Diffstat (limited to 'etc/inc')
-rw-r--r--etc/inc/auth.inc508
-rw-r--r--etc/inc/authgui.inc405
-rw-r--r--etc/inc/config.inc95
-rw-r--r--etc/inc/globals.inc2
-rw-r--r--etc/inc/pfsense-utils.inc193
-rw-r--r--etc/inc/xmlparse.inc2
6 files changed, 605 insertions, 600 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 12267ff..47a2431 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -36,101 +36,91 @@
*/
require_once("functions.inc");
+
$groupindex = index_groups();
$userindex = index_users();
-function logout_session() {
- global $_SESSION;
-
- if (hasLockAbility($_SESSION['Username']))
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
-
- /* wipe out $_SESSION */
- $_SESSION = array();
-
- /* and destroy it */
- session_destroy();
+function isAllowedPage($page) {
+ global $config, $userindex, $_SESSION;
+
+ /* admin/root access check */
+ $username = $_SESSION['Username'];
+ if (isset($username))
+ $user = &$config['system']['user'][$userindex[$username]];
+ if (isset($user))
+ if (isset($user['uid']))
+ if ($user['uid']==0)
+ return true;
+
+ /* user privelege access check */
+ $allowed_pages = $_SESSION['privs'];
+ if (in_array("ANY", $allowed_pages))
+ return true;
+ if (in_array(basename($page), $allowed_pages))
+ return true;
- $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]);
- $scriptElms = count($scriptName);
- $scriptName = $scriptName[$scriptElms-1];
+ return false;
}
-function getAllowedGroups($logged_in_user) {
- global $g, $config;
+function getAllowedPages($logged_in_user) {
+ global $config, $_SESSION;
if (!function_exists("ldap_connect"))
return;
- $allowed = array();
+ $allowed_pages = array();
$allowed_groups = array();
$ldapon = $_SESSION['ldapon'];
//log_error("Getting groups for {$logged_in_user}.");
-
- $local_user = false;
- //log_error("Local_user = {$local_user}");
+ /* search for a local user by name */
+ $local_user = false;
+ foreach ($config['system']['user'] as $user) {
+ if ($user['name'] == $logged_in_user) {
+ $local_user = $user;
+ break;
+ }
+ }
- foreach ($config['system']['user'] as $username)
- if ($username['name'] == $logged_in_user)
- $local_user = true;
+ /* obtain local groups if we have a local user */
+ if ($local_user) {
+ $allowed_groups = get_local_user_groups($local_user);
+ foreach ($config['system']['group'] as $group)
+ if (in_array($group['name'], $allowed_groups))
+ if (is_array($group['pages']))
+ foreach ($group['pages'] as $page)
+ $allowed_pages[] = $page;
+ }
- /* return ldap groups if we are in ldap mode */
- if ($config['system']['webgui']['backend'] == "ldap" && $local_user == false) {
+ /* obtain ldap groups if we are in ldap mode */
+ if ($config['system']['webgui']['backend'] == "ldap" && !$local_user) {
//log_error("Calling LDAP_GET_GROUPS from the first section");
$allowed_groups = ldap_get_groups($logged_in_user);
- $fdny = fopen("/tmp/groups","w");
- fwrite($fdny, print_r($allowed, true));
- fclose($fdny);
- $allowed = array();
if (is_array($config['system']['group']) && is_array($allowed_groups))
foreach ($config['system']['group'] as $group)
if (in_array($group['name'], $allowed_groups))
foreach ($group['pages'] as $page)
- $allowed[] = $page;
- return $allowed;
+ $allowed_pages[] = $page;
}
-
- if ($config['system']['webgui']['backend'] == "ldapother" && $local_user == false) {
+ if ($config['system']['webgui']['backend'] == "ldapother" && !$local_user) {
//log_error("Calling LDAP_GET_GROUPS from the first section");
$allowed_groups = ldap_get_groups($logged_in_user);
- $fdny = fopen("/tmp/groups","w");
- fwrite($fdny, print_r($allowed, true));
- fclose($fdny);
- $allowed = array();
if (is_array($config['system']['group']) && is_array($allowed_groups))
foreach ($config['system']['group'] as $group)
if (in_array($group['name'], $allowed_groups))
foreach ($group['pages'] as $page)
- $allowed[] = $page;
- return $allowed;
+ $allowed_pages[] = $page;
}
- $final_allowed = array();
-
- foreach ($config['system']['user'] as $username)
- if ($username['name'] == $logged_in_user)
- $allowed_groups = explode(",", $username['groupname']);
-
- foreach ($config['system']['group'] as $group)
- if (in_array($group['name'], $allowed_groups))
- foreach ($group['pages'] as $page)
- $allowed[] = $page;
-
- return $allowed;
-}
-
-function &getSystemAdminNames() {
- global $config, $g, $userindex;
- $adminUsers = array();
+ $allowed_groups = print_r($allowed, true);
+ $fdny = fopen("/tmp/groups", "w");
+ fwrite($fdny, $allowed_groups);
+ fclose($fdny);
- if (is_array($config['system']['user']))
- foreach ($config['system']['user'] as $user)
- if (isSystemAdmin($user['name']))
- $adminUsers[] = $user['name'];
+ $_SESSION['privs'] = $allowed_pages;
- return $adminUsers;
+ return $allowed_pages;
}
function &getSystemPrivs() {
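Review bot: `$allowed` on the `print_r($allowed, true)` line near the end of getAllowedPages is never assigned in the new body (the accumulator was renamed to `$allowed_pages`), so the dump to /tmp/groups records nothing useful, and the dump itself writes a user's effective privilege list into a world-readable temporary path that every login overwrites. The four lines from `$allowed_groups = print_r($allowed, true);` through `fclose($fdny);` look like leftover debugging and should be dropped rather than repaired. In isAllowedPage, `in_array("ANY", $allowed_pages)` and the basename check use loose comparison; passing `true` as the third argument keeps a stray non-string entry in a group's page list from matching. Note also that getAllowedPages still returns before `$_SESSION['privs']` is set when the ldap extension is absent, which makes isAllowedPage deny every non-root user on such a build; that early return predates this change, but the new call site in authgui.inc now depends on privs always being populated.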
@@ -171,229 +161,286 @@ function &getSystemPrivs() {
return $privs;
}
-function assignUID($username = "") {
- global $userindex, $config, $g;
-
- if ($username == "")
- return;
-
- $nextuid = $config['system']['nextuid'];
- $user =& $config['system']['user'][$userindex[$username]];
-
- if (empty($user['uid'])) {
- $user['uid'] = $nextuid;
- $nextuid++;
- $config['system']['nextuid'] = $nextuid;
-
- write_config();
- return $user;
- }
+function & getUserEntry($name) {
+ global $config, $userindex;
+ return $config['system']['user'][$userindex[$name]];
}
-function assignGID($groupname = "") {
- global $groupindex, $config, $g;
-
- if ($groupname == "")
- return;
-
- $nextgid = $config['system']['nextgid'];
- $group =& $config['system']['group'][$groupindex[$groupname]];
-
- if (empty($group['gid'])) {
- $group['gid'] = $nextgid;
- $nextgid++;
- $config['system']['nextgid'] = $nextgid;
-
- write_config();
- return $group;
- }
+function & getGroupEntry($name) {
+ global $config, $groupindex;
+ return $config['system']['group'][$groupindex[$name]];
}
-function hasPrivilege($user, $privid = "") {
- global $userindex, $config, $g;
+function userHasPrivilege($userent, $privid = false) {
- if ($privid == "" || ! isset($userindex[$user]))
- return 0;
+ if (!$privid || !is_array($userent))
+ return false;
- $privs = &$config['system']['user'][$userindex[$user]]['priv'];
+ if (!is_array($userent['priv']))
+ return false;
- if (is_array($privs))
- foreach ($privs as $priv)
- if ($priv['id'] == $privid)
- return 1;
- return 0;
+ foreach ($userent['priv'] as $priv)
+ if ($priv['id'] == $privid)
+ return true;
}
-function isAllowedToCopyFiles($username) {
- global $userindex, $config, $g;
-
- if ($username == "")
- return 0;
-
- return hasPrivilege($username, "copyfiles");
+function hasPrivilegeCopyFiles($userent) {
+ return userHasPrivilege($userent, "copyfiles");
}
-function hasLockAbility($username) {
- global $userindex, $config, $g;
-
- if ($username == "")
- return 0;
-
- return hasPrivilege($username, "lockwc");
+function hasPrivilegeLock($userent) {
+ return userHasPrivilege($userent, "lockwc");
}
-function hasPageLockAbility($username) {
- global $userindex, $config, $g;
-
- if ($username == "")
- return 0;
-
- return hasPrivilege($username, "lock-ipages");
+function hasPrivilegeLockPages($userent) {
+ return userHasPrivilege($userent, "lock-ipages");
}
-function hasShellAccess($username) {
- global $userindex, $config, $g;
+function hasPrivilegeShell($userent) {
+ return userHasPrivilege($userent, "hasshell");
+}
- if ($username == "")
- return 0;
+function sync_local_accounts() {
+ global $config;
- return hasPrivilege($username, "hasshell");
-}
+ /* remove local users to avoid uid conflicts */
+ $fd = popen("/usr/sbin/pw usershow -a 2>&1", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $line = explode(":",fgets($fd));
+ if (!strncmp($line[0], "_", 1))
+ continue;
+ if ($line[2] < 2000)
+ continue;
+ if ($line[2] > 65000)
+ continue;
+ mwexec("/usr/sbin/pw userdel {$line[2]}");
+ }
+ pclose($fd);
+ }
-function isUNIXRoot($username = "") {
- global $userindex, $config;
+ /* remove local groups to avoid gid conflicts */
+ $gids = array();
+ $fd = popen("/usr/sbin/pw groupshow -a 2>&1", "r");
+ if ($fd) {
+ while (!feof($fd)) {
+ $line = explode(":",fgets($fd));
+ if (!strncmp($line[0], "_", 1))
+ continue;
+ if ($line[2] < 2000)
+ continue;
+ if ($line[2] > 65000)
+ continue;
+ mwexec("/usr/sbin/pw groupdel {$line[2]}");
+ }
+ pclose($fd);
+ }
- if ($username == "")
- return 0;
+ /* sync all local users */
+ if (is_array($config['system']['user']))
+ foreach ($config['system']['user'] as $user)
+ set_local_user($user);
- if (isSystemAdmin($username))
- return hasPrivilege($username, "isroot");
+ /* sync all local groups */
+ if (is_array($config['system']['group']))
+ foreach ($config['system']['group'] as $group)
+ set_local_group($group);
- return 0;
+ sync_webgui_passwords();
}
-function setUserFullName($name = "", $new_name = "") {
- global $config, $g, $userindex;
+function set_local_user($user) {
- if ($name == "" || $new_name == "")
- return;
+ $home_base = $g['platform'] == "pfSense" ? "/home" : "/var/home";
+ if (!is_dir($home_base))
+ mkdir($home_base, 0755);
- $user = &$config['system']['user'][$userindex[$name]];
- $user['fullname'] = $new_name;
-}
+ $user_uid = $user['uid'];
+ $user_name = $user['name'];
+ $user_home = "{$home_base}/$user_name";
+ $user_shell = "/etc/rc.initial";
+ $user_group = "nobody";
-function setUserName($name = "", $new_name = "") {
- global $config, $g, $userindex;
+ /* configure shell type */
+ if (!hasPrivilegeShell($user)) {
+ if (!hasPrivilegeCopyFiles($user))
+ $user_shell = "/sbin/nologin";
+ else
+ $user_shell = "/usr/local/bin/scponly";
+ }
- if ($name == "" || $new_name == "")
- return;
+ /* root user special handling */
+ if ($user_uid == 0) {
+ $fd = popen("/usr/sbin/pw usermod -n root -s /bin/sh -H 0", "w");
+ fwrite($fd, $user['password']);
+ pclose($fd);
+ $user_group = "wheel";
+ }
- $user = &$config['system']['user'][$userindex[$name]];
- $user['name'] = $new_name;
+ /* read from pw db */
+ $fd = popen("/usr/sbin/pw usershow {$user_name} 2>&1", "r");
+ $pwread = fgets($fd);
+ pclose($fd);
+
+ /* determine add or mod */
+ if (!strncmp($pwread, "pw:", 3))
+ $user_op = "useradd";
+ else
+ $user_op = "usermod";
+
+ /* add or mod pw db */
+ $cmd = "/usr/sbin/pw {$user_op} -u {$user_uid} -n {$user_name}".
+ " -g {$user_group} -G all -s {$user_shell} -d {$user_home}".
+ " -c ".escapeshellarg($user['fullname'])." -H 0";
+
+ log_error("Running: {$cmd}");
+ $fd = popen($cmd, "w");
+ fwrite($fd, $user['password']);
+ pclose($fd);
+
+ /* create user directory if required */
+ if (!is_dir($user_home))
+ mkdir($user_home, 0755);
+ chown($user_home, $user_name);
+ chgrp($user_home, $user_group);
+ chmod($user_home, 0700);
+
+ /* FIXME : ssh keys should be per-admin user */
+ if(isset($config['system']['ssh']['sshdkeyonly']) && hasPrivilegeShell($user))
+ create_authorized_keys($user_name, $user_home);
}
-function setUserPWD($name = "", $password = "") {
- global $config, $g, $userindex;
+function del_local_user($user) {
- if ($name == "" || $password == "")
- return;
+ /* remove all memberships */
+ set_local_user_groups($user);
- $user = &$config['system']['user'][$userindex[$name]];
- $user['password'] = crypt($password);
-}
+ /* delete from pw db */
+ $cmd = "/usr/sbin/pw userdel {$user['name']}";
-function setUserGroupName($name = "", $new_name = "") {
- global $config, $g, $userindex;
+ log_error("Running: {$cmd}");
+ $fd = popen($cmd, "w");
+ fwrite($fd, $user['password']);
+ pclose($fd);
+}
- if ($name == "" || $new_name == "")
- return;
+function get_local_user_groups($user, $all = false) {
+ global $config;
- $user = &$config['system']['user'][$userindex[$name]];
- $user['groupname'] = $new_name;
-}
+ $groups = array();
+ if (!is_array($config['system']['group']))
+ return $groups;
-function setUserType($name = "", $new_type = "") {
- global $config, $g, $userindex;
+ foreach ($config['system']['group'] as $group)
+ if ( $all || ( !$all && ($group['name'] != "all")))
+ if (is_array($group['member']))
+ if (in_array($user['uid'], $group['member']))
+ $groups[] = $group['name'];
- if ($name == "" || $new_type == "")
- return;
+ sort($groups);
- $user = &$config['system']['user'][$userindex[$name]];
- $user['scope'] = $new_type;
+ return $groups;
}
-function getUNIXRoot() {
- global $config, $g, $userindex;
+function set_local_user_password(& $user, $password) {
- if (is_array($config['system']['user'])) {
- foreach($config['system']['user'] as $user) {
- if (isUNIXRoot($user['name'])) {
- $root = &$config['system']['user'][$userindex[$user['name']]];
- return $root;
- }
- }
+ $user['password'] = crypt($password);
+ $user['md5-hash'] = md5($password);
+
+ /*
+ * NOTE : This section of code id based on the BSD
+ * licensed CHAP.php courtesy of Michael Retterklieber.
+ */
+ /* Waiting for mhash to settle into the tree
+ // Converts ascii to unicode.
+ $astr = (string) $password;
+ $ustr = '';
+ for ($i = 0; $i < strlen($astr); $i++) {
+ $a = ord($astr{$i}) << 8;
+ $ustr.= sprintf("%X", $a);
}
- return NULL;
+ // Generate the NT-HASH from the unicode string
+ $user['nt-hash'] = bin2hex(mhash(MHASH_MD4, $ustr));
+ */
}
-function getUNIXRootName() {
- global $config, $g, $userindex;
+function set_local_user_groups($user, $new_groups = NULL ) {
+ global $config, $groupindex;
- if (is_array($config['system']['user']))
- foreach ($config['system']['user'] as $user)
- if (isUNIXRoot($user['name']))
- return $user['name'];
-
- return NULL;
-}
+ if (!is_array($config['system']['group']))
+ return;
-function getGroupHomePage($group = "") {
- global $groupindex, $config, $g;
+ $cur_groups = get_local_user_groups($user);
+ $mod_groups = array();
- if ($group == "")
- return "";
+ if (!is_array($new_groups))
+ $new_groups = array();
- $page = $config['system']['group'][$groupindex[$group]]['home'];
- if (empty($page))
- $page = "";
+ if (!is_array($cur_groups))
+ $cur_groups = array();
- return $page;
-}
+ /* determine which memberships to add */
+ foreach ($new_groups as $groupname) {
+ if (in_array($groupname,$cur_groups))
+ continue;
+ $group = & $config['system']['group'][$groupindex[$groupname]];
+ $group['member'][] = $user['uid'];
+ $mod_groups[] = $group;
+ }
-function isSystemAdmin($username = "") {
- global $groupindex, $userindex, $config, $g, $_SESSION;
+ /* determine which memberships to remove */
+ foreach ($cur_groups as $groupname) {
+ if (in_array($groupname,$new_groups))
+ continue;
+ $group = & $config['system']['group'][$groupindex[$groupname]];
+ $index = array_search($user['uid'], $group['member']);
+ array_splice($group['member'], $index, 1);
+ $mod_groups[] = $group;
+ }
- if ($_SESSION['isSystemAdmin'])
- return $_SESSION['isSystemAdmin'];
+ /* sync all modified groups */
+ foreach ($mod_groups as $group)
+ set_local_group($group);
+}
- if (!function_exists("ldap_connect"))
- return;
+function set_local_group($group) {
- if ($username == "") {
- $_SESSION['isSystemAdmin'] = false;
- return 0;
- }
+ $group_name = $group['name'];
+ $group_gid = $group['gid'];
+ $group_members = "''";
+ if (count($group['member']))
+ $group_members = implode(",",$group['member']);
- $gname = $config['system']['group'][$groupindex[$config['system']['user'][$userindex[$username]]['groupname']]]['name'];
+ /* read from group db */
+ $fd = popen("/usr/sbin/pw groupshow {$group_name} 2>&1", "r");
+ $pwread = fgets($fd);
+ pclose($fd);
- if (isset($gname)) {
- $_SESSION['isSystemAdmin'] = $gname === $g["admin_group"];
- return ($gname === $g["admin_group"]);
- }
+ /* determine add or mod */
+ if (!strncmp($pwread, "pw:", 3))
+ $group_op = "groupadd";
+ else
+ $group_op = "groupmod";
- $_SESSION['isSystemAdmin'] = false;
+ /* add or mod group db */
+ $cmd = "/usr/sbin/pw {$group_op} {$group_name} -g {$group_gid} -M {$group_members}";
- return 0;
+ log_error("Running: {$cmd}");
+ $fd = popen($cmd, "w");
+ fwrite($fd, $user['password']);
+ pclose($fd);
}
-function getRealName($username = "") {
- global $userindex, $config;
+function del_local_group($group) {
- if ($username == "")
- return "";
+ /* delete from group db */
+ $cmd = "/usr/sbin/pw groupdel {$group['name']}";
- return $config['system']['user'][$userindex[$username]]['fullname'];
+ log_error("Running: {$cmd}");
+ $fd = popen($cmd, "w");
+ fwrite($fd, $user['password']);
+ pclose($fd);
}
function basic_auth($backing) {
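Review bot: set_local_user reads `$g['platform']` and `$config['system']['ssh']['sshdkeyonly']` but declares no globals, so both are undefined inside the function: the home base is always /var/home and the authorized_keys branch can never run; add `global $config, $g;` as the first line of the body. The same hunk builds pw command lines by interpolating `$user_name`, `$user_home`, `$user_shell` and `$group['name']` directly into popen strings while only `fullname` goes through escapeshellarg; every interpolated field should be wrapped the same way, since these values come from the editable config rather than being generated here. set_local_group and del_local_group call `fwrite($fd, $user['password'])` with no `$user` in scope (and pw groupmod/groupdel do not read a password on stdin), so those writes should go, as should the equivalent write in del_local_user. userHasPrivilege falls off the end of its foreach without a return, so a user whose priv list lacks the id yields null rather than the false the early exits return; a trailing `return false;` makes the contract consistent. getUserEntry and getGroupEntry return by reference through `$userindex[$name]` with no isset guard, which for a name absent from the index (an LDAP-only login, for example) can autovivify an empty entry in `$config['system']['user']` that a later write_config would persist; the new call in session_auth inherits this.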
@@ -475,6 +522,9 @@ function session_auth($backing) {
}
}
+ /* obtain user object */
+ $user = getUserEntry($_SESSION['Username']);
+
/* user hit the logout button */
if (isset($_GET['logout'])) {
@@ -483,7 +533,7 @@ function session_auth($backing) {
else
log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
- if (hasLockAbility($_SESSION['Username']))
+ if (hasPrivilegeLock($user))
unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
/* wipe out $_SESSION */
@@ -512,7 +562,7 @@ function session_auth($backing) {
* user wants to explicitely delete the lock file.
* Requires a particular privilege.
*/
- if ($_GET['deletelock'] && hasLockAbility($_SESSION['Username'])) {
+ if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
$HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
return true;
@@ -522,10 +572,9 @@ function session_auth($backing) {
* user wants to explicitely create a lock.
* Requires a particular privilege.
*/
- if ($_GET['createlock'] && hasLockAbility($_SESSION['Username'])) {
+ if ($_GET['createlock'] && hasPrivilegeLock($user)) {
$fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" .
- getRealName($_SESSION['Username']) . ")");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
fclose($fd);
/*
@@ -560,7 +609,7 @@ function session_auth($backing) {
/*
* is the user is allowed to create a lock
*/
- if (hasLockAbility($_SESSION['Username'])) {
+ if (hasPrivilegeLock($user)) {
/*
* create a lock once per session
@@ -568,8 +617,7 @@ function session_auth($backing) {
if (!isset($_SESSION['Lock_Created'])) {
$fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" .
- getRealName($_SESSION['Username']) . ")");
+ fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
fclose($fd);
/*
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 12f45bc..7467ccd 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -41,243 +41,254 @@ require_once("functions.inc");
/* We only support htpasswd backed HTTP Basic auth and session
* based backing methods at the moment.
* session_auth - this will use session based authentication and timeout
- * htpasswd_backed - this uses the "standard" .htpasswd file
- * passwd_backed - this will use the system passwd file in /etc
- * radius_backed - this will allow you to use a radius server
- * pam_backed - this uses the system's PAM facility .htpasswd file
+ * htpasswd_backed - this uses the "standard" .htpasswd file
+ * passwd_backed - this will use the system passwd file in /etc
+ * radius_backed - this will allow you to use a radius server
+ * pam_backed - this uses the system's PAM facility .htpasswd file
*/
$auth_method="session_auth";
/* enable correct auth backend, default to htpasswd_backed */
-
$ldapcase = $config['system']['webgui']['backend'];
switch($ldapcase)
{
-case ldap:
- $backing_method="ldap_backed";
- break;
-case ldapother:
- $backing_method="ldap_backed";
- break;
-default:
- $backing_method="htpasswd_backed";
+ case ldap:
+ $backing_method="ldap_backed";
+ break;
+ case ldapother:
+ $backing_method="ldap_backed";
+ break;
+ default:
+ $backing_method="htpasswd_backed";
}
/* Authenticate user - exit if failed */
-if (!$auth_method($backing_method)) { exit; }
+if (!$auth_method($backing_method))
+ exit;
+
+/*
+ * scriptname is set in headjs.php if the user tried to access
+ * a page other than index.php without beeing logged in.
+ *
+ * NOTE : This doesn't make sense to me. -mgrooms
+ */
+/* if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) {
+ * pfSenseHeader("{$_POST['scriptname']}");
+ * exit;
+ * }
+ */
+
+/*
+ * Once here, the user has authenticated with the web server.
+ * We give them access only to the appropriate pages based on
+ * the user or group privileges.
+ */
+getAllowedPages($HTTP_SERVER_VARS['AUTH_USER']);
-/* scriptname is set in headjs.php if the user did try to access a page other
- * than index.php without beeing logged in.
+/*
+ * get the group homepage, to be able to forward
+ * the user to this particular PHP page.
+ */
+$home = $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['home'];
+if (!$home)
+ $home = "/index.php";
+
+/*
+ * If the user tries to explicitly access a particular
+ * page, set $home to that page instead.
*/
-if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) {
- pfSenseHeader("{$_POST['scriptname']}");
- exit;
+if (isset($_POST['scriptname']) &&
+ $_POST['scriptname'] <> "/" && $_POST['scriptname'] <> "/index.php") {
+ $home = str_replace('/', '', basename($_POST['scriptname']));
+ $pagereq = $home;
}
-// Once here, the user has authenticated with the web server.
-// Now, we give them access only to the appropriate pages for their group.
-
-if (!(isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))) {
- $_SESSION['privs'] = getAllowedGroups($HTTP_SERVER_VARS['AUTH_USER']);
- $allowed = $_SESSION['privs'];
-
- $allowed_groups = print_r($_SESSION['privs'],true);
- $fdny = fopen("/tmp/groups", "w");
- fwrite($fdny, $allowed_groups);
- fclose($fdny);
-
- $group = $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname'];
- /* get the group homepage, to be able to forward
- * the user to this particular PHP page.
- */
- getGroupHomePage($group) == "" ? $home = "/index.php" : $home = "/" . getGroupHomePage($group);
-
- /* okay but if the user realy tries to explicitely access a particular
- * page, set $home to that page instead.
- */
- if (isset($_POST['scriptname']) && $_POST['scriptname'] <> "/" && $_POST['scriptname'] <> "/index.php") {
- $home = str_replace('/', '', basename($_POST['scriptname']));
- $pagereq = $home;
- }
-
- // If the user is attempting to hit the default page, set it to specifically look for /index.php.
- // Without this, any user would have access to the index page.
- if ($_SERVER['SCRIPT_NAME'] == '/')
- $_SERVER['SCRIPT_NAME'] = $home;
- if ($pagereq == "")
+/*
+ * If the user is attempting to hit the default page, set it to
+ * specifically look for /index.php. Without this, any user would
+ * have access to the index page.
+ */
+if ($_SERVER['SCRIPT_NAME'] == '/')
+ $_SERVER['SCRIPT_NAME'] = $home;
+if ($pagereq == "")
$pagereq = str_replace('/', '', basename($_SERVER['SCRIPT_NAME']));
- // Strip the leading / from the currently requested PHP page
- if (!in_array($pagereq,$allowed) && !in_array("ANY", $allowed)) {
- // The currently logged in user is not allowed to access the page
- // they are attempting to go to. Redirect them to an allowed page.
-
- if(stristr($_SERVER['SCRIPT_NAME'],"sajax")) {
- echo "||Access to AJAX has been disallowed for this user.";
- exit;
- }
-
- if ($pagereq <> "" && (in_array($pagereq, $allowed) || in_array("ANY", $allowed))) {
- pfSenseHeader("{$home}");
- exit;
- } else {
- header("HTTP/1.0 401 Unauthorized");
- header("Status: 401 Unauthorized");
-
- echo display_error_form("401", "Unauthorized. You do not have access to the page {$pagereq}");
- exit;
- }
- }
-
- if (isset($_SESSION['Logged_In'])) {
- /*
- * only forward if the user has just logged in
- * TODO: session auth based - may be an issue.
- */
- if ($_SERVER['SCRIPT_NAME'] <> $home && empty($_SESSION['First_Visit'])) {
- $_SESSION['First_Visit'] = "False";
- pfSenseHeader("{$home}");
- exit;
- }
- }
+/*
+ * determine if the user is allowed access to the requested page
+ */
+if (!isAllowedPage($pagereq)) {
+
+ /*
+ * The currently logged in user is not allowed to access the page
+ * they are attempting to view. Redirect them to an allowed page.
+ */
+ if(stristr($_SERVER['SCRIPT_NAME'],"sajax")) {
+ echo "||Access to AJAX has been disallowed for this user.";
+ exit;
+ }
+
+ header("HTTP/1.0 401 Unauthorized");
+ header("Status: 401 Unauthorized");
+ display_error_form("401", "Unauthorized. You do not have access to the page {$pagereq}");
+ exit;
+}
+
+if (isset($_SESSION['Logged_In'])) {
+ /*
+ * only forward if the user has just logged in
+ * TODO: session auth based - may be an issue.
+ */
+ if ($_SERVER['SCRIPT_NAME'] <> $home && empty($_SESSION['First_Visit'])) {
+ $_SESSION['First_Visit'] = "False";
+ pfSenseHeader("{$home}");
+ exit;
+ }
}
function display_error_form($http_code, $desc) {
- global $config, $g;
- $g['theme'] = $config['theme'];
+ global $config, $g;
+ $g['theme'] = $config['theme'];
if(isAjax()) {
echo "Error: {$http_code} Description: {$desc}";
return;
}
?>
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
- <head>
- <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
- <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
- <title>An error occurred: {$http_code}</title>
- <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
- <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" />
- <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?>
- <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" />
- <?php else: ?>
- <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" />
- <?php endif; ?>
- <script type="text/javascript">
- <title>An error occurred: {$http_code}</title>
- <!--
- function page_load() {
- NiftyCheck();
- Rounded("div#login inputerrors","bl br","transparent","#cccccc","smooth");
- Effect.Pulsate('errortext', { duration: 10 });
- }
- <?php
- require("headjs.php");
- echo getHeadJS();
- ?>
- //-->
- </script>
- <script type="text/javascript" src="/themes/{$g['theme']}/javascript/niftyjsCode.js"></script>
- </head>
- <body onload="page_load();">
- <div id="errordesc">
- <h1>&nbsp</h1>
- <a href="/">
- <p id="errortext" style="vertical-align: middle; text-align: center;"><span style="color: #000000; font-weight: bold;">{$desc}</span></p>
- </div>
- </body>
+ <head>
+ <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
+ <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
+ <title><?=$http_code?></title>
+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+ <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" />
+ <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?>
+ <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" />
+ <?php else: ?>
+ <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" />
+ <?php endif; ?>
+ <script type="text/javascript">
+ <!--
+ function page_load() {}
+ function clearError() {
+ if($('inputerrors'))
+ $('inputerrors').innerHTML='';
+ }
+ <?php
+ require("headjs.php");
+ echo getHeadJS();
+ ?>
+ //-->
+ </script>
+ <script type="text/javascript" src="/themes/<?= $g['theme'] ?>/javascript/niftyjsCode.js"></script>
+ </head>
+ <body onload="page_load();">
+ <div id="errordesc">
+ <h1>&nbsp</h1>
+ <a href="/">
+ <p id="errortext" style="vertical-align: middle; text-align: center;">
+ <span style="color: #000000; font-weight: bold;">
+ <?=$desc;?>
+ </span>
+ </p>
+ </div>
+ </body>
</html>
+
<?php
-} // end function
+} // end function
function display_login_form() {
- require_once("globals.inc");
- global $config, $g;
- $g['theme'] = $config['theme'];
-
- unset($input_errors);
-
- if(isAjax()) {
- if (isset($_POST['login'])) {
- if($_SESSION['Logged_In'] <> "True") {
- isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = "unknown reason";
- echo "showajaxmessage('Invalid login ({$login_error}).');";
- }
- if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
- // TODO: add the IP from the user who did lock the device
- $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
- echo "showajaxmessage('This device is currently beeing maintained by: {$whom}.');";
- }
- }
- exit;
- }
+ require_once("globals.inc");
+ global $config, $g;
+ $g['theme'] = $config['theme'];
+
+ unset($input_errors);
+
+ if(isAjax()) {
+ if (isset($_POST['login'])) {
+ if($_SESSION['Logged_In'] <> "True") {
+ isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = "unknown reason";
+ echo "showajaxmessage('Invalid login ({$login_error}).');";
+ }
+ if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
+ // TODO: add the IP from the user who did lock the device
+ $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
+ echo "showajaxmessage('This device is currently beeing maintained by: {$whom}.');";
+ }
+ }
+ exit;
+ }
?>
+
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
- <head>
- <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
- <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
- <title><?=gettext("Login"); ?></title>
- <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
- <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" />
- <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?>
- <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" />
- <?php else: ?>
- <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" />
- <?php endif; ?>
- <script type="text/javascript">
- <!--
- function page_load() {}
- function clearError() {
- if($('inputerrors'))
- $('inputerrors').innerHTML='';
- }
- <?php
- require("headjs.php");
- echo getHeadJS();
- ?>
- //-->
- </script>
- <script type="text/javascript" src="/themes/<?= $g['theme'] ?>/javascript/niftyjsCode.js"></script>
- </head>
- <body onload="page_load()">
- <div id="login">
- <form id="iform" name="login_iform" method="post" autocomplete="off" action="<?= $_SERVER['SCRIPT_NAME'] ?>">
- <h1>&nbsp</h1>
- <div id="inputerrors"></div>
- <p>
- <span style="text-align:left">
- <?=gettext("Username"); ?>:<br>
- <input onclick="clearError();" onchange="clearError();" id="usernamefld" type="text" name="usernamefld" class="formfld user" tabindex="1" />
- </span>
- </p>
- <br>
- <p>
- <span style="text-align:left">
- <?=gettext("Password"); ?>: <br>
- <input onclick="clearError();" onchange="clearError();" id="passwordfld" type="password" name="passwordfld" class="formfld pwd" tabindex="2" />
- </span>
- </p>
- <br>
- <p>
- <span style="text-align:center; font-weight: normal ; font-style: italic"><?=gettext("Enter username and password to login."); ?></span>
- </p>
- <p>
- <span style="text-align:center">
- <input type="submit" name="login" class="formbtn" value="<?=gettext("Login"); ?>" tabindex="3" />
- </span>
- </P>
- </form>
- </div>
- </body>
+ <head>
+ <script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
+ <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
+ <title><?=gettext("Login"); ?></title>
+ <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+ <link rel="shortcut icon" href="/themes/<?= $g['theme'] ?>/images/icons/favicon.ico" />
+ <?php if (file_exists("{$g['www_path']}/themes/{$g['theme']}/login.css")): ?>
+ <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/login.css" media="all" />
+ <?php else: ?>
+ <link rel="stylesheet" type="text/css" href="/themes/<?= $g['theme'] ?>/all.css" media="all" />
+ <?php endif; ?>
+ <script type="text/javascript">
+ <!--
+ function page_load() {}
+ function clearError() {
+ if($('inputerrors'))
+ $('inputerrors').innerHTML='';
+ }
+ <?php
+ require("headjs.php");
+ echo getHeadJS();
+ ?>
+ //-->
+ </script>
+ <script type="text/javascript" src="/themes/<?= $g['theme'] ?>/javascript/niftyjsCode.js"></script>
+ </head>
+ <body onload="page_load()">
+ <div id="login">
+ <form id="iform" name="login_iform" method="post" autocomplete="off" action="<?= $_SERVER['SCRIPT_NAME'] ?>">
+ <h1></h1>
+ <div id="inputerrors"><?=$_SESSION['Login_Error'];?></div>
+ <p>
+ <span style="text-align:left">
+ <?=gettext("Username"); ?>:<br>
+ <input onclick="clearError();" onchange="clearError();" id="usernamefld" type="text" name="usernamefld" class="formfld user" tabindex="1" />
+ </span>
+ </p>
+ <br>
+ <p>
+ <span style="text-align:left">
+ <?=gettext("Password"); ?>: <br>
+ <input onclick="clearError();" onchange="clearError();" id="passwordfld" type="password" name="passwordfld" class="formfld pwd" tabindex="2" />
+ </span>
+ </p>
+ <br>
+ <p>
+ <span style="text-align:center; font-weight: normal ; font-style: italic">
+ <?=gettext("Enter username and password to login."); ?>
+ </span>
+ </p>
+ <p>
+ <span style="text-align:center">
+ <input type="submit" name="login" class="formbtn" value="<?=gettext("Login"); ?>" tabindex="3" />
+ </span>
+ </P>
+ </form>
+ </div>
+ </body>
</html>
<?php
} // end function
-?> \ No newline at end of file
+?>
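Review bot: `<?=$desc;?>` in display_error_form emits the description unescaped, and the 401 call site passes `$pagereq`, which is derived from `$_POST['scriptname']` with only basename and slash-stripping applied, so a logged-in user who lacks the page privilege can reflect markup into the error page; the old template never interpolated `{$desc}` at all, so this output sink is new in this change. Wrap it, e.g. `<?=htmlspecialchars($desc, ENT_QUOTES);?>`, and apply the same to the `echo "Error: {$http_code} Description: {$desc}"` AJAX branch where that output context allows. `<?=$_SESSION['Login_Error'];?>` in display_login_form is a second raw sink; if any login-error text embeds the submitted username it needs the same treatment. The `$whom` lock-file contents are interpolated into a JavaScript string literal in the AJAX branch, and the auth.inc change now writes `REMOTE_ADDR.Username` into that file; a quote in either value breaks out of the literal, so pass the value through json_encode before embedding it. display_error_form and display_login_form are both fully inside the hunk.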
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index cb12d94..5e58689 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1470,7 +1470,7 @@ function convert_config() {
}
/* Convert 4.7 -> 4.8 */
- if ($config['version'] <= 4.7) {
+ if ($config['version'] <= 4.7) {
$config['dyndnses']['dyndns'] = array();
if (isset($config['dyndns']['enable'])) {
$tempdyn = array();
@@ -1502,7 +1502,7 @@ function convert_config() {
$config['dnsupdates']['dnsupdate'][] = $pconfig;
unset($config['dnsupdate']);
}
-
+
if (is_array($config['pppoe'])) {
$pconfig = array();
$pconfig['username'] = $config['pppoe']['username'];
@@ -1518,28 +1518,87 @@ function convert_config() {
$config['interfaces']['wan']['timeout'] = $pconfig['timeout'];
}
if (is_array($config['pptp'])) {
- $pconfig = array();
- $pconfig['username'] = $config['pptp']['username'];
- $pconfig['password'] = $config['pptp']['password'];
- $pconfig['provider'] = $config['pptp']['provider'];
- $pconfig['ondemand'] = isset($config['pptp']['ondemand']);
- $pconfig['timeout'] = $config['pptp']['timeout'];
- unset($config['pptp']);
- $config['interfaces']['wan']['username'] = $pconfig['username'];
- $config['interfaces']['wan']['password'] = $pconfig['password'];
- $config['interfaces']['wan']['provider'] = $pconfig['provider'];
- $config['interfaces']['wan']['username'] = isset($pconfig['ondemand']
-);
- $config['interfaces']['wan']['timeout'] = $pconfig['timeout'];
- }
+ $pconfig = array();
+ $pconfig['username'] = $config['pptp']['username'];
+ $pconfig['password'] = $config['pptp']['password'];
+ $pconfig['provider'] = $config['pptp']['provider'];
+ $pconfig['ondemand'] = isset($config['pptp']['ondemand']);
+ $pconfig['timeout'] = $config['pptp']['timeout'];
+ unset($config['pptp']);
+ $config['interfaces']['wan']['username'] = $pconfig['username'];
+ $config['interfaces']['wan']['password'] = $pconfig['password'];
+ $config['interfaces']['wan']['provider'] = $pconfig['provider'];
+ $config['interfaces']['wan']['username'] = isset($pconfig['ondemand'] );
+ $config['interfaces']['wan']['timeout'] = $pconfig['timeout'];
+ }
$config['version'] = 4.8;
}
+ /* Convert 4.8 -> 4.9 */
+ if ($config['version'] <= 4.8) {
+
+ /* setup new all users group */
+ $all = array();
+ $all['name'] = "all";
+ $all['description'] = "All Users";
+ $all['scope'] = "System";
+ $all['gid'] = 1998;
+ $all['member'] = array();
+
+ if (!is_array($config['system']['group']))
+ $config['system']['group'] = array();
+
+ /* work around broken uid assignments */
+ $config['system']['nextuid'] = 2000;
+ foreach ($config['system']['user'] as & $user) {
+ if (isset($user['uid']) && !$user['uid'])
+ continue;
+ $user['uid'] = $config['system']['nextuid']++;
+ }
+
+ /* work around broken gid assignments */
+ $config['system']['nextgid'] = 2000;
+ foreach ($config['system']['group'] as & $group) {
+ if ($group['name'] == $g['admin_group'])
+ $group['gid'] = 1999;
+ else
+ $group['gid'] = $config['system']['nextgid']++;
+ }
+
+ /* build group membership information */
+ foreach ($config['system']['group'] as & $group) {
+ $group['member'] = array();
+ foreach ($config['system']['user'] as & $user) {
+ $groupnames = explode(",", $user['groupname']);
+ if (in_array($group['name'],$groupnames))
+ $group['member'][] = $user['uid'];
+ }
+ }
+
+ /* reset user group information */
+ foreach ($config['system']['user'] as & $user) {
+ unset($user['groupname']);
+ $all['member'][] = $user['uid'];
+ }
+
+ /* insert new all group */
+ $groups = Array();
+ $groups[] = $all;
+ $groups = array_merge($config['system']['group'],$groups);
+ $config['system']['group'] = $groups;
+ set_local_group($all);
+
+ /* sync all local account information */
+ sync_local_accounts();
+
+ $config['version'] = 4.9;
+ }
+
$now = date("H:i:s");
log_error("Ended Configuration upgrade at $now");
-// if ($prev_version != $config['version'])
+ if ($prev_version != $config['version'])
write_config("Upgraded config version level from {$prev_version} to {$config['version']}");
}
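Review bot: The by-reference loops in the 4.8 -> 4.9 block (`foreach ($config['system']['user'] as & $user)` and `foreach ($config['system']['group'] as & $group)`, used four times) leave `$user` and `$group` bound to the last element after each loop and are never `unset()`; a later plain assignment to either name in convert_config (whose body continues past the hunk) would silently overwrite that config entry, and `array_merge($config['system']['group'],$groups)` copies the reference slot along with the group. Add `unset($user);` / `unset($group);` after each loop. Separately, the re-indented pptp block still carries `$config['interfaces']['wan']['username'] = isset($pconfig['ondemand'] );`, which overwrites the just-assigned username with a boolean that is always true because `$pconfig['ondemand']` was set a few lines earlier; the key was presumably meant to be `['ondemand']`, mirroring the pppoe block above. Finally, `$g['admin_group']` is read when assigning gids — if convert_config does not declare `global $g` (its header is outside the hunk), the comparison is against null and the admin group gets a sequential gid instead of 1999.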
@@ -2434,4 +2493,4 @@ function set_device_perms() {
if($g['booting']) echo ".";
$config = parse_config();
-?> \ No newline at end of file
+?>
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index ddc9724..c37119b 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -60,7 +60,7 @@ $g = array(
"n_pppoe_units" => 16, /* this value can be overriden in pppoe->n_pppoe_units */
"pppoe_subnet" => 28, /* this value can be overriden in pppoe->pppoe_subnet */
"debug" => false,
- "latest_config" => "4.8",
+ "latest_config" => "4.9",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "115",
"minimum_ram_warning_text" => "128 megabytes",
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 4a47a2a..311e077 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -42,12 +42,8 @@
* returns true if user has access to edit a specific firewall nat one to one interface
******/
function have_natonetooneruleint_access($if) {
- global $config, $g, $HTTP_SERVER_VARS;
- $allowed = $g['privs'];
- if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))
- return true;
$security_url = "firewall_nat_1to1_edit.php?if=". strtolower($if);
- if(in_array($security_url, $allowed))
+ if(isAllowedPage($security_url, $allowed))
return true;
return false;
}
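Review bot: `isAllowedPage($security_url, $allowed)` passes `$allowed`, which no longer exists once the `global ... $g['privs']` lines are removed, so every call raises an undefined-variable notice, and isAllowedPage is declared with a single `$page` parameter anyway; the same mistake is in have_natpfruleint_access in the next hunk, while have_ruleint_access already uses the one-argument form. Change both to `if(isAllowedPage($security_url))`. Note also that isAllowedPage compares `basename($page)` against the session privilege list and basename keeps the query string, so `firewall_nat_1to1_edit.php?if=wan` must appear verbatim in the user's privs for this check to pass — the same condition the old in_array imposed, so not a regression, but worth a one-line comment above `$security_url`.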
@@ -61,13 +57,8 @@ function have_natonetooneruleint_access($if) {
* returns true if user has access to edit a specific firewall nat port forward interface
******/
function have_natpfruleint_access($if) {
- global $config, $g, $HTTP_SERVER_VARS, $allowed;
- if(!$allowed)
- $allowed = $g['privs'];
- if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))
- return true;
$security_url = "firewall_nat_edit.php?if=". strtolower($if);
- if(in_array($security_url, $allowed))
+ if(isAllowedPage($security_url, $allowed))
return true;
return false;
}
@@ -81,14 +72,9 @@ function have_natpfruleint_access($if) {
* returns true if user has access to edit a specific firewall interface
******/
function have_ruleint_access($if) {
- global $config, $g, $HTTP_SERVER_VARS;
- $allowed = $g['privs'];
- if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))
- return true;
$security_url = "firewall_rules.php?if=". strtolower($if);
- if(is_array($allowed))
- if(in_array($security_url, $allowed))
- return true;
+ if(isAllowedPage($security_url))
+ return true;
return false;
}
@@ -2336,43 +2322,42 @@ function display_top_tabs(& $tab_array) {
global $HTTP_SERVER_VARS;
global $config;
global $g;
- $allowed = $g['privs'];
- if(!$allowed)
- $allowed = $_SESSION['privs'];
-
- /* does the user have access to this tab?
- * master user has access to everything.
- * if the user does not have access, simply
- * unset the tab item.
+
+ /* does the user have access to this tab?
+ * master user has access to everything.
+ * if the user does not have access, simply
+ * unset the tab item.
+ */
+
+ $tab_temp = array ();
+ foreach ($tab_array as $ta)
+ if(isAllowedPage($ta[2]))
+ $tab_temp[] = $ta;
+ /*
+ // FIXME : if the checks are not good enough
+ // in isAllowedPage, it needs to be
+ // fixed instead of kludging here
+
+ // TODO: humm what shall we do with pkg_edit.php and pkg.php?
+ if ((strpos($link, "pkg.php")) !== false || (strpos($link, "pkg_edit.php")) !== false) {
+ $pos_equal = strpos($link, "=");
+ $pos_xmlsuffix = strpos($link, ".xml");
+ // do we match an absolute url including ?xml= foo
+ if(!isAllowedPage($link, $allowed))
+ $link = substr($link, $pos_equal +1, ($pos_xmlsuffix - $pos_equal +3));
+ }
+ // next check - what if the basename contains a query string?
+ if ((strpos($link, "?")) !== false) {
+ $pos_qmark = strpos($link, "?");
+ $link = substr($link, 0, $pos_qmark);
+ }
+ $authorized_text = print_r($allowed, true);
+ if(is_array($authorized))
+ if (in_array(basename($link), $authorized))
*/
- if (!isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) {
- $authorized = & $allowed;
- $tab_temp = array ();
- foreach ($tab_array as $ta) {
- $link = $ta[2];
- // TODO: humm what shall we do with pkg_edit.php and pkg.php?
- if ((strpos($link, "pkg.php")) !== false || (strpos($link, "pkg_edit.php")) !== false) {
- $pos_equal = strpos($link, "=");
- $pos_xmlsuffix = strpos($link, ".xml");
- /* do we match an absolute url including ?xml= foo */
- if(!in_array($link, $allowed))
- $link = substr($link, $pos_equal +1, ($pos_xmlsuffix - $pos_equal +3));
- }
- // next check - what if the basename contains a query string?
- if ((strpos($link, "?")) !== false) {
- $pos_qmark = strpos($link, "?");
- $link = substr($link, 0, $pos_qmark);
- }
- $authorized_text = print_r($allowed, true);
-// log_error("comparing " . basename($link) . " {$authorized_text}");
- if(is_array($authorized))
- if (in_array(basename($link), $authorized))
- $tab_temp[] = $ta;
- }
- unset ($tab_array);
- $tab_array = & $tab_temp;
- }
+ unset ($tab_array);
+ $tab_array = & $tab_temp;
echo "<table cellpadding='0' cellspacing='0'>\n";
echo " <tr>\n";
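Review bot: The query-string normalisation the old loop applied before comparing a tab link (`$link = substr($link, 0, $pos_qmark);` and the pkg.php `?xml=` special case) is dropped rather than moved, so `isAllowedPage($ta[2])` now matches `basename()` of the full link, query string included; a tab linking to e.g. `firewall_rules.php?if=wan` will only survive the filter if that exact string is in the user's privs, which the FIXME in the commented block appears to acknowledge but leaves unresolved. Either strip the query string inside isAllowedPage or keep the normalisation here before the call. The thirty-line commented-out block should be deleted rather than carried forward (the FIXME/TODO fits in a two-line comment), and `global $HTTP_SERVER_VARS;` and `global $config;` are now unused in the visible part of the function, whose body continues past the hunk.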
@@ -2595,7 +2580,7 @@ function reload_interfaces() {
/****f* pfsense-utils/sync_webgui_passwords
* NAME
- * sync_webgui_passwords - syncs webgui and ssh passwords
+ * sync_webgui_passwords - syncs all www pwdb entries
* INPUTS
* none
* RESULT
@@ -2613,111 +2598,13 @@ function sync_webgui_passwords() {
}
/* loop through custom users and add "virtual" entries */
- if ($config['system']['user']) {
+ if ($config['system']['user'])
foreach ($config['system']['user'] as $user)
fwrite($fd, "{$user['name']}:{$user['password']}\n");
- }
fclose($fd);
chmod("{$g['varrun_path']}/htpasswd", 0600);
- $root =& getUNIXRoot();
- $crypted_pw = &$root['password'];
-
- if (!$crypted_pw) {
- log_error("Error: cannot determine root pwd in sync_webgui_passwords().\nRoot user struct follows:\n");
- if(!$root)
- log_error("Unable to determine root user" . print_r($root, true));
- log_error("Testing whether your system has the necessary users... ");
- empty($config['system']['user']) ? log_error("users are missing.\n") : log_error("users found.\n");
- return 1;
- }
-
- if(file_exists("/etc/pwd.db.tmp"))
- unlink("/etc/pwd.db.tmp");
-
- mwexec("/usr/sbin/pwd_mkdb -d /etc -p /etc/master.passwd");
- mwexec("/usr/sbin/pwd_mkdb -p /etc/master.passwd");
- /* sync root */
- $fd = popen("/usr/sbin/pw usermod -n root -H 0", "w");
- fwrite($fd, $crypted_pw);
- pclose($fd);
- mwexec("/usr/sbin/pw usermod -n root -s /bin/sh");
-
- /* and again for shell users */
- /* only users with hasShellAccess() == true should be synced */
- if($config['system']['user']) {
- $home_base = $g['platform'] == "pfSense" ? "/home" : "/var/home";
-
- if(! is_dir($home_base))
- mkdir($home_base, 0755);
-
- foreach($config['system']['user'] as $user) {
- if (hasShellAccess($user['name']) || isAllowedToCopyFiles($user['name'])) {
- $home = hasShellAccess($user['name']) ? "{$home_base}/{$user['name']}" : "{$home_base}/scponly";
- $shell = isAllowedToCopyFiles($user['name']) ? "/usr/local/bin/scponly" : "/etc/rc.initial";
- if (isAllowedToCopyFiles($user['name']))
- $user['groupname'] = "scponly";
-
- $fd = popen("/usr/sbin/pw groupshow -n {$user['groupname']} 2>&1", "r");
- $pwread = fgets($fd, 4096);
- pclose($fd);
-
- if (strpos($pwread, "unknown group") !== false) {
- $groupname = $user['groupname'];
- $group = $config['system']['group'][$groupindex[$groupname]];
-
- if (isset($group) && is_array($group)) {
- log_error("Running: /usr/sbin/pw groupadd -g {$group['gid']} -n {$group['name']}");
- $fd = popen("/usr/sbin/pw groupadd -g {$group['gid']} -n {$group['name']}", "r");
- pclose($fd);
- } elseif (isAllowedToCopyFiles($user['name'])) {
- log_error("Running: /usr/sbin/pw groupadd -g 100 -n scponly");
- $fd = popen("/usr/sbin/pw groupadd -g 100 -n scponly", "r");
- pclose($fd);
- }
- }
-
- $fd = popen("/usr/sbin/pw usershow -n {$user['name']} 2>&1", "r");
- $pwread = fgets($fd, 4096);
- pclose($fd);
-
- isSystemAdmin($user['name']) ? $group = "wheel" : $group = "staff";
-
- if (strpos($pwread, "no such user") === false) {
- log_error("Running: /usr/sbin/pw usermod -n {$user['name']} -g {$user['groupname']} -G {$group} -H 0");
- $fd = popen("/usr/sbin/pw usermod -n {$user['name']} -g {$user['groupname']} -G {$group} -H 0", "w");
- fwrite($fd, $user['password']);
- pclose($fd);
- } else {
- log_error("Running: /usr/sbin/pw useradd -u {$user['uid']} -n {$user['name']} -c '" . escapeshellarg($user['fullname']) . " -g {$user['groupname']} -G {$group} -H 0");
- $fd = popen("/usr/sbin/pw useradd -u {$user['uid']} -n {$user['name']} -c " . escapeshellarg($user['fullname']) . " -g {$user['groupname']} -G {$group} -H 0", "w");
- fwrite($fd, $user['password']);
- pclose($fd);
- }
-
- /* common user related operations */
- mwexec("/usr/sbin/pw usermod -n {$user['name']} -s {$shell}");
-
- if(! is_dir($home)) mkdir($home, 0755);
- mwexec("/usr/sbin/pw usermod -n {$user['name']} -d {$home} -m");
-
- if (isAllowedToCopyFiles($user['name'])) {
- mwexec("/usr/sbin/pw usermod -n {$user['name']} -g scponly");
- }
-
- if (file_exists("{$home_base}/scponly"))
- mwexec("chmod 0660 {$home_base}/scponly");
-
- if(isset($config['system']['ssh']['sshdkeyonly']) && ! isAllowedToCopyFiles($user['name'])) {
- create_authorized_keys($user['name'], $home);
- }
- }
- }
- }
-
- mwexec("/usr/sbin/pwd_mkdb -d /etc -p /etc/master.passwd");
- mwexec("/usr/sbin/pwd_mkdb -p /etc/master.passwd");
conf_mount_ro();
}
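Review bot: `chmod("{$g['varrun_path']}/htpasswd", 0600);` runs after the password hashes have been written and the handle closed, so on first creation the file carries the umask-derived mode for that window; now that this hunk leaves htpasswd generation as the function's only job, consider creating the file with restrictive permissions before the fopen (which sits outside the hunk) or wrapping it in `umask(077)`. The removed `if (!$crypted_pw) ... return 1;` branch was the function's only non-void return; if any caller tests the result of sync_webgui_passwords() for failure, that check is now dead and should be removed or the function should signal failure another way — worth verifying against callers. The enclosing function starts outside the hunk.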
diff --git a/etc/inc/xmlparse.inc b/etc/inc/xmlparse.inc
index d74ff0d..3409aa1 100644
--- a/etc/inc/xmlparse.inc
+++ b/etc/inc/xmlparse.inc
@@ -34,7 +34,7 @@
function listtags() {
$ret = explode(" ", "element alias aliasurl allowedip cacert config columnitem disk dnsserver domainoverrides " .
"earlyshellcmd encryption-algorithm-option field fieldname hash-algorithm-option " .
- "hosts group interface_array item key lbpool menu mobilekey mount onetoone option ppp package passthrumac phase1 phase2 priv proxyarpnet " .
+ "hosts group member interface_array item key lbpool menu mobilekey mount onetoone option ppp package passthrumac phase1 phase2 priv proxyarpnet " .
"queue pages pipe route row rule schedule service servernat servers serversdisabled earlyshellcmd shellcmd staticmap subqueue " .
"timerange tunnel user vip virtual_server vlan winsserver ntpserver wolentry widget depends_on_package gateway_item gateway_group dyndns dnsupdate gre gif");
return $ret;