initial commit of file from CVS for e-smith-proftpd on Wed 12 Jul 09:05:44 BST 2023

2023-07-12 09:05:44 +01:00
parent 9f1a450709
commit ced40fe923
81 changed files with 2005 additions and 2 deletions
--- a/root/etc/e-smith/db/configuration/defaults/ftp/LoginAccess
+++ b/root/etc/e-smith/db/configuration/defaults/ftp/LoginAccess
@@ -0,0 +1 @@
+private
--- a/root/etc/e-smith/db/configuration/defaults/ftp/TCPPort
+++ b/root/etc/e-smith/db/configuration/defaults/ftp/TCPPort
@@ -0,0 +1 @@
+21
--- a/root/etc/e-smith/db/configuration/defaults/ftp/TLSEnable
+++ b/root/etc/e-smith/db/configuration/defaults/ftp/TLSEnable
@@ -0,0 +1 @@
+on
--- a/root/etc/e-smith/db/configuration/defaults/ftp/TLSRequired
+++ b/root/etc/e-smith/db/configuration/defaults/ftp/TLSRequired
@@ -0,0 +1 @@
+on
--- a/root/etc/e-smith/db/configuration/defaults/ftp/TLSVerifyClient
+++ b/root/etc/e-smith/db/configuration/defaults/ftp/TLSVerifyClient
@@ -0,0 +1 @@
+off
--- a/root/etc/e-smith/db/configuration/defaults/ftp/access
+++ b/root/etc/e-smith/db/configuration/defaults/ftp/access
@@ -0,0 +1 @@
+private
--- a/root/etc/e-smith/db/configuration/defaults/ftp/status
+++ b/root/etc/e-smith/db/configuration/defaults/ftp/status
@@ -0,0 +1 @@
+disabled
--- a/root/etc/e-smith/db/configuration/defaults/ftp/type
+++ b/root/etc/e-smith/db/configuration/defaults/ftp/type
@@ -0,0 +1 @@
+service
--- a/root/etc/e-smith/db/configuration/migrate/20proftpd.access
+++ b/root/etc/e-smith/db/configuration/migrate/20proftpd.access
@@ -0,0 +1,27 @@
+{
+    my $ftp = $DB->get('ftp');
+    return unless defined $ftp;
+
+    my $access = $ftp->prop('accessLimits');
+    return unless defined $access; # New or already migrated server
+
+    my $login = $ftp->prop('access') || 'private';
+    my $status = $ftp->prop('status') || 'disabled';
+    if ($access eq "normal")
+    {
+	$status = 'enabled';
+	$access = 'public';
+    }
+    if ($access eq "off")
+    {
+	$status = 'disabled';
+	$access = 'private';
+    }
+
+    $ftp->delete_prop('accessLimits');
+    $ftp->merge_props(
+	    LoginAccess => $login,
+	    access => $access,
+	    status => $status,
+	);
+}
--- a/root/etc/e-smith/templates.metadata/etc/ftpusers
+++ b/root/etc/e-smith/templates.metadata/etc/ftpusers
@@ -0,0 +1,4 @@
+MORE_DATA={ACCOUNTS_DENY_ALLOW_PUBLIC => 1}
+TEMPLATE_PATH="/etc/e-smith/pam/accounts.deny"
+OUTPUT_FILENAME="/etc/ftpusers"
+PERMS=0644
--- a/root/etc/e-smith/templates.metadata/etc/proftpd.conf
+++ b/root/etc/e-smith/templates.metadata/etc/proftpd.conf
@@ -0,0 +1 @@
+PERMS=0640
--- a/root/etc/e-smith/templates.metadata/var/service/ftp/peers/0
+++ b/root/etc/e-smith/templates.metadata/var/service/ftp/peers/0
@@ -0,0 +1,2 @@
+PERMS=use esmith::ConfigDB; (esmith::ConfigDB->open_ro->get('ftp')->prop('access') eq "private") ? "000" : "0644"
+FILTER=sub { $_[0] =~ /^#/ ? '' : $_[0] } # Remove comments
--- a/root/etc/e-smith/templates.metadata/var/service/ftp/peers/local
+++ b/root/etc/e-smith/templates.metadata/var/service/ftp/peers/local
@@ -0,0 +1,2 @@
+PERMS=use esmith::ConfigDB; (esmith::ConfigDB->open_ro->get('ftp')->prop('status') eq "enabled") ? "0644" : "0000"
+FILTER=sub { $_[0] =~ /^#/ ? '' : $_[0] } # Remove comments
--- a/root/etc/e-smith/templates/etc/logrotate.d/proftpd/var.log.proftpd
+++ b/root/etc/e-smith/templates/etc/logrotate.d/proftpd/var.log.proftpd
@@ -0,0 +1,6 @@
+
+/var/log/proftpd/*.log \{
+    compress
