sftp: deny access if server is suspended (#100)

Matthew Penner 2021-08-03 20:56:02 -06:00 committed by GitHub
parent 930abfb4a7
commit ca25ba5fab
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 5 deletions


@ -14,6 +14,7 @@ import (
"golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh"
"github.com/pterodactyl/wings/config" "github.com/pterodactyl/wings/config"
"github.com/pterodactyl/wings/server"
"github.com/pterodactyl/wings/server/filesystem" "github.com/pterodactyl/wings/server/filesystem"
) )
@ -26,8 +27,10 @@ const (
) )
type Handler struct { type Handler struct {
permissions []string
mu sync.Mutex mu sync.Mutex
permissions []string
server *server.Server
fs *filesystem.Filesystem fs *filesystem.Filesystem
logger *log.Entry logger *log.Entry
ro bool ro bool
@ -35,11 +38,12 @@ type Handler struct {
// Returns a new connection handler for the SFTP server. This allows a given user // Returns a new connection handler for the SFTP server. This allows a given user
// to access the underlying filesystem. // to access the underlying filesystem.
func NewHandler(sc *ssh.ServerConn, fs *filesystem.Filesystem) *Handler { func NewHandler(sc *ssh.ServerConn, srv *server.Server) *Handler {
return &Handler{ return &Handler{
fs: fs,
ro: config.Get().System.Sftp.ReadOnly,
permissions: strings.Split(sc.Permissions.Extensions["permissions"], ","), permissions: strings.Split(sc.Permissions.Extensions["permissions"], ","),
server: srv,
fs: srv.Filesystem(),
ro: config.Get().System.Sftp.ReadOnly,
logger: log.WithFields(log.Fields{ logger: log.WithFields(log.Fields{
"subsystem": "sftp", "subsystem": "sftp",
"username": sc.User(), "username": sc.User(),
@ -278,6 +282,10 @@ func (h *Handler) Filelist(request *sftp.Request) (sftp.ListerAt, error) {
// Determines if a user has permission to perform a specific action on the SFTP server. These // Determines if a user has permission to perform a specific action on the SFTP server. These
// permissions are defined and returned by the Panel API. // permissions are defined and returned by the Panel API.
func (h *Handler) can(permission string) bool { func (h *Handler) can(permission string) bool {
if h.server.IsSuspended() {
return false
}
// SFTPServer owners and super admins have their permissions returned as '[*]' via the Panel // SFTPServer owners and super admins have their permissions returned as '[*]' via the Panel
// API, so for the sake of speed do an initial check for that before iterating over the // API, so for the sake of speed do an initial check for that before iterating over the
// entire array of permissions. // entire array of permissions.
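Review bot: The suspension check added at the top of `can()` only protects requests that call `can()` before touching `h.fs`, and the other request handlers (Fileread, Filewrite, Filecmd, and the rest of Filelist) lie outside this hunk, so each of them should be confirmed to go through it. Because the check runs once per request, a reader or writer handed out before the server was suspended presumably stays usable until it is closed; if suspension must cut off in-flight transfers, that needs a separate mechanism. The doc comment above `can` should state the new rule, for example `// A suspended server denies every permission, including the '[*]' wildcard held by owners and admins.` The denial also returns the same `false` as a missing permission, so a line such as `h.logger.Debug("denying sftp request: server is suspended")` before the `return false` would let operators tell the two cases apart.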


@ -141,7 +141,7 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
// Spin up a SFTP server instance for the authenticated user's server allowing // Spin up a SFTP server instance for the authenticated user's server allowing
// them access to the underlying filesystem. // them access to the underlying filesystem.
handler := sftp.NewRequestServer(channel, NewHandler(sconn, srv.Filesystem()).Handlers()) handler := sftp.NewRequestServer(channel, NewHandler(sconn, srv).Handlers())
if err := handler.Serve(); err == io.EOF { if err := handler.Serve(); err == io.EOF {
handler.Close() handler.Close()
} }