* Sat Feb 15 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-7.sme

- disable anonymous by default [SME: 931]
- add passive port [SME: 12454]
- TLSv1.3 filtered out as not supported by 1.3.6 branch [SME: 12925]
- fix wrong group defined for ibays [SME: 7914]
- drop runit for full systemd service unit [SME: 12874]

README.md

@@ -3,7 +3,7 @@
 SMEServer Koozali developed git repo for smeserver-proftpd smeserver
 
 ## Wiki
-<br />https://wiki.koozali.org/
+<br />https://wiki.koozali.org/ftp
 
 ## Bugzilla
 Show list of outstanding bugs:
@@ -18,8 +18,23 @@ And a list of outstanding Legacy bugs: (e-smith-proftpd) [here](https://bugs.koo
 
 ## Description
 
-<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
-*Once it has been checked, then this comment will be deleted*
-<br />
-
 smeserver-Proftpd is an open source software package that allows users to easily set up an FTP server on their Linux or Unix-based system. It is a part of the smeserver software family, which consists of a number of professional tools for system administrators. The package provides a secure and reliable way to transfer files over the internet. It provides a wide range of features, such as virtual hosting, bandwidth throttling, file transfer logging, and support for stand-alone or inetd/xinetd operations. It is a powerful and versatile tool, and is ideal for those who want to manage and share files from their own web server.
+
+## Configuration 
+db show ftp
+- CipherSuite= $modSSL{CipherSuite} || $smeCiphers;
+- DisableAnonymous=yes (was no as default before SME11) 
+- LoginAccess=private
+- TCPPorts=49200:49999
+- TCPPort=21
+- TLSEnable=on
+- TLSRequired=on
+- TLSVerifyClient=off
+- access=private
+- status=disabled
+
+db accounts
+- ibay{'DisableAnonymous'}=no
+- ibay{'UserAccess'}
+- ibay{'PublicAccess'}= 'none';
+- user{ChrootDir'}|| $ftp{'ChrootDir'} || disabled;

createlinks

@@ -2,8 +2,6 @@
 
 use esmith::Build::CreateLinks qw(:all);
 
-safe_symlink("proftpd", "root/var/service/ftp");
-
 templates2events("/etc/logrotate.d/proftpd", qw(
 	bootstrap-console-save
 	smeserver-proftpd-update
@@ -41,6 +39,13 @@ templates2events("/etc/proftpd.conf", qw(
 	ssl-update
 	));
 
+templates2events("/usr/lib/systemd/system/ftp.service.d/50koozali.conf", qw(
+        bootstrap-console-save
+        smeserver-proftpd-update
+        ssl-update
+        ));
+
+
 foreach my $event (qw(
     remoteaccess-update))
 {

root/etc/e-smith/db/configuration/defaults/ftp/TCPPorts

@@ -0,0 +1 @@
+49200:49999

root/etc/e-smith/templates/etc/proftpd.conf/05portPassive

@@ -0,0 +1,6 @@
+{
+my $PassivePorts=$ftp{TCPPorts}||'49200:49999"';
+$PassivePorts=~ s/:/ /;
+$PassivePorts="49200 49999" if (index(',', $PassivePorts) != -1);
+$OUT= "PassivePorts             $PassivePorts\n";
+}

root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS

@@ -1,5 +1,5 @@
 {
-    	  use esmith::ssl;
+        use esmith::ssl;
         #check if TLS is enabled
         if (($ftp{TLSEnable} || 'on') eq 'on') {
 
@@ -21,7 +21,10 @@
 	$chain_file = "# no chain cert" unless -e $chain_file;
         
         $chain_file = ( $chain_file eq "# no chain cert" )? $chain_file  : "TLSCertificateChainFile $chain_file";
-        my $ciphers = $modSSL{CipherSuite} || $ftp{CipherSuite} || $smeCiphers;
+        my $ciphers = $ftp{CipherSuite} || $modSSL{CipherSuite} || $smeCiphers;
+        #SME11 proftpd 1.3.6 branch does not support TLS v1.3
+        $smeSSLprotocol =~ s/TLSv1.3//;
+        # NoSessionReuseRequired is required with newer clients and TLS to be bale to list folder
     	$OUT .= <<SSL_END;
 
