| Current File : //usr/share/webmin/proftpd/userpermissions_form.cgi |
#!/usr/bin/perl
# userpermissions_form.cgi
# Display a the list of users and their permissions
# Author: Mattias Gaertner
#
# Abstract:
# - Allows editing the user permissions for a directory with an
# .ftpaccess file.
# - It has a select field to easily add a user to the .ftpaccess file.
# - Shows a list of users with their permissions.
# - Provides minimum allowed commands (at the moment hardcoded in
# $MiniumCommands).
# These commands will applied to any new and changed permissions.
# - Shows names instead of the hard to remember FTP abbreviations
# (e.g. PBSZ).
# - Commands can be combined. For example: RNFR and RNTO are shown
# as only one permission.
# - adds automatically a DenyAll All limit, so the default is to allow
# nothing.
#
# ToDos:
# - multi language support
# - a page to config the minimum commands
# - a page to config the tuples (combined commands)
# - Probably some functions already exists in webmin and can be replaced
require './proftpd-lib.pl';
&ReadParse();
# read .ftpaccess file
$file = $in{'file'};
$title = &text('ftpindex_header', "<tt>$in{'file'}</tt>");
$return = "ftpaccess_index.cgi";
$rmsg = $text{'ftpindex_return'};
&ui_print_header($title, "Edit User Permissions", "",
undef, undef, undef, undef, &restart_button());
#########################################
# Navigation parameters
foreach $h ('virt', 'idx', 'file', 'limit', 'anon', 'global') {
if (defined($in{$h})) {
$NavigationData.="<input type=hidden name=$h value='$in{$h}'>\n";
push(@args, "$h=$in{$h}");
}
}
$args = join('&', @args);
# These are the FTP Commands, that any user have
$MinimumCommands="CWD XCWD CDUP XCUP PORT PASS PASV EPRT EPSV"
." PWD XPWD SIZE HELP NOOP AUTH ABORT USER LIST TYPE PROT QUIT PBSZ MDTM MODE";
$Commands{"CWD"}="Change working directory";
$Commands{"XCWD"}="";
$Commands{"CDUP"}="";
$Commands{"XCUP"}="";
$Commands{"PORT"}="";
$Commands{"PASV"}="enter passive mode";
$Commands{"EPRT"}="";
$Commands{"EPSV"}="";
$Commands{"RNFR"}="Rename From";
$Commands{"RNTO"}="Rename To";
$Commands{"DELE"}="Delete File";
$Commands{"RMD"}="Remove Directory";
$Commands{"XRMD"}="X Remove Directory";
$Commands{"MKD"}="Create Directory";
$Commands{"XMKD"}="X Create Directory";
$Commands{"MODE"}="";
$Commands{"PWD"}="";
$Commands{"XPWD"}="";
$Commands{"SIZE"}="";
$Commands{"SITE_CHMOD"}="Change Unix File Permissions";
$Commands{"STAT"}="Return Server Status";
$Commands{"SYST"}="Prints System Info";
$Commands{"HELP"}="";
$Commands{"NOOP"}="";
$Commands{"AUTH"}="";
$Commands{"PBSZ"}="";
$Commands{"PROT"}="";
$Commands{"TYPE"}="Set Transfer Type";
$Commands{"MODE"}="Set Transfer Mode";
$Commands{"MDTM"}="List Modification Time";
$Commands{"RETR"}="Retrieve (Read)";
$Commands{"STOR"}="Store (Write)";
$Commands{"STOU"}="Store Unique";
$Commands{"APPE"}="Append";
$Commands{"REST"}="Restart Write";
$Commands{"ABOR"}="Abort";
$Commands{"USER"}="";
$Commands{"PASS"}="";
$Commands{"LIST"}="List remote files";
$Commands{"QUIT"}="";
$Commands{"TupleRMD"} = "Remove Directory";
$Commands{"TupleMKD"} = "Make Directory";
$Commands{"TupleRN"} = "Rename";
$Commands{"TuplePWD"} = "Print Working Directory";
# Not implemented by proftpd:
#$Commands{"STRU"}="Specify File Structure";
# Here you can group commands
$CommandTuples{"TupleRMD"} = "RMD XRMD";
$CommandTuples{"TupleMKD"} = "MKD XMKD";
$CommandTuples{"TupleRN"} = "RNFR RNTO";
$CommandTuples{"TuplePWD"} = "PWD XPWD";
# Create CommandToTuple array
foreach $TupleName(sort keys %CommandTuples){
foreach $Command(split (" ",$CommandTuples{$TupleName})){
next unless ($Command);
$CommandToTuple{$Command}=$TupleName;
}
}
#########################################
# Get user list and read old permissions
&GetUsers();
&GetFTPAccessUserPerms($file);
#########################################
# Parse Input and update .ftpaccess file
foreach $ParamName(keys %in){
#print "Name=\"$ParamName\" Value=\"".$in{$ParamName}."\"<br>\n";
if($ParamName eq "AddUser"){
$Username=$in{$ParamName};
if($Username =~ /^[a-zA-Z0-9_]+$/){
&AddUser($Username,$file);
}
}
if($ParamName eq "DeleteUser"){
$Username=$in{$ParamName};
if($Username =~ /^[a-zA-Z0-9_]+$/){
if($in{"Confirm Delete User"} eq "on"){
&DeleteUser($Username,$file);
#print "New used usernames: $UsedUsernames<br>\n";
} else {
print "<H2>To really delete a user, please check the confim checkbox.</H2>\n";
}
}
}
if($ParamName eq "ChangePermissions"){
$Username=$in{$ParamName};
if($Username =~ /^[a-zA-Z0-9_]+$/){
&ChangePermissions($Username,$file);
}
}
}
#########################################
# select box and button for add user
print "<form action=userpermissions_form.cgi method=get>\n";
print $NavigationData;
print "<H3>Add an User to the permission table</H3>\n";
print "<select name=\"AddUser\">\n";
foreach $Username (sort split(" ",$Usernames)){
print "<option value=\"$Username\">$Username</option>\n";
}
print "</select>\n";
print "<input type=submit value=\"Add User\"><br>\n";
print "</form>\n";
#########################################
# Print Permissions
$MaxColumns=4;
foreach $Username(sort split (" ",$UsedUsernames)){
#print "User: $Username Allowed=\"".$UserAllowedCommands{$Username}."\" Denied=\"".$UserDeniedCommands{$Username}."\"\n";
print "<form action=userpermissions_form.cgi method=get>\n";
print $NavigationData;
print "<input type=hidden name=\"ChangePermissions\" value=\"".$Username."\">\n";
print "<HR WIDTH=\"100%\">\n";
print "<H2>User: $Username</H2>\n";
print "<table border=1>\n";
$Column=0;
$Row=0;
foreach $Command(sort keys %Commands){
if($MinimumCommands =~ /$Command/i){
# skip minimum permissions, that all users are allowed to
next;
}
if($CommandToTuple{$Command}){
# skip commands that belong to a tuple
next;
}
$FTPCommands=$Command;
if($CommandTuples{$FTPCommands}){
$FTPCommands = $CommandTuples{$FTPCommands};
}
if($Column == 0){
if($Row==0){
print " <tr>\n";
for ($i=0; $i<$MaxColumns; $i++){
print " <td>Command</td><td>Allow/Deny/Default</td>\n";
}
print " </tr>\n";
}
print " <tr>\n";
}
$CommandDesc=$Commands{$Command};
if(!$CommandDesc){
$CommandDesc = $Command;
}
print " <td>$CommandDesc</td><td>\n";
if(&CommandContains($UserAllowedCommands{$Username},$FTPCommands)){
$AllowChecked=" checked";
} else {
$AllowChecked="";
}
if(&CommandContains($UserDeniedCommands{$Username},$FTPCommands)){
$DenyChecked=" checked";
} else {
$DenyChecked="";
}
if($AllowChecked || $DenyChecked){
$DefaultChecked = "";
} else {
$DefaultChecked = " checked";
}
print " <input type=\"radio\" name=\"".$Command."\" value=\"allow\"".$AllowChecked.">\n";
print " <input type=\"radio\" name=\"".$Command."\" value=\"deny\"".$DenyChecked.">\n";
print " <input type=\"radio\" name=\"".$Command."\" value=\"default\"".$DefaultChecked.">\n";
print " </td>";
$Column++;
if($Column == $MaxColumns){
print " </tr>\n";
$Column=0;
$Row++;
}
}
if($Column > 0){
print " </tr>\n";
}
print "</table>\n";
print "<input type=submit value=\"Change Permissions\">\n";
print "</form><br>\n";
print "<form action=userpermissions_form.cgi method=get>\n";
print $NavigationData;
print "<input type=hidden name=\"DeleteUser\" value=\"".$Username."\">\n";
print "<input type=submit value=\"Delete User Permissions\">\n";
print "<input type=checkbox name=\"Confirm Delete User\">I'm sure<br>\n";
print "</form>\n";
}
#########################################
# print textarea
print "<HR WIDTH=100%>\n";
print &text('manual_header', "<tt>$file</tt>"),"<p>\n";
print "<form action=manual_save.cgi method=post enctype=multipart/form-data>\n";
print $NavigationData;
print "<br><textarea rows=15 cols=80 name=directives>\n";
$lref = &read_file_lines($file);
if (!defined($start)) {
$start = 0;
$end = @$lref - 1;
}
for($i=$start; $i<=$end; $i++) {
print &html_escape($lref->[$i]),"\n";
}
print "</textarea><br><input type=submit value=\"$text{'save'}\"></form>\n";
#########################################
# print footer
&ui_print_footer("$return?$args", $rmsg);
exit;
#########################################################
sub GetUsers(){
my $UserCount=0;
setpwent();
while(my @uinfo = getpwent()) {
if ($uinfo[2] > 100) {
$UserCount++;
$Users[$UserCount]=$uinfo[0];
$Usernames.=" ".$uinfo[0];
}
}
endpwent();
}
sub GetFTPAccessUserPerms(){
# Fills global variables:
# $UsedUsernames, %UserAllowedCommands, %UserDeniedCommands
my ($FTPAccessFile) = @_;
##################################################
# Read .ftpaccess file
my $Commands = "";
open FTPACCESS, "$FTPAccessFile" or &error("Can't open $FTPAccessFile: $!");
while (my $line=<FTPACCESS>){
chomp $line;
#print $line."\n";
if($line =~ /<Limit (.*)>/i){
$Commands = $1;
#print "Limit $Commands\n";
}
if($line =~ /<\/Limit(.*)>/i){
$Commands = "";
#print "End Limit $Commands\n";
}
if($Commands){
#print "$line\n";
if($line =~ /AllowUser (.+)/i){
my $AllowedUsernames = $1;
#print "AllowUser $AllowedUsernames\n";
foreach $AllowedUsername (split (" ",$AllowedUsernames)){
next unless ($AllowedUsername);
$UserAllowedCommands{$AllowedUsername}.=" ".$Commands;
#print "AllowUser $AllowedUsername\n";
}
}
if($line =~ /DenyUser (.+)/i){
my $DeniedUsernames = $1;
foreach $DeniedUsername (split (" ",$DeniedUsernames)){
next unless ($DeniedUsername);
$UserDeniedCommands{$DeniedUsername}.=" ".$Commands;
}
}
}
}
close FTPACCESS;
##################################################
# collect all mentioned users in table
$UsedUsernames="";
foreach $Username(keys %UserAllowedCommands){
#print "Adding $Username\n";
$UserAllowedCommands{$Username}=
&UnifyAndExpandCommands($UserAllowedCommands{$Username}." ".$Commands);
if($UsedUsernames !~ /\b$Username\b/){
$UsedUsernames.=$Username." ";
}
}
foreach $Username(keys %UserDeniedCommands){
$UserDeniedCommands{$Username}=
&UnifyAndExpandCommands($UserDeniedCommands{$Username}." ".$Commands);
if($UsedUsernames !~ /\b$Username\b/){
$UsedUsernames.=$Username." ";
}
}
}
sub UnifyAndExpandCommands(){
(my $Commands) = @_;
my $NewCommands = "";
foreach $Command(split(" ",$Commands)){
next unless($Command);
if($CommandTuples{$Command}){
$NewCommands.=" ".$CommandTuples{$Command};
} else {
$NewCommands.=" ".$Command;
}
}
return &UnifyCommands($NewCommands);
}
sub UnifyCommands(){
(my $Commands) = @_;
my $NewCommands = "";
foreach $Command(split(" ",$Commands)){
next unless($Command);
next if($NewCommands =~ /\b$Command\b/i);
if($NewCommands){
$NewCommands.=" ";
}
$NewCommands.=$Command;
}
return $NewCommands;
}
sub AddUser(){
(my $Username, $FTPAccessFile) = @_;
if($Usernames =~ /\b$Usernames\b/){
print "<H2>Username $Username does not exist.</H2>\n";
return;
}
if ($UserAllowedCommands{$Username} || $UserDeniedCommands{$Username}){
# user already exists
print "<H2>Username $Username already exists.</H2>\n";
return;
}
$UserAllowedCommands{$Username}=$MinimumCommands;
$UserDeniedCommands{$Username}="";
if($UsedUsernames !~ /\b$Username\b/){
$UsedUsernames.=$Username." ";
}
&WritePermissions($FTPAccessFile);
}
sub DeleteUser(){
(my $Username, $FTPAccessFile) = @_;
if($UsedUsernames =~ /\b$Usernames\b/){
print "<H2>Username $Username does not exist in table.</H2>\n";
return;
}
if ((!$UserAllowedCommands{$Username}) && (!$UserDeniedCommands{$Username})){
# user already deleted
print "<H2>Username $Username is already not in table.</H2>\n";
return;
}
$UserAllowedCommands{$Username}="";
$UserDeniedCommands{$Username}="";
$UsedUsernames =~ s/\b$Username\b *//;
&WritePermissions($FTPAccessFile);
}
sub ChangePermissions(){
(my $Username, $FTPAccessFile) = @_;
if($UsedUsernames =~ /\b$Usernames\b/){
print "<H2>Username $Username does not exist in table.</H2>\n";
return;
}
foreach $Command(keys %Commands){
#print "$Command value=".$in{$Command}."<br>\n";
if($CommandToTuple{$Command}){
# skip commands in tuples
next;
}
my $FTPCommands=$Command;
if($CommandTuples{$FTPCommands}){
$FTPCommands = $CommandTuples{$FTPCommands};
}
if ($in{$Command} eq "allow"){
$UserAllowedCommands{$Username}.=" ".$FTPCommands;
#print "Allow $Username $Command<br>\n";
} else {
$UserAllowedCommands{$Username} =
&RemoveCommands($UserAllowedCommands{$Username},$FTPCommands);
}
if ($in{$Command} eq "deny"){
$UserDeniedCommands{$Username}.=" ".$FTPCommands;
#print "Deny $Username $Command<br>\n";
} else {
$UserDeniedCommands{$Username} =
&RemoveCommands($UserDeniedCommands{$Username},$FTPCommands);
}
}
$UserAllowedCommands{$Username}=
&UnifyCommands($MinimumCommands." ".$UserAllowedCommands{$Username});
$UserDeniedCommands{$Username}=
&UnifyCommands($UserDeniedCommands{$Username});
&WritePermissions($FTPAccessFile);
}
sub WritePermissions(){
# Read .ftpaccess file, remove all user command permissions
# and add new set of user permissions
(my $FTPAccessFile) = @_;
my $NewConfig = "";
my $OldCommands = "";
my $Username;
# Lock .ftpaccess file
&lock_file($FTPAccessFile);
&lock_file($FTPAccessFile);
# Read old .ftpaccess file
open FTPACCESS, "$FTPAccessFile" or die "Can't read $FTPAccessFile: $!";
$DenyAllBlockFound = 0;
while(my $line = <FTPACCESS>){
my $ShortLine = $line;
chomp $ShortLine;
#print $ShortLine."\n";
if($ShortLine =~ /<Limit (.*)>/i){
# start of Limit block
$OldCommands = $1;
#print "Limit $OldCommands\n";
$LimitBlock = $line;
$ImportantLimitLineFound = 0;
$DenyAllFound = 0;
} elsif($ShortLine =~ /<\/Limit(.*)>/i){
# end of Limit block
#print "End Limit $OldCommands\n";
$LimitBlock .= $line;
if($ImportantLimitLineFound){
$NewConfig .= $LimitBlock;
}
if(($OldCommands =~ /\bALL\b/i) && ($DenyAllFound)){
# this was a DenyAll for All commands block
$DenyAllBlockFound = 1;
}
$OldCommands = "";
} elsif($OldCommands){
#print "$ShortLine\n";
if($ShortLine =~ /AllowUser (.*)/i){
# AllowUser line -> will be replaced, not important
} elsif($ShortLine =~ /DenyUser (.*)/i){
# DenyUser line -> will be replaced, not important
} elsif($ShortLine =~ /^ +$/){
# empty line -> not important, but keep it for readability
$LimitBlock .= $line;
} else {
# other limit directive -> important
$LimitBlock .= $line;
$ImportantLimitLineFound = 1;
if($ShortLine =~ /\bDenyAll\b/i){
$DenyAllFound = 1;
}
}
} else {
# other directives -> keep
$NewConfig .= $line;
}
}
close FTPACCESS;
# Append new directives
# Append DenyAll block if not already there
if(!$DenyAllBlockFound){
$NewConfig.="<Limit All>\n";
$NewConfig.=" DenyAll\n";
$NewConfig.="</Limit>\n";
}
# Append Limit blocks for users
foreach $Username (sort split(" ",$Usernames)){
my $CurAllow = $UserAllowedCommands{$Username};
if ($CurAllow){
$NewConfig.="<Limit ".$CurAllow.">\n";
$NewConfig.=" AllowUser ".$Username."\n";
$NewConfig.="</Limit>\n";
}
my $CurDeny = $UserDeniedCommands{$Username};
if ($CurDeny){
$NewConfig.="<Limit ".$CurDeny.">\n";
$NewConfig.=" DenyUser ".$Username."\n";
$NewConfig.="</Limit>\n";
}
}
#print "<br>\n".$NewConfig."<br>\n";
# Write new .ftpaccess file
open FTPACCESS, "> $FTPAccessFile" or die "Can't append to $FTPAccessFile: $!";
print FTPACCESS $NewConfig;
close FTPACCESS;
# Unlock .ftpaccess file
&unlock_file($FTPAccessFile);
$logtype = 'ftpaccess';
$logname = $in{'file'};
&webmin_log($logtype, "user permissions", $logname, \%in);
}
sub CommandContains(){
(my $Commands, my $SubSet) = @_;
foreach my $Command(split(" ",$SubSet)){
next unless($Command);
if($Commands =~ /\b$Command\b/i){
return 1;
}
}
return 0;
}
sub RemoveCommands(){
(my $Commands, my $SubSet) = @_;
foreach my $Command(split(" ",$SubSet)){
next unless($Command);
$Commands =~ s/\b$Command\b *//gi;
}
return $Commands;
}
# end.