improve ftp access to lbb, simplify samba config

etc_apache2_sites-available_comitup.conf

@@ -1,8 +1,8 @@
 <VirtualHost *:8843>
 	SSLEngine on
 
-	SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
-	SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
+	SSLCertificateFile /etc/ssl/certs/little-backup-box.crt
+	SSLCertificateKeyFile /etc/ssl/certs/little-backup-box.key
 
 	ProxyPreserveHost Off
 	ProxyRequests Off

etc_apache2_sites-available_little-backup-box.conf

@@ -51,8 +51,8 @@
 
 		SSLEngine on
 
-		SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
-		SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
+		SSLCertificateFile /etc/ssl/certs/little-backup-box.crt
+		SSLCertificateKeyFile /etc/ssl/certs/little-backup-box.key
 
 		<FilesMatch "\.(cgi|shtml|phtml|php)$">
 			SSLOptions +StdEnvVars
@@ -95,8 +95,8 @@
 		SSLEngine on
 		SSLProxyEngine On
 
-		SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
-		SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
+		SSLCertificateFile /etc/ssl/certs/little-backup-box.crt
+		SSLCertificateKeyFile /etc/ssl/certs/little-backup-box.key
 
 		ProxyPreserveHost Off
 		ProxyRequests Off

etc_samba_smb.conf

@@ -0,0 +1,42 @@
+### Global Settings ###
+[global]
+workgroup = WORKGROUP
+wide links = yes
+unix extensions = no
+dns proxy = no
+
+### Debugging/Accounting ###
+log file = /var/log/samba/log.%m
+max log size = 1000
+syslog = 0
+panic action = /usr/share/samba/panic-action %d
+
+### Authentication ###
+security = user
+map to guest = Bad User
+guest account = www-data
+
+### Better Mac OS X support ###
+vfs objects = fruit streams_xattr
+fruit:metadata = stream
+fruit:model = MacSamba
+fruit:posix_rename = yes
+fruit:veto_appledouble = no
+fruit:nfs_aces = no
+fruit:wipe_intentionally_left_blank_rfork = yes
+fruit:delete_empty_adfiles = yes
+
+### Share Definitions ###
+
+[media]
+comment = Little Backup Box media
+include = /etc/samba/login.conf
+path = /media
+browseable = yes
+force user = www-data
+force group = www-data
+admin users = www-data
+writeable = yes
+read only = no
+create mask = 0777
+directory mask = 0777

etc_vsftpd.conf

@@ -0,0 +1,18 @@
+listen=NO
+listen_ipv6=YES
+anonymous_enable=NO
+local_enable=YES
+local_root=/media
+write_enable=YES
+local_umask=022
+dirmessage_enable=YES
+use_localtime=YES
+xferlog_enable=YES
+xferlog_file=/var/log/vsftpd.log
+connect_from_port_20=YES
+idle_session_timeout=600
+data_connection_timeout=120
+pam_service_name=vsftpd
+rsa_cert_file=/etc/ssl/certs/little-backup-box.pem
+rsa_private_key_file=/etc/ssl/certs/little-backup-box.key
+ssl_enable=YES

install-little-backup-box.sh

@@ -514,7 +514,10 @@ WantedBy=multi-user.target" | tee /etc/systemd/system/multi-user.target.wants/ph
 sudo systemctl daemon-reload
 
 #openssl
-sudo openssl req -x509 -nodes -days 3650 -subj '/C=OW/ST=MilkyWay/L=Earth/CN=10.42.0.1' -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
+sudo openssl req -x509 -nodes -days 3650 -subj '/C=OW/ST=MilkyWay/L=Earth/O=little-backup-box/CN=10.42.0.1' -newkey rsa:2048 -keyout /etc/ssl/certs/little-backup-box.key -out /etc/ssl/certs/little-backup-box.crt
+sudo cat /etc/ssl/certs/little-backup-box.key | sudo tee /etc/ssl/certs/little-backup-box.pem
+sudo cat /etc/ssl/certs/little-backup-box.crt | sudo tee -a /etc/ssl/certs/little-backup-box.pem
+sudo chmod 600 /etc/ssl/certs/little-backup-box.*
 
