Setting up a file server can be intimidating to the uninitiated. There are many servers to choose from, and then you need to decide how to install it — Docker? Kubernates? Well, what’s all that then? [9001] has come to the rescue with Copyparty, a full-featured file server in a single Python script.
It’s light enough to run on nearly anything, and getting it running could not be easier: run copyparty-sfx.py, and you’ve got a server. There’s even a 32-bit .exe for older Windows machines — Windows 2000 seems to be the oldest version tested.
It’ll connect to anything, both in terms of the variety of protocols supported, and the browsers its web interface loads in. The GitHub documentation says browser support : “Yes”, which is pretty accurate going down the list. Sadly Copyparty’s pages do not work in NACA Mosaic, but IE4 is A-OK.
There’s, FTP, TFTP, HTTP/HTTPS, WebDAV, SMB/CIFS, with unp/zeroconf/mdns/ssdp, etc etc. You need to check the readme for all features, some of which — like transcoding — are only available when dependencies such as ffmpeg installed on the server. Alternatively you can watch the video embedded below to get walked through the features. If the video whets your appetite, can also visit a read-only Copyparty server being demoed on a NUC sitting in [9001]’s basement.
Over the years we’ve seen plenty of folks create personal servers, but the focus is generally on the hardware side of things. While those with more software experience might prefer to configure the various services involved manually, we can definitely see the appeal of a project like Copyparty. In some ways it’s the inverse of the UNIX Philosophy: instead of doing one thing perfectly, this program is doing everything [9001] could think of, and doing it “good enough”.
Thanks to [pedropolis] for inviting us to the Copyparty via the tips line. Building a NAS? Writing software? Hardware?Whatever you do, the tips line is for you.
This software will be exploited quickly.
It’s an old project. Security vulnerabilties are found and fixed:
https://github.com/9001/copyparty/security
It’s an old-ish obscure project that has limited eyes on it. Its attack surface is vast. It has the fundamental complexity of a much larger project, with far fewer maintainers. It explicitly aims to “do an OK job”. It warns people not to try to learn from its code.
The “security” page you link to lists five vulnerabilities found since 2023. That makes it non-credible that anybody’s finding even a large fraction of the problems that exist. It has 75 issues of any kind in the 5-year life of the repo. It’s the classic look of a project where neither the maintainers nor any attackers have really ever systematically looked for issues. Something with that many moving parts, especially with the stated “philosophy”, should have a lot of bugs.
There should also be a lot more obscure bugs. The oldest of the listed bugs is a path traversal, which is in the “trivially easy to find, embarrassing mistake” category. The rest are XSS and the like, which are similar. The bugs being found are the bugs you really don’t feel like you should have in the first place, which indicates the project isn’t at the level of engaging with the tricky stuff at all.
… and, for many of the most reasonable values of “securely”, you can’t interoperate securely with a lot of the stuff it supports. Either security doesn’t exist in the protocol at all, or the other end doesn’t understand those options. Nor can you secure so many protocols and possible use cases without demanding a certain irreducible amount of configuration information from the user… information the user cannot provide without, yes, actually understanding how things work.
The video frame lists TFTP as a feature. TFTP.
Don’t expose stuff like this to a network. Not unless you literally don’t care about your data being stolen, corrupted, or deleted. And if the software is somewhat widely used, don’t do it unless you also don’t care about being made into part of a botnet. Use systematically vetted, aggressively maintained software with a large community behind it, learn how it works, keep the code volume down, minimize the size of the supply web, avoid “configuration helpers”, and only enable the features you will actually use. By the way, that also means avoiding giant complicated highly privileged proven bug factories like Docker.
… and a firewall will only save you if you understand that. Which you don’t if you’re in the intended audience for this.
You’re worried about a program called copy party running on Windows 2000 being compromised and someone’s data stolen.
It’s likely that users intend to share software off insecure, likely old, machines for fun.
Although apparently the author runs a public instance, so I look forward with interest to the proof of a compromise.
