* Sat Feb 15 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-7.sme

- disable anonymous by default [SME: 931]
- add passive port [SME: 12454]
- TLSv1.3 filtered out as not supported by 1.3.6 branch [SME: 12925]
- fix wrong group defined for ibays [SME: 7914]
- drop runit for full systemd service unit [SME: 12874]

root/etc/e-smith/db/configuration/defaults/ftp/TCPPorts

@@ -0,0 +1 @@
+49200:49999

root/etc/e-smith/templates/etc/proftpd.conf/05portPassive

@@ -0,0 +1,6 @@
+{
+my $PassivePorts=$ftp{TCPPorts}||'49200:49999"';
+$PassivePorts=~ s/:/ /;
+$PassivePorts="49200 49999" if (index(',', $PassivePorts) != -1);
+$OUT= "PassivePorts             $PassivePorts\n";
+}

root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS

@@ -1,5 +1,5 @@
 {
-    	  use esmith::ssl;
+        use esmith::ssl;
         #check if TLS is enabled
         if (($ftp{TLSEnable} || 'on') eq 'on') {
 
@@ -21,7 +21,10 @@
 	$chain_file = "# no chain cert" unless -e $chain_file;
         
         $chain_file = ( $chain_file eq "# no chain cert" )? $chain_file  : "TLSCertificateChainFile $chain_file";
-        my $ciphers = $modSSL{CipherSuite} || $ftp{CipherSuite} || $smeCiphers;
+        my $ciphers = $ftp{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers;
+        #SME11 proftpd 1.3.6 branch does not support TLS v1.3
+        $smeSSLprotocol =~ s/TLSv1.3//;
+        # NoSessionReuseRequired is required with newer clients and TLS to be bale to list folder
     	$OUT .= <<SSL_END;
 
 <IfModule mod_tls.c>
@@ -29,7 +32,7 @@ TLSEngine                  on
 TLSLog                     /var/log/proftpd/tls.log
 TLSProtocol                $smeSSLprotocol
 TLSCipherSuite						 $ciphers
-TLSOptions                 NoCertRequest AllowClientRenegotiations
+TLSOptions                 NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
 TLSRSACertificateFile      $crt
 TLSRSACertificateKeyFile   $key
 $chain_file

root/etc/e-smith/templates/etc/proftpd.conf/40IBayAccess

@@ -32,7 +32,7 @@
 	$OUT .= "\n";
 	$OUT .= "<Directory /home/e-smith/files/ibays/$key/*>\n";
 	$OUT .= "    AllowOverwrite on\n";
-	$OUT .= "    GroupOwner shared\n";
+	$OUT .= "    GroupOwner ".$properties{'Group'}."\n";
 	$OUT .= "    Umask $umask\n";
 	$OUT .= "    <Limit WRITE>\n";
 	$OUT .= "        AllowAll\n";

root/etc/e-smith/templates/etc/proftpd.conf/50AnonymousPrimary

@@ -3,7 +3,7 @@
 # How to handle anonymous FTP logins: chroot to the Primary
 # i-bay files directory.
 #------------------------------------------------------------
-	return "" if ($ftp{DisableAnonymous} || 'no') eq 'yes';
+	return "" if ($ftp{DisableAnonymous} || 'yes') eq 'yes';
 
 	$OUT = << 'EOF';
 <Anonymous /home/e-smith/files/ibays/Primary/files>

root/etc/e-smith/templates/etc/proftpd.conf/60AnonymousIBay

@@ -3,6 +3,7 @@
 # How to handle logins from information bay accounts: chroot to the
 # files part of the information bay directory.
 #------------------------------------------------------------
+    return "# Anonymous access disabled by default" unless(( $ftp{DisableAnonymous} || "yes") eq "yes");
 
     use esmith::AccountsDB;
     use Net::IPv4Addr qw(ipv4_parse);
@@ -56,8 +57,7 @@
 
 	# variables: $allow (IP), $pass (bool)
 
-	if ( ($ftp{DisableAnonymous} || 'no') ne 'yes' &&
-	     ($ibay->prop('DisableAnonymous') || 'no') ne 'yes' )
+	if ( ($ibay->prop('DisableAnonymous') || 'no') ne 'yes' )
 	{
 	    $OUT .= "\n";
 	    $OUT .= "<Anonymous /home/e-smith/files/ibays/$key/files>\n";

root/etc/e-smith/templates/usr/lib/systemd/system/ftp.service.d/50koozali.conf/40service

@@ -0,0 +1,10 @@
+[Service]
+Environment=
+Environment={
+$OUT  = "CONCURRENCYREMOTE=". ($ftp{Instances} || "40");
+$OUT .= " PER_IP_INSTANCES=". ($ftp{InstancesPerIP} || "4");
+$OUT .= " LOCALNAME=$SystemName.$DomainName";
+$OUT .= " LISTENIP=0";
+$OUT .= " PORT=". ($ftp{TCPPort} || "21");
+}
+

root/service/ftp

@@ -1 +0,0 @@
-/var/service/proftpd

root/usr/lib/systemd/system/ftp.service

@@ -4,12 +4,24 @@ After=network.target
 Requires=runit.service
 
 [Service]
-Type=oneshot
+Type=simple
+SyslogIdentifier=proftpd
+Environment=CONCURRENCYREMOTE=40 PER_IP_INSTANCES=4 LOCALNAME=0 LISTENIP=0 PORT=ftp
+WorkingDirectory=/var/service/proftpd/
 ExecStartPre=/sbin/e-smith/service-status ftp
-ExecStart=/usr/bin/sv u /service/ftp
-ExecStop=/usr/bin/sv stop /service/ftp
-ExecReload=/usr/bin/sv t /service/ftp
-RemainAfterExit=yes
+ExecStartPre=/sbin/e-smith/systemd/ftp-tcpsvd
+ExecStart=/usr/bin/tcpsvd \
+	-v \
+	-i ./peers \
+	-c $CONCURRENCYREMOTE \
+	-C ${PER_IP_INSTANCES}:'421 per host concurrency limit reached\r\n' \
+	-l $LOCALNAME \
+	$LISTENIP \
+	$PORT \
+	/usr/sbin/in.proftpd
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=20s
 
 [Install]
 WantedBy=sme-server.target

root/var/service/proftpd/log/run

@@ -1,23 +0,0 @@
-#!/bin/sh
-
-#----------------------------------------------------------------------
-# copyright (C) 2003-2006 Mitel Networks Corporation
-# 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-# 		
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 		
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
-#----------------------------------------------------------------------
-exec					\
-    /usr/bin/setuidgid smelog	\
-    /usr/bin/multilog t s5000000	\
-    /var/log/ftp

root/var/service/proftpd/run

@@ -1,36 +0,0 @@
-#!/bin/sh
-#----------------------------------------------------------------------
-# copyright (C) 2003-5 Mitel Networks Corporation
-# 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-# 		
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 		
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
-# 
-# Technical support for this program is available from Mitel Networks 
-# Please visit our web site www.mitel.com/sme/ for details.
-#----------------------------------------------------------------------
-
-[ -f ./runenv ] && . ./runenv
-
-exec 2>&1
-# Adjust ACLs in ./peers
-./control/1
-exec /usr/bin/tcpsvd \
-	-v \
-	-i ./peers \
-	-c ${CONCURRENCYREMOTE:-40} \
-	-C ${PER_IP_INSTANCES:-4}:'421 per host concurrency limit reached\r\n' \
-	-l ${LOCALNAME:-0} \
-	${LISTENIP:-0} \
-	${PORT:-ftp} \
-	/usr/sbin/in.proftpd