diff options
-rw-r--r-- | etc/inc/auth.inc | 630 | ||||
-rw-r--r-- | etc/inc/authgui.inc | 5 | ||||
-rw-r--r-- | etc/inc/config.inc | 4 | ||||
-rw-r--r-- | etc/inc/pfsense-utils.inc | 32 | ||||
-rw-r--r-- | etc/inc/priv.inc | 6 | ||||
-rw-r--r-- | etc/inc/system.inc | 23 | ||||
-rw-r--r-- | etc/phpshellsessions/cvssync | 4 | ||||
-rwxr-xr-x | etc/rc.bootup | 7 | ||||
-rwxr-xr-x | etc/rc.initial.password | 26 | ||||
-rwxr-xr-x | etc/sshd | 3 | ||||
-rwxr-xr-x | usr/local/www/pkg_mgr_install.php | 3 | ||||
-rwxr-xr-x | usr/local/www/system.php | 10 | ||||
-rw-r--r-- | usr/local/www/system_groupmanager.php | 6 | ||||
-rw-r--r-- | usr/local/www/system_groupmanager_addprivs.php | 2 | ||||
-rw-r--r-- | usr/local/www/system_usermanager.php | 22 | ||||
-rw-r--r-- | usr/local/www/system_usermanager_addprivs.php | 2 | ||||
-rwxr-xr-x | usr/local/www/system_usermanager_settings.php | 4 | ||||
-rw-r--r-- | usr/local/www/wizards/setup_wizard.xml | 10 |
18 files changed, 308 insertions, 491 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 2d89e5d..3d5b3ac 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -102,7 +102,18 @@ function & getGroupEntryByGID($gid) { return false;
}
-function sync_local_accounts() {
+function local_backed($username, $passwd) {
+
+ $user = getUserEntry($username);
+ if (!$user)
+ return false;
+
+ $passwd = crypt($passwd, $user['password']);
+
+ return ($passwd == $user['password']);
+}
+
+function local_sync_accounts() {
global $config;
/* remove local users to avoid uid conflicts */
@@ -140,22 +151,20 @@ function sync_local_accounts() { /* make sure the all group exists */
$allgrp = getGroupEntryByGID(1998);
- set_local_group($allgrp, true);
+ local_group_set($allgrp, true);
/* sync all local users */
if (is_array($config['system']['user']))
foreach ($config['system']['user'] as $user)
- set_local_user($user);
+ local_user_set($user);
/* sync all local groups */
if (is_array($config['system']['group']))
foreach ($config['system']['group'] as $group)
- set_local_group($group);
-
- sync_webgui_passwords();
+ local_group_set($group);
}
-function set_local_user(& $user, $password = false) {
+function local_user_set(& $user) {
global $g;
$home_base = $g['platform'] == "pfSense" ? "/home" : "/var/home";
@@ -168,30 +177,6 @@ function set_local_user(& $user, $password = false) { $user_shell = "/etc/rc.initial";
$user_group = "nobody";
- /* set all password hashes if required */
- if ($password && strlen($password)) {
-
- $user['password'] = crypt($password);
- $user['md5-hash'] = md5($password);
-
- /*
- * NOTE : This section of code id based on the BSD
- * licensed CHAP.php courtesy of Michael Retterklieber.
- */
- /* Waiting for mhash to settle into the tree
- // Converts ascii to unicode.
- $astr = (string) $password;
- $ustr = '';
- for ($i = 0; $i < strlen($astr); $i++) {
- $a = ord($astr{$i}) << 8;
- $ustr.= sprintf("%X", $a);
- }
-
- // Generate the NT-HASH from the unicode string
- $user['nt-hash'] = bin2hex(mhash(MHASH_MD4, $ustr));
- */
- }
-
/* configure shell type */
if (!hasPrivilegeShell($user)) {
if (!hasPrivilegeCopyFiles($user))
@@ -241,10 +226,10 @@ function set_local_user(& $user, $password = false) { create_authorized_keys($user_name, $user_home);
}
-function del_local_user($user) {
+function local_user_del($user) {
/* remove all memberships */
- set_local_user_groups($user);
+ local_user_get_groups($user);
/* delete from pw db */
$cmd = "/usr/sbin/pw userdel {$user['name']}";
@@ -255,7 +240,30 @@ function del_local_user($user) { pclose($fd);
}
-function get_local_user_groups($user, $all = false) {
+function local_user_set_password(& $user, $password) {
+
+ $user['password'] = crypt($password);
+ $user['md5-hash'] = md5($password);
+
+ /*
+ * NOTE : This section of code id based on the BSD
+ * licensed CHAP.php courtesy of Michael Retterklieber.
