diff options
author | Bill Marquette <billm@pfsense.org> | 2007-04-13 03:26:35 +0000 |
---|---|---|
committer | Bill Marquette <billm@pfsense.org> | 2007-04-13 03:26:35 +0000 |
commit | fab7ff44cbc8d2faf0d0a270d8edb8d65807557e (patch) | |
tree | e6dcf342fb2e18d8de67ed7ed9589519d4c64ec3 /etc/inc | |
parent | 6d838c8378006c84402993ab631c1b9947fc41a3 (diff) | |
download | pfsense-fab7ff44cbc8d2faf0d0a270d8edb8d65807557e.zip pfsense-fab7ff44cbc8d2faf0d0a270d8edb8d65807557e.tar.gz |
Backport usermanager code from HEAD so I can get it in the snaps and
start testing it properly
There's still some CSS/HTML fixes needed but the code seems to work
Diffstat (limited to 'etc/inc')
-rw-r--r-- | etc/inc/auth.inc | 702 | ||||
-rw-r--r-- | etc/inc/authgui.inc | 306 | ||||
-rw-r--r-- | etc/inc/config.inc | 53 | ||||
-rw-r--r-- | etc/inc/functions.inc | 3 | ||||
-rw-r--r-- | etc/inc/globals.inc | 5 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 122 |
6 files changed, 1071 insertions, 120 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index a13faaf..c9318bc 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -4,6 +4,12 @@ Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com> All rights reserved. + Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>. + All rights reserved. + + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -26,107 +32,605 @@ POSSIBILITY OF SUCH DAMAGE. */ -require_once("config.inc"); -require_once("globals.inc"); - -/* We only support file backed HTTP Basic auth right now */ -$auth_method="htpasswd_backed_basic_auth"; - -/* Authenticate user - exit if failed (we should have a callback for this maybe) */ -if (!$auth_method()) - exit; - -function basic_auth_prompt(){ - header("WWW-Authenticate: Basic realm=\".\""); - header("HTTP/1.0 401 Unauthorized"); - echo "You must enter valid credentials to access this resource."; - exit; -} - -function passwd_backed_basic_auth() { - global $HTTP_SERVER_VARS; - - $authfile = file("/etc/master.passwd"); - - /* Prompt three times and give up */ - for($attempt = 0; $attempt <= 3; basic_auth_prompt()){ - $attempt++; - /* Check for AUTH_USER */ - if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") { - $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER']; - $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW']; - } - if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) - continue; - - /* Check to see if user even exists */ - $username = $HTTP_SERVER_VARS['AUTH_USER']; - if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile)))) - continue; - - /* Get crypted password */ - $matches = ""; - preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches); - $pass = $matches[1]; - $salt = $matches[2]; - - /* Encrypt entered password with salt */ - $authpass = crypt($HTTP_SERVER_VARS['AUTH_PW'], $salt); - - /* And finally validate password */ - if($authpass == $pass) - return true; - else - continue; - } - - /* Should only get here if user fails login three times */ - return false; -} - -function htpasswd_backed_basic_auth() { - global $HTTP_SERVER_VARS; - - $authfile = file("/var/run/htpasswd"); - - /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */ - unlink_if_exists("/usr/local/www/.htpasswd"); - - /* Prompt three times and give up */ - for($attempt = 0; $attempt <= 3; basic_auth_prompt()){ - $attempt++; - - /* Check for AUTH_USER */ - if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") { - $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER']; - $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW']; - } - if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) - continue; - - /* Check to see if user even exists */ - $username = $HTTP_SERVER_VARS['AUTH_USER']; - if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile)))) - continue; - - /* Get crypted password */ - $matches = ""; - preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches); - $pass = $matches[1]; - $salt = $matches[2]; - - /* Encrypt entered password with salt */ - $authpass = crypt($HTTP_SERVER_VARS['AUTH_PW'], $salt); - - /* And finally validate password */ - if($authpass == $pass) - return true; - else - continue; +require_once("functions.inc"); +$groupindex = index_groups(); +$userindex = index_users(); + +function &getSystemAdminNames() { + global $config, $g, $userindex; + $adminUsers = array(); + + if (is_array($config['system']['user'])) { + foreach($config['system']['user'] as $user){ + if (isSystemAdmin($user['name'])) { + $adminUsers[] = $user['name']; + } + } + } + + return $adminUsers; +} + +function &getSystemPrivs() { + global $g; + + $privs = array(); + + $privs[] = array("id" => "lockwc", + "name" => "Lock webConfigurator", + "desc" => "Indicates whether this user will lock access to " . + "the webConfigurator for other