  # Apache-config-files
 if [ "${SCRIPT_MODE}" = "install" ]; then
@@ -544,74 +547,18 @@ if [ "${CHOICE_COMITUP}" = "0" ]; then
 fi
 
 # Configure Samba
-if [ "${SCRIPT_MODE}" = "update" ]; then
-	yes | sudo cp -f /etc/samba/smb.conf.orig /etc/samba/smb.conf
-else
-	sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.orig
-fi
-sudo sh -c "echo '' >> /etc/samba/smb.conf"
-sudo sh -c "echo '### Global Settings ###' > /etc/samba/smb.conf"
-sudo sh -c "echo '[global]' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'workgroup = WORKGROUP' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'wide links = yes' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'unix extensions = no' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'dns proxy = no' >> /etc/samba/smb.conf"
-sudo sh -c "echo '' >> /etc/samba/smb.conf"
-
-sudo sh -c "echo '### Debugging/Accounting ###' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'log file = /var/log/samba/log.%m' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'max log size = 1000' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'syslog = 0' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'panic action = /usr/share/samba/panic-action %d' >> /etc/samba/smb.conf"
-sudo sh -c "echo '' >> /etc/samba/smb.conf"
-
-sudo sh -c "echo '### Authentication ###' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'security = user' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'map to guest = Bad User' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'guest account = ${USER_WWW_DATA}' >> /etc/samba/smb.conf"
-sudo sh -c "echo '' >> /etc/samba/smb.conf"
-
-sudo sh -c "echo '### Better Mac OS X support ###' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'vfs objects = fruit streams_xattr' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'fruit:metadata = stream' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'fruit:model = MacSamba' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'fruit:posix_rename = yes' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'fruit:veto_appledouble = no' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'fruit:nfs_aces = no' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'fruit:wipe_intentionally_left_blank_rfork = yes' >> /etc/samba/smb.conf"
-sudo sh -c "echo 'fruit:delete_empty_adfiles = yes' >> /etc/samba/smb.conf"
-sudo sh -c "echo '' >> /etc/samba/smb.conf"
-
-sudo sh -c "echo '### Share Definitions ###' >> /etc/samba/smb.conf"
-
-DIRECTORIES=("${const_MEDIA_DIR}/${const_MOUNTPOINT_USB_TARGET}" "${const_MEDIA_DIR}/${const_MOUNTPOINT_USB_SOURCE}" "${const_MEDIA_DIR}/${const_MOUNTPOINT_NVME_TARGET}" "${const_MEDIA_DIR}/${const_MOUNTPOINT_NVME_SOURCE}" "${const_MEDIA_DIR}/${const_MOUNTPOINT_CLOUD_TARGET}" "${const_MEDIA_DIR}/${const_MOUNTPOINT_CLOUD_SOURCE}" "${const_MEDIA_DIR}/${const_INTERNAL_BACKUP_DIR}")
-for DIRECTORY in "${DIRECTORIES[@]}"; do
-    PATHNAME=$(basename ${DIRECTORY})
-
-    sudo sh -c "echo '' >> /etc/samba/smb.conf"
-    sudo sh -c "echo '[${PATHNAME}]' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'comment = Little Backup Box ${PATHNAME}' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'include = /etc/samba/login.conf' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'path = ${DIRECTORY}' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'browseable = yes' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'force user = ${USER_WWW_DATA}' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'force group = ${USER_WWW_DATA}' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'admin users = ${USER_WWW_DATA}' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'writeable = yes' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'read only = no' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'create mask = 0777' >> /etc/samba/smb.conf"
-    sudo sh -c "echo 'directory mask = 0777' >> /etc/samba/smb.conf"
-done
-
-echo "guest ok = yes" | sudo tee "/etc/samba/login.conf"
-
-sudo samba restart
-cd
+yes | sudo cp -f "${INSTALLER_DIR}/etc_samba_smb.conf" "/etc/samba/smb.conf"
+sudo chmod 0440 "/etc/samba/smb.conf"
 
