When connecting to unFTP with FileZilla we get the following error:

This is probably related to something we've seen before when testing with lftp where we close the stream to early.

In anticipation of async/await coming to stable Rust on November 7th, libraries like Tokio and Hyper have been preparing support for std::future::Future and eventually plan on dropping futures 0.1 entirely. It would be cool if libunftp came prepared for these major improvements in ergonomics too!

Since we're really low on ports when running in kubernetes, we need a way to limit attackers connecting randomly to data ports. While this feature breaks FTP protocol compatbility, it is necessary for security under certan circumstances.

Ocassionally I see this when testing (lib)unFTP with FileZilla:

Steps to reproduce:

Its not very consistent but here goes:

1. Start unFTP with certificates (TLS) configured:

cargo run -- \
--bind-address=0.0.0.0:2122 \
--bind-address-http=0.0.0.0:8080 \
--passive-ports=50000-65535 \
--ftps-certs-file=/Users/xxx/unftp/unftp.crt
--ftps-key-file=/Users/xxx/unftp/unftp.key
--root-dir=/Users/xxx/unftp/home

2. Start FileZilla and connect to unFTP:

Expected Result:

FileZilla should be able to log in immediately:

Status:      	Resolving address of localhost
Status:      	Connecting to [::1]:2122...
Status:      	Connection attempt failed with "ECONNREFUSED - Connection refused by server", trying next address.
Status:      	Connecting to 127.0.0.1:2122...
Status:      	Connection established, waiting for welcome message...
Status:      	Initializing TLS...
Status:      	Verifying certificate...
Status:      	TLS connection established.
Status:      	Logged in
Status:      	Retrieving directory listing of "/"...
Status:      	Calculating timezone offset of server...
Status:      	Timezone offset of server is 0 seconds.
Status:      	Directory listing of "/" successful

Actual Result:

FileZilla times out after 20 seconds and does a couple of retries but with no avail.

While deploying to kubernetes, we realized we don't actually need so many ports open in kubernetes if we use a single data port only.

(details: https://serverfault.com/questions/270745/why-does-ftp-passive-mode-require-a-port-range-as-opposed-to-only-one-port)

The upside of using a single port for control channel and another single port for data are many:

• kubernetes has no support for port ranges, which makes opening up thousands of ports a very remote possibility only;
• opening up a lot of ports is always seen as an impact on management, configuration and security in general;
• by identifying clients on the data port based on the control port's IP, we get added security against hijack attacks.

There are also downsides:

• There could be weird use cases where the data port is opened from another IP than the control port. This is normally reserved for advanced FTP usage that is not at all common these days.

• If a client connects multiple times from the same IP, and they both initiate data transfer, we can't identify which data port connection belongs to which client. A possible workaround would be

rename command is spawned, errors are not returned the client

Implement MDTM. See https://tools.ietf.org/html/rfc3659#page-8

While this can cause break in some rare ftp users, for 99% of the cases, it's a good security measure to forego port scanning for recently opened ftp data ports (and this snooping data).

libunftp shows the actual owner uid and gid in the LIST output. I think this is a minor security issue. It should instead just return user ftp and group ftp.

We should make this configurable. vsftpd has a hide_ids option that is set to YES by default.

The question is, are we even bothered by this since we are using containers? Guess not?

Since storage back ends can have features not implemented (e.g.: SIZE), but some clients change behavior based on the available features, so the back ends should be able to tell what features they support.

Currently unimplemented. See here:

The cloud storage back end is not working since AsAsyncReads is unimplemented. Since the library is now only dependent on tokio02 and futures03, it might be that this trait is not needed anymore.

Since the Google Cloud Storage backend doesn't support directory times, the output of a LIST is like this:

drwxr-xr-x            0            0              0            - mydirectory
drwxr-xr-x            0            0              0            - test
drwxr-xr-x            0            0              0 Dec 13 14:52 /
-rwxr-xr-x            0            0             24 Jun 07 13:05 test_thingy
-rwxr-xr-x            0            0             21 Jun 07 13:06 thingy

FileZilla thinks that the directories are - /, - mydirectory, - test instead of /, mydirectory, test

Do not use .wait() while handling the commands

There are lot of unwraps in the code, they should be removed, or documented why unwrap is the way to go. This is an umbrella task: Pull requests are probably best to send per file to keep it small.

