Mirror of glftpd-ng.com | Git: glftpd-ng-mirror
Downloads (BETA)
Changelog
2011-12-27: Reverse lookups working again. Fixed uncontrolled buffer (SIGABRTs reported).
2011-11-20: Fixed a few signaling issues (sukalis). Updated t2 builds to include AES-NI enabled libssl. Replaced glftpd update_crc() with zlib's crc32(). Introduced ul_buffer_size <value> glftpd.conf option to let you set read buffer size for read() and write() (by default set to BUFSIZ). Experiment with values and get back to me. Suggested value: 262144
2011-08-23: Published a little tool which can scan an existing directory structure, and output .ownerdb files. This is good for initializing old structures to run under a rootless glftpd instance.
2011-08-21: Optimized list file routines (linked list buffering whole dir). Fixed RMD error where new -wal and -shm files were not deleted properly.
2011-08-20: Rootless useradd fix. Updated owner_sqlite files to reflect current changes. Implemented functions to read and parse whole dirs with linked lists (and corresponding free() functions). Removed gl_log() references, as you don't have it :)
2011-08-15: Rootless groupadd fix.
2011-08-14: New T2 builds. Redefined signaling and implemented features for rootless glftpd. Msg you know who if you want to activate it. SQLite3 code used in glftpd can be found here. Feedback welcomed. Please make options for your 3rd party script to use the SQLite3 permissions!
2011-08-14: No new outstanding error reports on T2 builds, migrating to main track. Known issues; Signal 6 and speed_limit.
2011-08-11: Fixed another "delay_signaling was called with euid=0".
2011-08-04: Fixed (null) user on NUKE/UNNUKE. Addressed loading username.lock files.
2011-08-03: Addressed NUKE hanging for some users.
2011-08-02: Revisited the NUKE logging, please feedback result. Normalized logging. Normalized SHM structs and dirlogs with 32-bit binaries.
2011-07-27: Fixed a "delay_signaling was called with euid=0" on RETR. Thanks sukalis for debug input!
2011-07-25: Caught a few strcpy bugs which could cause malicious directory names and completions. Normalized memory space between 32 and 64-bit. t2 build only.
2011-07-12: Think we nailed the NUKE flags. Try the t2 and give feedback.
2011-07-11: Addressed problems with flags and site nuke logging. If you had problems, try the t2 and give feedback.
2011-07-07: Fixed memory leak on directory list (thanks zokum and PCFiL)
2011-06-27: First public release
64-bit compatibility
(2011-08-02) 247c158f68910b1480512d7a2125bc70 glconf.h.gz
f20c0cbc4fc72870a9c178d87bbee173 glext_lnx32_10.04.tgz
4cef3dda2017abaa45dd7eb98bb270ca glext_lnx32_8.04.tgz
(2011-08-02) 09a0a2bcf7b0f7cc822b113afdf655eb glext_lnx64_10.04.tgz
(2011-08-02) 12324eba38ab04c81b2fb587cebd03c1 glext_lnx64_8.04.tgz
ff2dcddd77f1507e7df00e6868312b0c sitewho.tar.gz
Put glconf.h in your ${glftpd-LNX_2.01}/bin/sources, then run compile.sh to build with the correct glftpd x86_64 headers.
If you want native working 64-bit binaries, download and extract glext_*.tgz (pick a suitable one) to your $GLDIR/bin folder. To build a working sitewho binary, use the sitewho.tar.gz sources.
AppArmor Profile
To make glftpd as safe and secure as possible to use, despite its design, you can use an AppArmor profile to enhance its security. AppArmor is standard and available in Ubuntu Server and openSuSE.
To install the profile, download jail.glftpd.bin.glftpd.txt and put it in your /etc/apparmor.d/ directory. Modify the @{GLROOT} and @{GLCONF} variables accordingly. If you have other custom site commands which glftpd needs to execute, add them to @{GLBINS}.
Activate the profile by running aa-enforce /etc/apparmor.d/jail.glftpd.bin.glftpd, then reload the profiles to include it. To see the status, run aa-status:
root@box:~# aa-status
apparmor module is loaded.
1 profiles are loaded.
1 profiles are in enforce mode.
/jail/glftpd/bin/glftpd
2 processes have profiles defined.
2 processes are in enforce mode :
/jail/glftpd/bin/glftpd (5016)
/jail/glftpd/bin/glftpd (5074)
This profile has only been tested on stock installations. If you get permission problems and/or runtime problems, check your system logs to track down the problem. This is PoC only.
Implemented (extended) standard
Original standard: RFC 2428
RFC 2428 defines two commands that replace PASV and PORT: EPSV (Extended Passive mode) and EPRT (Extended Port mode).
The original implementation looks like:
EPSV[<space> <net-prt>]
Returns: 229 <text indicating server is entering extended passive mode> (<d><d><d><tcp-port><d>)
EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>
Returns: 200 <text indicating correct input>
net-prt = Network Protocol, 1 = IPv4, 2 = IPv6
net-addr = Network Address
tcp-port = TCP port
d = delimiter (preferred |)
Whereas PASV returns an IP address and TCP port, which makes FXP work smoothly, EPSV does not. In fact, the standard prohibits populating the empty fields with protocol and IP. This is what we have extended.
glftpd with the IPv6 protocol will implement RFC 2428 as follows:
EPSV[<space> <net-prt>]
Returns: 229 <text indicating server is entering extended passive mode> (<d><net-prt><d><net-addr><d><tcp-port><d>)
EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>
Returns: 200 <text indicating correct input>
Which gives
This allows fully flexible FXP, which provides:
* Using FTP bouncers
* FXP:ing over IPv6 even though connected via IPv4
* Utilizing IPv6 between v6-enabled sites without requiring IPv6 on the client, and vice versa with legacy IPv4
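A client has to accept both reply forms shown above, and once the server may name an address, that address becomes untrusted input. The following parser is an added example, not glftpd code: the names parse_epsv_reply and data_target are hypothetical, and the sample replies are constructed with documentation addresses.

```python
import ipaddress

# RFC 2428 net-prt values and the address family each one requires.
NET_PRT = {"1": ipaddress.IPv4Address, "2": ipaddress.IPv6Address}

# Constructed sample replies (documentation addresses, not captured traffic).
STANDARD = "229 Entering Extended Passive Mode (|||6446|)"
EXTENDED = "229 Entering Extended Passive Mode (|2|2001:db8::10|50123|)"


def parse_epsv_reply(line):
    """Return (net_prt, address, port); net_prt and address are None for
    the standard RFC 2428 form, where both fields are empty."""
    start, end = line.rfind("("), line.rfind(")")
    if not line.startswith("229") or start < 0 or end - start < 6:
        raise ValueError("not a well-formed 229 reply")
    body = line[start + 1:end]
    d = body[0]  # the delimiter is whatever character the server chose
    if not 33 <= ord(d) <= 126 or body[-1] != d:
        raise ValueError("bad delimiter")
    fields = body[1:-1].split(d)
    if len(fields) != 3:
        raise ValueError("expected <net-prt>, <net-addr> and <tcp-port>")
    prt, addr, port_s = fields
    if not (port_s.isascii() and port_s.isdigit() and 0 < int(port_s) < 65536):
        raise ValueError("bad tcp-port")
    if prt == "" and addr == "":
        return None, None, int(port_s)
    if prt not in NET_PRT or not addr:
        raise ValueError("net-prt and net-addr must both be valid")
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    if not isinstance(ip, NET_PRT[prt]):
        raise ValueError("net-addr family does not match net-prt")
    return int(prt), ip, int(port_s)


def data_target(line, control_peer):
    """Return (address, port, differs); differs is True when the server
    names a host other than the control-connection peer."""
    _, ip, port = parse_epsv_reply(line)
    peer = ipaddress.ip_address(control_peer)
    if ip is None:
        return peer, port, False
    return ip, port, ip != peer


if __name__ == "__main__":
    print(data_target(STANDARD, "192.0.2.5"))
    print(data_target(EXTENDED, "192.0.2.5"))
```

A differing address is expected behind a bouncer or during FXP; in any other session it is worth logging before the data connection is opened.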
glftpd.conf
To play with IPv6 on your glftpd installation, add the following to glftpd.conf:
ipv6 1
With this set, glftpd checks on login which IPv6 addresses are available and uses the first public one it finds. Public here means any address that is not link-local (fe80::) or loopback (::1).
To bind to a specific address and/or round-robin between multiple addresses, add the following to glftpd.conf:
active_addr6 <v6 address>
pasv_addr6 <v6 address>
That should be it for now... :)