thias · disconn3ct · Jun 23, 2014 · Jun 23, 2014 · Jul 1, 2014 · Jul 3, 2014
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+*~
+*.swp
diff --git a/README.md b/README.md
@@ -1,5 +1,111 @@
 # puppet-vsftpd
 
+From Latch Mihaylov (zverocool)
+
+Enhanced funtionality to the vsftpd module to include FTPS compatbility and etc.
+In summary 
+1. enables you to select vsftpd version
+2. Adding the chrooted directory to SELINUX if its enabled
+3. enables FTPS support 
+This is very light documentation and needs to be enhanced.
+
+Examples (wrappers)
+Regular FTP Server, defining version, chrooting, not so different from existing
+```puppet
+      class { 'vsftpd':
+        version               => '2.2.2-11.el6_4.1',
+        ftpd_banner           => 'FTP Server',
+        anonymous_enable      => 'NO',
+        chroot_local_user     => 'YES',
+        local_root            => '/data/ftp/$USER',
+        user_sub_token        => '$USER',
+        local_enable          => 'YES',
+        write_enable          => 'YES',
+        local_umask           => '022',
+        dirmessage_enable     => 'YES',
+        xferlog_enable        => 'YES',
+        connect_from_port_20  => 'YES',
+        xferlog_std_format    => 'YES',
+        listen                => 'YES',
+        pam_service_name      => 'vsftpd',
+        userlist_enable       => 'YES',
+        userlist_log          => 'YES',
+        tcp_wrappers          => 'NO',
+        session_support       => 'YES',
+      }
+```
+FTPS Server with version and chrooting
+```puppet 
+      # Various FTPS Variables
+      $ftps_cert = 'ftps.cer'
+      $ftps_key = 'ftps.key'
+
+      # PASV Settings for FTPS
+      $masquerade_min_port = '36000'
+      $masquerade_max_port = '36999'
+      $masquerade_address  = '127.0.0.1' #use your masq address here
+
+      if $masquerade_address != undef {
+        class { 'vsftpd':
+          version               => '2.2.2-11.el6_4.1',
+          ftpd_banner           => 'FTPS Server',
+          anonymous_enable      => 'NO',
+          chroot_local_user     => 'YES',
+          local_root            => '/data/ftps/$USER',
+          user_sub_token        => '$USER',
+          local_enable          => 'YES',
+          write_enable          => 'YES',
+          local_umask           => '022',
+          dirmessage_enable     => 'YES',
+          xferlog_enable        => 'YES',
+          connect_from_port_20  => 'YES',
+          xferlog_std_format    => 'YES',
+          listen                => 'YES',
+          pam_service_name      => 'vsftpd',
+          userlist_enable       => 'YES',
+          userlist_log          => 'YES',
+          tcp_wrappers          => 'NO',
+          session_support       => 'YES',
+
+          # SSL SUPPORT
+          ssl_enable             => 'YES',
+          rsa_cert_file          => "/etc/vsftpd/cert/$ftps_cert",
+          rsa_private_key_file   => "/etc/vsftpd/cert/$ftps_key",
+          require_ssl_reuse      => 'YES',
+          allow_anon_ssl         => 'YES',
+          force_local_data_ssl   => 'NO',
+          force_local_logins_ssl => 'YES',
+          ssl_tlsv1              => 'YES',
+          ssl_sslv2              => 'NO',
+          ssl_sslv3              => 'NO',
+          ssl_ciphers            => 'HIGH',
+
+          # Adding masquerade abilities for VIP
+          pasv_min_port         => '13000',
+          pasv_max_port         => '13999',
+          pasv_address          => '127.0.0.1', # masquarade address here 127 is for the example
+        }
+
+        # ADDS THE CERT
+        file { "$::vsftpd::params::confdir/cert/$ftps_cert":
+          ensure  => present,
+          source  => "puppet:///cert/${ftps_cert}",
+          mode    => 0644,
+          owner   => root,
+          group   => root,
+          notify  => Service[$::vsftpd::params::service_name],
+        }
+
+        # ADDS THE CERT KEY
+        file { "$::vsftpd::params::confdir/cert/${ftps_key}":
+          ensure  => present,
+          source  => "puppet:///cert/${ftps_key}",
+          mode    => 0644,
+          owner   => root,
+          group   => root,
+          notify  => Service[$::vsftpd::params::service_name],
+        }
+```
 ## Overview
 
 This module enables and configures a vsftpd FTP server instance.

