pure-ftpd-wrapper

1. #! /usr/bin/perl
2. #
3. # Copyright 2002,2003,2004,2005,2007,2009,2010,2011 by Stefan Hornburg (Racke) <racke@linuxia.de>
4. #
5. # This program is free software; you can redistribute it and/or modify
6. # it under the terms of the GNU General Public License as published by
7. # the Free Software Foundation; either version 2 of the License, or
8. # (at your option) any later version.
9. #
10. # This program is distributed in the hope that it will be useful,
11. # but WITHOUT ANY WARRANTY; without even the implied warranty of
12. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13. # GNU General Public License for more details.
14. #
15. # You should have received a copy of the GNU General Public
16. # License along with this program; if not, write to the Free
17. # Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
18. # MA  02111-1307  USA.
19.  
20. use strict;
21. use warnings;
22.  
23. use File::Basename;
24. use File::Spec;
25.  
26. my $daemon = '/usr/sbin/pure-ftpd';
27. my @capabilities = @ARGV;
28.  
29. if ($ARGV[0]) {
30.     $daemon = "$daemon-$ARGV[0]";
31. }
32.  
33. # configuration schema
34. #
35. # fields of the array:
36. # 0. option name
37. # 1. parser
38. # 2. priority
39. #
40. # SysLogFacility has the highest priority, because we want to
41. # avoid to log to the wrong location (see pure-ftpd manpage).
42.  
43. my %conf = ('AllowAnonymousFXP' => ['-W'],
44.             'AllowDotFiles' => ['-z'],
45.             'AllowUserFXP' => ['-w'],
46.             'AltLog' => ['-O %s', \&parse_string],
47.             'AnonymousBandwidth' => ['-t %s', \&parse_number_1_2],
48.             'AnonymousCanCreateDirs' => ['-M'],
49.             'AnonymousCantUpload' => ['-i'],
50.             'AnonymousOnly', => ['-e'],
51.             'AnonymousRatio' => ['-q %d:%d', \&parse_number_2],
52.             'AntiWarez' => ['-s'],
53.             'AutoRename' => ['-r'],
54.             'Bind' => ['-S %s', \&parse_string],
55.             'BrokenClientsCompatibility' => ['-b'],
56.             'CallUploadScript' => ['-o'],
57.             'ChrootEveryone' => ['-A'],
58.             'CreateHomeDir' => ['-j'],
59.             'CustomerProof' => ['-Z'],
60.             'Daemonize' => ['-B'],
61.             'DisplayDotFiles' => ['-D'],
62.             'DontResolve' => ['-H'],
63.             'ForcePassiveIP' => ['-P %s', \&parse_string],
64.             'FortunesFile' => ['-F %s', \&parse_filename],
65.             'FSCharset' => ['-8 %s', \&parse_string],
66.             'ClientCharset' => ['-9 %s', \&parse_string],
67.             'IPV4Only' => ['-4'],
68.             'IPV6Only' => ['-6'],
69.             'KeepAllFiles' => ['-K'],
70.             'LimitRecursion' => ['-L %d:%d', \&parse_number_2_unlimited],
71.             'LogPID' => ['-1'],
72.             'MaxClientsNumber' => ['-c %d', \&parse_number_1],
73.             'MaxClientsPerIP' => ['-C %d', \&parse_number_1],
74.             'MaxDiskUsage' => ['-k %d', \&parse_number_1],
75.             'MaxIdleTime' => ['-I %d', \&parse_number_1],
76.             'MaxLoad' => ['-m %d', \&parse_number_1],
77.             'MinUID' => ['-u %d', \&parse_number_1],
78.             'NATmode' => ['-N'],
79.             'NoAnonymous' => ['-E'],
80.             'NoChmod' => ['-R'],
81.             'NoRename' => ['-G'],
82.             'NoTruncate' => ['-0'],
83.             'PassivePortRange' => ['-p %d:%d', \&parse_number_2],
84.             'PerUserLimits' => ['-y %d:%d', \&parse_number_2],
85.             'ProhibitDotFilesRead' => ['-X'],
86.             'ProhibitDotFilesWrite' => ['-x'],
87.             'Quota' => ['-n %d:%d', \&parse_number_2],
88.             'SyslogFacility' => ['-f %s', \&parse_word, 99],
89.             'TLS' => ['-Y %d', \&parse_number_1],
90.             'TrustedGID' => ['-a %d', \&parse_number_1],
91.             'TrustedIP' => ['-V %s', \&parse_ip],
92.             'Umask' => ['-U %s:%s', \&parse_umask],
93.             'UserBandwidth' => ['-T %s', \&parse_number_1_2],
94.             'UserRatio' => ['-Q %d:%d', \&parse_number_2],
95.             'VerboseLog' => ['-d'],
96.             );
97.  
