* Sat Feb 15 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-7.sme

- disable anonymous by default [SME: 931]
- add passive port [SME: 12454]
- TLSv1.3 filtered out as not supported by 1.3.6 branch [SME: 12925]
- fix wrong group defined for ibays [SME: 7914]
- drop runit for full systemd service unit [SME: 12874]
2025-02-16 02:09:38 -05:00
parent 3cbe389a9e
commit 4be10f2b17
19 changed files with 81 additions and 90 deletions


@@ -0,0 +1,6 @@
{
my $PassivePorts=$ftp{TCPPorts}||'49200:49999"';
$PassivePorts=~ s/:/ /;
$PassivePorts="49200 49999" if (index(',', $PassivePorts) != -1);
$OUT= "PassivePorts $PassivePorts\n";
}
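Review bot: The default on the first line carries a stray double quote (`'49200:49999"'`), and `index(',', $PassivePorts)` has its arguments reversed, so the comma fallback never fires and an unset `TCPPorts` renders `PassivePorts 49200 49999"` into the generated proftpd configuration. The passive range presumably has to match the ports the firewall opens, so a malformed db value should fall back to the default rather than pass through. I would write `my $PassivePorts = $ftp{TCPPorts} || '49200:49999';` and replace the index test with `$PassivePorts = "49200 49999" unless $PassivePorts =~ /\A\d+ \d+\z/;`.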


@@ -1,5 +1,5 @@
{
use esmith::ssl;
use esmith::ssl;
#check if TLS is enabled
if (($ftp{TLSEnable} || 'on') eq 'on') {
@@ -21,7 +21,10 @@
$chain_file = "# no chain cert" unless -e $chain_file;
$chain_file = ( $chain_file eq "# no chain cert" )? $chain_file : "TLSCertificateChainFile $chain_file";
my $ciphers = $modSSL{CipherSuite} || $ftp{CipherSuite} || $smeCiphers;
my $ciphers = $ftp{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers;
#SME11 proftpd 1.3.6 branch does not support TLS v1.3
$smeSSLprotocol =~ s/TLSv1.3//;
# NoSessionReuseRequired is required with newer clients and TLS to be bale to list folder
$OUT .= <<SSL_END;
<IfModule mod_tls.c>
@@ -29,7 +32,7 @@ TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol $smeSSLprotocol
TLSCipherSuite $ciphers
TLSOptions NoCertRequest AllowClientRenegotiations
TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
TLSRSACertificateFile $crt
TLSRSACertificateKeyFile $key
$chain_file
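Review bot: Adding `NoSessionReuseRequired` to `TLSOptions` switches off mod_tls's requirement that a data connection reuse the control connection's TLS session, and it does so for every client. The comment above the heredoc gives the compatibility reason but not that trade-off; I would make the option conditional on an ftp db property so sites can keep the check, and reword the comment to `# NoSessionReuseRequired relaxes the data-connection session-reuse check; needed by clients that cannot reuse TLS sessions`. Separately, in `s/TLSv1.3//` the dot is unescaped, and the result can be empty if `$smeSSLprotocol` held only that value (its origin is outside the hunk), so `s/\s*TLSv1\.3\b//` followed by a non-empty check would be safer.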


@@ -32,7 +32,7 @@
$OUT .= "\n";
$OUT .= "<Directory /home/e-smith/files/ibays/$key/*>\n";
$OUT .= " AllowOverwrite on\n";
$OUT .= " GroupOwner shared\n";
$OUT .= " GroupOwner ".$properties{'Group'}."\n";
$OUT .= " Umask $umask\n";
$OUT .= " <Limit WRITE>\n";
$OUT .= " AllowAll\n";
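Review bot: `$properties{'Group'}` is concatenated into the `GroupOwner` line with no check that it is set, so an i-bay record lacking a Group would render a bare `GroupOwner` directive into the generated configuration. Where `%properties` is populated is outside the hunk, so this may already be guaranteed; if it is not, emit the line conditionally, e.g. `$OUT .= " GroupOwner $properties{'Group'}\n" if $properties{'Group'};`. The enclosing loop starts and ends outside the hunk.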


@@ -3,7 +3,7 @@
# How to handle anonymous FTP logins: chroot to the Primary
# i-bay files directory.
#------------------------------------------------------------
return "" if ($ftp{DisableAnonymous} || 'no') eq 'yes';
return "" if ($ftp{DisableAnonymous} || 'yes') eq 'yes';
$OUT = << 'EOF';
<Anonymous /home/e-smith/files/ibays/Primary/files>
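Review bot: The new default fails closed only for an unset property: `($ftp{DisableAnonymous} || 'yes') eq 'yes'` still emits the `<Anonymous>` block for any other stored value, including variants such as `Yes` or `enabled`. Since the intent is anonymous access off by default, testing for the explicit opt-in is stricter: `return "" unless ($ftp{DisableAnonymous} || 'yes') eq 'no';`. A one-line comment stating that only the literal `no` enables anonymous FTP would help whoever edits the db later. The heredoc continues outside the hunk.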


@@ -3,6 +3,7 @@
# How to handle logins from information bay accounts: chroot to the
# files part of the information bay directory.
#------------------------------------------------------------
return "# Anonymous access disabled by default" unless(( $ftp{DisableAnonymous} || "yes") eq "yes");
use esmith::AccountsDB;
use Net::IPv4Addr qw(ipv4_parse);
@@ -56,8 +57,7 @@
# variables: $allow (IP), $pass (bool)
if ( ($ftp{DisableAnonymous} || 'no') ne 'yes' &&
($ibay->prop('DisableAnonymous') || 'no') ne 'yes' )
if ( ($ibay->prop('DisableAnonymous') || 'no') ne 'yes' )
{
$OUT .= "\n";
$OUT .= "<Anonymous /home/e-smith/files/ibays/$key/files>\n";
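Review bot: The added early return reads as inverted: with `unless`, the fragment returns the "disabled by default" comment only when `DisableAnonymous` is something other than `yes`, and falls through to the i-bay loop when it is `yes` or unset. Because the second hunk also drops the `$ftp{DisableAnonymous}` term from the `if`, the per-i-bay `<Anonymous>` blocks then depend only on each i-bay's own property, which defaults to `no`, so they appear to be generated in exactly the case the commit means to switch off. If that is not intended, the guard should be `return "# Anonymous access disabled by default" if (($ftp{DisableAnonymous} || "yes") eq "yes");`. The loop body extends outside both hunks, so this should be confirmed against the full template.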


@@ -0,0 +1,10 @@
[Service]
Environment=
Environment={
$OUT = "CONCURRENCYREMOTE=". ($ftp{Instances} || "40");
$OUT .= " PER_IP_INSTANCES=". ($ftp{InstancesPerIP} || "4");
$OUT .= " LOCALNAME=$SystemName.$DomainName";
$OUT .= " LISTENIP=0";
$OUT .= " PORT=". ($ftp{TCPPort} || "21");
}