copyparty 1.19.7__py3-none-any.whl → 1.19.9__py3-none-any.whl

copyparty/__init__.py

@@ -108,7 +108,9 @@ class EnvParams(object):
     def __init__(self)  :
         self.t0 = time.time()
         self.mod = ""
+        self.mod_ = ""
         self.cfg = ""
+        self.scfg = True
 
 
 E = EnvParams()

copyparty/__main__.py

@@ -36,6 +36,7 @@ from .__init__ import (
 )
 from .__version__ import CODENAME, S_BUILD_DT, S_VERSION
 from .authsrv import expand_config_file, split_cfg_ln, upgrade_cfg_fmt
+from .bos import bos
 from .cfg import flagcats, onedash
 from .svchub import SvcHub
 from .util import (
@@ -180,7 +181,7 @@ def init_E(EE )  :
 
     E = EE  # pylint: disable=redefined-outer-name
 
-    def get_unixdir()  :
+    def get_unixdir()   :
         paths    = [
             (os.environ.get, "XDG_CONFIG_HOME"),
             (os.path.expanduser, "~/.config"),
@@ -191,6 +192,8 @@ def init_E(EE )  :
         ]
         errs = []
         for npath, (pf, pa) in enumerate(paths):
+            priv = npath < 2  # private/trusted location
+            ram = npath > 1  # "nonvolatile"; not semantically same as `not priv`
             p = ""
             try:
                 p = pf(pa)
@@ -200,15 +203,21 @@ def init_E(EE )  :
                 p = os.path.normpath(p)
                 mkdir = not os.path.isdir(p)
                 if mkdir:
-                    os.mkdir(p)
+                    os.mkdir(p, 0o700)
 
                 p = os.path.join(p, "copyparty")
+                if not priv and os.path.isdir(p):
+                    uid = os.geteuid()
+                    if os.stat(p).st_uid != uid:
+                        p += ".%s" % (uid,)
+                        if os.path.isdir(p) and os.stat(p).st_uid != uid:
+                            raise Exception("filesystem has broken unix permissions")
                 try:
                     os.listdir(p)
                 except:
-                    os.mkdir(p)
+                    os.mkdir(p, 0o700)
 
-                if npath > 1:
+                if ram:
                     t = "Using %s/copyparty [%s] for config; filekeys/dirkeys will change on every restart. Consider setting XDG_CONFIG_HOME or giving the unix-user a ~/.config/"
                     errs.append(t % (pa, p))
                 elif mkdir:
@@ -220,17 +229,19 @@ def init_E(EE )  :
                 if errs:
                     warn(". ".join(errs))
 
-                return p  # type: ignore
+                return p, priv
             except Exception as ex:
-                if p and npath < 2:
+                if p:
                     t = "Unable to store config in %s [%s] due to %r"
                     errs.append(t % (pa, p, ex))
 
-        raise Exception("could not find a writable path for config")
+        t = "could not find a writable path for runtime state:\n> %s"
+        raise Exception(t % ("\n> ".join(errs)))
 
     E.mod = os.path.dirname(os.path.realpath(__file__))
     if E.mod.endswith("__init__"):
         E.mod = os.path.dirname(E.mod)
+    E.mod_ = os.path.join(E.mod, "")
 
     try:
         p = os.environ.get("XDG_CONFIG_HOME")
@@ -241,7 +252,7 @@ def init_E(EE )  :
         p = os.path.abspath(os.path.realpath(p))
         p = os.path.join(p, "copyparty")
         if not os.path.isdir(p):
-            os.mkdir(p)
+            os.mkdir(p, 0o700)
         os.listdir(p)
     except:
         p = ""
@@ -254,11 +265,11 @@ def init_E(EE )  :
     elif sys.platform == "darwin":
         E.cfg = os.path.expanduser("~/Library/Preferences/copyparty")
     else:
-        E.cfg = get_unixdir()
+        E.cfg, E.scfg = get_unixdir()
 