98. my %authconf = ('ExtAuth' => ['extauth:%s', \&parse_sockname],
99.                 'LDAPConfigFile' => ['ldap:%s', \&parse_filename, 0,
100.                                          'ldap'],
101.                 'MySQLConfigFile' => ['mysql:%s', \&parse_filename, 0,
102.                                       'mysql'],
103.                 'PGSQLConfigFile' => ['pgsql:%s', \&parse_filename, 0,
104.                                       'postgresql'],
105.                 'PAMAuthentication' => ['pam'],
106.                 'PureDB' => ['puredb:%s', \&parse_filename],
107.                 'UnixAuthentication' => ['unix'],
108.                );
109.                
110. # examine all configuration files in /etc/pure-ftpd/conf
111.  
112. my @conffiles;
113.  
114. opendir (ETCCONF, '/etc/pure-ftpd/conf')
115.     || die "$0: Couldn't examine directory /etc/pure-ftpd/conf: $!\n";
116. @conffiles = readdir (ETCCONF);
117. closedir (ETCCONF);
118.  
119. # examine authentication files in /etc/pure-ftpd/auth
120.  
121. my @authfiles;
122.  
123. opendir (ETCAUTH, '/etc/pure-ftpd/auth')
124.     || die "$0: Couldn't examine directory /etc/pure-ftpd/auth: $!\n";
125. @authfiles = sort (grep {-l "/etc/pure-ftpd/auth/$_"} readdir (ETCAUTH));
126. closedir (ETCAUTH);
127.  
128. my ($file, $cref, $name);
129. my (@options, $option, $ret);
130.  
131. for my $authname (@authfiles) {
132.     # check if corresponding file exists
133.     next unless $file = readlink("/etc/pure-ftpd/auth/$authname");
134.     unless (File::Spec->file_name_is_absolute($file)) {
135.         $file = File::Spec->catfile('/etc/pure-ftpd/auth',$file);
136.     }
137.     next unless -f $file;
138.    
139.     # check if configuration directive exists
140.     $name = basename($file);
141.  
142.     # check if we have the right capability for this authentication method
143.     next if $authconf{$authname}->[3] && ! grep {$authconf{$authname}->[3] eq $_} @capabilities;
144.    
145.     if ($ret = parse_file(\%authconf, $file, $name)) {
146.         $ret->[0] = "-l $ret->[0]";
147.         push (@options, $ret);
148.     }
149. }
150.  
151.  
152. for (@conffiles) {
153.     # simply skip files with non-word/non-numeric characters
154.     next unless /^[A-Za-z][A-Za-z0-9]+$/;
155.  
156.     # skip authentication configuration files
157.     next if exists $authconf{$_};
158.    
159.     $file = "/etc/pure-ftpd/conf/$_";
160.     if ($ret = parse_file(\%conf, $file, $_)) {
161.         push (@options, $ret);
162.     }
163. }
164.  
165. @options = map {split(/ /, $_->[0], 2)} (sort {$b->[1] <=> $a->[1]} @options);
166.  
167. if (exists $ENV{STANDALONE_OR_INETD} && $ENV{STANDALONE_OR_INETD} eq 'standalone') {
168.     push (@options, '-B');
169.     print "Running: $daemon ", join (' ', @options), "\n";
170. }
171.  
172. # force PID file to /var/run/pure-ftpd/pure-ftpd.pid
173. push(@options, '-g', '/var/run/pure-ftpd/pure-ftpd.pid');
174.  
175. exec { $daemon } ($daemon, @options) or die "$0: Cannot exec $daemon: $!";
176.  
177. sub parse_file {
178.     my ($cref, $file, $option) = @_;
179.     my @lines;
180.  
181.     unless (exists $cref->{$option}) {
182.         die "$0: Invalid configuration file $file: No corresponding directive\n";
183.     }
184.  
185.     open (FILE, $file)
186.         || die "$0: Couldn't open configuration file $file: $!\n";
187.     while (<FILE>) {
188.         next unless /\S/;
189.         s/^\s+//;
190.         s/\s+$//;
191.         next if /^\#/;
192.         push (@lines, $_);
193.     }
194.     close (FILE);
195.    
196.     # call parser
197.     for my $line (@lines) {
198.         my $buf = '';
199.  
200.         if (defined $cref->{$option}->[1]) {
201.             $ret = $cref->{$option}->[1]->(\$buf, $cref->{$option}->[0], $line);
202.         } else {
203.             $ret = parse_yesno(\$buf, $cref->{$option}->[0], $line);
204.         }
205.    
