initial commit of file from CVS for e-smith-proftpd on Wed 12 Jul 09:05:44 BST 2023

This commit is contained in:
Brian Read
2023-07-12 09:05:44 +01:00
parent 9f1a450709
commit ced40fe923
81 changed files with 2005 additions and 2 deletions


@@ -0,0 +1 @@
private


@@ -0,0 +1 @@
21


@@ -0,0 +1 @@
on


@@ -0,0 +1 @@
on


@@ -0,0 +1 @@
off


@@ -0,0 +1 @@
private


@@ -0,0 +1 @@
disabled


@@ -0,0 +1 @@
service


@@ -0,0 +1,27 @@
{
my $ftp = $DB->get('ftp');
return unless defined $ftp;
my $access = $ftp->prop('accessLimits');
return unless defined $access; # New or already migrated server
my $login = $ftp->prop('access') || 'private';
my $status = $ftp->prop('status') || 'disabled';
if ($access eq "normal")
{
$status = 'enabled';
$access = 'public';
}
if ($access eq "off")
{
$status = 'disabled';
$access = 'private';
}
$ftp->delete_prop('accessLimits');
$ftp->merge_props(
LoginAccess => $login,
access => $access,
status => $status,
);
}
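Review bot: An `accessLimits` value other than `normal` or `off` is written unchanged into the `access` property on line 73, so a record carrying any third legacy value ends up with an `access` string that the rest of this commit never tests for (line 94 treats anything that is not `private` as readable, line 632 treats anything that is not `public` as deny). Consider a final `else { $access = $login; }` after the two `if` blocks so an unknown value falls back to the existing `access` setting rather than leaking the legacy string through. If the legacy property only ever held `normal` and `off`, a comment such as `# accessLimits was only ever "normal" or "off"; anything else is passed through` would settle it for the next reader.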


@@ -0,0 +1,4 @@
MORE_DATA={ACCOUNTS_DENY_ALLOW_PUBLIC => 1}
TEMPLATE_PATH="/etc/e-smith/pam/accounts.deny"
OUTPUT_FILENAME="/etc/ftpusers"
PERMS=0644


@@ -0,0 +1 @@
PERMS=0640


@@ -0,0 +1,2 @@
PERMS=use esmith::ConfigDB; (esmith::ConfigDB->open_ro->get('ftp')->prop('access') eq "private") ? "000" : "0644"
FILTER=sub { $_[0] =~ /^#/ ? '' : $_[0] } # Remove comments
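Review bot: The fallback branch of the ternary on line 94 is the permissive one: if the `ftp` record has no `access` property the comparison is false and the file is written 0644, whereas the sibling metadata on line 100 falls back to 0000 when `status` is unset. Inverting the test makes the unknown case restrictive: `PERMS=use esmith::ConfigDB; (esmith::ConfigDB->open_ro->get('ftp')->prop('access') eq "public") ? "0644" : "0000"`, which also removes the `"000"`/`"0000"` inconsistency between the two files. Whether a missing `ftp` record (and the resulting `->prop` call on undef) is caught by the template engine cannot be seen from here; if it is not, the expression should guard `get('ftp')` before dereferencing it.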


@@ -0,0 +1,2 @@
PERMS=use esmith::ConfigDB; (esmith::ConfigDB->open_ro->get('ftp')->prop('status') eq "enabled") ? "0644" : "0000"
FILTER=sub { $_[0] =~ /^#/ ? '' : $_[0] } # Remove comments


@@ -0,0 +1,6 @@
/var/log/proftpd/*.log \{
compress
missingok
\}


@@ -0,0 +1,4 @@
/var/log/xferlog \{
compress
missingok
\}


@@ -0,0 +1 @@
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
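Review bot: `onerr=succeed` on line 122 makes the deny list fail open: if `/etc/ftpusers` is missing or unreadable when the module runs, pam_listfile returns success and a listed user is not rejected. Because the file is generated by the template whose metadata appears on lines 81-84, a failed or not-yet-run expansion would silently lift every ban; `onerr=fail` would make a broken deny list refuse logins instead, which is the safer behaviour for an access-control list. If fail-open is intentional (for instance so a first boot before template expansion still allows the admin in), a comment in the template stating that would help.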


@@ -0,0 +1,3 @@
auth { -f "/lib/security/pam_pwdb.so" ||
-f "/lib64/security/pam_pwdb.so" ? "required pam_stack.so service=system-auth" :
"include system-auth" }


@@ -0,0 +1,3 @@
account { -f "/lib/security/pam_pwdb.so" ||
-f "/lib64/security/pam_pwdb.so" ? "required pam_stack.so service=system-auth" :
"include system-auth" }


@@ -0,0 +1,3 @@
session { -f "/lib/security/pam_pwdb.so" ||
-f "/lib64/security/pam_pwdb.so" ? "required pam_stack.so service=system-auth" :
"include system-auth" }


@@ -0,0 +1 @@
/etc/e-smith/templates-default/template-begin-pam


@@ -0,0 +1,42 @@
{
#------------------------------------------------------------
# FILE ACCESS PERMISSIONS RULES
#
# - There are three types of user that can connect to the ftp
# server: regular users, "admin", and information bay users.
#
# - When "information bay" users connect, their permissions are
# set by the Anonymous sections below.
#
# - All other users are governed by the permissions declared in
# this main section of the proftpd.conf file.
#
# - The main section permits access only from the local network.
# Hence, only the anonymous information bays can be accessed
# remotely.
#
# - Regular users as well as the "admin" account can connect
# locally, and the ftp server will switch to their user/group
# immediately upon connection. Therefore we program the FTP
# server to permit write access to all these users; the Unix
# filesystem will sort out who gets to update which files.
#
# - All Unix accounts have the same primary group name as user
# name (normal for Red Hat Linux). However, all user accounts
# also belong to group "shared".
#
# - Files in user accounts are owned by "user/user" (i.e. group
# name same as user).
#
# - For all the other files (primary web site, information bay
# files, etc.) either they can only be written by "admin" or
# they can be written by any local user. If the former, we
# make the files owned by "admin/shared", with permissions
# 750/640. If the latter, we make the files owned by
# ???/shared, with permissions 770/660. Each file is owned
# by the user that created it.
#
# - Make all directories setgid, so that they continue to be
# owned by "shared".
#------------------------------------------------------------
}
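Review bot: The comment on lines 166-168 says the main section permits access only from the local network, but the `<Limit LOGIN>` fragment later in this commit (lines 401-418) emits `AllowAll` when `$ftp{LoginAccess}` is `public`, so the statement only holds for the default `private` setting. Suggest `# - The main section permits access only from the local network unless LoginAccess is set to "public"; with the default setting, only the anonymous information bays can be accessed remotely.` so the header does not contradict the generated configuration.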


@@ -0,0 +1,9 @@
{
# Work out local access specification
use esmith::NetworksDB;
my $ndb = esmith::NetworksDB->open_ro();
@local_access = $ndb->local_access_spec;
return "";
}
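Review bot: `@local_access` on line 203 is assigned without a declaration, which makes it a package global that the later fragments on lines 414 and 524 read; nothing in either consumer says where the list comes from, and only the fragment sort order (file names are not visible here) guarantees it is populated first. A comment on line 203 such as `# package global: consumed by the <Limit LOGIN> and ibay <Anonymous> fragments, so this fragment must sort before them` would make the dependency explicit. Declaring it as `our @local_access = $ndb->local_access_spec;` would keep the fragment working if the template package is ever expanded under `use strict`.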


@@ -0,0 +1,2 @@
AllowRetrieveRestart on
AllowStoreRestart on


@@ -0,0 +1,25 @@
{
use esmith::AccountsDB;
$OUT = "";
my $accounts = esmith::AccountsDB->open;
my @users = $accounts->users;
foreach my $user (@users)
{
my $chrootDir = $user->prop('ChrootDir') || $ftp{'ChrootDir'} || next;
if ( $chrootDir =~ m#^/# && -d $chrootDir )
{
$OUT .= "DefaultRoot $chrootDir ".$user->key."\n";
}
elsif ( -d "/home/e-smith/files/ibays/$chrootDir" )
{
$OUT .= "DefaultRoot /home/e-smith/files/ibays/$chrootDir ".$user->key."\n";
}
elsif ( $chrootDir =~ m#home$# )
{
$OUT .= "DefaultRoot /home/e-smith/files/users/".$user->key."/home ".$user->key."\n";
}
}
}
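Review bot: A user whose `ChrootDir` is set but matches none of the three branches (not an existing absolute path, not an ibay name, not ending in `home`) gets no `DefaultRoot` line and silently inherits the global `DefaultRoot /home/e-smith/files` added on line 242, which is wider than anything this fragment would have emitted. An `else` branch that surfaces the fallback, e.g. `else { warn "ChrootDir '$chrootDir' for " . $user->key . " matched no rule; global DefaultRoot applies\n"; }`, would make the misconfiguration visible at expansion time rather than only in the resulting access. Separately, line 219 opens the accounts DB read-write with `open` although the loop only reads; `esmith::AccountsDB->open_ro` matches the other fragments (lines 450 and 523), and the same applies to `esmith::NetworksDB->open` on line 613.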


@@ -0,0 +1 @@
DefaultRoot /home/e-smith/files


@@ -0,0 +1 @@
DefaultServer on


@@ -0,0 +1 @@
DenyFilter \*.*/


@@ -0,0 +1 @@
DisplayChdir .message


@@ -0,0 +1 @@
DisplayLogin welcome.msg


@@ -0,0 +1 @@
Group public


@@ -0,0 +1 @@
IdentLookups off


@@ -0,0 +1 @@
MaxInstances 30


@@ -0,0 +1 @@
PersistentPasswd off


@@ -0,0 +1 @@
ScoreboardFile /var/run/proftpd/scoreboard


@@ -0,0 +1 @@
ServerAdmin admin@{ $DomainName }


@@ -0,0 +1 @@
ServerIdent off


@@ -0,0 +1 @@
ServerName "ProFTPD SME Server installation"


@@ -0,0 +1 @@
ServerType inetd


@@ -0,0 +1 @@
ShowSymlinks off


@@ -0,0 +1 @@
UseFtpUsers on


@@ -0,0 +1 @@
UseReverseDNS off


@@ -0,0 +1 @@
User public


@@ -0,0 +1 @@
Port 21


@@ -0,0 +1,41 @@
{
#check if TLS is enabled
if (($ftp{TLSEnable} || 'on') eq 'on') {
#check if TLS is required: values "on", "off"
#if "on" normal ftp connections are dropped
my $tlsrequired = $ftp{'TLSRequired'} || "on";
my $tlsclient = $ftp{'TLSVerifyClient'} || "off";
#use the same crt and key of httpd
my $defaultcrt = "/home/e-smith/ssl.crt/${SystemName}.${DomainName}.crt";
my $defaultkey = "/home/e-smith/ssl.key/${SystemName}.${DomainName}.key";
my $crt = $modSSL{'crt'} || $defaultcrt;
$crt = $defaultcrt unless -e $crt;
my $key = $modSSL{'key'} || $defaultkey;
$key = $defaultkey unless -e $key;
my $chain_file = $modSSL{CertificateChainFile} ||
"# no chain cert";
$chain_file = "# no chain cert" unless -e $chain_file;
$chain_file = ( $chain_file eq "# no chain cert" )? $chain_file : "TLSCertificateChainFile $chain_file";
$OUT .= <<SSL_END;
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.1 TLSv1.2
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile $crt
TLSRSACertificateKeyFile $key
$chain_file
TLSVerifyClient $tlsclient
TLSRequired $tlsrequired
</IfModule>
SSL_END
}
}
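Review bot: `TLSProtocol TLSv1.1 TLSv1.2` on line 359 still offers TLS 1.1, which is deprecated by RFC 8996, and `AllowClientRenegotiations` on line 360 re-enables client-initiated renegotiation that mod_tls otherwise refuses because of the renegotiation attacks; `TLSProtocol TLSv1.2 TLSv1.3` (the 1.3 token only if the installed mod_tls accepts it) and dropping `AllowClientRenegotiations` unless a known legacy client needs it would be the safer baseline. Both values are hard-coded, so an administrator cannot tighten them without editing the template. The `# no chain cert` sentinel travels through three assignments on lines 351-354; `my $chain_file = ($modSSL{CertificateChainFile} && -e $modSSL{CertificateChainFile}) ? "TLSCertificateChainFile $modSSL{CertificateChainFile}" : "# no chain cert";` says the same thing in one line.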


@@ -0,0 +1 @@
<Directory /*>


@@ -0,0 +1,3 @@
<Limit WRITE>{ # deny all write access unless given explicitly }
DenyAll
</Limit>


@@ -0,0 +1,3 @@
<Limit SITE_CHMOD>{ # deny all chmod }
DenyAll
</Limit>


@@ -0,0 +1 @@
</Directory>


@@ -0,0 +1,22 @@
{
# allow normal user connections either only from local network,
# or from anywhere
}<Limit LOGIN>
{
my $access = $ftp{LoginAccess} || "private";
if ($access eq 'public')
{
$OUT = " AllowAll";
}
else
{
use Net::IPv4Addr qw(ipv4_parse);
$OUT = " Order Allow,Deny\n";
$OUT .= join "\n",
map { " Allow from " . join '/', ipv4_parse($_) }
@local_access;
$OUT .= "\n Deny from all";
}
}
</Limit>


@@ -0,0 +1,15 @@
{
# Local access to "home" subdirectory of user directories.
# (Don't set group, since files are in user's primary group. umask is
# 007 to generate permissions of 770/660.)
#
# NOTE: Users cannot write to their real home directory ~user as it
# is blocked by the default deny write
}
<Directory ~/home>
AllowOverwrite on
Umask 007
<Limit WRITE>
AllowAll
</Limit>
</Directory>


@@ -0,0 +1,42 @@
{
# Local access to bay directories. Note that in this context, we can
# ignore the public access rules associated with each bay, since this
# section of the config file applies only to local logins. We can also
# ignore the usepassword rules, since anonymous login is handled
# below.
use esmith::AccountsDB;
$OUT = "";
my $adb = esmith::AccountsDB->open_ro();
foreach my $ibay ($adb->ibays)
{
my %properties = $ibay->props;
my $key = $ibay->key;
my $umask = "027";
if ($properties{'UserAccess'} eq 'wr-admin-rd-group')
{
$umask = "027";
}
elsif ($properties{'UserAccess'} eq 'wr-group-rd-group')
{
$umask = "007";
}
elsif ($properties{'UserAccess'} eq 'wr-group-rd-everyone')
{
$umask = "002";
}
$OUT .= "\n";
$OUT .= "<Directory /home/e-smith/files/ibays/$key/*>\n";
$OUT .= " AllowOverwrite on\n";
$OUT .= " GroupOwner shared\n";
$OUT .= " Umask $umask\n";
$OUT .= " <Limit WRITE>\n";
$OUT .= " AllowAll\n";
$OUT .= " </Limit>\n";
$OUT .= "</Directory>\n";
}
}
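Review bot: The `if`/`elsif` chain on lines 456-467 repeats the default (`027`) in its first branch and warns about an uninitialised value for any ibay without a `UserAccess` property; a lookup table expresses the mapping more directly: `my %umask_for = ('wr-admin-rd-group' => '027', 'wr-group-rd-group' => '007', 'wr-group-rd-everyone' => '002');` followed by `my $umask = $umask_for{ $properties{UserAccess} // '' } // '027';` (the `//` form needs Perl 5.10 or later, which I assume the template engine has). The whole `%properties` hash is copied on line 453 although only `UserAccess` is read; `$ibay->prop('UserAccess')` would do. The restrictive default for an unknown value is the right choice and worth keeping.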


@@ -0,0 +1,29 @@
{
#------------------------------------------------------------
# How to handle anonymous FTP logins: chroot to the Primary
# i-bay files directory.
#------------------------------------------------------------
return "" if ($ftp{DisableAnonymous} || 'no') eq 'yes';
$OUT = << 'EOF';
<Anonymous /home/e-smith/files/ibays/Primary/files>
User public
Group public
UserAlias anonymous public
UserAlias ftp public
AnonRequirePassword off
UseFtpUsers on
MaxClients 10
DisplayLogin welcome.msg
DisplayChdir .message
<Limit LOGIN>
AllowAll
</Limit>
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
EOF
}
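Review bot: The Primary bay's anonymous block allows LOGIN from every address (`AllowAll` on lines 500-502) without consulting the bay's `PublicAccess` property, unlike the other bays, whose anonymous blocks (lines 526-588) derive their `<Limit LOGIN>` from `PublicAccess` and explicitly `next` past Primary on line 530; the only guard here is the global `DisableAnonymous` on line 488. If Primary is meant to be world-readable regardless of its own setting (plausible, since it holds the default web content), say so in the header comment, e.g. `# Primary is always readable anonymously; its PublicAccess property is deliberately not consulted here.`; otherwise it should go through the same per-bay logic as the other bays.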


@@ -0,0 +1,84 @@
{
#------------------------------------------------------------
# How to handle logins from information bay accounts: chroot to the
# files part of the information bay directory.
#------------------------------------------------------------
use esmith::AccountsDB;
use Net::IPv4Addr qw(ipv4_parse);
$OUT .= "";
my $adb = esmith::AccountsDB->open_ro();
my @local = map { join '/', ipv4_parse($_) } @local_access;
my @all = ('all');
foreach my $ibay ($adb->ibays)
{
my $key = $ibay->key;
my %properties = $ibay->props;
next if ($key eq "Primary");
my $pass;
my $access = $ibay->prop('PublicAccess') || 'none';
if ($access eq 'none')
{
@allow = ('127.0.0.1');
$pass = 1;
}
elsif ($access eq 'local')
{
@allow = @local;
$pass = 0;
}
elsif ($access eq 'local-pw')
{
@allow = @local;
$pass = 1;
}
elsif ($access eq 'global')
{
@allow = @all;
$pass = 0;
}
elsif ($access eq 'global-pw')
{
@allow = @all;
$pass = 1;
}
elsif ($access eq 'global-pw-remote')
{
@allow = @all;
$pass = 1;
}
# variables: $allow (IP), $pass (bool)
if ( ($ftp{DisableAnonymous} || 'no') ne 'yes' &&
($ibay->prop('DisableAnonymous') || 'no') ne 'yes' )
{
$OUT .= "\n";
$OUT .= "<Anonymous /home/e-smith/files/ibays/$key/files>\n";
$OUT .= " User $key\n";
$OUT .= " Group $key\n";
$OUT .= " AnonRequirePassword " . ($pass ? "on" : "off") . "\n";
$OUT .= " UseFtpUsers on\n";
$OUT .= " MaxClients 10\n";
$OUT .= " DisplayLogin welcome.msg\n";
$OUT .= " DisplayChdir .message\n";
$OUT .= " <Limit LOGIN>\n";
$OUT .= " Order Allow,Deny\n";
$OUT .= " Allow from $_\n" foreach @allow;
$OUT .= " Deny from all\n";
$OUT .= " </Limit>\n";
$OUT .= " <Directory *>\n";
$OUT .= " <Limit WRITE>\n";
$OUT .= " DenyAll\n";
$OUT .= " </Limit>\n";
$OUT .= " </Directory>\n";
$OUT .= "</Anonymous>\n";
}
}
}
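Review bot: `@allow` is a package global that is never reset inside the loop, so an ibay whose `PublicAccess` value matches none of the six branches on lines 533-562 keeps the previous bay's allow list while `$pass` stays undef and is rendered as `AnonRequirePassword off` on line 571 — an unrecognised value inherits another bay's exposure with the password requirement dropped. Initialise both per iteration with a fail-closed default by replacing `my $pass;` on line 531 with `my @allow = ('127.0.0.1');` and `my $pass = 1;`, so only an explicitly recognised value widens access. Lines 553-562 treat `global-pw` and `global-pw-remote` identically; if that is intentional a one-line comment saying why would help. The `$OUT .= "";` on line 522 is a no-op and can go.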


@@ -0,0 +1,6 @@
#proftpd
if $programname == 'proftpd' and $syslogfacility-text == 'authpriv' then /var/log/secure
:programname, isequal, "proftpd" /var/log/proftpd/proftpd.log
& stop


@@ -0,0 +1,2 @@
127.0.0.1:allow
{ $LocalIP }:allow


@@ -0,0 +1,22 @@
{
use esmith::util;
my @prefixes = esmith::util::computeAllLocalNetworkPrefixes($LocalIP,
$LocalNetmask);
require esmith::NetworksDB;
my $n = esmith::NetworksDB->open;
foreach my $network ($n->get_all_by_prop(type => 'network'))
{
push(@prefixes,
esmith::util::computeAllLocalNetworkPrefixes(
$network->key, $network->prop('Mask')));
}
foreach my $prefix ( @prefixes )
{
my $dot = ( $prefix =~ /\d+\.\d+\.\d+\.\d+/ ) ? '' : '.';
$OUT .= $prefix . $dot . ":allow\n";
}
}


@@ -0,0 +1,4 @@
:{
my $access = $ftp{'access'} || 'private';
$OUT = ($access eq "public") ? "allow" : "deny"
}