1 |
jpp |
1.1 |
diff -Nur smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays |
2 |
|
|
--- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays 2021-02-28 22:41:40.846000000 -0500 |
3 |
|
|
+++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays 2021-03-02 11:57:52.069000000 -0500 |
4 |
|
|
@@ -1,71 +1,92 @@ |
5 |
|
|
{ |
6 |
|
|
use esmith::AccountsDB; |
7 |
|
|
+ use esmith::DAV; |
8 |
|
|
my $adb = esmith::AccountsDB->open_ro(); |
9 |
|
|
$OUT = ""; |
10 |
|
|
foreach my $ibay ($adb->ibays) |
11 |
|
|
{ |
12 |
|
|
my %properties = $ibay->props; |
13 |
|
|
my $key = $ibay->key; |
14 |
|
|
+ my $dynamicContent = $properties{'CgiBin'} || "disabled"; |
15 |
|
|
+ my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled'; |
16 |
|
|
+ my $access = $properties{'PublicAccess'} || 'none'; |
17 |
|
|
+ $OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none'; |
18 |
|
|
+ next if $access eq 'none'; |
19 |
|
|
+ # true if have to be password accessible from somewhere. |
20 |
|
|
+ my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all'; |
21 |
|
|
if ($properties{'ModDav'}) |
22 |
|
|
{ |
23 |
|
|
if ($properties{'ModDav'} eq 'enabled') |
24 |
|
|
{ |
25 |
|
|
+ my $ReadRequire = esmith::DAV::getRequireUser("read", $key ); |
26 |
|
|
+ my $WriteRequire = esmith::DAV::getRequireUser("write", $key); |
27 |
|
|
+ my $ReadAllow = esmith::DAV::getAllow("read", $key, $localAccess ); |
28 |
|
|
+ my $WriteAllow = esmith::DAV::getAllow("write", $key, $localAccess ); |
29 |
|
|
+ |
30 |
|
|
$OUT .= "\n<Directory /home/e-smith/files/ibays/$key/html>\n\n"; |
31 |
|
|
$OUT .= " # Enable DAV access for this directory tree\n"; |
32 |
|
|
$OUT .= " DAV On\n\n"; |
33 |
|
|
+ #we will not seriously let you type your password over the network without encryption |
34 |
|
|
+ $OUT .= " SSLRequireSSL\n\n"; |
35 |
|
|
+ |
36 |
|
|
+ if ($dynamicContent eq 'enabled' && $secureEXEC eq 'enabled') |
37 |
|
|
+ { |
38 |
|
|
+ # we do not want PHP or CGI to be runt there for security reason |
39 |
|
|
+ $OUT .= " <FilesMatch \\.php\$>\n"; |
40 |
|
|
+ $OUT .= " #disabling php\n"; |
41 |
|
|
+ $OUT .= " SetHandler !\n"; # could use also SetHandler none |
42 |
|
|
+ $OUT .= " deny from all\n" if ( $properties{'ModDAVhidephp'} || 'enabled' ) eq 'enabled'; |
43 |
|
|
+ $OUT .= " </FilesMatch>\n"; |
44 |
|
|
+ $OUT .= " Options -ExecCGI\n"; |
45 |
|
|
+ $OUT .= " RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo\n"; |
46 |
|
|
+ $OUT .= " php_flag engine off\n" if ((exists $php{status} and $php{status} eq "enabled") and $phpModule eq "enabled") ;# can not use this one when php module not in use |
47 |
|
|
+ } |
48 |
|
|
+ |
49 |
|
|
+ $OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n" if ($properties{'ModDav-FileETag'}); |
50 |
|
|
|
51 |
|
|
- if ($properties{'ModDav-FileETag'}) |
52 |
|
|
- { |
53 |
|
|