users."); + $privs[] = array("id" => "lock-ipages", + "name" => "Lock individual pages", + "desc" => "Indicates whether this user will lock individual " . + "HTML pages after having accessed a particular page" . + "(the lock will be freed if the user leaves or " . + "saves the page form)."); + $privs[] = array("id" => "hasshell", + "name" => "Has shell access", + "desc" => "Indicates whether this user is able to login for " . + "example via SSH."); + $privs[] = array("id" => "copyfiles", + "name" => "Is allowed to copy files", + "desc" => "Indicates whether this user is allowed to copy files " . + "onto the {$g['product_name']} appliance via SCP/SFTP. " . + "If you are going to use this privilege, you must install " . + "scponly on the appliance (Hint: pkg_add -r scponly)."); + $privs[] = array("id" => "isroot", + "name" => "Is root user", + "desc" => "This user is associated with the UNIX root user " . + "(you should associate this privilege only with one " . + "single user)."); + + return $privs; +} + +function assignUID($username = "") { + global $userindex, $config, $g; + + if ($username == "") { return; } + + $nextuid = $config['system']['nextuid']; + $user =& $config['system']['user'][$userindex[$username]]; + + if (empty($user['uid'])) { + $user['uid'] = $nextuid; + $nextuid++; + $config['system']['nextuid'] = $nextuid; + + write_config(); + + return $user; + } +} + +function assignGID($groupname = "") { + global $groupindex, $config, $g; + + if ($groupname == "") { return; } + + $nextgid = $config['system']['nextgid']; + $group =& $config['system']['group'][$groupindex[$groupname]]; + + if (empty($group['gid'])) { + $group['gid'] = $nextgid; + $nextgid++; + $config['system']['nextgid'] = $nextgid; + + write_config(); + + return $group; + } +} + +function hasPrivilege($user, $privid = "") { + global $userindex, $config, $g; + + if ($privid == "" || ! isset($userindex[$user])) { return 0; } + + $privs = &$config['system']['user'][$userindex[$user]]['priv']; + + if (is_array($privs)) { + foreach($privs as $priv){ + if ($priv['id'] == $privid) { + return 1; + } + } + } + + return 0; +} + +function isAllowedToCopyFiles($username) { + global $userindex, $config, $g; + + if ($username == "") { return 0; } + + return hasPrivilege($username, "copyfiles"); +} + +function hasLockAbility($username) { + global $userindex, $config, $g; + + if ($username == "") { return 0; } + + return hasPrivilege($username, "lockwc"); +} + +function hasPageLockAbility($username) { + global $userindex, $config, $g; + + if ($username == "") { return 0; } + + return hasPrivilege($username, "lock-ipages"); +} + +function hasShellAccess($username) { + global $userindex, $config, $g; + + if ($username == "") { return 0; } + + return hasPrivilege($username, "hasshell"); +} + +function isUNIXRoot($username = "") { + global $userindex, $config; + + if ($username == "") { return 0; } + + if (isSystemAdmin($username)) { + return hasPrivilege($username, "isroot"); + } + + return 0; +} + +function setUserFullName($name = "", $new_name = "") { + global $config, $g, $userindex; + + if ($name == "" || $new_name == "") { return; } + + $user = &$config['system']['user'][$userindex[$name]]; + $user['fullname'] = $new_name; +} + +function setUserName($name = "", $new_name = "") { + global $config, $g, $userindex; + + if ($name == "" || $new_name == "") { return; } + + $user = &$config['system']['user'][$userindex[$name]]; + $user['name'] = $new_name; +} + +function setUserPWD($name = "", $password = "") { + global $config, $g, $userindex; + + if ($name == "" || $password == "") { return; } + + $user = &$config['system']['user'][$userindex[$name]]; + $user['password'] = crypt($password); +} + +function setUserGroupName($name = "", $new_name = "") { + global $config, $g, $userindex; + + if ($name == "" || $new_name == "") { return; } + + $user = &$config['system']['user'][$userindex[$name]]; + $user['groupname'] = $new_name; +} + +function setUserType($name = "", $new_type = "") { + global $config, $g, $userindex; + + if ($name == "" || $new_type == "") { return; } + + $user = &$config['system']['user'][$userindex[$name]]; + $user['scope'] = $new_type; +} + +function getUNIXRoot() { + global $config, $g, $userindex; + + if (is_array($config['system']['user'])) { + foreach($config['system']['user'] as $user){ + if (isUNIXRoot($user['name'])) { + $root = &$config['system']['user'][$userindex[$user['name']]]; + return $root; + } + } + } + + return NULL; +} + +function getUNIXRootName() { + global $config, $g, $userindex; + + if (is_array($config['system']['user'])) { + foreach($config['system']['user'] as $user){ + if (isUNIXRoot($user['name'])) { + return $user['name']; + } + } + } + + return NULL; +} + +function getGroupHomePage($group = "") { + global $groupindex, $config, $g; + + if ($group == "") { return ""; } + + $page = $config['system']['group'][$groupindex[$group]]['home']; + if(empty($page)) { $page = ""; } + return $page; +} + +function isSystemAdmin($username = "") { + global $groupindex, $userindex, $config, $g; + + if ($username == "") { return 0; } + + $gname = $config['system']['group'][$groupindex[$config['system']['user'][$userindex[$username]]['groupname']]]['name']; + + if (isset($gname)) { + return ($gname === $g["admin_group"]); + } + + return 0; +} + +function getRealName($username = "") { + global $userindex, $config; + + if ($username == "") { return ""; } + + return $config['system']['user'][$userindex[$username]]['fullname']; + +} + +function basic_auth($backing) { + global $HTTP_SERVER_VARS; + + /* Check for AUTH_USER */ + if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") { + $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER']; + $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW']; + } + if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) { + require_once("authgui.inc"); + header("WWW-Authenticate: Basic realm=\".\""); + header("HTTP/1.0 401 Unauthorized"); + display_error_form("401", gettext("You must enter valid credentials to access this resource.")); + exit; + } else { + return $backing($HTTP_SERVER_VARS['AUTH_USER'],$HTTP_SERVER_VARS['AUTH_PW']); + } +} + +function session_auth($backing) { + global $g, $HTTP_SERVER_VARS, $userindex, $config; + + session_start(); + + /* Validate incoming login request */ + if (isset($_POST['login'])) { + if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) { + $_SESSION['Logged_In'] = "True"; + $_SESSION['Username'] = $_POST['usernamefld']; + $_SESSION['last_access'] = time(); + } else { + /* give the user a more detailed error message */ + if (isset($userindex[$_POST['usernamefld']])) { + $_SESSION['Login_Error'] = "Wrong password"; + } else { + $_SESSION['Login_Error'] = "User does not exist"; + } + } + } + + /* Show login page if they aren't logged in */ + if (empty($_SESSION['Logged_In'])) { + /* Don't display login forms to AJAX */ + if (isAjax()) + return false; + require_once("authgui.inc"); + display_login_form(); + return false; + } else { + /* If session timeout isn't set, we don't mark sessions stale */ + if (!isset($config['system']['webgui']['session_timeout']) or + $config['system']['webgui']['session_timeout'] == 0 or + $config['system']['webgui']['session_timeout'] == "") + $_SESSION['last_access'] = time(); + else + /* Check for stale session */ + if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) + $_GET['logout'] = true; + else + /* only update if it wasn't ajax */ + if (!isAjax()) + $_SESSION['last_access'] = time(); + + /* user hit the logout button */ + if (isset($_GET['logout'])) { + if (hasLockAbility($_SESSION['Username'])) { + unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock"); + } + + /* wipe out $_SESSION */ + $_SESSION = array(); + + if (isset($_COOKIE[session_name()])) { + setcookie(session_name(), '', time()-42000, '/'); + } + + /* and destroy it */ + session_destroy(); + + $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]); + $scriptElms = count($scriptName); + $scriptName = $scriptName[$scriptElms-1]; + + if (isAjax()) + return false; + + /* redirect to page the user is on, it'll prompt them to login again */ + pfSenseHeader($scriptName); + + return false; + + /* user wants to explicitely delete the log file. + * Requires a particular privilege. + */ + } else if ($_GET['deletelock'] && hasLockAbility($_SESSION['Username'])) { + unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock"); + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + + /* this is for debugging purpose if you do not want to use Ajax + * to submit a HTML form. It basically diables the observation + * of the submit event and hence does not trigger Ajax. + */ + } else if ($_GET['disable_ajax']) { + $_SESSION['NO_AJAX'] = "True"; + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + + /* Same to re-enable Ajax. + */ + } else if ($_GET['enable_ajax']) { + unset($_SESSION['NO_AJAX']); + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + + /* user wants to explicitely create a lock. + * Requires a particular privilege. + */ + } else if ($_GET['createlock'] && hasLockAbility($_SESSION['Username'])) { + $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w"); + fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" . + getRealName($_SESSION['Username']) . ")"); + fclose($fd); + /* if the user did delete the lock manually, do not + * re-create it while the session is valide. + */ + $_SESSION['Lock_Created'] = "True"; + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + + /* proceed with the login process */ + } else { + /* if the user is allowed to create a