 <IfModule mod_tls.c>
@@ -29,7 +32,7 @@ TLSEngine                  on
 TLSLog                     /var/log/proftpd/tls.log
 TLSProtocol                $smeSSLprotocol
 TLSCipherSuite						 $ciphers
-TLSOptions                 NoCertRequest AllowClientRenegotiations
+TLSOptions                 NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
 TLSRSACertificateFile      $crt
 TLSRSACertificateKeyFile   $key
 $chain_file

root/etc/e-smith/templates/etc/proftpd.conf/40IBayAccess

@@ -32,7 +32,7 @@
 	$OUT .= "\n";
 	$OUT .= "<Directory /home/e-smith/files/ibays/$key/*>\n";
 	$OUT .= "    AllowOverwrite on\n";
-	$OUT .= "    GroupOwner shared\n";
+	$OUT .= "    GroupOwner ".$properties{'Group'}."\n";
 	$OUT .= "    Umask $umask\n";
 	$OUT .= "    <Limit WRITE>\n";
 	$OUT .= "        AllowAll\n";

root/etc/e-smith/templates/etc/proftpd.conf/50AnonymousPrimary

@@ -3,7 +3,7 @@
 # How to handle anonymous FTP logins: chroot to the Primary
 # i-bay files directory.
 #------------------------------------------------------------
-	return "" if ($ftp{DisableAnonymous} || 'no') eq 'yes';
+	return "" if ($ftp{DisableAnonymous} || 'yes') eq 'yes';
 
 	$OUT = << 'EOF';
 <Anonymous /home/e-smith/files/ibays/Primary/files>

root/etc/e-smith/templates/etc/proftpd.conf/60AnonymousIBay

@@ -3,6 +3,7 @@
 # How to handle logins from information bay accounts: chroot to the
 # files part of the information bay directory.
 #------------------------------------------------------------
+    return "# Anonymous access disabled by default" unless(( $ftp{DisableAnonymous} || "yes") eq "yes");
 
     use esmith::AccountsDB;
     use Net::IPv4Addr qw(ipv4_parse);
@@ -56,8 +57,7 @@
 
 	# variables: $allow (IP), $pass (bool)
 
-	if ( ($ftp{DisableAnonymous} || 'no') ne 'yes' &&
+	if ( ($ibay->prop('DisableAnonymous') || 'no') ne 'yes' )
-	     ($ibay->prop('DisableAnonymous') || 'no') ne 'yes' )
 	{
 	    $OUT .= "\n";
 	    $OUT .= "<Anonymous /home/e-smith/files/ibays/$key/files>\n";

root/etc/e-smith/templates/usr/lib/systemd/system/ftp.service.d/50koozali.conf/40service

@@ -0,0 +1,10 @@
+[Service]
+Environment=
+Environment={
+$OUT  = "CONCURRENCYREMOTE=". ($ftp{Instances} || "40");
+$OUT .= " PER_IP_INSTANCES=". ($ftp{InstancesPerIP} || "4");
+$OUT .= " LOCALNAME=$SystemName.$DomainName";
+$OUT .= " LISTENIP=0";
+$OUT .= " PORT=". ($ftp{TCPPort} || "21");
+}
+

root/service/ftp

@@ -1 +0,0 @@
-/var/service/proftpd

root/usr/lib/systemd/system/ftp.service

@@ -4,12 +4,24 @@ After=network.target
 Requires=runit.service
 
 [Service]
-Type=oneshot
+Type=simple
+SyslogIdentifier=proftpd
+Environment=CONCURRENCYREMOTE=40 PER_IP_INSTANCES=4 LOCALNAME=0 LISTENIP=0 PORT=ftp
+WorkingDirectory=/var/service/proftpd/
 ExecStartPre=/sbin/e-smith/service-status ftp
-ExecStart=/usr/bin/sv u /service/ftp
+ExecStartPre=/sbin/e-smith/systemd/ftp-tcpsvd
-ExecStop=/usr/bin/sv stop /service/ftp
+ExecStart=/usr/bin/tcpsvd \
-ExecReload=/usr/bin/sv t /service/ftp
+	-v \
-RemainAfterExit=yes
+	-i ./peers \
+	-c $CONCURRENCYREMOTE \
+	-C ${PER_IP_INSTANCES}:'421 per host concurrency limit reached\r\n' \
+	-l $LOCALNAME \
+	$LISTENIP \
+	$PORT \
+	/usr/sbin/in.proftpd
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=20s
 
