------------ DISPLAYING BANNERS ------------------------
If a '.banner' file is located in the 'ftp' user home directory (or in the
root directory of a virtual server, see below), it will be printed when the
client logs in. Put a nice ASCII-art logo with your name in that file.
This file shouldn't be larger than 4000 bytes, or it won't be displayed.
In each directory, you may also have a '.message' file. Its content will be
printed when a client enters the directory. Such a file can contain important
information ("Don't download version 1.7, it's broken!") .
------------------------ DISPLAYING A COOKIE ------------------------
A funny random message can be displayed in the initial login banner. The
random cookies are extracted from a text file, in the standard "fortune"
format. If you installed the "fortune" package, you should have a directory
(usually /usr/share/fortune) with binary files (xxxx.dat) and text files
(without the .dat extension) . To use Pure-FTPd cookies, just add the name
of a text file to the '-F' option. For instance:
/usr/local/sbin/pure-ftpd -F /usr/share/fortune/zippy
If you want to have your own fortune files, just create a text file with the
following structure.
Hello... this is the first fortune...
%
Welcome to the real world.
%
Follow the white rabbit.
%
Have fun...
Well... lotsa fun!
%
Yop is good for you.
Goddit? Fortunes are delimited by a '%' sign on a single line. But a
fortune itself can be multi-line (see the fourth example) .
For security paranoia, the text file has to be readable by everybody (chmod
644 the file if necessary), or the server will ignore it.
Of course, the fortune file can contain a single message.
------------------------ PER-USER CHROOT() RULES ------------------------
Apart from the "-a" flag, Pure-FTPd has another way to fine-tune chroot()
rules. Let's take an /etc/passwd entry:
mimi:x:501:100:Mimi:/home/mimi:/bin/zsh
Without any special rule, mimi will be able to log in and to retrieve any
public-readable file in the filesystem. Now, let's change a bit of its home
directory:
mimi:x:501:100:Mimi:/home/mimi/./:/bin/zsh
So what? Mimi's home directory is still the same and common applications
shouldn't notice any difference. But Pure-FTPd understands "chroot() until
/./". So when mimi next carries out a FTP log in, only the /home/mimi
directory will be reachable, not the whole filesystem. If you don't like the
"-a" and its trusted gid thing, this is a good way to only chroot() some
users. Another trick is to add something after "/./":
mimi:x:501:100:Mimi:/home/mimi/./public_html:/bin/zsh
When Mimi will log in, two things will happen:
- chroot("/home/mimi") so that Mimi can't see anything but her home directory.
- chdir("public_html") so the session will start in the public_html
directory. "cd .." is still allowed, though.
That "url-style" handling is especially handy for FTP-only users (ie.
without shell access) .
If a user is chrooted with the /./ trick *and* belongs to the trusted group
(-a) he *will* be chrooted, but he will have no ratio and will be allowed to
access dot files.
------------------------ RATIOS ------------------------
If you want to force people to upload new files before being able to
download other files, ratios are for you. It's a very good way to get lotsa
fresh stuff on a public FTP server and a must for warez traders. I don't
like that kind of business, but well... Pure-FTPd has to be designed to
please everybody.
To enable ratios, just use the '-q' option, followed by the upload:download
ratio:
-q 2:5
...means that an anonymous user has to upload at least 2 Mb of goodies to be
able to download 5 Mb.
If ratios should apply to everyone (anon and non-anon), use the '-Q' option
the same way.
Note: 'root' never has ratios. Neither have users of the trusted group when
'-Q' in used with the '-a' or '-A' option.
------------------------ BANDWIDTH THROTTLING ------------------------
Pure-FTPd has an interesting built-in feature: simple bandwidth throttling.
* You want to limit FTP throughput so that uploading and downloading files
through that protocol can't fill up your network bandwidth.
-> Compile Pure-FTPd with --with-throttling
-> Run it with the '-T' flag, followed by a number. That number is the
maximum bandwidth a user can use in a session, in kilobytes/seconds.
