From 5a63f294c083eb3c2292665535894a9dff9c13a7 Mon Sep 17 00:00:00 2001
From: Colin
Date: Tue, 18 Jun 2024 05:44:20 +0000
Subject: [PATCH] servo: sftpgo: allow fully-anonymous www read access to /pub
this will help me write automated tests for its availability
---
 hosts/by-name/servo/services/export/default.nix | 7 ++++++-
 .../servo/services/export/sftpgo/default.nix | 9 ++++++++-
 .../services/export/sftpgo/external_auth_hook | 15 +++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/hosts/by-name/servo/services/export/default.nix b/hosts/by-name/servo/services/export/default.nix
index 057fe1fc..65acd6f2 100644
--- a/hosts/by-name/servo/services/export/default.nix
+++ b/hosts/by-name/servo/services/export/default.nix
@@ -12,6 +12,10 @@
     device = "/var/media";
     options = [ "rbind" ];
   };
+  fileSystems."/var/export/pub" = {
+    device = "/var/www/sites/uninsane.org/share";
+    options = [ "rbind" ];
+  };
   # fileSystems."/var/export/playground" = {
   #   device = config.fileSystems."/mnt/persist/ext".device;
   #   fsType = "btrfs";
@@ -37,7 +41,8 @@
     wantedBy = [ "nfs.service" "sftpgo.service" ];
     file.text = ''
       - media/ read-only: Videos, Music, Books, etc
-      - playground/ read-write: use it to share files with other users of this server
+      - playground/ read-write: use it to share files with other users of this server, inaccessible from the www
+      - pub/ read-only: content made to be shared with the www
     '';
   };
diff --git a/hosts/by-name/servo/services/export/sftpgo/default.nix b/hosts/by-name/servo/services/export/sftpgo/default.nix
index 7863b439..4eb27e37 100644
--- a/hosts/by-name/servo/services/export/sftpgo/default.nix
+++ b/hosts/by-name/servo/services/export/sftpgo/default.nix
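Review bot: The new `/var/export/pub` bind mount is configured with `options = [ "rbind" ];` only, so nothing at the mount layer makes the www share read-only; that property rests entirely on the permission tables returned by sftpgo's external_auth_hook, and on whatever the NFS export of the same tree does, which is outside this hunk. If no exporter is ever meant to write into it, `options = [ "rbind" "ro" ];` enforces that below the application, with the caveat that a read-only flag on a recursive bind may only take effect on the top mount unless it is remounted, which is worth checking on the host before relying on it. The `/var/media` mount above uses the same rbind-only pattern, so this is consistent with existing practice rather than a regression, and a one-line comment stating which layer is trusted to enforce read-only would make that explicit.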
@@ -103,6 +103,13 @@ in
       debug = true;
       tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
     }
+    {
+      # binding this means any doof client can connect (TLS only)
+      address = config.sane.netns.doof.hostVethIpv4;
+      port = 990;
+      debug = true;
+      tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
+    }
   ];
   # active mode is susceptible to "bounce attacks", without much benefit over passive mode
@@ -119,7 +126,7 @@ in
   banner = ''
     Welcome, friends, to Colin's FTP server!
     Also available via NFS on the same host, but LAN-only.
-    Read-only access (LAN-restricted):
+    Read-only access (LAN clients see everything; WAN clients can only see /pub):
       Username: "anonymous"
       Password: "anonymous"
diff --git a/hosts/by-name/servo/services/export/sftpgo/external_auth_hook b/hosts/by-name/servo/services/export/sftpgo/external_auth_hook
index baa29892..3f60ad22 100755
--- a/hosts/by-name/servo/services/export/sftpgo/external_auth_hook
+++ b/hosts/by-name/servo/services/export/sftpgo/external_auth_hook
@@ -45,6 +45,8 @@ from hmac import compare_digest
 authFail = dict(username="")
+PERM_DENY = []
+PERM_LIST = [ "list" ]
 PERM_RO = [ "list", "download" ]
 PERM_RW = [
     # read-only:
@@ -127,12 +129,14 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
         return mkAuthOk(username, permissions = {
             "/": PERM_RW,
             "/playground": PERM_RW,
+            "/pub": PERM_RO,
         })
     if isWireguard(ip):
         # allow any user from wireguard
         return mkAuthOk(username, permissions = {
             "/": PERM_RW,
             "/playground": PERM_RW,
+            "/pub": PERM_RO,
         })
     if isLan(ip):
         if username == "anonymous":
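Review bot: The new doof binding copies `debug = true;` from the LAN binding, but this is the listener the comment says any client can reach, so whatever per-binding debug logging sftpgo emits (presumably per-command session detail) is now driven by unauthenticated internet peers and will dominate the log volume. Suggest `debug = false;` here once the WAN connectivity test from the commit message works, or a comment such as `# debug left on deliberately while WAN testing; turn off afterwards` so the intent is recorded. The `bindings` list this hunk extends begins before the hunk.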
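Review bot: `PERM_DENY = []` depends on sftpgo interpreting an empty permission list for a sub-directory as "no access", while the later `"/": PERM_LIST, #< REQUIRED` line in the same file shows the empty list is not accepted for the root; neither fact is recorded where the constants are defined, so a future reader may put PERM_DENY on `"/"` and get a rejected auth response instead of a locked-down user. Suggest a comment on the constant: `# empty list = no rights at all in that directory; sftpgo rejects it for "/" (use PERM_LIST there) -- verify against the deployed sftpgo version`.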
@@ -140,7 +144,18 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
             return mkAuthOk("anonymous", permissions = {
                 "/": PERM_RO,
                 "/playground": PERM_RW,
+                "/pub": PERM_RO,
             })
+    if username == "anonymous":
+        # anonymous users from the www can have even more limited access.
+        # mostly because i need an easy way to test WAN connectivity :-)
+        return mkAuthOk("anonymous", permissions = {
+            # "/": PERM_DENY,
+            "/": PERM_LIST, #< REQUIRED, even for lftp to list a subdir
+            "/media": PERM_DENY,
+            "/playground": PERM_DENY,
+            "/pub": PERM_RO,
+        })
     return authFail
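Review bot: The WAN-anonymous table at the end of the hunk is deny-by-exception: `/media` and `/playground` are explicitly emptied, but any directory mounted under the export root later will, if sftpgo resolves sub-directory rights from the nearest ancestor entry as I believe it does, inherit the `list` right granted on `"/"`, so its file names become enumerable from the internet without any change to this hook. The `"/": PERM_LIST` entry already discloses the top-level names `media` and `playground` to unauthenticated peers, which the banner change in this commit appears to accept, and `password` is never consulted in this branch, which matches the advertised anonymous/anonymous credentials but deserves a word in the comment. Suggest replacing the dead `# "/": PERM_DENY,` line with `# "/" must grant at least "list" and sub-dirs inherit it: EVERY new top-level export must be added here with PERM_DENY`. Note that this `if` sits at function level, so it is the catch-all for every address the isWireguard/isLan tests above did not match; getAuthResponse begins before this hunk.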