- $OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n"; |
54 |
|
|
- } |
55 |
|
|
$OUT .= " AllowOverride None\n"; |
56 |
|
|
$OUT .= " Options +Indexes \n\n"; |
57 |
|
|
$OUT .= " # Allow fancy indexing by columns and download by clicking icon\n"; |
58 |
|
|
$OUT .= " IndexOptions FancyIndexing IconsAreLinks\n\n"; |
59 |
|
|
- if ($properties{'Group'}) |
60 |
|
|
- { |
61 |
|
|
- $OUT .= " AuthName \"$key\"\n"; |
62 |
|
|
- $OUT .= " AuthBasicProvider external\n"; |
63 |
|
|
- $OUT .= " AuthType Basic\n"; |
64 |
|
|
- $OUT .= " AuthExternal pwauth\n\n"; |
65 |
|
|
- # Save groupname and find it in the group list |
66 |
|
|
- $iBayGroup = $properties{'Group'}; |
67 |
|
|
- foreach my $group ($adb->groups) |
68 |
|
|
- { |
69 |
|
|
- my %groupprops = $group->props; |
70 |
|
|
- my $grpkey = $group->key; |
71 |
|
|
- if ($grpkey eq $iBayGroup) |
72 |
|
|
- { |
73 |
|
|
- # we have the group that owns the DAV iBay |
74 |
|
|
- # If there are members of the group validate on them, |
75 |
|
|
- # otherwise on the ibayname |
76 |
|
|
- if ($groupprops{'Members'}) |
77 |
|
|
- { |
78 |
|
|
- # need to break user list on commas then output each one... |
79 |
|
|
- my @values = split(',',$groupprops{'Members'}); |
80 |
|
|
- $OUT .= " # Replace ibay name with any valid group member to validate\n"; |
81 |
|
|
- $OUT .= " Require user "; |
82 |
|
|
- foreach my $val (@values) { |
83 |
|
|
- $OUT .= $val . " "; |
84 |
|
|
- } |
85 |
|
|
- $OUT .= "\n\n"; |
86 |
|
|
- } |
87 |
|
|
- else |
88 |
|
|
- { |
89 |
|
|
- # No group members so use ibay name for validation |
90 |
|
|
- $OUT .= " # use ibay name to validate\n"; |
91 |
|
|
- $OUT .= " Require user " . $key . "\n\n"; |
92 |
|
|
- } |
93 |
|
|
- } |
94 |
|
|
- } |
95 |
|
|
- } |
96 |
|
|
- # Ensure only valid users get to do stuff... |
97 |
|
|
- $OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n"; |
98 |
|
|
- $OUT .= " Allow from all\n"; |
99 |
|
|
- $OUT .= " Require valid-user\n\n"; |
100 |
|
|
- $OUT .= " </Limit>\n\n"; |
101 |
|
|
+ |
102 |
|
|
+ # bug with httpd-2.4 fixed in httpd-2.5 only see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 PROPFIND will fail |
103 |
|
|
+ $OUT .= " #because of bug https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 in httpd 2.4 DirectoryIndex disabled is needed for webdav to work\n"; |
104 |
|
|
+ $OUT .= " DirectoryIndex disabled\n\n" unless ( ($properties{'DavNoDirectoryIndex'}||"enabled" ) eq "disabled"); |
105 |
|
|
+ $OUT .= " #DirectoryIndex disabled : DavNoDirectoryIndex has been defined to force DirectoryIndex \n\n" if ( ($properties{'DavNoDirectoryIndex'}||"enabled" ) eq "disabled"); |
106 |
|
|
+ |
107 |
|
|
+ $OUT .= " order deny,allow\n"; |
108 |
|
|
+ $OUT .= " deny from all\n"; |
109 |
|
|
+ $OUT .= " " . $ReadAllow . "\n"; |
110 |
|
|
+ $OUT .= " AuthName \"$properties{'Name'}\"\n"; |