     E.cfg = E.cfg.replace("\\", "/")
     try:
-        os.makedirs(E.cfg)
+        bos.makedirs(E.cfg, bos.MKD_700)
     except:
         if not os.path.isdir(E.cfg):
             raise
@@ -879,6 +890,11 @@ def get_sects():
             middleware and not by clients! and, as an extra precaution,
             send a header named '\033[36mfinalmasterspark\033[0m' (a secret keyword)
             and then \033[36m--idp-h-key finalmasterspark\033[0m to require that
+
+            the login/logout links/buttons can be replaced with links
+            going to your IdP's UI; \033[36m--idp-login /login/?redir={dst}\033[0m
+            will expand \033[36m{dst}\033[0m to the URL of the current page, so
+            the IdP can redirect the user back to where they were
             """
             ),
         ],
@@ -1153,11 +1169,14 @@ def add_qr(ap, tty):
     ap2.add_argument("--qr-every", metavar="SEC", type=float, default=0, help="print the qr-code every \033[33mSEC\033[0m (try this with/without --qr-pin in case of issues)")
     ap2.add_argument("--qr-winch", metavar="SEC", type=float, default=0, help="when --qr-pin is enabled, check for terminal size change every \033[33mSEC\033[0m")
     ap2.add_argument("--qr-file", metavar="TXT", type=u, action="append", help="\033[34mREPEATABLE:\033[0m write qr-code to file.\n └─To create txt or svg, \033[33mTXT\033[0m is Filepath:Zoom:Pad, for example [\033[32mqr.txt:1:2\033[0m]\n └─To create png or gif, \033[33mTXT\033[0m is Filepath:Zoom:Pad:Foreground:Background, for example [\033[32mqr.png:8:2:333333:ffcc55\033[0m], or [\033[32mqr.png:8:2::ffcc55\033[0m] for transparent")
+    ap2.add_argument("--qr-stdout", action="store_true", help="always display the QR-code on STDOUT in the terminal, even if \033[33m-q\033[0m")
+    ap2.add_argument("--qr-stderr", action="store_true", help="always display the QR-code on STDERR in the terminal, even if \033[33m-q\033[0m")
 
 
 def add_fs(ap):
     ap2 = ap.add_argument_group("filesystem options")
     rm_re_def = "15/0.1" if ANYWIN else "0/0"
+    ap2.add_argument("--casechk", metavar="N", type=u, default="auto", help="detect and prevent CI (case-insensitive) behavior if the underlying filesystem is CI? [\033[32my\033[0m] = detect and prevent, [\033[32mn\033[0m] = ignore and allow, [\033[32mauto\033[0m] = \033[32my\033[0m if CI fs detected. NOTE: \033[32my\033[0m is very slow but necessary for correct WebDAV behavior on Windows/Macos (volflag=casechk)")
     ap2.add_argument("--rm-retry", metavar="T/R", type=u, default=rm_re_def, help="if a file cannot be deleted because it is busy, continue trying for \033[33mT\033[0m seconds, retry every \033[33mR\033[0m seconds; disable with 0/0 (volflag=rm_retry)")
     ap2.add_argument("--mv-retry", metavar="T/R", type=u, default=rm_re_def, help="if a file cannot be renamed because it is busy, continue trying for \033[33mT\033[0m seconds, retry every \033[33mR\033[0m seconds; disable with 0/0 (volflag=mv_retry)")
     ap2.add_argument("--iobuf", metavar="BYTES", type=int, default=256*1024, help="file I/O buffer-size; if your volumes are on a network drive, try increasing to \033[32m524288\033[0m or even \033[32m4194304\033[0m (and let me know if that improves your performance)")
@@ -1169,6 +1188,7 @@ def add_share(ap):
     ap2 = ap.add_argument_group("share-url options")
     ap2.add_argument("--shr", metavar="DIR", type=u, default="", help="toplevel virtual folder for shared files/folders, for example [\033[32m/share\033[0m]")
