treewide: reorganize base ACLs
authorJo-Philipp Wich <jo@mein.io>
Thu, 9 Apr 2020 20:52:37 +0000 (22:52 +0200)
committerJo-Philipp Wich <jo@mein.io>
Thu, 9 Apr 2020 21:23:33 +0000 (23:23 +0200)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json [new file with mode: 0644]
applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json [deleted file]
applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json [new file with mode: 0644]
applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json
modules/luci-mod-network/root/usr/share/rpcd/acl.d/luci-mod-network.json [new file with mode: 0644]
modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json [new file with mode: 0644]
modules/luci-mod-system/root/usr/share/rpcd/acl.d/luci-mod-system.json [new file with mode: 0644]

diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
new file mode 100644 (file)
index 0000000..0ee29ad
--- /dev/null
@@ -0,0 +1,24 @@
+{
+       "luci-app-firewall": {
+               "description": "Grant access to firewall configuration",
+               "read": {
+                       "file": {
+                               "/etc/firewall.user": [ "read" ]
+                       },
+                       "ubus": {
+                               "file": [ "read" ],
+                               "luci": [ "getConntrackHelpers" ]
+                       },
+                       "uci": [ "firewall" ],
+               },
+               "write": {
+                       "file": {
+                               "/etc/firewall.user": [ "write" ]
+                       },
+                       "ubus": {
+                               "file": [ "write" ]
+                       },
+                       "uci": [ "firewall" ]
+               }
+       }
+}
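Review bot: The `read` object ends with a trailing comma: `"uci": [ "firewall" ],` is followed directly by `},`, which strict JSON parsers reject, so the line should read `"uci": [ "firewall" ]`. The same slip appears in luci-base.json, where `"/etc/luci-uploads/*": [ "write" ],` becomes the last member of the `write` → `file` object once the entries after it are removed. It also appears in luci-mod-status.json, where the `luci-mod-status-index-wifi` group closes with `},` right before the final `}`. Whether rpcd's loader tolerates this is not visible here; if it does not, the affected ACL file would presumably fail to load, so each file should pass a strict JSON check before merging.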
diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
deleted file mode 100644 (file)
index bc9d8e1..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-{
-       "luci-app-openvpn": {
-               "description": "Grant file upload access to /etc/openvpn",
-               "write": {
-                       "cgi-io": [ "upload" ],
-                       "file": {
-                               "/etc/openvpn/*": [ "write" ]
-                       }
-               }
-       }
-}
diff --git a/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json b/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
new file mode 100644 (file)
index 0000000..bc9d8e1
--- /dev/null
@@ -0,0 +1,11 @@
+{
+       "luci-app-openvpn": {
+               "description": "Grant file upload access to /etc/openvpn",
+               "write": {
+                       "cgi-io": [ "upload" ],
+                       "file": {
+                               "/etc/openvpn/*": [ "write" ]
+                       }
+               }
+       }
+}
index 37f75fb7c9ca963fa125b6719a38fe72548149e8..d6531a58e44040e18092db6954dc3108f14b0d2c 100644 (file)
@@ -4,6 +4,8 @@
                "read": {
                        "cgi-io": [ "exec" ],
                        "file": {
+                               "/usr/libexec/opkg-list installed": [ "exec" ],
+                               "/usr/libexec/opkg-list available": [ "exec" ],
                                "/usr/libexec/opkg-call list-installed": [ "exec" ],
                                "/usr/libexec/opkg-call list-available": [ "exec" ],
                                "/etc/opkg.conf": [ "read" ],
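Review bot: The new exec grants for `/usr/libexec/opkg-list installed` and `/usr/libexec/opkg-list available` sit next to the existing `/usr/libexec/opkg-call list-installed` and `/usr/libexec/opkg-call list-available` entries, so the `read` scope now allows two helpers for the same listing. If the frontend has moved to `opkg-list` (not visible in this hunk), the two `opkg-call list-*` lines are grants nothing uses and should be removed in the same change. If both are still needed, the commit message should say why. The enclosing `file` object starts and ends outside the hunk.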
index 2529fca16d955045f0b65a8c4eac32dc241374a3..3168b374000f7afd67a515965427578a2e2e78d3 100644 (file)
@@ -5,19 +5,29 @@
                        "cgi-io": [ "read", "exec" ],
                        "file": {
                                "/etc/filesystems": [ "read" ],
-                               "/etc/group": [ "read" ],
-                               "/etc/passwd": [ "read" ],
                                "/proc/filesystems": [ "read" ],
                                "/proc/interrupts": [ "read" ],
                                "/proc/mounts": [ "read" ],
                                "/proc/partitions": [ "read" ],
                                "/proc/sys/kernel/hostname": [ "read" ],
-                               "/usr/bin/rrdtool graph - -a PNG *": [ "exec" ],
+                               "/tmp/rrd": [ "list" ],
+                               "/usr/bin/rrdtool graph - -a PNG -s *": [ "exec" ],
+                               "/usr/lib/collectd": [ "list" ],
                                "/usr/sbin/iptables-save": [ "exec" ],
                                "/usr/sbin/ip6tables-save": [ "exec" ],
                                "/usr/sbin/sensors -j": [ "exec" ],
-                               "/usr/share/luci/statistics/plugins/*.json": [ "read" ]
-                       }
+                               "/usr/share/luci/statistics/plugins": [ "list" ],
+                               "/usr/share/luci/statistics/plugins/*.json": [ "read" ],
+                               "/var/run": [ "list" ],
+                               "/www/luci-static/resources/statistics/rrdtool/definitions": [ "list" ]
+                       },
+                       "ubus": {
+                               "file": [ "list", "read" ]
+                       },
+                       "uci": [ "luci_statistics" ]
+               },
+               "write": {
+                       "uci": [ "luci_statistics" ]
                }
        }
 }
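Review bot: The exec pattern `"/usr/bin/rrdtool graph - -a PNG -s *"` still ends in a bare `*`, so, assuming the command line is matched as a glob, everything after `-s` is chosen by the caller, including which files the graph definitions reference. This sits in the `read` scope together with `"cgi-io": [ "read", "exec" ]`, so a read-only role gets it. The `iptables --line-numbers -w -nvxL -t *` and `ip6tables --line-numbers -w -nvxL -t *` entries in luci-mod-status.json have the same open tail after the table name. A fixed helper under `/usr/libexec` that validates its arguments, as already done for `luci-peeraddr`, would let the ACL name an exact command instead of a wildcard.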
index 8b8481b1cb1a41f8b37bd97e4d94ce8d15175c17..f2534f8ed62176434e28ccd0d2c56a6b3e9caef2 100644 (file)
                }
        },
 
-       "uci-access": {
-               "description": "Grant uci write access to all configurations",
-               "read": {
-                       "uci": [ "*" ]
-               },
-               "write": {
-                       "uci": [ "*" ]
-               }
-       },
-       "luci-access": {
+       "luci-base": {
                "description": "Grant access to basic LuCI procedures",
                "read": {
-                       "cgi-io": [ "backup", "download", "exec" ],
                        "file": {
                                "/": [ "list" ],
-                               "/*": [ "list" ],
-                               "/dev/mtdblock*": [ "read" ],
-                               "/etc/crontabs/root": [ "read" ],
-                               "/etc/dropbear/authorized_keys": [ "read" ],
-                               "/etc/filesystems": [ "read" ],
-                               "/etc/rc.local": [ "read" ],
-                               "/etc/sysupgrade.conf": [ "read" ],
-                               "/etc/passwd": [ "read" ],
-                               "/etc/group": [ "read" ],
-                               "/proc/filesystems": [ "read" ],
-                               "/proc/mtd": [ "read" ],
-                               "/proc/partitions": [ "read" ],
-                               "/proc/sys/kernel/hostname": [ "read" ],
-                               "/proc/sys/net/netfilter/nf_conntrack_*": [ "read" ],
-                               "/proc/mounts": [ "read" ],
-                               "/usr/lib/lua/luci/version.lua": [ "read" ],
-                               "/bin/dmesg -r": [ "exec" ],
-                               "/bin/ping *": [ "exec" ],
-                               "/bin/ping6 *": [ "exec" ],
-                               "/bin/traceroute *": [ "exec" ],
-                               "/bin/traceroute6 *": [ "exec" ],
-                               "/sbin/ip -4 neigh show": [ "exec" ],
-                               "/sbin/ip -4 route show table all": [ "exec" ],
-                               "/sbin/ip -6 neigh show": [ "exec" ],
-                               "/sbin/ip -6 route show table all": [ "exec" ],
-                               "/sbin/logread -e ^": [ "exec" ],
-                               "/usr/sbin/logread -e ^": [ "exec" ],
-                               "/usr/bin/ping *": [ "exec" ],
-                               "/usr/bin/ping6 *": [ "exec" ],
-                               "/usr/bin/traceroute *": [ "exec" ],
-                               "/usr/bin/traceroute6 *": [ "exec" ],
-                               "/usr/bin/nslookup *": [ "exec" ],
-                               "/usr/libexec/luci-peeraddr": [ "exec" ],
-                               "/usr/sbin/iptables --line-numbers -w -nvxL -t *": [ "exec" ],
-                               "/usr/sbin/ip6tables --line-numbers -w -nvxL -t *": [ "exec" ]
+                               "/*": [ "list" ]
                        },
                        "ubus": {
-                               "file": [ "list", "read", "stat" ],
-                               "iwinfo": [ "assoclist", "freqlist", "txpowerlist", "countrylist" ],
-                               "luci": [ "getConntrackList", "getInitList", "getLocaltime", "getProcessList", "getRealtimeStats", "getTimezones", "getLEDs", "getUSBDevices", "getSwconfigFeatures", "getSwconfigPortState", "getBlockDevices", "getMountPoints" ],
-                               "luci-rpc": [ "getBoardJSON", "getDHCPLeases", "getDSLStatus", "getDUIDHints", "getHostHints", "getNetworkDevices", "getWirelessDevices" ],
-                               "network.interface": [ "dump" ],
-                               "network.rrdns": [ "lookup" ],
-                               "network": [ "get_proto_handlers" ],
-                               "system": [ "board", "info", "validate_firmware_image" ],
+                               "file": [ "list" ],
                                "uci": [ "changes", "get" ]
-                       },
-                       "uci": [ "*" ]
+                       }
                },
                "write": {
                        "cgi-io": [ "upload" ],
                        "file": {
-                               "/etc/crontabs/root": [ "write" ],
-                               "/etc/dropbear/authorized_keys": [ "write" ],
-                               "/etc/init.d/firewall restart": [ "exec" ],
                                "/etc/luci-uploads/*": [ "write" ],
-                               "/etc/rc.local": [ "write" ],
-                               "/etc/sysupgrade.conf": [ "write" ],
-                               "/sbin/block": [ "exec" ],
-                               "/sbin/firstboot": [ "exec" ],
-                               "/sbin/ifdown": [ "exec" ],
-                               "/sbin/ifup": [ "exec" ],
-                               "/sbin/reboot": [ "exec" ],
-                               "/sbin/sysupgrade": [ "exec" ],
-                               "/sbin/wifi": [ "exec" ],
-                               "/bin/kill": [ "exec" ],
-                               "/bin/tar": [ "exec" ],
-                               "/bin/umount": [ "exec" ],
-                               "/tmp/backup.tar.gz": [ "write" ],
-                               "/tmp/firmware.bin": [ "write" ],
-                               "/tmp/upload.ipk": [ "write" ],
-                               "/usr/sbin/iptables -Z": [ "exec" ],
-                               "/usr/sbin/ip6tables -Z": [ "exec" ]
                        },
                        "ubus": {
-                               "file": [ "write", "remove", "exec" ],
-                               "hostapd.*": [ "del_client" ],
-                               "iwinfo": [ "scan" ],
-                               "luci": [ "setInitAction", "setLocaltime", "setPassword", "setBlockDetect" ],
-                               "uci": [ "add", "apply", "confirm", "delete", "order", "set", "rename" ]
-                       },
-                       "uci": [ "*" ]
+                               "file": [ "remove" ],
+                               "uci": [ "add", "apply", "confirm", "delete", "order", "set" ]
+                       }
                }
        },
-       "luci-app-firewall": {
-               "description": "Grant access to firewall procedures",
+
+       "luci-base-network-status": {
+               "description": "Grant access to network status information",
                "read": {
-                       "file": {
-                               "/etc/firewall.user": [ "read" ]
-                       },
                        "ubus": {
-                               "luci": [ "getConntrackHelpers" ]
-                       },
-                       "uci": [ "firewall" ]
-               },
-               "write": {
-                       "file": {
-                               "/etc/firewall.user": [ "write" ],
-                               "/etc/init.d/firewall": [ "exec" ]
+                               "luci-rpc": [ "getBoardJSON", "getHostHints", "getNetworkDevices", "getWirelessDevices" ],
+                               "network": [ "get_proto_handlers" ],
+                               "network.interface": [ "dump" ]
                        },
-                       "uci": [ "firewall" ]
+                       "uci": [ "luci", "network", "wireless" ]
                }
        }
 }
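Review bot: The slimmed-down `luci-base` group keeps `"/": [ "list" ]` and `"/*": [ "list" ]` together with the ubus `file` method `list`, so the base group can presumably still enumerate any path on the device if the glob does not treat `/` specially. Other file grants in this commit are narrowed to the directory a view needs (for example `/www/luci-static/resources/view/status/include` in luci-mod-status.json), and the base entry would be more consistent as a short list of the directories the core UI actually lists. Separately, the ubus `uci` write methods lose `rename` with no mention in the commit message; if that is not intended, restore it as `"uci": [ "add", "apply", "confirm", "delete", "order", "rename", "set" ]`. The group that precedes `luci-base` starts outside the hunk.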
diff --git a/modules/luci-mod-network/root/usr/share/rpcd/acl.d/luci-mod-network.json b/modules/luci-mod-network/root/usr/share/rpcd/acl.d/luci-mod-network.json
new file mode 100644 (file)
index 0000000..d6c84ba
--- /dev/null
@@ -0,0 +1,65 @@
+{
+       "luci-mod-network-config": {
+               "description": "Grant access to network configuration",
+               "read": {
+                       "cgi-io": [ "exec" ],
+                       "file": {
+                               "/usr/libexec/luci-peeraddr": [ "exec" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec" ],
+                               "iwinfo": [ "assoclist", "countrylist", "freqlist", "txpowerlist" ],
+                               "luci": [ "getSwconfigFeatures", "getSwconfigPortState" ]
+                       },
+                       "uci": [ "dhcp", "firewall", "network", "wireless" ]
+               },
+               "write": {
+                       "cgi-io": [ "exec" ],
+                       "file": {
+                               "/sbin/ifup": [ "exec" ],
+                               "/sbin/ifdown": [ "exec" ],
+                               "/sbin/wifi": [ "exec" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec" ],
+                               "hostapd.*": [ "del_client" ],
+                               "iwinfo": [ "scan" ]
+                       },
+                       "uci": [ "dhcp", "firewall", "network", "wireless" ]
+               }
+       },
+
+       "luci-mod-network-dhcp": {
+               "description": "Grant access to DHCP configuration",
+               "read": {
+                       "ubus": {
+                               "luci-rpc": [ "getDHCPLeases", "getDUIDHints" ]
+                       },
+                       "uci": [ "dhcp" ]
+               },
+               "write": {
+                       "uci": [ "dhcp" ]
+               }
+       },
+
+       "luci-mod-network-diagnostics": {
+               "description": "Grant access to network diagnostic tools",
+               "read": {
+                       "file": {
+                               "/bin/ping": [ "exec" ],
+                               "/bin/ping6": [ "exec", "list" ],
+                               "/bin/traceroute": [ "exec" ],
+                               "/bin/traceroute6": [ "exec", "list" ],
+                               "/usr/bin/nslookup": [ "exec" ],
+                               "/usr/bin/ping": [ "exec" ],
+                               "/usr/bin/ping6": [ "exec", "list" ],
+                               "/usr/bin/traceroute": [ "exec" ],
+                               "/usr/bin/traceroute6": [ "exec", "list" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec", "stat" ]
+                       },
+                       "uci": [ "luci" ]
+               }
+       }
+}
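Review bot: In `luci-mod-network-diagnostics` the exec entries name only the binary (`"/bin/ping": [ "exec" ]`), whereas the entries they replace in luci-base.json used `"/bin/ping *"`. Nothing on the page shows whether the matcher compares the full command line or only the path. If it compares the full command line, these entries would not match a call that carries a target host; if it compares only the path, the arguments are unconstrained for a group that lives in the `read` scope. Either way the intent should be written down, e.g. `"description": "Grant access to network diagnostic tools (ping, traceroute, nslookup with caller-supplied arguments)"`.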
diff --git a/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json b/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json
new file mode 100644 (file)
index 0000000..989da49
--- /dev/null
@@ -0,0 +1,132 @@
+{
+       "luci-mod-status-realtime": {
+               "description": "Grant access to realtime statistics",
+               "read": {
+                       "ubus": {
+                               "luci": [ "getConntrackList", "getRealtimeStats" ],
+                               "network.rrdns": [ "lookup" ]
+                       }
+               }
+       },
+
+       "luci-mod-status-processes": {
+               "description": "Grant access to process status",
+               "read": {
+                       "ubus": {
+                               "luci": [ "getProcessList" ]
+                       }
+               },
+               "write": {
+                       "file": {
+                               "/bin/kill": [ "exec" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec" ]
+                       }
+               }
+       },
+
+       "luci-mod-status-logs": {
+               "description": "Grant access to system logs",
+               "read": {
+                       "cgi-io": [ "exec" ],
+                       "file": {
+                               "/bin/dmesg -r": [ "exec" ],
+                               "/sbin/logread": [ "stat" ],
+                               "/sbin/logread -e ^": [ "exec" ],
+                               "/usr/sbin/logread": [ "stat" ],
+                               "/usr/sbin/logread -e ^": [ "exec" ]
+                       },
+                       "ubus": {
+                               "file": [ "stat" ]
+                       }
+               }
+       },
+
+       "luci-mod-status-routes": {
+               "description": "Grant access to the system route status",
+               "read": {
+                       "file": {
+                               "/sbin/ip -[46] neigh show": [ "exec" ],
+                               "/sbin/ip -[46] route show table all": [ "exec" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec" ]
+                       }
+               }
+       },
+
+       "luci-mod-status-firewall": {
+               "description": "Grant access to firewall status",
+               "read": {
+                       "cgi-io": [ "exec" ],
+                       "file": {
+                               "/usr/sbin/iptables --line-numbers -w -nvxL -t *": [ "exec" ],
+                               "/usr/sbin/ip6tables --line-numbers -w -nvxL -t *": [ "exec" ],
+                               "/usr/sbin/ip6tables": [ "list" ]
+                       },
+                       "ubus": {
+                               "file": [ "stat" ]
+                       }
+               },
+               "write": {
+                       "cgi-io": [ "exec" ],
+                       "file": {
+                               "/etc/init.d/firewall restart": [ "exec" ],
+                               "/usr/sbin/iptables -Z": [ "exec" ],
+                               "/usr/sbin/ip6tables -Z": [ "exec" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec" ]
+                       }
+               }
+       },
+
+       "luci-mod-status-index": {
+               "description": "Grant access to main status display",
+               "read": {
+                       "file": {
+                               "/proc/sys/net/netfilter/nf_conntrack_count": [ "read" ],
+                               "/proc/sys/net/netfilter/nf_conntrack_max": [ "read" ],
+                               "/usr/lib/lua/luci/version.lua": [ "read" ],
+                               "/www/luci-static/resources/view/status/include": [ "list" ]
+                       },
+                       "ubus": {
+                               "file": [ "list", "read" ],
+                               "system": [ "board", "info" ]
+                       }
+               }
+       },
+
+       "luci-mod-status-index-dhcp": {
+               "description": "Grant access to DHCP status display",
+               "read": {
+                       "ubus": {
+                               "luci-rpc": [ "getDHCPLeases" ]
+                       }
+               }
+       },
+
+       "luci-mod-status-index-dsl": {
+               "description": "Grant access to DSL status display",
+               "read": {
+                       "ubus": {
+                               "luci-rpc": [ "getDSLStatus" ]
+                       }
+               }
+       },
+
+       "luci-mod-status-index-wifi": {
+               "description": "Grant access to wireless status display",
+               "read": {
+                       "ubus": {
+                               "iwinfo": [ "assoclist" ]
+                       }
+               },
+               "write": {
+                       "ubus": {
+                               "hostapd.*": [ "del_client" ]
+                       }
+               }
+       },
+}
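Review bot: Two spellings are used for the path permission behind an existence check: `luci-mod-status-logs` grants `"/sbin/logread": [ "stat" ]` while `luci-mod-status-firewall` grants `"/usr/sbin/ip6tables": [ "list" ]`, and both groups enable only the ubus `file` method `stat`. Presumably rpcd checks a single permission name for that method, in which case one of these views carries a grant that never matches. luci-mod-network.json follows the `list` form for `ping6` and `traceroute6`. Confirm which name rpcd honours and use it throughout, e.g. `"/sbin/logread": [ "list" ]` if `list` is the one.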
diff --git a/modules/luci-mod-system/root/usr/share/rpcd/acl.d/luci-mod-system.json b/modules/luci-mod-system/root/usr/share/rpcd/acl.d/luci-mod-system.json
new file mode 100644 (file)
index 0000000..ec03ce2
--- /dev/null
@@ -0,0 +1,167 @@
+{
+       "luci-mod-system-config": {
+               "description": "Grant access to system configuration",
+               "read": {
+                       "ubus": {
+                               "luci": [ "getInitList", "getLEDs", "getLocaltime", "getTimezones", "getUSBDevices" ]
+                       },
+                       "uci": [ "luci", "system" ]
+               },
+               "write": {
+                       "ubus": {
+                               "luci": [ "setInitAction", "setLocaltime", "setPassword" ]
+                       },
+                       "uci": [ "luci", "system" ]
+               }
+       },
+
+       "luci-mod-system-ssh": {
+               "description": "Grant access to SSH configuration",
+               "read": {
+                       "file": {
+                               "/etc/dropbear/authorized_keys": [ "read" ]
+                       },
+                       "ubus": {
+                               "file": [ "read" ]
+                       },
+                       "uci": [ "dropbear" ]
+               },
+               "write": {
+                       "file": {
+                               "/etc/dropbear/authorized_keys": [ "write" ]
+                       },
+                       "ubus": {
+                               "file": [ "write" ],
+                               "luci": [ "setInitAction", "setLocaltime" ]
+                       },
+                       "uci": [ "system" ]
+               }
+       },
+
+       "luci-mod-system-init": {
+               "description": "Grant access to startup configuration",
+               "read": {
+                       "file": {
+                               "/etc/rc.local": [ "read" ]
+                       },
+                       "ubus": {
+                               "file": [ "read" ],
+                               "luci": [ "getInitList" ]
+                       }
+               },
+               "write": {
+                       "file": {
+                               "/etc/rc.local": [ "write" ]
+                       },
+                       "ubus": {
+                               "file": [ "write" ],
+                               "luci": [ "setInitAction" ]
+                       }
+               }
+       },
+
+       "luci-mod-system-cron": {
+               "description": "Grant access to crontab configuration",
+               "read": {
+                       "file": {
+                               "/etc/crontabs/root": [ "read" ]
+                       },
+                       "ubus": {
+                               "file": [ "read" ]
+                       }
+               },
+               "write": {
+                       "file": {
+                               "/etc/crontabs/root": [ "write" ]
+                       },
+                       "ubus": {
+                               "file": [ "write" ]
+                       }
+               }
+       },
+
+       "luci-mod-system-mounts": {
+               "description": "Grant access to mount configuration",
+               "read": {
+                       "file": {
+                               "/etc/filesystems": [ "read" ],
+                               "/proc/filesystems": [ "read" ],
+                               "/usr/bin/btrfsck": [ "list" ],
+                               "/usr/bin/ntfsfix": [ "list" ],
+                               "/usr/sbin/e2fsck": [ "list" ],
+                               "/usr/sbin/fsck.f2fs": [ "list" ],
+                               "/usr/sbin/fsck.fat": [ "list" ]
+                       },
+                       "ubus": {
+                               "file": [ "read", "stat" ],
+                               "luci": [ "getBlockDevices", "getMountPoints" ]
+                       },
+                       "uci": [ "fstab" ]
+               },
+               "write": {
+                       "file": {
+                               "/etc/crontabs/root": [ "write" ],
+                               "/bin/umount": [ "exec" ],
+                               "/sbin/block": [ "exec" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec", "write" ],
+                               "luci": [ "setBlockDetect" ]
+                       },
+                       "uci": [ "fstab" ]
+               }
+       },
+
+       "luci-mod-system-flash": {
+               "description": "Grant access to flash operations",
+               "read": {
+                       "cgi-io": [ "backup", "download" ],
+                       "file": {
+                               "/dev/mtdblock[0-9]*": [ "read" ],
+                               "/etc/sysupgrade.conf": [ "read" ],
+                               "/lib/upgrade/platform.sh": [ "list" ],
+                               "/proc/mounts": [ "read" ],
+                               "/proc/mtd": [ "read" ],
+                               "/proc/partitions": [ "read" ],
+                               "/proc/sys/kernel/hostname": [ "read" ],
+                               "/sbin/sysupgrade --list-backup": [ "exec" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec", "read", "stat" ]
+                       }
+               },
+               "write": {
+                       "cgi-io": [ "upload" ],
+                       "file": {
+                               "/bin/tar -tzf /tmp/backup.tar.gz": [ "exec" ],
+                               "/etc/sysupgrade.conf": [ "write" ],
+                               "/sbin/firstboot -r -y": [ "exec" ],
+                               "/sbin/reboot": [ "exec" ],
+                               "/sbin/sysupgrade --force /tmp/firmware.bin": [ "exec" ],
+                               "/sbin/sysupgrade -n --force /tmp/firmware.bin": [ "exec" ],
+                               "/sbin/sysupgrade -n /tmp/firmware.bin": [ "exec" ],
+                               "/sbin/sysupgrade --restore-backup /tmp/backup.tar.gz": [ "exec" ],
+                               "/sbin/sysupgrade --test /tmp/firmware.bin": [ "exec" ],
+                               "/sbin/sysupgrade /tmp/firmware.bin": [ "exec" ],
+                               "/tmp/backup.tar.gz": [ "write" ],
+                               "/tmp/firmware.bin": [ "write" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec", "remove", "write" ],
+                               "system": [ "validate_firmware_image" ]
+                       }
+               }
+       },
+
+       "luci-mod-system-reboot": {
+               "description": "Allow rebooting the device",
+               "write": {
+                       "file": {
+                               "/sbin/reboot": [ "exec" ]
+                       },
+                       "ubus": {
+                               "file": [ "exec" ]
+                       }
+               }
+       }
+}
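Review bot: `luci-mod-system-mounts` grants `"/etc/crontabs/root": [ "write" ]` in its `write` → `file` object, which looks copied from `luci-mod-system-cron`. A role meant for mount configuration could then rewrite root's crontab, which amounts to running commands as root. Unless the mounts view really edits the crontab, that line should be dropped. `luci-mod-system-ssh` has a similar mismatch: it reads `"uci": [ "dropbear" ]` but writes `"uci": [ "system" ]`, so the write side should probably be `"uci": [ "dropbear" ]`. Its ubus `luci` write methods `setInitAction` and `setLocaltime` also do not obviously belong to SSH key management.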