lock, + * create it once per session. + */ + if (hasLockAbility($_SESSION['Username']) && + ! isset($_SESSION['Lock_Created'])) { + + $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w"); + fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" . + getRealName($_SESSION['Username']) . ")"); + fclose($fd); + /* if the user did delete the lock manually, do not + * re-create it while the session is valide. + */ + $_SESSION['Lock_Created'] = "True"; + + /* give regular users a chance to automatically invalidate + * a lock if its older than a particular time. + */ + } else if (! hasLockAbility($_SESSION['Username']) && + file_exists("{$g['tmp_path']}/webconfigurator.lock")) { + + $offset = 12; //hours + $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock"); + $now_minus_offset = mktime(date("H") - $offset, 0, 0, date("m"), date("d"), date("Y")); + + if (($mtime - $now_minus_offset) < $mtime) { + require_once("authgui.inc"); + display_login_form(); + return false; + } else { + /* file is older than mtime + offset which may + * indicate a stale lockfile, hence we are going + * to remove it. + */ + unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock"); } + } + + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + } + } +} + +function pam_backed($username = "", $password = "") { + /* we do not support blank pwds, don't we? */ + if ($username == "" || password == "") { return false; } + + if(! extension_loaded( 'pam_auth' )) { + if(! @dl( 'pam_auth.so' )) { + return false; + } else { + /* no php file no auth, sorry */ + if (! file_exists("/etc/pam.d/php")) { + if (! file_exists("/etc/pam.d")) { mkdir("/etc/pam.d"); } + + $pam_php = <<<EOD +# /etc/pam.d/php +# +# note: both an auth and account entry are required + +# auth +auth required pam_nologin.so no_warn +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_unix.so + +# session +session required pam_permit.so - /* Should only get here if user fails login three times */ +# password +password required pam_unix.so no_warn try_first_pass + +EOD; + + file_put_contents("/etc/pam.d/php", $pam_php); + } // end if + + if (pam_auth($username, $password, &$error)) { + return true; + } else { return false; + } + } + } +} + +function passwd_backed($username, $passwd) { + $authfile = file("/etc/master.passwd"); + + $matches=""; + + /* Check to see if user even exists */ + if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile)))) + return false; + + /* Get crypted password */ + preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches); + $pass = $matches[1]; + $salt = $matches[2]; + + /* Encrypt entered password with salt + * And finally validate password + */ + if ($pass == crypt($passwd, $salt)) + return true; + else + return false; +} + +function htpasswd_backed($username, $passwd) { + $authfile = file("/var/run/htpasswd"); + + /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */ + unlink_if_exists("/usr/local/www/.htpasswd"); + + $matches=""; + if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile)))) + return false; + + /* Get crypted password */ + preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches); + $pass = $matches[1]; + $salt = $matches[2]; + + /* Encrypt entered password with salt + * And finally validate password + */ + if ($pass == crypt($passwd, $salt)) + return true; + else + return false; +} + +function radius_backed($username, $passwd){ + global $config, $debug; + $ret = false; + $radiusservers = $config['system']['radius']['servers']; + + $rauth = new Auth_RADIUS_PAP($username, $passwd); + foreach ($radiusservers as $radsrv) { + // Add a new server to our instance + $rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret']); + } + + if (!$rauth->start()) { + $retvalue['auth_val'] = 1; + $retvalue['error'] = $rauth->getError(); + if ($debug) + printf("Radius start: %s<br>\n", $retvalue['error']); + } + + // XXX - billm - somewhere in here we need to handle securid challenge/response + + // Send request + $result = $rauth->send(); + if (PEAR::isError($result)) { + $retvalue['auth_val'] = 1; + $retvalue['error'] = $result->getMessage(); + if ($debug) + printf("Radius send failed: %s<br>\n", $retvalue['error']); + } else if ($result === true) { + $retvalue['auth_val'] = 2; + if ($debug) + printf (gettext("Radius Auth succeeded") . "<br>\n"); + $ret = true; + } else { + $retvalue['auth_val'] = 3; + if ($debug) + printf (gettext("Radius Auth rejected") . "<br>\n"); + } + // close OO RADIUS_AUTHENTICATION + $rauth->close(); + + return $ret; +} + + +function index_groups() { + global $g, $config, $groupindex; + + $groupindex = array(); + + if (isset($config['system']['group'])) { + $i = 0; + foreach($config['system']['group'] as $groupent) { + $groupindex[$groupent['name']] = $i; + $i++; + } + } + return ($groupindex); +} + +function index_users() { + global $g, $config; + + if (isset($config['system']['user'])) { + $i = 0; + foreach($config['system']['user'] as $userent) { + $userindex[$userent['name']] = $i; + $i++; + } + } + return ($userindex); } -?>