111 |
|
|
+ $OUT .= " AuthBasicProvider external\n"; |
112 |
|
|
+ $OUT .= " AuthType Basic\n"; |
113 |
|
|
+ $OUT .= " AuthExternal pwauth\n"; |
114 |
|
|
+ $OUT .= " " . $ReadRequire . "\n"; |
115 |
|
|
+ $OUT .= " Satisfy $satisfy\n\n"; |
116 |
|
|
+ |
117 |
|
|
+ # Ensure only valid users get to do stuff... update 2021/02: |
118 |
|
|
+ # GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK |
119 |
|
|
+ # some suggest : AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL MKCALENDAR COPY MOVE LOCK UNLOCK TRACE |
120 |
|
|
+ # TRACE is not supposed to be limited by this directive, should use TraceEnable |
121 |
|
|
+ # LimitExcept is suggested over Limit in order to catch all non standard methods |
122 |
|
|
+ # however we put our limit to the whole folder with the Require user .... above, so the whole block under seems useless |
123 |
|
|
+ # unless we reduce it to one user, or are fool to enlarge to Require valid-user |
124 |
|
|
+# $OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n"; |
125 |
|
|
+# $OUT .= " Allow from all\n"; |
126 |
|
|
+# $OUT .= " Require user $userlist\n\n"; |
127 |
|
|
+# $OUT .= " </Limit>\n\n"; |
128 |
|
|
+ |
129 |
|
|
+ $OUT .= " <LimitExcept GET POST PROPFIND OPTIONS CONNECT>\n"; |
130 |
|
|
+ $OUT .= " " . $WriteRequire . "\n"; |
131 |
|
|
+ $OUT .= " Satisfy All\n"; |
132 |
|
|
+ $OUT .= " ". $WriteAllow ."\n"; |
133 |
|
|
+ $OUT .= " </LimitExcept>\n\n"; |
134 |
|
|
$OUT .= "</Directory>\n"; |
135 |
|
|
} |
136 |
|
|
} |
137 |
|
|
+ else |
138 |
|
|
+ { |
139 |
|
|
+ $OUT .= "\n # DAV disabled for ibay $key\n"; |
140 |
|
|
+ } |
141 |
|
|
} |
142 |
|
|
} |
143 |
|
|
diff -Nur smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav |
144 |
|
|
--- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav 1969-12-31 19:00:00.000000000 -0500 |
145 |
|
|
+++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav 2021-03-02 11:57:55.866000000 -0500 |
146 |
|
|
@@ -0,0 +1,34 @@ |
147 |
|
|
+{ |
148 |
|
|
+# this fragment is to force SSL redirection for webdav activated account in case it is not already enabled |
149 |
|
|
+# could be removed if core fragment 20IbaysContent introduce forced ssl for DAV |
150 |
|
|
+ use esmith::AccountsDB; |
151 |
|
|
+ my $adb = esmith::AccountsDB->open_ro(); |
152 |
|
|
+ $OUT = ""; |
153 |
|
|
+ foreach my $ibay ($adb->ibays) |
154 |
|
|
+ { |
155 |
|
|
+ my %properties = $ibay->props; |
156 |
|
|
+ my $key = $ibay->key; |
157 |
|
|
+ my $dynamicContent = $properties{'CgiBin'} || "disabled"; |
158 |
|
|
+ my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled'; |
159 |
|
|
+ my $access = $properties{'PublicAccess'} || 'none'; |
160 |
|
|
+ $OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none'; |
161 |
|
|
+ next if $access eq 'none'; |
162 |
|
|
+ # true if have to be password accessible from somewhere. |
163 |