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -17,9 +17,11 @@
   $confdir                 = $::vsftpd::params::confdir,
   $package_name            = $::vsftpd::params::package_name,
   $service_name            = $::vsftpd::params::service_name,
+  $version                 = $::vsftpd::params::version,
   $template                = 'vsftpd/vsftpd.conf.erb',
+  $confname                = 'vsftpd.conf',
   # vsftpd.conf options
-  $anonymous_enable        = 'YES',
+  $anonymous_enable        = 'NO',
   $local_enable            = 'YES',
   $write_enable            = 'YES',
   $local_umask             = '022',
@@ -39,31 +41,63 @@
   $ascii_upload_enable     = 'NO',
   $ascii_download_enable   = 'NO',
   $ftpd_banner             = undef,
+  $guest_enable            = 'NO',
+  $virtual_use_local_privs = 'YES',
+  $log_ftp_protocol        = 'NO',
+  # intentionally not interpolated
+  $user_sub_token          = '$USER',
+  $local_root              = '/ftp/virtual/$USER',
   $chroot_local_user       = 'NO',
   $chroot_list_enable      = 'NO',
   $chroot_list_file        = '/etc/vsftpd/chroot_list',
+  $local_root              = undef,
+  $user_sub_token          = undef,
   $ls_recurse_enable       = 'NO',
   $listen                  = 'YES',
   $listen_port             = undef,
   $pam_service_name        = 'vsftpd',
   $userlist_enable         = 'YES',
+  $userlist_log            = 'NO',
   $userlist_deny           = undef,
   $tcp_wrappers            = 'YES',
+  $session_support         = 'NO',
   $hide_file               = undef,
   $hide_ids                = 'NO',
   $setproctitle_enable     = 'NO',
   $text_userdb_names       = 'NO',
   $max_clients             = undef,
   $max_per_ip              = undef,
+  $pasv_enable             = true,
+  $port_enable             = true,
+  $pasv_address            = undef,
   $pasv_min_port           = undef,
   $pasv_max_port           = undef,
+  $pasv_address            = undef,
   $ftp_username            = undef,
   $banner_file             = undef,
   $allow_writeable_chroot  = undef,
+  $ssl_enable              = 'NO',
+  $rsa_cert_file           = undef,
+  $rsa_private_key_file    = undef,
+  $require_ssl_reuse       = 'YES',
+  $allow_anon_ssl          = 'YES',
+  $force_local_data_ssl    = 'NO',
+  $force_local_logins_ssl  = 'YES',
+  $ssl_tlsv1               = 'YES',
+  $ssl_sslv2               = 'NO',
+  $ssl_sslv3               = 'NO',
+  $ssl_ciphers             = 'HIGH',
   $directives              = {},
+  $users                   = ['user1', 'user2'],
+  $userlist_file	   = "/etc/vsftpd.users.conf",
 ) inherits ::vsftpd::params {
-
-  package { $package_name: ensure => installed }
+
+  if $version == undef {
+   package { $package_name: ensure => installed }    
+  } else {
+   package { $package_name: ensure => $version } 
+  }
+
 
   service { $service_name:
     require   => Package[$package_name],
@@ -72,11 +106,30 @@
     hasstatus => true,
   }
 
-  file { "${confdir}/vsftpd.conf":
+  file { "${confdir}/${confname}":
     require => Package[$package_name],
     content => template($template),
     notify  => Service[$service_name],
   }
+
+  file { "${confdir}/cert":
+    ensure => directory,
+  }
+
+  selboolean { 'ftp_home_dir':
+    persistent => true,
+    value      => on,
+  }
+
+  if ("$userlist_enable" == "YES") {
+    notify{"userlist is YES":}
+  }
+
+  file { "${confdir}/vsftpd.users.conf":
+    require => Package[$package_name],
+    content => template('vsftpd/vsftpd.users.conf.erb'),
+    notify  => Service[$service_name],
+  }
 
