security upload ftp server: disallow directory listings and download

author Ansgar Burchardt <ansgar@debian.org>

Fri, 1 Sep 2017 19:03:40 +0000 (21:03 +0200)

committer Ansgar Burchardt <ansgar@debian.org>

Fri, 1 Sep 2017 19:10:29 +0000 (21:10 +0200)
author Ansgar Burchardt <ansgar@debian.org>
Fri, 1 Sep 2017 19:03:40 +0000 (21:03 +0200)
committer Ansgar Burchardt <ansgar@debian.org>
Fri, 1 Sep 2017 19:10:29 +0000 (21:10 +0200)
diff --git a/modules/roles/manifests/security_upload.pp b/modules/roles/manifests/security_upload.pp

index 4197940..cc1c097 100644 (file)
--- a/modules/roles/manifests/security_upload.pp
+++ b/modules/roles/manifests/security_upload.pp
@@ -10,6 +10,8 @@ class roles::security_upload {
                 banner     => 'ftp.security.upload.debian.org FTP server',
                 logfile    => '/var/log/ftp/vsftpd-security.upload.debian.org.log',
                 writable   => true,
+               readable   => false,
+               listable   => false,
                 chown_user => dak-unpriv,
                 root       => '/srv/security.upload.debian.org/ftp',
         }
diff --git a/modules/vsftpd/manifests/site.pp b/modules/vsftpd/manifests/site.pp

index 5433325..352ca68 100644 (file)
--- a/modules/vsftpd/manifests/site.pp
+++ b/modules/vsftpd/manifests/site.pp
@@ -4,6 +4,8 @@ define vsftpd::site (
         $chown_user='',
         $writable=false,
         $writable_other=false,
+       $readable=true,
+       $listable=true,
         $banner="${name} FTP Server",
         $max_clients=100,
         $logfile="/var/log/ftp/vsftpd-${name}.debian.org.log",
diff --git a/modules/vsftpd/templates/vsftpd.conf.erb b/modules/vsftpd/templates/vsftpd.conf.erb

index 5a09a5d..739efa3 100644 (file)
--- a/modules/vsftpd/templates/vsftpd.conf.erb
+++ b/modules/vsftpd/templates/vsftpd.conf.erb
@@ -16,6 +16,12 @@ chown_username=<%= scope.lookupvar('chown_user') %>
  anon_other_write_enable=YES
  delete_failed_uploads=YES
  <%- end -%>
+<%- if not scope.lookupvar('readable') -%>
+download_enable=NO
+<%- end -%>
+<%- if not scope.lookupvar('listable') -%>
+dirlist_enable=NO
+<%- end -%>
  
  xferlog_enable=YES
  xferlog_file=<%= scope.lookupvar('logfile') %>
author	Ansgar Burchardt <ansgar@debian.org>
	Fri, 1 Sep 2017 19:03:40 +0000 (21:03 +0200)
committer	Ansgar Burchardt <ansgar@debian.org>
	Fri, 1 Sep 2017 19:10:29 +0000 (21:10 +0200)
modules/roles/manifests/security_upload.pp		patch \| blob \| history
modules/vsftpd/manifests/site.pp		patch \| blob \| history
modules/vsftpd/templates/vsftpd.conf.erb		patch \| blob \| history