|
|
+ my $ispassibay = $access =~ /-pw/; |
164 |
|
|
+ my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all'; |
165 |
|
|
+ if ($properties{'ModDav'}) |
166 |
|
|
+ { |
167 |
|
|
+ if ($properties{'ModDav'} eq 'enabled') |
168 |
|
|
+ { |
169 |
|
|
+ # we force SSL redirection in case DAV is enabled |
170 |
|
|
+ if (( $port ne $httpsPort ) && (($ibay->prop('SSL') || 'disabled') ne 'enabled')) |
171 |
|
|
+ { |
172 |
|
|
+ my $portspec = ($httpsPort eq 443) ? "" : ":$httpsPort"; |
173 |
|
|
+ $OUT .= " RewriteEngine on\n"; |
174 |
|
|
+ $OUT .= " RewriteRule ^/$key(/.*|\$) https://%{HTTP_HOST}${portspec}/$key\$1 \[L,R\]\n"; |
175 |
|
|
+ } |
176 |
|
|
+ } |
177 |
|
|
+ } |
178 |
|
|
+ } |
179 |
|
|
+} |
180 |
|
|
+ |
181 |
|
|
diff -Nur smeserver-mod_dav-1.1.old/root/usr/share/perl5/vendor_perl/esmith/DAV.pm smeserver-mod_dav-1.1/root/usr/share/perl5/vendor_perl/esmith/DAV.pm |
182 |
|
|
--- smeserver-mod_dav-1.1.old/root/usr/share/perl5/vendor_perl/esmith/DAV.pm 1969-12-31 19:00:00.000000000 -0500 |
183 |
|
|
+++ smeserver-mod_dav-1.1/root/usr/share/perl5/vendor_perl/esmith/DAV.pm 2021-03-02 12:07:13.442000000 -0500 |
184 |
|
|
@@ -0,0 +1,118 @@ |
185 |
|
|
+ |
186 |
|
|
+package esmith::DAV; |
187 |
|
|
+ |
188 |
|
|
+use strict; |
189 |
|
|
+use warnings; |
190 |
|
|
+use esmith::AccountsDB; |
191 |
|
|
+my $adb = esmith::AccountsDB->open_ro(); |
192 |
|
|
+ |
193 |
|
|
+use vars qw( $AUTOLOAD @ISA ); |
194 |
|
|
+ |
195 |
|
|
+ sub getRequireUser { |
196 |
|
|
+ my ($mode, $key) = @_; |
197 |
|
|
+ my $ibay = $adb->get($key) or return "Require user admin"; |
198 |
|
|
+ my %properties = $ibay->props or return "Require user admin"; |
199 |
|
|
+ my $iBayGroup = $properties{'Group'} || 'admin'; |
200 |
|
|
+ my $accessMode = $properties{'UserAccess'} || 'wr-admin-rd-group'; |
201 |
|
|
+ my $access = $properties{'PublicAccess'} || 'none'; |
202 |
|
|
+ my $ispassibay = $access =~ /-pw/; |
203 |
|
|
+ my $Anonymous = $properties{'ModDavAnonymousRead'} || "enabled"; |
204 |
|
|
+ my $MEMBERS = getMembers( $key, $iBayGroup); |
205 |
|
|
+ my $REQUIRE = ""; |
206 |
|
|
+ if ($mode eq "read") |
207 |
|
|
+ { |
208 |
|
|
+ if ($accessMode eq "wr-group-rd-everyone") |
209 |
|
|
+ { |
210 |
|
|
+ if ( $Anonymous eq "enabled" ) |
211 |
|
|
+ { |
212 |
|
|
+ $REQUIRE = "# Allowing unauthenticated read access"; |
213 |
|
|
+ } |
214 |
|
|
+ else |
215 |
|
|
+ { |
216 |
|
|
+ my $EVERYONE = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )); #shared user members |
217 |
|
|
+ #$REQUIRE = "#wr-group-rd-everyone : members of shared\n"; |
218 |
|
|
+ $REQUIRE .= "Require user " . $EVERYONE; |
219 |
|
|
+ } |
220 |
|
|
+ } |
221 |
|
|
+ else |
222 |
|
|
+ { |
223 |
|
|
+ $REQUIRE = "Require user " . $MEMBERS; |
224 |
|
|
+ if ($accessMode eq "wr-admin-rd-group") |
225 |
|
|
+ { |
226 |
|
|