 # Configure vsftpd
-if [ "${SCRIPT_MODE}" = "install" ]; then
-	sudo sh -c "echo 'write_enable=YES' >> /etc/vsftpd.conf"
-fi
+yes | sudo cp -f "${INSTALLER_DIR}/etc_vsftpd.conf" "/etc/vsftpd.conf.conf"
+sudo chmod 0440 "/etc/vsftpd.conf.conf"
+
+sudo useradd -s /bin/false -r ftpsecure
+
+sudo mkdir -p /var/run/vsftpd/empty
+sudo chown ftpsecure /var/run/vsftpd/empty
+
 sudo service vsftpd restart
 
 # setup graphical environment
@@ -683,11 +630,10 @@ EOM
 
 fi
 
-# re-establish passwords
-if [ "${SCRIPT_MODE}" = "update" ]; then
-	echo "Restore password-protection"
-	sudo python3 "${const_WEB_ROOT_LBB}/lib_password.py" "$(echo $conf_PASSWORD | base64 --decode)"
-fi
+# (re-)establish passwords
+echo "(Restore) password-protection"
+sudo python3 "${const_WEB_ROOT_LBB}/lib_password.py" "$(echo $conf_PASSWORD | base64 --decode)"
+sudo samba restart
 
 # setup hardware
 	source "${const_WEB_ROOT_LBB}/set_hardware.sh"

scripts/cron_idletime.py

@@ -31,8 +31,9 @@ class idletime(object):
 	def __init__(self):
 		#definitions
 		self.WORKING_DIR	= os.path.dirname(__file__)
-		self.ApacheAccessLogfile		= "/var/log/apache2/lbb-access.log"
-		self.ApacheRcloneAccessLogfile	= "/var/log/apache2/rclone-access.log"
+		self.ApacheAccessLogfile		= '/var/log/apache2/lbb-access.log'
+		self.ApacheRcloneAccessLogfile	= '/var/log/apache2/rclone-access.log'
+		vsftpdAccessLogfile				= '/var/log/vsftpd.log'
 
 		#objects
 		self.__setup	= lib_setup.setup()
@@ -58,12 +59,12 @@ def check(self):
 			return(f'idletime: uptime < idletime ({UpTime}s < {IdleSecToPowerOff}s)')
 
 		# logfile logmonitor
-		LbbLogfileAgeSec	= CompareTime - os.stat(self.const_LOGFILE).st_mtime if os.path.isfile(self.const_LOGFILE) else IdleSecToPowerOff
+		LbbLogfileAgeSec			= CompareTime - os.stat(self.const_LOGFILE).st_mtime if os.path.isfile(self.const_LOGFILE) else IdleSecToPowerOff
 		if LbbLogfileAgeSec < IdleSecToPowerOff:
 			return(f'idletime: logfile logmonitor idletime not reached ({LbbLogfileAgeSec}s < {IdleSecToPowerOff}s)')
 
 		# logfile apache2
-		ApacheLogfileAgeSec	= CompareTime - os.stat(self.ApacheAccessLogfile).st_mtime if os.path.isfile(self.ApacheAccessLogfile) else IdleSecToPowerOff
+		ApacheLogfileAgeSec			= CompareTime - os.stat(self.ApacheAccessLogfile).st_mtime if os.path.isfile(self.ApacheAccessLogfile) else IdleSecToPowerOff
 		if ApacheLogfileAgeSec < IdleSecToPowerOff:
 			return(f'idletime: logfile apache2 idletime not reached ({ApacheLogfileAgeSec}s < {IdleSecToPowerOff}s)')
 
@@ -72,6 +73,11 @@ def check(self):
 		if ApacheRcloneLogfileAgeSec < IdleSecToPowerOff:
 			return(f'idletime: logfile rclone gui idletime not reached ({ApacheRcloneLogfileAgeSec}s < {IdleSecToPowerOff}s)')
 