See https://tools.ietf.org/html/rfc3659#page-13

The GCS backend is ignoring the http status code and error body in most of the commands. These information should be used for error propagation. The 'del' command can be used as an example how to do it.

Upgrade to Futures 0.3, Tokio 0.2 and Hyper 0.13

Currently unimplemented.

At the moment, libunftp has a few, scattered, built-in log-based logging.
For a proper production environment, we need the possibility of structured logging (via slog?), or an event system that allows actual logging implementations (or anything else) on the user of the library.

When giving a nonexistent filename like t, f, unftp does not display the filename in the error. It looks like some such characters are treated as if they are not a filename within libunftp. E.g.:

lftp localhost:/> rm t
rm: Access failed: 550 File not found
lftp localhost:/> rm u
rm: Access failed: 550 File not found
lftp localhost:/> rm d
rm: Access failed: 550 File not found
lftp localhost:/> rm e
rm: Access failed: 550 File not found
lftp localhost:/> rm f
rm: Access failed: 550 File not found

Some other characters don't have the issue:

lftp localhost:/> rm s
rm: Access failed: 550 File not found (s)
lftp localhost:/> rm v
rm: Access failed: 550 File not found (v)
lftp localhost:/> rm w
rm: Access failed: 550 File not found (w)

Although this looks like a benign bug, it could be more than that.

The GCS backend should have a generic implementation for handling error responses from the GCS API, safely and consistently. It should also make troubleshooting easy through verbose error logging.

The main concern here is hitting API request count limits, caused by client retries: (causing 429—Too Many Requests)

1. Error responses should be consistent between commands (permanent vs temporary failures). Retryable error codes should only be send when there is an actual transient error.
2. Should implement exponential backoff. There is a separate issue for that: #82

Troubleshooting: It should verbosely log these errors, and it should include details retrieved through the HTTP response body (JSON). See GCS status codes.

Currently unimplemented.

"The EPSV command requests that a server listen on a data port and wait for a connection."

Spec: https://tools.ietf.org/html/rfc2428#section-3

See also https://www.jscape.com/blog/what-is-the-ftp/s-epsv-command-and-when-do-you-use-it

Thank you as always :-))

Please tell us about U. I want to give my own user.

use futures::{future, Future, Stream};
use std::path::{Path, PathBuf};
use std::time::SystemTime;

#[derive(Clone, Debug)]
struct SampleUser {
    hash: String,
}

impl AsRef<SampleUser> for SampleUser {
    fn as_ref(&self) -> &SampleUser {
        self
    }
}

struct SampleStorage;

struct SampleMetadata;

impl libunftp::storage::Metadata for SampleMetadata {
    fn len(&self) -> u64 {
        0
    }

    fn is_empty(&self) -> bool {
        self.len() == 0
    }

    fn is_dir(&self) -> bool {
        true
    }

    fn is_file(&self) -> bool {
        !self.is_dir()
    }

    fn is_symlink(&self) -> bool {
        false
    }

    fn modified(&self) -> Result<SystemTime, libunftp::storage::Error> {
        Ok(SystemTime::now())
    }

    fn gid(&self) -> u32 {
        48
    }

    fn uid(&self) -> u32 {
        48
    }
}

impl libunftp::storage::StorageBackend<SampleUser> for SampleStorage {
    type File = std::io::Cursor<Vec<u8>>;
    type Metadata = SampleMetadata;
    type Error = libunftp::storage::Error;

    fn stat<P: AsRef<Path>>(
        &self,
        _user: &Option<SampleUser>,
        _path: P,
    ) -> Box<dyn Future<Item = Self::Metadata, Error = Self::Error> + Send> {
        Box::new(future::ok(Self::Metadata {}))
    }

