diff options
author | Phil Davis <phil.davis@inf.org> | 2017-01-02 17:45:37 +0545 |
---|---|---|
committer | Phil Davis <phil.davis@inf.org> | 2017-01-02 17:45:37 +0545 |
commit | 57188e4752b9606c54cd49f4d8f96ec0fc38f8f3 (patch) | |
tree | c035bdc261d27847a7dd4667f7a3d83ff8a2fe18 /src | |
parent | 8db81fbcaa33012cb4fa573312a8f72ed3660dd1 (diff) | |
download | pfsense-57188e4752b9606c54cd49f4d8f96ec0fc38f8f3.zip pfsense-57188e4752b9606c54cd49f4d8f96ec0fc38f8f3.tar.gz |
Add security notes for privilege assignment pages
Suggested solution for Redmine 2247
Diffstat (limited to 'src')
-rw-r--r-- | src/etc/inc/priv.defs.inc | 11 | ||||
-rw-r--r-- | src/etc/inc/priv/user.priv.inc | 2 | ||||
-rw-r--r-- | src/usr/local/www/diag_backup.php | 1 | ||||
-rwxr-xr-x | src/usr/local/www/diag_command.php | 1 | ||||
-rw-r--r-- | src/usr/local/www/diag_defaults.php | 1 | ||||
-rw-r--r-- | src/usr/local/www/diag_edit.php | 1 | ||||
-rw-r--r-- | src/usr/local/www/system_authservers.php | 1 | ||||
-rw-r--r-- | src/usr/local/www/system_groupmanager.php | 21 | ||||
-rw-r--r-- | src/usr/local/www/system_groupmanager_addprivs.php | 34 | ||||
-rw-r--r-- | src/usr/local/www/system_usermanager.php | 20 | ||||
-rw-r--r-- | src/usr/local/www/system_usermanager_addprivs.php | 34 | ||||
-rw-r--r-- | src/usr/local/www/system_usermanager_settings.php | 1 |
12 files changed, 124 insertions, 4 deletions
diff --git a/src/etc/inc/priv.defs.inc b/src/etc/inc/priv.defs.inc index b1d0be1..349b6bb 100644 --- a/src/etc/inc/priv.defs.inc +++ b/src/etc/inc/priv.defs.inc @@ -16,6 +16,7 @@ $priv_list = array(); $priv_list['page-all'] = array(); $priv_list['page-all']['name'] = gettext("WebCfg - All pages"); $priv_list['page-all']['descr'] = gettext("Allow access to all pages"); +$priv_list['page-all']['warn'] = "standard-warning-root"; $priv_list['page-all']['match'] = array(); $priv_list['page-all']['match'][] = "*"; @@ -40,12 +41,14 @@ $priv_list['page-diagnostics-authentication']['match'][] = "diag_authentication. $priv_list['page-diagnostics-backup-restore'] = array(); $priv_list['page-diagnostics-backup-restore']['name'] = gettext("WebCfg - Diagnostics: Backup & Restore"); $priv_list['page-diagnostics-backup-restore']['descr'] = gettext("Allow access to the 'Diagnostics: Backup & Restore' page."); +$priv_list['page-diagnostics-backup-restore']['warn'] = "standard-warning-root"; $priv_list['page-diagnostics-backup-restore']['match'] = array(); $priv_list['page-diagnostics-backup-restore']['match'][] = "diag_backup.php*"; $priv_list['page-diagnostics-command'] = array(); $priv_list['page-diagnostics-command']['name'] = gettext("WebCfg - Diagnostics: Command"); $priv_list['page-diagnostics-command']['descr'] = gettext("Allow access to the 'Diagnostics: Command' page."); +$priv_list['page-diagnostics-command']['warn'] = "standard-warning-root"; $priv_list['page-diagnostics-command']['match'] = array(); $priv_list['page-diagnostics-command']['match'][] = "diag_command.php*"; @@ -58,6 +61,7 @@ $priv_list['page-diagnostics-configurationhistory']['match'][] = "diag_confbak.p $priv_list['page-diagnostics-factorydefaults'] = array(); $priv_list['page-diagnostics-factorydefaults']['name'] = gettext("WebCfg - Diagnostics: Factory defaults"); $priv_list['page-diagnostics-factorydefaults']['descr'] = gettext("Allow access to the 'Diagnostics: Factory defaults' page."); +$priv_list['page-diagnostics-factorydefaults']['warn'] = "standard-warning-root"; $priv_list['page-diagnostics-factorydefaults']['match'] = array(); $priv_list['page-diagnostics-factorydefaults']['match'][] = "diag_defaults.php*"; @@ -82,6 +86,7 @@ $priv_list['page-diagnostics-sourcetracking']['match'][] = "diag_dump_states_sou $priv_list['page-diagnostics-edit'] = array(); $priv_list['page-diagnostics-edit']['name'] = gettext("WebCfg - Diagnostics: Edit File"); $priv_list['page-diagnostics-edit']['descr'] = gettext("Allow access to the 'Diagnostics: Edit File' page."); +$priv_list['page-diagnostics-edit']['warn'] = "standard-warning-root"; $priv_list['page-diagnostics-edit']['match'] = array(); $priv_list['page-diagnostics-edit']['match'][] = "diag_edit.php*"; $priv_list['page-diagnostics-edit']['match'][] = "browser.php*"; @@ -1078,6 +1083,7 @@ $priv_list['page-system-advanced-sysctl']['match'][] = "system_advanced_sysctl.p $priv_list['page-system-authservers'] = array(); $priv_list['page-system-authservers']['name'] = gettext("WebCfg - System: Authentication Servers"); $priv_list['page-system-authservers']['descr'] = gettext("Allow access to the 'System: Authentication Servers' page."); +$priv_list['page-system-authservers']['warn'] = "standard-warning-root"; $priv_list['page-system-authservers']['match'] = array(); $priv_list['page-system-authservers']['match'][] = "system_authservers.php*"; @@ -1126,12 +1132,14 @@ $priv_list['page-system-gateways-editgateway']['match'][] = "system_gateways_edi $priv_list['page-system-groupmanager'] = array(); $priv_list['page-system-groupmanager']['name'] = gettext("WebCfg - System: Group Manager"); $priv_list['page-system-groupmanager']['descr'] = gettext("Allow access to the 'System: Group Manager' page."); +$priv_list['page-system-groupmanager']['warn'] = "standard-warning-root"; $priv_list['page-system-groupmanager']['match'] = array(); $priv_list['page-system-groupmanager']['match'][] = "system_groupmanager.php*"; $priv_list['page-system-groupmanager-addprivs'] = array(); $priv_list['page-system-groupmanager-addprivs']['name'] = gettext("WebCfg - System: Group Manager: Add Privileges"); $priv_list['page-system-groupmanager-addprivs']['descr'] = gettext("Allow access to the 'System: Group Manager: Add Privileges' page."); +$priv_list['page-system-groupmanager-addprivs']['warn'] = "standard-warning-root"; $priv_list['page-system-groupmanager-addprivs']['match'] = array(); $priv_list['page-system-groupmanager-addprivs']['match'][] = "system_groupmanager_addprivs.php*"; @@ -1168,12 +1176,14 @@ $priv_list['page-system-user-settings']['match'][] = "system_user_settings.php*" $priv_list['page-system-usermanager'] = array(); $priv_list['page-system-usermanager']['name'] = gettext("WebCfg - System: User Manager"); $priv_list['page-system-usermanager']['descr'] = gettext("Allow access to the 'System: User Manager' page."); +$priv_list['page-system-usermanager']['warn'] = "standard-warning-root"; $priv_list['page-system-usermanager']['match'] = array(); $priv_list['page-system-usermanager']['match'][] = "system_usermanager.php*"; $priv_list['page-system-usermanager-addprivs'] = array(); $priv_list['page-system-usermanager-addprivs']['name'] = gettext("WebCfg - System: User Manager: Add Privileges"); $priv_list['page-system-usermanager-addprivs']['descr'] = gettext("Allow access to the 'System: User Manager: Add Privileges' page."); +$priv_list['page-system-usermanager-addprivs']['warn'] = "standard-warning-root"; $priv_list['page-system-usermanager-addprivs']['match'] = array(); $priv_list['page-system-usermanager-addprivs']['match'][] = "system_usermanager_addprivs.php*"; @@ -1186,6 +1196,7 @@ $priv_list['page-system-usermanager-passwordmg']['match'][] = "system_usermanage $priv_list['page-system-usermanager-settings'] = array(); $priv_list['page-system-usermanager-settings']['name'] = gettext("WebCfg - System: User Manager: Settings"); $priv_list['page-system-usermanager-settings']['descr'] = gettext("Allow access to the 'System: User Manager: Settings' page."); +$priv_list['page-system-usermanager-settings']['warn'] = "standard-warning-root"; $priv_list['page-system-usermanager-settings']['match'] = array(); $priv_list['page-system-usermanager-settings']['match'][] = "system_usermanager_settings.php*"; diff --git a/src/etc/inc/priv/user.priv.inc b/src/etc/inc/priv/user.priv.inc index ff4a40c..6b60116 100644 --- a/src/etc/inc/priv/user.priv.inc +++ b/src/etc/inc/priv/user.priv.inc @@ -49,10 +49,12 @@ $priv_list['user-view-clear-notices']['descr'] = gettext("This user can view and $priv_list['user-shell-access'] = array(); $priv_list['user-shell-access']['name'] = gettext("User - System: Shell account access"); $priv_list['user-shell-access']['descr'] = gettext("Indicates whether the user is able to login for example via SSH."); +$priv_list['user-shell-access']['warn'] = "standard-warning-root"; $priv_list['user-copy-files'] = array(); $priv_list['user-copy-files']['name'] = gettext("User - System: Copy files (scp)"); $priv_list['user-copy-files']['descr'] = gettext("Indicates whether this user is allowed to copy files onto the {$g['product_name']} appliance via SCP/SFTP."); +$priv_list['user-copy-files']['warn'] = "standard-warning-root"; $priv_list['user-copy-files-chroot'] = array(); $priv_list['user-copy-files-chroot']['name'] = gettext("User - System: Copy files to home directory (chrooted scp)"); diff --git a/src/usr/local/www/diag_backup.php b/src/usr/local/www/diag_backup.php index bd3de22..a2a9f70 100644 --- a/src/usr/local/www/diag_backup.php +++ b/src/usr/local/www/diag_backup.php @@ -27,6 +27,7 @@ ##|*IDENT=page-diagnostics-backup-restore ##|*NAME=Diagnostics: Backup & Restore ##|*DESCR=Allow access to the 'Diagnostics: Backup & Restore' page. +##|*WARN=standard-warning-root ##|*MATCH=diag_backup.php* ##|-PRIV diff --git a/src/usr/local/www/diag_command.php b/src/usr/local/www/diag_command.php index 30f069c..4c32495 100755 --- a/src/usr/local/www/diag_command.php +++ b/src/usr/local/www/diag_command.php @@ -31,6 +31,7 @@ ##|*IDENT=page-diagnostics-command ##|*NAME=Diagnostics: Command ##|*DESCR=Allow access to the 'Diagnostics: Command' page. +##|*WARN=standard-warning-root ##|*MATCH=diag_command.php* ##|-PRIV diff --git a/src/usr/local/www/diag_defaults.php b/src/usr/local/www/diag_defaults.php index 8c1ee6f..fc61e34 100644 --- a/src/usr/local/www/diag_defaults.php +++ b/src/usr/local/www/diag_defaults.php @@ -27,6 +27,7 @@ ##|*IDENT=page-diagnostics-factorydefaults ##|*NAME=Diagnostics: Factory defaults ##|*DESCR=Allow access to the 'Diagnostics: Factory defaults' page. +##|*WARN=standard-warning-root ##|*MATCH=diag_defaults.php* ##|-PRIV diff --git a/src/usr/local/www/diag_edit.php b/src/usr/local/www/diag_edit.php index 10964ea..24dedd7 100644 --- a/src/usr/local/www/diag_edit.php +++ b/src/usr/local/www/diag_edit.php @@ -23,6 +23,7 @@ ##|*IDENT=page-diagnostics-edit ##|*NAME=Diagnostics: Edit File ##|*DESCR=Allow access to the 'Diagnostics: Edit File' page. +##|*WARN=standard-warning-root ##|*MATCH=diag_edit.php* ##|*MATCH=browser.php* ##|*MATCH=vendor/filebrowser/browser.php* diff --git a/src/usr/local/www/system_authservers.php b/src/usr/local/www/system_authservers.php index 7b65c46..f21a7a9 100644 --- a/src/usr/local/www/system_authservers.php +++ b/src/usr/local/www/system_authservers.php @@ -24,6 +24,7 @@ ##|*IDENT=page-system-authservers ##|*NAME=System: Authentication Servers ##|*DESCR=Allow access to the 'System: Authentication Servers' page. +##|*WARN=standard-warning-root ##|*MATCH=system_authservers.php* ##|-PRIV diff --git a/src/usr/local/www/system_groupmanager.php b/src/usr/local/www/system_groupmanager.php index 2a4da45..c52bf71 100644 --- a/src/usr/local/www/system_groupmanager.php +++ b/src/usr/local/www/system_groupmanager.php @@ -29,6 +29,7 @@ ##|*IDENT=page-system-groupmanager ##|*NAME=System: Group Manager ##|*DESCR=Allow access to the 'System: Group Manager' page. +##|*WARN=standard-warning-root ##|*MATCH=system_groupmanager.php* ##|-PRIV @@ -234,15 +235,33 @@ function build_priv_table() { $privhtml .