Item12952: Changes to configure security.

Defines a new configuration setting: ConfigureFilter. If configured, this takes precedence over the isAnAdmin test, otherwise all users in the AdminGroup can access the configuration. Add a log call so we know who is using configure. Move the old configure password under Security And Authentication tab as an expert parameter. Still need to figure out what to do with this. (Part 1. Also needs changes to ConfigurePlugin)
foswiki · Aug 30, 2014 · d84dff2 · d84dff2
1 parent 50de5bd
commit d84dff2
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 4 deletions.
diff --git a/core/lib/Foswiki.spec b/core/lib/Foswiki.spec
@@ -621,6 +621,18 @@ $Foswiki::cfg{FeatureAccess}{AllowRaw} = 'authenticated';
 # Note that this setting also controls access to the <tt>rdiff</tt> and <tt>compare</tt> scripts.
 $Foswiki::cfg{FeatureAccess}{AllowHistory} = 'authenticated';
 
+# **REGEX 80 **
+# FilterIn regex.  If this is configured, then users attempting to access configure
+# are validated using this regex.  If configured, it is applied as a replacement for
+# the isAdmin status of the user.  This can be used to:
+# <ul><li>Allow configure to be used only by a subset of Admins</li>
+# <li>Allow configure to be used by non-admin users.</li></ul>
+# Because users with access to configure can install software on the server and make
+# changes that are potentially difficult to recover from, it is recommended that configure
+# access be limited.   Example:  Limit Restrict configure to "JoeAdmin" and "BobAdmin":
+#   <tt>^(JoeAdmin|BobAdmin)$</tt>
+$Foswiki::cfg{ConfigureFilter} = '';
+
 #---++ Passwords
 # <p>The password manager handles the passwords database, and provides
 # password lookup, and optionally password change, services to the rest of
@@ -741,6 +753,12 @@ $Foswiki::cfg{Htpasswd}{AutoDetect} = $TRUE;
 #
 $Foswiki::cfg{Htpasswd}{BCryptCost} = 8;
 
+# **PASSWORD EXPERT**
+# SuperAdmin password. (Legacy configuration).  If set, this password permits use of the
+# "sudo" facility.  As it is a "shared password", this is no longer recommended per good
+# security practices.
+$Foswiki::cfg{Password} = '';
+
 #---++ Registration
 # <p>Registration is the process by which new users register themselves with
 # Foswiki.</p>
@@ -827,10 +845,6 @@ $Foswiki::cfg{Register}{UniqueEmail} = $FALSE;
 # <code>@(?!(example\.com|example\.net)$)</code>
 $Foswiki::cfg{Register}{EmailFilter} = '';
 
-# **PASSWORD H**
-# Configuration password (not prompted)
-$Foswiki::cfg{Password} = '';
-
 #---++ Environment
 # **PERL**
 # Array of the names of configuration items that are available when using %IF, %SEARCH

diff --git a/core/lib/Foswiki/UI/Configure.pm b/core/lib/Foswiki/UI/Configure.pm
@@ -39,6 +39,32 @@ sub configure {
     my $tmplData =
       $session->templates->readTemplate( 'configure', no_oops => 1 );
 
+    $session->logger->log(
+        {
+            level    => 'info',
+            action   => 'configure',
+            webTopic => $web . '.' . $topic,
+        }
+    );
+
+    if ( defined $Foswiki::cfg{ConfigureFilter}
+        && length( $Foswiki::cfg{ConfigureFilter} ) )
+    {
+        my $filter = eval { $Foswiki::cfg{ConfigureFilter} };
+        unless ( $session->{user} =~ m/$filter/ ) {
+            throw Foswiki::AccessControlException( 'VIEW',
+                $session->{user}, 'System', 'Configuration',
+                $Foswiki::Meta::reason );
+        }
+    }
+    else {
+        unless ( Foswiki::Func::isAnAdmin() ) {
+            throw Foswiki::AccessControlException( 'VIEW',
+                $session->{user}, 'System', 'Configuration',
+                $Foswiki::Meta::reason );
+        }
+    }
+
     if ( !defined($tmplData) ) {
 
         $tmplData =