+		# logfile vsftpd
+		vsftpdLogfileAgeSec			= CompareTime - os.stat(self.vsftpdAccessLogfile).st_mtime if os.path.isfile(self.vsftpdAccessLogfile) else IdleSecToPowerOff
+		if vsftpdLogfileAgeSec < IdleSecToPowerOff:
+			return(f'idletime: logfile vsftpd idletime not reached ({vsftpdLogfileAgeSec}s < {IdleSecToPowerOff}s)')
+
 		# check processes
 		for process in [
 			['--exact',	'rsync'],

scripts/lang/de.json

@@ -519,7 +519,8 @@
         "info": "Little Backup Box Info",
         "main": "web UI",
         "open_samba": "Im Dateimanager öffnen (Samba / Windows)",
-        "description_https": "https (sicher, Zertifikat kann nicht automatisch verifiziert werden, bitte bestätigen)"
+        "description_https": "https (sicher, Zertifikat kann nicht automatisch verifiziert werden, bitte bestätigen)",
+        "open_ftp": "Per FTP zugreifen"
       }
     },
     "poweroff": {

scripts/lang/en.json

@@ -155,7 +155,8 @@
         "description_http": "http (insecure)",
         "open_samba": "Open in file manager (Samba / Windows)",
         "info": "Little Backup Box Info",
-        "description_https": "https (secure, certificate cannot be verified automatically, please confirm it)"
+        "description_https": "https (secure, certificate cannot be verified automatically, please confirm it)",
+        "open_ftp": "Access via FTP"
       }
     },
     "cmd": {

scripts/lang/es.json

@@ -519,7 +519,8 @@
         "info": "Información Little Backup Box",
         "main": "web UI",
         "open_samba": "Abrir en el administrador de archivos (Samba / Windows)",
-        "description_https": "https (seguro, el certificado no se puede verificar automáticamente, confirme)"
+        "description_https": "https (seguro, el certificado no se puede verificar automáticamente, confirme)",
+        "open_ftp": "Acceso vía FTP"
       }
     },
     "poweroff": {

scripts/lang/fr.json

@@ -519,7 +519,8 @@
         "info": "Little Backup Box Info",
         "main": "web UI",
         "open_samba": "Ouvrir dans le gestionnaire de fichiers (Samba / Windows)",
-        "description_https": "https (sécurisé, le certificat ne peut pas être vérifié automatiquement, veuillez confirmer)"
+        "description_https": "https (sécurisé, le certificat ne peut pas être vérifié automatiquement, veuillez confirmer)",
+        "open_ftp": "Accès via FTP"
       }
     },
     "poweroff": {

scripts/lib_cron_ip.py

@@ -131,10 +131,12 @@ def mail_ip(self):
 			indexLinksPlainSSL		= ''
 			indexLinksPlain8080		= ''
 			sambaLinksPlain			= ''
+			ftpLinksPlain			= ''
 
 			indexLinksHTMLSSL		= ''
 			indexLinksHTML8080		= ''
 			sambaLinksHTML			= ''
+			ftpLinksHTML			= ''
 
 			for IP in self.__IPs:
 				# create qr link
@@ -152,48 +154,56 @@ def mail_ip(self):
 						base64_image	= ''
 						qr_link	= ''
 
-				indexLinksPlainSSL	+= f'\n  https://{IP}\n'
-				indexLinksPlain8080	+= f'  http://{IP}:8080\n'
-				sambaLinksPlain		+= f'  smb://{IP}\n'
+				indexLinksPlainSSL	+= f'\n\t\t https://{IP}'
+				indexLinksPlain8080	+= f'\n\t\thttp://{IP}:8080'
+				sambaLinksPlain		+= f'\n\t\tsmb://{IP}'
+				ftpLinksPlain		+= f'\n\t ftp://lbb@{IP}'
 
-				indexLinksHTMLSSL	+= f'<br>\n  <a href="https://{IP}">https://{IP}{qr_link}</a><br>\n'
-				indexLinksHTML8080	+= f'  <a href="http://{IP}:8080">http://{IP}:8080</a><br>\n'
-				sambaLinksHTML		+= f'  <a href="smb://{IP}">smb://{IP}</a><br>\n'
+				indexLinksHTMLSSL	+= f'<br>\n<a href="https://{IP}">https://{IP}{qr_link}</a>'
+				indexLinksHTML8080	+= f'<br>\n<a href="http://{IP}:8080">http://{IP}:8080</a>'
+				sambaLinksHTML		+= f'<br>\n<a href="smb://{IP}">smb://{IP}</a>'
+				ftpLinksHTML		+= f'<br>\n<a href="ftp://lbb@{IP}">ftp://lbb@{IP}</a>'
 