+    missingok
+\}
+
--- a/root/etc/e-smith/templates/etc/logrotate.d/proftpd/xferlog
+++ b/root/etc/e-smith/templates/etc/logrotate.d/proftpd/xferlog
@@ -0,0 +1,4 @@
+/var/log/xferlog \{
+    compress
+    missingok
+\}
--- a/root/etc/e-smith/templates/etc/pam.d/ftp/10authFTPusers
+++ b/root/etc/e-smith/templates/etc/pam.d/ftp/10authFTPusers
@@ -0,0 +1 @@
+auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
--- a/root/etc/e-smith/templates/etc/pam.d/ftp/20auth
+++ b/root/etc/e-smith/templates/etc/pam.d/ftp/20auth
@@ -0,0 +1,3 @@
+auth       { -f "/lib/security/pam_pwdb.so" ||
+             -f "/lib64/security/pam_pwdb.so" ? "required     pam_stack.so service=system-auth" :
+                                                "include      system-auth" }
--- a/root/etc/e-smith/templates/etc/pam.d/ftp/30account
+++ b/root/etc/e-smith/templates/etc/pam.d/ftp/30account
@@ -0,0 +1,3 @@
+account    { -f "/lib/security/pam_pwdb.so" ||
+             -f "/lib64/security/pam_pwdb.so" ? "required     pam_stack.so service=system-auth" :
+                                                "include      system-auth" }
--- a/root/etc/e-smith/templates/etc/pam.d/ftp/40session
+++ b/root/etc/e-smith/templates/etc/pam.d/ftp/40session
@@ -0,0 +1,3 @@
+session    { -f "/lib/security/pam_pwdb.so" ||
+             -f "/lib64/security/pam_pwdb.so" ? "required     pam_stack.so service=system-auth" :
+                                                "include      system-auth" }
--- a/root/etc/e-smith/templates/etc/pam.d/ftp/template-begin
+++ b/root/etc/e-smith/templates/etc/pam.d/ftp/template-begin
@@ -0,0 +1 @@
+/etc/e-smith/templates-default/template-begin-pam
--- a/root/etc/e-smith/templates/etc/proftpd.conf/00Documentation
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/00Documentation
@@ -0,0 +1,42 @@
+{
+#------------------------------------------------------------
+# FILE ACCESS PERMISSIONS RULES
+# 
+# - There are three types of user that can connect to the ftp
+#   server: regular users, "admin", and information bay users.
+# 
+# - When "information bay" users connect, their permissions are
+#   set by the Anonymous sections below.
+# 
+# - All other users are governed by the permissions declared in
+#   this main section of the proftpd.conf file.
+# 
+# - The main section permits access only from the local network.
+#   Hence, only the anonymous information bays can be accessed
+#   remotely.
+# 
+# - Regular users as well as the "admin" account can connect
+#   locally, and the ftp server will switch to their user/group
+#   immediately upon connection. Therefore we program the FTP
+#   server to permit write access to all these users; the Unix
+#   filesystem will sort out who gets to update which files.
+# 
+# - All Unix accounts have the same primary group name as user
+#   name (normal for Red Hat Linux). However, all user accounts
+#   also belong to group "shared".
+# 
+# - Files in user accounts are owned by "user/user" (i.e. group
+#   name same as user).
+# 
+# - For all the other files (primary web site, information bay
+#   files, etc.) either they can only be written by "admin" or
+#   they can be written by any local user. If the former, we 
+#   make the files owned by "admin/shared", with permissions
+#   750/640. If the latter, we make the files owned by
+#   ???/shared, with permissions 770/660. Each file is owned
+#   by the user that created it.
