File manager: security
Introduction
The file-manager allows you to manage the files associated with a collection. Which files, and which actions may be performed, are defined by:
file-rules
A list of file patterns and actions; and
folders
A file system path.
More details on how to create these via the administration interface are available in the file rules page.
Rules
File rules
A file rule comprises three elements:
- A file pattern, for example *.ftl;
- A list of collections; and
- A list of actions.
For example, the file-rule:
*.ftl : * : edit,delete,upload,download
allows the user to edit, delete, upload and download all FTL files in all collections (the * means all collections; otherwise you can use a comma-separated list of collection names).
Actions
The following actions are available:
delete
The file can be deleted
download
The file can be downloaded from the Funnelback server
edit
The file can be edited
head
Display the first N lines of a file (gzipped files are expanded)
restore
A backup file can be renamed to replace the original file
show
Display the file (gzipped files are expanded)
tail
Display the last N lines of a file (gzipped files are expanded)
upload
The file can be uploaded to the Funnelback server
all
Turns on all actions (use with caution)
Applying file-rules
The rules and folder definitions are derived by merging the system default rules and any rules for the current user:
- Rules from the user's configuration file, $SEARCH_HOME/admin/users/user.ini, are checked first, before the rules from the system defaults, $SEARCH_HOME/conf/file-manager.ini.
- The rules are applied in the order they appear in both files.
For example, given the two files:
conf/file-manager.ini
[file-manager::example-rules]
r1
r2
r3
and users/fred.ini
[file-manager::example-rules]
F1
F2
The rules are checked in the following order:
- F1
- F2
- r1
- r2
- r3
Example
[file-manager-rules::example-rules]
collection.cfg : * : download,edit
simple.ftl : * : upload,download,copy,edit
*.ftl : * : upload,download,copy,edit,delete
Rule sequence
The rules are tried in the order they appear in the configuration files, so you have to be careful about where each rule is placed.
The following example is wrong: if you were trying to protect the simple.ftl file, the order of the rules means that the first rule matches and the second one is ignored:
*.ftl :*:upload,download,copy,delete,edit
simple.ftl:*:upload,download,copy,edit
The correct order is:
simple.ftl:*:upload,download,copy,edit
*.ftl:*:upload,download,copy,delete,edit
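The first-match behaviour described above, as an added example (not Funnelback's own code): a small Python evaluator that merges user rules ahead of system defaults and flags literal-name rules that an earlier pattern already matches. It assumes patterns behave like shell globs and that a file matching no rule gets no actions; the function names are illustrative.

```python
from fnmatch import fnmatchcase

# Actions listed on this page; "all" expands to every one of them.
ALL_ACTIONS = {"delete", "download", "edit", "head", "restore", "show", "tail", "upload"}

def parse_rule(line):
    """Split 'pattern : collections : actions' into (pattern, collections, actions)."""
    pattern, collections, actions = (part.strip() for part in line.split(":"))
    acts = {a.strip() for a in actions.split(",")}
    if "all" in acts:
        acts = set(ALL_ACTIONS)
    return pattern, {c.strip() for c in collections.split(",")}, acts

def merged_rules(user_lines, system_lines):
    """User rules are checked first, then the system defaults, each in file order."""
    return [parse_rule(l) for l in list(user_lines) + list(system_lines)]

def allowed_actions(rules, filename, collection):
    """Return the actions of the first rule matching the file and collection."""
    for pattern, collections, actions in rules:
        # Assumption: patterns behave like shell globs (fnmatch).
        if fnmatchcase(filename, pattern) and ("*" in collections or collection in collections):
            return actions
    return set()  # Assumption: no matching rule grants nothing.

def shadowed_rules(rules):
    """List (literal_rule, earlier_pattern) pairs where the literal rule can never match."""
    findings = []
    for i, (pattern, collections, _) in enumerate(rules):
        if any(ch in pattern for ch in "*?["):
            continue  # only literal file names are checked here
        for earlier, e_colls, _ in rules[:i]:
            if fnmatchcase(pattern, earlier) and ("*" in e_colls or collections <= e_colls):
                findings.append((pattern, earlier))
                break
    return findings

# The two orderings from the page.
WRONG = ["*.ftl :*:upload,download,copy,delete,edit", "simple.ftl:*:upload,download,copy,edit"]
RIGHT = list(reversed(WRONG))

if __name__ == "__main__":
    for name, lines in (("wrong", WRONG), ("right", RIGHT)):
        rules = merged_rules([], lines)
        print(name, sorted(allowed_actions(rules, "simple.ftl", "example")), shadowed_rules(rules))
```

Because user rules are merged first, running shadowed_rules over the merged list also shows when a broad rule in a user's .ini file overrides a more restrictive system default.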
Folders
Folders are used to navigate to directories (or folders) on the file system. Normally this would be the collection's configuration directory, or one of its log directories, for example:
$SEARCH_HOME/funnelback/conf/COLLECTION
$SEARCH_HOME/funnelback/data/search/COLLECTION/live/log
A folder definition is comprised of four elements:
name
A title to be displayed in the web pages.
path
A file system path, possibly using macros (see below).
rules
The name of a file rule that applies to this folder.
folder set
The name of the folder set that this folder belongs to (usually logs for folders under browse log files and "" (blank) for folders under edit configuration files).
For example:
[file-manager::live-logs]
name = Live log files
path = $collection_root/live/log
rules = log-rules
[file-manager::log-rules]
*.log : * : show,head,tail,download
*.gz : * : download
Path macros
Because folders are associated with any number of collections, you cannot use a hard-coded path. A number of macros are available to use in the path: these macros expand to the appropriate file system path, relative to the collection you are working on. These macros are:
$home
The collection's configuration directory: $SEARCH_HOME/conf/<collection>/
$collection_root
The collection's data directory: usually $SEARCH_HOME/data/<collection>/, but can be an external one like /data/funnelback/<collection> if collection_root has been reconfigured.
$search_home
The Funnelback home directory $SEARCH_HOME (e.g.: /opt/funnelback)