From 7d25635f278549eaac801f78e320e714fe61bf06 Mon Sep 17 00:00:00 2001 From: Ted Trask Date: Tue, 16 Sep 2014 20:40:00 +0000 Subject: Modify passwd actions to detect readonly files and prevent modification If you edit the file with editfile, the permissions will be changed to readwrite, making the file editable --- freeradius3-model.lua | 25 +++++++++++++++++++++++-- freeradius3-viewpasswdfile-html.lsp | 12 +++++++++++- 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/freeradius3-model.lua b/freeradius3-model.lua index 4ec9037..83764c7 100644 --- a/freeradius3-model.lua +++ b/freeradius3-model.lua @@ -181,6 +181,8 @@ local get_passwd_file = function(self, clientdata, readonly) if f == retval.value.filename.value then retval.value.filename.errtxt = nil if readonly then retval.value.filename.readonly = true end + local stat = posix.stat(retval.value.filename.value) + retval.value.mode = cfe({ label="Permissions", value=stat.mode, seq=2, readonly=true }) passwdconfig = parse_passwd_config(configs[i]) break end @@ -195,6 +197,11 @@ end local get_passwd_entry_private = function(self, clientdata, create) local retval,passwdconfig = get_passwd_file(self, clientdata, true) retval.label = "Freeradius passwd entry" + if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then + retval.value.filename.errtxt = "Readonly file" + return retval + end + retval.value.mode = nil local entry = 0 local entryline = {} if not create then @@ -483,13 +490,18 @@ end function mymodule.get_delete_passwd_entry(self, clientdata) local retval,passwdconfig = get_passwd_file(self, clientdata) retval.label = "Delete Freeradius passwd entry" - retval.value.filename.key = nil + if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then + retval.value.filename.errtxt = "Readonly file" + return retval + end + retval.value.mode = nil retval.value.entry = cfe({ label="Entry index", seq=2 }) return retval end function mymodule.delete_passwd_entry(self, entry) - local success = modelfunctions.validateselect(entry.value.filename) + local success = (nil ~= entry.value.entry) + success = modelfunctions.validateselect(entry.value.filename) and success if success then local contenttable = fs.read_file_as_array(entry.value.filename.value) or {} if contenttable[tonumber(entry.value.entry.value) or 0] then @@ -509,6 +521,11 @@ end function mymodule.get_passwd(self, clientdata) local retval,passwdconfig = get_passwd_file(self, clientdata, true) retval.label = "Freeradius password" + if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then + retval.value.filename.errtxt = "Readonly file" + return retval + end + retval.value.mode = nil retval.value.entry = cfe({ label="Entry index", key=true, seq=2 }) self.handle_clientdata(retval, clientdata) if passwdconfig then @@ -559,6 +576,10 @@ function mymodule.get_passwd(self, clientdata) end function mymodule.update_passwd(self, passwd) + if not passwd.value.entry then + passwd.errtxt = "Failed to set password" + return passwd + end -- The password/index fields have already been validated if not passwd.value.password then passwd.errtxt = "Invalid passwd entry" diff --git a/freeradius3-viewpasswdfile-html.lsp b/freeradius3-viewpasswdfile-html.lsp index 5e6ad7f..fe28b28 100644 --- a/freeradius3-viewpasswdfile-html.lsp +++ b/freeradius3-viewpasswdfile-html.lsp @@ -30,8 +30,16 @@ html = require("acf.html") redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.value) %> +<% +local editable = false +if view.value.mode and string.match(view.value.mode.value, "^.w") then + editable = true +end +%> + <% local header_level = htmlviewfunctions.displaysectionstart(view, page_info) %> <% htmlviewfunctions.displayitem(view.value.filename) %> +<% if view.value.mode then htmlviewfunctions.displayitem(view.value.mode) end %> <% if view.value.data then %> <% local containspasswd = 0 %> @@ -48,6 +56,7 @@ redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.val <% for i,r in ipairs( view.value.data.value ) do %> <% for j,f in ipairs(r) do %> @@ -67,7 +77,7 @@ redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.val
+<% if editable then %> <% entry.value = i %> <% if viewlibrary.check_permission("editpasswdentry") then %> <% htmlviewfunctions.displayitem(cfe({type="link", value={filename=filename, entry=entry, redir=redir}, label="", option="Edit", action="editpasswdentry"}), page_info, -1) %> @@ -58,6 +67,7 @@ redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.val <% if 0 < containspasswd and r[containspasswd] ~= "" and viewlibrary.check_permission("editpasswd") then %> <% htmlviewfunctions.displayitem(cfe({type="link", value={filename=filename, entry=entry, redir=redir}, label="", option="Change Pass", action="editpasswd"}), page_info, -1) %> <% end %> +<% end %> <% if (j == containspasswd) and (f ~= "") then io.write("********") else io.write(html.html_escape(f)) end %>
<% end %> -<% if view.value.data and viewlibrary and viewlibrary.dispatch_component and viewlibrary.check_permission("createpasswdentry") then +<% if editable and view.value.data and viewlibrary and viewlibrary.dispatch_component and viewlibrary.check_permission("createpasswdentry") then local createform = viewlibrary.dispatch_component("createpasswdentry", {filename=view.value.filename.value, redir=redir.value}, true) createform.action = page_info.script .. page_info.prefix .. page_info.controller .. "/createpasswdentry" htmlviewfunctions.displayitem(createform, page_info, htmlviewfunctions.incrementheader(header_level)) -- cgit v1.2.3