The Bftpd program is a small, easy-to-configure FTP server.

It strives to be fast, secure and quick to install and configure.

Latest News

September 30, 2017: Bug fix update.

This release of Bftpd 4.6 fixes two errors. The first is a possible memory corruption when loading the configuration file. The second change makes sure that Bftpd places new clients in a chroot environment, unless the administrator specifically disables the chroot feature. Using a chroot is now the default behaviour, even if the option is not set in the configuration file.

September 6, 2017: Bug fix update.

This release of Bftpd fixes a possible buffer underflow issue when accepting short commands from raw or malicious clients. Thanks to Andreas for pointing out this flaw.

October 1, 2014: Bug fix update.

This release of Bftpd fixes a potential buffer overflow bug that occurs when the server is compiled with S_ISLINK defined. This bug may cause a buffer overflow when symbolic links are included in a directory listing. The new version 4.4 of Bftpd should process symbolic links properly or, in cases where S_ISLINK is not defined, hide symbolic links. This latter behaviour is provided for added security and to avoid causing Bftpd to hang on some operating systems while processing directory listings where symbolic links exist.

April 25, 2014: Minor update.

This release updates the license file for clarity and fixes a compiler warning with regards to casting a pointer to an integer type.

Dec 22, 2013: Fix for login issue.

Lauri Kasanen reported a bug which could prevent Bftpd from logging in valid users when modern versions of glibc are being used on the system. Lauri provided a patch for the login checks which corrects the error and this has been confirmed to work on older versions of glibc as well.

Oct 28, 2013: Fix for potential crash.

Lauri Kasanen reported a bug in Bftpd. When linked against modern versions of glibc (version 2.17 and newer), calls to crypt() for password checking can return invalid values. This can cause Bftpd to crash. The latest version of Bftpd (4.1) performs a check to avoid the problem.

May 28, 2013: Port to NetBSD.

Following the release of Bftpd 3.9 Thomas Cort sent a patch which should allow the Bftpd server to build on NetBSD. No features or functionality in the service changed. Thanks to Thomas for sending in this patch.

May 27, 2013: Bug fixes and port to MINIX.

Following reports from a security audit performed by Zhenbo Xu the Bftpd project was made aware of several potential bugs in the server. These bugs could cause memory leaks or, possibly, crash the Bftpd service on operating systems where calls to malloc() can return NULL. The bugs and the memory leak reported have been fixed in version 3.9 of Bftpd.

We are also pleased to announce that the Bftpd service now compiles and runs on the MINIX operating system without requiring any modifications. MINIX users can unpack the Bftpd source code and run the usual "./configure, make, make install" to get a working Bftpd. Some special features of Bftpd will not work with MINIX, but core functionality, file transfers and directory listings work. To assist MINIX admins we include a special MINIX configuration file with the Bftpd source code. This example configuration file, bftpd.conf.minix, is designed to work out of the box on MINIX machines. This file should be copied to the /etc directory under the name /etc/bftpd.conf. Please see the documentation for details on configuring Bftpd.

May 8, 2012: Minor bug fix release.

The new release of Bftpd, version 3.8, addresses two minor issues. The first is that on 64-bit systems time stamps on user logins could become corrupted, at least if the clocks are running at a date which would require more than 32 bits to store. This has been corrected. The second fix is that Bftpd will now make a small effort to find its configuration file. Previously Bftpd was hard-coded to look in /etc/bftpd.conf for its settings. Now Bftpd will check there, and it will also check PREFIX/etc/bftpd.conf. The prefix variable can be set at compile time; see line 5 of the Makefile.

February 20, 2012: Bug fix release.

This release of Bftpd, version 3.7, corrects a number of problems with the Makefile and the way in which the configuration file is parsed. Namely, the Makefile now respects the "prefix" variable and can, if required, install Bftpd into unusual locations, including a prefix where the expected directories (i.e. /usr, /etc) do not yet exist. This release attempts to load the configuration file faster and is more tolerant of unexpected spaces and end-of-line comments.

A few minor compiler warnings have also been cleared up to make building with GCC smoother. Thanks to Zhang and Martin for reporting bugs and suggesting fixes.

July 27, 2011: Minor bug fix release.

Martin reported two issues, both of which have been fixed in version 3.6 of Bftpd. The first bug to be fixed concerns text file authentication. Users' home directories had to be quite short previously, and the length of path names when using text file authentication has been increased.

The other bug concerns files which are really named pipes. If a named pipe is in a directory, performing a directory listing would cause the connection to hang. This has been fixed so named pipes are handled properly.

Thanks to Martin for reporting these problems and for helping to test the fixes.

July 10, 2011: Minor bug fix release.

Tony Wang pointed out a bug which could cause Bftpd to fail to properly bind itself to a socket. Version 3.5 fixes the issue.
Thanks to Tony for both reporting the bug and supplying a patch to correct the issue.

May 11, 2011: Minor bug fix/feature addition.

The 3.3 version of Bftpd included a fix to work around the GNU C library's method of getting the current time zone information in a chroot environment. Other C libraries may not need this internal work-around.

A new option has been added to the Bftpd configuration file (bftpd.conf) called TIMEZONE_FIX. By default Bftpd tries to find its own time zone data. However, setting TIMEZONE_FIX="no" will cause Bftpd to hand time zone handling back to the C library.

May 8, 2011: Minor bug fix update.

A bug in the way time zone information is determined when running in a chroot environment has caused some users to find their log file is time stamped incorrectly. Generally log entries have appeared in GMT (or UTC) time, rather than local time. This is the same problem reported in this ProFTPd bug. This new release of Bftpd, version 3.3, includes a work around to calculate the current time zone prior to entering the chroot environment.

March 6, 2011: Minor feature update.

The 3.2 release of Bftpd includes one minor fix, which lets Bftpd hide files controlled by a certain group from the client. It also adds a new value to the SHOW_HIDDEN_FILES variable. Previously we could set Bftpd to always show hidden files or never show them. A new value has been added which will cause Bftpd to show hidden files to the client only when the client requests hidden files in the directory listing. This should clear up compatibility issues with clients like Filezilla.

September 22, 2010: Important security update.

Paul Laufer was kind enough to point out that the last few versions of Bftpd have shipped with a potential security problem. By default, the anonymous FTP account was left turned on. This means that if the system administrator leaves the anonymous account enabled and does not set the anonymous user's chroot option, remote users will have almost unlimited access to the server. By default the anonymous user account should be disabled.

If you are running Bftpd, please check your configuration file (typically /etc/bftpd.conf) and look at the section near the bottom regarding the FTP user. Either DENY_LOGIN should be set or ROOTDIR should point to a safe location where a remote user cannot do harm to the rest of the system. At this time a fix in the form of Bftpd-3.1 is being uploaded which locks down the anonymous account.

Also, in an effort to avoid leaving people in the dark, we are setting up a security mailing list. This list will be used only to announce new releases and security warnings. If you would like to subscribe to the mailing list, please get in touch with us via our Contact page.
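The configuration check requested above can be scripted. The following is an added example, not code from the Bftpd project: the function names are hypothetical, the sample file is constructed, and it assumes the `global { }` / `user ftp { }` block layout with `NAME="value"` lines, that `DENY_LOGIN="no"` means logins are permitted, that `ROOTDIR="/"` means no confinement, and that options missing from a user block fall back to `global`.

```python
import re

# Constructed sample in bftpd.conf's block layout; not the shipped default file.
SAMPLE_CONF = '''
global {
  DENY_LOGIN="no"      # end-of-line comment
  ROOTDIR="%h"
}
user ftp {
  #DENY_LOGIN="Anonymous login disabled."
  ROOTDIR="/"
}
'''

BLOCK = re.compile(r'^(global|(?:user|group)\s+\S+?)\s*\{$')
OPTION = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')

def parse_conf(text):
    """Return {section: {OPTION: value}} for bftpd.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # blank line or whole-line comment
        block, option = BLOCK.match(line), OPTION.match(line)
        if block:
            current = sections.setdefault(' '.join(block.group(1).split()), {})
        elif line.startswith('}'):
            current = None
        elif option and current is not None:
            current[option.group(1).upper()] = option.group(2)
    return sections

def audit_anonymous(text, user='ftp'):
    """Report whether the anonymous account is denied or confined."""
    conf = parse_conf(text)
    if 'user ' + user not in conf:
        return 'no "user %s" section found' % user
    # Assumption: options missing from the user block fall back to global.
    effective = {**conf.get('global', {}), **conf['user ' + user]}
    if effective.get('DENY_LOGIN', 'no').lower() != 'no':
        return 'ok: login denied'
    # Assumption: a missing ROOTDIR is treated as unconfined (conservative).
    rootdir = effective.get('ROOTDIR', '/')
    if rootdir != '/':
        # Whether this directory is actually safe is the administrator's call.
        return 'ok: confined to ' + rootdir
    return 'RISK: anonymous login allowed without a confining ROOTDIR'

if __name__ == '__main__':
    print(audit_anonymous(SAMPLE_CONF))
```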

September 4, 2010: New stable release.

This new release, 3.0, contains our corrected documentation and the new Slovak documentation. There were no code changes between 2.9 and 3.0.

August 30, 2010: Added Slovak documentation.

Dusan kindly submitted a translation of the Bftpd documentation in the Slovak language. You can find a copy of the new pages on the Documents page. The next source release of Bftpd will also include the new translation.

July 7, 2010: Documentation update.

Updated the documentation on the website to fix broken links. The documentation now includes a section on configuration options. Thanks to Xiang for pointing out the page was missing.

June 2, 2010: Anonymous login bug fix.

A bug was found in the way bftpd handles anonymous logins. When an anonymous user connects, the ROOTDIR option in the configuration file was being ignored. The new release, 2.9, corrects this problem. Thanks to Paul Laufer for reporting this issue.

This release also fixes an issue where the bftpd log file would get erased on Ubuntu during a reboot of the system.

May 25, 2010: PC-BSD support

I am happy to announce that, with the help of PC-BSD founder, Kris Moore, we're now able to offer one-click install files for PC-BSD users. The PBI package can be found here. Please test it and let us know how it works. All going well we hope to see Bftpd offered through PC-BSD's package manager soon. For those of you on FreeBSD, the bftpd server is offered through their Ports collection.

April 19, 2010: New release

The 2.8 release brings a lot of improvements and bug fixes to Bftpd.

There were some cases where the user config options might not be read properly, depending on how Bftpd was compiled. This has been fixed so options should always be read.

Anonymous logins have been fixed. This broke a few releases back and it's been corrected. We have also disabled anonymous logins by default. You can allow anonymous logins in the configuration file.

If several Bftpd sessions all die at once, the system will now clean up the zombie processes.

The "list" command now recognizes the "-a" parameter, allowing clients to see hidden files. This function only works if the administrator has turned on the configuration file option SHOW_HIDDEN_FILES.

The search function has been updated, allowing users to see symbolic links, even if those links are broken. For this feature to work, the configuration file option SHOW_NONREADABLE_FILES must be turned on.

Many thanks to Raster who contributed most of the improvements for this release. Also thanks to Oliver Metz for reporting bugs.

In short, we've fixed a few things, tried to make the system more secure out of the box and added some optional functionality. Please see the contact page if you would like to report a problem.

March 28, 2010: Stable release

This release, 2.7, fixes an issue where an FTP client would attempt to delete a directory on the server. The server would previously send back the same error regardless of whether the directory was full or the client did not have permission to delete it. This would confuse some clients. Thanks to Raster for providing this patch.
This release also clears up some compiler warnings from gcc 4.4.1.

October 19, 2009: Stable release

This release of version 2.6 fixes a few minor bugs with the bandwidth logging feature introduced in 2.5. Primarily it makes sure bandwidth is logged even if the client does not disconnect cleanly.

October 9, 2009: Stable release

This release, version 2.5, contains two new features. It improves UTF-8 support with programs such as Filezilla. The server also provides the option to log bandwidth usage on a per user basis. The option to enable bandwidth logging is called BANDWIDTH and can be found in the bftpd config file. The README file has also been updated to include a few awk scripts to assist with getting data from the bandwidth logs.

September 2, 2009: Stable release.

This release, version 2.4, fixes one security bug which could have led to a denial of service attack. Administrators are advised to upgrade at their earliest convenience.
Many thanks to Dazhi for reporting this issue.

October 5, 2008: Stable release.

Since no new bugs were reported from the development release, I'm going to repackage Bftpd as a stable release. This is the same code as bftpd-2.2.1, so those of you who follow the development packages have no need to upgrade. For people who stick to stable releases, this is for you.

September 16, 2008: Minor bug fix.

This development release is to test a small patch, provided by Ivan, which prevents problems when bftpd is launched by some daemon processes. I foresee no problems, but I'm putting this out as a development release for now.

June 22, 2008: New Website

Daniel Zilli was kind enough to volunteer to redesign the Bftpd website. I'm very happy with this change and I hope that our visitors feel the same.

March 21, 2008: Stable release Bftpd-2.2

This release brings one small change over the previous development releases. Bftpd will not close connections when a client sends an incorrect username/password combination. Connections are closed if the server is full or the system is configured to deny logins.

February 25, 2008: Development release Bftpd-2.1.2

This update introduces a few small, handy features to bftpd. The first is that bftpd prompts for a password, even if the user is logging in as anonymous. This is to increase compatibility with various web browsers that expect the prompt.

The second change is that the User's MOTD variable in bftpd's config file can use two symbols (%u and %h) to represent the user's username and home directory.

A new option was added to the config file called SHOW_NONREADABLE_FILES which toggles whether files which cannot be read are listed to the client.

Some work was done to make bftpd's string handling more secure, specifically in the replace() function.

Many thanks to Eric Woltermann who provided patches and much assistance in driving this release forward.