     ap2.add_argument("--shr-db", metavar="FILE", type=u, default=db_path, help="database to store shares in")
+    ap2.add_argument("--shr-who", metavar="TXT", type=u, default="auth", help="who can create a share? [\033[32mno\033[0m]=nobody, [\033[32ma\033[0m]=admin-permission, [\033[32mauth\033[0m]=authenticated (volflag=shr_who)")
     ap2.add_argument("--shr-adm", metavar="U,U", type=u, default="", help="comma-separated list of users allowed to view/delete any share")
     ap2.add_argument("--shr-rt", metavar="MIN", type=int, default=1440, help="shares can be revived by their owner if they expired less than MIN minutes ago; [\033[32m60\033[0m]=hour, [\033[32m1440\033[0m]=day, [\033[32m10080\033[0m]=week")
     ap2.add_argument("--shr-v", action="store_true", help="debug")
@@ -1285,6 +1305,9 @@ def add_auth(ap):
     ap2.add_argument("--idp-store", metavar="N", type=int, default=1, help="how to use \033[33m--idp-db\033[0m; [\033[32m0\033[0m] = entirely disable, [\033[32m1\033[0m] = write-only (effectively disabled), [\033[32m2\033[0m] = remember users, [\033[32m3\033[0m] = remember users and groups.\nNOTE: Will remember and restore the IdP-volumes of all users for all eternity if set to 2 or 3, even when user is deleted from your IdP")
     ap2.add_argument("--idp-adm", metavar="U,U", type=u, default="", help="comma-separated list of users allowed to use /?idp (the cache management UI)")
     ap2.add_argument("--idp-cookie", metavar="S", type=int, default=0, help="generate a session-token for IdP users which is written to cookie \033[33mcppws\033[0m (or \033[33mcppwd\033[0m if plaintext), to reduce the load on the IdP server, lifetime \033[33mS\033[0m seconds.\n └─note: The expiration time is a client hint only; the actual lifetime of the session-token is infinite (until next restart with \033[33m--ses-db\033[0m wiped)")
+    ap2.add_argument("--idp-login", metavar="L", type=u, default="", help="replace all login-buttons with a link to URL \033[33mL\033[0m (unless \033[32mpw\033[0m is in \033[33m--auth-ord\033[0m then both will be shown); [\033[32m{dst}\033[0m] expands to url of current page")
+    ap2.add_argument("--idp-login-t", metavar="T", type=u, default="Login with SSO", help="the label/text for the idp-login button")
+    ap2.add_argument("--idp-logout", metavar="L", type=u, default="", help="replace all logout-buttons with a link to URL \033[33mL\033[0m")
     ap2.add_argument("--auth-ord", metavar="TXT", type=u, default="idp,ipu", help="controls auth precedence; examples: [\033[32mpw,idp,ipu\033[0m], [\033[32mipu,pw,idp\033[0m], see --help-auth-ord")
     ap2.add_argument("--no-bauth", action="store_true", help="disable basic-authentication support; do not accept passwords from the 'Authenticate' header at all. NOTE: This breaks support for the android app")
     ap2.add_argument("--bauth-last", action="store_true", help="keeps basic-authentication enabled, but only as a last-resort; if a cookie is also provided then the cookie wins")
@@ -1299,7 +1322,7 @@ def add_auth(ap):
     ap2.add_argument("--ao-idp-before-pw", type=u, default="", help=argparse.SUPPRESS)
     ap2.add_argument("--ao-h-before-hm", type=u, default="", help=argparse.SUPPRESS)
     ap2.add_argument("--ao-ipu-wins", type=u, default="", help=argparse.SUPPRESS)
-    ap2.add_argument("--ao-has-pw", type=u, default="", help=argparse.SUPPRESS)
+    ap2.add_argument("--ao-have-pw", type=u, default="", help=argparse.SUPPRESS)
 