= '</thead>'; $privhtml .= '<tbody>'; + $user_has_root_priv = false; + foreach (get_user_privdesc($a_group[$id]) as $i => $priv) { $privhtml .= '<tr>'; $privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>'; - $privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>'; + $privhtml .= '<td>' . htmlspecialchars($priv['descr']); + if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) { + $privhtml .= ' ' . gettext('(root privilege)'); + $user_has_root_priv = true; + } + $privhtml .= '</td>'; $privhtml .= '<td><a class="fa fa-trash" title="' . gettext('Delete Privilege') . '" href="system_groupmanager.php?act=delpriv&groupid=' . $id . '&privid=' . $i . '"></a></td>'; $privhtml .= '</tr>'; } + if ($user_has_root_priv) { + $privhtml .= '<tr>'; + $privhtml .= '<td colspan="2">'; + $privhtml .= '<b>' . gettext('Security notice: Users in this group effectively have root privilege') . '</b>'; + $privhtml .= '</td>'; + $privhtml .= '<td>'; + $privhtml .= '</td>'; + $privhtml .= '</tr>'; + + } + $privhtml .= '</tbody>'; $privhtml .= '</table>'; $privhtml .= '</div>'; diff --git a/src/usr/local/www/system_groupmanager_addprivs.php b/src/usr/local/www/system_groupmanager_addprivs.php index ad07c1c..0947d97 100644 --- a/src/usr/local/www/system_groupmanager_addprivs.php +++ b/src/usr/local/www/system_groupmanager_addprivs.php @@ -28,6 +28,7 @@ ##|*IDENT=page-system-groupmanager-addprivs ##|*NAME=System: Group Manager: Add Privileges ##|*DESCR=Allow access to the 'System: Group Manager: Add Privileges' page. +##|*WARN=standard-warning-root ##|*MATCH=system_groupmanager_addprivs.php* ##|-PRIV @@ -117,6 +118,20 @@ function build_priv_list() { return($list); } +function get_root_priv_item_text() { + global $priv_list; + + $priv_text = ""; + + foreach ($priv_list as $pname => $pdata) { + if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) { + $priv_text .= '<br/>' . $pdata['name']; + } + } + + return($priv_text); +} + include("head.inc"); if ($input_errors) { @@ -171,6 +186,19 @@ $section->addInput(new Form_Input( null ))->setHelp('Show only the choices containing this term'); +$section->addInput(new Form_StaticText( + gettext('Privilege information'), + '<span class="help-block">'. + gettext('The following privileges effectively give root privilege to users in the group' . + ' because the user gains access to execute general commands, edit system files, ' . + ' modify users, change passwords or similar:') . + '<br/>' . + get_root_priv_item_text() . + '<br/><br/>' . + gettext('Please take care when granting these privileges.') . + '</span>' +)); + $btnfilter = new Form_Button( 'btnfilter', 'Filter', @@ -215,7 +243,11 @@ events.push(function() { continue; } - $desc = addslashes(preg_replace("/pfSense/i", $g['product_name'], $pdata['descr'])); + $desc = preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']); + if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) { + $desc .= ' ' . gettext('(This privilege effectively gives root privilege to users in the group)'); + } + $desc = addslashes($desc); $jdescs .= "descs[{$id}] = '{$desc}';\n"; $id++; } diff --git a/src/usr/local/www/system_usermanager.php b/src/usr/local/www/system_usermanager.php index fca8657..c4bca18 100644 --- a/src/usr/local/www/system_usermanager.php +++ b/src/usr/local/www/system_usermanager.php @@ -29,6 +29,7 @@ ##|*IDENT=page-system-usermanager ##|*NAME=System: User Manager ##|*DESCR=Allow access to the 'System: User Manager' page. +##|*WARN=standard-warning-root ##|*MATCH=system_usermanager.php* ##|-PRIV @@ -443,6 +444,7 @@ function build_priv_table() { $privhtml .