Of course it’s designed like this. It’s only meant to work, not be secure.
This isn’t intended for actually having a server open to the Internet. This would be perfect for an isolated home server, and I would probably try it out if I didn’t already make my own.
It’s got FTP support, that’s already enough vulnerability. :P
But obviously this is meant for lanparties, and is not meant to be publicly accessible from the internet.
Do you honestly think an application like this should be run on the open internet?
Do you honestly think it won’t?
I’m all for it!
Morons need to learn, somehow.
Stupidity should be painful.
Python is fun, sure, but since python isn’t natively installed on any OS, it always causes problems for first-time-users… you think you’ve installed python, nope, you need to add the serial port add-ons., etc . Although I understand why, it is a major hurdle for many people.
Wouldn’t it be fun if you could “compile” a python script into a real executable? Do these kind of tools even exist?
Most of the Linux distros I have experience with include at least the base Python 3 package as standard.
Such tools do indeed exist. Copyparty, for example, is available as an .EXE for Win32 and Win64.
I don’t know if [9001] used py2exe, pyInstaller, Nukita, or something else to produce those files.
But yes, it isn’t installed by default on Windows or, AFAIK Mac OS.
True, but it’s one of those things that can easily make an appearance. e.g. Excel, etc.
macOS has python installed by default.
Did you look at the linked readme page? They give so many ways of installing the program including windows executables.
To me yours is not even a reasonable criticism of a project that’s being hosted on github; “first-time-user”s do not stumble across github projects.
There is is first time for everything and for everyone, but thanks for the tip.
I bet there are some things you will never, ever do.
For many people one of those things is ‘write a computer program’.
For most people one of those things should be ‘setup a public server’.
Python is like VBA, if you’re lucky, you will never have to code ether.
But they get everywhere, like a bad case of bedbugs.
As to github, many projects will link end users to github projects.
Eh… this seems like the sort of thing you should do with native code.
…why?
What if you have a lanparty with 100.000 participants who all want to download warez at the same time? Python would be too slow.
:P
My biggest reason for liking containerization is scripting languages like Python.
They’re the cause of the pain, not the solution.
LXC, Docker, it’s not so much the container being hard. It’s all the fiddly details inside it that can be hard.
What other scripting languages are you thinking about?
As far as I can tell, the Python community is the all-time champion at encouraging library authors (and language maintainers!) not to think things through ahead of time, resulting in constant API churn. If you’re doing anything but the most basic stuff that’s been untouched for ages, then you’re lucky if you can find a combination of dependency versions that works for one script. You have to keep 5 or 6 versions of the interpreter around. Oh, and the package management is also garbage.
What else is that bad? Server-side JavaScript, maybe?
Personally, I don’t “like” containers, but I will say that Python is perhaps my biggest reason for being forced to overcome my hate and use them anyway. But of course that gives Python cover for not mending its ways…
“You have to keep 5 or 6 versions of the interpreter around. Oh, and the package management is also garbage.”
Use a ‘uv.lock’ and a ‘.python-version’ file, and download everything with ‘uv sync’, including the python interpreter. If you are not a weird arch, most of the binaries should be there. I said most because pypi recently switched to finally shipping precompiled C libs and other dependencies, something I complained about in Europython 2004.
Server side JS is great interview question.
If the company uses any server JS, you don’t want to work for them.
Javascript is a perfectly valid school of magic
This opinion is 10 years out of date https://buttondown.com/whatever_jamie/archive/the-many-many-many-javascript-runtimes-of-the-last-decade/
It’s funny seeing all the comments ripping into this, when I’m just happy to have a trivial and somewhat universal solution to remotely sharing files between devices, since Apple and Microsoft try their hardest to make it suck as much as possible
Yeah, sometimes you’ve got a weird potato of a messed up machine that you just want to rip the data off and nothing’s cooperating with you and you just want to get the job done…
I’m with everyone on the whole “Don’t expose this to the internet” though!
Hmm, wonder if it supports AFP AppleTalk for 90s era Macs