 
 def add_chpw(ap):
@@ -1445,6 +1468,7 @@ def add_yolo(ap):
     ap2.add_argument("--no-fnugg", action="store_true", help="disable the smoketest for caching-related issues in the web-UI")
     ap2.add_argument("--getmod", action="store_true", help="permit ?move=[...] and ?delete as GET")
     ap2.add_argument("--wo-up-readme", action="store_true", help="allow users with write-only access to upload logues and readmes without adding the _wo_ filename prefix (volflag=wo_up_readme)")
+    ap2.add_argument("--unsafe-state", action="store_true", help="when one of the emergency fallback locations are used for runtime state ($TMPDIR, /tmp), certain features will be force-disabled for security reasons by default. This option overrides that safeguard and allows unsafe storage of secrets")
 
 
 def add_optouts(ap):
@@ -1458,7 +1482,7 @@ def add_optouts(ap):
     ap2.add_argument("--no-fs-abrt", action="store_true", help="disable ability to abort ongoing copy/move")
     ap2.add_argument("-nth", action="store_true", help="no title hostname; don't show \033[33m--name\033[0m in <title>")
     ap2.add_argument("-nih", action="store_true", help="no info hostname -- don't show in UI")
-    ap2.add_argument("-nid", action="store_true", help="no info disk-usage -- don't show in UI")
+    ap2.add_argument("-nid", action="store_true", help="no info disk-usage -- don't show in UI. This is the same as --du-who no")
     ap2.add_argument("-nb", action="store_true", help="no powered-by-copyparty branding in UI")
     ap2.add_argument("--zipmaxn", metavar="N", type=u, default="0", help="reject download-as-zip if more than \033[33mN\033[0m files in total; optionally takes a unit suffix: [\033[32m256\033[0m], [\033[32m9K\033[0m], [\033[32m4G\033[0m] (volflag=zipmaxn)")
     ap2.add_argument("--zipmaxs", metavar="SZ", type=u, default="0", help="reject download-as-zip if total download size exceeds \033[33mSZ\033[0m bytes; optionally takes a unit suffix: [\033[32m256M\033[0m], [\033[32m4G\033[0m], [\033[32m2T\033[0m] (volflag=zipmaxs)")
@@ -1652,6 +1676,7 @@ def add_db_general(ap, hcores):
     ap2.add_argument("--hash-mt", metavar="CORES", type=int, default=hcores, help="num cpu cores to use for file hashing; set 0 or 1 for single-core hashing")
     ap2.add_argument("--re-maxage", metavar="SEC", type=int, default=0, help="rescan filesystem for changes every \033[33mSEC\033[0m seconds; 0=off (volflag=scan)")
     ap2.add_argument("--db-act", metavar="SEC", type=float, default=10.0, help="defer any scheduled volume reindexing until \033[33mSEC\033[0m seconds after last db write (uploads, renames, ...)")
+    ap2.add_argument("--srch-icase", action="store_true", help="case-insensitive search for all unicode characters (the default is icase for just ascii). NOTE: will make searches much slower (around 4x), and NOTE: only applies to filenames/paths, not tags")
     ap2.add_argument("--srch-time", metavar="SEC", type=int, default=45, help="search deadline -- terminate searches running for more than \033[33mSEC\033[0m seconds")
     ap2.add_argument("--srch-hits", metavar="N", type=int, default=7999, help="max search results to allow clients to fetch; 125 results will be shown initially")
     ap2.add_argument("--srch-excl", metavar="PTN", type=u, default="", help="regex: exclude files from search results if the file-URL matches \033[33mPTN\033[0m (case-sensitive). Example: [\033[32mpassword|logs/[0-9]\033[0m] any URL containing 'password' or 'logs/DIGIT' (volflag=srch_excl)")
@@ -1706,7 +1731,7 @@ def add_og(ap):
     ap2.add_argument("--uqe", action="store_true", help="query-string parceling; translate a request for \033[33m/foo/.uqe/BASE64\033[0m into \033[33m/foo?TEXT\033[0m, or \033[33m/foo/?TEXT\033[0m if the first character in \033[33mTEXT\033[0m is a slash. Automatically enabled for \033[33m--og\033[0m")
 
 
-def add_ui(ap, retry):
+def add_ui(ap, retry ):
     THEMES = 10
     ap2 = ap.add_argument_group("ui options")
     ap2.add_argument("--grid", action="store_true", help="show grid/thumbnails by default (volflag=grid)")
@@ -1736,7 +1761,11 @@ def add_ui(ap, retry):
     ap2.add_argument("--doctitle", metavar="TXT", type=u, default="copyparty @ --name", help="title / service-name to show in html documents")
     ap2.add_argument("--bname", metavar="TXT", type=u, default="--name", help="server name (displayed in filebrowser document title)")
     ap2.add_argument("--pb-url", metavar="URL", type=u, default=URL_PRJ, help="powered-by link; disable with \033[33m-nb\033[0m")
-    ap2.add_argument("--ver", action="store_true", help="show version on the control panel (incompatible with \033[33m-nb\033[0m)")
+    ap2.add_argument("--ver", action="store_true", help="show version on the control panel (incompatible with \033[33m-nb\033[0m). This is the same as --ver-who all")
+    ap2.add_argument("--ver-who", metavar="TXT", type=u, default="no", help="only show version for: [\033[32ma\033[0m]=admin-permission-anywhere, [\033[32mauth\033[0m]=authenticated, [\033[32mall\033[0m]=anyone")
+    ap2.add_argument("--du-who", metavar="TXT", type=u, default="all", help="only show disk usage for: [\033[32mno\033[0m]=nobody, [\033[32ma\033[0m]=admin-permission, [\033[32mrw\033[0m]=read-write, [\033[32mw\033[0m]=write, [\033[32mauth\033[0m]=authenticated, [\033[32mall\033[0m]=anyone (volflag=du_who)")
+    ap2.add_argument("--ver-iwho", type=int, default=0, help=argparse.SUPPRESS)
+    ap2.add_argument("--du-iwho", type=int, default=0, help=argparse.SUPPRESS)
     ap2.add_argument("--k304", metavar="NUM", type=int, default=0, help="configure the option to enable/disable k304 on the controlpanel (workaround for buggy reverse-proxies); [\033[32m0\033[0m] = hidden and default-off, [\033[32m1\033[0m] = visible and default-off, [\033[32m2\033[0m] = visible and default-on")
     ap2.add_argument("--no304", metavar="NUM", type=int, default=0, help="configure the option to enable/disable no304 on the controlpanel (workaround for buggy caching in browsers); [\033[32m0\033[0m] = hidden and default-off, [\033[32m1\033[0m] = visible and default-off, [\033[32m2\033[0m] = visible and default-on")
     ap2.add_argument("--ctl-re", metavar="SEC", type=int, default=1, help="the controlpanel Refresh-button will autorefresh every SEC; [\033[32m0\033[0m] = just once")
@@ -1844,18 +1873,21 @@ def run_argparse(
     for k, h, _ in sects:
         ap2.add_argument("--help-" + k, action="store_true", help=h)
 
