Custom Location of Local Update Packages v7.17

I was recently looking at the updated feature that allows downloading packages from a local repository using the Winbox protocol but couldn’t figure out how to keep packages at a custom location on the nvme1 drive. Integrated flash storage on the routerboard is limited in size, but I cannot change the location of packages because it is strictly hardcoded to the “/packs” directory. Would it be possible to configure it to another custom location like we can do in CAPsMAN?

https://help.mikrotik.com/docs/spaces/ROS/pages/328142/Upgrading+and+installation#Upgradingandinstallation-RouterOSlocalupgrade

The path is not hardcoded. I can create any directory with any name and place packages in it. Or even place some packages in one directory, some packages in another. Works with any directory names on both internal flash and tmpfs disk, all packages are discoverable. Should also work with nvme. I think RouterOS finds them by file type (like /file/print where type=package), so it doesn’t matter where they are located.

Yep, you are correct. I was just about to write that it looks like the system is scanning through all available directories to find the NPK packages. Sweet! Thanks for the answer!

My current concern is that such a user has to have winbox, read, ftp permissions, and if its password can be compromised with some MITM attack, it could allow a malicious user to access files of the local repository, and if it, let’s say, also contained a Dude database, for example, it could potentially leak some more sensitive data. Has anyone actually looked at the Winbox authentication protocol closely? Is it possible to intercept a password using a MITM attack?

Can’t say anything about attacks, but as for me, RouterOS rights are messy and confusing sometimes. For example, you need the ftp right to read the files. But ftp is not related to file reading at all. FTP is a protocol for file transferring, but not for file reading. Yes, an FTP server will obviously require file reading access. But it shouldn’t be vice versa, file reading access shouldn’t allow logging in to the FTP server.

Regarding this feature, it requires read, ftp and winbox rights. Hence, everyone who has credentials can log in to the FTP server and fully read the contents of your router. I think there should be a separate permission for updating packages that will allow only this specific task without giving access to the FTP server.
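
One way to narrow the exposure discussed in the thread, as an added example that is not part of any post above and is not MikroTik's own configuration: a dedicated account holding only the three policies the thread names, bound to a management subnet. The group name, user name, subnet and password are constructed placeholders, and whether the local update still works with the FTP service disabled is an assumption to verify on your RouterOS version.

```routeros
# Added example: names, subnet and password below are constructed placeholders.

# Dedicated group carrying only the policies the thread says the feature requires.
/user group add name=pkg-repo policy=read,ftp,winbox

# Account that is accepted only from the management subnet
# (192.0.2.0/24 is a documentation range, replace with your own).
/user add name=pkg-fetch group=pkg-repo address=192.0.2.0/24 password="CHANGE-ME"

# Limit which sources may reach the Winbox service at all.
/ip service set winbox address=192.0.2.0/24

# Assumption to verify: the update runs over Winbox, so the FTP service itself
# can stay disabled even though the account holds the ftp policy.
/ip service set ftp disabled=yes

# Review which package files are discoverable on the router.
/file print where type=package
```

This limits where the credentials can be used from; it does not stop the account from reading other files stored on the router.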