+ */
+ /* Waiting for mhash to settle into the tree
+ // Converts ascii to unicode.
+ $astr = (string) $password;
+ $ustr = '';
+ for ($i = 0; $i < strlen($astr); $i++) {
+ $a = ord($astr{$i}) << 8;
+ $ustr.= sprintf("%X", $a);
+ }
+
+ // Generate the NT-HASH from the unicode string
+ $user['nt-hash'] = bin2hex(mhash(MHASH_MD4, $ustr));
+ */
+}
+
+function local_user_get_groups($user, $all = false) {
global $config;
$groups = array();
@@ -273,13 +281,13 @@ function get_local_user_groups($user, $all = false) { return $groups;
}
-function set_local_user_groups($user, $new_groups = NULL ) {
+function local_user_set_groups($user, $new_groups = NULL ) {
global $config, $groupindex;
if (!is_array($config['system']['group']))
return;
- $cur_groups = get_local_user_groups($user);
+ $cur_groups = local_user_get_groups($user);
$mod_groups = array();
if (!is_array($new_groups))
@@ -309,10 +317,10 @@ function set_local_user_groups($user, $new_groups = NULL ) { /* sync all modified groups */
foreach ($mod_groups as $group)
- set_local_group($group);
+ local_group_set($group);
}
-function set_local_group($group, $reset = false) {
+function local_group_set($group, $reset = false) {
$group_name = $group['name'];
$group_gid = $group['gid'];
@@ -340,7 +348,7 @@ function set_local_group($group, $reset = false) { pclose($fd);
}
-function del_local_group($group) {
+function local_group_del($group) {
/* delete from group db */
$cmd = "/usr/sbin/pw groupdel {$group['name']}";
@@ -351,294 +359,6 @@ function del_local_group($group) { pclose($fd);
}
-function basic_auth($backing) {
- global $HTTP_SERVER_VARS;
-
- /* Check for AUTH_USER */
- if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
- $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
- $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
- }
-
- if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) {
- require_once("authgui.inc");
- header("WWW-Authenticate: Basic realm=\".\"");
- header("HTTP/1.0 401 Unauthorized");
- display_error_form("401", gettext("You must enter valid credentials to access this resource."));
- exit;
- }
-
- return $backing($HTTP_SERVER_VARS['AUTH_USER'],$HTTP_SERVER_VARS['AUTH_PW']);
-}
-
-function session_auth($backing) {
- global $g, $HTTP_SERVER_VARS, $userindex, $config;
-
- session_start();
-
- /* Validate incoming login request */
- if (isset($_POST['login'])) {
- if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
- $_SESSION['Logged_In'] = "True";
- $_SESSION['Username'] = $_POST['usernamefld'];
- $_SESSION['last_access'] = time();
- log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- } else {
- /* give the user a more detailed error message */
- if (isset($userindex[$_POST['usernamefld']])) {
- $_SESSION['Login_Error'] = "Username or Password incorrect";
- log_error("Wrong password entered for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- if(isAjax()) {
- echo "showajaxmessage('{$_SESSION['Login_Error']}');";
- return;
- }
- } else {
- $_SESSION['Login_Error'] = "Username or Password incorrect";
- log_error("Attempted login for invalid user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- if(isAjax()) {
- echo "showajaxmessage('{$_SESSION['Login_Error']}');";
- return;
- }
- }
- }
- }
-
- /* Show login page if they aren't logged in */
- if (empty($_SESSION['Logged_In'])) {
- /* Don't display login forms to AJAX */
- if (isAjax())
- return false;
- require_once("authgui.inc");
- display_login_form();
- return false;
- }
-
- /* If session timeout isn't set, we don't mark sessions stale */
- if (!isset($config['system']['webgui']['session_timeout']) ||
- $config['system']['webgui']['session_timeout'] == 0 ||
- $config['system']['webgui']['session_timeout'] == "")
- $_SESSION['last_access'] = time();
- else {
- /* Check for stale session */
- if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
- $_GET['logout'] = true;
- $_SESSION['Logout'] = true;
- } else {
- /* only update if it wasn't ajax */
- if (!isAjax())
- $_SESSION['last_access'] = time();
- }
- }
-
- /* obtain user object */
- $user = getUserEntry($_SESSION['Username']);
-
- /* user hit the logout button */
- if (isset($_GET['logout'])) {
-
- if ($_SESSION['Logout'])
- log_error("Session timed out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
- else
- log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
-
- if (hasPrivilegeLock($user))
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
-
- /* wipe out $_SESSION */
- $_SESSION = array();
-
- if (isset($_COOKIE[session_name()]))
- setcookie(session_name(), '', time()-42000, '/');
-
- /* and destroy it */
- session_destroy();
-
- $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
- $scriptElms = count($scriptName);
- $scriptName = $scriptName[$scriptElms-1];
-
- if (isAjax())
- return false;
-
- /* redirect to page the user is on, it'll prompt them to login again */
- pfSenseHeader($scriptName);
-
- return false;
- }
-
- /*
- * user wants to explicitely delete the lock file.
