Source

linux-scalability-benchmarks / gatling / README.ftp

The default branch has multiple heads

gatling now also speaks FTP, and it is enabled per default.
Disable it with -F.

Working around itojun's disabled IPv4-mapped IPv6 addresses is even
worse for FTP than it is for HTTP.  I'm not going to waste my time on
this for now.  Please ask itojun himself to prove how "easy" or even
"trivial" it is to do this, as he always claims it is.

Like HTTP will bind to port 80 if running as root, or 8000 otherwise,
FTP will bind to port 21 and 2121.  To specify the FTP port, use
-f -p [port].  Example:

  gatling -p 81 -f -p 2100

would run a HTTP server on port 81 and an FTP server on port 2100.  For
now, HTTP and FTP will always bind to the same IP number.

Please note:

  a) No TELNET sequences.
     These are _really_ obsolete, a pain in the ass to implement, and
     have even been used as means to avoid intrusion detection systems
     due to the obscurity.

  b) The path checking deliberately _allows_ to leave the file system,
     as long as you follow a symbolic link in the process.  That means,
     if you symlink out of the FTP file system (and the destination is in
     the chroot jail), gatling will allow FTP (and HTTP!) users to
     follow the symlink.  However, following a directory symlink and
     appending "/../" will not follow the .. directory entry from the
     target directory of the symlink, as an attacker may hope.

     The idea is to make it easy to create an FTP Server by putting a
     few symlinks to directories you want to export in an empty
     directory and starting gatling there.

  c) Like for HTTP, gatling will do virtual hosting, i.e. if the client
     connected to IP 10.1.1.23 on port 21, gatling will look for the
     exported data in the directory "10.1.1.23:21".

  d) gatling will not let users download files that are not world
     readable, even if the permissions would normally allow the gatling
     process to read the files.  This is to prevent accidental
     publication of sensitive files.

  e) gatling accepts uploads per anonymous FTP, but only to directories
     that are world writable.  Since there normally are no world
     writable directories, this should not pose much of a threat to
     anyone.  Please note that the files are created with mode 600,
     which means gatling will not let others download uploaded files, so
     it cannot be exploited as warez dump.

     You can disable uploads altogether with -U, or you can allow
     anonymous downloaders to download just uploaded files with -a.

  f) gatling's directory listings will always claim files are owned by
     root.  The local accounts on FTP sites are ignored by software and
     not normally useful to outsiders anyway, but revealing them may
     expose more of your organisation to FTP users than you want.