206.         unless ($ret) {
207.             die "$0: Invalid configuration file $file: $buf\n";
208.         }
209.  
210.         return [$buf, $cref->{$option}->[2] || 0] if length $buf;
211.     }
212.  
213. }
214.  
215. sub parse_filename {
216.     my ($buf, $fmt, $val) = @_;
217.  
218.     unless (-f $val) {
219.         $$buf = qq{"$val": No such file};
220.         return;
221.     }
222.     $$buf = sprintf $fmt, $val;
223.     return 1;
224. }
225.  
226. sub parse_ip {
227.     my ($buf, $fmt, $val) = @_;
228.  
229.     if ($val =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
230.         && $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256) {
231.         $$buf = sprintf $fmt, $val;
232.         return 1;
233.     }
234.  
235.     $$buf = qq{"$val": Invalid IP address};
236. }
237.  
238. sub parse_number_1 {
239.     my ($buf, $fmt, $val) = @_;
240.  
241.     if ($val =~ /\D/) {
242.         $$buf = qq{"$val" not a number};
243.         return;
244.     }
245.    
246.     $$buf = sprintf $fmt, $val;
247.     return 1;
248. }
249.  
250. sub parse_number_1_2 {
251.     my ($buf, $fmt, $val) = @_;
252.  
253.     if ($val =~ /^(\d+)(\s+|:)(\d+)$/) {
254.         $$buf = sprintf $fmt, "$1:$3";
255.         return 1;
256.     }
257.  
258.     if ($val =~ /^(:?\d+)$/ || $val =~ /^(\d+:)/) {
259.         $$buf = sprintf $fmt, $1;
260.         return 1;
261.     }
262.    
263.     $$buf = qq{"$val" not one or two numbers};
264.     return;
265. }
266.  
267. sub parse_number_2 {
268.     my ($buf, $fmt, $val) = @_;
269.  
270.     if ($val !~ /^(\d+)\s+(\d+)$/) {
271.         $$buf = qq{"$val" not two numbers};
272.         return;
273.     }
274.    
275.     $$buf = sprintf $fmt, $1, $2;
276.     return 1;
277. }
278.  
279. sub parse_number_2_unlimited {
280.     my ($buf, $fmt, $val) = @_;
281.  
282.     if ($val !~ /^(\-?\d+)\s+(\-?\d+)$/) {
283.         $$buf = qq{"$val" not two numbers};
284.         return;
285.     }
286.  
287.     if ($1 < -1 || $2 < -1) {
288.         $$buf = qq{"$val" smaller than unlimited (-1)};
289.         return;
290.     }
291.    
292.     $$buf = sprintf $fmt, $1, $2;
293.     return 1;
294. }
295.  
296. sub parse_sockname {
297.     my ($buf, $fmt, $val) = @_;
298.  
299.     unless (-S $val) {
300.         $$buf = qq{"$val": No such socket};
301.         return;
302.     }
303.     $$buf = sprintf $fmt, $val;
304.     return 1;
305. }
306.  
307. sub parse_string {
308.     my ($buf, $fmt, $val) = @_;
309.  
310.     if ($val =~ /\s/) {
311.         $$buf = qq{"$val" contains whitespace};
312.         return;
313.     }
314.    
315.     $$buf = sprintf $fmt, $val;
316.     return 1;
317. }
318.  
319. sub parse_umask {
320.     my ($buf, $fmt, $val) = @_;
321.  
322.     if ($val !~ /^([0-7]{3,3})\s+([0-7]{3,3})$/) {
323.         $$buf = qq{"$val" not two octal numbers};
324.         return;
325.     }
326.    
327.     $$buf = sprintf $fmt, $1, $2;
328.     return 1;
329. }
330.  
331. sub parse_word {
332.     my ($buf, $fmt, $val) = @_;
333.  
334.     if ($val !~ /^(\w+)$/) {
335.         $$buf = qq{"$val" contains non-word characters};
336.         return;
337.     }
338.    
339.     $$buf = sprintf $fmt, $1;
340.     return 1;
341. }
342.  
343. sub parse_yesno {
344.     my ($buf, $fmt, $val) = @_;
345.     my @y = ('yes', 1, 'on');
346.     my @n = ('no', 0, 'off');
347.  
348.     if (grep {$_ eq lc($val)} @y) {
349.         # result is 'yes'
350.         $$buf = $fmt;
351.         return 1;
352.     }
353.     if (grep {$_ eq lc($val)} @n) {
354.         # result is 'no'
355.         $$buf = '';
356.         return 1;
357.     }
358.     # error
359.     $$buf = qq{"$val" not convertible to true or false};
360.     return;
361. }
362.  