- * Requires a particular privilege.
- */
- if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * user wants to explicitely create a lock.
- * Requires a particular privilege.
- */
- if ($_GET['createlock'] && hasPrivilegeLock($user)) {
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * this is for debugging purpose if you do not want to use Ajax
- * to submit a HTML form. It basically diables the observation
- * of the submit event and hence does not trigger Ajax.
- */
- if ($_GET['disable_ajax']) {
- $_SESSION['NO_AJAX'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * Same to re-enable Ajax.
- */
- if ($_GET['enable_ajax']) {
- unset($_SESSION['NO_AJAX']);
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * is the user is allowed to create a lock
- */
- if (hasPrivilegeLock($user)) {
-
- /*
- * create a lock once per session
- */
- if (!isset($_SESSION['Lock_Created'])) {
-
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- }
-
- } else {
-
- /*
- * give regular users a chance to automatically invalidate
- * a lock if its older than a particular time.
- */
- if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
-
- $offset = 12; //hours
- $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
- $now_minus_offset = mktime(date("H") - $offset, 0, 0,
- date("m"), date("d"), date("Y"));
-
- if (($mtime - $now_minus_offset) < $mtime) {
- require_once("authgui.inc");
- display_login_form();
- return false;
- }
-
- /*
- * file is older than mtime + offset which may
- * indicate a stale lockfile, hence we are going
- * to remove it.
- */
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- }
- }
-
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
-}
-
-function pam_backed($username = "", $password = "") {
-
- /* do not allow blank passwords */
- if ($username == "" || password == "")
- return false;
-
- if (!extension_loaded( 'pam_auth'))
- if (!@dl('pam_auth.so'))
- return false;
-
- /* no php file no auth, sorry */
- if (!file_exists("/etc/pam.d/php")) {
-
- if (!file_exists("/etc/pam.d"))
- mkdir("/etc/pam.d");
-
- $pam_php = <<<EOD
-
-# /etc/pam.d/php
-#
-# note: both an auth and account entry are required
-
-# auth
-auth required pam_nologin.so no_warn
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_unix.so
-
-# session
-session required pam_permit.so
-
-# password
-password required pam_unix.so no_warn try_first_pass
-
-EOD;
-
- file_put_contents("/etc/pam.d/php", $pam_php);
- }
-
- if (pam_auth($username, $password, &$error))
- return true;
-
- return false;
-}
-
-function passwd_backed($username, $passwd) {
-
- $authfile = file("/etc/master.passwd");
- $matches="";
-
- /* Check to see if user even exists */
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /*
- * Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
-
- return false;
-}
-
function ldap_test_connection() {
global $config, $g;
@@ -686,8 +406,8 @@ function ldap_get_user_ous($show_complete_ou=true) { $ldapfilter = "(ou=*)";
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -695,8 +415,8 @@ function ldap_get_user_ous($show_complete_ou=true) { ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -762,8 +482,8 @@ function ldap_get_groups($username) { /* connect and see if server is up */
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -772,8 +492,8 @@ function ldap_get_groups($username) { /* bind as user that has rights to read group attributes */
if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -838,8 +558,8 @@ function ldap_backed($username, $passwd) { /* first check if there is even an LDAP server populated */
if(!$ldapserver) {
- log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -849,15 +569,15 @@ function ldap_backed($username, $passwd) { /* Make sure we can connect to LDAP */
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
/* ok, its up. now, lets bind as the bind user so we can search it */
if (!($res = ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
ldap_close($ldap);
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -914,7 +634,7 @@ function ldap_backed($username, $passwd) { }
if ($matches != 1){
log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
$_SESSION['ldapon'] = "false";
ldap_close($ldap);