    fn list<P: AsRef<Path>>(
        &self,
        _user: &Option<SampleUser>,
        _path: P,
    ) -> Box<
        dyn Stream<
                Item = libunftp::storage::Fileinfo<std::path::PathBuf, Self::Metadata>,
                Error = Self::Error,
            > + Send,
    >
    where
        <Self as libunftp::storage::StorageBackend<SampleUser>>::Metadata: libunftp::storage::Metadata,
    {
        let result = future::ok(vec!["a", "b", "c"])
            .map(|_| {
                futures::stream::iter_ok(vec![libunftp::storage::Fileinfo {
                    path: PathBuf::from("".to_string()),
                    metadata: Self::Metadata {},
                }])
            })
            .flatten_stream();

        Box::new(result)
    }

    fn get<P: AsRef<Path>>(
        &self,
        _user: &Option<SampleUser>,
        _path: P,
    ) -> Box<dyn Future<Item = std::io::Cursor<Vec<u8>>, Error = Self::Error> + Send> {
        Box::new(future::ok(std::io::Cursor::new(vec![0])))
    }

    fn put<P: AsRef<Path>, R: tokio::prelude::AsyncRead + Send + 'static>(
        &self,
        _user: &Option<SampleUser>,
        _bytes: R,
        _path: P,
    ) -> Box<dyn Future<Item = u64, Error = Self::Error> + Send> {
        Box::new(future::ok(0))
    }

    fn del<P: AsRef<Path>>(
        &self,
        _user: &Option<SampleUser>,
        _path: P,
    ) -> Box<dyn Future<Item = (), Error = std::io::Error> + Send> {
        Box::new(future::ok(()))
    }

    fn rmd<P: AsRef<Path>>(
        &self,
        _user: &Option<SampleUser>,
        _path: P,
    ) -> Box<dyn Future<Item = (), Error = Self::Error> + Send> {
        Box::new(future::ok(()))
    }

    fn mkd<P: AsRef<Path>>(
        &self,
        _user: &Option<SampleUser>,
        _path: P,
    ) -> Box<dyn Future<Item = (), Error = Self::Error> + Send> {
        Box::new(future::ok(()))
    }

    fn rename<P: AsRef<Path>>(
        &self,
        _user: &Option<SampleUser>,
        _from: P,
        _to: P,
    ) -> Box<dyn Future<Item = (), Error = Self::Error> + Send> {
        Box::new(future::ok(()))
    }
}

fn main() {
    let mut rt = tokio::runtime::Runtime::new().unwrap();
    let server = libunftp::Server::new(Box::new(move || { SampleStorage {} }));
    rt.spawn(server.listener("127.0.0.1:2121"));
}

However, an error occurs :'-(

   Compiling ftp-sample v0.1.0 (/home/kenta/dev/ninja/ftp-sample)
error[E0277]: the trait bound `SampleStorage: libunftp::storage::StorageBackend<libunftp::auth::AnonymousUser>` is not satisfied
   --> src/main.rs:145:18
    |
145 |     let server = libunftp::Server::new(Box::new(move || { SampleStorage {} }));
    |                  ^^^^^^^^^^^^^^^^^^^^^ the trait `libunftp::storage::StorageBackend<libunftp::auth::AnonymousUser>` is not implemented for `SampleStorage`
    |
    = help: the following implementations were found:
              <SampleStorage as libunftp::storage::StorageBackend<SampleUser>>
    = note: required by `libunftp::server::Server::<S, U>::new`

This is successfly :)

+ impl libunftp::storage::StorageBackend<libunftp::auth::AnonymousUser> for SampleStorage {
- impl libunftp::storage::StorageBackend<SampleUser> for SampleStorage {

Currently, U is only libunftp::auth::AnonymousUser can be passed. I wrote a code for libunftp to compile successfully here.

Is there a good solution?

thank you.

When connecting to unFTP from FileZilla this is the result:

Expected:

The message: "Status: Server does not support non-ASCII characters" must not appear

Hello! I facing a problem.