+ # add "admin" to the read group to avoid read/write auth conflicts |
227 |
|
|
+ $REQUIRE .= " admin"; |
228 |
|
|
+ } |
229 |
|
|
+ } |
230 |
|
|
+ if ($ispassibay) |
231 |
|
|
+ { |
232 |
|
|
+ #we have local-pw or global-pw or global-pw-remote |
233 |
|
|
+ $REQUIRE = ( $REQUIRE =~ /Require user / ) ? "$REQUIRE $key" : "Require user $key"; |
234 |
|
|
+ $REQUIRE .= " $MEMBERS" if ( $access =~ /remote/ ); |
235 |
|
|
+ } |
236 |
|
|
+ } |
237 |
|
|
+ else |
238 |
|
|
+ { |
239 |
|
|
+ if ($accessMode eq "wr-admin-rd-group") |
240 |
|
|
+ { |
241 |
|
|
+ $REQUIRE = "Require user admin"; |
242 |
|
|
+ } |
243 |
|
|
+ else |
244 |
|
|
+ { |
245 |
|
|
+ $REQUIRE = "Require user " . $MEMBERS; |
246 |
|
|
+ } |
247 |
|
|
+ } |
248 |
|
|
+ return $REQUIRE; |
249 |
|
|
+ } |
250 |
|
|
+ |
251 |
|
|
+ sub getAllow { |
252 |
|
|
+ my ($mode, $key, $localAccess ) = @_; |
253 |
|
|
+ $localAccess = (defined $localAccess ) ? $localAccess : "127.0.0.1"; |
254 |
|
|
+ my $ibay = $adb->get($key) or return "allow from 127.0.0.1"; |
255 |
|
|
+ my %properties = $ibay->props or return "allow from 127.0.0.1"; |
256 |
|
|
+ my $Public = $properties{'PublicAccess'} || 'none'; |
257 |
|
|
+ |
258 |
|
|
+ my $allow = "allow from 127.0.0.1"; |
259 |
|
|
+ if ($Public eq 'none') |
260 |
|
|
+ { |
261 |
|
|
+ $allow = "# allow from set to NONE"; |
262 |
|
|
+ } |
263 |
|
|
+ elsif ($Public =~ /(local|remote)/ ) |
264 |
|
|
+ { |
265 |
|
|
+ $allow = "allow from " . $localAccess; |
266 |
|
|
+ } |
267 |
|
|
+ elsif ($Public =~ /global/) |
268 |
|
|
+ { |
269 |
|
|
+ $allow = "allow from all"; |
270 |
|
|
+ } |
271 |
|
|
+ return $allow; |
272 |
|
|
+ } |
273 |
|
|
+ |
274 |
|
|
+ sub getMembers { |
275 |
|
|
+ my ($key, $iBayGroup) = @_; |
276 |
|
|
+ my $MEMBERS = $key; |
277 |
|
|
+ foreach my $group ( ($adb->groups, $adb->get('admin'), $adb->get('shared') ) ) |
278 |
|
|
+ { |
279 |
|
|
+ my %groupprops = $group->props; |
280 |
|
|
+ my $grpkey = $group->key; |
281 |
|
|
+ if ($grpkey eq $iBayGroup) |
282 |
|
|
+ { |
283 |
|
|
+ # we have the group that owns the DAV iBay |
284 |
|
|
+ # If there are members of the group validate on them, |
285 |
|
|
+ # otherwise on the ibayname |
286 |
|
|
+ my $GroupMembers = $groupprops{'Members'} || undef; |
287 |
|
|
+ $GroupMembers = "admin" if ( $grpkey eq "admin" ); |
288 |
|
|
+ $GroupMembers = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )) if ( $grpkey eq "shared" ) ; |
289 |
|
|
+ |
290 |
|
|
+ if ($GroupMembers) |
291 |
|
|
+ { |
292 |
|
|
+ # need to break user list on commas then output each one... |
293 |
|
|
+ my @values = split(',',$GroupMembers); |
294 |
|
|
+ $MEMBERS = "" unless (!@values) ; |
295 |
|
|
+ foreach my $val (@values) { |
296 |
|
|
+ $MEMBERS .= $val . " "; |
297 |
|
|
+ } |
298 |
|
|
+ } |
299 |
|
|
+ } |
300 |
|
|
+ } |
301 |
|
|
+ return $MEMBERS; |
302 |
|
|
+ } |