-    try:
-        if not retry:
-            raise Exception()
-
+    if retry:
+        a = ["ascii", "replace"]
         for x in ap._actions:
-            if not x.help:
-                continue
+            try:
+                x.default = x.default.encode(*a).decode(*a)
+            except:
+                pass
 
-            a = ["ascii", "replace"]
-            x.help = x.help.encode(*a).decode(*a) + "\033[0m"
-    except:
-        pass
+            try:
+                if x.help and x.help is not argparse.SUPPRESS:
+                    x.help = x.help.replace("└─", "`-").encode(*a).decode(*a)
+                    if retry > 2:
+                        x.help = RE_ANSI.sub("", x.help)
+            except:
+                pass
 
     ret = ap.parse_args(args=argv[1:])
     for k, h, t in sects:
@@ -1965,7 +1997,7 @@ def main(argv  = None)  :
     except:
         nc = 486  # mdns/ssdp restart headroom; select() maxfd is 512 on windows
 
-    retry = False
+    retry = 0
     for fmtr in [RiceFormatter, RiceFormatter, Dodge11874, BasicDodge11874]:
         try:
             al = run_argparse(argv, fmtr, retry, nc)
@@ -1974,8 +2006,9 @@ def main(argv  = None)  :
         except SystemExit:
             raise
         except:
-            retry = True
-            lprint("\n[ {} ]:\n{}\n".format(fmtr, min_ex()))
+            retry += 1
+            t = "WARNING: due to limitations in your terminal and/or OS, the helptext cannot be displayed correctly. Will show a simplified version due to the following error:\n[ %s ]:\n%s\n"
+            lprint(t % (fmtr, min_ex()))
 
     try:
         assert al  # type: ignore

copyparty/__version__.py

@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (1, 19, 7)
+VERSION = (1, 19, 9)
 CODENAME = "usernames"
-BUILD_DT = (2025, 8, 28)
+BUILD_DT = (2025, 9, 15)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)

copyparty/authsrv.py

@@ -13,7 +13,7 @@ import threading
 import time
 from datetime import datetime
 
-from .__init__ import ANYWIN, PY2, TYPE_CHECKING, WINDOWS, E
+from .__init__ import ANYWIN, MACOS, PY2, TYPE_CHECKING, WINDOWS, E
 from .bos import bos
 from .cfg import flagdescs, permdescs, vf_bmap, vf_cmap, vf_vmap
 from .pwhash import PWHash
@@ -92,6 +92,8 @@ SBADCFG = " ({})".format(BAD_CFG)
 
 PTN_U_GRP = re.compile(r"\$\{u(%[+-][^}]+)\}")
 PTN_G_GRP = re.compile(r"\$\{g(%[+-][^}]+)\}")
+PTN_U_ANY = re.compile(r"(\${[u][}%])")
+PTN_G_ANY = re.compile(r"(\${[g][}%])")
 PTN_SIGIL = re.compile(r"(\${[ug][}%])")
 
 
@@ -417,10 +419,14 @@ class VFS(object):
             self.all_nodes[vpath] = self
             self.all_aps = [(rp, [self])]
             self.all_vps = [(vp, self)]
+            self.canonical = self._canonical
+            self.dcanonical = self._dcanonical
         else:
             self.histpath = self.dbpath = ""
             self.all_aps = []
             self.all_vps = []
+            self.canonical = self._canonical_null
+            self.dcanonical = self._dcanonical_null
 
         self.get_dbv = self._get_dbv
         self.ls = self._ls
@@ -617,7 +623,35 @@ class VFS(object):
         vrem = vjoin(self.vpath[len(dbv.vpath) :].lstrip("/"), vrem)
         return dbv, vrem
 