* You want to allow less bandwidth to your anonymous users than your
authenticated ones. So that during a bandwidth starvation, real users can
still upload/download properly.
-> Compile Pure-FTPd with --with-throttling
-> Run it with the '-t' flag, followed by a number.
Example:
/usr/local/sbin/pure-ftpd -t 64
And uploading/downloading files can't take more than 64 KB/sec whatever real
bandwidth you have.
* It is possible to have different bandwidth limits for uploads and for
downloads. '-t' and '-T' can indeed be followed by two numbers delimited by
a column (':') . The first number is the upload bandwidth and the next one
applies only to downloads. One of them can be left blank which means infinity.
Example 1: 256 KB/s for uploads, 64 KB/s for downloads
/usr/local/sbin/pure-ftpd -t 256:64
Example 2: 256 KB/s for uploads, no limit for downloads
/usr/local/sbin/pure-ftpd -t 256:
Example 3: no limit for uploads, 64 KB/s for downloads
/usr/local/sbin/pure-ftpd -t:64
With no column, the value applies to both, so '-t 64' is an alias for
'-t 64:64' .
* When Pure-FTPd serves a session with restricted bandwidth, it decreases
its process priority to 10. So, '-t 0' makes sense: during a CPU
starvation, authenticated sessions may be more responsible than anonymous
ones. '-T 0' is quite useless, but it also works and it will always be nice to
the server process.
* If you need advanced bandwidth management, have a look at your kernel
Q.O.S. abilities.
------------------------ VIRTUAL SERVERS ------------------------
Using Virtual servers is a convenient way of hosting several FTP sites on the same
computer. Let's say, you got two customers. The former owns the 'c9x.org'
domain name, while the latter owns the 'rtchat.com' domain name. Both are
hosted on the same computer, but they don't want to share the same files.
ftp://ftp.c9x.org/ should show different content than ftp://ftp.rtchat.com/
.
The FTP protocol doesn't allow name-based selection. So, if you want to host
<N> different virtual FTP servers on the same host and keep the standard port,
you need <N> different IP addresses. Yes, Sir. Or use HTTP.
Assign the needed IP adresses to your network adapter (with "ifconfig eth0:x
..." or "ip addr add dev eth0 a.b.c.d").
Now, create a /etc/pure-ftpd directory if it doesn't exist:
mkdir /etc/pure-ftpd
To add a virtual FTP server, you only need to create a symbolic link in
/etc/pure-ftpd/ from the virtual host IP to the directory that contains the
file for that virtual host.
Example:
ln -s /home/customers/rtchat.com/ftp /etc/pure-ftpd/216.226.17.77
ln -s /home/customers/c9x.org/ftp /etc/pure-ftpd/212.73.209.252
Done! Put the C9X files in /home/customers/c9x.org/ftp/ and the RTChat
files in /home/customers/rtchat.com/ftp/ .
With that feature, every account on the server can have its own public
anonymous FTP area. If you are providing hosting services, this is a nice
feature for your customers.
* WARNING *: it also means that your customers can create "incoming"
directories with 1777 permissions. It can be nice, but it can also fill up
your disk with warez. You can stop uploads for anonymous users with the
'-i' (or --anonymouscantupload) option.
By default, all IP addresses assigned to your server can be accessed by real
or anonymous users. You can restrict this with -e (only anonymous) or -E
(only real) .
A more flexible way is to use '-V <ip address>' to define a "trusted" IP
address. When a client connects to that trusted IP, anonymous and real
logins are permitted. But on all other IP, only anonymous users are permitted.
If you are a hosting service provider and if each customer has its own IP
address, it may be a nice idea to have a trusted IP you give to all your
customers, so that they can manage the files in their account. That IP is
the same for all customers. You can easily restrict access to that IP with
firewall rules if your customers have static IP addresses.