+# 
+# - Make all directories setgid, so that they continue to be
+#   owned by "shared".
+#------------------------------------------------------------
+}
--- a/root/etc/e-smith/templates/etc/proftpd.conf/00localAccess
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/00localAccess
@@ -0,0 +1,9 @@
+{
+    # Work out local access specification
+    use esmith::NetworksDB;
+
+    my $ndb = esmith::NetworksDB->open_ro();
+    @local_access = $ndb->local_access_spec;
+
+    return "";
+}
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05AllowRestart
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05AllowRestart
@@ -0,0 +1,2 @@
+AllowRetrieveRestart    on
+AllowStoreRestart       on
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05Chroot
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05Chroot
@@ -0,0 +1,25 @@
+{
+	use esmith::AccountsDB;
+
+	$OUT = "";
+	my $accounts = esmith::AccountsDB->open;
+	my @users = $accounts->users;
+
+	foreach my $user (@users)
+	{
+		my $chrootDir = $user->prop('ChrootDir') || $ftp{'ChrootDir'} || next;
+
+		if ( $chrootDir =~ m#^/# && -d $chrootDir )
+		{
+			$OUT .= "DefaultRoot		$chrootDir	".$user->key."\n";
+		}
+		elsif ( -d "/home/e-smith/files/ibays/$chrootDir" )
+		{
+			$OUT .= "DefaultRoot		/home/e-smith/files/ibays/$chrootDir	".$user->key."\n";
+		}
+		elsif ( $chrootDir =~ m#home$# )
+		{
+			$OUT .= "DefaultRoot		/home/e-smith/files/users/".$user->key."/home	".$user->key."\n";
+		}
+	}
+}
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05DefaultRoot
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05DefaultRoot
@@ -0,0 +1 @@
+DefaultRoot		/home/e-smith/files
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05DefaultServer
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05DefaultServer
@@ -0,0 +1 @@
+DefaultServer		on
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05DenyFilter
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05DenyFilter
@@ -0,0 +1 @@
+DenyFilter \*.*/
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05DisplayChdir
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05DisplayChdir
@@ -0,0 +1 @@
+DisplayChdir	.message
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05DisplayLogin
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05DisplayLogin
@@ -0,0 +1 @@
+DisplayLogin		welcome.msg
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05Group
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05Group
@@ -0,0 +1 @@
+Group			public
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05IdentLookups
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05IdentLookups
@@ -0,0 +1 @@
+IdentLookups off
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05MaxInstances
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05MaxInstances
@@ -0,0 +1 @@
+MaxInstances		30
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05PersistentPasswd
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05PersistentPasswd
@@ -0,0 +1 @@
+PersistentPasswd off
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05ScoreboardFile
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05ScoreboardFile
@@ -0,0 +1 @@
+ScoreboardFile	/var/run/proftpd/scoreboard
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05ServerAdmin
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05ServerAdmin
@@ -0,0 +1 @@
+ServerAdmin		admin@{ $DomainName }
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05ServerIdent
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05ServerIdent
@@ -0,0 +1 @@
+ServerIdent		off
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05ServerName
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05ServerName
@@ -0,0 +1 @@
+ServerName		"ProFTPD SME Server installation"
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05ServerType
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05ServerType
@@ -0,0 +1 @@
+ServerType		inetd
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05ShowSymlinks
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05ShowSymlinks
@@ -0,0 +1 @@
+ShowSymlinks off
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05UseFtpUsers
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05UseFtpUsers
@@ -0,0 +1 @@
+UseFtpUsers		on
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05UseReverseDNS