363. __END__
364.  
365. =head1 NAME
366.  
367. pure-ftpd-wrapper - configures and starts Pure-FTPd daemon
368.  
369. =head1 SYNOPSIS
370.  
371. pure-ftpd-wrapper
372.  
373. =head1 DESCRIPTION
374.  
375. B<pure-ftpd-wrapper> reads the configuration for the Pure-FTPd daemon
376. from files in the directory F</etc/pure-ftpd/conf>. Each file in this
377. directory is related to a command line option. No more than one
378. line with configuration values is allowed. Empty lines or lines
379. starting with the comment character C<#> are discarded.
380.  
381. The Pure-FTPd daemon allows to use different authentication methods
382. together. The authentication methods are tried in the order they are
383. specified on the command line. In order to achieve the same flexibility
384. with files in the F</etc/pure-ftpd> directory, B<pure-ftpd-wrapper>
385. checks all valid symbolic links within the directory F</etc/pure-ftpd/auth>
386. in alphabetical order. E.g., a link in this directory pointing to
387. F</etc/pure-ftpd/conf/PureDB> would enable authentication against
388. a PureDB database.
389.  
390. There are no means to configure the I<PIDFile> setting, it is hardwired
391. to /var/run/pure-ftpd/pure-ftpd.pid in this script.
392.  
393. =head1 CONFIGURATION
394.  
395. =head2 Boolean values
396.  
397. The strings C<Yes>,C<1>,C<On> enable the corresponding commandline option
398. (case doesn't matter). To disable the option use C<No>,C<0> or C<Off>.
399.  
400. Configuration files containing boolean values are C<AllowAnonymousFXP>,
401. C<AllowDotFiles>, C<AllowUserFXP>, C<AnonymousCanCreateDirs>,
402. C<AnonymousCantUpload>, C<AnonymousOnly>, C<AntiWarez>, C<AutoRename>,
403. C<BrokenClientsCompatibility>, C<CallUploadScript>, C<ChrootEveryone>,
404. C<CreateHomeDir>, C<CustomerProof>, C<Daemonize>, C<DisplayDotFiles>,
405. C<DontResolve>, C<IPV4Only>, C<IPV6Only>, C<KeepAllFiles>, C<LogPID>,
406. C<NATmode>, C<NoAnonymous>, C<NoChmod>, C<NoRename>, C<PAMAuthentication>,
407. C<ProhibitDotFilesRead>, C<ProhibitDotFilesWrite>, C<UnixAuthentication>
408. and C<VerboseLog>.
409.  
410. =head2 Numerical values
411.  
412. There are several types of numerical values (one number, two numbers,
413. one or two numbers, two octal numbers).
414.  
415. =over 4
416.  
417. =item One number
418.  
419. C<MaxClientsNumber>, C<MaxClientsPerIP>, C<MaxDiskUsage>, C<MaxIdleTime>,
420. C<MaxLoad>, C<MinUID>, C<TLS>, C<TrustedGID>.
421.  
422. =item Two numbers
423.  
424. C<AnonymousRatio>, C<LimitRecursion>, C<PassivePortRange>,
425. C<PerUserLimits>, C<Quota>, C<UserRatio>.
426.  
427. =item Two numbers (with unlimited value)
428.  
429. This allows -1 in addition to positive numbers indicating an unlimited
430. values.
431.  
432. C<LimitRecursion>.
433.  
434. =item One or two numbers
435.  
436. C<AnonymousBandwidth>, C<UserBandwidth>.
437.  
438. =item Two octal numbers
439.  
440. C<Umask>.
441.  
442. =back
443.  
444. =head2 String values
445.  
446. =over
447.  
448. =item Arbritrary strings
449.  
450. C<AltLog>, C<Bind>, C<ForcePassiveIP>.
451.  
452. =item Words
453.  
454. C<SyslogFacility>.
455.  
456. =back
457.  
458. =head2 Character Sets
459.  
460. C<FSCharset>, C<ClientCharset>.
461.  
462. =head2 IP values
463.  
464. C<TrustedIP>.
465.  
466. =head2 File values
467.  
468. These values designate an existing file or socket.
469.  
470. =over
471.  
472. =item File
473.  
474. C<FortunesFile>, C<LDAPConfigFile>, C<MySQLConfigFile>, C<PGSQLConfigFile>, C<PureDB>.
475.  
476. =item Socket
477.  
478. C<ExtAuth>.
479.  
480. =back
481.  
482. =head1 AUTHOR
483.  
484. This manual page was written by Stefan Hornburg (Racke) <racke@linuxia.de>
485. for the Debian GNU/Linux system.