webui: fix possible issues due to PAM misconfiguration

Check if UsePAMAuthentication is enabled on configured console in DIR, if not do not proceed with authentication. Fixes #1191: The web interface runs under any login and password
bareos · Sep 29, 2021 · 4378c52 · 4378c52
1 parent 855348e
commit 4378c52
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 14 deletions.
diff --git a/webui/config/autoload/global.php.in b/webui/config/autoload/global.php.in
@@ -5,7 +5,7 @@
  * bareos-webui - Bareos Web-Frontend
  *
  * @link      https://github.com/bareos/bareos for the canonical source repository
- * @copyright Copyright (C) 2013-2019 Bareos GmbH & Co. KG (http://www.bareos.org/)
+ * @copyright Copyright (C) 2013-2021 Bareos GmbH & Co. KG (http://www.bareos.org/)
  * @license   GNU Affero General Public License (http://www.gnu.org/licenses/)
  *
  * This program is free software: you can redistribute it and/or modify
@@ -225,17 +225,20 @@ function read_directors_ini($directors, $directors_ini)
 
          if(array_key_exists('pam_console_name', $instance) && isset($instance['pam_console_name'])) {
             $arr[key($directors)]['console_name'] = $instance['pam_console_name'];
+            $arr[key($directors)]['UsePamAuthentication'] = true;
          }
          else {
             $arr[key($directors)]['console_name'] = null;
          }
 
          if(array_key_exists('pam_console_password', $instance) && isset($instance['pam_console_password'])) {
             $arr[key($directors)]['password'] = $instance['pam_console_password'];
+            $arr[key($directors)]['UsePamAuthentication'] = true;
          }
          else {
             $arr[key($directors)]['password'] = null;
          }
+
       }
 
       next($directors);

diff --git a/webui/install/directors.ini.in b/webui/install/directors.ini.in
@@ -22,11 +22,11 @@ dirport	= @dirport@
 ; Set catalog to explicit value if you have multiple catalogs
 ;catalog = "MyCatalog"
 
-; Set the console name and password for a dedicated pam console;
-; the counterpart console-config in the director must have set
-; UsePamAuthentication = yes
-;pam_console_name = "admin"
-;pam_console_password = "admin"
+; Set the console name and password for a dedicated pam console.
+; Make sure, that "UsePamAuthentication = yes" is set in the
+; counterpart Director console configuration.
+;pam_console_name = "username"
+;pam_console_password = "password"
 
 ; TLS verify peer
 ; Possible values: true or false
@@ -71,6 +71,8 @@ enabled = "no"
 diraddress = "192.168.120.1"
 dirport = @dirport@
 ;catalog = "MyCatalog"
+;pam_console_name = "username"
+;pam_console_password = "password"
 ;tls_verify_peer = false
 ;server_can_do_tls = false
 ;server_requires_tls = false

diff --git a/webui/vendor/Bareos/library/Bareos/BSock/BareosBSock.php b/webui/vendor/Bareos/library/Bareos/BSock/BareosBSock.php
@@ -69,6 +69,7 @@ class BareosBSock implements BareosBSockInterface
       'port' => null,
       'password' => null,
       'console_name' => null,
+      'UsePamAuthentication' => false,
       'pam_password' => null,
       'pam_username' => null,
       'tls_verify_peer' => null,
@@ -565,6 +566,9 @@ private function connect()
       }
 
       if (!self::login()) {
+         if ($this->config['UsePamAuthentication'] === true) {
+            error_log("AUTH: failed to connect to PAM console '" . $this->config['console_name'] . "' on DIR");
+         }
          return false;
       }
 
@@ -573,15 +577,20 @@ private function connect()
          error_log($recv);
       }
 
-      if (!strncasecmp($recv, "1001", 4)) {
-          $pam_answer = "4002".chr(0x1e).$this->config['pam_username'].chr(0x1e).$this->config['pam_password'];
-          if (!self::send($pam_answer)) {
-            error_log("Send failed for pam credentials");
+      if ($this->config['UsePamAuthentication'] === true) {
+          if (!strncasecmp($recv, "1000", 4)) {
+            error_log("AUTH: '" . $this->config['console_name'] . "' is not a defined PAM console on DIR");
             return false;
-          }
-          $recv = self::receive();
-          if($this->config['debug']) {
-             error_log($recv);
+          } elseif (!strncasecmp($recv, "1001", 4)) {
+             $pam_answer = "4002".chr(0x1e).$this->config['pam_username'].chr(0x1e).$this->config['pam_password'];
+             if (!self::send($pam_answer)) {
+               error_log("Send failed for pam credentials");
+               return false;
+             }
+             $recv = self::receive();
+             if($this->config['debug']) {
+                error_log($recv);
+             }
           }
       }