
Introduction

oftpd is designed to be as secure as an anonymous FTP server can possibly be. It runs as non-root most of the time, and uses the Unix chroot() system call to hide most of the system's directories from external users - they cannot change into them even if the server is totally compromised! It contains its own directory change code, so that it can run efficiently as a threaded server, and its own directory listing code (most FTP servers execute the system "ls" command to list files).
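One way a threaded server can keep a working directory per session without calling chdir(), which changes the directory for every thread in the process, is to resolve each CWD argument lexically and clamp ".." at the root. This is an added example, not oftpd's own code; `struct session`, `session_chdir` and `PATH_CAP` are hypothetical names, and the sample commands are constructed.

```c
#include <stdio.h>
#include <string.h>
#define PATH_CAP 256   /* assumed limit for this example */

/* Per-session state: each thread owns one, so no process-wide chdir(). */
struct session { char cwd[PATH_CAP]; };

/* Lexically resolve a CWD argument against s->cwd and store the result.
 * ".." never climbs above "/". Returns 0 on success, -1 if too long.
 * A real server would also stat() the result before accepting it. */
int session_chdir(struct session *s, const char *arg)
{
    char work[2 * PATH_CAP], out[PATH_CAP] = "/";
    size_t len = 1;
    int n = (arg[0] == '/')
        ? snprintf(work, sizeof work, "%s", arg)
        : snprintf(work, sizeof work, "%s/%s", s->cwd, arg);
    if (n < 0 || (size_t)n >= sizeof work)
        return -1;
    for (const char *p = work; *p; ) {
        while (*p == '/') p++;                 /* skip repeated slashes */
        size_t seg = strcspn(p, "/");
        if (seg == 2 && p[0] == '.' && p[1] == '.') {
            while (len > 1 && out[len - 1] != '/') len--;  /* pop name */
            if (len > 1) len--;                /* pop its slash, keep root */
        } else if (seg > 0 && !(seg == 1 && p[0] == '.')) {
            if (len + 1 + seg + 1 > sizeof out)
                return -1;                     /* would overflow: reject */
            if (len > 1) out[len++] = '/';
            memcpy(out + len, p, seg);
            len += seg;
        }
        out[len] = '\0';
        p += seg;
    }
    memcpy(s->cwd, out, len + 1);
    return 0;
}

int main(void)
{
    struct session s = { "/" };                /* constructed sample input */
    const char *cmds[] = { "pub/linux", "../../../../etc", "/pub//./x/.." };
    for (size_t i = 0; i < 3; i++) {
        int rc = session_chdir(&s, cmds[i]);
        printf("CWD %-18s -> rc=%d cwd=%s\n", cmds[i], rc, s.cwd);
    }
    return 0;
}
```

Lexical resolution does not follow symbolic links, so the chroot() boundary remains the control that actually confines file access.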

History

I wrote oftpd to fill a need we had at my company. Our public FTP site was a mess, and in addition to reorganizing the hierarchy and file layout I wanted to get the latest version of our FTP server software. It turns out that the version we had had a number of security issues. So I decided to find an anonymous-only, secure FTP server. None of the ones I found were fully baked. Time to write my own.

The name oftpd was chosen scientifically - I started with "aftpd", but another server already had that name. Likewise with "bftpd", "cftpd", and so on... "oftpd" was the first single-character ftpd name available.

I have since been informed that oftp stands for ODETTE File Transfer Protocol. I should have searched for "oftp" as well as "oftpd". No matter, the folks at http://www.oftp.net/ don't mind the name similarity.

Philosophy

oftpd is designed to be secure. Please report any concerns you have about this! It is also designed to be easy to install, configure, and run, because I think we've all seen too many exploits caused by misconfigured servers. The code is intended to be easy to read and thereby audit.

Downloads

0.3.7 is the latest of the "development" series, but I've been using the 0.3.6 version for a few years without any problems, so I recommend it. It is a security fix for a DoS bug found in 0.3.6. Details are in the ChangeLog.

Please read the FAQ if you have questions.

oftpd-0.3.7.tar.gz
oftpd-0.3.6.tar.gz
oftpd-0.3.5.tar.gz
oftpd-0.3.4.tar.gz
oftpd-0.3.3.tar.gz
oftpd-0.3.2.tar.gz
oftpd-0.3.1.tar.gz
oftpd-0.3.0.tar.gz

You can also download earlier versions, but there's not really any reason to do so:

oftpd-0.2.1.tar.gz
oftpd-0.2.0.tar.gz
oftpd-0.1.3.tar.gz
oftpd-0.1.2.tar.gz
oftpd-0.1.1.tar.gz

Patches

You can download Mauro Tortonesi's IPv6 patch from here:

ftp://ferrara.linux.it/pub/ipv6/patches/oftpd-0.2.0-ipv6rel1.patch.bz2
You can see his other IPv6 patches on this page.

Use this against the 0.2.0 release. It is more likely to work than the current 0.3.x code if you need IPv6 support!

Forks

Christian Dietrich has taken the oftpd source and made a nice program for easy file sharing. He has set up a project page here:
http://dokucode.de/cgi-bin/show.sh?path=/Projects/lanftpd

Shane Kerr <shane@time-travellers.org>
Last modified 2007-08-10