sftp: deny access if server is suspended (#100)
This commit is contained in:
parent
930abfb4a7
commit
ca25ba5fab
|
@ -14,6 +14,7 @@ import (
|
||||||
"golang.org/x/crypto/ssh"
|
"golang.org/x/crypto/ssh"
|
||||||
|
|
||||||
"github.com/pterodactyl/wings/config"
|
"github.com/pterodactyl/wings/config"
|
||||||
|
"github.com/pterodactyl/wings/server"
|
||||||
"github.com/pterodactyl/wings/server/filesystem"
|
"github.com/pterodactyl/wings/server/filesystem"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -26,8 +27,10 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
type Handler struct {
|
type Handler struct {
|
||||||
|
mu sync.Mutex
|
||||||
|
|
||||||
permissions []string
|
permissions []string
|
||||||
mu sync.Mutex
|
server *server.Server
|
||||||
fs *filesystem.Filesystem
|
fs *filesystem.Filesystem
|
||||||
logger *log.Entry
|
logger *log.Entry
|
||||||
ro bool
|
ro bool
|
||||||
|
@ -35,11 +38,12 @@ type Handler struct {
|
||||||
|
|
||||||
// Returns a new connection handler for the SFTP server. This allows a given user
|
// Returns a new connection handler for the SFTP server. This allows a given user
|
||||||
// to access the underlying filesystem.
|
// to access the underlying filesystem.
|
||||||
func NewHandler(sc *ssh.ServerConn, fs *filesystem.Filesystem) *Handler {
|
func NewHandler(sc *ssh.ServerConn, srv *server.Server) *Handler {
|
||||||
return &Handler{
|
return &Handler{
|
||||||
fs: fs,
|
|
||||||
ro: config.Get().System.Sftp.ReadOnly,
|
|
||||||
permissions: strings.Split(sc.Permissions.Extensions["permissions"], ","),
|
permissions: strings.Split(sc.Permissions.Extensions["permissions"], ","),
|
||||||
|
server: srv,
|
||||||
|
fs: srv.Filesystem(),
|
||||||
|
ro: config.Get().System.Sftp.ReadOnly,
|
||||||
logger: log.WithFields(log.Fields{
|
logger: log.WithFields(log.Fields{
|
||||||
"subsystem": "sftp",
|
"subsystem": "sftp",
|
||||||
"username": sc.User(),
|
"username": sc.User(),
|
||||||
|
@ -278,6 +282,10 @@ func (h *Handler) Filelist(request *sftp.Request) (sftp.ListerAt, error) {
|
||||||
// Determines if a user has permission to perform a specific action on the SFTP server. These
|
// Determines if a user has permission to perform a specific action on the SFTP server. These
|
||||||
// permissions are defined and returned by the Panel API.
|
// permissions are defined and returned by the Panel API.
|
||||||
func (h *Handler) can(permission string) bool {
|
func (h *Handler) can(permission string) bool {
|
||||||
|
if h.server.IsSuspended() {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
// SFTPServer owners and super admins have their permissions returned as '[*]' via the Panel
|
// SFTPServer owners and super admins have their permissions returned as '[*]' via the Panel
|
||||||
// API, so for the sake of speed do an initial check for that before iterating over the
|
// API, so for the sake of speed do an initial check for that before iterating over the
|
||||||
// entire array of permissions.
|
// entire array of permissions.
|
||||||
|
|
|
@ -141,7 +141,7 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
|
||||||
|
|
||||||
// Spin up a SFTP server instance for the authenticated user's server allowing
|
// Spin up a SFTP server instance for the authenticated user's server allowing
|
||||||
// them access to the underlying filesystem.
|
// them access to the underlying filesystem.
|
||||||
handler := sftp.NewRequestServer(channel, NewHandler(sconn, srv.Filesystem()).Handlers())
|
handler := sftp.NewRequestServer(channel, NewHandler(sconn, srv).Handlers())
|
||||||
if err := handler.Serve(); err == io.EOF {
|
if err := handler.Serve(); err == io.EOF {
|
||||||
handler.Close()
|
handler.Close()
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user