 [Install]
 WantedBy=sme-server.target

root/var/service/proftpd/log/run

@@ -1,23 +0,0 @@
-#!/bin/sh
-
-#----------------------------------------------------------------------
-# copyright (C) 2003-2006 Mitel Networks Corporation
-# 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-# 		
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 		
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
-#----------------------------------------------------------------------
-exec					\
-    /usr/bin/setuidgid smelog	\
-    /usr/bin/multilog t s5000000	\
-    /var/log/ftp

root/var/service/proftpd/run

@@ -1,36 +0,0 @@
-#!/bin/sh
-#----------------------------------------------------------------------
-# copyright (C) 2003-5 Mitel Networks Corporation
-# 
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-# 		
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-# 		
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
-# 
-# Technical support for this program is available from Mitel Networks 
-# Please visit our web site www.mitel.com/sme/ for details.
-#----------------------------------------------------------------------
-
-[ -f ./runenv ] && . ./runenv
-
-exec 2>&1
-# Adjust ACLs in ./peers
-./control/1
-exec /usr/bin/tcpsvd \
-	-v \
-	-i ./peers \
-	-c ${CONCURRENCYREMOTE:-40} \
-	-C ${PER_IP_INSTANCES:-4}:'421 per host concurrency limit reached\r\n' \
-	-l ${LOCALNAME:-0} \
-	${LISTENIP:-0} \
-	${PORT:-ftp} \
-	/usr/sbin/in.proftpd

smeserver-proftpd.spec

@@ -4,7 +4,7 @@ Summary: smeserver specific proftpd configuration files and templates
 %define name smeserver-proftpd
 Name: %{name}
 %define version 11.0.0
-%define release 6
+%define release 7
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -26,6 +26,13 @@ Provides: e-smith-proftpd
 AutoReqProv: no
 
 %changelog
+* Sat Feb 15 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-7.sme
+- disable anonymous by default [SME: 931]
+- add passive port [SME: 12454]
+- TLSv1.3 filtered out as not supported by 1.3.6 branch [SME: 12925]
+- fix wrong group defined for ibays [SME: 7914]
+- drop runit for full systemd service unit [SME: 12874]
+
 * Sun Jan 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-6.sme
 - adding requirement for deamontools bin [SME: 12566]
 
@@ -630,14 +637,8 @@ rm -rf $RPM_BUILD_ROOT
 rm -f %{name}-%{version}-%{release}-filelist
 /sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
     --dir /var/service/proftpd 'attr(01755,root,root)' \
-    --file /var/service/proftpd/down 'attr(0644,root,root)' \
+    --dir /var/log/ftp 'attr(2750,root,root)' \
-    --file /var/service/proftpd/run 'attr(0755,root,root)' \
+    --file /sbin/e-smith/systemd/ftp-tcpsvd 'attr(0554,root,root)' \
-    --file /var/service/proftpd/control/1 'attr(0755,root,root)' \
-    --dir /var/service/proftpd/log 'attr(0755,root,root)' \
-    --dir /var/service/proftpd/log/supervise 'attr(0700,root,root)' \
-    --dir /var/service/proftpd/supervise 'attr(0700,root,root)' \
-    --file /var/service/proftpd/log/run 'attr(0755,root,root)' \
-    --dir /var/log/ftp 'attr(2750,smelog,smelog)' \
     > %{name}-%{version}-%{release}-filelist
 echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
 
@@ -645,8 +646,6 @@ echo "%doc COPYING" >> %{name}-%{version}-%{release}-filelist
 rm -rf $RPM_BUILD_ROOT
 
 %pre
-/sbin/e-smith/create-system-user smelog 1002 \
-    'sme log user' /var/log/smelog /bin/false
 
 %files -f %{name}-%{version}-%{release}-filelist
 %defattr(-,root,root)