return $status;
@@ -956,7 +676,7 @@ function ldap_backed($username, $passwd) { }
if($matches != 1){
log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
ldap_close($ldap);
$_SESSION['ldapon'] = "false";
return $status;
@@ -965,8 +685,8 @@ function ldap_backed($username, $passwd) { /* Now lets bind as the user we found */
if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -976,30 +696,6 @@ function ldap_backed($username, $passwd) { return true;
}
-function htpasswd_backed($username, $passwd) {
- $authfile = file("/var/run/htpasswd");
-
- /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */
- unlink_if_exists("/usr/local/www/.htpasswd");
-
- $matches="";
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /* Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
-
- return false;
-}
-
function radius_backed($username, $passwd){
global $config, $debug;
$ret = false;
@@ -1043,4 +739,200 @@ function radius_backed($username, $passwd){ return $ret;
}
+function session_auth($backing) {
+ global $g, $HTTP_SERVER_VARS, $userindex, $config;
+
+ session_start();
+
+ /* Validate incoming login request */
+ if (isset($_POST['login'])) {
+ if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
+ $_SESSION['Logged_In'] = "True";
+ $_SESSION['Username'] = $_POST['usernamefld'];
+ $_SESSION['last_access'] = time();
+ log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ } else {
+ /* give the user a more detailed error message */
+ if (isset($userindex[$_POST['usernamefld']])) {
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Wrong password entered for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
+ }
+ } else {
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Attempted login for invalid user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
+ }
+ }
+ }
+ }
+
+ /* Show login page if they aren't logged in */
+ if (empty($_SESSION['Logged_In'])) {
+ /* Don't display login forms to AJAX */
+ if (isAjax())
+ return false;
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ }
+
+ /* If session timeout isn't set, we don't mark sessions stale */
+ if (!isset($config['system']['webgui']['session_timeout']) ||
+ $config['system']['webgui']['session_timeout'] == 0 ||
+ $config['system']['webgui']['session_timeout'] == "")
+ $_SESSION['last_access'] = time();
+ else {
+ /* Check for stale session */
+ if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
+ $_GET['logout'] = true;
+ $_SESSION['Logout'] = true;
+ } else {
+ /* only update if it wasn't ajax */
+ if (!isAjax())
+ $_SESSION['last_access'] = time();
+ }
+ }
+
+ /* obtain user object */
+ $user = getUserEntry($_SESSION['Username']);
+
+ /* user hit the logout button */
+ if (isset($_GET['logout'])) {
+
+ if ($_SESSION['Logout'])
+ log_error("Session timed out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+ else
+ log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+
+ if (hasPrivilegeLock($user))
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+
+ /* wipe out $_SESSION */
+ $_SESSION = array();
+
+ if (isset($_COOKIE[session_name()]))
+ setcookie(session_name(), '', time()-42000, '/');
+
+ /* and destroy it */
+ session_destroy();
+
+ $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
+ $scriptElms = count($scriptName);
+ $scriptName = $scriptName[$scriptElms-1];
+
+ if (isAjax())
+ return false;
+
+ /* redirect to page the user is on, it'll prompt them to login again */
+ pfSenseHeader($scriptName);
+
+ return false;
+ }
+
+ /*
+ * user wants to explicitely delete the lock file.
+ * Requires a particular privilege.
+ */
+ if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * user wants to explicitely create a lock.
+ * Requires a particular privilege.
+ */
+ if ($_GET['createlock'] && hasPrivilegeLock($user)) {
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
+ fclose($fd);
+
+ /*
+ * if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * this is for debugging purpose if you do not want to use Ajax
+ * to submit a HTML form. It basically diables the observation
+ * of the submit event and hence does not trigger Ajax.
+ */
+ if ($_GET['disable_ajax']) {
+ $_SESSION['NO_AJAX'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * Same to re-enable Ajax.
