authorRenato Botelho <renato@netgate.com>2017-01-11 09:46:41 -0200
committerRenato Botelho <renato@netgate.com>2017-01-11 09:46:41 -0200
commit913a04ae2d1f66417a8a9c9e2c7d58f51f4a6898 (patch)
tree2b538951d09bd51fa8199149908e455ef6961694 /src/usr/local/www
parentb38e0fbdb0de562efef1733e4843d3660827e3f7 (diff)
parent753280bb6c75fb3aa5a1fcc2ef65640faa78340d (diff)
Merge pull request #3341 from phil-davis/sysprvwarn2
Diffstat (limited to 'src/usr/local/www')
-rw-r--r--src/usr/local/www/diag_backup.php1
-rwxr-xr-xsrc/usr/local/www/diag_command.php1
-rw-r--r--src/usr/local/www/diag_defaults.php1
-rw-r--r--src/usr/local/www/diag_edit.php1
-rw-r--r--src/usr/local/www/system_authservers.php1
-rw-r--r--src/usr/local/www/system_groupmanager.php21
-rw-r--r--src/usr/local/www/system_groupmanager_addprivs.php34
-rw-r--r--src/usr/local/www/system_usermanager.php20
-rw-r--r--src/usr/local/www/system_usermanager_addprivs.php34
-rw-r--r--src/usr/local/www/system_usermanager_settings.php1
10 files changed, 111 insertions, 4 deletions
diff --git a/src/usr/local/www/diag_backup.php b/src/usr/local/www/diag_backup.php
index bd3de22..a2a9f70 100644
--- a/src/usr/local/www/diag_backup.php
+++ b/src/usr/local/www/diag_backup.php
@@ -27,6 +27,7 @@
##|*IDENT=page-diagnostics-backup-restore
##|*NAME=Diagnostics: Backup & Restore
##|*DESCR=Allow access to the 'Diagnostics: Backup & Restore' page.
+##|*WARN=standard-warning-root
##|*MATCH=diag_backup.php*
##|-PRIV
diff --git a/src/usr/local/www/diag_command.php b/src/usr/local/www/diag_command.php
index 30f069c..4c32495 100755
--- a/src/usr/local/www/diag_command.php
+++ b/src/usr/local/www/diag_command.php
@@ -31,6 +31,7 @@
##|*IDENT=page-diagnostics-command
##|*NAME=Diagnostics: Command
##|*DESCR=Allow access to the 'Diagnostics: Command' page.
+##|*WARN=standard-warning-root
##|*MATCH=diag_command.php*
##|-PRIV
diff --git a/src/usr/local/www/diag_defaults.php b/src/usr/local/www/diag_defaults.php
index 8c1ee6f..fc61e34 100644
--- a/src/usr/local/www/diag_defaults.php
+++ b/src/usr/local/www/diag_defaults.php
@@ -27,6 +27,7 @@
##|*IDENT=page-diagnostics-factorydefaults
##|*NAME=Diagnostics: Factory defaults
##|*DESCR=Allow access to the 'Diagnostics: Factory defaults' page.
+##|*WARN=standard-warning-root
##|*MATCH=diag_defaults.php*
##|-PRIV
diff --git a/src/usr/local/www/diag_edit.php b/src/usr/local/www/diag_edit.php
index 10964ea..24dedd7 100644
--- a/src/usr/local/www/diag_edit.php
+++ b/src/usr/local/www/diag_edit.php
@@ -23,6 +23,7 @@
##|*IDENT=page-diagnostics-edit
##|*NAME=Diagnostics: Edit File
##|*DESCR=Allow access to the 'Diagnostics: Edit File' page.
+##|*WARN=standard-warning-root
##|*MATCH=diag_edit.php*
##|*MATCH=browser.php*
##|*MATCH=vendor/filebrowser/browser.php*
diff --git a/src/usr/local/www/system_authservers.php b/src/usr/local/www/system_authservers.php
index 93f0c11..86f96e8 100644
--- a/src/usr/local/www/system_authservers.php
+++ b/src/usr/local/www/system_authservers.php
@@ -24,6 +24,7 @@
##|*IDENT=page-system-authservers
##|*NAME=System: Authentication Servers
##|*DESCR=Allow access to the 'System: Authentication Servers' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_authservers.php*
##|-PRIV
diff --git a/src/usr/local/www/system_groupmanager.php b/src/usr/local/www/system_groupmanager.php
index 2a4da45..c36b193 100644
--- a/src/usr/local/www/system_groupmanager.php
+++ b/src/usr/local/www/system_groupmanager.php
@@ -29,6 +29,7 @@
##|*IDENT=page-system-groupmanager
##|*NAME=System: Group Manager
##|*DESCR=Allow access to the 'System: Group Manager' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_groupmanager.php*
##|-PRIV
@@ -234,15 +235,33 @@ function build_priv_table() {
$privhtml .= '</thead>';
$privhtml .= '<tbody>';
+ $user_has_root_priv = false;
+
foreach (get_user_privdesc($a_group[$id]) as $i => $priv) {
$privhtml .= '<tr>';
$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
- $privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>';
+ $privhtml .= '<td>' . htmlspecialchars($priv['descr']);
+ if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) {
+ $privhtml .= ' ' . gettext('(admin privilege)');
+ $user_has_root_priv = true;
+ }
+ $privhtml .= '</td>';
$privhtml .= '<td><a class="fa fa-trash" title="' . gettext('Delete Privilege') . '" href="system_groupmanager.php?act=delpriv&amp;groupid=' . $id . '&amp;privid=' . $i . '"></a></td>';
$privhtml .= '</tr>';
}
+ if ($user_has_root_priv) {
+ $privhtml .= '<tr>';
+ $privhtml .= '<td colspan="2">';
+ $privhtml .= '<b>' . gettext('Security notice: Users in this group effectively have administrator-level access') . '</b>';
+ $privhtml .= '</td>';
+ $privhtml .= '<td>';
+ $privhtml .= '</td>';
+ $privhtml .= '</tr>';
+
+ }
+
$privhtml .= '</tbody>';
$privhtml .= '</table>';
$privhtml .= '</div>';
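Review bot: The check `isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')` uses a loose comparison against a magic string that this commit repeats in every file it touches. The value should be compared with `===` and defined in one shared place, so that a later rename cannot leave one page without its warning. In this file the flag is named `$user_has_root_priv` although it describes a group; `$group_has_root_priv` would read correctly. The same comparison appears in the system_usermanager.php hunks for build_priv_table, and in both files the function starts and ends outside the hunks shown.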
diff --git a/src/usr/local/www/system_groupmanager_addprivs.php b/src/usr/local/www/system_groupmanager_addprivs.php
index 5c25e59..c165078 100644
--- a/src/usr/local/www/system_groupmanager_addprivs.php
+++ b/src/usr/local/www/system_groupmanager_addprivs.php
@@ -28,6 +28,7 @@
##|*IDENT=page-system-groupmanager-addprivs
##|*NAME=System: Group Manager: Add Privileges
##|*DESCR=Allow access to the 'System: Group Manager: Add Privileges' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_groupmanager_addprivs.php*
##|-PRIV
@@ -111,6 +112,20 @@ function build_priv_list() {
return($list);
}
+function get_root_priv_item_text() {
+ global $priv_list;
+
+ $priv_text = "";
+
+ foreach ($priv_list as $pname => $pdata) {
+ if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) {
+ $priv_text .= '<br/>' . $pdata['name'];
+ }
+ }
+
+ return($priv_text);
+}
+
include("head.inc");
if ($input_errors) {
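Review bot: `get_root_priv_item_text()` appends `$pdata['name']` to an HTML fragment without encoding, although build_priv_table in system_groupmanager.php passes the same field through htmlspecialchars(). The fragment is later concatenated into the raw markup given to Form_StaticText, so it presumably reaches the page unescaped. Where `$priv_list` is populated is not visible here, and if any entry can come from outside the base system the name needs encoding: `$priv_text .= '<br/>' . htmlspecialchars($pdata['name']);`. The loop key `$pname` is unused and can be dropped. The identical function is added to system_usermanager_addprivs.php.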
@@ -161,6 +176,19 @@ $section->addInput(new Form_Input(
null
))->setHelp('Show only the choices containing this term');
+$section->addInput(new Form_StaticText(
+ gettext('Privilege information'),
+ '<span class="help-block">'.
+ gettext('The following privileges effectively give administrator-level access to users in the group' .
+ ' because the user gains access to execute general commands, edit system files, ' .
+ ' modify users, change passwords or similar:') .
+ '<br/>' .
+ get_root_priv_item_text() .
+ '<br/><br/>' .
+ gettext('Please take care when granting these privileges.') .
+ '</span>'
+));
+
$btnfilter = new Form_Button(
'btnfilter',
'Filter',
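Review bot: The message passed to gettext() picks up a doubled space where its concatenated pieces meet, at `'... edit system files, ' . ' modify users ...'`, and that becomes part of the msgid translators see. Dropping the leading space from the continuation literal fixes it. The system_usermanager_addprivs.php variant has the same problem in two places, after `administrator-level access ` and after `edit system files, `. A short comment above the Form_StaticText call noting that the second argument is raw HTML would also help the next editor keep everything concatenated into it encoded.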
@@ -205,7 +233,11 @@ events.push(function() {
continue;
}
- $desc = addslashes(preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']));
+ $desc = preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']);
+ if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) {
+ $desc .= ' ' . gettext('(This privilege effectively gives administrator-level access to users in the group)');
+ }
+ $desc = addslashes($desc);
$jdescs .= "descs[{$id}] = '{$desc}';\n";
$id++;
}
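Review bot: addslashes() is not a JavaScript string encoder, and the new code now sends translated gettext() text through it along with the privilege description before building `descs[{$id}] = '{$desc}';`. It leaves line breaks and a literal `</script>` untouched, so a description or translation containing either would break what appears to be an inline script block. Encoding for the script context with `$desc = json_encode($desc, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);` and emitting `$jdescs .= "descs[{$id}] = {$desc};\n";` avoids that. How `descs` is later written into the page is outside the hunk and should be checked for HTML encoding as well. The same lines are changed in system_usermanager_addprivs.php.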
diff --git a/src/usr/local/www/system_usermanager.php b/src/usr/local/www/system_usermanager.php
index fca8657..c52c035 100644
--- a/src/usr/local/www/system_usermanager.php
+++ b/src/usr/local/www/system_usermanager.php
@@ -29,6 +29,7 @@
##|*IDENT=page-system-usermanager
##|*NAME=System: User Manager
##|*DESCR=Allow access to the 'System: User Manager' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_usermanager.php*
##|-PRIV
@@ -443,6 +444,7 @@ function build_priv_table() {
$privhtml .= '<tbody>';
$i = 0;
+ $user_has_root_priv = false;
foreach (get_user_privdesc($a_user[$id]) as $priv) {
$group = false;
@@ -453,7 +455,12 @@ function build_priv_table() {
$privhtml .= '<tr>';
$privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>';
$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
- $privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>';
+ $privhtml .= '<td>' . htmlspecialchars($priv['descr']);
+ if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) {
+ $privhtml .= ' ' . gettext('(admin privilege)');
+ $user_has_root_priv = true;
+ }
+ $privhtml .= '</td>';
$privhtml .= '<td>';
if (!$group) {
$privhtml .= '<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
@@ -467,6 +474,17 @@ function build_priv_table() {
}
}
+ if ($user_has_root_priv) {
+ $privhtml .= '<tr>';
+ $privhtml .= '<td colspan="3">';
+ $privhtml .= '<b>' . gettext('Security notice: This user effectively has administrator-level access') . '</b>';
+ $privhtml .= '</td>';
+ $privhtml .= '<td>';
+ $privhtml .= '</td>';
+ $privhtml .= '</tr>';
+
+ }
+
$privhtml .= '</tbody>';
$privhtml .= '</table>';
$privhtml .= '</div>';
diff --git a/src/usr/local/www/system_usermanager_addprivs.php b/src/usr/local/www/system_usermanager_addprivs.php
index 3b2ec2e..8babcd5 100644
--- a/src/usr/local/www/system_usermanager_addprivs.php
+++ b/src/usr/local/www/system_usermanager_addprivs.php
@@ -24,6 +24,7 @@
##|*IDENT=page-system-usermanager-addprivs
##|*NAME=System: User Manager: Add Privileges
##|*DESCR=Allow access to the 'System: User Manager: Add Privileges' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_usermanager_addprivs.php*
##|-PRIV
@@ -109,6 +110,20 @@ function build_priv_list() {
return($list);
}
+function get_root_priv_item_text() {
+ global $priv_list;
+
+ $priv_text = "";
+
+ foreach ($priv_list as $pname => $pdata) {
+ if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) {
+ $priv_text .= '<br/>' . $pdata['name'];
+ }
+ }
+
+ return($priv_text);
+}
+
include("head.inc");
if ($input_errors) {
@@ -151,6 +166,19 @@ $section->addInput(new Form_Input(
null
))->setHelp('Show only the choices containing this term');
+$section->addInput(new Form_StaticText(
+ gettext('Privilege information'),
+ '<span class="help-block">'.
+ gettext('The following privileges effectively give the user administrator-level access ' .
+ ' because the user gains access to execute general commands, edit system files, ' .
+ ' modify users, change passwords or similar:') .
+ '<br/>' .
+ get_root_priv_item_text() .
+ '<br/><br/>' .
+ gettext('Please take care when granting these privileges.') .
+ '</span>'
+));
+
$btnfilter = new Form_Button(
'btnfilter',
'Filter',
@@ -205,7 +233,11 @@ events.push(function() {
if (in_array($pname, $a_user['priv'])) {
continue;
}
- $desc = addslashes(preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']));
+ $desc = preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']);
+ if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) {
+ $desc .= ' ' . gettext('(This privilege effectively gives administrator-level access to the user)');
+ }
+ $desc = addslashes($desc);
$jdescs .= "descs[{$id}] = '{$desc}';\n";
$id++;
}
diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php
index 4418f4f..501070d 100644
--- a/src/usr/local/www/system_usermanager_settings.php
+++ b/src/usr/local/www/system_usermanager_settings.php
@@ -24,6 +24,7 @@
##|*IDENT=page-system-usermanager-settings
##|*NAME=System: User Manager: Settings
##|*DESCR=Allow access to the 'System: User Manager: Settings' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_usermanager_settings.php*
##|-PRIV