-    def canonical(self, rem , resolve  = True)  :
+    def casechk(self, rem , do_stat )  :
+        ap = self.canonical(rem, False)
+        if do_stat and not bos.path.exists(ap):
+            return True  # doesn't exist at all; good to go
+        dp, fn = os.path.split(ap)
+        try:
+            fns = os.listdir(dp)
+        except:
+            return True  # maybe chmod 111; assume ok
+        if fn in fns:
+            return True
+        hit = "<?>"
+        lfn = fn.lower()
+        for zs in fns:
+            if lfn == zs.lower():
+                hit = zs
+                break
+        if self.log:
+            t = "returning 404 due to underlying case-insensitive filesystem:\n  http-req: %r\n  local-fs: %r"
+            self.log("vfs", t % (fn, hit))
+        return False
+
+    def _canonical_null(self, rem , resolve  = True)  :
+        return ""
+
+    def _dcanonical_null(self, rem )  :
+        return ""
+
+    def _canonical(self, rem , resolve  = True)  :
         """returns the canonical path (fully-resolved absolute fs path)"""
         ap = self.realpath
         if rem:
@@ -625,7 +659,7 @@ class VFS(object):
 
         return absreal(ap) if resolve else ap
 
-    def dcanonical(self, rem )  :
+    def _dcanonical(self, rem )  :
         """resolves until the final component (filename)"""
         ap = self.realpath
         if rem:
@@ -634,6 +668,42 @@ class VFS(object):
         ad, fn = os.path.split(ap)
         return os.path.join(absreal(ad), fn)
 
+    def _canonical_shr(self, rem , resolve  = True)  :
+        """returns the canonical path (fully-resolved absolute fs path)"""
+        ap = self.realpath
+        if rem:
+            ap += "/" + rem
+
+        rap = absreal(ap)
+        if self.shr_files:
+            vn, rem = self.shr_src
+            chk = absreal(os.path.join(vn.realpath, rem))
+            if chk != rap:
+                # not the dir itself; assert file allowed
+                ad, fn = os.path.split(rap)
+                if chk != ad or fn not in self.shr_files:
+                    return "\n\n"
+
+        return rap if resolve else ap
+
+    def _dcanonical_shr(self, rem )  :
+        """resolves until the final component (filename)"""
+        ap = self.realpath
+        if rem:
+            ap += "/" + rem
+
+        ad, fn = os.path.split(ap)
+        ad = absreal(ad)
+        if self.shr_files:
+            vn, rem = self.shr_src
+            chk = absreal(os.path.join(vn.realpath, rem))
+            if chk != absreal(ap):
+                # not the dir itself; assert file allowed
+                if ad != chk or fn not in self.shr_files:
+                    return "\n\n"
+
+        return os.path.join(ad, fn)
+
     def _ls_nope(
         self, *a, **ka
     )      :
@@ -666,8 +736,12 @@ class VFS(object):
         """return user-readable [fsdir,real,virt] items at vpath"""
         virt_vis = {}  # nodes readable by user
         abspath = self.canonical(rem)
-        real = list(statdir(self.log, scandir, lstat, abspath, throw))
-        real.sort()
+        if abspath:
+            real = list(statdir(self.log, scandir, lstat, abspath, throw))
+            real.sort()
+        else:
+            real = []
+
         if not rem:
             # no vfs nodes in the list of real inodes
             real = [x for x in real if x[0] not in self.nodes]
@@ -969,6 +1043,14 @@ class AuthSrv(object):
         self.indent = ""
         self.is_lxc = args.c == ["/z/initcfg"]
 
+        self._vf0b = {
+            "tcolor": self.args.tcolor,
+            "du_iwho": self.args.du_iwho,
+            "shr_who": self.args.shr_who if self.args.shr else "no",
+        }
+        self._vf0 = self._vf0b.copy()
+        self._vf0["d2d"] = True
+
         # fwd-decl
         self.vfs = VFS(log_func, "", "", "", AXS(), {})
         self.acct   = {}  # uname->pw
@@ -1007,7 +1089,10 @@ class AuthSrv(object):
         yield prev, True
 
     def vf0(self):
-        return {"d2d": True, "tcolor": self.args.tcolor}
+        return self._vf0.copy()
+
+    def vf0b(self):
+        return self._vf0b.copy()
 
     def idp_checkin(
         self, broker , uname , gname 
@@ -1072,6 +1157,16 @@ class AuthSrv(object):
         src0 = src  # abspath
         dst0 = dst  # vpath
 