+ */
+ if ($_GET['enable_ajax']) {
+ unset($_SESSION['NO_AJAX']);
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * is the user is allowed to create a lock
+ */
+ if (hasPrivilegeLock($user)) {
+
+ /*
+ * create a lock once per session
+ */
+ if (!isset($_SESSION['Lock_Created'])) {
+
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
+ fclose($fd);
+
+ /*
+ * if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+ }
+
+ } else {
+
+ /*
+ * give regular users a chance to automatically invalidate
+ * a lock if its older than a particular time.
+ */
+ if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
+
+ $offset = 12; //hours
+ $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
+ $now_minus_offset = mktime(date("H") - $offset, 0, 0,
+ date("m"), date("d"), date("Y"));
+
+ if (($mtime - $now_minus_offset) < $mtime) {
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ }
+
+ /*
+ * file is older than mtime + offset which may
+ * indicate a stale lockfile, hence we are going
+ * to remove it.
+ */
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ }
+ }
+
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+}
+
?>
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc index 7467ccd..e370250 100644 --- a/etc/inc/authgui.inc +++ b/etc/inc/authgui.inc @@ -46,7 +46,6 @@ require_once("functions.inc"); * radius_backed - this will allow you to use a radius server * pam_backed - this uses the system's PAM facility .htpasswd file */ -$auth_method="session_auth"; /* enable correct auth backend, default to htpasswd_backed */ $ldapcase = $config['system']['webgui']['backend']; @@ -59,11 +58,11 @@ switch($ldapcase) $backing_method="ldap_backed"; break; default: - $backing_method="htpasswd_backed"; + $backing_method="local_backed"; } /* Authenticate user - exit if failed */ -if (!$auth_method($backing_method)) +if (!session_auth($backing_method)) exit; /* diff --git a/etc/inc/config.inc b/etc/inc/config.inc index f811b53..cd9e13d 100644 --- a/etc/inc/config.inc +++ b/etc/inc/config.inc @@ -1592,7 +1592,7 @@ function convert_config() { $groups[] = $all; $groups = array_merge($config['system']['group'],$groups); $config['system']['group'] = $groups; - set_local_group($all); + local_group_set($all); $config['version'] = 4.9; } @@ -1643,7 +1643,7 @@ function convert_config() { } /* sync all local account information */ - sync_local_accounts(); + local_sync_accounts(); $config['version'] = 5.0; } diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 9c71b67..f49943a 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -2580,36 +2580,6 @@ function reload_interfaces() { touch("/tmp/reload_interfaces"); } -/****f* pfsense-utils/sync_webgui_passwords - * NAME - * sync_webgui_passwords - syncs all www pwdb entries - * INPUTS - * none - * RESULT - * none - ******/ -function sync_webgui_passwords() { - global $config, $g, $groupindex, $userindex; - - conf_mount_rw(); - $fd = fopen("{$g['varrun_path']}/htpasswd", "w"); - - if (!$fd) { - log_error("Error: cannot open htpasswd in sync_webgui_passwords().\n"); - return 1; - } - - /* loop through custom users and add "virtual" entries */ - if ($config['system']['user']) - foreach ($config['system']['user'] as $user) - fwrite($fd, "{$user['name']}:{$user['password']}\n"); - - fclose($fd); - chmod("{$g['varrun_path']}/htpasswd", 0600); - - conf_mount_ro(); -} - /****f* pfsense-utils/reload_all_sync * NAME * reload_all - reload all settings @@ -2693,7 +2663,7 @@ function reload_all_sync() { system_routing_enable(); /* ensure passwords are sync'd */ - system_password_configure(); +// system_password_configure(); /* start dnsmasq service */ services_dnsmasq_configure(); diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc index 917cc00..dfacf55 100644 --- a/etc/inc/priv.inc +++ b/etc/inc/priv.inc @@ -142,7 +142,7 @@ function get_user_privileges(& $user) { if (!is_array($privs))
$privs = array();
