Commit fc539c9f authored by Paul Cammish's avatar Paul Cammish

Merge branch '6np-stretch-testing-patch-00935' into 'stretch-testing'

6np stretch testing patch 00935

See merge request !202
parents 1dd35394 1a06f1dd
CHANGELOG
---------
2020-05-12
sympl-core
* Added functionality to the sympl cli for managing FTP users
2020-05-10
sympl-core
* Remove debug output from sympl-filesystem-security
......@@ -87,9 +87,20 @@ _is_domain() {
}
_is_email() {
_debug "Checking if '$1' is a valid email address..."
if [ "$1" == "all" ]; then _error "Please specify an email address."; fi
_debug "Checking if '$1' is a valid email address..."
readarray -d @ -t part < <(printf '%s' "$1")
_is_domain ${part[1]}
_debug "Checking if '${part[0]}' is valid"
if [[ ${part[0]} =~ ^[0-9a-zA-Z._%+-]+$ ]]; then
_debug "'${part[0]}' is valid"
else
_error "'${part[0]}' is not valid a valid mailbox name."
fi
}
_is_database() {
......@@ -265,6 +276,7 @@ _web_audit() {
if [ "$1" != "all" ]; then _is_domain $1 ; fi
( umask 077; touch /dev/shm/sympl_web_audit )
find /srv/*/public/ -type d -name '*htdocs' > /dev/shm/sympl_web_audit
_verbose "Enabled sites:"
......@@ -273,6 +285,7 @@ _web_audit() {
_verbose "Disabled sites:"
grep __disabled__ /dev/shm/sympl_web_audit | cut -d '/' -f 3 | sort
rm /dev/shm/sympl_web_audit
}
_web_set() {
......@@ -468,31 +481,380 @@ _mail_audit() {
##############################################################################
_ftp_none() {
_noop
echo "Sympl FTP command line interface
Usage: sympl ftp [action] [target|user@target]
Where action is one of:
create, enable, disable, reset, destroy, set, audit
And target is the domain or user to work on.
Where create is the action:
the domain folder will be created if it is not already present
Where enable is the action:
the password will be enabled if disabled and set if not present
Where disable is the action:
FTP Access will be disabled for per-domain or user access
Where reset is the action:
The password will be reset either per-domain or per-user, even if the
domain or user are disabled
Where destroy is the action:
FTP Access will be removed for both per-domain and per-user access assuming
accounts have been disabled
Where set is the action:
you can restrict per-user access for the user to a specific folder (by
default access is granted to the root of the public folder for that domain)
or by quota. the '-' character can be used to clear the set value for both
the folder and the quota so the folder reverts back to the domains public
folder and the quota reverts back to unlimited.
Examples:
sympl ftp create example.com
sympl ftp enable example.com
sympl ftp disable example.com
sympl ftp destroy user2@example.com
sympl ftp audit all|example.com
sympl ftp enable user1@example.com
sympl ftp reset user2@example.com
sympl ftp set folder <folder name> user2@example.com
sympl ftp set quota <10K|M|G> user2@example.com
"
}
_ftp_create() {
_noop
if [[ "$1" =~ .*"@".* ]]; then
_is_email $1
readarray -d @ -t part < <(printf '%s' "$1")
mailbox=${part[0]}
domain=${part[1]}
else
_is_domain $1
domain=$1
fi
_debug "Check for disabled sites"
if [ -d /srv/__disabled__$domain/public ]; then
_error "The domain '$domain' is disabled. Use 'sympl enable $domain' to enable it."
fi
_debug "Check to see if '$domain' already exists"
if [ -d /srv/$domain/public ]; then
_error "$domain Already exists. No need to continue"
fi
_verbose "Creating FTP folder for '$domain' at /srv/$domain/public/"
mkdir -p "/srv/$domain/public"
chmod -R 2775 "/srv/$domain/public" > /dev/null 2>&1
chown -R sympl: "/srv/$domain/public" > /dev/null
}
_ftp_enable() {
_noop
if [[ "$1" =~ .*"@".* ]]; then
_is_email $1
readarray -d @ -t part < <(printf '%s' "$1")
mailbox=${part[0]}
domain=${part[1]}
else
_is_domain $1
domain=$1
fi
_debug "Check if domain is set up"
if [ ! -d /srv/$domain ]; then
_error "The domain $domain does not exist."
fi
_debug "Check if the domains config folder exists"
if [ ! -d /srv/$domain/config ]; then
_verbose "Creating the config folder for domain '$domain'."
mkdir -p /srv/$domain/config
fi
if [ "x$mailbox" != "x" ]; then
_debug "Check for the ftp-users file and create a blank one if it is absent."
if [ ! -f /srv/$domain/config/ftp-users ]; then
_verbose "Setting up ftp-users file"
echo "#username:password:folder:quota" > /srv/$domain/config/ftp-users
chown sympl: /srv/$domain/config/ftp-users
fi
_debug "Checking for user $mailbox in domain $domain"
if [ "$( grep -R ^$mailbox: /srv/$domain/config/ftp-users )" ]; then
_error "FTP user $mailbox already enabled on domain $domain."
elif [ "$( grep -R ^#$mailbox: /srv/$domain/config/ftp-users )" ]; then
_verbose "Enabling disabled user '$mailbox' on domain '$domain'."
sed -ri "/^#$mailbox/s/#//" /srv/$domain/config/ftp-users
else
_verbose "Adding user '$mailbox' to domain '$domain'."
password="$( openssl rand -base64 32 | sed 's/\///g' | cut -c 1-32 )"
echo "$mailbox:$password" >> /srv/$domain/config/ftp-users
fi
else
_debug "Check if per-domain access is already enabled"
if [ -f /srv/$domain/config/ftp-password ]; then
_error "The domain $domain is already enabled for FTP access, to reset the pasword use <sympl ftp reset $domain>."
fi
_debug "Check for disabled per-domain access for '$domain'"
if [ -f /srv/$domain/config/__disabled__ftp-password ]; then
_verbose "Re-enabling per-domain ftp access for $domain."
mv /srv/$domain/config/__disabled__ftp-password /srv/$domain/config/ftp-password
else
_verbose "Setting per-domain FTP password for '$domain'"
password="$( openssl rand -base64 32 | cut -c 1-32 )"
_debug "Password '$password' for user $domain on domain $domain;"
echo "$password" > /srv/$domain/config/ftp-password
_verbose "Access created for '$domain' with password '$password'"
chown sympl: "/srv/$domain/config/ftp-password"
fi
fi
}
_ftp_disable() {
_noop
if [[ "$1" =~ .*"@".* ]]; then
_is_email $1
readarray -d @ -t part < <(printf '%s' "$1")
mailbox=${part[0]}
domain=${part[1]}
else
_is_domain $1
domain=$1
fi
if [ ! -d /srv/$domain ]; then
_error "The domain '$domain' does not exist."
fi
if [ "x$mailbox" != "x" ]; then
_debug "Checking for user $mailbox in domain $domain"
if [ "$( grep -R ^#$mailbox: /srv/$domain/config/ftp-users )" ]; then
_error "FTP user $mailbox already disabled on domain $domain."
elif [ "$( grep -R ^$mailbox: /srv/$domain/config/ftp-users )" ]; then
_verbose "Disabling user '$mailbox' on domain '$domain'."
sed -ri "s/(^$mailbox:)/#\1/" /srv/$domain/config/ftp-users
return 0;
else
_error "User '$mailbox' not found for domain '$domain'."
fi
else
_debug "Checking per-domain ftp access for $domain is enabled and exists"
if [ -f /srv/$domain/config/__disabled__ftp-password ]; then
_error "The per-domain ftp access for $domain is already disabled."
elif [ ! -f /srv/$domain/config/ftp-password ]; then
_error "The per-domain ftp access for $domain does not exist."
fi
_verbose "Disabling per-domain FTP access for $domain"
mv /srv/$domain/config/ftp-password /srv/$domain/config/__disabled__ftp-password
fi
}
_ftp_reset() {
if [[ "$1" =~ .*"@".* ]]; then
_is_email $1
readarray -d @ -t part < <(printf '%s' "$1")
mailbox=${part[0]}
domain=${part[1]}
else
_is_domain $1
domain=$1
fi
if [ -d /srv/$domain ]; then
_error "The domain '$domain' does not exist."
fi
if [ "x$mailbox" != "x" ]; then
_debug "Checking for per user access on domain '$domain'"
password="$( openssl rand -base64 32 | sed 's/\///g' | cut -c 1-32 )"
if [ ! -f /srv/$domain/config/ftp-users ]; then
_error "per user access not set up for domain '$domain'. please use <sympl ftp enable $mailbox@$domain>."
elif [ "$( grep -R ^#*$mailbox: /srv/$domain/config/ftp-users )" ]; then
if [ "$( grep -R ^#$mailbox: /srv/$domain/config/ftp-users )" ]; then
_verbose "Resetting password for disabled user '$mailbox' on '$domain' to '$password'."
else
_verbose "Resetting password for '$mailbox' on '$domain' to '$password'."
fi
sed -ri "s/(^#*$mailbox:)[^:]*(.*)/\1$password\2/" /srv/$domain/config/ftp-users
return 0;
else
_error "User '$mailbox' not foung for per-user access on domain '$domain'."
fi
else
_debug "Resetting the per-domain access password for $domain"
password="$( openssl rand -base64 26 | cut -c 1-32 )"
_debug "Checking if per-domain ftp access for $domain exists"
if [ -f /srv/$domain/config/__disabled__ftp-password ]; then
_debug "The per-domain ftp access for $domain is disabled. Resetting password"
echo "$password" > /srv/$domain/config/__disabled__ftp-password
_verbose "Setting the disabled per-domain FTP access password for '$domain' to $password"
return 0;
elif [ ! -f /srv/$domain/config/ftp-password ]; then
_error "The per-domain ftp access for $domain does not exist."
fi
_verbose "Resetting the password for per-domain FTP access for $domain"
printf '%s' "$password" > /srv/$domain/config/ftp-password
fi
}
_ftp_destroy() {
_noop
if [[ "$1" =~ .*"@".* ]]; then
_is_email $1
readarray -d @ -t part < <(printf '%s' "$1")
mailbox=${part[0]}
domain=${part[1]}
else
_is_domain $1
domain=$1
fi
if [ ! -d /srv/$domain ]; then
_error "The domain '$domain' does not exist."
fi
if [ "x$mailbox" != "x" ]; then
_debug "Confirm '$mailbox' is disabled and exists."
if [ "$( grep -R ^$mailbox: /srv/$domain/config/ftp-users )" ]; then
_error "The user '$mailbox' is enabled for domain '$domain'. It must be disabled before it can be destroyed."
elif [ "$( grep -R ^#mailbox: /srv/$domain/config/ftp-users )" ]; then
_verbose "destroying user '$mailbox' for domain '$domain'."
sed -ri "/^#$mailbox:/d" /srv/$domain/config/ftp-users
return 0;
elif [ ! -f /srv/$domain/config/ftp-users ]; then
_error "Per-user access is not set up for the domain '$domain'."
else
_error "User '$mailbox' not found for domain '$domain'"
fi
else
_debug "Confirm '$domain' is disabled and exists"
if [ -f /srv/$domain/config/ftp-password ]; then
_error "The ftp access for '$domain' is enabled. It must be disabled before it can be destroyed."
elif [ ! -f /srv/$domain/config/__disabled__ftp-password ]; then
_error "The ftp access for '$domain' does not exist."
fi
_verbose "Destroying /srv/$domain/config/__disabled__ftp-password..."
rm -r /srv/$domain/config/__disabled__ftp-password
fi
}
_ftp_set() {
_noop
_is_email $1
readarray -d @ -t part < <(printf '%s' "$1")
mailbox=${part[0]}
domain=${part[1]}
if [ -z "$3" ]; then
_error "Set requires quota or folder to have a size or location argument"
fi
_debug "Check if domain is set up for FTP"
if [ ! -d /srv/$domain ]; then
_error "The domain $domain does not exist."
elif [ ! -d /srv/$domain/public ]; then
_error "The domain $domain is not set up for FTP access. Please use <sympl ftp create $domain>"
fi
_debug "Check if the domains config folder exists"
if [ ! -d /srv/$domain/config ]; then
_verbose "Creating the config folder for domain $domain."
mkdir -p /srv/$domain/config
fi
if [[ "$2" == "folder" ]]; then
_debug "Checking for user $mailbox"
if [ "$3" == "-" ]; then set -- "${@:1:2}"; fi
if [ "$( grep -R ^#*$mailbox: /srv/$domain/config/ftp-users )" ]; then
_debug "Setting folder for $mailbox on $domain to $3"
while read line; do
readarray -d : -t item < <(printf '%s' "$line")
sed -ri "s/(^#*$mailbox:).*/\1${item[1]}:$3:${item[3]}/" /srv/$domain/config/ftp-users
done <<< $( grep -R "^#*$mailbox:" /srv/$domain/config/ftp-users )
_verbose "Folder reset for '$mailbox' on domain '$domain' to '$3'"
return 0;
else
_error "User $mailbox not found in configuration, please use <sympl ftp enable username@domain>."
fi
fi
if [[ "$2" == "quota" ]]; then
_debug "Checking for user $mailbox"
if [ "$3" == "-" ]; then set -- "${@:1:2}"; fi
if [ "$( grep -R ^#*$mailbox: /srv/$domain/config/ftp-users )" ]; then
_debug "Setting quota for $mailbox on $domain to $3"
while read line; do
readarray -d : -t item < <(printf '%s' "$line")
sed -ri "s/(^#*$mailbox:).*/\1${item[1]}:${item[2]}:$3/" /srv/$domain/config/ftp-users
done <<< $( grep -R "^#*$mailbox:" /srv/$domain/config/ftp-users )
_verbose "Quota reset for '$mailbox' on domain '$domain' to '$3'"
return 0;
else
_error "User $mailbox not found in configuration, please use <sympl ftp set username@domain>."
fi
fi
}
_ftp_audit() {
_noop
if [ "$1" != "all" ]; then _is_domain $1 ; else set "*"; fi
( umask 077; touch /dev/shm/sympl_ftp_audit )
find /srv/$1/config/ -type f -name '*ftp-password' > /dev/shm/sympl_ftp_audit
find /srv/$1/config/ -type f -name 'ftp-users' >> /dev/shm/sympl_ftp_audit
_verbose "Enabled per-domain access:"
dom=$( grep '/ftp-password' /dev/shm/sympl_ftp_audit | cut -d '/' -f 3 | sort )
[ -z "$dom" ] && echo "None found." || echo "$dom"; unset dom
_verbose "Disabled per-domain access:"
dom=$( grep __disabled__ftp-password /dev/shm/sympl_ftp_audit | cut -d '/' -f 3 | sort )
[ -z "$dom" ] && echo "None found." || echo "$dom"; unset dom
for domain in $( grep ftp-users /dev/shm/sympl_ftp_audit | cut -d '/' -f 3 | sort ); do
_verbose "Per-user access exists for domain $domain:"
printf '\t%-25s%-10s%-10s\n' "<username>" "<folder>" "<quota>"
while read line; do
readarray -d : -t item <<< "$line"
printf '\t%-25s%-10s%-10s\n' "${item[0]}@$domain" "${item[2]}" "${item[3]::-1}"
done <<< $( sed '/^#.*username/d' /srv/$domain/config/ftp-users )
done
_debug "Cleaning up audit file"
rm /dev/shm/sympl_ftp_audit
}
_ftp_update() {
......@@ -503,6 +865,7 @@ _ftp_update() {
# Backup #
##############################################################################
_backup_none() {
_noop
}
......@@ -622,6 +985,7 @@ _main() {
enable) _action 'enable' ; shift ;;
disable) _action 'disable' ; shift ;;
audit|list) _action 'audit' ; shift ;;
reset) _action 'reset' ; shift ;;
update|upgrade) _action 'update' ; shift ;;
set) _action 'set' "$2" "$3" ; shift ; shift ; shift ;;
*) # unhandled parameter
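Review bot: In the fourth hunk (`@@ -468,31 +481,380 @@`) the existence check at the top of _ftp_reset is inverted — `if [ -d /srv/$domain ]; then _error "The domain '$domain' does not exist."` aborts for every domain that does exist, so a reset can never proceed; it should read `if [ ! -d /srv/$domain ]; then` as _ftp_enable, _ftp_disable and _ftp_destroy already do. In the same hunk, _ftp_destroy tests for a disabled user with `grep -R ^#mailbox:`, which is missing the `$` before `mailbox`, so a disabled user is always reported as not found instead of being removed. The mailbox name and the folder argument are interpolated unescaped into grep patterns and sed expressions throughout these functions (for example `sed -ri "s/(^#*$mailbox:).*/\1${item[1]}:$3:${item[3]}/"`): the validated mailbox charset allows `.` and `+`, so `a.b` also matches another user's `axb` line, and a folder value containing `/`, `&` or `\` breaks or rewrites the sed script — match with fixed strings (`grep -F`) and escape or avoid sed for the replacement. The ftp-password and ftp-users files are written with the caller's umask and only chown'd afterwards, so unless sympl-filesystem-security tightens them later the plaintext FTP passwords start out with default (typically 0644) permissions; wrapping the writes in `umask 077` or adding `chmod 0640` at creation, and dropping the `_debug "Password '$password' …"` line that echoes the secret to debug output, would close that.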
sympl-core (9.0.200512.0) stable; urgency=low
* Added functionality to the sympl cli for FTP user management
-- Doug Targett <dougtargett@gmail.com> Tue, 05 May 2020 17:55:30 +0100
sympl-core (9.0.200510.0) stable; urgency=medium
* Remove debug output from sympl-filesystem-security