Success case

Command:	PASV
Response:	227 Entering Passive Mode (127,0,0,1,234,79)
Command:	STOR a
Response:	150 Ready to receive data
Response:	226 File successfully written
Status:	File transfer successful, transferred 0 B in 1 second

Error case

Command:	PASV
Response:	227 Entering Passive Mode (127,0,0,1,203,51)
Command:	STOR あ
Response:	500 Invalid UTF8 in command
Error:	Critical file transfer error

Error from here
https://github.com/bolcom/libunftp/blob/master/src/server/commands/mod.rs#L593-L595

How are you working it out?

The help command currently doesn't do anything useful.

When you connect with and FTP client to unFTP and issue the HELP command it currently just responds with "powered by unFTP". Perhaps it can also give a link to our website (https://unftp.rs)

Currently unimplemented.

This behavior is not correct:

---> LIST t
<--- 150 Sending directory list
---- Got EOF on data connection
---- Closing data socket
-rwxr-xr-x            0            0             24 Jun 07 13:05 test_thingy
-rwxr-xr-x            0            0             21 Jun 07 13:06 thingy
<--- 226 Listed the directory 

expected instead:

550 File or directory not found

When running libunftp via unFTP Server and then trying to connect with macOS Finder's integrated FTP I get an error message:

I run unFTP Server with:

cargo run -- \
  --bind-address=0.0.0.0:2121 \
  --bind-address-http=0.0.0.0:8080 \
  --home-dir=/Users/xxx/Desktop/unftp/home \

This is what I see in the logs (Note: The double logging is probably an issue with the log setup and not macOS's sending double commands)

 Oct 04 09:09:10.340 INFO Starting unFTP server., sbe-type: filesystem, auth-type: anonymous, home: /Users/hdejager/Desktop/unftp/home, address: 0.0.0.0:2121, version: v0.3.0-5-ge46b146
 Oct 04 09:09:10.341 INFO Starting Prometheus unFTP exporter., address: 0.0.0.0:8080
Oct 04 09:09:10.343 INFO Using anonymous authenticator
Oct 04 09:09:21.100 INFO Processing event Command(User { username: b"anonymous" })
Oct 04 09:09:21.100 INFO Processing event Command(User { username: b"anonymous" })
Oct 04 09:09:21.100 INFO Processing event Command(Pass { password: b"[email protected]" })
Oct 04 09:09:21.100 INFO Processing event Command(Pass { password: b"[email protected]" })
Oct 04 09:09:21.100 INFO Processing event InternalMsg(AuthSuccess)
Oct 04 09:09:21.100 INFO Processing event InternalMsg(AuthSuccess)
Oct 04 09:09:21.101 INFO Processing event Command(Syst)
Oct 04 09:09:21.101 INFO Processing event Command(Syst)
Oct 04 09:09:21.101 INFO Processing event Command(Pwd)
Oct 04 09:09:21.101 INFO Processing event Command(Pwd)
Oct 04 09:09:21.101 INFO Processing event Command(Type)
Oct 04 09:09:21.101 INFO Processing event Command(Type)
Oct 04 09:09:21.102 INFO Processing event Command(Cwd { path: "/" })
Oct 04 09:09:21.102 INFO Processing event Command(Cwd { path: "/" })
Oct 04 09:09:21.102 INFO Processing event Command(Port)
Oct 04 09:09:21.102 INFO Processing event Command(Pasv)

Hi guys.

I thinks processing TCP of this library is complicated.
The reason is control connection and data connection interact in both directions by channel.
I redesigned the process in here (in progress).

My idia will all comannds process in process() and responde(). Session::process_data() and channels be unnecessarily.

How do you think that?

To avoid hitting API request count limits, caused by client retries: (causing 429—Too Many Requests)
Implement exponential backoff.

"This command causes the server-DTP to accept the data transferred via the data connection and to store the data in a file at the server site. If the file specified in the pathname exists at the server site, then the data shall be appended to that file; otherwise the file specified in the pathname shall be created at the server site."

Spec: https://www.freesoft.org/CIE/RFC/959/23.htm

mod.rs files should only collect the content of other files and not have any "real" code.

the LIST command always returns permissions as

rwxr-xr-x

regardless of the actual permissions of the file.