From: Ansgar Burchardt
Date: Fri, 1 Sep 2017 19:03:40 +0000 (+0200)
Subject: security upload ftp server: disallow directory listings and download
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=b2bb4fc93697ae24be4701c95988330c193bc15e;p=mirror%2Fdsa-puppet.git

security upload ftp server: disallow directory listings and download
---
diff --git a/modules/roles/manifests/security_upload.pp b/modules/roles/manifests/security_upload.pp
index 4197940dc..cc1c097a4 100644
--- a/modules/roles/manifests/security_upload.pp
+++ b/modules/roles/manifests/security_upload.pp
@@ -10,6 +10,8 @@ class roles::security_upload {
 banner => 'ftp.security.upload.debian.org FTP server',
 logfile => '/var/log/ftp/vsftpd-security.upload.debian.org.log',
 writable => true,
+ readable => false,
+ listable => false,
 chown_user => dak-unpriv,
 root => '/srv/security.upload.debian.org/ftp',
 }
diff --git a/modules/vsftpd/manifests/site.pp b/modules/vsftpd/manifests/site.pp
index 543332515..352ca688c 100644
--- a/modules/vsftpd/manifests/site.pp
+++ b/modules/vsftpd/manifests/site.pp
@@ -4,6 +4,8 @@ define vsftpd::site (
 $chown_user='',
 $writable=false,
 $writable_other=false,
+ $readable=true,
+ $listable=true,
 $banner="${name} FTP Server",
 $max_clients=100,
 $logfile="/var/log/ftp/vsftpd-${name}.debian.org.log",
diff --git a/modules/vsftpd/templates/vsftpd.conf.erb b/modules/vsftpd/templates/vsftpd.conf.erb
index 5a09a5dd7..739efa3cb 100644
--- a/modules/vsftpd/templates/vsftpd.conf.erb
+++ b/modules/vsftpd/templates/vsftpd.conf.erb
@@ -16,6 +16,12 @@ chown_username=<%= scope.lookupvar('chown_user') %>
 anon_other_write_enable=YES
 delete_failed_uploads=YES
 <%- end -%>
+<%- if not scope.lookupvar('readable') -%>
+download_enable=NO
+<%- end -%>
+<%- if not scope.lookupvar('listable') -%>
+dirlist_enable=NO
+<%- end -%>
 xferlog_enable=YES
 xferlog_file=<%= scope.lookupvar('logfile') %>
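Review bot: The two new arguments in roles::security_upload carry no explanation of why this one site stays writable while reads and listings are switched off, which is exactly the property the commit exists to enforce and the first thing a later editor is tempted to align with the define's permissive defaults. A one-line comment above `readable => false,` would pin it down, e.g. `# drop-box only: files in the queue must never be fetched or enumerated by other FTP clients`. The vsftpd::site resource declaration starts before this hunk, so the comment belongs inside that resource body.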
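Review bot: `$readable=true` and `$listable=true` are untyped parameters whose only consumer is a Ruby `if not` in the template, so a caller that passes the string `'false'` (for example a quoted value coming out of hiera) is truthy in Ruby and silently leaves downloads and listings enabled, which is the wrong direction to fail in. If this module already depends on puppetlabs-stdlib, adding `validate_bool($readable)` and `validate_bool($listable)` in the define body would reject that at catalog compile time; otherwise the expected type should at least be documented. If the define has a doc header above this hunk it should gain entries for both, e.g. `# $readable: allow clients to RETR files under $root (default true)` and `# $listable: allow LIST/NLST of directories (default true)`. The parameter list continues past the end of this hunk.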
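Review bot: The two new blocks emit `download_enable=NO` and `dirlist_enable=NO` only when the flag is false and otherwise say nothing, so the rendered vsftpd.conf relies on the daemon's compiled-in defaults and an operator reading the file on the host cannot tell whether downloads were deliberately left on. Emitting the option in both cases makes the intent explicit, and comparing against `true` rather than using Ruby truthiness makes any non-boolean value fail closed: `download_enable=<%= scope.lookupvar('readable') == true ? 'YES' : 'NO' %>` and `dirlist_enable=<%= scope.lookupvar('listable') == true ? 'YES' : 'NO' %>`. As far as I can tell these two options govern RETR and LIST/NLST only; whether other commands can still confirm that a guessed filename exists in the upload directory is not settled by this hunk and is worth checking separately for a drop-box site.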