- $names = get_local_user_groups($user, true);
+ $names = local_user_get_groups($user, true);
foreach ($names as $name) {
$group = getGroupEntry($name);
@@ -162,7 +162,7 @@ function get_user_privdesc(& $user) { if (!is_array($user_privs))
$user_privs = array();
- $names = get_local_user_groups($user, true);
+ $names = local_user_get_groups($user, true);
foreach ($names as $name) {
$group = getGroupEntry($name);
@@ -244,7 +244,7 @@ function getAllowedPages($username) { // obtain local groups if we have a local user
if ($local_user) {
- $allowed_groups = get_local_user_groups($local_user);
+ $allowed_groups = local_user_get_groups($local_user);
getPrivPages($local_user, $allowed_pages);
}
diff --git a/etc/inc/system.inc b/etc/inc/system.inc index 24617c9..c161e8f 100644 --- a/etc/inc/system.inc +++ b/etc/inc/system.inc @@ -494,9 +494,6 @@ function system_webgui_start() { sleep(1); - /* generate password file */ - system_password_configure(); - chdir($g['www_path']); /* non-standard port? */ @@ -592,9 +589,6 @@ function system_webgui_start_old() { /* kill any running mini_httpd */ killbypid("{$g['varrun_path']}/mini_httpd.pid"); - /* generate password file */ - system_password_configure(); - chdir($g['www_path']); /* non-standard port? */ @@ -1000,21 +994,6 @@ EOD; } -function system_password_configure() { - global $config, $g; - if(isset($config['system']['developerspew'])) { - $mt = microtime(); - echo "system_password_configure() being called $mt\n"; - } - - /* sync passwords */ - sync_webgui_passwords(); - - /* !NOTE! conf_mount_ro is done by sync_webgui_passwords() */ - - return 0; -} - function system_timezone_configure() { global $config, $g; if(isset($config['system']['developerspew'])) { @@ -1308,4 +1287,4 @@ function enable_watchdog() { } } -?>
\ No newline at end of file +?> diff --git a/etc/phpshellsessions/cvssync b/etc/phpshellsessions/cvssync index fdb7159..6bc1317 100644 --- a/etc/phpshellsessions/cvssync +++ b/etc/phpshellsessions/cvssync @@ -148,9 +148,9 @@ function post_cvssync_commands() { echo "===> Upgrading configuration (if needed)...\n"; convert_config(); - + echo "===> Syncing system passwords...\n"; - sync_webgui_passwords(); + local_sync_accounts(); echo "===> Restarting check_reload_status...\n"; exec("killall check_reload_status"); diff --git a/etc/rc.bootup b/etc/rc.bootup index eb98118..ec8066c 100755 --- a/etc/rc.bootup +++ b/etc/rc.bootup @@ -106,11 +106,6 @@ system_setup_sysctl(); echo "done.\n"; - /* sync user passwords */ - echo "Syncing user passwords..."; - sync_webgui_passwords(); - echo "done.\n"; - echo "Starting Secure Shell Services..."; mwexec_bg("/etc/sshd"); echo "done.\n"; @@ -216,7 +211,7 @@ system_routing_enable(); /* ensure passwords are sync'd */ - system_password_configure(); +// system_password_configure(); /* configure console menu */ system_console_configure(); diff --git a/etc/rc.initial.password b/etc/rc.initial.password index f92055f..82a3edd 100755 --- a/etc/rc.initial.password +++ b/etc/rc.initial.password @@ -41,17 +41,25 @@ The webConfigurator password will be reset to the default (which is "' . strtolo gettext('Do you want to proceed [y|n]?'); if (strcasecmp(chop(fgets($fp)), "y") == 0) { - - foreach ($config['system']['user'] as & $user) { - if (isset($user['uid']) && !$user['uid']) { - $user['name'] = "admin"; - set_local_user($user, strtolower($g['product_name'])); - write_config(gettext("password changed from console menu")); - system_password_configure(); - break; - } + $admin_user =& getUserEntryByUID(0); + if (!$admin_user) { + echo "Failed to locate the admin user account! Attempting to restore access.