From acc2c8d27781ce24e9d91353bfb211ff960e166c Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 15 Aug 2019 16:07:48 +0200
Subject: [PATCH] luci-base: use native ubus-rpc authorization protocol

Instead of granting complete ubus access under the active sysauth session, implement the ubus-rpc authorization mechanism and make the ubus proxy endpoint unauthenticated.

Signed-off-by: Jo-Philipp Wich
---
 .../luasrc/controller/admin/index.lua | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/modules/luci-base/luasrc/controller/admin/index.lua b/modules/luci-base/luasrc/controller/admin/index.lua
index 3f2b46587..b0427d6c0 100644
--- a/modules/luci-base/luasrc/controller/admin/index.lua
+++ b/modules/luci-base/luasrc/controller/admin/index.lua
@@ -96,6 +96,7 @@ function index()
 page.leaf = true
 
 page = entry({"admin", "ubus"}, call("action_ubus"), nil)
+ page.sysauth = false
 page.leaf = true
 
 -- Logout is last
@@ -165,6 +166,17 @@ local ubus_types = {
 "double"
 }
 
+local function ubus_access(sid, obj, fun)
+ local res, code = luci.util.ubus("session", "access", {
+ ubus_rpc_session = sid,
+ scope = "ubus",
+ object = obj,
+ ["function"] = fun
+ })
+
+ return (type(res) == "table" and res.access == true)
+end
+
 local function ubus_request(req)
 if type(req) ~= "table" or type(req.method) ~= "string" or type(req.params) ~= "table" or #req.params < 2 or req.jsonrpc ~= "2.0" or req.id == nil then
@@ -177,10 +189,14 @@ local function ubus_request(req)
 return ubus_reply(req.id, nil, -32602, "Invalid parameters")
 end
 
- if sid == "00000000000000000000000000000000" then
+ if sid == "00000000000000000000000000000000" and luci.dispatcher.context.authsession then
 sid = luci.dispatcher.context.authsession
 end
 
+ if not ubus_access(sid, obj, fun) then
+ return ubus_reply(req.id, nil, -32002, "Access denied")
+ end
+
 arg.ubus_rpc_session = sid
 
 local res, code = luci.util.ubus(obj, fun, arg)
-- 
2.25.1
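Review bot: `page.sysauth = false` on the `{"admin", "ubus"}` entry removes the dispatcher's login requirement for that endpoint, and the line gives no hint that authorization now lives elsewhere, so a later reader could reasonably "fix" it back or assume the proxy is unprotected. A one-line comment would pin the intent: `-- no sysauth: every proxied call is authorized per object/function against the ubus session ACL in ubus_request()`. The enclosing `index()` function starts and ends outside this hunk.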
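Review bot: In `ubus_access`, `code` from `local res, code = luci.util.ubus("session", "access", { ... })` is never read, so a failed access query (ubusd unreachable, unknown session) and an explicit ACL denial both collapse into `false`; failing closed is right, but the caller has no way to log the difference. Either drop the unused name, `local res = luci.util.ubus("session", "access", {`, or keep `code` and return it as a second value so `ubus_request` can log transport errors separately from denials. The function would also benefit from an LDoc header saying it returns a plain boolean and that any non-table or non-`true` reply is treated as denied. The `ubus_request` condition at the end of the hunk continues outside it.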
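Review bot: The new `if not ubus_access(sid, obj, fun)` check is the only gate in front of `luci.util.ubus(obj, fun, arg)`, which presumably issues the call over the web server's own ubus connection rather than one bound to the session, yet nothing records that the check must stay ahead of the call; suggest `-- authorization gate: luci.util.ubus() itself is not restricted by ubus_rpc_session, so this check must precede the proxied call`. The null-sid promotion also deserves a note: when `sid` is the all-zero session and `luci.dispatcher.context.authsession` is set, the request silently inherits the logged-in session's ACLs, and if `authsession` is populated from the sysauth cookie (not visible here) that promotion would apply to any cookie-bearing request, so confirm the dispatcher leaves it unset on `sysauth = false` routes or otherwise require the client to present its real session id. Where `sid`, `obj`, `fun` and `arg` are assigned and validated lies between the hunks, and `ubus_request` continues past the end of this one.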