\ No newline at end of file +?> diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc new file mode 100644 index 0000000..2d7975a --- /dev/null +++ b/etc/inc/authgui.inc @@ -0,0 +1,306 @@ +<?php +/* $Id$ */ +/* + Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com> + All rights reserved. + + Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>. + All rights reserved. + + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +include_once("auth.inc"); +require_once("functions.inc"); +/* TODO: Needs testing... require_once("pages.inc"); */ + +/* We only support htpasswd backed HTTP Basic auth right now + * backing methods + * passwd_backed - this will use the system passwd file in /etc + * radius_backed - this will allow you to use a radius server + * htpasswd_backed - this uses the "standard" .htpasswd file + * pam_backed - this uses the system's PAM facility .htpasswd file + */ +//$auth_method="basic_auth"; +$auth_method="session_auth"; +$backing_method="htpasswd_backed"; + +/* Authenticate user - exit if failed (we should have a callback for this maybe) */ +if (!$auth_method($backing_method)) { exit; } + +/* scriptname is set in headjs.php if the user did try to access a page other + * than index.php without beeing logged in. + */ +if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { + pfSenseHeader("{$_POST['scriptname']}"); + exit; +} + +/* TODO: Needs testing +if ($_SESSION) { + if (isset($_SESSION['Pages'])) { + $pfPages = getPageObjectFromSession(); + } else { + $pfPages = getPageObject($HTTP_SERVER_VARS['AUTH_USER']); + $pages =& $pfPages->getPages(); + $pages_index =& $pfPages->getPagesIndex(); + $allowed_pages_index =& $pfPages->getAllowedPagesIndex(); + + $_SESSION['Pages'] = serialize($pages); + $_SESSION['Pages_Index'] = serialize($pages_index); + $_SESSION['Allowed_Pages_Index'] = serialize($allowed_pages_index); + } +} else { + $pfPages = getPageObject($HTTP_SERVER_VARS['AUTH_USER']); +} +*/ + +// Once here, the user has authenticated with the web server. +// Now, we give them access only to the appropriate pages for their group. +if (!(isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))) { + $allowed[] = ''; + if (isset($config['system']['group'][$groupindex[$config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname']]]['pages'][0])) { + $allowed = &$config['system']['group'][$groupindex[$config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname']]]['pages']; + } + + $group = $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname']; + /* get the group homepage, to be able to forward + * the user to this particular PHP page. + */ + getGroupHomePage($group) == "" ? $home = "/index.php" : $home = "/" . getGroupHomePage($group); + + /* okay but if the user realy tries to explicitely access a particular + * page, set $home to that page instead. + */ + if (isset($_POST['scriptname']) && $_POST['scriptname'] <> "/" && $_POST['scriptname'] <> "/index.php") + $home = basename($_POST['scriptname']); + + // If the user is attempting to hit the default page, set it to specifically look for /index.php. + // Without this, any user would have access to the index page. + //if ($_SERVER['SCRIPT_NAME'] == '/') + // $_SERVER['SCRIPT_NAME'] = $home; + + // Strip the leading / from the currently requested PHP page + if (!in_array(basename($_SERVER['SCRIPT_NAME']),$allowed) && !in_array("ANY", $allowed)) { + // The currently logged in user is not allowed to access the page + // they are attempting to go to. Redirect them to an allowed page. + + if(stristr($_SERVER['SCRIPT_NAME'],"sajax")) { + echo "||Access to AJAX has been disallowed for this user."; + exit; + } + + if ($home <> "" && (in_array($home, $allowed) || in_array("ANY", $allowed))) { + pfSenseHeader("{$home}"); + exit; + } else { + header("HTTP/1.0 401 Unauthorized"); + header("Status: 401 Unauthorized"); + + echo display_error_form("401", "401 Unauthorized. Authorization required."); + exit; + } + } + + if (isset($_SESSION['Logged_In'])) { + /* + * only forward if the user has just logged in + * TODO: session auth based - may be an issue. + */ + if ($_SERVER['SCRIPT_NAME'] <> $home && empty($_SESSION['First_Visit'])) { + $_SESSION['First_Visit'] = "False"; + pfSenseHeader("{$home}"); + exit; + } + } +} + +function display_error_form($http_code, $desc) { + global $config, $g; + $g['theme'] = $config['theme']; + + $htmlstr = <<<EOD +<html> + <head> + <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script> + <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> + <title>An error occurred: {$http_code}</title> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> + <link rel="shortcut icon" href="/themes/{$g['theme']}/images/icons/favicon.ico" /> + <link rel="stylesheet" type="text/css" href="/themes/{$g['theme']}/all.css" media="all" /> + <style type="text/css"> + #errordesc { + background: #cccccc; + border: 0px solid #666666; + margin: 5em auto; + padding: 0em; + width: 340px; + } + #errordesc h1 { + background: url(/themes/{$g['theme']}/images/misc/logon.png) no-repeat top left; + margin-top: 0; + display: block; + text-indent: -1000px; + height: 50px; + border-bottom: none; + } + + #login p { + font-size: 1em; + font-weight: bold; + padding: 3px; + margin: 0em; + text-indent: 10px; + } + + #login span { + font-size: 1em; + font-weight: bold; + width: 20%; + padding: 3px; + margin: 0em; + text-indent: 10px; + } + + #login p#text { + font-size: 1em; + font-weight: normal; + padding: 3px; + margin: 0em; + text-indent: 10px; + } + </style> + + <script type="text/javascript"> + <!-- + function page_load() { + NiftyCheck(); + Rounded("div#errordesc","bl br","#333","#cccccc","smooth"); + Effect.Pulsate('errortext', { duration: 10 }); + } + <?php + require("headjs.php"); + echo getHeadJS(); + ?> + //--> + </script> + <script type="text/javascript" src="/themes/{$g['theme']}/javascript/niftyjsCode.js"></script> + </head> + <body onload="page_load();"> + <div id="errordesc"> + <h1> </h1> + <p id="errortext" style="vertical-align: middle; text-align: center;"><span style="color: #000000; font-weight: bold;">{$desc}</span></p> + </div> + </body> +</html> + +EOD; + + return $htmlstr; +} + +function display_login_form() { + require_once("globals.inc"); + global $config, $g; + $g['theme'] = $config['theme']; + + unset($input_errors); + + if(isAjax()) { + if (isset($_POST['login'])) { + if($_SESSION['Logged_In'] <> "True") { + isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = "unknown reason"; + echo "showajaxmessage('Invalid login ({$login_error}).');"; + } + if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) { + // TODO: add the IP from the user who did lock the device + $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock"); + echo "showajaxmessage('This device is currently beeing maintained by: {$whom}.');"; + } + } + exit; + } + +?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> + <head> + <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script> + <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> + <title><?=gettext("Login"); ?></title> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> + <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" /> + <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" /> + <script type="text/javascript"> + <!-- + function page_load() { + NiftyCheck(); + Rounded("div#login","bl br","#333","#cccccc","smooth"); + document.login_iform.usernamefld.focus(); + } + function clearError() { + if($('inputerrors')) + $('inputerrors').innerHTML=''; + } + <?php + require("headjs.php"); + echo getHeadJS(); + ?> + //--> + </script> + <script type="text/javascript" src="/themes/<?= $g['theme'] ?>/javascript/niftyjsCode.js"></script> + </head> + <body onload="page_load()"> + <div id="login"> + <h1> </h1> + <form id="iform" name="login_iform" method="post" autocomplete="off" action="<?= $_SERVER['SCRIPT_NAME'] ?>"> + <div id="inputerrors"></div> + <p> + <span style="text-align: left;"> + <?=gettext("Username"); ?>: + </span> + <input onclick="clearError();" onchange="clearError();" id="usernamefld" type="text" name="usernamefld" class="formfld user" tabindex="1" /> + </p> + <p> + <span style="text-align: left;"> + <?=gettext("Password"); ?>: + </span> + <input onclick="clearError();" onchange="clearError();" id="passwordfld" type="password" name="passwordfld" class="formfld pwd" tabindex="2" /> + </p> + <table width="90%" style="margin-right: auto; margin-left: auto;"> + <tr> + <td valign="middle" align="right" style="font-style: italic;"><br /><?=gettext("Enter username and password to login."); ?></td> + <td valign="middle" align="left"><input type="submit" id="submit" name="login" class="formbtn" value="<?=gettext("Login"); ?>" tabindex="3" /></td> + </tr> + </table> + </form> + </div> + </body> +</html> +<?php +} // end function + +?