README.md (6.72 KB), committed by Daniela Daniel
# FTP Setup Guide

### Overview

This FTP application (Flash FTP) relies on `vsftpd` and `pam_mysql` so that FTP guest users 
do not have to be LDAP system users. The credentials of an FTP guest user 
reside in a MySQL table; `pam_mysql` takes the username and password submitted at FTP login, 
hashes the password and compares the result with the username and password fields in the database 
table, and allows or denies the guest access to the FTP service accordingly. Users 
who wish to share files with a guest log into the system (i.e., 
authenticate against LDAP) and send invitations to guest users by e-mail.
This documentation assumes that the Django app resides in `/devel/ftp_project` 
and the FTP directory is `/project/ftp_public`.

![Service Diagram](./service_diagram.png)

### Components
- Python 3.6.8
- Django 2.2 LTS
- MySQL
- LDAP
- Folders, file permissions and mounts
- IP Tables/Firewall Daemon

### Install EPEL and build packages
```sh
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y groupinstall "Development Tools" "Development Libraries"
```

### MySQL
Edit the file `/etc/yum.repos.d/mysql-community.repo`:
```ini
# Enable to use MySQL 5.7
[mysql57-community]
name=MySQL 5.7 Community Server
baseurl=http://repo.mysql.com/yum/mysql-5.7-community/el/7/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-mysql
```
Install MySQL:
```sh
yum repolist enabled | grep mysql
yum install mysql-community-server
systemctl start mysqld.service
systemctl enable mysqld.service
```

### Create the database
```sh
mysql -u root
mysql> CREATE DATABASE vsftpd;
mysql> exit;
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql
```

### FTP
Create user `vsftpd` and configure `vsftpd`:
```sh
useradd -G users -s /bin/false -d /home/vsftpd vsftpd
passwd vsftpd
yum install -y vsftpd
cp -p /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf-backup
cp -p provision/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf
chown root.root /etc/vsftpd/vsftpd.conf
mkdir -p /project/ftp_public/
mkdir -p /project/vsftpd_user_conf
chmod 755 /project/ftp_public/
chown <vsftpd_service>:<vsftpd_service> /project/ftp_public/
systemctl start vsftpd
systemctl enable vsftpd
```

### User directories
Inside `/project/ftp_public/`, create a directory for each FTP user and grant that user and the `vsftpd-guest` account access to it with ACLs (default ACLs cover files created later):
```sh
mkdir <user>
chmod 700 <user>
chown <vsftpd_service>:<vsftpd_service> <user>
chmod g+s <user>
setfacl -R -m u:<user>:rwx <user>
setfacl -R -m u:vsftpd-guest:rwx <user>
setfacl -R -m d:u:vsftpd-guest:rwx <user>
setfacl -R -m d:u:<user>:rwx <user>
```

### Create user `vsftpd` in the database
```sh
mysql> CREATE USER 'vsftpd'@'localhost' IDENTIFIED BY 'vsftpd';
mysql> GRANT ALL PRIVILEGES ON vsftpd.* TO 'vsftpd'@'localhost';
```

### PAM MySQL
Download and install `pam_mysql`, then check that the library _pam_mysql.so_ exists in `/usr/lib64/security/`. Install the provisioned PAM configuration for `vsftpd`:
```sh
cp /etc/pam.d/vsftpd vsftpd.orig
cp provision/vsftpd/vsftpd_pam /etc/pam.d/vsftpd
chown root:root /etc/pam.d/vsftpd
```
Download mirrors: https://centos.pkgs.org/7/cheese-x86_64/pam_mysql-0.7-0.21.rc1.el7.x86_64.rpm.html

### LDAP client
```sh
yum install openldap-clients nss-pam-ldapd pam_ldap
authconfig --enableldap --enableldapauth --ldapserver="<ldap_server>" --ldapbasedn="<base_dn>" --update
authconfig --enableforcelegacy --update
```
You might need to edit `/etc/nslcd.conf` to provide certificate info. Test the client:
```sh
systemctl restart nslcd
getent passwd
```

### IP Tables
```sh
yum install iptables-services
iptables --flush INPUT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
service iptables save
systemctl enable iptables
```
The fourth rule accepts new connections from any source port in 1024:65535 to any destination port in 20:65535, which is far wider than the passive FTP data range and leaves the final `DROP` rule ineffective for most TCP services; if that is not intended, narrow its `--dport` range to the `pasv_min_port`/`pasv_max_port` range configured in `vsftpd.conf`. Port 3306 only needs to be opened if MySQL is reached from another host.

### Python 3

Install Python 3 and set up a virtual environment for the _<vsftpd_service>_ user. Then, as _<vsftpd_service>_, install the application dependencies into it:
```sh
pip install --upgrade pip
pip install -r requirements.txt
pip install gunicorn
```

### Deploy the Django database
```sh
python manage.py makemigrations
python manage.py migrate
```

Create the authentication view for library `pam_mysql.so`:
```sql
mysql> CREATE VIEW account_table AS
    ->   SELECT username, password FROM ftp_manager_secondaryaccount WHERE expiration_time > now()
    ->   UNION
    ->   SELECT username, password FROM ftp_manager_account WHERE expiration_time > now();
```
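The view above decides which accounts `pam_mysql` can see at all. The following added example (not part of the project's code) models that view with sqlite3 on constructed rows, with sqlite's `datetime('now')` standing in for MySQL's `now()` and placeholder strings in place of real password hashes, to show that expired accounts and invitations vanish from `account_table` before any password comparison takes place:

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Same UNION as the guide's view; sqlite3 has no now(), so datetime('now') (UTC) stands in.
SCHEMA = """
CREATE TABLE ftp_manager_account (
    username TEXT PRIMARY KEY, password TEXT NOT NULL, expiration_time TEXT NOT NULL);
CREATE TABLE ftp_manager_secondaryaccount (
    username TEXT PRIMARY KEY, password TEXT NOT NULL, expiration_time TEXT NOT NULL);
CREATE VIEW account_table AS
    SELECT username, password FROM ftp_manager_secondaryaccount
     WHERE expiration_time > datetime('now')
    UNION
    SELECT username, password FROM ftp_manager_account
     WHERE expiration_time > datetime('now');
"""

def _stamp(days_from_now):
    """Timestamp in the exact text format datetime('now') emits, so string comparison is valid."""
    t = datetime.now(timezone.utc) + timedelta(days=days_from_now)
    return t.strftime("%Y-%m-%d %H:%M:%S")

def build_sample_db():
    """In-memory database with constructed rows; HASH_* values are placeholders, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ftp_manager_account VALUES (?, ?, ?)", [
        ("alice", "HASH_alice", _stamp(30)),   # LDAP-backed user with an active FTP account
        ("bob", "HASH_bob", _stamp(-1)),       # account expired yesterday
    ])
    conn.executemany("INSERT INTO ftp_manager_secondaryaccount VALUES (?, ?, ?)", [
        ("guest1", "HASH_guest1", _stamp(7)),  # live guest invitation
        ("guest2", "HASH_guest2", _stamp(-7)), # invitation that expired a week ago
    ])
    conn.commit()
    return conn

def active_accounts(conn):
    """Usernames currently visible to pam_mysql through the view."""
    return sorted(row[0] for row in conn.execute("SELECT username FROM account_table"))

def stored_credential(conn, username):
    """What pam_mysql fetches for a login: the stored password field, or None when the
    account is missing or expired, in which case access is denied before any comparison."""
    row = conn.execute("SELECT password FROM account_table WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None
```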

__Edit `settings.py` to suit your needs (LDAP and FTP and e-mail settings):__
```python
# ----------------------------------------------------------------------------
# biohpc_accounts app
# ----------------------------------------------------------------------------

# LDAP URI, user and password for BioHPC Directory (read/write)
BIOHPC_ACCOUNTS_LDAP_URI = "ldap://localhost"
BIOHPC_ACCOUNTS_LDAP_USER = ''
BIOHPC_ACCOUNTS_LDAP_PASSWORD = ''
# Default primary GID for newly created users
BIOHPC_ACCOUNTS_DEFAULT_GID = 9999
# Samba Domain Name
BIOHPC_ACCOUNTS_SAMBA_DOMAIN = ''
# Samba Domain SID
BIOHPC_ACCOUNTS_SAMBA_SID = ''
# LDAP Base DN to check for users/groups anywhere in the tree
BIOHPC_ACCOUNTS_BASE_DN = ''
# LDAP suffix for new users added to directory, but not enabled for services
# Have portal access only
BIOHPC_ACCOUNTS_NEW_USER_SUFFIX = ''
# LDAP suffix for active users in directory
BIOHPC_ACCOUNTS_ACTIVE_USER_SUFFIX = ''
# LDAP Suffix for group search
BIOHPC_ACCOUNTS_GROUP_SUFFIX = ''
# Permitted domains for users email at registration
BIOHPC_ACCOUNTS_GOOD_EMAIL_DOMAINS = ['', '']

# ----------------------------------------------------------------------------
# ftp_manager app
# ----------------------------------------------------------------------------

FTP_SECRETE = ''
FROM_EMAIL = ''

```

### Run locally
Set `DEBUG=True` and test the application:
```sh
python manage.py runserver 
```

### Static files and Apache
During development, if `django.contrib.staticfiles` is installed, `runserver` serves static files automatically when `DEBUG` is set to `True`. For production, run `collectstatic` to copy all the static files into `STATIC_ROOT`:
```sh
python manage.py collectstatic
```
Have `httpd` serve static files:
```sh
yum install httpd
cp provision/httpd/apache.conf /etc/httpd/conf.d/apache.conf
systemctl start httpd
systemctl enable httpd
```

In `settings.py`, set `DEBUG` and `TEMPLATE_DEBUG` to `False`.

### Final check
```sh
python manage.py check --deploy
```
### Run FTP application
```sh
gunicorn ftp_site.wsgi:application
```

## Contributing to Flash FTP
We are open to contributions from external developers. We advise you to open an issue that describes the contribution and then submit a pull request. 
For additional details, refer to the LICENSE file contained in this repository.