diff options
author | Ted Trask <ttrask01@yahoo.com> | 2014-09-16 20:40:00 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2014-09-16 20:40:00 +0000 |
commit | 7d25635f278549eaac801f78e320e714fe61bf06 (patch) | |
tree | 085dcf3ca805e3f569cb4e5feadc999e687d1b10 | |
parent | 674ea5218b182cb7ba2ba84e9e143f7cf1dd1862 (diff) | |
download | acf-freeradius3-7d25635f278549eaac801f78e320e714fe61bf06.tar.bz2 acf-freeradius3-7d25635f278549eaac801f78e320e714fe61bf06.tar.xz |
Modify passwd actions to detect readonly files and prevent modification
If you edit the file with editfile, the permissions will be changed to readwrite, making the file editable
-rw-r--r-- | freeradius3-model.lua | 25 | ||||
-rw-r--r-- | freeradius3-viewpasswdfile-html.lsp | 12 |
2 files changed, 34 insertions, 3 deletions
diff --git a/freeradius3-model.lua b/freeradius3-model.lua index 4ec9037..83764c7 100644 --- a/freeradius3-model.lua +++ b/freeradius3-model.lua @@ -181,6 +181,8 @@ local get_passwd_file = function(self, clientdata, readonly) if f == retval.value.filename.value then retval.value.filename.errtxt = nil if readonly then retval.value.filename.readonly = true end + local stat = posix.stat(retval.value.filename.value) + retval.value.mode = cfe({ label="Permissions", value=stat.mode, seq=2, readonly=true }) passwdconfig = parse_passwd_config(configs[i]) break end @@ -195,6 +197,11 @@ end local get_passwd_entry_private = function(self, clientdata, create) local retval,passwdconfig = get_passwd_file(self, clientdata, true) retval.label = "Freeradius passwd entry" + if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then + retval.value.filename.errtxt = "Readonly file" + return retval + end + retval.value.mode = nil local entry = 0 local entryline = {} if not create then @@ -483,13 +490,18 @@ end function mymodule.get_delete_passwd_entry(self, clientdata) local retval,passwdconfig = get_passwd_file(self, clientdata) retval.label = "Delete Freeradius passwd entry" - retval.value.filename.key = nil + if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then + retval.value.filename.errtxt = "Readonly file" + return retval + end + retval.value.mode = nil retval.value.entry = cfe({ label="Entry index", seq=2 }) return retval end function mymodule.delete_passwd_entry(self, entry) - local success = modelfunctions.validateselect(entry.value.filename) + local success = (nil ~= entry.value.entry) + success = modelfunctions.validateselect(entry.value.filename) and success if success then local contenttable = fs.read_file_as_array(entry.value.filename.value) or {} if contenttable[tonumber(entry.value.entry.value) or 0] then @@ -509,6 +521,11 @@ end function mymodule.get_passwd(self, clientdata) local retval,passwdconfig = get_passwd_file(self, clientdata, true) retval.label = "Freeradius password" + if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then + retval.value.filename.errtxt = "Readonly file" + return retval + end + retval.value.mode = nil retval.value.entry = cfe({ label="Entry index", key=true, seq=2 }) self.handle_clientdata(retval, clientdata) if passwdconfig then @@ -559,6 +576,10 @@ function mymodule.get_passwd(self, clientdata) end function mymodule.update_passwd(self, passwd) + if not passwd.value.entry then + passwd.errtxt = "Failed to set password" + return passwd + end -- The password/index fields have already been validated if not passwd.value.password then passwd.errtxt = "Invalid passwd entry" diff --git a/freeradius3-viewpasswdfile-html.lsp b/freeradius3-viewpasswdfile-html.lsp index 5e6ad7f..fe28b28 100644 --- a/freeradius3-viewpasswdfile-html.lsp +++ b/freeradius3-viewpasswdfile-html.lsp @@ -30,8 +30,16 @@ html = require("acf.html") redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.value) %> +<% +local editable = false +if view.value.mode and string.match(view.value.mode.value, "^.w") then + editable = true +end +%> + <% local header_level = htmlviewfunctions.displaysectionstart(view, page_info) %> <% htmlviewfunctions.displayitem(view.value.filename) %> +<% if view.value.mode then htmlviewfunctions.displayitem(view.value.mode) end %> <% if view.value.data then %> <% local containspasswd = 0 %> <table id="list" class="tablesorter"><thead> @@ -48,6 +56,7 @@ redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.val <% for i,r in ipairs( view.value.data.value ) do %> <tr> <td> +<% if editable then %> <% entry.value = i %> <% if viewlibrary.check_permission("editpasswdentry") then %> <% htmlviewfunctions.displayitem(cfe({type="link", value={filename=filename, entry=entry, redir=redir}, label="", option="Edit", action="editpasswdentry"}), page_info, -1) %> @@ -58,6 +67,7 @@ redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.val <% if 0 < containspasswd and r[containspasswd] ~= "" and viewlibrary.check_permission("editpasswd") then %> <% htmlviewfunctions.displayitem(cfe({type="link", value={filename=filename, entry=entry, redir=redir}, label="", option="Change Pass", action="editpasswd"}), page_info, -1) %> <% end %> +<% end %> </td> <% for j,f in ipairs(r) do %> <td><% if (j == containspasswd) and (f ~= "") then io.write("********") else io.write(html.html_escape(f)) end %></td> @@ -67,7 +77,7 @@ redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.val </tbody></table> <% end %> -<% if view.value.data and viewlibrary and viewlibrary.dispatch_component and viewlibrary.check_permission("createpasswdentry") then +<% if editable and view.value.data and viewlibrary and viewlibrary.dispatch_component and viewlibrary.check_permission("createpasswdentry") then local createform = viewlibrary.dispatch_component("createpasswdentry", {filename=view.value.filename.value, redir=redir.value}, true) createform.action = page_info.script .. page_info.prefix .. page_info.controller .. "/createpasswdentry" htmlviewfunctions.displayitem(createform, page_info, htmlviewfunctions.incrementheader(header_level)) |