-rw-r--r--etc/inc/auth.inc17
-rw-r--r--etc/inc/config.inc36
-rw-r--r--etc/inc/priv.inc16
-rw-r--r--etc/inc/system.inc165
-rwxr-xr-xusr/local/www/system.php47
-rw-r--r--usr/local/www/system_advanced_admin.php197
-rw-r--r--usr/local/www/system_usermanager.php37
7 files changed, 206 insertions, 309 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 0d69505..3bb00e7 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -187,8 +187,8 @@ function local_user_set(& $user) {
$user_group = "nobody";
/* configure shell type */
- if (!hasPrivilegeShell($user)) {
- if (!hasPrivilegeCopyFiles($user))
+ if (!userHasPrivilege($user, "user-shell-access")) {
+ if (!userHasPrivilege($user, "user-copy-files"))
$user_shell = "/sbin/nologin";
else
$user_shell = "/usr/local/bin/scponly";
@@ -227,14 +227,17 @@ function local_user_set(& $user) {
/* create user directory if required */
if (!is_dir($user_home))
- mkdir($user_home, 0755);
+ mkdir($user_home, 0700);
chown($user_home, $user_name);
chgrp($user_home, $user_group);
- chmod($user_home, 0700);
- /* FIXME : ssh keys should be per-admin user */
- if(isset($config['system']['ssh']['sshdkeyonly']) && hasPrivilegeShell($user))
- create_authorized_keys($user_name, $user_home);
+ /* write out ssh authorized key file */
+ if($user['authorizedkeys']) {
+ if (!is_dir("{$user_home}/.ssh"))
+ mkdir("{$user_home}/.ssh", 0700);
+ $keys = base64_decode($user['authorizedkeys']);
+ file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
+ }
}
function local_user_del($user) {
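Review bot: When `$user['authorizedkeys']` is empty the whole block on line 40 is skipped, so an authorized_keys file written by an earlier call stays in place and the removed keys keep granting access; an else branch that unlinks the stale file closes that gap. The `.ssh` directory and the file are also left owned by whoever runs this, whereas the home directory is chown'd/chgrp'd to the user on lines 33-34 — if the same ownership is intended, apply it here as well, and a 0600 on the file matches the 0700 on the directory. local_user_set begins before this hunk.
```php
	/* write out ssh authorized key file */
	$sshdir = "{$user_home}/.ssh";
	$keyfile = "{$sshdir}/authorized_keys";
	if ($user['authorizedkeys']) {
		if (!is_dir($sshdir))
			mkdir($sshdir, 0700);
		$keys = base64_decode($user['authorizedkeys']);
		file_put_contents($keyfile, $keys);
		chmod($keyfile, 0600);
		chown($sshdir, $user_name);
		chgrp($sshdir, $user_group);
		chown($keyfile, $user_name);
		chgrp($keyfile, $user_group);
	} else if (file_exists($keyfile)) {
		/* keys were removed for this user: drop the old file so they stop working */
		unlink($keyfile);
	}
```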
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index da5bea6..62a6a89 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1926,6 +1926,42 @@ endif;
$config['version'] = "5.2";
}
+ /* Convert 5.2 -> 5.3 */
+ if ($config['version'] <= 5.2) {
+
+ if (!is_array($config['system']['ca']))
+ $config['system']['ca'] = array();
+ if (!is_array($config['system']['cert']))
+ $config['system']['cert'] = array();
+
+ /* migrate advanced admin page webui ssl to certifcate mngr */
+ if ($config['system']['webgui']['certificate'] &&
+ $config['system']['webgui']['private-key']) {
+
+ /* create cert entry */
+ $cert = array();
+ $cert['refid'] = uniqid();
+ $cert['name'] = "webConfigurator SSL Certificate";
+ $cert['crt'] = $config['system']['webgui']['certificate'];
+ $cert['prv'] = $config['system']['webgui']['private-key'];
+ $config['system']['cert'][] = $cert;
+
+ /* create cert reference */
+ unset($config['system']['webgui']['certificate']);
+ unset($config['system']['webgui']['private-key']);
+ $config['system']['webgui']['ssl-certref'] = $cert['refid'];
+ }
+
+ /* migrate advanced admin page ssh keys to user manager */
+ if ($config['system']['ssh']['authorizedkeys']) {
+ $admin_user =& getUserEntryByUID(0);
+ $admin_user['authorizedkeys'] = $config['system']['ssh']['authorizedkeys'];
+ unset($config['system']['ssh']['authorizedkeys']);
+ }
+
+ $config['version'] = "5.3";
+ }
+
$now = date("H:i:s");
log_error("Ended Configuration upgrade at $now");
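Review bot: Line 83 takes a reference to the uid-0 user entry and line 84 writes into it, but nothing checks that an entry came back; if `getUserEntryByUID(0)` finds nothing (or does not return by reference), the write lands in a detached copy while line 85 still discards the only copy of the keys. Guard it with `if (is_array($admin_user)) { ... } else log_error("Configuration upgrade: no uid 0 user entry, ssh authorized keys not migrated");` and leave `$config['system']['ssh']['authorizedkeys']` in place in the else case. The certificate migration on lines 64-65 likewise leaves `certificate`/`private-key` untouched when only one of them is set, so such a config ends up with no `ssl-certref`; if that is intended, a one-line comment saying so would help the next reader.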
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index 89701aa..824ea7b 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -279,20 +279,4 @@ function userHasPrivilege($userent, $privid = false) {
return true;
}
-function hasPrivilegeLock($userent) {
- return userHasPrivilege($userent, "user-lock-webcfg");
-}
-
-function hasPrivilegeLockPages($userent) {
- return userHasPrivilege($userent, "user-lock-ipages");
-}
-
-function hasPrivilegeShell($userent) {
- return userHasPrivilege($userent, "user-shell-access");
-}
-
-function hasPrivilegeCopyFiles($userent) {
- return userHasPrivilege($userent, "user-copy-files");
-}
-
?>
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 3b19b48..0a4c5d1 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -496,72 +496,30 @@ function system_webgui_start() {
chdir($g['www_path']);
+ /* defaults */
+ $portarg = "80";
+ $crt = "";
+ $key = "";
+
/* non-standard port? */
if ($config['system']['webgui']['port'])
$portarg = "{$config['system']['webgui']['port']}";
- else
- $portarg = "";
if ($config['system']['webgui']['protocol'] == "https") {
- if(!$config['system']['webgui']['port'])
- $portarg = "443";
-
- if ($config['system']['webgui']['certificate'] && $config['system']['webgui']['private-key']) {
- $cert = base64_decode($config['system']['webgui']['certificate']);
- $key = base64_decode($config['system']['webgui']['private-key']);
- } else {
- /* default certificate/key */
- $cert = <<<EOD
------BEGIN CERTIFICATE-----
-MIIDEzCCAnygAwIBAgIJAJM91W+s6qptMA0GCSqGSIb3DQEBBAUAMGUxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJLWTETMBEGA1UEBxMKTG91aXN2aWxsZTEQMA4GA1UE
-ChMHcGZTZW5zZTEQMA4GA1UECxMHcGZTZW5zZTEQMA4GA1UEAxMHcGZTZW5zZTAe
-Fw0wNjAzMTAyMzQ1MTlaFw0xNjAzMDcyMzQ1MTlaMGUxCzAJBgNVBAYTAlVTMQsw
-CQYDVQQIEwJLWTETMBEGA1UEBxMKTG91aXN2aWxsZTEQMA4GA1UEChMHcGZTZW5z
-ZTEQMA4GA1UECxMHcGZTZW5zZTEQMA4GA1UEAxMHcGZTZW5zZTCBnzANBgkqhkiG
-9w0BAQEFAAOBjQAwgYkCgYEA3lPNTFH6qge/ygaqe/BS4oH59O6KvAesWcRzSu5N
-21lyVE5tBbL0zqOSXmlLyReMSbtAMZqt1P8EPYFoOcaEQHIWm2VQF80Z18+8Gh4O
-UQGjHq88OeaLqyk3OLpSKzSpXuCFrSN7q9Kez8zp5dQEu7sIW30da3pAbdqYOimA
-1VsCAwEAAaOByjCBxzAdBgNVHQ4EFgQUAnx+ggC4SzJ0CK+rhPhJ2ZpyunEwgZcG
-A1UdIwSBjzCBjIAUAnx+ggC4SzJ0CK+rhPhJ2ZpyunGhaaRnMGUxCzAJBgNVBAYT
-AlVTMQswCQYDVQQIEwJLWTETMBEGA1UEBxMKTG91aXN2aWxsZTEQMA4GA1UEChMH
-cGZTZW5zZTEQMA4GA1UECxMHcGZTZW5zZTEQMA4GA1UEAxMHcGZTZW5zZYIJAJM9
-1W+s6qptMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAAviQpdoeabL8
-1HSZiD7Yjx82pdLpyQOdXvAu3jEAYz53ckx0zSMrzsQ5r7Vae6AE7Xd7Pj+1Yihs
-AJZzOQujnmsuim7qu6YSxzP34xonKwd1C9tZUlyNRNnEmtXOEDupn05bih1ugtLG
-kqfPIgDbDLXuPtEAA6QDUypaunI6+1E=
------END CERTIFICATE-----
-
-EOD;
-
- $key = <<<EOD
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQDeU81MUfqqB7/KBqp78FLigfn07oq8B6xZxHNK7k3bWXJUTm0F
-svTOo5JeaUvJF4xJu0Axmq3U/wQ9gWg5xoRAchabZVAXzRnXz7waHg5RAaMerzw5
-5ourKTc4ulIrNKle4IWtI3ur0p7PzOnl1AS7uwhbfR1rekBt2pg6KYDVWwIDAQAB
-AoGAP7E0VFP8Aq/7os3sE1uS8y8XQ7L+7cUo/AKKoQHKLjfeyAY7t3FALt6vdPqn
-anGjkA/j4RIWELoKJfCnwj17703NDCPwB7klcmZvmTx5Om1ZrRyZdQ6RJs0pOOO1
-r2wOnZNaNWStXE9Afpw3dj20Gh0V/Ioo5HXn3sHfxZm8dnkCQQDwv8OaUdp2Hl8t
-FDfXB1CMvUG1hEAvbQvZK1ODkE7na2/ChKjVPddEI3DvfzG+nLrNuTrAyVWgRLte
-r8qX5PQHAkEA7GlKx0S18LdiKo6wy2QeGu6HYkPncaHNFOWX8cTpvGGtQoWYSh0J
-tjCt1/mz4/XkvZWuZyTNx2FdkVlNF5nHDQJBAIRWVTZqEjVlwpmsCHnp6mxCyHD4
-DrRDNAUfnNuwIr9xPlDlzUzSnpc1CCqOd5C45LKbRGGfCrN7tKd66FmQoFcCQQCy
-Kvw3R1pTCvHJnvYwoshphaC0dvaDVeyINiwYAk4hMf/wpVxLZqz+CJvLrB1dzOBR
-3O+uPjdzbrakpweJpNQ1AkEA3ZtlgEj9eWsLAJP8aKlwB8VqD+EtG9OJSUMnCDiQ
-WFFNj/t3Ze3IVuAyL/yMpiv3JNEnZhIxCta42eDFpIZAKw==
------END RSA PRIVATE KEY-----
-
-EOD;
- }
- } else {
- $cert = "";
- $key = "";
+ $cert =& lookup_cert($config['system']['webgui']['ssl-certref']);
+ if(is_array($cert) && $cert['crt'] && $cert['prv']) {
+ $crt = base64_decode($cert['crt']);
+ $key = base64_decode($cert['prv']);
+ if(!$config['system']['webgui']['port'])
+ $portarg = "443";
+ } else
+ log_error("Invalid webConfigurator https certificate, defaulting to http");
}
/* generate lighttpd configuration */
system_generate_lighty_config("{$g['varetc_path']}/lighty-webConfigurator.conf",
- $cert, $key, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/");
+ $crt, $key, "lighty-webConfigurator.pid", $portarg, "/usr/local/www/");
/* attempt to start lighthttpd */
$res = mwexec("/usr/local/sbin/lighttpd -f {$g['varetc_path']}/lighty-webConfigurator.conf");
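Review bot: The else branch on lines 193-194 turns an https configuration with an unusable certificate into a plaintext webConfigurator — `$crt`/`$key` stay empty and `$portarg` keeps the 80 default or the configured port from line 130 — with only a generic log line as evidence. That is a silent protocol downgrade of the admin interface; at minimum make it diagnosable, e.g. `log_error("Invalid webConfigurator https certificate ({$config['system']['webgui']['ssl-certref']}), defaulting to http on port {$portarg}");`. Whether lighttpd should serve plaintext rather than refuse to start is a policy call, but validating `ssl-certref` where it is saved would keep this path from being reachable through the GUI. system_webgui_start begins before this hunk.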
@@ -576,101 +534,6 @@ EOD;
return $res;
}
-function system_webgui_start_old() {
- global $config, $g;
- if(isset($config['system']['developerspew'])) {
- $mt = microtime();
- echo "system_webgui_start() being called $mt\n";
- }
-
- if ($g['booting'])
- echo "Starting webConfigurator...";
-
- /* kill any running mini_httpd */
- killbypid("{$g['varrun_path']}/mini_httpd.pid");
-
- chdir($g['www_path']);
-
- /* non-standard port? */
- if ($config['system']['webgui']['port'])
- $portarg = "-p {$config['system']['webgui']['port']}";
- else
- $portarg = "";
-
- if ($config['system']['webgui']['protocol'] == "https") {
-
- if ($config['system']['webgui']['certificate'] && $config['system']['webgui']['private-key']) {
- $cert = base64_decode($config['system']['webgui']['certificate']);
- $key = base64_decode($config['system']['webgui']['private-key']);
- } else {
- /* default certificate/key */
- $cert = <<<EOD
------BEGIN CERTIFICATE-----
-MIIBlDCB/gIBADANBgkqhkiG9w0BAQQFADATMREwDwYDVQQKEwhtMG4wd2FsbDAe
-Fw0wNTA1MTAxMjI0NDRaFw0wNzA1MTAxMjI0NDRaMBMxETAPBgNVBAoTCG0wbjB3
-YWxsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAShszhFz+o8lsMWTGgTxs
-TMPR+v4+qL5jXDyY97MLTGFK7aqQOtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+
-83LPQmQoSPC0VqhfU3uYf3NzxiK8r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFP
-C4jE2fvjkbzyVolPywBuewIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAFR962c4R5tV
-cTn0OQcszYoW6WC+ini9tQQh5ku5jYDAiC+00atawJEVLnL3lwAcpSKTIWlTkD20
-tl3lz5br1qFgYky+Rd0kwS2nk9jRbkxSXxd6KJVnNRCKre28aw3ENzZfCSurPQsX
-UPp5er+NtwMT1g7s/JDmKTC4w1rGr5/c
------END CERTIFICATE-----
-
-EOD;
-
- $key = <<<EOD
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDAShszhFz+o8lsMWTGgTxsTMPR+v4+qL5jXDyY97MLTGFK7aqQ
-OtpIQc+TcTc4jklgOVlHoR7oBXrsi8YrbCd+83LPQmQoSPC0VqhfU3uYf3NzxiK8
-r97aPCsmWgwT2pQ6TcESTm6sF7nLprOf/zFPC4jE2fvjkbzyVolPywBuewIDAQAB
-AoGAbJJrQW9fQrggJuLMz/hwsYW2m31oyOBmf5u463YQtjRuSuxe/gj87weZuNqY
-H2rXq2k2K+ehl8hgW+egASyUL3L7kCkEAsVREujKTEyhSqqIRDPWTxo9S/YA9Gvn
-2ZnJvkrcKjqCO9aHX3rvJOK/ErYI6akctgI3KmgkYw5XNmECQQDuZU97RTWH9rmP
-aQr57ysNXxgFsyhetOOqeYkPtIVwpOiNbfwE1zi5RGdtO4Ku3fG1lV4J2UoWJ9yD
-awdoyYIHAkEAzn0xJ90IjPsHk+8SODEj5JGdHSZPNu1tgtrbjEi9sfGWg4K7XTxr
-QW90pWb1bKKU1uh5FzW6OhnFfuQXt1kC7QJAPSthqY+onKqCEnoxhtAHi/bKgyvl
-P+fKQwPMV2tKkgy+XwvJjrRqqZ8TqsOKVLQ+QQmCh6RpjiXMPyxHSmvqIQJBAKLR
-HF1ucDuaBROkwx0DwmWMW/KMLpIFDQDNSaiIAuu4rxHrl4mhBoGGPNffI04RtILw
-s+qVNs5xW8T+XaT4ztECQQDFHPnZeoPWE5z+AX/UUQIUWaDExz3XRzmIxRbOrlFi
-CsF1s0TdJLi/wzNQRAL37A8vqCeVFR/ng3Xpg96Yg+8Z
------END RSA PRIVATE KEY-----
-
-EOD;
- }
-
- $cert = str_replace("\r", "", $cert);
- $key = str_replace("\r", "", $key);
-
- $fd = fopen("{$g['varetc_path']}/cert.pem", "w");
- if (!$fd) {
- printf("Error: cannot open cert.pem in system_webgui_start().\n");
- return 1;
- }
- chmod("{$g['varetc_path']}/cert.pem", 0600);
- fwrite($fd, $cert);
- fwrite($fd, "\n");
- fwrite($fd, $key);
- fclose($fd);
-
- $res = mwexec("/usr/local/sbin/mini_httpd -S -E {$g['varetc_path']}/cert.pem" .
- " -c \"**.php|**.cgi\" -u root -maxproc 16 $portarg" .
- " -i {$g['varrun_path']}/mini_httpd.pid");
- } else {
- $res = mwexec("/usr/local/sbin/mini_httpd -c \"**.php|**.cgi\" -u root" .
- " -maxproc 16 $portarg -i {$g['varrun_path']}/mini_httpd.pid");
- }
-
- if ($g['booting']) {
- if ($res == 0)
- echo "done\n";
- else
- echo "failed\n";
- }
-
- return $res;
-}
-
function system_generate_lighty_config($filename,
$cert,
$key,
diff --git a/usr/local/www/system.php b/usr/local/www/system.php
index d8c62f3..5ed8065 100755
--- a/usr/local/www/system.php
+++ b/usr/local/www/system.php
@@ -43,17 +43,12 @@ $pconfig['hostname'] = $config['system']['hostname'];
$pconfig['domain'] = $config['system']['domain'];
list($pconfig['dns1'],$pconfig['dns2'],$pconfig['dns3'],$pconfig['dns4']) = $config['system']['dnsserver'];
-
$pconfig['dns1gwint'] = $config['system']['dns1gwint'];
$pconfig['dns2gwint'] = $config['system']['dns2gwint'];
$pconfig['dns3gwint'] = $config['system']['dns3gwint'];
$pconfig['dns4gwint'] = $config['system']['dns4gwint'];
$pconfig['dnsallowoverride'] = isset($config['system']['dnsallowoverride']);
-$pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
-if (!$pconfig['webguiproto'])
- $pconfig['webguiproto'] = "http";
-$pconfig['webguiport'] = $config['system']['webgui']['port'];
$pconfig['timezone'] = $config['system']['timezone'];
$pconfig['timeupdateinterval'] = $config['system']['time-update-interval'];
$pconfig['timeservers'] = $config['system']['timeservers'];
@@ -132,11 +127,6 @@ if ($_POST) {
update_if_changed("hostname", $config['system']['hostname'], strtolower($_POST['hostname']));
update_if_changed("domain", $config['system']['domain'], strtolower($_POST['domain']));
- if (update_if_changed("webgui protocol", $config['system']['webgui']['protocol'], $_POST['webguiproto']))
- $restart_webgui = true;
- if (update_if_changed("webgui port", $config['system']['webgui']['port'], $_POST['webguiport']))
- $restart_webgui = true;
-
update_if_changed("timezone", $config['system']['timezone'], $_POST['timezone']);
update_if_changed("NTP servers", $config['system']['timeservers'], strtolower($_POST['timeservers']));
update_if_changed("NTP update interval", $config['system']['time-update-interval'], $_POST['timeupdateinterval']);
@@ -181,16 +171,6 @@ if ($_POST) {
if ($changecount > 0)
write_config($changedesc);
- if ($restart_webgui) {
- global $_SERVER;
- list($host) = explode(":", $_SERVER['HTTP_HOST']);
- if ($config['system']['webgui']['port']) {
- $url="{$config['system']['webgui']['protocol']}://{$host}:{$config['system']['webgui']['port']}/system.php";
- } else {
- $url = "{$config['system']['webgui']['protocol']}://{$host}/system.php";
- }
- }
-
$retval = 0;
config_lock();
$retval = system_hostname_configure();
@@ -206,8 +186,6 @@ if ($_POST) {
config_unlock();
$savemsg = get_std_save_message($retval);
- if ($restart_webgui)
- $savemsg .= "<br />One moment...redirecting to {$url} in 10 seconds.";
}
}
@@ -295,20 +273,6 @@ include("head.inc");
PPTP VPN clients, though.</span></p></td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell">webConfigurator protocol</td>
- <td width="78%" class="vtable"> <input name="webguiproto" type="radio" value="http" <?php if ($pconfig['webguiproto'] == "http") echo "checked"; ?>>
- HTTP &nbsp;&nbsp;&nbsp; <input type="radio" name="webguiproto" value="https" <?php if ($pconfig['webguiproto'] == "https") echo "checked"; ?>>
- HTTPS</td>
- </tr>
- <tr>
- <td valign="top" class="vncell">webConfigurator port</td>
- <td class="vtable"> <input name="webguiport" type="text" class="formfld unknown" id="webguiport" "size="5" value="<?=htmlspecialchars($config['system']['webgui']['port']);?>">
- <br>
- <span class="vexpl">Enter a custom port number for the webConfigurator
- above if you want to override the default (80 for HTTP, 443
- for HTTPS). Changes will take effect immediately after save.</span></td>
- </tr>
- <tr>
<td width="22%" valign="top" class="vncell">Time zone</td>
<td width="78%" class="vtable"> <select name="timezone" id="timezone">
<?php foreach ($timezonelist as $value): ?>
@@ -369,16 +333,5 @@ include("head.inc");
</table>
</form>
<?php include("fend.inc"); ?>
-<?php
- // restart webgui if proto or port changed
- if ($restart_webgui) {
- echo "<meta http-equiv=\"refresh\" content=\"10;url={$url}\">";
- }
-?>
</body>
</html>
-<?php
-if ($restart_webgui) {
- touch("/tmp/restart_webgui");
-}
-?>
diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php
index 211eca4..179c573 100644
--- a/usr/local/www/system_advanced_admin.php
+++ b/usr/local/www/system_advanced_admin.php
@@ -43,15 +43,24 @@
require("guiconfig.inc");
-$pconfig['cert'] = base64_decode($config['system']['webgui']['certificate']);
-$pconfig['key'] = base64_decode($config['system']['webgui']['private-key']);
+$pconfig['webguiproto'] = $config['system']['webgui']['protocol'];
+$pconfig['webguiport'] = $config['system']['webgui']['port'];
+$pconfig['ssl-certref'] = $config['system']['webgui']['ssl-certref'];
$pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
$pconfig['enableserial'] = $config['system']['enableserial'];
$pconfig['enablesshd'] = $config['system']['enablesshd'];
$pconfig['sshport'] = $config['system']['ssh']['port'];
$pconfig['sshdkeyonly'] = $config['system']['ssh']['sshdkeyonly'];
-$pconfig['authorizedkeys'] = base64_decode($config['system']['ssh']['authorizedkeys']);
+
+$a_cert =& $config['system']['cert'];
+
+$certs_available = false;
+if (is_array($a_cert) && count($a_cert))
+ $certs_available = true;
+
+if (!$pconfig['webguiproto'] || !$certs_available)
+ $pconfig['webguiproto'] = "http";
if ($_POST) {
@@ -59,15 +68,9 @@ if ($_POST) {
$pconfig = $_POST;
/* input validation */
- if (($_POST['cert'] && !$_POST['key']) || ($_POST['key'] && !$_POST['cert']))
- $input_errors[] = "Certificate and key must always be specified together.";
-
- if ($_POST['cert'] && $_POST['key']) {
- if (!strstr($_POST['cert'], "BEGIN CERTIFICATE") || !strstr($_POST['cert'], "END CERTIFICATE"))
- $input_errors[] = "This certificate does not appear to be valid.";
- if (!strstr($_POST['key'], "BEGIN RSA PRIVATE KEY") || !strstr($_POST['key'], "END RSA PRIVATE KEY"))
- $input_errors[] = "This key does not appear to be valid.";
- }
+ if ($_POST['webguiport'])
+ if(!is_port($_POST['webguiport']))
+ $input_errors[] = "You must specify a valid webConfigurator port number";
if ($_POST['sshport'])
if(!is_port($_POST['sshport']))
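Review bot: Only `webguiport` is validated here (lines 435-437); `webguiproto` and `ssl-certref` are stored as-is by the `update_if_changed` calls in the next hunk (lines 446-451), so a POST can save a protocol other than http/https or a certref that matches no entry in `$config['system']['cert']`, after which system.inc falls back to plain http. Validate both before the save; the disabled radio on the form is client-side only and is no substitute. `lookup_cert` is what system.inc uses to resolve the ref — this assumes it is in scope here via guiconfig.inc. The `if ($_POST)` block this sits in begins before the hunk.
```php
	/* input validation */
	if ($_POST['webguiproto'] != "http" && $_POST['webguiproto'] != "https")
		$input_errors[] = "You must specify a valid webConfigurator protocol";
	if ($_POST['webguiproto'] == "https" && !is_array(lookup_cert($_POST['ssl-certref'])))
		$input_errors[] = "You must select a valid SSL certificate before enabling HTTPS";
	// … unchanged: webguiport and sshport checks …
```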
@@ -83,10 +86,12 @@ if ($_POST) {
if (!$input_errors) {
- $oldcert = $config['system']['webgui']['certificate'];
- $oldkey = $config['system']['webgui']['private-key'];
- $config['system']['webgui']['certificate'] = base64_encode($_POST['cert']);
- $config['system']['webgui']['private-key'] = base64_encode($_POST['key']);
+ if (update_if_changed("webgui protocol", $config['system']['webgui']['protocol'], $_POST['webguiproto']))
+ $restart_webgui = true;
+ if (update_if_changed("webgui port", $config['system']['webgui']['port'], $_POST['webguiport']))
+ $restart_webgui = true;
+ if (update_if_changed("webgui certificate", $config['system']['webgui']['ssl-certref'], $_POST['ssl-certref']))
+ $restart_webgui = true;
if($_POST['disableconsolemenu'] == "yes") {
$config['system']['disableconsolemenu'] = true;
@@ -106,37 +111,50 @@ if ($_POST) {
else
unset($config['system']['enableserial']);
- if($_POST['enablesshd'] == "yes") {
+ $sshd_enabled = $config['system']['enablesshd'];
+ if($_POST['enablesshd'])
$config['system']['enablesshd'] = "enabled";
- touch("{$g['tmp_path']}/start_sshd");
- } else {
+ else
unset($config['system']['enablesshd']);
- mwexec("/usr/bin/killall sshd");
- }
-
- $oldsshport = $config['system']['ssh']['port'];
- if ($_POST['sshdkeyonly'] == "yes") {
+ $sshd_keyonly = $config['system']['sshdkeyonly'];
+ if ($_POST['sshdkeyonly'])
$config['system']['sshdkeyonly'] = true;
- touch("{$g['tmp_path']}/start_sshd");
- } else {
+ else
unset($config['system']['sshdkeyonly']);
- mwexec("/usr/bin/killall sshd");
- }
- $config['system']['ssh']['port'] = $_POST['sshport'];
- $config['system']['ssh']['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
+ $sshd_port = $config['system']['ssh']['port'];
+ if ($_POST['sshport'])
+ $config['system']['ssh']['port'] = $_POST['sshport'];
+ else
+ unset($config['system']['ssh']['port']);
+
+ if (($sshd_enabled != $config['system']['enablesshd']) ||
+ ($sshd_keyonly != $config['system']['sshdkeyonly']) ||
+ ($sshd_port != $config['system']['ssh']['port']))
+ $restart_sshd = true;
+
+ if ($restart_webgui) {
+ global $_SERVER;
+ list($host) = explode(":", $_SERVER['HTTP_HOST']);
+ $prot = $config['system']['webgui']['protocol'];
+ $port = $config['system']['webgui']['port'];
+ if ($port)
+ $url = "{$prot}://{$host}:{$port}/system_advanced_admin.php";
+ else
+ $url = "{$prot}://{$host}/system.php";
+ }
write_config();
config_lock();
$retval = filter_configure();
- if(stristr($retval, "error") <> true)
- $savemsg = get_std_save_message($retval);
- else
- $savemsg = $retval;
config_unlock();
+ $savemsg = get_std_save_message($retval);
+ if ($restart_webgui)
+ $savemsg .= "<br />One moment...redirecting to {$url} in 10 seconds.";
+
conf_mount_rw();
setup_serial_port();
conf_mount_ro();
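Review bot: Line 470 reads the key-only flag from `$config['system']['sshdkeyonly']` (lines 472/476 write it there), but this page's own `$pconfig['sshdkeyonly']` on line 411 and the check in system_usermanager.php (line 685 of this diff) read `$config['system']['ssh']['sshdkeyonly']`, so the checkbox never reflects what was saved and the user manager's "must provide an authorized key" rule keys off a value this page never sets. Whichever of the two the sshd config generator reads (not visible here), use one path for all of them — `$config['system']['ssh']['sshdkeyonly']` matches the other `ssh` settings — so the change detection on line 488 works as well. Separately, line 498 redirects to `system_advanced_admin.php` but line 500 to `system.php`; the no-port case should presumably target the same page. The surrounding `if (!$input_errors)` block begins before this hunk, and `$restart_webgui`/`$restart_sshd` are never initialised before being tested on line 492 and in the page footer.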
@@ -149,8 +167,21 @@ include("head.inc");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<script language="JavaScript">
+<!--
+
+function prot_change() {
+
+ if (document.iform.https_proto.checked)
+ document.getElementById("ssl_opts").style.display="";
+ else
+ document.getElementById("ssl_opts").style.display="none";
+}
+
+//-->
+</script>
<?php
- include("fbegin.inc");
if ($input_errors)
print_input_errors($input_errors);
if ($savemsg)
@@ -192,19 +223,54 @@ include("head.inc");
<td colspan="2" valign="top" class="listtopic">webConfigurator</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell">Certificate</td>
+ <td width="22%" valign="top" class="vncell">Protocol</td>
<td width="78%" class="vtable">
- <textarea name="cert" cols="65" rows="7" id="cert" class="formpre"><?=htmlspecialchars($pconfig['cert']);?></textarea>
+ <?php
+ if ($pconfig['webguiproto'] == "http")
+ $http_chk = "checked";
+ if ($pconfig['webguiproto'] == "https")
+ $https_chk = "checked";
+ if (!$certs_available)
+ $https_disabled = "disabled";
+ ?>
+ <input name="webguiproto" id="http_proto" type="radio" value="http" <?=$http_chk;?> onClick="prot_change()">
+ HTTP
+ &nbsp;&nbsp;&nbsp;
+ <input name="webguiproto" id="https_proto" type="radio" value="https" <?=$https_chk;?> <?=$https_disabled;?> onClick="prot_change()">
+ HTTPS
+ <?php if (!$certs_available): ?>
<br/>
- Paste a signed certificate in X.509 PEM format here. <a href="javascript:if(openwindow('system_advanced_create_certs.php') == false) alert('Popup blocker detected. Action aborted.');" >Create</a> certificates automatically.
+ No Certificates have been defined. You must
+ <a href="system_certmanager.php">Create or Import</a>
+ a Certificate before SSL can be enabled.
+ <?php endif; ?>
</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncell">Key</td>
+ <tr id="ssl_opts">
+ <td width="22%" valign="top" class="vncell">SSL Certificate</td>
<td width="78%" class="vtable">
- <textarea name="key" cols="65" rows="7" id="key" class="formpre"><?=htmlspecialchars($pconfig['key']);?></textarea>
- <br/>
- Paste an RSA private key in PEM format here.
+ <select name="ssl-certref" id="ssl-certref" class="formselect">
+ <?php
+ foreach($a_cert as $cert):
+ $selected = "";
+ if ($pconfig['ssl-certref'] == $cert['refid'])
+ $selected = "selected";
+ ?>
+ <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=$cert['name'];?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">TCP port</td>
+ <td class="vtable">
+ <input name="webguiport" type="text" class="formfld unknown" id="webguiport" "size="5" value="<?=htmlspecialchars($config['system']['webgui']['port']);?>">
+ <br>
+ <span class="vexpl">
+ Enter a custom port number for the webConfigurator
+ above if you want to override the default (80 for HTTP, 443
+ for HTTPS). Changes will take effect immediately after save.
+ </span>
</td>
</tr>
<tr>
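Review bot: Line 584 emits `$cert['refid']` and `$cert['name']` into the option markup without `htmlspecialchars`, while the port input on line 592 escapes its value; certificate names come from the certificate manager, and a name containing `<` or `"` would break out of the option. Use `<option value="<?=htmlspecialchars($cert['refid']);?>"<?=$selected;?>><?=htmlspecialchars($cert['name']);?></option>`. Line 592 also carries a stray `"` before `size="5"` (`id="webguiport" "size="5"`), leaving the attribute malformed, and `$http_chk`, `$https_chk`, `$https_disabled` are each assigned in only one branch on lines 548-553, so initialise them to `""` first to avoid undefined-variable notices leaking into the output.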
@@ -246,9 +312,9 @@ include("head.inc");
<input name="sshdkeyonly" type="checkbox" id="sshdkeyonly" value="yes" <?php if (isset($pconfig['sshdkeyonly'])) echo "checked"; ?> />
<strong>Disable Password login for Secure Shell (rsa key only)</strong>
<br/>
- When this option is enabled, you will need to configure
- allowed keys for each user that has secure shell
- access.
+ When enabled, authorized keys need to be configured for each
+ <a href="system_usermanager.php">user</a>
+ that has been granted secure shell access.
</td>
</tr>
<tr>
@@ -260,14 +326,6 @@ include("head.inc");
</td>
</tr>
<tr>
- <td width="22%" valign="top" class="vncell"><?=gettext("Authorizedkeys");?></td>
- <td width="78%" class="vtable">
- <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea>
- <br/>
- Paste an authorized keys file here.
- </td>
- </tr>
- <tr>
<td colspan="2" class="list" height="12">&nbsp;</td>
</tr>
<?php if($g['platform'] == "pfSense" || $g['platform'] == "cdrom"): ?>
@@ -311,22 +369,35 @@ include("head.inc");
</td>
</tr>
</table>
+ <script language="JavaScript" type="text/javascript">
+ <!--
+ prot_change();
+ //-->
+ </script>
<?php include("fend.inc"); ?>
+<?php
+ if ($restart_webgui)
+ echo "<meta http-equiv=\"refresh\" content=\"10;url={$url}\">";
+?>
</body>
</html>
<?php
+if ($restart_sshd) {
-if($_POST['cert'] || $_POST['key']) {
- if (($config['system']['webgui']['certificate'] != $oldcert)
- || ($config['system']['webgui']['private-key'] != $oldkey)) {
- ob_flush();
- flush();
- log_error("webConfigurator certificates have changed. Restarting webConfigurator.");
- sleep(1);
- touch("/tmp/restart_webgui");
+ mwexec("/usr/bin/killall sshd");
+ log_error("secure shell configuration has changed. Stopping sshd.");
+
+ if ($config['system']['enablesshd']) {
+ log_error("secure shell configuration has changed. Restarting sshd.");
+ touch("{$g['tmp_path']}/start_sshd");
}
}
-
+if ($restart_webgui) {
+ ob_flush();
+ flush();
+ log_error("webConfigurator configuration has changed. Restarting webConfigurator.");
+ touch("{$g['tmp_path']}/restart_webgui");
+}
?>
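Review bot: Line 642 echoes `$url` into the meta refresh unescaped, and the earlier hunk appends it to `$savemsg` on line 512; `$url` is built on lines 494-500 from `$_SERVER['HTTP_HOST']`, which the client supplies, so a crafted Host header lands in the page markup verbatim. Escape at the output: `echo "<meta http-equiv=\"refresh\" content=\"10;url=" . htmlspecialchars($url) . "\">";`, and use `htmlspecialchars($url)` in the `$savemsg` concatenation as well, wherever that message is rendered. The footer also tests `$restart_sshd` and `$restart_webgui` without either being initialised on a non-POST request; a `$restart_sshd = false; $restart_webgui = false;` after `require("guiconfig.inc")` makes the intent explicit.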
diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php
index 5426524..cdb2c35 100644
--- a/usr/local/www/system_usermanager.php
+++ b/usr/local/www/system_usermanager.php
@@ -197,12 +197,7 @@ if (isAllowedPage("system_usermanager")) {
}
}
- if(is_array($_POST['groups']))
- foreach($_POST['groups'] as $groupname)
- if ($pconfig['utype'] <> "system" && !isset($groupindex[$groupname]))
- $input_errors[] = gettext("group {$groupname} does not exist, please define the group before assigning users.");
-
- if (isset($config['system']['ssh']['sshdkeyonly']) && empty($_POST['authorizedkeys']))
+ if (isset($config['system']['ssh']['sshdkeyonly']) && empty($_POST['authorizedkeys']))
$input_errors[] = gettext("You must provide an authorized key otherwise you won't be able to login into this system.");
/* if this is an AJAX caller then handle via JSON */
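Review bot: The group-existence check that preceded line 685 is removed and nothing in this hunk replaces it, so a POSTed group name that is not in `$groupindex` is no longer rejected at validation time; unless the membership code later in the file validates it (not visible here), unknown names would be written into the user entry. If the intent was only to drop the `utype` exception, keeping `if (is_array($_POST['groups'])) foreach ($_POST['groups'] as $groupname) if (!isset($groupindex[$groupname])) $input_errors[] = gettext("group {$groupname} does not exist, please define the group before assigning users.");` preserves the check. The enclosing POST handler begins before this hunk.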
@@ -216,6 +211,8 @@ if (isAllowedPage("system_usermanager")) {
if (isset($id) && $a_user[$id])
$userent = $a_user[$id];
+ isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
+
/* the user name was modified */
if ($_POST['usernamefld'] <> $_POST['oldusername'])
$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
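Review bot: Line 691 uses a ternary for its side effects (`cond ? $a = x : $a = y`), which reads as an expression but is two assignments; `$userent['scope'] = isset($_POST['utype']) ? $_POST['utype'] : "system";` says the same thing directly. The value itself comes straight from the POST; if `scope` distinguishes system accounts from ordinary ones (the check removed in the first hunk treated `"system"` specially), it is worth restricting it to the known values rather than storing any string. The enclosing block begins before and continues past this hunk.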
@@ -226,11 +223,7 @@ if (isAllowedPage("system_usermanager")) {
$userent['name'] = $_POST['usernamefld'];
$userent['fullname'] = $_POST['fullname'];
-
- isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system";
-
- if(isset($config['system']['ssh']['sshdkeyonly']))
- $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
+ $userent['authorizedkeys'] = base64_encode($_POST['authorizedkeys']);
if (isset($id) && $a_user[$id])
$a_user[$id] = $userent;
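Review bot: Line 704 now stores the textarea contents unconditionally, and auth.inc (this diff) writes the decoded bytes straight into authorized_keys; browsers submit textarea content with CRLF line endings, so consider `$userent['authorizedkeys'] = base64_encode(str_replace("\r", "", $_POST['authorizedkeys']));` in case sshd on this platform does not tolerate a trailing CR on each key line. An empty textarea is stored as an empty string, which auth.inc treats as "no keys" and therefore leaves any previously written file in place — worth a comment here or handling there. The enclosing block begins before and continues past this hunk.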
@@ -367,20 +360,6 @@ function presubmit() {
<?=gettext("User's full name, for your own information only");?>
</td>
</tr>
-
- <?php if (isset($config['system']['ssh']['sshdkeyonly'])): ?>
-
- <tr>
- <td width="22%" valign="top" class="vncell"><?=gettext("Authorized keys");?></td>
- <td width="78%" class="vtable">
- <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert" wrap="off"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea>
- <br/>
- <?=gettext("Paste an authorized keys file here.");?>
- </td>
- </tr>
-
- <?php endif; ?>
-
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Group Memberships");?></td>
<td width="78%" class="vtable" align="center">
@@ -552,6 +531,14 @@ function presubmit() {
<?php endif; ?>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Authorized keys");?></td>
+ <td width="78%" class="vtable">
+ <textarea name="authorizedkeys" cols="65" rows="7" id="authorizedkeys" class="formfld_cert" wrap="off"><?=htmlspecialchars($pconfig['authorizedkeys']);?></textarea>
+ <br/>
+ <?=gettext("Paste an authorized keys file here.");?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
<input id="submit" name="save" type="submit" class="formbtn" value="Save" />