\n"; + $admin_user = array(); + $admin_user['uid'] = 0; + $admin_user['priv'] = explode(",", "user-shell-access,page-all"); + if (!is_array($config['system']['user'])) + $config['system']['user'] = array(); + $config['system']['user'][] = $admin_user; } + $admin_user['name'] = "admin"; + $admin_user['scope'] = "system"; + $admin_user['blah'] = "set by console"; + + local_user_set_password($admin_user, strtolower($g['product_name'])); + local_user_set($admin_user); + write_config(gettext("password changed from console menu")); + echo "\n" . gettext(' The password for the webConfigurator has been reset and the default username has been set to "admin".') . "\n" . @@ -65,9 +65,6 @@ touch("/var/log/lastlog"); } - /* reset passwords */ - sync_webgui_passwords(); - $sshConfigDir = "/etc/ssh"; if($config['system']['ssh']['port'] <> "") { diff --git a/usr/local/www/pkg_mgr_install.php b/usr/local/www/pkg_mgr_install.php index 359d575..20d2dde 100755 --- a/usr/local/www/pkg_mgr_install.php +++ b/usr/local/www/pkg_mgr_install.php @@ -119,9 +119,6 @@ ob_flush(); /* mount rw fs */ conf_mount_rw(); -/* resync password database to avoid out of sync issues */ -sync_webgui_passwords(); - switch($_GET['mode']) { case "delete": $id = get_pkg_id($_GET['pkg']); diff --git a/usr/local/www/system.php b/usr/local/www/system.php index b04e9ce..8abaf4d 100755 --- a/usr/local/www/system.php +++ b/usr/local/www/system.php @@ -117,9 +117,6 @@ if ($_POST) { ($_POST['webguiport'] < 1) || ($_POST['webguiport'] > 65535))) { $input_errors[] = "A valid TCP/IP port must be specified for the webConfigurator port."; } - if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) { - $input_errors[] = "The passwords do not match."; - } $t = (int)$_POST['timeupdateinterval']; if (($t < 0) || (($t > 0) && ($t < 6)) || ($t > 1440)) { @@ -163,12 +160,6 @@ if ($_POST) { unset($config['system']['dnsallowoverride']); $config['system']['dnsallowoverride'] = $_POST['dnsallowoverride'] ? true : false; - if ($_POST['password']) { - $config['system']['password'] = crypt($_POST['password']); - update_changedesc("password changed via webConfigurator"); - sync_webgui_passwords(); - } - /* which interface should the dns servers resolve through? */ if($_POST['dns1gwint']) $config['system']['dns1gwint'] = $pconfig['dns1gwint']; @@ -205,7 +196,6 @@ if ($_POST) { $retval = system_hostname_configure(); $retval |= system_hosts_generate(); $retval |= system_resolvconf_generate(); - $retval |= system_password_configure(); $retval |= services_dnsmasq_configure(); $retval |= system_timezone_configure(); $retval |= system_ntp_configure(); diff --git a/usr/local/www/system_groupmanager.php b/usr/local/www/system_groupmanager.php index e79a77f..d2ab78e 100644 --- a/usr/local/www/system_groupmanager.php +++ b/usr/local/www/system_groupmanager.php @@ -63,7 +63,7 @@ if ($_GET['act'] == "delgroup") { exit; } - del_local_group($a_group[$_GET['id']]); + local_group_del($a_group[$_GET['id']]); $groupdeleted = $a_group[$_GET['id']]['name']; unset($a_group[$_GET['id']]); write_config(); @@ -84,7 +84,7 @@ if ($_GET['act'] == "delpriv") { foreach ($a_group[$id]['member'] as $uid) { $user = getUserEntryByUID($uid); if ($user) - set_local_user($user); + local_user_set($user); } write_config(); @@ -146,7 +146,7 @@ if ($_POST) { $a_group[] = $group; } - set_local_group($group); + local_group_set($group); write_config(); header("Location: system_groupmanager.php"); diff --git a/usr/local/www/system_groupmanager_addprivs.php b/usr/local/www/system_groupmanager_addprivs.php index 6c808be..a449b2d 100644 --- a/usr/local/www/system_groupmanager_addprivs.php +++ b/usr/local/www/system_groupmanager_addprivs.php @@ -85,7 +85,7 @@ if ($_POST) { foreach ($a_group['member'] as $uid) { $user = getUserEntryByUID($uid); if ($user) - set_local_user($user); + local_user_set($user); } $retval = write_config(); diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index 791fae6..0b8f76e 100644 --- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php @@ -67,11 +67,10 @@ if (isAllowedPage("system_usermanager")) { exit; } - del_local_user($a_user[$_GET['id']]); + local_user_del($a_user[$_GET['id']]); $userdeleted = $a_user[$_GET['id']]['name']; unset($a_user[$_GET['id']]); write_config(); - $retval = system_password_configure(); $savemsg = gettext("User")." {$userdeleted} ". gettext("successfully deleted")."