> diff --git a/etc/inc/config.inc b/etc/inc/config.inc index f4af73c..abedcf3 100644 --- a/etc/inc/config.inc +++ b/etc/inc/config.inc @@ -955,6 +955,57 @@ function convert_config() { $config['version'] = "2.9"; } + /* Convert 2.9 -> 3.0 */ + if ($config['version'] <= 2.9) { + $config['system']['webgui']['auth_method'] = "session"; + $config['system']['webgui']['backing_method'] = "htpasswd"; + + if (isset ($config['system']['username'])) { + $config['system']['group'] = array(); + $config['system']['group'][0]['name'] = "admins"; + $config['system']['group'][0]['description'] = "System Administrators"; + $config['system']['group'][0]['scope'] = "system"; + $config['system']['group'][0]['pages'] = "ANY"; + $config['system']['group'][0]['home'] = "index.php"; + $config['system']['group'][0]['gid'] = "110"; + + $config['system']['user'] = array(); + $config['system']['user'][0]['name'] = "{$config['system']['username']}"; + $config['system']['user'][0]['fullname'] = "System Administrator"; + $config['system']['user'][0]['scope'] = "system"; + $config['system']['user'][0]['groupname'] = "admins"; + $config['system']['user'][0]['password'] = "{$config['system']['password']}"; + $config['system']['user'][0]['uid'] = "0"; + + $config['system']['user'][0]['priv'] = array(); + $config['system']['user'][0]['priv'][0]['id'] = "lockwc"; + $config['system']['user'][0]['priv'][0]['name'] = "Lock webConfigurator"; + $config['system']['user'][0]['priv'][0]['descr'] = "Indicates whether this user will lock access to the webConfigurator for other users."; + $config['system']['user'][0]['priv'][1]['id'] = "lock-ipages"; + $config['system']['user'][0]['priv'][1]['name'] = "Lock individual pages"; + $config['system']['user'][0]['priv'][1]['decr'] = "Indicates whether this user will lock individual HTML pages after having accessed a particular page (the lock will be freed if the user leaves or saves the page form)."; + $config['system']['user'][0]['priv'][2]['id'] = "hasshell"; + $config['system']['user'][0]['priv'][2]['name'] = "Has shell access"; + $config['system']['user'][0]['priv'][2]['descr'] = "Indicates whether this user is able to login for example via SSH."; + $config['system']['user'][0]['priv'][3]['id'] = "copyfiles"; + $config['system']['user'][0]['priv'][3]['name'] = "Is allowed to copy files"; + $config['system']['user'][0]['priv'][3]['descr'] = "Indicates whether this user is allowed to copy files onto the {$g['product_name']} appliance via SCP/SFTP. If you are going to use this privilege, you must install scponly on the appliance (Hint: pkg_add -r scponly)."; + $config['system']['user'][0]['priv'][4]['id'] = "isroot"; + $config['system']['user'][0]['priv'][4]['name'] = "Is root user"; + $config['system']['user'][0]['priv'][4]['descr'] = "This user is associated with the UNIX root user (you should associate this privilege only with one single user)."; + + $config['system']['nextuid'] = "111"; + $config['system']['nextgid'] = "111"; + + /* wipe previous auth configuration */ + unset ($config['system']['username']); + unset ($config['system']['password']); + } + + $config['version'] = "3.0"; + } + + if ($prev_version != $config['version']) write_config("Upgraded config version level from {$prev_version} to {$config['version']}"); } @@ -1758,4 +1809,4 @@ function set_device_perms() { if($g['booting']) echo "."; $config = parse_config(); -?>
\ No newline at end of file +?> diff --git a/etc/inc/functions.inc b/etc/inc/functions.inc index 77a08cb..7fdbcbf 100644 --- a/etc/inc/functions.inc +++ b/etc/inc/functions.inc @@ -46,6 +46,7 @@ if(!function_exists("pfSenseHeader")) { /* END compatibility goo with HEAD */ /* include all configuration functions */ +require_once("auth.inc"); require_once("captiveportal.inc"); require_once("filter.inc"); require_once("interfaces.inc"); @@ -57,4 +58,4 @@ require_once("util.inc"); require_once("vpn.inc"); require_once("vslb.inc"); -?>
\ No newline at end of file +?> diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc index 69bf973..00063eb 100644 --- a/etc/inc/globals.inc +++ b/etc/inc/globals.inc @@ -47,13 +47,14 @@ $g = array( "cf_conf_path" => "/cf/conf", "www_path" => "/usr/local/www", "xml_rootobj" => "pfsense", + "admin_group" => "admins", "pppoe_interface" => "ng0", "n_pptp_units" => 16, /* this value can be overriden in pptp->n_pptp_units */ "pptp_subnet" => 28, /* this value can be overriden in pptp->pptp_subnet */ "n_pppoe_units" => 16, /* this value can be overriden in pppoe->n_pppoe_units */ "pppoe_subnet" => 28, /* this value can be overriden in pppoe->pppoe_subnet */ "debug" => false, - "latest_config" => "2.9", + "latest_config" => "3.0", "nopkg_platforms" => array("cdrom"), "nopccard_platforms" => array("wrap", "net48xx"), "xmlrpcbaseurl" => "www.pfsense.com", @@ -73,4 +74,4 @@ $iptos = array("lowdelay", "throughput", "reliability"); /* TCP flags */ $tcpflags = array("syn", "ack", "fin", "rst", "psh", "urg"); -?>