+        zsl = []
+        for ptn, sigil in ((PTN_U_ANY, "${u}"), (PTN_G_ANY, "${g}")):
+            if bool(ptn.search(src)) != bool(ptn.search(dst)):
+                zsl.append(sigil)
+        if zsl:
+            t = "ERROR: if %s is mentioned in a volume definition, it must be included in both the filesystem-path [%s] and the volume-url [/%s]"
+            t = "\n".join([t % (x, src, dst) for x in zsl])
+            self.log(t, 1)
+            raise Exception(t)
+
         un_gn = [(un, gn) for un, gns in un_gns.items() for gn in gns]
         if not un_gn:
             # ensure volume creation if there's no users
@@ -1164,8 +1259,8 @@ class AuthSrv(object):
             self.log(t, c=3)
             raise Exception(BAD_CFG)
 
-        if not bos.path.isdir(src):
-            self.log("warning: filesystem-path does not exist: {}".format(src), 3)
+        if not bos.path.exists(src):
+            self.log("warning: filesystem-path did not exist: %r" % (src,), 3)
 
         mount[dst] = (src, dst0)
         daxs[dst] = AXS()
@@ -1743,12 +1838,15 @@ class AuthSrv(object):
                     files = os.listdir(E.cfg)
                 except:
                     files = []
-                hits = [x for x in files if x.lower().endswith(".conf")]
+                hits = [
+                    x
+                    for x in files
+                    if x.lower().endswith(".conf") and not x.startswith(".")
+                ]
                 if hits:
                     t = "Hint: Found some config files in [%s], but these were not automatically loaded because they are in the wrong place%s %s\n"
                     self.log(t % (E.cfg, ehint, ", ".join(hits)), 3)
-            zvf = {"tcolor": self.args.tcolor}
-            vfs = VFS(self.log_func, absreal("."), "", "", axs, zvf)
+            vfs = VFS(self.log_func, absreal("."), "", "", axs, self.vf0b())
             if not axs.uread:
                 self.badcfg1 = True
         elif "" not in mount:
@@ -1784,7 +1882,7 @@ class AuthSrv(object):
             vol.all_vps.sort(key=lambda x: len(x[0]), reverse=True)
             vol.root = vfs
 
-        zs = "neversymlink"
+        zs = "neversymlink du_iwho"
         k_ign = set(zs.split())
         for vol in vfs.all_vols.values():
             unknown_flags = set()
@@ -1935,6 +2033,8 @@ class AuthSrv(object):
         promote = []
         demote = []
         for vol in vfs.all_vols.values():
+            if not vol.realpath:
+                continue
             hid = self.hid_cache.get(vol.realpath)
             if not hid:
                 zb = hashlib.sha512(afsenc(vol.realpath)).digest()
@@ -1973,6 +2073,8 @@ class AuthSrv(object):
             vol.histpath = absreal(vol.histpath)
 
         for vol in vfs.all_vols.values():
+            if not vol.realpath:
+                continue
             hid = self.hid_cache[vol.realpath]
             vflag = vol.flags.get("dbpath")
             if vflag == "-":
@@ -2281,6 +2383,11 @@ class AuthSrv(object):
                 vol.lim.uid = vol.flags["uid"]
                 vol.lim.gid = vol.flags["gid"]
 
+            vol.flags["du_iwho"] = n_du_who(vol.flags["du_who"])
+
+            if not enshare:
+                vol.flags["shr_who"] = self.args.shr_who = "no"
+
             if vol.flags.get("og"):
                 self.args.uqe = True
 
@@ -2456,6 +2563,47 @@ class AuthSrv(object):
                     self.log(t.format(vol.vpath, mtp), 1)
                     errors = True
 