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05UseReverseDNS
@@ -0,0 +1 @@
+UseReverseDNS off
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05User
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05User
@@ -0,0 +1 @@
+User			public
--- a/root/etc/e-smith/templates/etc/proftpd.conf/05port
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/05port
@@ -0,0 +1 @@
+Port			21
--- a/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
@@ -0,0 +1,41 @@
+{
+    	#check if TLS is enabled
+        if (($ftp{TLSEnable} || 'on') eq 'on') {
+
+        #check if TLS is required: values "on", "off"
+        #if "on" normal ftp connections are dropped
+        my $tlsrequired = $ftp{'TLSRequired'} || "on";
+        my $tlsclient = $ftp{'TLSVerifyClient'} || "off";
+        #use the same crt and key of httpd
+        my $defaultcrt = "/home/e-smith/ssl.crt/${SystemName}.${DomainName}.crt";
+        my $defaultkey = "/home/e-smith/ssl.key/${SystemName}.${DomainName}.key";
+
+        my $crt = $modSSL{'crt'} || $defaultcrt;
+        $crt = $defaultcrt unless -e $crt;
+        my $key = $modSSL{'key'} || $defaultkey;
+        $key = $defaultkey unless -e $key;
+
+        my $chain_file = $modSSL{CertificateChainFile} ||
+        "# no chain cert";
+	$chain_file = "# no chain cert" unless -e $chain_file;
+
+        $chain_file = ( $chain_file eq "# no chain cert" )? $chain_file  : "TLSCertificateChainFile $chain_file";
+
+    	$OUT .= <<SSL_END;
+
+<IfModule mod_tls.c>
+TLSEngine                  on
+TLSLog                     /var/log/proftpd/tls.log
+TLSProtocol                TLSv1.1 TLSv1.2
+TLSOptions                 NoCertRequest AllowClientRenegotiations
+TLSRSACertificateFile      $crt
+TLSRSACertificateKeyFile   $key
+$chain_file
+TLSVerifyClient            $tlsclient
+TLSRequired                $tlsrequired
+</IfModule>
+SSL_END
+
+	}
+}
+
--- a/root/etc/e-smith/templates/etc/proftpd.conf/09DirectorySlashBegin
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/09DirectorySlashBegin
@@ -0,0 +1 @@
+<Directory /*>
--- a/root/etc/e-smith/templates/etc/proftpd.conf/10LimitDenyWrite
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/10LimitDenyWrite
@@ -0,0 +1,3 @@
+  <Limit WRITE>{ # deny all write access unless given explicitly }
+    DenyAll
+  </Limit>
--- a/root/etc/e-smith/templates/etc/proftpd.conf/10LimitSiteChmod
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/10LimitSiteChmod
@@ -0,0 +1,3 @@
+  <Limit SITE_CHMOD>{ # deny all chmod }
+    DenyAll
+  </Limit>
--- a/root/etc/e-smith/templates/etc/proftpd.conf/11DirectorySlashEnd
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/11DirectorySlashEnd
@@ -0,0 +1 @@
+</Directory>
--- a/root/etc/e-smith/templates/etc/proftpd.conf/15LimitLOGIN
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/15LimitLOGIN
@@ -0,0 +1,22 @@
+{
+# allow normal user connections either only from local network,
+# or from anywhere
+}<Limit LOGIN>
+{
+    my $access = $ftp{LoginAccess} || "private";
+    if ($access eq 'public')
+    {
+	$OUT = "  AllowAll";
+    }
+    else
+    {
+	use Net::IPv4Addr qw(ipv4_parse);
+
+	$OUT = "  Order Allow,Deny\n";
+	$OUT .= join "\n",
+	    map { "  Allow from " . join '/', ipv4_parse($_) }
+		@local_access;
+	$OUT .= "\n  Deny from all";
+    }
+}
+</Limit>
--- a/root/etc/e-smith/templates/etc/proftpd.conf/30UserDirAccess
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/30UserDirAccess
@@ -0,0 +1,15 @@
+{
+# Local access to "home" subdirectory of user directories.
+# (Don't set group, since files are in user's primary group.  umask is
+# 007 to generate permissions of 770/660.)
+#
+# NOTE: Users cannot write to their real home directory ~user as it 
+#       is blocked by the default deny write
+}
+<Directory ~/home>
+    AllowOverwrite on
+    Umask 007
+    <Limit WRITE>
+        AllowAll
+    </Limit>
+</Directory>
--- a/root/etc/e-smith/templates/etc/proftpd.conf/40IBayAccess
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/40IBayAccess
@@ -0,0 +1,42 @@
+{
+# Local access to bay directories. Note that in this context, we can
+# ignore the public access rules associated with each bay, since this
+# section of the config file applies only to local logins. We can also
+# ignore the usepassword rules, since anonymous login is handled
+# below.
+
+    use esmith::AccountsDB;
+
+    $OUT = "";
+
+    my $adb = esmith::AccountsDB->open_ro();
+    foreach my $ibay ($adb->ibays)
+    {
+	my %properties = $ibay->props;
+	my $key = $ibay->key;
+	my $umask = "027";
+
+	if ($properties{'UserAccess'} eq 'wr-admin-rd-group')
+	{
+	    $umask = "027";
+	}
+	elsif ($properties{'UserAccess'} eq 'wr-group-rd-group')
+	{
+	    $umask = "007";
+	}
+	elsif ($properties{'UserAccess'} eq 'wr-group-rd-everyone')
+	{
+	    $umask = "002";
+	}
+
+	$OUT .= "\n";
+	$OUT .= "<Directory /home/e-smith/files/ibays/$key/*>\n";
+	$OUT .= "    AllowOverwrite on\n";
+	$OUT .= "    GroupOwner shared\n";
+	$OUT .= "    Umask $umask\n";
+	$OUT .= "    <Limit WRITE>\n";
+	$OUT .= "        AllowAll\n";
+	$OUT .= "    </Limit>\n";
+	$OUT .= "</Directory>\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/proftpd.conf/50AnonymousPrimary
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/50AnonymousPrimary
@@ -0,0 +1,29 @@
+{
+#------------------------------------------------------------
+# How to handle anonymous FTP logins: chroot to the Primary
+# i-bay files directory.
+#------------------------------------------------------------
+	return "" if ($ftp{DisableAnonymous} || 'no') eq 'yes';
+
+	$OUT = << 'EOF';
+<Anonymous /home/e-smith/files/ibays/Primary/files>
+    User public
+    Group public
+    UserAlias anonymous public
+    UserAlias ftp public
+    AnonRequirePassword off
+    UseFtpUsers on
+    MaxClients 10
+    DisplayLogin welcome.msg
+    DisplayChdir .message
+    <Limit LOGIN>
+        AllowAll
+    </Limit>
+    <Directory *>
+        <Limit WRITE>
+            DenyAll
+        </Limit>
+    </Directory>
+</Anonymous>
+EOF
+}
--- a/root/etc/e-smith/templates/etc/proftpd.conf/60AnonymousIBay
+++ b/root/etc/e-smith/templates/etc/proftpd.conf/60AnonymousIBay
@@ -0,0 +1,84 @@
+{
+#------------------------------------------------------------
+# How to handle logins from information bay accounts: chroot to the
+# files part of the information bay directory.
+#------------------------------------------------------------
+
+    use esmith::AccountsDB;
+    use Net::IPv4Addr qw(ipv4_parse);
+
+    $OUT .= "";
+
+    my $adb = esmith::AccountsDB->open_ro();
+    my @local = map { join '/', ipv4_parse($_) } @local_access;
+    my @all = ('all');
+    foreach my $ibay ($adb->ibays)
+    {
+	my $key = $ibay->key;
+	my %properties = $ibay->props;
+
+	next if ($key eq "Primary");
+
+	my $pass;
+	
+	my $access = $ibay->prop('PublicAccess') || 'none';
+
+	if ($access eq 'none')
+	{
+	    @allow   = ('127.0.0.1');
+	    $pass    = 1;
+	}
+	elsif ($access eq 'local')
+	{
+            @allow = @local;
+	    $pass    = 0;
+	}
+	elsif ($access eq 'local-pw')
+	{
+            @allow = @local;
+	    $pass    = 1;
+	}
+	elsif ($access eq 'global')
+	{
+	    @allow   = @all;
+	    $pass    = 0;
+	}
+	elsif ($access eq 'global-pw')
+	{
+	    @allow   = @all;
+	    $pass    = 1;
+	}
+	elsif ($access eq 'global-pw-remote')
+	{
+	    @allow   = @all;
+	    $pass    = 1;
+	}
+
+	# variables: $allow (IP), $pass (bool)
+
+	if ( ($ftp{DisableAnonymous} || 'no') ne 'yes' &&
+	     ($ibay->prop('DisableAnonymous') || 'no') ne 'yes' )
+	{
+	    $OUT .= "\n";
+	    $OUT .= "<Anonymous /home/e-smith/files/ibays/$key/files>\n";
+	    $OUT .= "    User $key\n";
+	    $OUT .= "    Group $key\n";
+	    $OUT .= "    AnonRequirePassword " . ($pass ? "on" : "off") . "\n";
+	    $OUT .= "    UseFtpUsers on\n";
+	    $OUT .= "    MaxClients 10\n";
+	    $OUT .= "    DisplayLogin welcome.msg\n";
+	    $OUT .= "    DisplayChdir .message\n";
+	    $OUT .= "    <Limit LOGIN>\n";
+	    $OUT .= "      Order Allow,Deny\n";
+	    $OUT .= "      Allow from $_\n" foreach @allow;
+	    $OUT .= "      Deny from all\n";
+	    $OUT .= "    </Limit>\n";
+	    $OUT .= "    <Directory *>\n";
+	    $OUT .= "        <Limit WRITE>\n";
+	    $OUT .= "            DenyAll\n";
+	    $OUT .= "        </Limit>\n";
+	    $OUT .= "    </Directory>\n";
+	    $OUT .= "</Anonymous>\n";
+	}
+    }
+}
--- a/root/etc/e-smith/templates/etc/rsyslog.conf/32proftpd
+++ b/root/etc/e-smith/templates/etc/rsyslog.conf/32proftpd
@@ -0,0 +1,6 @@
+
+#proftpd
+if $programname == 'proftpd' and $syslogfacility-text == 'authpriv' then      /var/log/secure
+:programname, isequal, "proftpd"            /var/log/proftpd/proftpd.log
+& stop
+
--- a/root/etc/e-smith/templates/etc/tcprules/tcp.proftpd/10localhost
+++ b/root/etc/e-smith/templates/etc/tcprules/tcp.proftpd/10localhost
@@ -0,0 +1,2 @@
+127.0.0.1:allow
+{ $LocalIP }:allow
--- a/root/etc/e-smith/templates/etc/tcprules/tcp.proftpd/80localNetworks
+++ b/root/etc/e-smith/templates/etc/tcprules/tcp.proftpd/80localNetworks
@@ -0,0 +1,22 @@
+{
+    use esmith::util;
+
+    my @prefixes = esmith::util::computeAllLocalNetworkPrefixes($LocalIP,
+                                                                $LocalNetmask);
+
+    require esmith::NetworksDB;
+    my $n = esmith::NetworksDB->open;
+    foreach my $network ($n->get_all_by_prop(type => 'network'))
+    {
+	push(@prefixes,
+	    esmith::util::computeAllLocalNetworkPrefixes(
+		$network->key, $network->prop('Mask')));
+    }
+
+    foreach my $prefix ( @prefixes )
+    {
+	my $dot = ( $prefix =~ /\d+\.\d+\.\d+\.\d+/ ) ? '' : '.';
+
+	$OUT .= $prefix . $dot . ":allow\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/tcprules/tcp.proftpd/90default
+++ b/root/etc/e-smith/templates/etc/tcprules/tcp.proftpd/90default
@@ -0,0 +1,4 @@
+:{
+    my $access = $ftp{'access'} || 'private';
+    $OUT = ($access eq "public") ?  "allow" : "deny"
+}
--- a/root/etc/e-smith/templates/var/service/ftp/peers/0/ConcurrencyPerIP
+++ b/root/etc/e-smith/templates/var/service/ftp/peers/0/ConcurrencyPerIP
@@ -0,0 +1 @@
+C4
--- a/root/etc/e-smith/templates/var/service/ftp/peers/local/ConcurrencyPerIP
+++ b/root/etc/e-smith/templates/var/service/ftp/peers/local/ConcurrencyPerIP
@@ -0,0 +1 @@
+C4
--- a/root/etc/e-smith/templates/var/service/proftpd/peers/0/template-begin
+++ b/root/etc/e-smith/templates/var/service/proftpd/peers/0/template-begin
--- a/root/etc/e-smith/templates/var/service/proftpd/peers/local/template-begin
+++ b/root/etc/e-smith/templates/var/service/proftpd/peers/local/template-begin
				`@@ -0,0 +1 @@`
				`auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed`
				`@@ -0,0 +1 @@`
				`/etc/e-smith/templates-default/template-begin-pam`
				`@@ -0,0 +1 @@`
				`ServerName "ProFTPD SME Server installation"`