authorRenato Botelho <renato@netgate.com>2017-01-11 09:46:41 -0200
committerRenato Botelho <renato@netgate.com>2017-01-11 09:46:41 -0200
commit913a04ae2d1f66417a8a9c9e2c7d58f51f4a6898 (patch)
tree2b538951d09bd51fa8199149908e455ef6961694
parentb38e0fbdb0de562efef1733e4843d3660827e3f7 (diff)
parent753280bb6c75fb3aa5a1fcc2ef65640faa78340d (diff)
downloadpfsense-913a04ae2d1f66417a8a9c9e2c7d58f51f4a6898.zip
pfsense-913a04ae2d1f66417a8a9c9e2c7d58f51f4a6898.tar.gz
Merge pull request #3341 from phil-davis/sysprvwarn2
-rw-r--r--src/etc/inc/priv.defs.inc11
-rw-r--r--src/etc/inc/priv/user.priv.inc2
-rw-r--r--src/usr/local/www/diag_backup.php1
-rwxr-xr-xsrc/usr/local/www/diag_command.php1
-rw-r--r--src/usr/local/www/diag_defaults.php1
-rw-r--r--src/usr/local/www/diag_edit.php1
-rw-r--r--src/usr/local/www/system_authservers.php1
-rw-r--r--src/usr/local/www/system_groupmanager.php21
-rw-r--r--src/usr/local/www/system_groupmanager_addprivs.php34
-rw-r--r--src/usr/local/www/system_usermanager.php20
-rw-r--r--src/usr/local/www/system_usermanager_addprivs.php34
-rw-r--r--src/usr/local/www/system_usermanager_settings.php1
-rwxr-xr-xtools/scripts/generate-privdefs.php10
13 files changed, 134 insertions, 4 deletions
diff --git a/src/etc/inc/priv.defs.inc b/src/etc/inc/priv.defs.inc
index b1d0be1..349b6bb 100644
--- a/src/etc/inc/priv.defs.inc
+++ b/src/etc/inc/priv.defs.inc
@@ -16,6 +16,7 @@ $priv_list = array();
$priv_list['page-all'] = array();
$priv_list['page-all']['name'] = gettext("WebCfg - All pages");
$priv_list['page-all']['descr'] = gettext("Allow access to all pages");
+$priv_list['page-all']['warn'] = "standard-warning-root";
$priv_list['page-all']['match'] = array();
$priv_list['page-all']['match'][] = "*";
@@ -40,12 +41,14 @@ $priv_list['page-diagnostics-authentication']['match'][] = "diag_authentication.
$priv_list['page-diagnostics-backup-restore'] = array();
$priv_list['page-diagnostics-backup-restore']['name'] = gettext("WebCfg - Diagnostics: Backup & Restore");
$priv_list['page-diagnostics-backup-restore']['descr'] = gettext("Allow access to the 'Diagnostics: Backup & Restore' page.");
+$priv_list['page-diagnostics-backup-restore']['warn'] = "standard-warning-root";
$priv_list['page-diagnostics-backup-restore']['match'] = array();
$priv_list['page-diagnostics-backup-restore']['match'][] = "diag_backup.php*";
$priv_list['page-diagnostics-command'] = array();
$priv_list['page-diagnostics-command']['name'] = gettext("WebCfg - Diagnostics: Command");
$priv_list['page-diagnostics-command']['descr'] = gettext("Allow access to the 'Diagnostics: Command' page.");
+$priv_list['page-diagnostics-command']['warn'] = "standard-warning-root";
$priv_list['page-diagnostics-command']['match'] = array();
$priv_list['page-diagnostics-command']['match'][] = "diag_command.php*";
@@ -58,6 +61,7 @@ $priv_list['page-diagnostics-configurationhistory']['match'][] = "diag_confbak.p
$priv_list['page-diagnostics-factorydefaults'] = array();
$priv_list['page-diagnostics-factorydefaults']['name'] = gettext("WebCfg - Diagnostics: Factory defaults");
$priv_list['page-diagnostics-factorydefaults']['descr'] = gettext("Allow access to the 'Diagnostics: Factory defaults' page.");
+$priv_list['page-diagnostics-factorydefaults']['warn'] = "standard-warning-root";
$priv_list['page-diagnostics-factorydefaults']['match'] = array();
$priv_list['page-diagnostics-factorydefaults']['match'][] = "diag_defaults.php*";
@@ -82,6 +86,7 @@ $priv_list['page-diagnostics-sourcetracking']['match'][] = "diag_dump_states_sou
$priv_list['page-diagnostics-edit'] = array();
$priv_list['page-diagnostics-edit']['name'] = gettext("WebCfg - Diagnostics: Edit File");
$priv_list['page-diagnostics-edit']['descr'] = gettext("Allow access to the 'Diagnostics: Edit File' page.");
+$priv_list['page-diagnostics-edit']['warn'] = "standard-warning-root";
$priv_list['page-diagnostics-edit']['match'] = array();
$priv_list['page-diagnostics-edit']['match'][] = "diag_edit.php*";
$priv_list['page-diagnostics-edit']['match'][] = "browser.php*";
@@ -1078,6 +1083,7 @@ $priv_list['page-system-advanced-sysctl']['match'][] = "system_advanced_sysctl.p
$priv_list['page-system-authservers'] = array();
$priv_list['page-system-authservers']['name'] = gettext("WebCfg - System: Authentication Servers");
$priv_list['page-system-authservers']['descr'] = gettext("Allow access to the 'System: Authentication Servers' page.");
+$priv_list['page-system-authservers']['warn'] = "standard-warning-root";
$priv_list['page-system-authservers']['match'] = array();
$priv_list['page-system-authservers']['match'][] = "system_authservers.php*";
@@ -1126,12 +1132,14 @@ $priv_list['page-system-gateways-editgateway']['match'][] = "system_gateways_edi
$priv_list['page-system-groupmanager'] = array();
$priv_list['page-system-groupmanager']['name'] = gettext("WebCfg - System: Group Manager");
$priv_list['page-system-groupmanager']['descr'] = gettext("Allow access to the 'System: Group Manager' page.");
+$priv_list['page-system-groupmanager']['warn'] = "standard-warning-root";
$priv_list['page-system-groupmanager']['match'] = array();
$priv_list['page-system-groupmanager']['match'][] = "system_groupmanager.php*";
$priv_list['page-system-groupmanager-addprivs'] = array();
$priv_list['page-system-groupmanager-addprivs']['name'] = gettext("WebCfg - System: Group Manager: Add Privileges");
$priv_list['page-system-groupmanager-addprivs']['descr'] = gettext("Allow access to the 'System: Group Manager: Add Privileges' page.");
+$priv_list['page-system-groupmanager-addprivs']['warn'] = "standard-warning-root";
$priv_list['page-system-groupmanager-addprivs']['match'] = array();
$priv_list['page-system-groupmanager-addprivs']['match'][] = "system_groupmanager_addprivs.php*";
@@ -1168,12 +1176,14 @@ $priv_list['page-system-user-settings']['match'][] = "system_user_settings.php*"
$priv_list['page-system-usermanager'] = array();
$priv_list['page-system-usermanager']['name'] = gettext("WebCfg - System: User Manager");
$priv_list['page-system-usermanager']['descr'] = gettext("Allow access to the 'System: User Manager' page.");
+$priv_list['page-system-usermanager']['warn'] = "standard-warning-root";
$priv_list['page-system-usermanager']['match'] = array();
$priv_list['page-system-usermanager']['match'][] = "system_usermanager.php*";
$priv_list['page-system-usermanager-addprivs'] = array();
$priv_list['page-system-usermanager-addprivs']['name'] = gettext("WebCfg - System: User Manager: Add Privileges");
$priv_list['page-system-usermanager-addprivs']['descr'] = gettext("Allow access to the 'System: User Manager: Add Privileges' page.");
+$priv_list['page-system-usermanager-addprivs']['warn'] = "standard-warning-root";
$priv_list['page-system-usermanager-addprivs']['match'] = array();
$priv_list['page-system-usermanager-addprivs']['match'][] = "system_usermanager_addprivs.php*";
@@ -1186,6 +1196,7 @@ $priv_list['page-system-usermanager-passwordmg']['match'][] = "system_usermanage
$priv_list['page-system-usermanager-settings'] = array();
$priv_list['page-system-usermanager-settings']['name'] = gettext("WebCfg - System: User Manager: Settings");
$priv_list['page-system-usermanager-settings']['descr'] = gettext("Allow access to the 'System: User Manager: Settings' page.");
+$priv_list['page-system-usermanager-settings']['warn'] = "standard-warning-root";
$priv_list['page-system-usermanager-settings']['match'] = array();
$priv_list['page-system-usermanager-settings']['match'][] = "system_usermanager_settings.php*";
diff --git a/src/etc/inc/priv/user.priv.inc b/src/etc/inc/priv/user.priv.inc
index ff4a40c..6b60116 100644
--- a/src/etc/inc/priv/user.priv.inc
+++ b/src/etc/inc/priv/user.priv.inc
@@ -49,10 +49,12 @@ $priv_list['user-view-clear-notices']['descr'] = gettext("This user can view and
$priv_list['user-shell-access'] = array();
$priv_list['user-shell-access']['name'] = gettext("User - System: Shell account access");
$priv_list['user-shell-access']['descr'] = gettext("Indicates whether the user is able to login for example via SSH.");
+$priv_list['user-shell-access']['warn'] = "standard-warning-root";
$priv_list['user-copy-files'] = array();
$priv_list['user-copy-files']['name'] = gettext("User - System: Copy files (scp)");
$priv_list['user-copy-files']['descr'] = gettext("Indicates whether this user is allowed to copy files onto the {$g['product_name']} appliance via SCP/SFTP.");
+$priv_list['user-copy-files']['warn'] = "standard-warning-root";
$priv_list['user-copy-files-chroot'] = array();
$priv_list['user-copy-files-chroot']['name'] = gettext("User - System: Copy files to home directory (chrooted scp)");
diff --git a/src/usr/local/www/diag_backup.php b/src/usr/local/www/diag_backup.php
index bd3de22..a2a9f70 100644
--- a/src/usr/local/www/diag_backup.php
+++ b/src/usr/local/www/diag_backup.php
@@ -27,6 +27,7 @@
##|*IDENT=page-diagnostics-backup-restore
##|*NAME=Diagnostics: Backup & Restore
##|*DESCR=Allow access to the 'Diagnostics: Backup & Restore' page.
+##|*WARN=standard-warning-root
##|*MATCH=diag_backup.php*
##|-PRIV
diff --git a/src/usr/local/www/diag_command.php b/src/usr/local/www/diag_command.php
index 30f069c..4c32495 100755
--- a/src/usr/local/www/diag_command.php
+++ b/src/usr/local/www/diag_command.php
@@ -31,6 +31,7 @@
##|*IDENT=page-diagnostics-command
##|*NAME=Diagnostics: Command
##|*DESCR=Allow access to the 'Diagnostics: Command' page.
+##|*WARN=standard-warning-root
##|*MATCH=diag_command.php*
##|-PRIV
diff --git a/src/usr/local/www/diag_defaults.php b/src/usr/local/www/diag_defaults.php
index 8c1ee6f..fc61e34 100644
--- a/src/usr/local/www/diag_defaults.php
+++ b/src/usr/local/www/diag_defaults.php
@@ -27,6 +27,7 @@
##|*IDENT=page-diagnostics-factorydefaults
##|*NAME=Diagnostics: Factory defaults
##|*DESCR=Allow access to the 'Diagnostics: Factory defaults' page.
+##|*WARN=standard-warning-root
##|*MATCH=diag_defaults.php*
##|-PRIV
diff --git a/src/usr/local/www/diag_edit.php b/src/usr/local/www/diag_edit.php
index 10964ea..24dedd7 100644
--- a/src/usr/local/www/diag_edit.php
+++ b/src/usr/local/www/diag_edit.php
@@ -23,6 +23,7 @@
##|*IDENT=page-diagnostics-edit
##|*NAME=Diagnostics: Edit File
##|*DESCR=Allow access to the 'Diagnostics: Edit File' page.
+##|*WARN=standard-warning-root
##|*MATCH=diag_edit.php*
##|*MATCH=browser.php*
##|*MATCH=vendor/filebrowser/browser.php*
diff --git a/src/usr/local/www/system_authservers.php b/src/usr/local/www/system_authservers.php
index 93f0c11..86f96e8 100644
--- a/src/usr/local/www/system_authservers.php
+++ b/src/usr/local/www/system_authservers.php
@@ -24,6 +24,7 @@
##|*IDENT=page-system-authservers
##|*NAME=System: Authentication Servers
##|*DESCR=Allow access to the 'System: Authentication Servers' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_authservers.php*
##|-PRIV
diff --git a/src/usr/local/www/system_groupmanager.php b/src/usr/local/www/system_groupmanager.php
index 2a4da45..c36b193 100644
--- a/src/usr/local/www/system_groupmanager.php
+++ b/src/usr/local/www/system_groupmanager.php
@@ -29,6 +29,7 @@
##|*IDENT=page-system-groupmanager
##|*NAME=System: Group Manager
##|*DESCR=Allow access to the 'System: Group Manager' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_groupmanager.php*
##|-PRIV
@@ -234,15 +235,33 @@ function build_priv_table() {
$privhtml .= '</thead>';
$privhtml .= '<tbody>';
+ $user_has_root_priv = false;
+
foreach (get_user_privdesc($a_group[$id]) as $i => $priv) {
$privhtml .= '<tr>';
$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
- $privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>';
+ $privhtml .= '<td>' . htmlspecialchars($priv['descr']);
+ if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) {
+ $privhtml .= ' ' . gettext('(admin privilege)');
+ $user_has_root_priv = true;
+ }
+ $privhtml .= '</td>';
$privhtml .= '<td><a class="fa fa-trash" title="' . gettext('Delete Privilege') . '" href="system_groupmanager.php?act=delpriv&amp;groupid=' . $id . '&amp;privid=' . $i . '"></a></td>';
$privhtml .= '</tr>';
}
+ if ($user_has_root_priv) {
+ $privhtml .= '<tr>';
+ $privhtml .= '<td colspan="2">';
+ $privhtml .= '<b>' . gettext('Security notice: Users in this group effectively have administrator-level access') . '</b>';
+ $privhtml .= '</td>';
+ $privhtml .= '<td>';
+ $privhtml .= '</td>';
+ $privhtml .= '</tr>';
+
+ }
+
$privhtml .= '</tbody>';
$privhtml .= '</table>';
$privhtml .= '</div>';
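Review bot: The new check `isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')` repeats a bare string literal with a loose comparison; the same test appears again in the addprivs pages and in system_usermanager.php, so a single helper in the priv include (e.g. `function priv_is_root_warn($priv) { return isset($priv['warn']) && ($priv['warn'] === 'standard-warning-root'); }`) would keep the six sites from drifting and let the token be renamed in one place. In this file the flag is named `$user_has_root_priv` although the table is per group; `$group_has_root_priv` would match the notice text it guards. The notice only fires if `get_user_privdesc()` passes the `warn` key through from `$priv_list`; that function is not in the diff, so it is worth confirming rather than assuming. `build_priv_table()` starts and ends outside this hunk.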
diff --git a/src/usr/local/www/system_groupmanager_addprivs.php b/src/usr/local/www/system_groupmanager_addprivs.php
index 5c25e59..c165078 100644
--- a/src/usr/local/www/system_groupmanager_addprivs.php
+++ b/src/usr/local/www/system_groupmanager_addprivs.php
@@ -28,6 +28,7 @@
##|*IDENT=page-system-groupmanager-addprivs
##|*NAME=System: Group Manager: Add Privileges
##|*DESCR=Allow access to the 'System: Group Manager: Add Privileges' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_groupmanager_addprivs.php*
##|-PRIV
@@ -111,6 +112,20 @@ function build_priv_list() {
return($list);
}
+function get_root_priv_item_text() {
+ global $priv_list;
+
+ $priv_text = "";
+
+ foreach ($priv_list as $pname => $pdata) {
+ if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) {
+ $priv_text .= '<br/>' . $pdata['name'];
+ }
+ }
+
+ return($priv_text);
+}
+
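Review bot: `get_root_priv_item_text()` concatenates `$pdata['name']` straight into HTML, while the sibling table code in this same commit wraps `$priv['name']` in `htmlspecialchars()`; the two should agree, so `$priv_text .= '<br/>' . htmlspecialchars($pdata['name']);`. The loop key `$pname` is never used, so `foreach ($priv_list as $pdata)` is enough. The function is added byte-for-byte a second time in system_usermanager_addprivs.php; since both pages already share `$priv_list`, defining it once in the priv include would avoid the copy.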
include("head.inc");
if ($input_errors) {
@@ -161,6 +176,19 @@ $section->addInput(new Form_Input(
null
))->setHelp('Show only the choices containing this term');
+$section->addInput(new Form_StaticText(
+ gettext('Privilege information'),
+ '<span class="help-block">'.
+ gettext('The following privileges effectively give administrator-level access to users in the group' .
+ ' because the user gains access to execute general commands, edit system files, ' .
+ ' modify users, change passwords or similar:') .
+ '<br/>' .
+ get_root_priv_item_text() .
+ '<br/><br/>' .
+ gettext('Please take care when granting these privileges.') .
+ '</span>'
+));
+
$btnfilter = new Form_Button(
'btnfilter',
'Filter',
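Review bot: The help text built here yields double spaces in the rendered sentence, because each joined literal both ends and starts with a space: `'... edit system files, ' . ' modify users, ...'` produces "files,  modify", so the leading space on the second and third fragments should be dropped. Passing a runtime concatenation to `gettext()` also means the msgid is the joined string; whether the project's string extractor follows `.` concatenation across lines should be confirmed, otherwise this text will not be offered for translation. The same construction is repeated in the system_usermanager_addprivs.php hunk below, where `'administrator-level access ' . ' because'` has the same doubled space.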
@@ -205,7 +233,11 @@ events.push(function() {
continue;
}
- $desc = addslashes(preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']));
+ $desc = preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']);
+ if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) {
+ $desc .= ' ' . gettext('(This privilege effectively gives administrator-level access to users in the group)');
+ }
+ $desc = addslashes($desc);
$jdescs .= "descs[{$id}] = '{$desc}';\n";
$id++;
}
diff --git a/src/usr/local/www/system_usermanager.php b/src/usr/local/www/system_usermanager.php
index fca8657..c52c035 100644
--- a/src/usr/local/www/system_usermanager.php
+++ b/src/usr/local/www/system_usermanager.php
@@ -29,6 +29,7 @@
##|*IDENT=page-system-usermanager
##|*NAME=System: User Manager
##|*DESCR=Allow access to the 'System: User Manager' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_usermanager.php*
##|-PRIV
@@ -443,6 +444,7 @@ function build_priv_table() {
$privhtml .= '<tbody>';
$i = 0;
+ $user_has_root_priv = false;
foreach (get_user_privdesc($a_user[$id]) as $priv) {
$group = false;
@@ -453,7 +455,12 @@ function build_priv_table() {
$privhtml .= '<tr>';
$privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>';
$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
- $privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>';
+ $privhtml .= '<td>' . htmlspecialchars($priv['descr']);
+ if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) {
+ $privhtml .= ' ' . gettext('(admin privilege)');
+ $user_has_root_priv = true;
+ }
+ $privhtml .= '</td>';
$privhtml .= '<td>';
if (!$group) {
$privhtml .= '<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
@@ -467,6 +474,17 @@ function build_priv_table() {
}
}
+ if ($user_has_root_priv) {
+ $privhtml .= '<tr>';
+ $privhtml .= '<td colspan="3">';
+ $privhtml .= '<b>' . gettext('Security notice: This user effectively has administrator-level access') . '</b>';
+ $privhtml .= '</td>';
+ $privhtml .= '<td>';
+ $privhtml .= '</td>';
+ $privhtml .= '</tr>';
+
+ }
+
$privhtml .= '</tbody>';
$privhtml .= '</table>';
$privhtml .= '</div>';
diff --git a/src/usr/local/www/system_usermanager_addprivs.php b/src/usr/local/www/system_usermanager_addprivs.php
index 3b2ec2e..8babcd5 100644
--- a/src/usr/local/www/system_usermanager_addprivs.php
+++ b/src/usr/local/www/system_usermanager_addprivs.php
@@ -24,6 +24,7 @@
##|*IDENT=page-system-usermanager-addprivs
##|*NAME=System: User Manager: Add Privileges
##|*DESCR=Allow access to the 'System: User Manager: Add Privileges' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_usermanager_addprivs.php*
##|-PRIV
@@ -109,6 +110,20 @@ function build_priv_list() {
return($list);
}
+function get_root_priv_item_text() {
+ global $priv_list;
+
+ $priv_text = "";
+
+ foreach ($priv_list as $pname => $pdata) {
+ if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) {
+ $priv_text .= '<br/>' . $pdata['name'];
+ }
+ }
+
+ return($priv_text);
+}
+
include("head.inc");
if ($input_errors) {
@@ -151,6 +166,19 @@ $section->addInput(new Form_Input(
null
))->setHelp('Show only the choices containing this term');
+$section->addInput(new Form_StaticText(
+ gettext('Privilege information'),
+ '<span class="help-block">'.
+ gettext('The following privileges effectively give the user administrator-level access ' .
+ ' because the user gains access to execute general commands, edit system files, ' .
+ ' modify users, change passwords or similar:') .
+ '<br/>' .
+ get_root_priv_item_text() .
+ '<br/><br/>' .
+ gettext('Please take care when granting these privileges.') .
+ '</span>'
+));
+
$btnfilter = new Form_Button(
'btnfilter',
'Filter',
@@ -205,7 +233,11 @@ events.push(function() {
if (in_array($pname, $a_user['priv'])) {
continue;
}
- $desc = addslashes(preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']));
+ $desc = preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']);
+ if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) {
+ $desc .= ' ' . gettext('(This privilege effectively gives administrator-level access to the user)');
+ }
+ $desc = addslashes($desc);
$jdescs .= "descs[{$id}] = '{$desc}';\n";
$id++;
}
diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php
index 4418f4f..501070d 100644
--- a/src/usr/local/www/system_usermanager_settings.php
+++ b/src/usr/local/www/system_usermanager_settings.php
@@ -24,6 +24,7 @@
##|*IDENT=page-system-usermanager-settings
##|*NAME=System: User Manager: Settings
##|*DESCR=Allow access to the 'System: User Manager: Settings' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_usermanager_settings.php*
##|-PRIV
diff --git a/tools/scripts/generate-privdefs.php b/tools/scripts/generate-privdefs.php
index c8e2421..da76692 100755
--- a/tools/scripts/generate-privdefs.php
+++ b/tools/scripts/generate-privdefs.php
@@ -96,6 +96,7 @@ $pdata .= "\n";
$pdata .= "\$priv_list['page-all'] = array();\n";
$pdata .= "\$priv_list['page-all']['name'] = gettext(\"WebCfg - All pages\");\n";
$pdata .= "\$priv_list['page-all']['descr'] = gettext(\"Allow access to all pages\");\n";
+$pdata .= "\$priv_list['page-all']['warn'] = \"standard-warning-root\";\n";
$pdata .= "\$priv_list['page-all']['match'] = array();\n";
$pdata .= "\$priv_list['page-all']['match'][] = \"*\";\n";
$pdata .= "\n";
@@ -107,6 +108,7 @@ foreach ($data as $fname => $tags) {
$ident = "";
$name = "";
$descr = "";
+ $warn = "";
$match = array();
foreach ($vals as $vname => $vlist) {
@@ -121,6 +123,9 @@ foreach ($data as $fname => $tags) {
case "DESCR":
$descr = $vlist[0];
break;
+ case "WARN":
+ $warn = $vlist[0];
+ break;
case "MATCH":
$match = $vlist;
break;
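Review bot: The new `WARN` case accepts any value from the page header, but every consumer added in this commit recognises only the literal `standard-warning-root`, so a typo in a `##|*WARN=` line would be copied into priv.defs.inc and silently disable the notice for that page. A check at generation time would surface it: `case "WARN": $warn = $vlist[0]; if ($warn !== 'standard-warning-root') { echo "Unknown WARN value '{$warn}' in {$fname}\n"; } break;`. The value is written into the generated source without escaping in the following hunk, which is consistent with how `DESCR` is already handled but is one more reason to constrain it to the known token.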
@@ -140,6 +145,11 @@ foreach ($data as $fname => $tags) {
$pdata .= "\$priv_list['{$ident}'] = array();\n";
$pdata .= "\$priv_list['{$ident}']['name'] = gettext(\"WebCfg - {$name}\");\n";
$pdata .= "\$priv_list['{$ident}']['descr'] = gettext(\"{$descr}\");\n";
+
+ if (strlen($warn) > 0) {
+ $pdata .= "\$priv_list['{$ident}']['warn'] = \"{$warn}\";\n";
+ }
+
$pdata .= "\$priv_list['{$ident}']['match'] = array();\n";
foreach ($match as $url)