Alpha File System and Upgraded FTP #382
Conpot now has a new bright and shiny file system! It is designed to have "safe to use" os.* wrappers that could be used by protocols. We cannot allow os.chmod-like commands that may allow attackers to make arbitrary system calls. At the same time, protocols such as FTP need chmod-like methods. The same goes for os.stat etc. For this reason, we needed a file system that can operate on a layer above the actual file system and still provide the flexibility/robustness.
Conpot's file system solves this problem by proxying the actual files kept at a controlled location.
Consequently, we would keep a cache (a dictionary where we would store all file-related data: information regarding access, permissions, owners, stat etc.). Note that no matter what, we won't change the actual permissions of the file system.
Let us see a demo, shall we?
This is what my
```
total 8
drwxrwxr-x 2 abhinav abhinav 4096 Jul 9 01:20 .
drwxrwxr-x 4 abhinav abhinav 4096 Jul 9 01:17 ..
-rw-rw-r-- 1 abhinav abhinav 0 Jul 9 01:20 hacked.png
```
Notice the permissions and the user/group. (There is a bug with mtime - please ignore it for now, it shall be fixed in the next PR - I forgot to add it to recent commits.)
```
>>> import conpot.core as conpot_core
>>> conpot_core.initialize_vfs('.', data_fs_path='../data_fs')
>>> vfs = conpot_core.get_vfs()
>>> vfs.listdir('.')
['hacked.png']
>>> [print(i) for i in vfs.format_list('', vfs.listdir('.'))]
rwxrwxrwx 1 root root 0 Jul 08 19:53 hacked.png
```
As you can see, the permissions have changed and so have the user/groups. (By default the uid:gid is 0:0 and the permissions are 777 - this is configurable.)
```
>>> vfs.register_user('daniel', 2000)
>>> vfs.create_group('daniel', 3000)
>>> vfs.chown('/', uid=2000, gid=3000, recursive=True)
>>> vfs.chmod('/', 0o755, recursive=True)
>>> [print(i) for i in vfs.format_list('', vfs.listdir('.'))]
rwxr-xr-x 1 daniel daniel 0 Jul 08 19:53 hacked.png
```
There is no change with the uid:gid:perms of the actual 'hacked.png' file though.
Another big advantage of this approach is that the VFS is independent of the physical storage media it is located in. We are currently keeping the contents in '/tmp'. But in future, if we want to replace this with somewhat better storage media (or location), we can simply detach the VFS, replace it with the new storage media URL, and it'll fit right in.
After discussion with Daniel, I have kept the command channel and the data channel full duplex, since it said so in the RFC. The IOLoop is based on Gevent. The following commands are supported:
Command Channel related:
Data Channel related
Note that commands like STOR would create a copy in the user specified
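The metadata-cache idea described in this pull request (virtual uid/gid/mode held in a dictionary in front of files kept at a controlled location), as an added example that is not Conpot's code. The class and method names are hypothetical, and the sketch also shows confining client-supplied paths to the root directory.

```python
import os
import stat
import tempfile

class MetadataOverlay:
    """Hypothetical sketch: virtual uid/gid/mode live in a dict, real files stay untouched."""

    def __init__(self, root, default_uid=0, default_gid=0, default_mode=0o777):
        self.root = os.path.realpath(root)
        self.defaults = {"uid": default_uid, "gid": default_gid, "mode": default_mode}
        self.cache = {}  # path relative to root -> {"uid", "gid", "mode"}

    def _resolve(self, vpath):
        # Map a client path to a real one; refuse anything leaving root (.., symlinks).
        real = os.path.realpath(os.path.join(self.root, vpath.lstrip("/")))
        if os.path.commonpath([self.root, real]) != self.root:
            raise PermissionError("path escapes the controlled location: %r" % vpath)
        return real

    def _entry(self, vpath):
        real = self._resolve(vpath)
        if not os.path.exists(real):
            raise FileNotFoundError(vpath)
        key = os.path.relpath(real, self.root)
        return self.cache.setdefault(key, dict(self.defaults))

    def chmod(self, vpath, mode):
        # Only the cached record changes; os.chmod is never called.
        self._entry(vpath)["mode"] = stat.S_IMODE(mode)

    def chown(self, vpath, uid, gid):
        entry = self._entry(vpath)
        entry["uid"], entry["gid"] = uid, gid

    def getinfo(self, vpath):
        # Size comes from the real file; ownership and mode come from the cache.
        info = dict(self._entry(vpath))
        info["size"] = os.stat(self._resolve(vpath)).st_size
        return info

def demo():
    with tempfile.TemporaryDirectory() as root:
        real = os.path.join(root, "hacked.png")
        open(real, "w").close()  # constructed sample file
        before = os.stat(real).st_mode
        vfs = MetadataOverlay(root)
        vfs.chown("/hacked.png", uid=2000, gid=3000)
        vfs.chmod("/hacked.png", 0o755)
        return vfs.getinfo("/hacked.png"), os.stat(real).st_mode == before
```

`demo()` returns the virtual metadata for the file together with a flag confirming that the real file's mode was not modified.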
Pull Request Test Coverage Report for Build 1065