+        for vol in vfs.all_nodes.values():
+            if not vol.realpath or os.path.isfile(vol.realpath):
+                continue
+            ccs = vol.flags["casechk"][:1].lower()
+            if ccs in ("y", "n"):
+                if ccs == "y":
+                    vol.flags["bcasechk"] = True
+                continue
+            try:
+                bos.makedirs(vol.realpath, vf=vol.flags)
+                files = os.listdir(vol.realpath)
+                for fn in files:
+                    fn2 = fn.lower()
+                    if fn == fn2:
+                        fn2 = fn.upper()
+                    if fn == fn2 or fn2 in files:
+                        continue
+                    is_ci = os.path.exists(os.path.join(vol.realpath, fn2))
+                    ccs = "y" if is_ci else "n"
+                    break
+                if ccs not in ("y", "n"):
+                    ap = os.path.join(vol.realpath, "casechk")
+                    open(ap, "wb").close()
+                    ccs = "y" if os.path.exists(ap[:-1] + "K") else "n"
+                    os.unlink(ap)
+            except Exception as ex:
+                if ANYWIN:
+                    zs = "Windows"
+                    ccs = "y"
+                elif MACOS:
+                    zs = "Macos"
+                    ccs = "y"
+                else:
+                    zs = "Linux"
+                    ccs = "n"
+                t = "unable to determine if filesystem at %r is case-insensitive due to %r; assuming casechk=%s due to %s"
+                self.log(t % (vol.realpath, ex, ccs, zs), 3)
+            vol.flags["casechk"] = ccs
+            if ccs == "y":
+                vol.flags["bcasechk"] = True
+
         tags = self.args.mtp or []
         tags = [x.split("=")[0] for x in tags]
         tags = [y for x in tags for y in x.split(",")]
@@ -2723,8 +2871,12 @@ class AuthSrv(object):
 
                     shn.shr_files = set(fns)
                     shn.ls = shn._ls_shr
+                    shn.canonical = shn._canonical_shr
+                    shn.dcanonical = shn._dcanonical_shr
                 else:
                     shn.ls = shn._ls
+                    shn.canonical = shn._canonical
+                    shn.dcanonical = shn._dcanonical
 
                 shn.shr_owner = s_un
                 shn.shr_src = (s_vfs, s_rem)
@@ -2787,6 +2939,7 @@ class AuthSrv(object):
                 "dcrop": vf["crop"],
                 "dth3x": vf["th3x"],
                 "u2ts": vf["u2ts"],
+                "shr_who": vf["shr_who"],
                 "frand": bool(vf.get("rand")),
                 "lifetime": vf.get("lifetime") or 0,
                 "unlist": vf.get("unlist") or "",
@@ -2795,11 +2948,13 @@ class AuthSrv(object):
             js_htm = {
                 "SPINNER": self.args.spinner,
                 "s_name": self.args.bname,
+                "idp_login": self.args.idp_login,
                 "have_up2k_idx": "e2d" in vf,
                 "have_acode": not self.args.no_acode,
                 "have_c2flac": self.args.allow_flac,
                 "have_c2wav": self.args.allow_wav,
                 "have_shr": self.args.shr,
+                "shr_who": vf["shr_who"],
                 "have_zip": not self.args.no_zip,
                 "have_mv": not self.args.no_mv,
                 "have_del": not self.args.no_del,
@@ -2865,7 +3020,7 @@ class AuthSrv(object):
         self.args.ao_idp_before_pw = min(h, hm) < pw
         self.args.ao_h_before_hm = h < hm
         self.args.ao_ipu_wins = ipu == 0
-        self.args.ao_have_pw = pw < 99
+        self.args.ao_have_pw = pw < 99 or not self.args.have_idp_hdrs
 
     def load_idp_db(self, quiet=False)  :
         # mutex me
@@ -3456,6 +3611,30 @@ class AuthSrv(object):
         self.log("generated config:\n\n" + "\n".join(ret))
 
 
+def n_du_who(s )  :
+    if s == "all":
+        return 9
+    if s == "auth":
+        return 7
+    if s == "w":
+        return 5
+    if s == "rw":
+        return 4
+    if s == "a":
+        return 3
+    return 0
+
+
+def n_ver_who(s )  :
+    if s == "all":
+        return 9
+    if s == "auth":
+        return 6
+    if s == "a":
+        return 3
+    return 0
+
+
 def split_cfg_ln(ln )   :
     # "a, b, c: 3" => {a:true, b:true, c:3}
     ret = {}
@@ -3488,7 +3667,9 @@ def expand_config_file(
 
     if os.path.isdir(fp):
         names = list(sorted(os.listdir(fp)))
-        cnames = [x for x in names if x.lower().endswith(".conf")]
+        cnames = [
+            x for x in names if x.lower().endswith(".conf") and not x.startswith(".")
+        ]
         if not cnames:
             t = "warning: tried to read config-files from folder '%s' but it does not contain any "
             if names: