authorMinteck <nekostarfan@gmail.com>2021-08-09 15:39:56 +0200
committerMinteck <nekostarfan@gmail.com>2021-08-09 15:39:56 +0200
commitbdb80424adb6a3d0b37285f817118592f4e21b18 (patch)
treef447005becd79b0d2c1e5dee557428f9a66772eb
parent94c57fa247ba107fce8fc1d1fc355191229dbddc (diff)
downloadmain-bdb80424adb6a3d0b37285f817118592f4e21b18.tar.gz
main-bdb80424adb6a3d0b37285f817118592f4e21b18.tar.bz2
main-bdb80424adb6a3d0b37285f817118592f4e21b18.zip
Securing the security
-rw-r--r--.idea/workspace.xml29
-rw-r--r--README.md12
-rw-r--r--admin/api/getUbuntuUpgrades.php2
-rw-r--r--admin/api/getUpdates.php2
-rw-r--r--admin/api/refreshUpdates.php2
-rw-r--r--admin/panes/uptime.php2
-rw-r--r--admin/private/permissions.json8
-rw-r--r--admin/private/permissions.php2
8 files changed, 29 insertions, 30 deletions
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
index 98257c2..d43e3bc 100644
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@@ -2,30 +2,14 @@
<project version="4">
<component name="ChangeListManager">
<list default="true" id="efd4dd1a-d09c-4a08-b9ea-ac28a5f96210" name="Default Changelist" comment="">
- <change afterPath="$PROJECT_DIR$/admin/panes/denied.php" afterDir="false" />
- <change afterPath="$PROJECT_DIR$/admin/private/header.sso.php" afterDir="false" />
- <change afterPath="$PROJECT_DIR$/admin/private/permissions.json" afterDir="false" />
- <change afterPath="$PROJECT_DIR$/admin/private/permissions.php" afterDir="false" />
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/NeutronManage/index.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/NeutronManage/index.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/api/getIpLocation.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/api/getIpLocation.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/api/getQuota.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/api/getQuota.php" afterDir="false" />
+ <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
<change beforePath="$PROJECT_DIR$/admin/api/getUbuntuUpgrades.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/api/getUbuntuUpgrades.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/api/serverLogSummary.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/api/serverLogSummary.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/api/serverTemp.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/api/serverTemp.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/api/serverTime.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/api/serverTime.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/callback/index.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/callback/index.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/index.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/index.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/panes/audit.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/panes/audit.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/panes/home.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/panes/home.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/panes/neutroning.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/panes/neutroning.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/panes/quotas.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/panes/quotas.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/panes/telemetry.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/panes/telemetry.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/panes/unchained.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/panes/unchained.php" afterDir="false" />
+ <change beforePath="$PROJECT_DIR$/admin/api/getUpdates.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/api/getUpdates.php" afterDir="false" />
+ <change beforePath="$PROJECT_DIR$/admin/api/refreshUpdates.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/api/refreshUpdates.php" afterDir="false" />
<change beforePath="$PROJECT_DIR$/admin/panes/uptime.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/panes/uptime.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/panes/version.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/panes/version.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/private/header.api.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/private/header.api.php" afterDir="false" />
- <change beforePath="$PROJECT_DIR$/admin/private/header.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/private/header.php" afterDir="false" />
+ <change beforePath="$PROJECT_DIR$/admin/private/permissions.json" beforeDir="false" afterPath="$PROJECT_DIR$/admin/private/permissions.json" afterDir="false" />
+ <change beforePath="$PROJECT_DIR$/admin/private/permissions.php" beforeDir="false" afterPath="$PROJECT_DIR$/admin/private/permissions.php" afterDir="false" />
</list>
<option name="SHOW_DIALOG" value="false" />
<option name="HIGHLIGHT_CONFLICTS" value="true" />
@@ -164,7 +148,8 @@
<workItem from="1628335662043" duration="2109000" />
<workItem from="1628417033420" duration="2437000" />
<workItem from="1628420373945" duration="287000" />
- <workItem from="1628426128888" duration="20963000" />
+ <workItem from="1628426128888" duration="21760000" />
+ <workItem from="1628515885916" duration="503000" />
</task>
<servers />
</component>
diff --git a/README.md b/README.md
index f9498bd..4dcd1ec 100644
--- a/README.md
+++ b/README.md
@@ -10,13 +10,21 @@ $ sudo visudo
And add the following lines:
```text
-www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt-get
-www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/do-release-upgrade
+www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/mtsp-apt-get-1
+www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/mtsp-apt-get-2
+www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/mtsp-do-release-upgrade
www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/lshw
```
(replacing `www-data` by the name of the user that runs your Web server)
+You will need to :
+* create a `/usr/bin/mtsp-apt-get-1` file that does `apt-get update`
+* create a `/usr/bin/mtsp-apt-get-2` file that does `apt-get upgrade -s`
+* create a `/usr/bin/mtsp-do-release-upgrade` file that does `do-release-upgrade -c`
+
+And make sure to have the `x` permission bit so we can run these files!
+
### Groups
Add your server user (usually `www-data`) to the following groups:
* `syslog` (required to write /var/log)
diff --git a/admin/api/getUbuntuUpgrades.php b/admin/api/getUbuntuUpgrades.php
index 8273036..ca49f38 100644
--- a/admin/api/getUbuntuUpgrades.php
+++ b/admin/api/getUbuntuUpgrades.php
@@ -2,7 +2,7 @@
require_once $_SERVER['DOCUMENT_ROOT'] . "/admin/private/header.api.php";
-exec("bash -c \"sudo do-release-upgrade -c | grep 'New release'\"", $ret);
+exec("bash -c \"sudo mtsp-do-release-upgrade | grep 'New release'\"", $ret);
if (count($ret) === 1) {
echo(l("<b>Ubuntu " . explode("'", $ret[0])[1] . "</b> is available, use <code>do-release-upgrade</code> to upgrade", "<b>Ubuntu " . explode("'", $ret[0])[1] . "</b> est disponible, exécutez la commande <code>do-release-upgrade</code> pour effectuer la mise à niveau"));
} else {
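Review bot: The new `exec` line calls `sudo mtsp-do-release-upgrade` by bare name, while the sudoers rule in the README is written for `/usr/bin/mtsp-do-release-upgrade`; spelling out the full path and adding `-n` ties the call to the approved file and makes it fail instead of waiting for a password: `exec("bash -c \"sudo -n /usr/bin/mtsp-do-release-upgrade | grep 'New release'\"", $ret);`. The same applies to `mtsp-apt-get-2` in admin/api/getUpdates.php and `mtsp-apt-get-1` in admin/api/refreshUpdates.php. Because these wrappers run as root without a password, the README should also state that they must be owned by root and not writable by the web-server user. The `if`/`else` that follows continues outside the hunk.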
diff --git a/admin/api/getUpdates.php b/admin/api/getUpdates.php
index 099dd67..5d9c373 100644
--- a/admin/api/getUpdates.php
+++ b/admin/api/getUpdates.php
@@ -3,7 +3,7 @@
header("Content-Type: application/json");
require_once $_SERVER['DOCUMENT_ROOT'] . "/admin/private/header.api.php";
-exec("bash -c \"sudo apt-get upgrade -s| grep ^Inst\"", $ret);
+exec("bash -c \"sudo mtsp-apt-get-2| grep ^Inst\"", $ret);
$data = [];
$data["count"] = count($ret);
$data["packages"] = [];
diff --git a/admin/api/refreshUpdates.php b/admin/api/refreshUpdates.php
index 39ac9ed..ec4c707 100644
--- a/admin/api/refreshUpdates.php
+++ b/admin/api/refreshUpdates.php
@@ -1,4 +1,4 @@
<?php
require_once $_SERVER['DOCUMENT_ROOT'] . "/admin/private/header.api.php";
-exec("bash -c \"sudo apt-get update", $ret);
\ No newline at end of file
+exec("bash -c \"sudo mtsp-apt-get-1", $ret);
\ No newline at end of file
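Review bot: The changed `exec` string opens a `\"` after `bash -c` and never closes it, so the shell most likely rejects the command and the package-list refresh never runs; the commit carries this over from the old line. No pipe is involved here, so the `bash -c` wrapper can be dropped: `exec("sudo -n /usr/bin/mtsp-apt-get-1", $ret, $code);`, with `$code` checked so that a failed refresh is reported rather than silently ignored.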
diff --git a/admin/panes/uptime.php b/admin/panes/uptime.php
index f0d0e7c..199df52 100644
--- a/admin/panes/uptime.php
+++ b/admin/panes/uptime.php
@@ -57,7 +57,7 @@
?></b> <?= l("of data has been collected to ensure easy system maintenance and audit", "de données ont été recueillies pour faciliter la maintenance du système et les audits de sécurité") ?>
</li>
<li class="list-group-item" id="logsummary">
- Calcul en cours...
+ <?= l("Calculating...", "Calcul en cours...") ?>
</li>
<!--suppress JSUnresolvedVariable, JSUnresolvedFunction -->
<script>
diff --git a/admin/private/permissions.json b/admin/private/permissions.json
index 32be506..10c9362 100644
--- a/admin/private/permissions.json
+++ b/admin/private/permissions.json
@@ -1,5 +1,5 @@
{
- "74bca7d2-4694-477c-8bc1-9003315abbee": [
+ "51daefd0-656d-4cf7-8ac1-ea94d8b17780": [
"login",
"home",
"serverTemp",
@@ -18,5 +18,11 @@
"quotas",
"getQuota",
"neutroning"
+ ],
+ "74bca7d2-4694-477c-8bc1-9003315abbee": [
+ "*",
+ "neutron",
+ "addresses",
+ "login"
]
}
\ No newline at end of file
diff --git a/admin/private/permissions.php b/admin/private/permissions.php
index 6ad7057..8e6f456 100644
--- a/admin/private/permissions.php
+++ b/admin/private/permissions.php
@@ -11,7 +11,7 @@ if (isset($_OVERRIDEPERMISSION)) {
$permsOkay = false;
foreach ($perms as $user => $uperms) {
if ($user === $_DATA['id']) {
- if (in_array($requested, $uperms)) {
+ if (in_array($requested, $uperms) || in_array("*", $uperms)) {
$permsOkay = true;
}
}
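Review bot: Both `in_array` calls on the changed line compare loosely, so a non-string `$requested` (its origin is outside the hunk) could match an entry it should not; pass the strict flag: `if (in_array($requested, $uperms, true) || in_array("*", $uperms, true)) {`. With this change the `"*"` entry added to admin/private/permissions.json becomes a full grant for that account, which deserves a short comment above the check, e.g. `// "*" grants every permission; keep it to administrator accounts`. The surrounding `foreach` starts and ends outside the hunk.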