Use '-V <trusted ip>' and link /etc/pure-ftpd/<customer ip> to
~customer/ftp . Every customer will have his own *anonymous only* FTP
server and hackers will have to find the trusted IP to get in.
------------------------ IPv6 SUPPORT ------------------------
Pure-FTPd has full IPv6 support (native IPv6 addresses and 4-in-6
addresses). But use a super-server that also understands the IPv6 protocol,
like Rlinetd or Xinetd. Recent versions of Inetd should also be ok
(unverified). IPv6 is supported everywhere: logging, configuration
switches, virtual hosts, protocol (EPSV/EPRT support), name resolution...
--------------------- LOGGING ---------------------
Log messages are sent to the syslog daemon. You can disable logging with
'-f none'.
If you want all FTP messages to be redirected to a file, say /var/log/ftp,
add this line to your /etc/syslog.conf file:
ftp.* /var/log/ftp
Then restart your syslogd daemon:
killall -HUP syslogd
You can also drop your old "syslogd" and "klogd" programs for Metalog, an
efficient alternative: http://metalog.sourceforge.net/
Names of uploaded/downloaded files are logged with paths like this:
/home/ftp//pub/bla.jpg
The double-slash ('//') is the chroot limit.
--------------------- WATCHING CURRENT SESSIONS ---------------------
Since 0.97.7, you can type 'pure-ftpwho' at any time to watch current active
sessions.
If typing 'pure-ftpwho' answers 'Command not found', you have to add
/usr/local/sbin in your PATH environment variable.
The default output looks like this:
+------+---------+-------+------+-------------------------------------------+
| PID | Login |For/Spd| What | File/IP |
+------+---------+-------+------+-------------------------------------------+
| 2239 | jedi | 00:17 | D/L | XFree86-clients-4.0.3.tar.gz |
| '' | '' | 41K/s| 33% | -> nestea.funboard.de |
+------+---------+-------+------+-------------------------------------------+
| 2385 | ftp | 00:02 | IDLE | |
| '' | '' | | | -> gw2.crn.kjop.co.uk |
+------+---------+-------+------+-------------------------------------------+
'D/L' means that the client is downloading and 'U/L' means he's uploading
some file whose name is shown in the next column. '33%' is the real-time
completion of the current operation. '41K/s' is the bandwidth used by the
client. You can track down who's starving your bandwidth with this.
The 'pureftp-who' command accepts interesting options:
'-c': the program is called via a web server (CGI interface) . Output is a
full HTML page with the initial content-type header. This option is
automatically enabled if an environment variable called GATEWAY_INTERFACE is
found. This is the default if you can access the program from a CGI-enabled web
server (Apache, Roxen, Caudium, WN, ...) .
'-h': show command-line options summary.
'-n': don't resolve host names and only show IP addresses (faster).
'-s': output an easily parsable format for shell scripts (but not very user
friendly) .
There's only one line per client, with only numeric data, delimited by a '|'
character. It's not very human-readable, but it's designed for easy parsing by
shell scripts (cut/sed) . '|' characters in user names or file names are
quoted ('|' becomes '\|') .
Type 'pure-ftpwho -h' to check the format.
'-w': output a complete HTML page (web mode).
'-W': output an HTML page with no header and no footer. This is an embedded
mode, suitable for inline calls from CGI, SSI or PHP scripts.
'-x': output well-formed XML data for post-processing. This is the most
acurate mode. Time is in seconds and file sizes are in bytes (in other
output formats, sizes are in kbytes for easier readability) .
'-v': verbose output in text mode. Additional info includes the size of
files being downloaded/uploaded, the local IP or local host name and the
connection port. This is especially useful for virtual hosts. Here's a
sample output of 'pure-ftpwho -v':
+------+---------+-------+------+-------------------------------------------+
| PID | Login |For/Spd| What | File/Remote IP/Size(Kb)/Local IP |
+------+---------+-------+------+-------------------------------------------+
| 9086 | j | 00:04 | DL | linux-2.4.4.tar.bz2 |
| '' | '' | 22K/s| 27% | -> localhost |
| '' | '' | | | Total size: 20859 Transfered: 5632 |
| '' | '' | | | <- localhost:21 |
+------+---------+-------+------+-------------------------------------------+
------------------------ AFTER AN UPLOAD ------------------------
After a successful upload, any external program or shell script can be
spawned with the name of the newly uploaded file as an argument. You can use
that feature to automatically send a mail when a new file arrives. Or you
can pass it to a moderation system, an anti-virus, a MD5 signature generator
or whatever you decide can be done with a file.
To support this, the server has to be configured --with-uploadscript at
compilation time. Upload scripts won't be spawned on unreadable directories.
So it's highly recommended to use upload scripts with the --customerproof
run-time option and without unreadable parent directories.
To tell the FTP server to use upload scripts, it has to be launched with the
'-o' option. Finally, you have to run another daemon called 'pure-uploadscript'
provided by this package.
IMPORTANT:
YOU MUST START PURE-FTPD _FIRST_ and _THEN_ START PURE-UPLOADSCRIPT.
THE REVERSE ORDER WON'T WORK.
For security purposes, the server never launches any external program. It's
why there is a separate daemon, that reads new uploads pushed into a named
pipe by the server. Uploads are processed synchronously and sequencially.
It's why on loaded or untrusted servers, it might be a bad idea to use
pure-uploadscript with lenghty or cpu-intensive scripts.
The easiest way to run pure-uploadscript is 'pure-uploadscript -r <script>':
/usr/local/sbin/pure-uploadscript -r /bin/antivirus.sh
The absolute path of the newly uploaded file is passed as a first argument.
Some environment variables are also filled with interesting values:
- UPLOAD_SIZE : the size of the file, in bytes.
- UPLOAD_PERMS : the permissions, as an octal value.
- UPLOAD_UID : the uid of the owner.
- UPLOAD_GID : the group the file belongs to.
- UPLOAD_USER : the name of the owner.
- UPLOAD_GROUP : the group name the file belongs to.
- UPLOAD_VUSER : the full user name, or the virtual user name. (127 chars max)
There are also some options to "pure-uploadscript":
- '-u <uid>' and '-g <gid>' to switch the account pure-uploadscript will run
as. The script will be spawned with the same identity.
- '-B' to fork in background.
Please have a look at the man page ('man pure-uploadscript') for additional
info.
------------------------ LISTING DIRECTORIES ------------------------
The built-in 'ls' supports all common options of a regular 'ls' command.
Here are the ones you should know for a better life with FTP:
- '-l': verbose listing, reporting dates, owners, perms and sizes.
- '-a': also lists files and directories beginning with a dot.
- '-F': adds a '/' after directory names.
- '-d': list the directory itself, not its content.
- '-R': recursive listing.
- '-S': sort by size.
- '-t': sort by date.
- '-r': reverse the sorting order.
If you aren't very familiar with Unix, log in to your FTP server and try
these variants:
ls
ls -F
ls -l
ls -la
ls -lR
ls -Sl
ls -Slr
ls -tl
ls -tlr
Globbing is also supported. So if you are looking for a GNOME RPM in
<I don't know the directory name>/gnome-xxxxxxxx.rpm , you can find it that
way:
ls */gnome*.rpm
------------------------ VIRTUAL QUOTAS ------------------------
With virtual quotas, you can restrict the maximum number of files and the
total size of a user directory.
These quotas are "virtual" because they aren't handled at kernel-level, but
by the FTP server itself. There are some advantages over kernel quotas:
- Virtual quotas are specific to the FTP server. You can have different
system quotas to handle other files (eg. mail) on the same partition.
- You can have different virtual quotas for every user, even if they share
the same system uid.
- Virtual quotas are working even on filesystems that don't support system
quotas.
However, virtual quotas are slower and can't be as reliable as kernel quotas,
so don't trust them ultimately, they are probably races allowing to bypass
them. Also the filesystem users directories are on must properly support file
locking.
Virtual quotas are implemented in Pure-FTPd as simple files called
".ftpquota", located in the home directory of chrooted users. This file only
contains two numbers: the current number of files for this user and the
total size of the directory (+ its subdirectories), in bytes. When a new
file is uploaded, these numbers grow. When a file is deleted, these numbers
get smaller. Simple. Of course, when virtual quotas are enabled for one
user, that user must be 1) chrooted, 2) not allowed to write quota files, 3)
not allowed to forbid access to some directories to fool the counter.
Quotas can be enabled for all users for the -n (--quotas) option. This
option is followed by the max number of files and the max size (in Megabytes)
. Every user will have the same quota. Exception: members of the trusted
group, if -a is enabled.
You can also have different quotas for every user if you use PureDB or SQL
databases. See the "README.Virtual-Users" file for more info about PureDB
databases.
So, if you want 1000 files max and 10 Mb max for all your customers, run
the server like this:
/usr/local/sbin/pure-ftpd -n 1000:10
".ftpquota" files are created on demand when they are missing. However, when
they are created, the server assumes that the account was empty. If this is
not the case, you must run the "pure-quotacheck" utility to create an
initial ".ftpquota" file.
"pure-quotacheck" is a tool that computes the size and the number of files
in a directory and create a ".ftpquota" file with this info.
The syntax is:
pure-quotacheck -u username/uid -d home directory [-g group/gid]
For instance, if you want to summarize usage for the /home/ftpusers/john
directory, whoose files are owned by the "ftpusers" system account, just run:
pure-quotacheck -u ftpusers -d /home/ftpusers/john
You can run pure-quotacheck whenever you want, even when ".ftpquota" files
are already there. This is even a good idea to run this for all users in
crontab, so that stored quotas are always exact, even if something went wrong
(server bug, filesystem corruption, savagely killed server, etc) .
With traditional quotas, when a hard limit is reached, it's impossible to
write new data. It's nice for files that are created fastly (operations on
local filesystems) . But it's really frustrating when transfering files
through networks.
Virtual quotas are working in a (somewhat strange) but handy way. When an
user begins an upload, the newly uploaded file can be as huge as his total
quota. It means that if his quota is 10 Mb, he can upload a 10 Mb file, even
if he already has 9 Mb of other files in his directory. The idea is that
while he's uploading the file, he can realize that his quota will be
reached and he can move/compress/delete other files to save space before
the end of the upload. And only after completion of the upload, the quota is
checked. If the quota is still crunched, the newly uploaded file will be
deleted.
------------------------ AUTHENTICATION ------------------------
Pure-FTPd supports multiple methods of authentication. To use a method, you
must have it compiled in (check the ./configure options) .
- To use Unix authentication (the traditional /etc/passwd file), add the
following option when you run the server:
-l unix
- To use PAM authentication, add this:
-l pam
- To use PureDB (virtual users), add this:
-l puredb:/path/to/puredb_database
(read README.Virtual-Users for more info about PureDB indexed files)
- To use LDAP directories, add this:
-l ldap:/path/to/ldap_config_file
(read README.LDAP for more info about LDAP directories)
- To use MySQL databases, add this:
-l mysql:/path/to/mysql_config_file
(read README.MySQL for more info about MySQL databases)
- To use Postgres databases, add this:
-l pgsql:/path/to/postgres_config_file
(read README.PGSQL for more info about Postgres databases)
- To use external authentication handlers (with pure-authd), use:
-l extauth:/path/to/authd/socket
(read README.Authentication-Modules for more info about external
authentication)
Multiple authentication methods can be chained. For instance, you can run the
server like this:
/usr/local/sbin/pure-ftpd -lldap:/etc/pureftpd-ldap.conf \
-lpuredb:/etc/pureftpd.pdb -lunix
Every method is tried in order. With the previous command line, an LDAP
directory is probed first. If a user isn't found in the directory, a
PureDB database is scanned for the same user name. If that user is still not
found, /etc/passwd is scanned.
If the user is found in the LDAP directory, but the given password is wrong,
further authentication methods are skipped.
If you don't specify any -l option, PAM is assumed by default if the server
is compiled with PAM support and Unix is assumed by default otherwise.
------------------------ DIRECTORY ALIASES ------------------------
Directory aliases provides "shortcuts" for the "cd" command. For instance,
if you define an alias called "pictures" for "/usr/misc/pictures", when an
user will type "cd pictures" and if no real "pictures" directory exists, he
will be automatically redirected to "/usr/misc/pictures". Unlike symbolic
links, "cd pictures" will work from any directory. Tildes are *not* expanded.
An user can get the list of available aliases with the following command:
SITE ALIAS
To support that feature, the server must be compiled with --with-diraliases
passed to ./configure .
To define alias/directory pairs, you must create a file called
/etc/pureftpd-dir-aliases, whoose format is:
Alternating lines of alias and dir
(this enables embeded whitespace in dir and alias without quoting rules)
Optional blank lines
Optional lines beginning with '#' as comments
(no you can't put a '#' just anywhere)
Example:
pictures
/usr/misc/pictures
sources
/usr/src
# This is for the OpenBSD port tree
pureftpd-port
/usr/ports/net/pure-ftpd
------------------------ PRIVILEGE SEPARATION ------------------------
When privilege separation is enabled, each session will spawn two processes :
a "privileged" process running as root, but that can only do very basic
and trusted actions (binding a port and remove the ftpwho scoreboard) and
the "client" process. The "client" process definitely revokes all privileges
after authentication and chroot() and punctually communicates with the
parent over a private channel.
Privilege separation decreases performance of loaded servers, but it
increases theorical security.
Some old broken operating systems may allow the ptrace() system call on
processes that revoked privileges. On these platforms, enabling privilege
separation is a bad idea if untrusted users also have shell access. Use the
src/ptracetest program to check this. At least Solaris, ISOS, MirBSD, OpenBSD,
FreeBSD and Linux are known to be safe.
------------------------ CHARSETS (RFC2640) ------------------------
Since version 1.0.21, pure-ftpd has *experimental* support for charsets
conversion. The server filesystem can use a different charset than the
charset assumed by clients, and pure-ftpd translates file names through the
iconv library.
Some modern clients like lftp will also try to use UTF-8 if the server
supports it.
Thus, charsets conversion can be very useful when dealing with file names
containing non-english characters.
In order to support this, pure-ftpd has to be compiled with:
./configure ... --with-rfc2640
This is not supported by default because it requires libiconv.
Then the server has to be started with --fscharset=<charset>. Replace
<charset> with the charset of the server's filesystem. For instance:
/usr/local/sbin/pure-ftpd --fscharset=ISO-8859-15
This is often enough to properly work with UTF-8 capable clients.
But optionnally, you can specify the default charset for clients, with
--clientcharset:
/usr/local/sbin/pure-ftpd --fscharset=iso-8859-15 --clientcharset=big5
------------------------ OPTIMIZING FOR HIGH LOAD ------------------------
If you are going to use Pure-FTPd on a highly loaded server, here are some
hints to get the best performances:
- Compile with:
env CFLAGS="-O2 -fomit-frame-pointer -fgcse -Os" ./configure --with-minimal --without-inetd --without-pam
make install-strip
- Run it in standalone mode. Don't use -C, don't enable pure-ftpwho nor
pure-uploadscript (-o), nor per-user limits (-y) .
- Increase your system max descriptors number and local port range. On a
Linux kernel, you can try:
echo 2000 > /proc/sys/fs/super-max
echo 60000 > /proc/sys/fs/file-max
ulimit -n 60000
echo 30000 65534 > /proc/sys/net/ipv4/ip_local_port_range
- On a Linux kernel, disable syncookies, ecn, timestamps and window scaling:
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
- Disable access time update on your mounted filesystems. On a Linux system,
just add 'noatime,nodiratime' for each mount point in your /etc/fstab file.
