From 7d25635f278549eaac801f78e320e714fe61bf06 Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Tue, 16 Sep 2014 20:40:00 +0000
Subject: Modify passwd actions to detect readonly files and prevent modification

If you edit the file with editfile, the permissions will be changed to readwrite, making the file editable
---
 freeradius3-model.lua | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

(limited to 'freeradius3-model.lua')

diff --git a/freeradius3-model.lua b/freeradius3-model.lua
index 4ec9037..83764c7 100644
--- a/freeradius3-model.lua
+++ b/freeradius3-model.lua
@@ -181,6 +181,8 @@ local get_passwd_file = function(self, clientdata, readonly)
 if f == retval.value.filename.value then
 retval.value.filename.errtxt = nil
 if readonly then retval.value.filename.readonly = true end
+ local stat = posix.stat(retval.value.filename.value)
+ retval.value.mode = cfe({ label="Permissions", value=stat.mode, seq=2, readonly=true })
 passwdconfig = parse_passwd_config(configs[i])
 break
 end
@@ -195,6 +197,11 @@ end
 local get_passwd_entry_private = function(self, clientdata, create)
 local retval,passwdconfig = get_passwd_file(self, clientdata, true)
 retval.label = "Freeradius passwd entry"
+ if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then
+ retval.value.filename.errtxt = "Readonly file"
+ return retval
+ end
+ retval.value.mode = nil
 local entry = 0
 local entryline = {}
 if not create then
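Review bot: `stat.mode` on the second added line is read without checking that `posix.stat` returned a table; if the stat fails, the getter raises an error instead of reporting the problem through `retval`. Every consumer of the new field already tests `retval.value.mode` for nil, so guarding only the assignment is enough: `if stat then retval.value.mode = cfe({ label="Permissions", value=stat.mode, seq=2, readonly=true }) end`. Whether the name in `f` can ever point at a missing or unreadable file depends on how the configs list is built earlier in get_passwd_file, which starts before this hunk and ends after it.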
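Review bot: The five-line read-only guard added here is copied verbatim into get_delete_passwd_entry and get_passwd in the hunks at -483 and -509, and each copy hard-codes the same `"^.%-"` pattern with no comment saying what it tests. A local helper would keep the three in step, e.g. `local function is_readonly_mode(mode) return mode and string.find(mode.value, "^.%-") end`, carrying a comment such as `-- second character of the stat mode string is '-': owner write bit clear, treat the file as read-only` (this assumes the mode string from posix.stat is in the usual rwxrwxrwx layout, which the page does not show). Note also that on the early return the Permissions field stays in `retval.value` while the writable path strips it with `retval.value.mode = nil`; if the read-only form is meant to display the permissions, a one-line comment would make that intent explicit.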
@@ -483,13 +490,18 @@ end
 function mymodule.get_delete_passwd_entry(self, clientdata)
 local retval,passwdconfig = get_passwd_file(self, clientdata)
 retval.label = "Delete Freeradius passwd entry"
- retval.value.filename.key = nil
+ if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then
+ retval.value.filename.errtxt = "Readonly file"
+ return retval
+ end
+ retval.value.mode = nil
 retval.value.entry = cfe({ label="Entry index", seq=2 })
 return retval
 end
 
 function mymodule.delete_passwd_entry(self, entry)
- local success = modelfunctions.validateselect(entry.value.filename)
+ local success = (nil ~= entry.value.entry)
+ success = modelfunctions.validateselect(entry.value.filename) and success
 if success then
 local contenttable = fs.read_file_as_array(entry.value.filename.value) or {}
 if contenttable[tonumber(entry.value.entry.value) or 0] then
@@ -509,6 +521,11 @@ end
 function mymodule.get_passwd(self, clientdata)
 local retval,passwdconfig = get_passwd_file(self, clientdata, true)
 retval.label = "Freeradius password"
+ if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then
+ retval.value.filename.errtxt = "Readonly file"
+ return retval
+ end
+ retval.value.mode = nil
 retval.value.entry = cfe({ label="Entry index", key=true, seq=2 })
 self.handle_clientdata(retval, clientdata)
 if passwdconfig then
@@ -559,6 +576,10 @@ function mymodule.get_passwd(self, clientdata)
 end
 
 function mymodule.update_passwd(self, passwd)
+ if not passwd.value.entry then
+ passwd.errtxt = "Failed to set password"
+ return passwd
+ end
 -- The password/index fields have already been validated
 if not passwd.value.password then
 passwd.errtxt = "Invalid passwd entry"

-- cgit v1.2.3
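Review bot: The read-only check added to get_delete_passwd_entry only shapes the form; delete_passwd_entry directly below it still validates the filename and the entry index and then proceeds to the file, so a request that supplies a filename and index on its own is not stopped by the new guard (update_passwd in the last hunk has the same gap). Repeating the mode test inside the action, next to the existing `validateselect` call, keeps the getter and the action in step and reports the same `"Readonly file"` text. Whether a write to such a file would fail on its own depends on the privileges the model runs with, which this page does not show, and both action functions continue past the end of their hunks, so where their failure text is returned is not visible here.
```lua
function mymodule.delete_passwd_entry(self, entry)
	local success = (nil ~= entry.value.entry)
	success = modelfunctions.validateselect(entry.value.filename) and success
	if success then
		-- same test the getters apply: second char of the mode string is '-' (no owner write)
		local stat = posix.stat(entry.value.filename.value)
		if stat and string.find(stat.mode, "^.%-") then
			entry.value.filename.errtxt = "Readonly file"
			success = false
		end
	end
	if success then
		-- … unchanged: read the file, drop the entry, write it back …
```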
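Review bot: The existing comment `-- The password/index fields have already been validated` now sits directly below a new test that the index field is present at all, which contradicts it; either move the comment above the new `if not passwd.value.entry` block or reword it to `-- entry is present; password/index contents were validated by the caller`. The message `"Failed to set password"` also says nothing about what was missing, while the sibling branch says `"Invalid passwd entry"`; a message naming the absent index would help whoever reads the form error. update_passwd continues past the end of the hunk.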