From 4be10f2b17205a5219f7802e5267de80c8804c70 Mon Sep 17 00:00:00 2001 
From: Jean-Philippe Pialasse Date: Sun, 16 Feb 2025 02:09:38 -0500 Subject: [PATCH] * Sat Feb 15 2025 Jean-Philippe Pialasse 11.0.0-7.sme - disable anonymous by default [SME: 931] - add passive port [SME: 12454] - TLSv1.3 filtered out as not supported by 1.3.6 branch [SME: 12925] - fix wrong group defined for ibays [SME: 7914] - drop runit for full systemd service unit [SME: 12874] --- README.md | 25 ++++++++++--- createlinks | 9 +++-- .../db/configuration/defaults/ftp/TCPPorts | 1 + .../templates/etc/proftpd.conf/05portPassive | 6 ++++ .../templates/etc/proftpd.conf/06ModTLS | 9 +++-- .../templates/etc/proftpd.conf/40IBayAccess | 2 +- .../etc/proftpd.conf/50AnonymousPrimary | 2 +- .../etc/proftpd.conf/60AnonymousIBay | 4 +-- .../ftp.service.d/50koozali.conf/40service | 10 ++++++ .../1 => sbin/e-smith/systemd/ftp-tcpsvd} | 0 root/service/ftp | 1 - root/usr/lib/systemd/system/ftp.service | 22 +++++++++--- .../systemd/system/ftp.service.d}/.gitignore | 0 root/var/service/proftpd/down | 0 root/var/service/proftpd/log/run | 23 ------------ .../service/proftpd/log/supervise/.gitignore | 0 root/var/service/proftpd/run | 36 ------------------- root/var/service/proftpd/supervise/.gitignore | 0 smeserver-proftpd.spec | 21 ++++++----- 19 files changed, 81 insertions(+), 90 deletions(-) create mode 100644 root/etc/e-smith/db/configuration/defaults/ftp/TCPPorts create mode 100644 root/etc/e-smith/templates/etc/proftpd.conf/05portPassive create mode 100644 root/etc/e-smith/templates/usr/lib/systemd/system/ftp.service.d/50koozali.conf/40service rename root/{var/service/proftpd/control/1 => sbin/e-smith/systemd/ftp-tcpsvd} (100%) delete mode 120000 root/service/ftp rename root/{var/service/proftpd/env => usr/lib/systemd/system/ftp.service.d}/.gitignore (100%) delete mode 100644 root/var/service/proftpd/down delete mode 100644 root/var/service/proftpd/log/run delete mode 100644 root/var/service/proftpd/log/supervise/.gitignore delete mode 100644 root/var/service/proftpd/run delete 
mode 100644 root/var/service/proftpd/supervise/.gitignore diff --git a/README.md b/README.md index 34cde23..4c41dfc 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ SMEServer Koozali developed git repo for smeserver-proftpd smeserver ## Wiki -
https://wiki.koozali.org/ +
https://wiki.koozali.org/ftp ## Bugzilla Show list of outstanding bugs: @@ -18,8 +18,23 @@ And a list of outstanding Legacy bugs: (e-smith-proftpd) [here](https://bugs.koo ## Description -
*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.* -*Once it has been checked, then this comment will be deleted* -
- smeserver-Proftpd is an open source software package that allows users to easily set up an FTP server on their Linux or Unix-based system. It is a part of the smeserver software family, which consists of a number of professional tools for system administrators. The package provides a secure and reliable way to transfer files over the internet. It provides a wide range of features, such as virtual hosting, bandwidth throttling, file transfer logging, and support for stand-alone or inetd/xinetd operations. It is a powerful and versatile tool, and is ideal for those who want to manage and share files from their own web server. + +## Configuration +db show ftp +- CipherSuite= $modSSL{CipherSuite} || $smeCiphers; +- DisableAnonymous=yes (was no as default before SME11) +- LoginAccess=private +- TCPPorts=49200:49999 +- TCPPort=21 +- TLSEnable=on +- TLSRequired=on +- TLSVerifyClient=off +- access=private +- status=disabled + +db accounts +- ibay{'DisableAnonymous'}=no +- ibay{'UserAccess'} +- ibay{'PublicAccess'}= 'none'; +- user{ChrootDir'}|| $ftp{'ChrootDir'} || disabled; diff --git a/createlinks b/createlinks index 2b71fb8..0afbf6c 100755 --- a/createlinks +++ b/createlinks @@ -2,8 +2,6 @@ use esmith::Build::CreateLinks qw(:all); -safe_symlink("proftpd", "root/var/service/ftp"); - templates2events("/etc/logrotate.d/proftpd", qw( bootstrap-console-save smeserver-proftpd-update @@ -41,6 +39,13 @@ templates2events("/etc/proftpd.conf", qw( ssl-update )); +templates2events("/usr/lib/systemd/system/ftp.service.d/50koozali.conf", qw( + bootstrap-console-save + smeserver-proftpd-update + ssl-update + )); + + foreach my $event (qw( remoteaccess-update)) { diff --git a/root/etc/e-smith/db/configuration/defaults/ftp/TCPPorts b/root/etc/e-smith/db/configuration/defaults/ftp/TCPPorts new file mode 100644 index 0000000..725c2c2 --- /dev/null +++ b/root/etc/e-smith/db/configuration/defaults/ftp/TCPPorts @@ -0,0 +1 @@ +49200:49999 
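Review bot: The new templates2events entry expands the ftp.service.d/50koozali.conf drop-in on bootstrap-console-save, smeserver-proftpd-update and ssl-update, but nothing in this hunk runs `systemctl daemon-reload` afterwards, so systemd keeps the previous Environment= values until something else reloads it; if the project's event framework does not already carry a daemon-reload action for these events, one should be added alongside this entry. The drop-in embeds the ftp Instances, InstancesPerIP and TCPPort values, which presumably can change outside these three events (the `remoteaccess-update` loop that follows this hunk is one candidate), so consider registering the template there as well. Listing ssl-update looks unnecessary since the drop-in reads no TLS setting, though it is harmless.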
diff --git a/root/etc/e-smith/templates/etc/proftpd.conf/05portPassive b/root/etc/e-smith/templates/etc/proftpd.conf/05portPassive new file mode 100644 index 0000000..4a3faf5 --- /dev/null +++ b/root/etc/e-smith/templates/etc/proftpd.conf/05portPassive @@ -0,0 +1,6 @@ +{ +my $PassivePorts=$ftp{TCPPorts}||'49200:49999"'; +$PassivePorts=~ s/:/ /; +$PassivePorts="49200 49999" if (index(',', $PassivePorts) != -1); +$OUT= "PassivePorts $PassivePorts\n"; +} diff --git a/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS b/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS index 9aa27b6..d6c56d9 100644 --- a/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS +++ b/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS @@ -1,5 +1,5 @@ { - use esmith::ssl; + use esmith::ssl; #check if TLS is enabled if (($ftp{TLSEnable} || 'on') eq 'on') { @@ -21,7 +21,10 @@ $chain_file = "# no chain cert" unless -e $chain_file; $chain_file = ( $chain_file eq "# no chain cert" )? $chain_file : "TLSCertificateChainFile $chain_file"; - my $ciphers = $modSSL{CipherSuite} || $ftp{CipherSuite} || $smeCiphers; + my $ciphers = $ftp{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers; + #SME11 proftpd 1.3.6 branch does not support TLS v1.3 + $smeSSLprotocol =~ s/TLSv1.3//; + # NoSessionReuseRequired is required with newer clients and TLS to be bale to list folder $OUT .= < @@ -29,7 +32,7 @@ TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol $smeSSLprotocol TLSCipherSuite $ciphers -TLSOptions NoCertRequest AllowClientRenegotiations +TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired TLSRSACertificateFile $crt TLSRSACertificateKeyFile $key $chain_file diff --git a/root/etc/e-smith/templates/etc/proftpd.conf/40IBayAccess b/root/etc/e-smith/templates/etc/proftpd.conf/40IBayAccess index b7c7240..3a97d63 100644 --- a/root/etc/e-smith/templates/etc/proftpd.conf/40IBayAccess +++ b/root/etc/e-smith/templates/etc/proftpd.conf/40IBayAccess 
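Review bot: Two bugs in the new 05portPassive template: the fallback literal `'49200:49999"'` carries a stray double quote, so a host without ftp TCPPorts would get `PassivePorts 49200 49999"` and proftpd would reject the directive, and `index(',', $PassivePorts)` has its arguments reversed (index takes the string first, then the substring), so the comma guard never fires and a comma-separated value is emitted unchanged. The `s/:/ /` also rewrites only the first colon, so a value such as `1:2:3` passes straight through. One anchored match replaces all three lines: `my $PassivePorts = $ftp{TCPPorts} || '49200:49999';` followed by `$PassivePorts = ($PassivePorts =~ /^(\d+):(\d+)$/) ? "$1 $2" : "49200 49999";`, which falls back to the default for anything that is not exactly low:high. The TCPPorts default file added in this commit normally supplies the value, so the fallback is only reached when that key has been removed.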
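Review bot: `$smeSSLprotocol =~ s/TLSv1.3//;` uses an unescaped dot and leaves the surrounding whitespace behind, so `TLSv1.2 TLSv1.3` becomes `TLSv1.2 ` and a mid-list entry produces a doubled space in the TLSProtocol line; `$smeSSLprotocol =~ s/\s*\bTLSv1\.3\b//;` removes the token cleanly. The substitution also mutates the shared `$smeSSLprotocol` rather than a local copy, so any later fragment of proftpd.conf that reads it sees the filtered list — presumably intended, but `my $protocol = $smeSSLprotocol =~ s/\s*\bTLSv1\.3\b//r;` would make that explicit. The new comment has a typo (`bale` → `able`) and should say why `NoSessionReuseRequired` is a trade-off: mod_tls by default insists that data connections reuse the control connection's TLS session, which ties the data channel to the authenticated control channel, and this option relaxes that check for clients that cannot resume sessions; recording that in the comment keeps the next maintainer from tightening or loosening it blindly. The TLSOptions line itself is changed in the following hunk of this file.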
@@ -32,7 +32,7 @@ $OUT .= "\n"; $OUT .= "\n"; $OUT .= " AllowOverwrite on\n"; - $OUT .= " GroupOwner shared\n"; + $OUT .= " GroupOwner ".$properties{'Group'}."\n"; $OUT .= " Umask $umask\n"; $OUT .= " \n"; $OUT .= " AllowAll\n"; diff --git a/root/etc/e-smith/templates/etc/proftpd.conf/50AnonymousPrimary b/root/etc/e-smith/templates/etc/proftpd.conf/50AnonymousPrimary index 0755357..30f1831 100644 --- a/root/etc/e-smith/templates/etc/proftpd.conf/50AnonymousPrimary +++ b/root/etc/e-smith/templates/etc/proftpd.conf/50AnonymousPrimary @@ -3,7 +3,7 @@ # How to handle anonymous FTP logins: chroot to the Primary # i-bay files directory. #------------------------------------------------------------ - return "" if ($ftp{DisableAnonymous} || 'no') eq 'yes'; + return "" if ($ftp{DisableAnonymous} || 'yes') eq 'yes'; $OUT = << 'EOF'; diff --git a/root/etc/e-smith/templates/etc/proftpd.conf/60AnonymousIBay b/root/etc/e-smith/templates/etc/proftpd.conf/60AnonymousIBay index 68bb2ca..99a0a36 100644 --- a/root/etc/e-smith/templates/etc/proftpd.conf/60AnonymousIBay +++ b/root/etc/e-smith/templates/etc/proftpd.conf/60AnonymousIBay @@ -3,6 +3,7 @@ # How to handle logins from information bay accounts: chroot to the # files part of the information bay directory. #------------------------------------------------------------ + return "# Anonymous access disabled by default" unless(( $ftp{DisableAnonymous} || "yes") eq "yes"); use esmith::AccountsDB; use Net::IPv4Addr qw(ipv4_parse); @@ -56,8 +57,7 @@ # variables: $allow (IP), $pass (bool) - if ( ($ftp{DisableAnonymous} || 'no') ne 'yes' && - ($ibay->prop('DisableAnonymous') || 'no') ne 'yes' ) + if ( ($ibay->prop('DisableAnonymous') || 'no') ne 'yes' ) { $OUT .= "\n"; $OUT .= "\n"; diff --git a/root/etc/e-smith/templates/usr/lib/systemd/system/ftp.service.d/50koozali.conf/40service b/root/etc/e-smith/templates/usr/lib/systemd/system/ftp.service.d/50koozali.conf/40service new file mode 100644 index 0000000..ed36ee4 --- /dev/null 
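Review bot: `GroupOwner ".$properties{'Group'}."\n"` assumes `%properties` already holds the ibay's group earlier in this template (the enclosing loop starts and ends outside the hunk); if the key is missing or empty the template emits `GroupOwner ` with no argument, and proftpd rejects a directive with a missing argument at startup, which takes FTP down for every ibay. Guard the line so a missing group is skipped rather than emitted, `$OUT .= " GroupOwner $properties{'Group'}\n" if $properties{'Group'};`, or, if a group is mandatory here, fail loudly at template time with a `die` that names the ibay.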
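Review bot: The new early return is inverted: `return ... unless (($ftp{DisableAnonymous} || "yes") eq "yes")` lets the fragment continue when DisableAnonymous is `yes` (now the default) and bails out only when it is `no`, and the second hunk of this file drops the `$ftp{DisableAnonymous}` test from the per-ibay `if`, so anonymous ibay sections are generated exactly when anonymous access is supposed to be disabled and suppressed when the admin enables it. Change the modifier to `if`: `return "# Anonymous access disabled by default" if (($ftp{DisableAnonymous} || "yes") eq "yes");`. With that fix the simplified per-ibay condition in the later hunk is correct, since the global switch has already been handled at the top.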
+++ b/root/etc/e-smith/templates/usr/lib/systemd/system/ftp.service.d/50koozali.conf/40service @@ -0,0 +1,10 @@ +[Service] +Environment= +Environment={ +$OUT = "CONCURRENCYREMOTE=". ($ftp{Instances} || "40"); +$OUT .= " PER_IP_INSTANCES=". ($ftp{InstancesPerIP} || "4"); +$OUT .= " LOCALNAME=$SystemName.$DomainName"; +$OUT .= " LISTENIP=0"; +$OUT .= " PORT=". ($ftp{TCPPort} || "21"); +} + diff --git a/root/var/service/proftpd/control/1 b/root/sbin/e-smith/systemd/ftp-tcpsvd similarity index 100% rename from root/var/service/proftpd/control/1 rename to root/sbin/e-smith/systemd/ftp-tcpsvd diff --git a/root/service/ftp b/root/service/ftp deleted file mode 120000 index a6f38e3..0000000 --- a/root/service/ftp +++ /dev/null @@ -1 +0,0 @@ -/var/service/proftpd \ No newline at end of file diff --git a/root/usr/lib/systemd/system/ftp.service b/root/usr/lib/systemd/system/ftp.service index 3b1d24e..490a57f 100644 --- a/root/usr/lib/systemd/system/ftp.service +++ b/root/usr/lib/systemd/system/ftp.service @@ -4,12 +4,24 @@ After=network.target Requires=runit.service [Service] -Type=oneshot +Type=simple +SyslogIdentifier=proftpd +Environment=CONCURRENCYREMOTE=40 PER_IP_INSTANCES=4 LOCALNAME=0 LISTENIP=0 PORT=ftp +WorkingDirectory=/var/service/proftpd/ ExecStartPre=/sbin/e-smith/service-status ftp -ExecStart=/usr/bin/sv u /service/ftp -ExecStop=/usr/bin/sv stop /service/ftp -ExecReload=/usr/bin/sv t /service/ftp -RemainAfterExit=yes +ExecStartPre=/sbin/e-smith/systemd/ftp-tcpsvd +ExecStart=/usr/bin/tcpsvd \ + -v \ + -i ./peers \ + -c $CONCURRENCYREMOTE \ + -C ${PER_IP_INSTANCES}:'421 per host concurrency limit reached\r\n' \ + -l $LOCALNAME \ + $LISTENIP \ + $PORT \ + /usr/sbin/in.proftpd +ExecReload=/bin/kill -HUP $MAINPID +Restart=always +RestartSec=20s [Install] WantedBy=sme-server.target 
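Review bot: The `$ftp{Instances}`, `$ftp{InstancesPerIP}` and `$ftp{TCPPort}` values are written into the `Environment=` line unvalidated; systemd splits that line on whitespace, so a DB value containing a space or quote becomes an extra assignment or breaks the unit, and a non-numeric value reaches tcpsvd's `-c`/`-C`/port arguments unchecked. These only need to be integers, so validate each before use, e.g. `my $max = ($ftp{Instances} // '') =~ /^\d+$/ ? $ftp{Instances} : 40;` and likewise for the other two, so a stray value falls back to the same defaults the base unit carries. `LISTENIP=0` is hard-coded here while the base unit also sets it; presumably intentional, but a one-line comment saying the drop-in always binds every interface would help.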
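Review bot: `Requires=runit.service` is still in the unit (visible as context at the top of the hunk) even though this commit removes the runit service directory and the `/service/ftp` symlink, so ftp.service now hard-depends on a service it no longer uses and is stopped whenever runit.service is; drop that line. `ExecReload=/bin/kill -HUP $MAINPID` signals tcpsvd, not proftpd, and I cannot confirm from the page that tcpsvd reloads anything on SIGHUP rather than exiting (which `Restart=always` would mask as a 20 s outage), so verify that against the tcpsvd in use or make reload a restart. The `-C ${PER_IP_INSTANCES}:'421 ...\r\n'` argument is now parsed by systemd's quoting rules instead of /bin/sh, so check the resulting argv with `systemctl show -p ExecStart ftp.service` to confirm the message and escapes arrive as they did from the old run script.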
diff --git a/root/var/service/proftpd/env/.gitignore b/root/usr/lib/systemd/system/ftp.service.d/.gitignore similarity index 100% rename from root/var/service/proftpd/env/.gitignore rename to root/usr/lib/systemd/system/ftp.service.d/.gitignore diff --git a/root/var/service/proftpd/down b/root/var/service/proftpd/down deleted file mode 100644 index e69de29..0000000 diff --git a/root/var/service/proftpd/log/run b/root/var/service/proftpd/log/run deleted file mode 100644 index 6280f76..0000000 --- a/root/var/service/proftpd/log/run +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh - -#---------------------------------------------------------------------- -# copyright (C) 2003-2006 Mitel Networks Corporation -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -#---------------------------------------------------------------------- -exec \ - /usr/bin/setuidgid smelog \ - /usr/bin/multilog t s5000000 \ - /var/log/ftp diff --git a/root/var/service/proftpd/log/supervise/.gitignore b/root/var/service/proftpd/log/supervise/.gitignore deleted file mode 100644 index e69de29..0000000 diff --git a/root/var/service/proftpd/run b/root/var/service/proftpd/run deleted file mode 100644 index 9d55c73..0000000 --- a/root/var/service/proftpd/run +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh -#---------------------------------------------------------------------- -# copyright (C) 2003-5 Mitel Networks Corporation -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# Technical support for this program is available from Mitel Networks -# Please visit our web site www.mitel.com/sme/ for details. -#---------------------------------------------------------------------- - -[ -f ./runenv ] && . ./runenv - -exec 2>&1 -# Adjust ACLs in ./peers -./control/1 -exec /usr/bin/tcpsvd \ - -v \ - -i ./peers \ - -c ${CONCURRENCYREMOTE:-40} \ - -C ${PER_IP_INSTANCES:-4}:'421 per host concurrency limit reached\r\n' \ - -l ${LOCALNAME:-0} \ - ${LISTENIP:-0} \ - ${PORT:-ftp} \ - /usr/sbin/in.proftpd diff --git a/root/var/service/proftpd/supervise/.gitignore b/root/var/service/proftpd/supervise/.gitignore deleted file mode 100644 index e69de29..0000000 diff --git a/smeserver-proftpd.spec b/smeserver-proftpd.spec index 902a513..daee28b 100644 --- a/smeserver-proftpd.spec +++ b/smeserver-proftpd.spec @@ -4,7 +4,7 @@ Summary: smeserver specific proftpd configuration files and templates %define name smeserver-proftpd Name: %{name} %define version 11.0.0 -%define release 6 +%define release 7 Version: %{version} Release: %{release}%{?dist} License: GPL 
@@ -26,6 +26,13 @@ Provides: e-smith-proftpd AutoReqProv: no %changelog +* Sat Feb 15 2025 Jean-Philippe Pialasse 11.0.0-7.sme +- disable anonymous by default [SME: 931] +- add passive port [SME: 12454] +- TLSv1.3 filtered out as not supported by 1.3.6 branch [SME: 12925] +- fix wrong group defined for ibays [SME: 7914] +- drop runit for full systemd service unit [SME: 12874] + * Sun Jan 26 2025 Jean-Philippe Pialasse 11.0.0-6.sme - adding requirement for deamontools bin [SME: 12566] @@ -630,14 +637,8 @@ rm -rf $RPM_BUILD_ROOT rm -f %{name}-%{version}-%{release}-filelist /sbin/e-smith/genfilelist $RPM_BUILD_ROOT \ --dir /var/service/proftpd 'attr(01755,root,root)' \ - --file /var/service/proftpd/down 'attr(0644,root,root)' \ - --file /var/service/proftpd/run 'attr(0755,root,root)' \ - --file /var/service/proftpd/control/1 'attr(0755,root,root)' \ - --dir /var/service/proftpd/log 'attr(0755,root,root)' \ - --dir /var/service/proftpd/log/supervise 'attr(0700,root,root)' \ - --dir /var/service/proftpd/supervise 'attr(0700,root,root)' \ - --file /var/service/proftpd/log/run 'attr(0755,root,root)' \ - --dir /var/log/ftp 'attr(2750,smelog,smelog)' \ + --dir /var/log/ftp 'attr(2750,root,root)' \ + --file /sbin/e-smith/systemd/ftp-tcpsvd 'attr(0554,root,root)' \ > %{name}-%{version}-%{release}-filelist echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist @@ -645,8 +646,6 @@ echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist rm -rf $RPM_BUILD_ROOT %pre -/sbin/e-smith/create-system-user smelog 1002 \ - 'sme log user' /var/log/smelog /bin/false %files -f %{name}-%{version}-%{release}-filelist %defattr(-,root,root)
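Review bot: `/var/log/ftp` is still packaged, now as `attr(2750,root,root)`, but with the multilog logger gone nothing in this diff writes there (tcpsvd's `-v` output goes to the journal under `SyslogIdentifier=proftpd`), so either drop the directory from the filelist or add a spec comment naming what still uses it; if it is kept for upgraded systems, note that the root-owned 2750 directory is no longer readable by the former smelog group. The `%pre` no longer creates the `smelog` user, which is fine for this package, but worth checking that no other package relied on this %pre, since upgrades keep the existing user and fresh installs will not have it. The removed `/var/service/proftpd/supervise` and `log/supervise` entries were populated by runit at runtime, so rpm will only remove those directories on upgrade if they are empty; a `%post` cleanup or a changelog note would avoid leftover state.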