 			#send mail
 			if IPs_changed:
 				# returns thread of sendmail process
 				return(
 						mailObj.sendmail(
 						Subject		= f"{self.__lan.l('box_cronip_mail_info')}: {', '.join(self.__IPs)}",
-						TextPlain	= self.__getTextPlain(indexLinksPlainSSL,indexLinksPlain8080,sambaLinksPlain),
-						TextHTML	= self.__getTextHTML(indexLinksHTMLSSL,indexLinksHTML8080,sambaLinksHTML)
+						TextPlain	= self.__getTextPlain(indexLinksPlainSSL, indexLinksPlain8080, sambaLinksPlain, ftpLinksPlain),
+						TextHTML	= self.__getTextHTML(indexLinksHTMLSSL, indexLinksHTML8080, sambaLinksHTML, ftpLinksHTML)
 						)
 					)
 
-	def __getTextPlain(self,indexLinksPlainSSL,indexLinksPlain8080,sambaLinksPlain):
+	def __getTextPlain(self, indexLinksPlainSSL, indexLinksPlain8080, sambaLinksPlain, ftpLinksPlain):
 		return(f"""
 	*** {self.__lan.l('box_cronip_mail_main')}: ***
 	{self.__lan.l('box_cronip_mail_description_https')}:
-	{indexLinksPlainSSL}
+{indexLinksPlainSSL}
 
 	{self.__lan.l('box_cronip_mail_description_http')}:
-	{indexLinksPlain8080}
+{indexLinksPlain8080}
 
 	*** {self.__lan.l('box_cronip_mail_open_samba')}: ***
-	{sambaLinksPlain}""")
+{sambaLinksPlain}
 
-	def __getTextHTML(self,indexLinksHTMLSSL,indexLinksHTML8080,sambaLinksHTML):
+	*** {self.__lan.l('box_cronip_mail_open_ftp')}: ***
+{ftpLinksPlain}""")
+
+	def __getTextHTML(self, indexLinksHTMLSSL, indexLinksHTML8080, sambaLinksHTML, ftpLinksHTML):
 		return(f"""
-	<b>{self.__lan.l('box_cronip_mail_main')}:</b><br>
-	{self.__lan.l('box_cronip_mail_description_https')}:<br>
+	<h2>{self.__lan.l('box_cronip_mail_main')}:</h2>
+	<h3>{self.__lan.l('box_cronip_mail_description_https')}:</h3>
 	{indexLinksHTMLSSL}
-	<br>
-	{self.__lan.l('box_cronip_mail_description_http')}:<br>
+	<br><br>
+	<h3>{self.__lan.l('box_cronip_mail_description_http')}:</h3>
 	{indexLinksHTML8080}
-	<br>
-	<b>{self.__lan.l('box_cronip_mail_open_samba')}:</b><br>
-	{sambaLinksHTML}"""
+	<br><br>
+	<h2>{self.__lan.l('box_cronip_mail_open_samba')}:</h2>
+	{sambaLinksHTML}
+	<br><br>
+	<h2>{self.__lan.l('box_cronip_mail_open_ftp')}:</h2>
+	{ftpLinksHTML}"""
 	)
 
 if __name__ == "__main__":

scripts/lib_storage.py

@@ -558,9 +558,6 @@ def createPath(self,MountPoint='',SubPathBelowMountPoint=''):
 		pathlib.Path(MountPoint, SubPathBelowMountPoint).mkdir(parents=True, exist_ok=True)
 		self.set_mountpoint_permissions(MountPoint)
 
-		Command	= 'service smbd restart &'
-		subprocess.run(Command, shell=True)
-
 	def set_mountpoint_permissions(self, MountPoint=''):
 		MountPoint	= MountPoint if MountPoint else self.MountPoint