= '<tbody>'; $i = 0; + $user_has_root_priv = false; foreach (get_user_privdesc($a_user[$id]) as $priv) { $group = false; @@ -453,7 +455,12 @@ function build_priv_table() { $privhtml .= '<tr>'; $privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>'; $privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>'; - $privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>'; + $privhtml .= '<td>' . htmlspecialchars($priv['descr']); + if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) { + $privhtml .= ' ' . gettext('(root privilege)'); + $user_has_root_priv = true; + } + $privhtml .= '</td>'; $privhtml .= '<td>'; if (!$group) { $privhtml .= '<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>'; @@ -467,6 +474,17 @@ function build_priv_table() { } } + if ($user_has_root_priv) { + $privhtml .= '<tr>'; + $privhtml .= '<td colspan="3">'; + $privhtml .= '<b>' . gettext('Security notice: This user effectively has root privilege') . '</b>'; + $privhtml .= '</td>'; + $privhtml .= '<td>'; + $privhtml .= '</td>'; + $privhtml .= '</tr>'; + + } + $privhtml .= '</tbody>'; $privhtml .= '</table>'; $privhtml .= '</div>'; diff --git a/src/usr/local/www/system_usermanager_addprivs.php b/src/usr/local/www/system_usermanager_addprivs.php index ee6d416..d5751e9 100644 --- a/src/usr/local/www/system_usermanager_addprivs.php +++ b/src/usr/local/www/system_usermanager_addprivs.php @@ -24,6 +24,7 @@ ##|*IDENT=page-system-usermanager-addprivs ##|*NAME=System: User Manager: Add Privileges ##|*DESCR=Allow access to the 'System: User Manager: Add Privileges' page. +##|*WARN=standard-warning-root ##|*MATCH=system_usermanager_addprivs.php* ##|-PRIV @@ -110,6 +111,20 @@ function build_priv_list() { return($list); } +function get_root_priv_item_text() { + global $priv_list; + + $priv_text = ""; + + foreach ($priv_list as $pname => $pdata) { + if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) { + $priv_text .= '<br/>' . $pdata['name']; + } + } + + return($priv_text); +} + /* if ajax is calling, give them an update message */ if (isAjax()) { print_info_box($savemsg, 'success'); @@ -161,6 +176,19 @@ $section->addInput(new Form_Input( null ))->setHelp('Show only the choices containing this term'); +$section->addInput(new Form_StaticText( + gettext('Privilege information'), + '<span class="help-block">'. + gettext('The following privileges effectively give the user root privilege ' . + ' because the user gains access to execute general commands, edit system files, ' . + ' modify users, change passwords or similar:') . + '<br/>' . + get_root_priv_item_text() . + '<br/><br/>' . + gettext('Please take care when granting these privileges.') . + '</span>' +)); + $btnfilter = new Form_Button( 'btnfilter', 'Filter', @@ -215,7 +243,11 @@ events.push(function() { if (in_array($pname, $a_user['priv'])) { continue; } - $desc = addslashes(preg_replace("/pfSense/i", $g['product_name'], $pdata['descr'])); + $desc = preg_replace("/pfSense/i", $g['product_name'], $pdata['descr']); + if (isset($pdata['warn']) && ($pdata['warn'] == 'standard-warning-root')) { + $desc .= ' ' . gettext('(This privilege effectively gives root privilege to the user)'); + } + $desc = addslashes($desc); $jdescs .= "descs[{$id}] = '{$desc}';\n"; $id++; } diff --git a/src/usr/local/www/system_usermanager_settings.php b/src/usr/local/www/system_usermanager_settings.php index 5a4e322..a6df556 100644 --- a/src/usr/local/www/system_usermanager_settings.php +++ b/src/usr/local/www/system_usermanager_settings.php @@ -24,6 +24,7 @@ ##|*IDENT=page-system-usermanager-settings ##|*NAME=System: User Manager: Settings ##|*DESCR=Allow access to the 'System: User Manager: Settings' page. +##|*WARN=standard-warning-root ##|*MATCH=system_usermanager_settings.php* ##|-PRIV |