<br/>"; } @@ -96,7 +95,7 @@ if (isAllowedPage("system_usermanager")) { if (isset($id) && $a_user[$id]) { $pconfig['usernamefld'] = $a_user[$id]['name']; $pconfig['fullname'] = $a_user[$id]['fullname']; - $pconfig['groups'] = get_local_user_groups($a_user[$id]); + $pconfig['groups'] = local_user_get_groups($a_user[$id]); $pconfig['utype'] = $a_user[$id]['scope']; $pconfig['uid'] = $a_user[$id]['uid']; $pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']); @@ -163,10 +162,14 @@ if (isAllowedPage("system_usermanager")) { if (isset($id) && $a_user[$id]) $userent = $a_user[$id]; - /* the user did change his username */ + /* the user name was modified */ if ($_POST['usernamefld'] <> $_POST['oldusername']) $_SERVER['REMOTE_USER'] = $_POST['usernamefld']; + /* the user password was mofified */ + if ($_POST['passwordfld1']) + local_user_set_password($userent, $_POST['passwordfld1']); + $userent['name'] = $_POST['usernamefld']; $userent['fullname'] = $_POST['fullname']; @@ -182,10 +185,9 @@ if (isAllowedPage("system_usermanager")) { $a_user[] = $userent; } - set_local_user($userent, $_POST['passwordfld1']); - set_local_user_groups($userent,$_POST['groups']); + local_user_set($userent); + local_user_set_groups($userent,$_POST['groups']); write_config(); - $retval = system_password_configure(); pfSenseHeader("system_usermanager.php"); } @@ -488,7 +490,7 @@ function presubmit() { <td class="listr"><?=htmlspecialchars($userent['fullname']);?> </td> <td class="listbg"> <font color="white"> - <?=implode(",",get_local_user_groups($userent));?> + <?=implode(",",local_user_get_groups($userent));?> </font> </td> @@ -563,10 +565,6 @@ function presubmit() { $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['password'] = crypt(trim($_POST['passwordfld1'])); write_config(); - - sync_webgui_passwords(); - - $retval = system_password_configure(); $savemsg = "Password successfully changed<br />"; } } diff --git a/usr/local/www/system_usermanager_addprivs.php b/usr/local/www/system_usermanager_addprivs.php index 61758b7..0214d63 100644 --- a/usr/local/www/system_usermanager_addprivs.php +++ b/usr/local/www/system_usermanager_addprivs.php @@ -86,7 +86,7 @@ if ($_POST) { else $a_user['priv'] = array_merge($a_user['priv'], $pconfig['sysprivs']); - set_local_user($a_user); + local_user_set($a_user); $retval = write_config(); $savemsg = get_std_save_message($retval); diff --git a/usr/local/www/system_usermanager_settings.php b/usr/local/www/system_usermanager_settings.php index c1d3a71..90e6598 100755 --- a/usr/local/www/system_usermanager_settings.php +++ b/usr/local/www/system_usermanager_settings.php @@ -126,12 +126,8 @@ if ($_POST) { else
unset($pconfig['ldapgroupattribute']);
-
write_config();
- $retval = system_password_configure();
- sync_webgui_passwords();
-
}
}
diff --git a/usr/local/www/wizards/setup_wizard.xml b/usr/local/www/wizards/setup_wizard.xml index e6b46bc..1cf882c 100644 --- a/usr/local/www/wizards/setup_wizard.xml +++ b/usr/local/www/wizards/setup_wizard.xml @@ -418,14 +418,10 @@ <stepsubmitphpaction> if($_POST['adminpassword'] != "") { if($_POST['adminpassword'] == $_POST['adminpasswordagain']) { - $fd = popen("/usr/sbin/pw usermod -n root -H 0", "w"); - $salt = md5(time()); - $crypted_pw = crypt($_POST['adminpassword'],$salt); - fwrite($fd, $crypted_pw); - pclose($fd); - $config['system']['password'] = crypt($_POST['adminpassword']); + $admin_user =& getUserEntryByUID(0); + local_user_set_password($admin_user, $_POST['adminpassword']); + local_user_set($admin_user); write_config(); - system_password_configure(); } else { print_info_box_np("Passwords do not match! Please press back in your browser window and correct."); die; |