-rw-r--r--etc/inc/auth.inc630
-rw-r--r--etc/inc/authgui.inc5
-rw-r--r--etc/inc/config.inc4
-rw-r--r--etc/inc/pfsense-utils.inc32
-rw-r--r--etc/inc/priv.inc6
-rw-r--r--etc/inc/system.inc23
-rw-r--r--etc/phpshellsessions/cvssync4
-rwxr-xr-xetc/rc.bootup7
-rwxr-xr-xetc/rc.initial.password26
-rwxr-xr-xetc/sshd3
-rwxr-xr-xusr/local/www/pkg_mgr_install.php3
-rwxr-xr-xusr/local/www/system.php10
-rw-r--r--usr/local/www/system_groupmanager.php6
-rw-r--r--usr/local/www/system_groupmanager_addprivs.php2
-rw-r--r--usr/local/www/system_usermanager.php22
-rw-r--r--usr/local/www/system_usermanager_addprivs.php2
-rwxr-xr-xusr/local/www/system_usermanager_settings.php4
-rw-r--r--usr/local/www/wizards/setup_wizard.xml10
18 files changed, 308 insertions, 491 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 2d89e5d..3d5b3ac 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -102,7 +102,18 @@ function & getGroupEntryByGID($gid) {
return false;
}
-function sync_local_accounts() {
+function local_backed($username, $passwd) {
+
+ $user = getUserEntry($username);
+ if (!$user)
+ return false;
+
+ $passwd = crypt($passwd, $user['password']);
+
+ return ($passwd == $user['password']);
+}
+
+function local_sync_accounts() {
global $config;
/* remove local users to avoid uid conflicts */
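Review bot: `local_backed` decides the login with `$passwd == $user['password']` and never checks that the stored hash is present, so an entry whose `password` field is empty or malformed is accepted or rejected by whatever `crypt()` happens to return for a bad salt rather than by an explicit check. Tighten the lookup to `if (!$user || empty($user['password'])) return false;` and compare with `===`; where the runtime offers `hash_equals()`, use it so the comparison does not leak timing. Overwriting the `$passwd` parameter with the computed hash also hurts readability; a separate `$hash` local would make the two values distinct.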
@@ -140,22 +151,20 @@ function sync_local_accounts() {
/* make sure the all group exists */
$allgrp = getGroupEntryByGID(1998);
- set_local_group($allgrp, true);
+ local_group_set($allgrp, true);
/* sync all local users */
if (is_array($config['system']['user']))
foreach ($config['system']['user'] as $user)
- set_local_user($user);
+ local_user_set($user);
/* sync all local groups */
if (is_array($config['system']['group']))
foreach ($config['system']['group'] as $group)
- set_local_group($group);
-
- sync_webgui_passwords();
+ local_group_set($group);
}
-function set_local_user(& $user, $password = false) {
+function local_user_set(& $user) {
global $g;
$home_base = $g['platform'] == "pfSense" ? "/home" : "/var/home";
@@ -168,30 +177,6 @@ function set_local_user(& $user, $password = false) {
$user_shell = "/etc/rc.initial";
$user_group = "nobody";
- /* set all password hashes if required */
- if ($password && strlen($password)) {
-
- $user['password'] = crypt($password);
- $user['md5-hash'] = md5($password);
-
- /*
- * NOTE : This section of code id based on the BSD
- * licensed CHAP.php courtesy of Michael Retterklieber.
- */
- /* Waiting for mhash to settle into the tree
- // Converts ascii to unicode.
- $astr = (string) $password;
- $ustr = '';
- for ($i = 0; $i < strlen($astr); $i++) {
- $a = ord($astr{$i}) << 8;
- $ustr.= sprintf("%X", $a);
- }
-
- // Generate the NT-HASH from the unicode string
- $user['nt-hash'] = bin2hex(mhash(MHASH_MD4, $ustr));
- */
- }
-
/* configure shell type */
if (!hasPrivilegeShell($user)) {
if (!hasPrivilegeCopyFiles($user))
@@ -241,10 +226,10 @@ function set_local_user(& $user, $password = false) {
create_authorized_keys($user_name, $user_home);
}
-function del_local_user($user) {
+function local_user_del($user) {
/* remove all memberships */
- set_local_user_groups($user);
+ local_user_get_groups($user);
/* delete from pw db */
$cmd = "/usr/sbin/pw userdel {$user['name']}";
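Review bot: The comment in `local_user_del` still says "remove all memberships", but the renamed call below it now goes to `local_user_get_groups`, which from its signature further down (`local_user_get_groups($user, $all = false)`) only reads the group list and whose result is discarded here; the replaced call was the setter `set_local_user_groups($user)` with no new groups, so the intended line is `local_user_set_groups($user);`. Separately, the `pw userdel` command on the last line interpolates `$user['name']` unquoted into a shell string; wrapping it with `escapeshellarg()` keeps a name containing shell metacharacters from altering the command. The function body continues past the end of the hunk.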
@@ -255,7 +240,30 @@ function del_local_user($user) {
pclose($fd);
}
-function get_local_user_groups($user, $all = false) {
+function local_user_set_password(& $user, $password) {
+
+ $user['password'] = crypt($password);
+ $user['md5-hash'] = md5($password);
+
+ /*
+ * NOTE : This section of code id based on the BSD
+ * licensed CHAP.php courtesy of Michael Retterklieber.
+ */
+ /* Waiting for mhash to settle into the tree
+ // Converts ascii to unicode.
+ $astr = (string) $password;
+ $ustr = '';
+ for ($i = 0; $i < strlen($astr); $i++) {
+ $a = ord($astr{$i}) << 8;
+ $ustr.= sprintf("%X", $a);
+ }
+
+ // Generate the NT-HASH from the unicode string
+ $user['nt-hash'] = bin2hex(mhash(MHASH_MD4, $ustr));
+ */
+}
+
+function local_user_get_groups($user, $all = false) {
global $config;
$groups = array();
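Review bot: `local_user_set_password` calls `crypt($password)` with no salt argument, so the hash algorithm and salt come from the platform default, and next to it stores an unsalted `md5($password)`; the commit moves this code out of `local_user_set` but carries the weakness along. Pass an explicit salt that selects a strong algorithm (a `$1$`- or `$6$`-prefixed salt built from a CSPRNG) and add a comment stating which consumer still requires the `md5-hash` field, or drop that field. The large commented-out NT-hash block is better reduced to a one-line TODO than copied verbatim into the new function.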
@@ -273,13 +281,13 @@ function get_local_user_groups($user, $all = false) {
return $groups;
}
-function set_local_user_groups($user, $new_groups = NULL ) {
+function local_user_set_groups($user, $new_groups = NULL ) {
global $config, $groupindex;
if (!is_array($config['system']['group']))
return;
- $cur_groups = get_local_user_groups($user);
+ $cur_groups = local_user_get_groups($user);
$mod_groups = array();
if (!is_array($new_groups))
@@ -309,10 +317,10 @@ function set_local_user_groups($user, $new_groups = NULL ) {
/* sync all modified groups */
foreach ($mod_groups as $group)
- set_local_group($group);
+ local_group_set($group);
}
-function set_local_group($group, $reset = false) {
+function local_group_set($group, $reset = false) {
$group_name = $group['name'];
$group_gid = $group['gid'];
@@ -340,7 +348,7 @@ function set_local_group($group, $reset = false) {
pclose($fd);
}
-function del_local_group($group) {
+function local_group_del($group) {
/* delete from group db */
$cmd = "/usr/sbin/pw groupdel {$group['name']}";
@@ -351,294 +359,6 @@ function del_local_group($group) {
pclose($fd);
}
-function basic_auth($backing) {
- global $HTTP_SERVER_VARS;
-
- /* Check for AUTH_USER */
- if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") {
- $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
- $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
- }
-
- if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) {
- require_once("authgui.inc");
- header("WWW-Authenticate: Basic realm=\".\"");
- header("HTTP/1.0 401 Unauthorized");
- display_error_form("401", gettext("You must enter valid credentials to access this resource."));
- exit;
- }
-
- return $backing($HTTP_SERVER_VARS['AUTH_USER'],$HTTP_SERVER_VARS['AUTH_PW']);
-}
-
-function session_auth($backing) {
- global $g, $HTTP_SERVER_VARS, $userindex, $config;
-
- session_start();
-
- /* Validate incoming login request */
- if (isset($_POST['login'])) {
- if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
- $_SESSION['Logged_In'] = "True";
- $_SESSION['Username'] = $_POST['usernamefld'];
- $_SESSION['last_access'] = time();
- log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- } else {
- /* give the user a more detailed error message */
- if (isset($userindex[$_POST['usernamefld']])) {
- $_SESSION['Login_Error'] = "Username or Password incorrect";
- log_error("Wrong password entered for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- if(isAjax()) {
- echo "showajaxmessage('{$_SESSION['Login_Error']}');";
- return;
- }
- } else {
- $_SESSION['Login_Error'] = "Username or Password incorrect";
- log_error("Attempted login for invalid user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
- if(isAjax()) {
- echo "showajaxmessage('{$_SESSION['Login_Error']}');";
- return;
- }
- }
- }
- }
-
- /* Show login page if they aren't logged in */
- if (empty($_SESSION['Logged_In'])) {
- /* Don't display login forms to AJAX */
- if (isAjax())
- return false;
- require_once("authgui.inc");
- display_login_form();
- return false;
- }
-
- /* If session timeout isn't set, we don't mark sessions stale */
- if (!isset($config['system']['webgui']['session_timeout']) ||
- $config['system']['webgui']['session_timeout'] == 0 ||
- $config['system']['webgui']['session_timeout'] == "")
- $_SESSION['last_access'] = time();
- else {
- /* Check for stale session */
- if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
- $_GET['logout'] = true;
- $_SESSION['Logout'] = true;
- } else {
- /* only update if it wasn't ajax */
- if (!isAjax())
- $_SESSION['last_access'] = time();
- }
- }
-
- /* obtain user object */
- $user = getUserEntry($_SESSION['Username']);
-
- /* user hit the logout button */
- if (isset($_GET['logout'])) {
-
- if ($_SESSION['Logout'])
- log_error("Session timed out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
- else
- log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
-
- if (hasPrivilegeLock($user))
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
-
- /* wipe out $_SESSION */
- $_SESSION = array();
-
- if (isset($_COOKIE[session_name()]))
- setcookie(session_name(), '', time()-42000, '/');
-
- /* and destroy it */
- session_destroy();
-
- $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
- $scriptElms = count($scriptName);
- $scriptName = $scriptName[$scriptElms-1];
-
- if (isAjax())
- return false;
-
- /* redirect to page the user is on, it'll prompt them to login again */
- pfSenseHeader($scriptName);
-
- return false;
- }
-
- /*
- * user wants to explicitely delete the lock file.
- * Requires a particular privilege.
- */
- if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * user wants to explicitely create a lock.
- * Requires a particular privilege.
- */
- if ($_GET['createlock'] && hasPrivilegeLock($user)) {
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * this is for debugging purpose if you do not want to use Ajax
- * to submit a HTML form. It basically diables the observation
- * of the submit event and hence does not trigger Ajax.
- */
- if ($_GET['disable_ajax']) {
- $_SESSION['NO_AJAX'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * Same to re-enable Ajax.
- */
- if ($_GET['enable_ajax']) {
- unset($_SESSION['NO_AJAX']);
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * is the user is allowed to create a lock
- */
- if (hasPrivilegeLock($user)) {
-
- /*
- * create a lock once per session
- */
- if (!isset($_SESSION['Lock_Created'])) {
-
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- }
-
- } else {
-
- /*
- * give regular users a chance to automatically invalidate
- * a lock if its older than a particular time.
- */
- if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
-
- $offset = 12; //hours
- $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
- $now_minus_offset = mktime(date("H") - $offset, 0, 0,
- date("m"), date("d"), date("Y"));
-
- if (($mtime - $now_minus_offset) < $mtime) {
- require_once("authgui.inc");
- display_login_form();
- return false;
- }
-
- /*
- * file is older than mtime + offset which may
- * indicate a stale lockfile, hence we are going
- * to remove it.
- */
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- }
- }
-
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
-}
-
-function pam_backed($username = "", $password = "") {
-
- /* do not allow blank passwords */
- if ($username == "" || password == "")
- return false;
-
- if (!extension_loaded( 'pam_auth'))
- if (!@dl('pam_auth.so'))
- return false;
-
- /* no php file no auth, sorry */
- if (!file_exists("/etc/pam.d/php")) {
-
- if (!file_exists("/etc/pam.d"))
- mkdir("/etc/pam.d");
-
- $pam_php = <<<EOD
-
-# /etc/pam.d/php
-#
-# note: both an auth and account entry are required
-
-# auth
-auth required pam_nologin.so no_warn
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_unix.so
-
-# session
-session required pam_permit.so
-
-# password
-password required pam_unix.so no_warn try_first_pass
-
-EOD;
-
- file_put_contents("/etc/pam.d/php", $pam_php);
- }
-
- if (pam_auth($username, $password, &$error))
- return true;
-
- return false;
-}
-
-function passwd_backed($username, $passwd) {
-
- $authfile = file("/etc/master.passwd");
- $matches="";
-
- /* Check to see if user even exists */
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /*
- * Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
-
- return false;
-}
-
function ldap_test_connection() {
global $config, $g;
@@ -686,8 +406,8 @@ function ldap_get_user_ous($show_complete_ou=true) {
$ldapfilter = "(ou=*)";
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
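Review bot: The fallback rewritten here calls `local_backed($username, $passwd)` inside `ldap_get_user_ous($show_complete_ou=true)`, whose only parameter is visible in the hunk header, so unless both names are declared `global` above the hunk they are undefined and the call authenticates an empty username against the local user database; the same applies to the bind-failure hunk of this function that follows and to both `ldap_get_groups($username)` hunks, where `$passwd` is likewise not a parameter. These helpers are expected to return OUs or group names, so returning an authentication boolean from them also hands the caller the wrong type. On connect or bind failure, log the error and return an empty array (or `false`) instead of falling back to local authentication.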
@@ -695,8 +415,8 @@ function ldap_get_user_ous($show_complete_ou=true) {
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -762,8 +482,8 @@ function ldap_get_groups($username) {
/* connect and see if server is up */
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -772,8 +492,8 @@ function ldap_get_groups($username) {
/* bind as user that has rights to read group attributes */
if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -838,8 +558,8 @@ function ldap_backed($username, $passwd) {
/* first check if there is even an LDAP server populated */
if(!$ldapserver) {
- log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -849,15 +569,15 @@ function ldap_backed($username, $passwd) {
/* Make sure we can connect to LDAP */
putenv('LDAPTLS_REQCERT=never');
if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
/* ok, its up. now, lets bind as the bind user so we can search it */
if (!($res = ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in htpasswd_backed()");
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
ldap_close($ldap);
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
return $status;
}
@@ -914,7 +634,7 @@ function ldap_backed($username, $passwd) {
}
if ($matches != 1){
log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
$_SESSION['ldapon'] = "false";
ldap_close($ldap);
return $status;
@@ -956,7 +676,7 @@ function ldap_backed($username, $passwd) {
}
if($matches != 1){
log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = htpasswd_backed($username, $passwd);
+ $status = local_backed($username, $passwd);
ldap_close($ldap);
$_SESSION['ldapon'] = "false";
return $status;
@@ -965,8 +685,8 @@ function ldap_backed($username, $passwd) {
/* Now lets bind as the user we found */
if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in htpasswd_backed(). Visit System -> User Manager -> Settings.");
- $status = htpasswd_backed($username, $passwd);
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username} - {$passwd}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
+ $status = local_backed($username, $passwd);
return $status;
}
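Review bot: The rewritten log message on the user-bind failure branch still interpolates `{$passwd}`, so every mistyped password, and the correct one whenever the directory rejects the bind, is written to the system log in cleartext. Remove the password from the message: `log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");`. This branch, like the others in `ldap_backed`, also falls through to local authentication when LDAP refuses the credentials, which means a directory lockout or disabled account is not enforced if a same-named local account exists; if that is intended it deserves a comment saying so.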
@@ -976,30 +696,6 @@ function ldap_backed($username, $passwd) {
return true;
}
-function htpasswd_backed($username, $passwd) {
- $authfile = file("/var/run/htpasswd");
-
- /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */
- unlink_if_exists("/usr/local/www/.htpasswd");
-
- $matches="";
- if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile))))
- return false;
-
- /* Get crypted password */
- preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches);
- $pass = $matches[1];
- $salt = $matches[2];
-
- /* Encrypt entered password with salt
- * And finally validate password
- */
- if ($pass == crypt($passwd, $salt))
- return true;
-
- return false;
-}
-
function radius_backed($username, $passwd){
global $config, $debug;
$ret = false;
@@ -1043,4 +739,200 @@ function radius_backed($username, $passwd){
return $ret;
}
+function session_auth($backing) {
+ global $g, $HTTP_SERVER_VARS, $userindex, $config;
+
+ session_start();
+
+ /* Validate incoming login request */
+ if (isset($_POST['login'])) {
+ if ($backing($_POST['usernamefld'], $_POST['passwordfld'])) {
+ $_SESSION['Logged_In'] = "True";
+ $_SESSION['Username'] = $_POST['usernamefld'];
+ $_SESSION['last_access'] = time();
+ log_error("Successful login for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ } else {
+ /* give the user a more detailed error message */
+ if (isset($userindex[$_POST['usernamefld']])) {
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Wrong password entered for user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
+ }
+ } else {
+ $_SESSION['Login_Error'] = "Username or Password incorrect";
+ log_error("Attempted login for invalid user '{$_POST['usernamefld']}' from: {$_SERVER['REMOTE_ADDR']}");
+ if(isAjax()) {
+ echo "showajaxmessage('{$_SESSION['Login_Error']}');";
+ return;
+ }
+ }
+ }
+ }
+
+ /* Show login page if they aren't logged in */
+ if (empty($_SESSION['Logged_In'])) {
+ /* Don't display login forms to AJAX */
+ if (isAjax())
+ return false;
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ }
+
+ /* If session timeout isn't set, we don't mark sessions stale */
+ if (!isset($config['system']['webgui']['session_timeout']) ||
+ $config['system']['webgui']['session_timeout'] == 0 ||
+ $config['system']['webgui']['session_timeout'] == "")
+ $_SESSION['last_access'] = time();
+ else {
+ /* Check for stale session */
+ if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
+ $_GET['logout'] = true;
+ $_SESSION['Logout'] = true;
+ } else {
+ /* only update if it wasn't ajax */
+ if (!isAjax())
+ $_SESSION['last_access'] = time();
+ }
+ }
+
+ /* obtain user object */
+ $user = getUserEntry($_SESSION['Username']);
+
+ /* user hit the logout button */
+ if (isset($_GET['logout'])) {
+
+ if ($_SESSION['Logout'])
+ log_error("Session timed out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+ else
+ log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
+
+ if (hasPrivilegeLock($user))
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+
+ /* wipe out $_SESSION */
+ $_SESSION = array();
+
+ if (isset($_COOKIE[session_name()]))
+ setcookie(session_name(), '', time()-42000, '/');
+
+ /* and destroy it */
+ session_destroy();
+
+ $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
+ $scriptElms = count($scriptName);
+ $scriptName = $scriptName[$scriptElms-1];
+
+ if (isAjax())
+ return false;
+
+ /* redirect to page the user is on, it'll prompt them to login again */
+ pfSenseHeader($scriptName);
+
+ return false;
+ }
+
+ /*
+ * user wants to explicitely delete the lock file.
+ * Requires a particular privilege.
+ */
+ if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * user wants to explicitely create a lock.
+ * Requires a particular privilege.
+ */
+ if ($_GET['createlock'] && hasPrivilegeLock($user)) {
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
+ fclose($fd);
+
+ /*
+ * if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * this is for debugging purpose if you do not want to use Ajax
+ * to submit a HTML form. It basically diables the observation
+ * of the submit event and hence does not trigger Ajax.
+ */
+ if ($_GET['disable_ajax']) {
+ $_SESSION['NO_AJAX'] = "True";
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * Same to re-enable Ajax.
+ */
+ if ($_GET['enable_ajax']) {
+ unset($_SESSION['NO_AJAX']);
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+ }
+
+ /*
+ * is the user is allowed to create a lock
+ */
+ if (hasPrivilegeLock($user)) {
+
+ /*
+ * create a lock once per session
+ */
+ if (!isset($_SESSION['Lock_Created'])) {
+
+ $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
+ fclose($fd);
+
+ /*
+ * if the user did delete the lock manually, do not
+ * re-create it while the session is valide.
+ */
+ $_SESSION['Lock_Created'] = "True";
+ }
+
+ } else {
+
+ /*
+ * give regular users a chance to automatically invalidate
+ * a lock if its older than a particular time.
+ */
+ if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
+
+ $offset = 12; //hours
+ $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
+ $now_minus_offset = mktime(date("H") - $offset, 0, 0,
+ date("m"), date("d"), date("Y"));
+
+ if (($mtime - $now_minus_offset) < $mtime) {
+ require_once("authgui.inc");
+ display_login_form();
+ return false;
+ }
+
+ /*
+ * file is older than mtime + offset which may
+ * indicate a stale lockfile, hence we are going
+ * to remove it.
+ */
+ unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
+ }
+ }
+
+ $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
+ return true;
+}
+
?>
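Review bot: `session_auth` marks the login successful by setting `$_SESSION['Logged_In']` without first regenerating the session id, so a session id established before authentication keeps its value afterwards; add `session_regenerate_id(true);` immediately before the `$_SESSION['Logged_In'] = "True";` line. The stale-lock test `if (($mtime - $now_minus_offset) < $mtime)` is true whenever `$now_minus_offset` is positive, so the `unlink_if_exists` branch below it appears unreachable and the 12-hour expiry never fires; comparing `$mtime` against `time() - $offset * 3600` would express the intent. `split()` is deprecated in favour of `explode()`. The function is moved rather than new, but these points apply to the code as it now stands.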
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 7467ccd..e370250 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -46,7 +46,6 @@ require_once("functions.inc");
* radius_backed - this will allow you to use a radius server
* pam_backed - this uses the system's PAM facility .htpasswd file
*/
-$auth_method="session_auth";
/* enable correct auth backend, default to htpasswd_backed */
$ldapcase = $config['system']['webgui']['backend'];
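Review bot: The comment block above still documents `pam_backed` and says "default to htpasswd_backed", while this commit deletes both `pam_backed` and `htpasswd_backed` from `auth.inc` and the `default:` case in the next hunk now selects `local_backed`; update the comment to `/* enable correct auth backend, default to local_backed */` and drop the `pam_backed` entry from the list above it. Since `$backing_method` is resolved from `$config['system']['webgui']['backend']`, a one-line comment naming the accepted values would also help the next reader.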
@@ -59,11 +58,11 @@ switch($ldapcase)
$backing_method="ldap_backed";
break;
default:
- $backing_method="htpasswd_backed";
+ $backing_method="local_backed";
}
/* Authenticate user - exit if failed */
-if (!$auth_method($backing_method))
+if (!session_auth($backing_method))
exit;
/*
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index f811b53..cd9e13d 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1592,7 +1592,7 @@ function convert_config() {
$groups[] = $all;
$groups = array_merge($config['system']['group'],$groups);
$config['system']['group'] = $groups;
- set_local_group($all);
+ local_group_set($all);
$config['version'] = 4.9;
}
@@ -1643,7 +1643,7 @@ function convert_config() {
}
/* sync all local account information */
- sync_local_accounts();
+ local_sync_accounts();
$config['version'] = 5.0;
}
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 9c71b67..f49943a 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -2580,36 +2580,6 @@ function reload_interfaces() {
touch("/tmp/reload_interfaces");
}
-/****f* pfsense-utils/sync_webgui_passwords
- * NAME
- * sync_webgui_passwords - syncs all www pwdb entries
- * INPUTS
- * none
- * RESULT
- * none
- ******/
-function sync_webgui_passwords() {
- global $config, $g, $groupindex, $userindex;
-
- conf_mount_rw();
- $fd = fopen("{$g['varrun_path']}/htpasswd", "w");
-
- if (!$fd) {
- log_error("Error: cannot open htpasswd in sync_webgui_passwords().\n");
- return 1;
- }
-
- /* loop through custom users and add "virtual" entries */
- if ($config['system']['user'])
- foreach ($config['system']['user'] as $user)
- fwrite($fd, "{$user['name']}:{$user['password']}\n");
-
- fclose($fd);
- chmod("{$g['varrun_path']}/htpasswd", 0600);
-
- conf_mount_ro();
-}
-
/****f* pfsense-utils/reload_all_sync
* NAME
* reload_all - reload all settings
@@ -2693,7 +2663,7 @@ function reload_all_sync() {
system_routing_enable();
/* ensure passwords are sync'd */
- system_password_configure();
+// system_password_configure();
/* start dnsmasq service */
services_dnsmasq_configure();
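Review bot: The call to `system_password_configure()` is commented out rather than removed, and this same commit deletes that function from `system.inc`, so the line is dead code sitting under a `/* ensure passwords are sync'd */` comment that is no longer true; the same pair of lines appears in the `rc.bootup` hunk below. Delete both lines in each place, or if `local_sync_accounts()` is now meant to cover this step, replace them with a one-line comment saying so.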
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index 917cc00..dfacf55 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -142,7 +142,7 @@ function get_user_privileges(& $user) {
if (!is_array($privs))
$privs = array();
- $names = get_local_user_groups($user, true);
+ $names = local_user_get_groups($user, true);
foreach ($names as $name) {
$group = getGroupEntry($name);
@@ -162,7 +162,7 @@ function get_user_privdesc(& $user) {
if (!is_array($user_privs))
$user_privs = array();
- $names = get_local_user_groups($user, true);
+ $names = local_user_get_groups($user, true);
foreach ($names as $name) {
$group = getGroupEntry($name);
@@ -244,7 +244,7 @@ function getAllowedPages($username) {
// obtain local groups if we have a local user
if ($local_user) {
- $allowed_groups = get_local_user_groups($local_user);
+ $allowed_groups = local_user_get_groups($local_user);
getPrivPages($local_user, $allowed_pages);
}
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 24617c9..c161e8f 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -494,9 +494,6 @@ function system_webgui_start() {
sleep(1);
- /* generate password file */
- system_password_configure();
-
chdir($g['www_path']);
/* non-standard port? */
@@ -592,9 +589,6 @@ function system_webgui_start_old() {
/* kill any running mini_httpd */
killbypid("{$g['varrun_path']}/mini_httpd.pid");
- /* generate password file */
- system_password_configure();
-
chdir($g['www_path']);
/* non-standard port? */
@@ -1000,21 +994,6 @@ EOD;
}
-function system_password_configure() {
- global $config, $g;
- if(isset($config['system']['developerspew'])) {
- $mt = microtime();
- echo "system_password_configure() being called $mt\n";
- }
-
- /* sync passwords */
- sync_webgui_passwords();
-
- /* !NOTE! conf_mount_ro is done by sync_webgui_passwords() */
-
- return 0;
-}
-
function system_timezone_configure() {
global $config, $g;
if(isset($config['system']['developerspew'])) {
@@ -1308,4 +1287,4 @@ function enable_watchdog() {
}
}
-?> \ No newline at end of file
+?>
diff --git a/etc/phpshellsessions/cvssync b/etc/phpshellsessions/cvssync
index fdb7159..6bc1317 100644
--- a/etc/phpshellsessions/cvssync
+++ b/etc/phpshellsessions/cvssync
@@ -148,9 +148,9 @@ function post_cvssync_commands() {
echo "===> Upgrading configuration (if needed)...\n";
convert_config();
-
+
echo "===> Syncing system passwords...\n";
- sync_webgui_passwords();
+ local_sync_accounts();
echo "===> Restarting check_reload_status...\n";
exec("killall check_reload_status");
diff --git a/etc/rc.bootup b/etc/rc.bootup
index eb98118..ec8066c 100755
--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@@ -106,11 +106,6 @@
system_setup_sysctl();
echo "done.\n";
- /* sync user passwords */
- echo "Syncing user passwords...";
- sync_webgui_passwords();
- echo "done.\n";
-
echo "Starting Secure Shell Services...";
mwexec_bg("/etc/sshd");
echo "done.\n";
@@ -216,7 +211,7 @@
system_routing_enable();
/* ensure passwords are sync'd */
- system_password_configure();
+// system_password_configure();
/* configure console menu */
system_console_configure();
diff --git a/etc/rc.initial.password b/etc/rc.initial.password
index f92055f..82a3edd 100755
--- a/etc/rc.initial.password
+++ b/etc/rc.initial.password
@@ -41,17 +41,25 @@ The webConfigurator password will be reset to the default (which is "' . strtolo
gettext('Do you want to proceed [y|n]?');
if (strcasecmp(chop(fgets($fp)), "y") == 0) {
-
- foreach ($config['system']['user'] as & $user) {
- if (isset($user['uid']) && !$user['uid']) {
- $user['name'] = "admin";
- set_local_user($user, strtolower($g['product_name']));
- write_config(gettext("password changed from console menu"));
- system_password_configure();
- break;
- }
+ $admin_user =& getUserEntryByUID(0);
+ if (!$admin_user) {
+ echo "Failed to locate the admin user account! Attempting to restore access.\n";
+ $admin_user = array();
+ $admin_user['uid'] = 0;
+ $admin_user['priv'] = explode(",", "user-shell-access,page-all");
+ if (!is_array($config['system']['user']))
+ $config['system']['user'] = array();
+ $config['system']['user'][] = $admin_user;
}
+ $admin_user['name'] = "admin";
+ $admin_user['scope'] = "system";
+ $admin_user['blah'] = "set by console";
+
+ local_user_set_password($admin_user, strtolower($g['product_name']));
+ local_user_set($admin_user);
+ write_config(gettext("password changed from console menu"));
+
echo "\n" . gettext('
The password for the webConfigurator has been reset and
the default username has been set to "admin".') . "\n" .
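Review bot: When the admin entry is missing, the replacement array is appended to `$config['system']['user']` by value on the `$config['system']['user'][] = $admin_user;` line, and only afterwards are `name`, `scope` and the password hash assigned to the local `$admin_user`, so the entry persisted by `write_config()` carries a uid and privileges but no name or password (the `=&` from `getUserEntryByUID(0)` no longer helps once `$admin_user = array()` replaces the referenced value). Append by reference, `$config['system']['user'][] = &$admin_user;`, or move the append after `local_user_set_password()`. The `$admin_user['blah'] = "set by console";` line looks like a leftover debug key and would be written into the config; drop it. The `explode(",", "user-shell-access,page-all")` call can be the literal `array("user-shell-access", "page-all")`.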
diff --git a/etc/sshd b/etc/sshd
index e2264cd..f9c0405 100755
--- a/etc/sshd
+++ b/etc/sshd
@@ -65,9 +65,6 @@
touch("/var/log/lastlog");
}
- /* reset passwords */
- sync_webgui_passwords();
-
$sshConfigDir = "/etc/ssh";
if($config['system']['ssh']['port'] <> "") {
diff --git a/usr/local/www/pkg_mgr_install.php b/usr/local/www/pkg_mgr_install.php
index 359d575..20d2dde 100755
--- a/usr/local/www/pkg_mgr_install.php
+++ b/usr/local/www/pkg_mgr_install.php
@@ -119,9 +119,6 @@ ob_flush();
/* mount rw fs */
conf_mount_rw();
-/* resync password database to avoid out of sync issues */
-sync_webgui_passwords();
-
switch($_GET['mode']) {
case "delete":
$id = get_pkg_id($_GET['pkg']);
diff --git a/usr/local/www/system.php b/usr/local/www/system.php
index b04e9ce..8abaf4d 100755
--- a/usr/local/www/system.php
+++ b/usr/local/www/system.php
@@ -117,9 +117,6 @@ if ($_POST) {
($_POST['webguiport'] < 1) || ($_POST['webguiport'] > 65535))) {
$input_errors[] = "A valid TCP/IP port must be specified for the webConfigurator port.";
}
- if (($_POST['password']) && ($_POST['password'] != $_POST['password2'])) {
- $input_errors[] = "The passwords do not match.";
- }
$t = (int)$_POST['timeupdateinterval'];
if (($t < 0) || (($t > 0) && ($t < 6)) || ($t > 1440)) {
@@ -163,12 +160,6 @@ if ($_POST) {
unset($config['system']['dnsallowoverride']);
$config['system']['dnsallowoverride'] = $_POST['dnsallowoverride'] ? true : false;
- if ($_POST['password']) {
- $config['system']['password'] = crypt($_POST['password']);
- update_changedesc("password changed via webConfigurator");
- sync_webgui_passwords();
- }
-
/* which interface should the dns servers resolve through? */
if($_POST['dns1gwint'])
$config['system']['dns1gwint'] = $pconfig['dns1gwint'];
@@ -205,7 +196,6 @@ if ($_POST) {
$retval = system_hostname_configure();
$retval |= system_hosts_generate();
$retval |= system_resolvconf_generate();
- $retval |= system_password_configure();
$retval |= services_dnsmasq_configure();
$retval |= system_timezone_configure();
$retval |= system_ntp_configure();
diff --git a/usr/local/www/system_groupmanager.php b/usr/local/www/system_groupmanager.php
index e79a77f..d2ab78e 100644
--- a/usr/local/www/system_groupmanager.php
+++ b/usr/local/www/system_groupmanager.php
@@ -63,7 +63,7 @@ if ($_GET['act'] == "delgroup") {
exit;
}
- del_local_group($a_group[$_GET['id']]);
+ local_group_del($a_group[$_GET['id']]);
$groupdeleted = $a_group[$_GET['id']]['name'];
unset($a_group[$_GET['id']]);
write_config();
@@ -84,7 +84,7 @@ if ($_GET['act'] == "delpriv") {
foreach ($a_group[$id]['member'] as $uid) {
$user = getUserEntryByUID($uid);
if ($user)
- set_local_user($user);
+ local_user_set($user);
}
write_config();
@@ -146,7 +146,7 @@ if ($_POST) {
$a_group[] = $group;
}
- set_local_group($group);
+ local_group_set($group);
write_config();
header("Location: system_groupmanager.php");
diff --git a/usr/local/www/system_groupmanager_addprivs.php b/usr/local/www/system_groupmanager_addprivs.php
index 6c808be..a449b2d 100644
--- a/usr/local/www/system_groupmanager_addprivs.php
+++ b/usr/local/www/system_groupmanager_addprivs.php
@@ -85,7 +85,7 @@ if ($_POST) {
foreach ($a_group['member'] as $uid) {
$user = getUserEntryByUID($uid);
if ($user)
- set_local_user($user);
+ local_user_set($user);
}
$retval = write_config();
diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php
index 791fae6..0b8f76e 100644
--- a/usr/local/www/system_usermanager.php
+++ b/usr/local/www/system_usermanager.php
@@ -67,11 +67,10 @@ if (isAllowedPage("system_usermanager")) {
exit;
}
- del_local_user($a_user[$_GET['id']]);
+ local_user_del($a_user[$_GET['id']]);
$userdeleted = $a_user[$_GET['id']]['name'];
unset($a_user[$_GET['id']]);
write_config();
- $retval = system_password_configure();
$savemsg = gettext("User")." {$userdeleted} ".
gettext("successfully deleted")."<br/>";
}
@@ -96,7 +95,7 @@ if (isAllowedPage("system_usermanager")) {
if (isset($id) && $a_user[$id]) {
$pconfig['usernamefld'] = $a_user[$id]['name'];
$pconfig['fullname'] = $a_user[$id]['fullname'];
- $pconfig['groups'] = get_local_user_groups($a_user[$id]);
+ $pconfig['groups'] = local_user_get_groups($a_user[$id]);
$pconfig['utype'] = $a_user[$id]['scope'];
$pconfig['uid'] = $a_user[$id]['uid'];
$pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']);
@@ -163,10 +162,14 @@ if (isAllowedPage("system_usermanager")) {
if (isset($id) && $a_user[$id])
$userent = $a_user[$id];
- /* the user did change his username */
+ /* the user name was modified */
if ($_POST['usernamefld'] <> $_POST['oldusername'])
$_SERVER['REMOTE_USER'] = $_POST['usernamefld'];
+ /* the user password was mofified */
+ if ($_POST['passwordfld1'])
+ local_user_set_password($userent, $_POST['passwordfld1']);
+
$userent['name'] = $_POST['usernamefld'];
$userent['fullname'] = $_POST['fullname'];
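Review bot: The new password branch on L1145 uses a truthiness test, so a submitted password of `"0"` is treated as "unchanged" and silently kept the old hash; prefer `if (isset($_POST['passwordfld1']) && $_POST['passwordfld1'] !== "")`. Whether `passwordfld1` has been checked against `passwordfld2` before this point is not visible in the hunk, so that confirmation is assumed to happen earlier in the `$_POST` handler, which starts outside this hunk. The comment on L1144 has a typo: `/* the user password was modified */`.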
@@ -182,10 +185,9 @@ if (isAllowedPage("system_usermanager")) {
$a_user[] = $userent;
}
- set_local_user($userent, $_POST['passwordfld1']);
- set_local_user_groups($userent,$_POST['groups']);
+ local_user_set($userent);
+ local_user_set_groups($userent,$_POST['groups']);
write_config();
- $retval = system_password_configure();
pfSenseHeader("system_usermanager.php");
}
@@ -488,7 +490,7 @@ function presubmit() {
<td class="listr"><?=htmlspecialchars($userent['fullname']);?>&nbsp;</td>
<td class="listbg">
<font color="white">
- <?=implode(",",get_local_user_groups($userent));?>
+ <?=implode(",",local_user_get_groups($userent));?>
</font>
&nbsp;
</td>
@@ -563,10 +565,6 @@ function presubmit() {
$config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['password'] = crypt(trim($_POST['passwordfld1']));
write_config();
-
- sync_webgui_passwords();
-
- $retval = system_password_configure();
$savemsg = "Password successfully changed<br />";
}
}
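Review bot: With `sync_webgui_passwords()` and `system_password_configure()` removed here, the self-service password path on L1171 still writes `crypt(trim($_POST['passwordfld1']))` straight into the config entry and nothing now pushes the new hash to the system account, whereas the admin-managed path in this same file goes through `local_user_set_password()` and `local_user_set()` (L1146, L1155); if the latter is what updates the local passwd database as the other call sites suggest, the user's own password change no longer takes effect for SSH/shell until some other write resyncs. Route it the same way, e.g. `$userent =& $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]];` then `local_user_set_password($userent, trim($_POST['passwordfld1']));` and `local_user_set($userent);` before `write_config()`, which also retires the salt-less bare `crypt()` call on this path. The enclosing `if` begins before this hunk.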
diff --git a/usr/local/www/system_usermanager_addprivs.php b/usr/local/www/system_usermanager_addprivs.php
index 61758b7..0214d63 100644
--- a/usr/local/www/system_usermanager_addprivs.php
+++ b/usr/local/www/system_usermanager_addprivs.php
@@ -86,7 +86,7 @@ if ($_POST) {
else
$a_user['priv'] = array_merge($a_user['priv'], $pconfig['sysprivs']);
- set_local_user($a_user);
+ local_user_set($a_user);
$retval = write_config();
$savemsg = get_std_save_message($retval);
diff --git a/usr/local/www/system_usermanager_settings.php b/usr/local/www/system_usermanager_settings.php
index c1d3a71..90e6598 100755
--- a/usr/local/www/system_usermanager_settings.php
+++ b/usr/local/www/system_usermanager_settings.php
@@ -126,12 +126,8 @@ if ($_POST) {
else
unset($pconfig['ldapgroupattribute']);
-
write_config();
- $retval = system_password_configure();
- sync_webgui_passwords();
-
}
}
diff --git a/usr/local/www/wizards/setup_wizard.xml b/usr/local/www/wizards/setup_wizard.xml
index e6b46bc..1cf882c 100644
--- a/usr/local/www/wizards/setup_wizard.xml
+++ b/usr/local/www/wizards/setup_wizard.xml
@@ -418,14 +418,10 @@
<stepsubmitphpaction>
if($_POST['adminpassword'] != "") {
if($_POST['adminpassword'] == $_POST['adminpasswordagain']) {
- $fd = popen("/usr/sbin/pw usermod -n root -H 0", "w");
- $salt = md5(time());
- $crypted_pw = crypt($_POST['adminpassword'],$salt);
- fwrite($fd, $crypted_pw);
- pclose($fd);
- $config['system']['password'] = crypt($_POST['adminpassword']);
+ $admin_user =& getUserEntryByUID(0);
+ local_user_set_password($admin_user, $_POST['adminpassword']);
+ local_user_set($admin_user);
write_config();
- system_password_configure();
} else {
print_info_box_np("Passwords do not match! Please press back in your browser window and correct.");
die;
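Review bot: `getUserEntryByUID(0)` on L1219 is used without checking its return, so if no uid-0 entry exists the wizard calls `local_user_set_password()` and `local_user_set()` on a non-array and writes config anyway — the same situation `rc.initial.password` in this commit explicitly guards against and repairs. At minimum fail loudly: `if (!$admin_user) { print_info_box_np("Admin account (uid 0) not found; password not changed."); die; }` before the `local_user_set_password()` call, or reuse the recovery logic from the console reset. Dropping the `pw usermod -n root` and `$config['system']['password']` writes looks intentional given the rest of the diffstat, but note the wizard now relies entirely on `local_user_set()` to update the system account.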