From b2bb4fc93697ae24be4701c95988330c193bc15e Mon Sep 17 00:00:00 2001
From: Ansgar Burchardt
Date: Fri, 1 Sep 2017 21:03:40 +0200
Subject: [PATCH] security upload ftp server: disallow directory listings and download
---
 modules/roles/manifests/security_upload.pp | 2 ++
 modules/vsftpd/manifests/site.pp | 2 ++
 modules/vsftpd/templates/vsftpd.conf.erb | 6 ++++++
 3 files changed, 10 insertions(+)
diff --git a/modules/roles/manifests/security_upload.pp b/modules/roles/manifests/security_upload.pp
index 4197940dc..cc1c097a4 100644
--- a/modules/roles/manifests/security_upload.pp
+++ b/modules/roles/manifests/security_upload.pp
@@ -10,6 +10,8 @@ class roles::security_upload {
 banner => 'ftp.security.upload.debian.org FTP server',
 logfile => '/var/log/ftp/vsftpd-security.upload.debian.org.log',
 writable => true,
+ readable => false,
+ listable => false,
 chown_user => dak-unpriv,
 root => '/srv/security.upload.debian.org/ftp',
 }
diff --git a/modules/vsftpd/manifests/site.pp b/modules/vsftpd/manifests/site.pp
index 543332515..352ca688c 100644
--- a/modules/vsftpd/manifests/site.pp
+++ b/modules/vsftpd/manifests/site.pp
@@ -4,6 +4,8 @@ define vsftpd::site (
 $chown_user='',
 $writable=false,
 $writable_other=false,
+ $readable=true,
+ $listable=true,
 $banner="${name} FTP Server",
 $max_clients=100,
 $logfile="/var/log/ftp/vsftpd-${name}.debian.org.log",
diff --git a/modules/vsftpd/templates/vsftpd.conf.erb b/modules/vsftpd/templates/vsftpd.conf.erb
index 5a09a5dd7..739efa3cb 100644
--- a/modules/vsftpd/templates/vsftpd.conf.erb
+++ b/modules/vsftpd/templates/vsftpd.conf.erb
@@ -16,6 +16,12 @@ chown_username=<%= scope.lookupvar('chown_user') %>
 anon_other_write_enable=YES
 delete_failed_uploads=YES
 <%- end -%>
+<%- if not scope.lookupvar('readable') -%>
+download_enable=NO
+<%- end -%>
+<%- if not scope.lookupvar('listable') -%>
+dirlist_enable=NO
+<%- end -%>
 xferlog_enable=YES
 xferlog_file=<%= scope.lookupvar('logfile') %>
-- 
2.20.1
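Review bot: The two new parameters `$readable` and `$listable` in the `vsftpd::site` define are added without any documentation, and since the define's other parameters are untyped it is not obvious from the signature that they are expected to be Puppet booleans rather than strings. I would add a comment above each, e.g. `# $readable: allow clients to fetch files (vsftpd download_enable); set to false for write-only drop boxes` and `# $listable: allow directory listings (vsftpd dirlist_enable); false hides what has been uploaded`. Note that the defaults are permissive (both true), which keeps existing sites unchanged but means every write-only site must opt out explicitly, as the security_upload role does in this commit. The `define vsftpd::site (` parameter list continues outside this hunk.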
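Review bot: The new `download_enable=NO` and `dirlist_enable=NO` directives are only emitted when the flag is false, so a rendered config for a readable site contains no line at all for either option and silently relies on vsftpd's built-in default of YES. Emitting the directive unconditionally makes the generated file self-describing and keeps it correct even if the packaged default changes: `download_enable=<%= scope.lookupvar('readable') ? 'YES' : 'NO' %>` and `dirlist_enable=<%= scope.lookupvar('listable') ? 'YES' : 'NO' %>`. Separately, `if not scope.lookupvar('readable')` is Ruby truthiness: if a caller ever passes the string `'false'` (or, presumably, an undef value depending on the Puppet version) the test would not be false and the directive would not be emitted, leaving downloads enabled on a host meant to be write-only; a guard that compares against `false` explicitly, or typed parameters in the define, would close that gap. The `<%- end -%>` at the top of the hunk closes an `if` block that begins outside the hunk.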