\ No newline at end of file +?> diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 2d7d27b..ca0a7aa 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2293,26 +2293,38 @@ function reload_interfaces() { * none ******/ function sync_webgui_passwords() { - global $config, $g; + global $config, $g, $groupindex, $userindex; + conf_mount_rw(); $fd = fopen("{$g['varrun_path']}/htpasswd", "w"); + if (!$fd) { - printf("Error: cannot open htpasswd in system_password_configure().\n"); + log_error("Error: cannot open htpasswd in sync_webgui_passwords().\n"); return 1; } - /* set admin account */ - $username = $config['system']['username']; - /* set defined user account */ - if($username <> "admin") { - $username = $config['system']['username']; - fwrite($fd, $username . ":" . $config['system']['password'] . "\n"); - } else { - fwrite($fd, $username . ":" . $config['system']['password'] . "\n"); + /* loop through custom users and add "virtual" entries */ + if ($config['system']['user']) { + foreach ($config['system']['user'] as $user) + fwrite($fd, "{$user['name']}:{$user['password']}\n"); } + fclose($fd); chmod("{$g['varrun_path']}/htpasswd", 0600); - $crypted_pw = $config['system']['password']; + + if ($config['system']['user']) { + $root =& getUNIXRoot(); + $crypted_pw = $root['password']; + } + + if (empty ($crypted_pw)) { + log_error("Error: cannot determine root pwd in sync_webgui_passwords().\nRoot user struct follows:\n"); + empty($root) ? log_error("Unable to determine root user!\n") : print_r($root); + log_error("Testing whether your system has the necessary users... "); + empty($config['system']['user']) ? log_error("users are missing.\n") : log_error("users found.\n"); + return 1; + } + mwexec("/usr/sbin/pwd_mkdb -d /etc -p /etc/master.passwd"); mwexec("/usr/sbin/pwd_mkdb -p /etc/master.passwd"); /* sync root */ @@ -2320,16 +2332,79 @@ function sync_webgui_passwords() { fwrite($fd, $crypted_pw); pclose($fd); mwexec("/usr/sbin/pw usermod -n root -s /bin/sh"); - /* sync admin */ - $fd = popen("/usr/sbin/pw usermod -n admin -H 0", "w"); - fwrite($fd, $crypted_pw); - pclose($fd); - mwexec("/usr/sbin/pw usermod -n admin -s /etc/rc.initial"); + + /* and again for shell users */ + /* only users with hasShellAccess() == true should be synced */ + if($config['system']['user']) { + $home_base = $g['platform'] == "pfSense" ? "/home" : "/var/home"; + + if(! is_dir($home_base)) + mkdir($home_base, 0755); + + foreach($config['system']['user'] as $user) { + if (hasShellAccess($user['name']) || isAllowedToCopyFiles($user['name'])) { + $home = hasShellAccess($user['name']) ? "{$home_base}/{$user['name']}" : "{$home_base}/scponly"; + $shell = isAllowedToCopyFiles($user['name']) ? "/usr/local/bin/scponly" : "/etc/rc.initial"; + if (isAllowedToCopyFiles($user['name'])) + $user['groupname'] = "scponly"; + + $fd = popen("/usr/sbin/pw groupshow -n {$user['groupname']} 2>&1", "r"); + $pwread = fgets($fd, 4096); + pclose($fd); + + if (strpos($pwread, "unknown group") !== false) { + $groupname = $user['groupname']; + $group = $config['system']['group'][$groupindex[$groupname]]; + + if (isset($group) && is_array($group)) { + $fd = popen("/usr/sbin/pw groupadd -g {$group['gid']} -n {$group['name']}", "r"); + pclose($fd); + } elseif (isAllowedToCopyFiles($user['name'])) { + $fd = popen("/usr/sbin/pw groupadd -g 100 -n scponly", "r"); + pclose($fd); + } + } + + $fd = popen("/usr/sbin/pw usershow -n {$user['name']} 2>&1", "r"); + $pwread = fgets($fd, 4096); + pclose($fd); + + isSystemAdmin($user['name']) ? $group = "wheel" : $group = "staff"; + + if (strpos($pwread, "no such user") === false) { + $fd = popen("/usr/sbin/pw usermod -n {$user['name']} -g ${user['groupname']} -G {$group} -H 0", "w"); + fwrite($fd, $user['password']); + pclose($fd); + } else { + $fd = popen("/usr/sbin/pw useradd -u {$user['uid']} -n {$user['name']} -c '{$user['fullname']}' -g ${user['groupname']} -G {$group} -H 0", "w"); + fwrite($fd, $user['password']); + pclose($fd); + } + + /* common user related operations */ + mwexec("/usr/sbin/pw usermod -n {$user['name']} -s {$shell}"); + + if(! is_dir($home)) mkdir($home, 0755); + mwexec("/usr/sbin/pw usermod -n {$user['name']} -d {$home} -m"); + + if (isAllowedToCopyFiles($user['name'])) { + mwexec("/usr/sbin/pw usermod -n {$user['name']} -g scponly"); + } + + if (file_exists("{$home_base}/scponly")) + mwexec("chmod 0660 {$home_base}/scponly"); + + if(isset($config['system']['ssh']['sshdkeyonly']) && ! isAllowedToCopyFiles($user['name'])) { + create_authorized_keys($user['name'], $home); + } + } + } + } + mwexec("/usr/sbin/pwd_mkdb -d /etc -p /etc/master.passwd"); mwexec("/usr/sbin/pwd_mkdb -p /etc/master.passwd"); conf_mount_ro(); } - /****f* pfsense-utils/cleanup_opt_interfaces_after_removal * NAME * cleanup_opt_interfaces_after_removal - renumber interfaces after removing @@ -3291,4 +3366,17 @@ function interface_has_gateway($friendly) { } } +/****f* pfsense-utils/isAjax + * NAME + * isAjax - reports if the request is driven from prototype + * INPUTS + * none + * RESULT + * true/false + ******/ +function isAjax() { + return isset ($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'; +} + + ?> |