From: Jo-Philipp Wich
Date: Thu, 9 Apr 2020 20:52:37 +0000 (+0200)
Subject: treewide: reorganize base ACLs
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c099344013ad72d01a93b99184c72c5eeb792174;p=oweals%2Fluci.git
treewide: reorganize base ACLs
Signed-off-by: Jo-Philipp Wich
---
diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
new file mode 100644
index 000000000..0ee29ad21
--- /dev/null
+++ b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
@@ -0,0 +1,24 @@
+{
+ "luci-app-firewall": {
+ "description": "Grant access to firewall configuration",
+ "read": {
+ "file": {
+ "/etc/firewall.user": [ "read" ]
+ },
+ "ubus": {
+ "file": [ "read" ],
+ "luci": [ "getConntrackHelpers" ]
+ },
+ "uci": [ "firewall" ],
+ },
+ "write": {
+ "file": {
+ "/etc/firewall.user": [ "write" ]
+ },
+ "ubus": {
+ "file": [ "write" ]
+ },
+ "uci": [ "firewall" ]
+ }
+ }
+}
diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
deleted file mode 100644
index bc9d8e184..000000000
--- a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "luci-app-openvpn": {
- "description": "Grant file upload access to /etc/openvpn",
- "write": {
- "cgi-io": [ "upload" ],
- "file": {
- "/etc/openvpn/*": [ "write" ]
- }
- }
- }
-}
diff --git a/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json b/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
new file mode 100644
index 000000000..bc9d8e184
--- /dev/null
+++ b/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
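Review bot: The read block of the new luci-app-firewall.json ends with `"uci": [ "firewall" ],` directly before `},`, a trailing comma that an RFC 8259 parser rejects; it should read `"uci": [ "firewall" ]` like the write block below it. Whether the JSON reader rpcd uses tolerates this cannot be told from the page, but a role file that fails to parse would leave every role it defines unavailable, so it is worth checking against the actual loader rather than relying on leniency. The same slip appears in two other hunks of this commit and is not repeated there: in luci-base.json the write `file` object now ends with `"/etc/luci-uploads/*": [ "write" ],` immediately before `},`, and luci-mod-status.json closes its last role with `},` immediately before the final `}`.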
@@ -0,0 +1,11 @@
+{
+ "luci-app-openvpn": {
+ "description": "Grant file upload access to /etc/openvpn",
+ "write": {
+ "cgi-io": [ "upload" ],
+ "file": {
+ "/etc/openvpn/*": [ "write" ]
+ }
+ }
+ }
+}
diff --git a/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json b/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
index 37f75fb7c..d6531a58e 100644
--- a/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
+++ b/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
@@ -4,6 +4,8 @@
 "read": {
 "cgi-io": [ "exec" ],
 "file": {
+ "/usr/libexec/opkg-list installed": [ "exec" ],
+ "/usr/libexec/opkg-list available": [ "exec" ],
 "/usr/libexec/opkg-call list-installed": [ "exec" ],
 "/usr/libexec/opkg-call list-available": [ "exec" ],
 "/etc/opkg.conf": [ "read" ],
diff --git a/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json b/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
index 2529fca16..3168b3740 100644
--- a/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
+++ b/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
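Review bot: The opkg hunk adds exec grants for `/usr/libexec/opkg-list installed` and `/usr/libexec/opkg-list available` while keeping the older `/usr/libexec/opkg-call list-installed` and `list-available` entries, so the role now permits two command lines for the same function. If the UI has moved to `opkg-list`, the `opkg-call list-*` lines are dead grants and should be dropped in the same change, or the commit message should say they are kept for a transition period. The enclosing `luci-app-opkg` object starts and ends outside this hunk.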
@@ -5,19 +5,29 @@
 "cgi-io": [ "read", "exec" ],
 "file": {
 "/etc/filesystems": [ "read" ],
- "/etc/group": [ "read" ],
- "/etc/passwd": [ "read" ],
 "/proc/filesystems": [ "read" ],
 "/proc/interrupts": [ "read" ],
 "/proc/mounts": [ "read" ],
 "/proc/partitions": [ "read" ],
 "/proc/sys/kernel/hostname": [ "read" ],
- "/usr/bin/rrdtool graph - -a PNG *": [ "exec" ],
+ "/tmp/rrd": [ "list" ],
+ "/usr/bin/rrdtool graph - -a PNG -s *": [ "exec" ],
+ "/usr/lib/collectd": [ "list" ],
 "/usr/sbin/iptables-save": [ "exec" ],
 "/usr/sbin/ip6tables-save": [ "exec" ],
 "/usr/sbin/sensors -j": [ "exec" ],
- "/usr/share/luci/statistics/plugins/*.json": [ "read" ]
- }
+ "/usr/share/luci/statistics/plugins": [ "list" ],
+ "/usr/share/luci/statistics/plugins/*.json": [ "read" ],
+ "/var/run": [ "list" ],
+ "/www/luci-static/resources/statistics/rrdtool/definitions": [ "list" ]
+ },
+ "ubus": {
+ "file": [ "list", "read" ]
+ },
+ "uci": [ "luci_statistics" ]
+ },
+ "write": {
+ "uci": [ "luci_statistics" ]
 }
 }
 }
diff --git a/modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json b/modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json
index 8b8481b1c..f2534f8ed 100644
--- a/modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json
+++ b/modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json
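Review bot: The newly added `"ubus": { "file": [ "list", "read" ] }` in the read block grants no `exec`, while the same block keeps exec rules for `/usr/sbin/iptables-save`, `/usr/sbin/ip6tables-save`, `/usr/sbin/sensors -j` and rrdtool. That is consistent only if those commands are run through cgi-io, which is granted `exec` on the first line of the hunk; any of them invoked via the ubus `file` object will be denied, so it is worth confirming which path the statistics views take before merging. The tightened rrdtool key `graph - -a PNG -s *` is a good change, since it pins the leading arguments the UI sends instead of accepting anything after `PNG`. The file's first four lines lie outside this hunk.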
@@ -8,122 +8,39 @@
 }
 },
- "uci-access": {
- "description": "Grant uci write access to all configurations",
- "read": {
- "uci": [ "*" ]
- },
- "write": {
- "uci": [ "*" ]
- }
- },
- "luci-access": {
+ "luci-base": {
 "description": "Grant access to basic LuCI procedures",
 "read": {
- "cgi-io": [ "backup", "download", "exec" ],
 "file": {
 "/": [ "list" ],
- "/*": [ "list" ],
- "/dev/mtdblock*": [ "read" ],
- "/etc/crontabs/root": [ "read" ],
- "/etc/dropbear/authorized_keys": [ "read" ],
- "/etc/filesystems": [ "read" ],
- "/etc/rc.local": [ "read" ],
- "/etc/sysupgrade.conf": [ "read" ],
- "/etc/passwd": [ "read" ],
- "/etc/group": [ "read" ],
- "/proc/filesystems": [ "read" ],
- "/proc/mtd": [ "read" ],
- "/proc/partitions": [ "read" ],
- "/proc/sys/kernel/hostname": [ "read" ],
- "/proc/sys/net/netfilter/nf_conntrack_*": [ "read" ],
- "/proc/mounts": [ "read" ],
- "/usr/lib/lua/luci/version.lua": [ "read" ],
- "/bin/dmesg -r": [ "exec" ],
- "/bin/ping *": [ "exec" ],
- "/bin/ping6 *": [ "exec" ],
- "/bin/traceroute *": [ "exec" ],
- "/bin/traceroute6 *": [ "exec" ],
- "/sbin/ip -4 neigh show": [ "exec" ],
- "/sbin/ip -4 route show table all": [ "exec" ],
- "/sbin/ip -6 neigh show": [ "exec" ],
- "/sbin/ip -6 route show table all": [ "exec" ],
- "/sbin/logread -e ^": [ "exec" ],
- "/usr/sbin/logread -e ^": [ "exec" ],
- "/usr/bin/ping *": [ "exec" ],
- "/usr/bin/ping6 *": [ "exec" ],
- "/usr/bin/traceroute *": [ "exec" ],
- "/usr/bin/traceroute6 *": [ "exec" ],
- "/usr/bin/nslookup *": [ "exec" ],
- "/usr/libexec/luci-peeraddr": [ "exec" ],
- "/usr/sbin/iptables --line-numbers -w -nvxL -t *": [ "exec" ],
- "/usr/sbin/ip6tables --line-numbers -w -nvxL -t *": [ "exec" ]
+ "/*": [ "list" ]
 },
 "ubus": {
- "file": [ "list", "read", "stat" ],
- "iwinfo": [ "assoclist", "freqlist", "txpowerlist", "countrylist" ],
- "luci": [ "getConntrackList", "getInitList", "getLocaltime", "getProcessList", "getRealtimeStats", "getTimezones", "getLEDs", "getUSBDevices", "getSwconfigFeatures", "getSwconfigPortState", "getBlockDevices", "getMountPoints" ],
- "luci-rpc": [ "getBoardJSON", "getDHCPLeases", "getDSLStatus", "getDUIDHints", "getHostHints", "getNetworkDevices", "getWirelessDevices" ],
- "network.interface": [ "dump" ],
- "network.rrdns": [ "lookup" ],
- "network": [ "get_proto_handlers" ],
- "system": [ "board", "info", "validate_firmware_image" ],
+ "file": [ "list" ],
 "uci": [ "changes", "get" ]
- },
- "uci": [ "*" ]
+ }
 },
 "write": {
 "cgi-io": [ "upload" ],
 "file": {
- "/etc/crontabs/root": [ "write" ],
- "/etc/dropbear/authorized_keys": [ "write" ],
- "/etc/init.d/firewall restart": [ "exec" ],
 "/etc/luci-uploads/*": [ "write" ],
- "/etc/rc.local": [ "write" ],
- "/etc/sysupgrade.conf": [ "write" ],
- "/sbin/block": [ "exec" ],
- "/sbin/firstboot": [ "exec" ],
- "/sbin/ifdown": [ "exec" ],
- "/sbin/ifup": [ "exec" ],
- "/sbin/reboot": [ "exec" ],
- "/sbin/sysupgrade": [ "exec" ],
- "/sbin/wifi": [ "exec" ],
- "/bin/kill": [ "exec" ],
- "/bin/tar": [ "exec" ],
- "/bin/umount": [ "exec" ],
- "/tmp/backup.tar.gz": [ "write" ],
- "/tmp/firmware.bin": [ "write" ],
- "/tmp/upload.ipk": [ "write" ],
- "/usr/sbin/iptables -Z": [ "exec" ],
- "/usr/sbin/ip6tables -Z": [ "exec" ]
 },
 "ubus": {
- "file": [ "write", "remove", "exec" ],
- "hostapd.*": [ "del_client" ],
- "iwinfo": [ "scan" ],
- "luci": [ "setInitAction", "setLocaltime", "setPassword", "setBlockDetect" ],
- "uci": [ "add", "apply", "confirm", "delete", "order", "set", "rename" ]
- },
- "uci": [ "*" ]
+ "file": [ "remove" ],
+ "uci": [ "add", "apply", "confirm", "delete", "order", "set" ]
+ }
 }
 },
- "luci-app-firewall": {
- "description": "Grant access to firewall procedures",
+
+ "luci-base-network-status": {
+ "description": "Grant access to network status information",
 "read": {
- "file": {
- "/etc/firewall.user": [ "read" ]
- },
 "ubus": {
- "luci": [ "getConntrackHelpers" ]
- },
- "uci": [ "firewall" ]
- },
- "write": {
- "file": {
- "/etc/firewall.user": [ "write" ],
- "/etc/init.d/firewall": [ "exec" ]
+ "luci-rpc": [ "getBoardJSON", "getHostHints", "getNetworkDevices", "getWirelessDevices" ],
+ "network": [ "get_proto_handlers" ],
+ "network.interface": [ "dump" ]
 },
- "uci": [ "firewall" ]
+ "uci": [ "luci", "network", "wireless" ]
 }
 }
 }
diff --git a/modules/luci-mod-network/root/usr/share/rpcd/acl.d/luci-mod-network.json b/modules/luci-mod-network/root/usr/share/rpcd/acl.d/luci-mod-network.json
new file mode 100644
index 000000000..d6c84bab2
--- /dev/null
+++ b/modules/luci-mod-network/root/usr/share/rpcd/acl.d/luci-mod-network.json
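Review bot: The new `luci-base-network-status` role, described as status information, grants read access to the whole `wireless` uci package via `"uci": [ "luci", "network", "wireless" ]`, which exposes every option of that configuration, including the per-interface credential options, to any session holding a status-only role. If the status views can work from what `luci-rpc getWirelessDevices` and `network.interface dump` already return, drop `wireless` from that list; if they cannot, the description should say that the role reveals wireless settings. The trimmed `luci-base` role also keeps `"/*": [ "list" ]`, directory listing of the entire filesystem, for every logged-in user; that is carried over rather than new, but it now sits in the role presumably attached to every account, so it deserves a deliberate decision. The hunk starts at line 8 of the file, so the role above it is not visible here.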
@@ -0,0 +1,65 @@
+{
+ "luci-mod-network-config": {
+ "description": "Grant access to network configuration",
+ "read": {
+ "cgi-io": [ "exec" ],
+ "file": {
+ "/usr/libexec/luci-peeraddr": [ "exec" ]
+ },
+ "ubus": {
+ "file": [ "exec" ],
+ "iwinfo": [ "assoclist", "countrylist", "freqlist", "txpowerlist" ],
+ "luci": [ "getSwconfigFeatures", "getSwconfigPortState" ]
+ },
+ "uci": [ "dhcp", "firewall", "network", "wireless" ]
+ },
+ "write": {
+ "cgi-io": [ "exec" ],
+ "file": {
+ "/sbin/ifup": [ "exec" ],
+ "/sbin/ifdown": [ "exec" ],
+ "/sbin/wifi": [ "exec" ]
+ },
+ "ubus": {
+ "file": [ "exec" ],
+ "hostapd.*": [ "del_client" ],
+ "iwinfo": [ "scan" ]
+ },
+ "uci": [ "dhcp", "firewall", "network", "wireless" ]
+ }
+ },
+
+ "luci-mod-network-dhcp": {
+ "description": "Grant access to DHCP configuration",
+ "read": {
+ "ubus": {
+ "luci-rpc": [ "getDHCPLeases", "getDUIDHints" ]
+ },
+ "uci": [ "dhcp" ]
+ },
+ "write": {
+ "uci": [ "dhcp" ]
+ }
+ },
+
+ "luci-mod-network-diagnostics": {
+ "description": "Grant access to network diagnostic tools",
+ "read": {
+ "file": {
+ "/bin/ping": [ "exec" ],
+ "/bin/ping6": [ "exec", "list" ],
+ "/bin/traceroute": [ "exec" ],
+ "/bin/traceroute6": [ "exec", "list" ],
+ "/usr/bin/nslookup": [ "exec" ],
+ "/usr/bin/ping": [ "exec" ],
+ "/usr/bin/ping6": [ "exec", "list" ],
+ "/usr/bin/traceroute": [ "exec" ],
+ "/usr/bin/traceroute6": [ "exec", "list" ]
+ },
+ "ubus": {
+ "file": [ "exec", "stat" ]
+ },
+ "uci": [ "luci" ]
+ }
+ }
+}
diff --git a/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json b/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json
new file mode 100644
index 000000000..989da497b
--- /dev/null
+++ b/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json
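Review bot: The diagnostics role uses bare executable keys such as `"/bin/ping": [ "exec" ]`, whereas the rules it replaces in luci-base.json were written as `"/bin/ping *"` with an explicit argument wildcard, and the flash role added in luci-mod-system.json in this same commit pins full command lines like `"/sbin/sysupgrade --test /tmp/firmware.bin"`. If rpcd matches the key against the full command line, the bare keys match only an argument-less invocation and the ping/traceroute/nslookup calls from the UI will be denied; if it also accepts a match on the executable alone, the bare form is fine but permits any arguments, which is no tighter than before. Either way the intended matching rule should be stated in the commit message so reviewers can judge keys like `/sbin/ifup`, `/sbin/ifdown` and `/sbin/wifi` in the config role's write block. The `"list"` permission is granted only for the IPv6 variants (`/bin/ping6`, `/bin/traceroute6` and their `/usr/bin` copies), presumably a presence probe; that asymmetry is easy to misread as an oversight and is worth a sentence of explanation.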
@@ -0,0 +1,132 @@
+{
+ "luci-mod-status-realtime": {
+ "description": "Grant access to realtime statistics",
+ "read": {
+ "ubus": {
+ "luci": [ "getConntrackList", "getRealtimeStats" ],
+ "network.rrdns": [ "lookup" ]
+ }
+ }
+ },
+
+ "luci-mod-status-processes": {
+ "description": "Grant access to process status",
+ "read": {
+ "ubus": {
+ "luci": [ "getProcessList" ]
+ }
+ },
+ "write": {
+ "file": {
+ "/bin/kill": [ "exec" ]
+ },
+ "ubus": {
+ "file": [ "exec" ]
+ }
+ }
+ },
+
+ "luci-mod-status-logs": {
+ "description": "Grant access to system logs",
+ "read": {
+ "cgi-io": [ "exec" ],
+ "file": {
+ "/bin/dmesg -r": [ "exec" ],
+ "/sbin/logread": [ "stat" ],
+ "/sbin/logread -e ^": [ "exec" ],
+ "/usr/sbin/logread": [ "stat" ],
+ "/usr/sbin/logread -e ^": [ "exec" ]
+ },
+ "ubus": {
+ "file": [ "stat" ]
+ }
+ }
+ },
+
+ "luci-mod-status-routes": {
+ "description": "Grant access to the system route status",
+ "read": {
+ "file": {
+ "/sbin/ip -[46] neigh show": [ "exec" ],
+ "/sbin/ip -[46] route show table all": [ "exec" ]
+ },
+ "ubus": {
+ "file": [ "exec" ]
+ }
+ }
+ },
+
+ "luci-mod-status-firewall": {
+ "description": "Grant access to firewall status",
+ "read": {
+ "cgi-io": [ "exec" ],
+ "file": {
+ "/usr/sbin/iptables --line-numbers -w -nvxL -t *": [ "exec" ],
+ "/usr/sbin/ip6tables --line-numbers -w -nvxL -t *": [ "exec" ],
+ "/usr/sbin/ip6tables": [ "list" ]
+ },
+ "ubus": {
+ "file": [ "stat" ]
+ }
+ },
+ "write": {
+ "cgi-io": [ "exec" ],
+ "file": {
+ "/etc/init.d/firewall restart": [ "exec" ],
+ "/usr/sbin/iptables -Z": [ "exec" ],
+ "/usr/sbin/ip6tables -Z": [ "exec" ]
+ },
+ "ubus": {
+ "file": [ "exec" ]
+ }
+ }
+ },
+
+ "luci-mod-status-index": {
+ "description": "Grant access to main status display",
+ "read": {
+ "file": {
+ "/proc/sys/net/netfilter/nf_conntrack_count": [ "read" ],
+ "/proc/sys/net/netfilter/nf_conntrack_max": [ "read" ],
+ "/usr/lib/lua/luci/version.lua": [ "read" ],
+ "/www/luci-static/resources/view/status/include": [ "list" ]
+ },
+ "ubus": {
+ "file": [ "list", "read" ],
+ "system": [ "board", "info" ]
+ }
+ }
+ },
+
+ "luci-mod-status-index-dhcp": {
+ "description": "Grant access to DHCP status display",
+ "read": {
+ "ubus": {
+ "luci-rpc": [ "getDHCPLeases" ]
+ }
+ }
+ },
+
+ "luci-mod-status-index-dsl": {
+ "description": "Grant access to DSL status display",
+ "read": {
+ "ubus": {
+ "luci-rpc": [ "getDSLStatus" ]
+ }
+ }
+ },
+
+ "luci-mod-status-index-wifi": {
+ "description": "Grant access to wireless status display",
+ "read": {
+ "ubus": {
+ "iwinfo": [ "assoclist" ]
+ }
+ },
+ "write": {
+ "ubus": {
+ "hostapd.*": [ "del_client" ]
+ }
+ }
+ },
+}
diff --git a/modules/luci-mod-system/root/usr/share/rpcd/acl.d/luci-mod-system.json b/modules/luci-mod-system/root/usr/share/rpcd/acl.d/luci-mod-system.json
new file mode 100644
index 000000000..ec03ce288
--- /dev/null
+++ b/modules/luci-mod-system/root/usr/share/rpcd/acl.d/luci-mod-system.json
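Review bot: The file-level permission used for stat probes is inconsistent within this commit: `luci-mod-status-logs` grants `"/sbin/logread": [ "stat" ]` and `"/usr/sbin/logread": [ "stat" ]`, while `luci-mod-status-firewall` in the same file grants `"/usr/sbin/ip6tables": [ "list" ]` for what looks like the same purpose, as do the fsck binaries and `/lib/upgrade/platform.sh` in luci-mod-system.json and the ping6/traceroute6 keys in luci-mod-network.json. Whichever permission name rpcd's file `stat` method checks against the path, one of the two groups is wrong, so pick a single name and verify with a stat call on a logread path before merging. The ubus-level grant is `"file": [ "stat" ]` in both status roles, which does not settle the question because the ubus method name and the per-path permission are checked separately. The `luci-mod-status-processes` write rule `"/bin/kill": [ "exec" ]` carries no argument pattern; if that is intentional because the UI passes arbitrary pids and signals, a note in the commit message would save the next reviewer from asking.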
@@ -0,0 +1,167 @@
+{
+ "luci-mod-system-config": {
+ "description": "Grant access to system configuration",
+ "read": {
+ "ubus": {
+ "luci": [ "getInitList", "getLEDs", "getLocaltime", "getTimezones", "getUSBDevices" ]
+ },
+ "uci": [ "luci", "system" ]
+ },
+ "write": {
+ "ubus": {
+ "luci": [ "setInitAction", "setLocaltime", "setPassword" ]
+ },
+ "uci": [ "luci", "system" ]
+ }
+ },
+
+ "luci-mod-system-ssh": {
+ "description": "Grant access to SSH configuration",
+ "read": {
+ "file": {
+ "/etc/dropbear/authorized_keys": [ "read" ]
+ },
+ "ubus": {
+ "file": [ "read" ]
+ },
+ "uci": [ "dropbear" ]
+ },
+ "write": {
+ "file": {
+ "/etc/dropbear/authorized_keys": [ "write" ]
+ },
+ "ubus": {
+ "file": [ "write" ],
+ "luci": [ "setInitAction", "setLocaltime" ]
+ },
+ "uci": [ "system" ]
+ }
+ },
+
+ "luci-mod-system-init": {
+ "description": "Grant access to startup configuration",
+ "read": {
+ "file": {
+ "/etc/rc.local": [ "read" ]
+ },
+ "ubus": {
+ "file": [ "read" ],
+ "luci": [ "getInitList" ]
+ }
+ },
+ "write": {
+ "file": {
+ "/etc/rc.local": [ "write" ]
+ },
+ "ubus": {
+ "file": [ "write" ],
+ "luci": [ "setInitAction" ]
+ }
+ }
+ },
+
+ "luci-mod-system-cron": {
+ "description": "Grant access to crontab configuration",
+ "read": {
+ "file": {
+ "/etc/crontabs/root": [ "read" ]
+ },
+ "ubus": {
+ "file": [ "read" ]
+ }
+ },
+ "write": {
+ "file": {
+ "/etc/crontabs/root": [ "write" ]
+ },
+ "ubus": {
+ "file": [ "write" ]
+ }
+ }
+ },
+
+ "luci-mod-system-mounts": {
+ "description": "Grant access to mount configuration",
+ "read": {
+ "file": {
+ "/etc/filesystems": [ "read" ],
+ "/proc/filesystems": [ "read" ],
+ "/usr/bin/btrfsck": [ "list" ],
+ "/usr/bin/ntfsfix": [ "list" ],
+ "/usr/sbin/e2fsck": [ "list" ],
+ "/usr/sbin/fsck.f2fs": [ "list" ],
+ "/usr/sbin/fsck.fat": [ "list" ]
+ },
+ "ubus": {
+ "file": [ "read", "stat" ],
+ "luci": [ "getBlockDevices", "getMountPoints" ]
+ },
+ "uci": [ "fstab" ]
+ },
+ "write": {
+ "file": {
+ "/etc/crontabs/root": [ "write" ],
+ "/bin/umount": [ "exec" ],
+ "/sbin/block": [ "exec" ]
+ },
+ "ubus": {
+ "file": [ "exec", "write" ],
+ "luci": [ "setBlockDetect" ]
+ },
+ "uci": [ "fstab" ]
+ }
+ },
+
+ "luci-mod-system-flash": {
+ "description": "Grant access to flash operations",
+ "read": {
+ "cgi-io": [ "backup", "download" ],
+ "file": {
+ "/dev/mtdblock[0-9]*": [ "read" ],
+ "/etc/sysupgrade.conf": [ "read" ],
+ "/lib/upgrade/platform.sh": [ "list" ],
+ "/proc/mounts": [ "read" ],
+ "/proc/mtd": [ "read" ],
+ "/proc/partitions": [ "read" ],
+ "/proc/sys/kernel/hostname": [ "read" ],
+ "/sbin/sysupgrade --list-backup": [ "exec" ]
+ },
+ "ubus": {
+ "file": [ "exec", "read", "stat" ]
+ }
+ },
+ "write": {
+ "cgi-io": [ "upload" ],
+ "file": {
+ "/bin/tar -tzf /tmp/backup.tar.gz": [ "exec" ],
+ "/etc/sysupgrade.conf": [ "write" ],
+ "/sbin/firstboot -r -y": [ "exec" ],
+ "/sbin/reboot": [ "exec" ],
+ "/sbin/sysupgrade --force /tmp/firmware.bin": [ "exec" ],
+ "/sbin/sysupgrade -n --force /tmp/firmware.bin": [ "exec" ],
+ "/sbin/sysupgrade -n /tmp/firmware.bin": [ "exec" ],
+ "/sbin/sysupgrade --restore-backup /tmp/backup.tar.gz": [ "exec" ],
+ "/sbin/sysupgrade --test /tmp/firmware.bin": [ "exec" ],
+ "/sbin/sysupgrade /tmp/firmware.bin": [ "exec" ],
+ "/tmp/backup.tar.gz": [ "write" ],
+ "/tmp/firmware.bin": [ "write" ]
+ },
+ "ubus": {
+ "file": [ "exec", "remove", "write" ],
+ "system": [ "validate_firmware_image" ]
+ }
+ }
+ },
+
+ "luci-mod-system-reboot": {
+ "description": "Allow rebooting the device",
+ "write": {
+ "file": {
+ "/sbin/reboot": [ "exec" ]
+ },
+ "ubus": {
+ "file": [ "exec" ]
+ }
+ }
+ }
+}
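Review bot: `luci-mod-system-mounts` grants `"/etc/crontabs/root": [ "write" ]` in its write block, which has nothing to do with mount configuration and looks copied from the `luci-mod-system-cron` role above it; since write access to root's crontab lets the holder of a mounts-only role run arbitrary commands as root on a schedule, that line should be removed from the mounts role. The `luci-mod-system-ssh` write block is likewise inconsistent with its read block: it grants `"luci": [ "setInitAction", "setLocaltime" ]` and `"uci": [ "system" ]`, while the read side covers `"uci": [ "dropbear" ]`; presumably the write side should be `"uci": [ "dropbear" ]` so the SSH settings can be saved, and `setLocaltime` belongs only in `luci-mod-system-config`. Both look like copy-and-paste slips, and ACL mistakes in the permissive direction are rarely reported by users, so they are worth fixing before this lands.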