 }
 
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -4,6 +4,7 @@
 
   $package_name = 'vsftpd'
   $service_name = 'vsftpd'
+  $version      = undef
 
   case $::operatingsystem {
     'RedHat',

diff --git a/templates/vsftpd.conf.erb b/templates/vsftpd.conf.erb
@@ -13,7 +13,25 @@ anonymous_enable=<%= @anonymous_enable %>
 #
 # Uncomment this to allow local users to log in.
 local_enable=<%= @local_enable %>
-#
+
+# If enabled, all non-anonymous logins are classed as "guest" logins. i
+# A guest login is remapped to the user specified in the guest_username setting.
+guest_enable=<%= @guest_enable %>
+
+# If enabled, virtual users will use the same privileges as local users.
+# By default, virtual users will use the same privileges as anonymous users,
+# which tends to be more restrictive (especially in terms of write access).
+virtual_use_local_privs=<%=@virtual_use_local_privs%>
+
+# It is used to automatically generate a home directory for each virtual user, based on a template.
+user_sub_token=<%=@user_sub_token%>
+
+# This option represents a directory which vsftpd will try to change into after a local (i.e. non-anonymous) login.
+local_root=<%=@local_root%>
+
+# When enabled, all FTP requests and responses are logged, providing the option xferlog_std_format is not enabled. Useful for debugging.
+log_ftp_protocol=<%=@log_ftp_protocol%>
+
 # Uncomment this to enable any form of FTP write command.
 write_enable=<%= @write_enable %>
 #
@@ -144,6 +162,22 @@ chroot_list_file=<%= @chroot_list_file %>
 # (default follows)
 #chroot_list_file=/etc/vsftpd/chroot_list
 <% end -%>
+<% if @local_root -%>
+local_root=<%= @local_root %>
+<% end -%>
+<% if @user_sub_token -%>
+user_sub_token=<%= @user_sub_token %>
+<% end -%>
+#session_support
+#This controls whether vsftpd attempts to maintain sessions for logins. 
+#If vsftpd is maintaining sessions, it will try and update utmp and wtmp.
+#It will also open a pam_session if using PAM to authenticate, and only 
+#close this upon logout. You may wish to disable this if you do not need
+#session logging, and you wish to give vsftpd more opportunity to run 
+#with less processes and / or less privilege. 
+# NOTE - utmp and wtmp support is only provided with PAM enabled builds.
+# Default: NO
+session_support=<%= @session_support %>
 #
 # You may activate the "-R" option to the builtin ls. This is disabled by
 # default to avoid remote users being able to cause excessive I/O on large
@@ -170,9 +204,11 @@ listen_port=<%= @listen_port %>
 
 pam_service_name=<%= @pam_service_name %>
 userlist_enable=<%= @userlist_enable %>
+userlist_log=<%= @userlist_log %>
 <% if @userlist_deny -%>
 userlist_deny=<%= @userlist_deny %>
 <% end -%>
+userlist_file=<%= @userlist_file %>
 tcp_wrappers=<%= @tcp_wrappers %>
 <% if @hide_file -%>
 hide_file=<%= @hide_file %>
@@ -186,12 +222,24 @@ max_clients=<%= @max_clients %>
 <% if @max_per_ip -%>
 max_per_ip=<%= @max_per_ip %>
 <% end -%>
+<% if @pasv_enable -%>
+pasv_enable=YES
+<% end -%>
+<% if @port_enable -%>
+port_enable=YES
+<% end -%>
+<% if @pasv_address -%>
+pasv_address=<%= @pasv_address %>
+<% end -%>
 <% if @pasv_min_port -%>
 pasv_min_port=<%= @pasv_min_port %>
 <% end -%>
 <% if @pasv_max_port -%>
 pasv_max_port=<%= @pasv_max_port %>
 <% end -%>
+<% if @pasv_address -%>
+pasv_address=<%= @pasv_address %>
+<% end -%>
 <% if @ftp_username -%>
 ftp_username=<%= @ftp_username %>
 <% end -%>
@@ -204,3 +252,16 @@ allow_writeable_chroot=<%= @allow_writeable_chroot %>
 <% @directives.reject {|key,value| value == :undef}.sort_by {|key,value| key}.each do |key,value| -%>
 <%= key %>=<%= value %>
 <% end -%>
+<% if @ssl_enable == 'YES' -%>
+ssl_enable=<%= @ssl_enable %>
+rsa_cert_file=<%= @rsa_cert_file %>
+rsa_private_key_file=<%= @rsa_private_key_file %>
+require_ssl_reuse=<%= @require_ssl_reuse %>
+allow_anon_ssl=<%= @allow_anon_ssl %>
+force_local_data_ssl=<%= @force_local_data_ssl %>
+force_local_logins_ssl=<%= @force_local_logins_ssl %>
+ssl_tlsv1=<%= @ssl_tlsv1 %>
+ssl_sslv2=<%= @ssl_sslv2 %>
+ssl_sslv3=<%= @ssl_sslv3 %>
+ssl_ciphers=<%= @ssl_ciphers %>
+<% end -%>
diff --git a/templates/vsftpd.users.conf.erb b/templates/vsftpd.users.conf.erb
@@ -0,0 +1,3 @@
+<% @users.each do |val| -%>
+<%= val %>
+<% end -%>