- Disable syslog output and DNS lookups. Run it with:
/usr/local/sbin/pure-ftpd -f none -H
For FreeBSD, DJ_Oggy recommends the following setting:
>>> QUOTE:
Drop into single user mode (do a shutdown now or boot -s) and enter
tunefs -n enable <filesystem>
i sugest / /usr /var
In /etc/fstab add ",noatime" to the options of all filesystems.
In /boot/loader.conf add the following:
hw.ata.wc="1"
kern.ipc.nmbclusters="60000"
In /etc/sysctl.conf add the following:
vfs.vmiodirenable=1
kern.ipc.maxsockbuf=2097152
kern.ipc.somaxconn=8192
kern.ipc.maxsockets=16424
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=0
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
give it two asprin, a reboot and call me in the morning!!!!!
<<< END OF QUOTE
------------------------ KNOWN ISSUES ------------------------
- On non-linux systems, '-c' only works in standalone mode.
- You should always avoid the use of spaces in login names: applications
that are parsing log files often choke on this.
- Incomplete transfers aren't logged in alternative formats.
- On Solaris (at least Solaris 8), the large files + virtualchroot
combination doesn't compile (we need to use struct stat64 in place of stat
everywhere) .
- On Solaris, to get chroot to work with pure-ftpd you need a dev directory
in your new rootdir with these:
crw-rw-rw- 1 root other 11, 42 Dec 10 15:02 tcp
crw-rw-rw- 1 root other 105, 1 Dec 10 15:02 ticotsord
crw-rw-rw- 1 root other 11, 41 Dec 10 15:03 udp
crw-rw-rw- 1 root other 13, 12 Dec 10 15:03 zero
else you get this
ftp> ls
425 Can't create the data socket: Bad file number.
If all your users are chrooted, you have to create these files in every home
directory. Here's how:
mkdir dev
mknod dev/tcp c 11 42
chmod 0666 dev/tcp
mknod dev/udp c 11 41
mknod dev/zero c 13 12
mknod dev/ticotsord c 105 1
(Reported by Kenneth Stailey)
- Resuming ASCII transfers is refused. ASCII transfers are hell, because
they are consuming CPU time both at client and server sides. And they even
consume *more* bandwidth than binary transfers. But they allow Windows
clients to upload scripts to Unix servers, stripping these nasty ^M signs.
ASCII transfers are implemented in Pure-FTPd. But they can't be resumed and
this is intentional. To restart an ASCII transfer, the file has to be
read and analyzed byte by byte. It can be very long and by sending two
trivial commands, a client can completely kill a server (take a lot of CPU and
disk resources) . And there's no workaround.
Another point is that while RFC describe a way to resume ASCII transfers,
many clients and servers implement them in another way. The result is that
resumed ASCII transfers can lead to data corruption. Some major servers
didn't follow RFC, so some clients did the same mistake to support these
servers, while some other modern clients and servers are trying to fully
conform to RFC. So when clients and servers are speaking the same dialect, it
works. When it's not the case, you get corrupted files. Messy, eh?
And what if a customer uploads a script to your server and thinks he can
safely delete it from its hard disk? If the remote file is corrupted, he
will get really angry.
It's why Pure-FTPd *refuses* to resume ASCII transfers. If a customer tells
you that he isn't able to upload/download a partially transfered ASCII file,
please tell him to remove the partial file and to retransfer it again. This
is a safe bet.
------------------------ DOWNLOADING PURE-FTPD ------------------------
Pure-FTPd home page is: http://www.pureftpd.org/ .
Pure-FTPd mailing-lists:
http://www.pureftpd.org/ml/
If you have question, suggestions or patches, feel free to post them to the
mailing list. Newbies and silly ideas are welcome.
Thank you,
-Frank DENIS "Jedi/Sector One" <j..at..pureftpd.org> .
* Please also read the CONTACT file.