servo: sftpgo: allow fully-anonymous www read access to /pub
this will help me write automated tests for the server's availability
This commit is contained in:
parent
891a29feeb
commit
5a63f294c0
|
@ -12,6 +12,10 @@
|
||||||
device = "/var/media";
|
device = "/var/media";
|
||||||
options = [ "rbind" ];
|
options = [ "rbind" ];
|
||||||
};
|
};
|
||||||
|
fileSystems."/var/export/pub" = {
|
||||||
|
device = "/var/www/sites/uninsane.org/share";
|
||||||
|
options = [ "rbind" ];
|
||||||
|
};
|
||||||
# fileSystems."/var/export/playground" = {
|
# fileSystems."/var/export/playground" = {
|
||||||
# device = config.fileSystems."/mnt/persist/ext".device;
|
# device = config.fileSystems."/mnt/persist/ext".device;
|
||||||
# fsType = "btrfs";
|
# fsType = "btrfs";
|
||||||
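Review bot: The new `fileSystems."/var/export/pub"` bind mount carries only `rbind`, so the read-only status this commit advertises for pub/ (hunk 2's "pub/ read-only" text and the banner in hunk 4) is enforced solely by the sftpgo permission table; anything else that reaches /var/export/pub — the NFS export the banner mentions, local processes — sees a writable view of `/var/www/sites/uninsane.org/share`, and whether the NFS export of this path is read-only is not visible in the diff. If the intent is that no path through /var/export can modify the www share, make the mount itself read-only, `options = [ "rbind" "ro" ];`, and check that the generated mount unit actually applies the `ro` flag, since read-only bind mounts historically needed a remount step. A one-line comment on the mount stating which layer is responsible for read-only enforcement would also help the next person who adds an export here.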
|
@ -37,7 +41,8 @@
|
||||||
wantedBy = [ "nfs.service" "sftpgo.service" ];
|
wantedBy = [ "nfs.service" "sftpgo.service" ];
|
||||||
file.text = ''
|
file.text = ''
|
||||||
- media/ read-only: Videos, Music, Books, etc
|
- media/ read-only: Videos, Music, Books, etc
|
||||||
- playground/ read-write: use it to share files with other users of this server
|
- playground/ read-write: use it to share files with other users of this server, inaccessible from the www
|
||||||
|
- pub/ read-only: content made to be shared with the www
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -103,6 +103,13 @@ in
|
||||||
debug = true;
|
debug = true;
|
||||||
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
|
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
# binding this means any doof client can connect (TLS only)
|
||||||
|
address = config.sane.netns.doof.hostVethIpv4;
|
||||||
|
port = 990;
|
||||||
|
debug = true;
|
||||||
|
tls_mode = 2; # 2 = "implicit FTPS": client negotiates TLS before any FTP command.
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
# active mode is susceptible to "bounce attacks", without much benefit over passive mode
|
# active mode is susceptible to "bounce attacks", without much benefit over passive mode
|
||||||
|
@ -119,7 +126,7 @@ in
|
||||||
banner = ''
|
banner = ''
|
||||||
Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only.
|
Welcome, friends, to Colin's FTP server! Also available via NFS on the same host, but LAN-only.
|
||||||
|
|
||||||
Read-only access (LAN-restricted):
|
Read-only access (LAN clients see everything; WAN clients can only see /pub):
|
||||||
Username: "anonymous"
|
Username: "anonymous"
|
||||||
Password: "anonymous"
|
Password: "anonymous"
|
||||||
|
|
||||||
|
|
|
@ -45,6 +45,8 @@ from hmac import compare_digest
|
||||||
|
|
||||||
authFail = dict(username="")
|
authFail = dict(username="")
|
||||||
|
|
||||||
|
PERM_DENY = []
|
||||||
|
PERM_LIST = [ "list" ]
|
||||||
PERM_RO = [ "list", "download" ]
|
PERM_RO = [ "list", "download" ]
|
||||||
PERM_RW = [
|
PERM_RW = [
|
||||||
# read-only:
|
# read-only:
|
||||||
|
@ -127,12 +129,14 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
|
||||||
return mkAuthOk(username, permissions = {
|
return mkAuthOk(username, permissions = {
|
||||||
"/": PERM_RW,
|
"/": PERM_RW,
|
||||||
"/playground": PERM_RW,
|
"/playground": PERM_RW,
|
||||||
|
"/pub": PERM_RO,
|
||||||
})
|
})
|
||||||
if isWireguard(ip):
|
if isWireguard(ip):
|
||||||
# allow any user from wireguard
|
# allow any user from wireguard
|
||||||
return mkAuthOk(username, permissions = {
|
return mkAuthOk(username, permissions = {
|
||||||
"/": PERM_RW,
|
"/": PERM_RW,
|
||||||
"/playground": PERM_RW,
|
"/playground": PERM_RW,
|
||||||
|
"/pub": PERM_RO,
|
||||||
})
|
})
|
||||||
if isLan(ip):
|
if isLan(ip):
|
||||||
if username == "anonymous":
|
if username == "anonymous":
|
||||||
|
@ -140,6 +144,17 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
|
||||||
return mkAuthOk("anonymous", permissions = {
|
return mkAuthOk("anonymous", permissions = {
|
||||||
"/": PERM_RO,
|
"/": PERM_RO,
|
||||||
"/playground": PERM_RW,
|
"/playground": PERM_RW,
|
||||||
|
"/pub": PERM_RO,
|
||||||
|
})
|
||||||
|
if username == "anonymous":
|
||||||
|
# anonymous users from the www can have even more limited access.
|
||||||
|
# mostly because i need an easy way to test WAN connectivity :-)
|
||||||
|
return mkAuthOk("anonymous", permissions = {
|
||||||
|
# "/": PERM_DENY,
|
||||||
|
"/": PERM_LIST, #< REQUIRED, even for lftp to list a subdir
|
||||||
|
"/media": PERM_DENY,
|
||||||
|
"/playground": PERM_DENY,
|
||||||
|
"/pub": PERM_RO,
|
||||||
})
|
})
|
||||||
|
|
||||||
return authFail
|
return authFail
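Review bot: The new www-anonymous permission map is a deny-list: `/` grants `list` and only `/media` and `/playground` are explicitly denied, so any further top-level export added under /var/export later (as this same commit does for pub) becomes listable by unauthenticated internet clients unless someone remembers to add a `PERM_DENY` entry here, assuming sftpgo applies the most specific path entry as I understand it does. A comment next to the map would make that maintenance burden explicit, e.g. `# deny-list: every top-level export must be listed with PERM_DENY here, or www clients can list it`, and the commented-out `# "/": PERM_DENY,` line can go since the `#< REQUIRED` comment on the next line already explains the choice. The rendering drops indentation, so I cannot confirm that the new `if username == "anonymous":` block sits at function level outside `if isLan(ip):` rather than inside it; please verify, since inside the LAN block it would be unreachable for www clients. getAuthResponse starts outside the hunk.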
|
||||||
|
|