-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Web UI Authentication #220
Comments
screenshots are an interesting way for cross repo issue linking ;-) |
We can write and read from the PHP session. While When we're thinking about a shared secret this should go more into the direction of a signature so that the actual shared secret is never exposed to the admin. Or change this for for each update / from time to time to ensure that ex-administrators (e.g. fired employees) cannot access the web UI in the future. |
yes |
I like that |
But we still require a login form for direct access to the updater. Imagine the instance is already in maintenance mode and you cannot login but want to access the updater. |
great idea. Let's use the session :-) |
@DeepDiver1975 good point. but where doe the user get the hash from? still config.php ? |
@karlitschek under these conditions (no info in session and broken OC) we can generate some hash on our own and put it in a file that user can read via FTP |
Hmm. This is tricky because this file shouldn't be accessible from the browser which is hard to guarantee if it is not guaranteed if .htaccess works. |
@karlitschek it can be a *.php file with content as follows
in this case it doesn't matter whether anyone can access this file or not. |
@LukasReschke Hi, would you be able to help during this week to get this done? Sorry for the late request. @karlitschek would this work? |
Can't promise anything. There is other security related stuff that needs to be done as well. Also I consider 1 week before feature freeze a rather VERY short timeline. But don't get me started ranting here 😉 I can try to take a look and do my best but can't promise anything. |
That said, if the other stuff works and this is just the authentication: Should probably be doable. Will try to spend some time tomorrow… |
@cmonteroluque I discussed with @LukasReschke and @DeepDiver1975. We will figure something out here. |
OK thanks. Looking for tomorrow func freeze |
Ok. Have been thinking some more. Together with owncloud/core#22238 I'm working on a cookieless solution. As the updater basically does remote execution by design this needs to have proper authentication. PR coming later… |
This is done with owncloud/core#22255, #237 and #233 The authentication is implemented in the following way:
I did it implement that way because a leaked token would be very bad. It basically allows remote code execution. The way it is implemented now we don't have to worry about CSRF alike attacks plus old tokens do invalidate. @VicDeo I'd love to make the expiration a tad smaller than 24 hours. Do we have any expectations for how long the updater app is expected to need for an upgrade? |
Plus, without a token by default we keep the risk of abuse way smaller. 😄 |
@LukasReschke I suppose cron jobs are being skipped in maintenance mode, aren't they? I think we can limit it to 2 hours and strongly advice not to use Web UI for big installations. |
- Reset tokens after 2 hours as discussed at owncloud/updater#220 (comment) - Used BCrypt for storing the password in the config.php. This makes it substantially harder in case of a leakage of the token to bruteforce it. In the future we can evaluate also an HMAC including the IP. That's a bit tricker though at the moment considering that we support reverse proxies. Didn't feel brave enough to touch that dragon now as well ;)
Access to the web based updater has to be protected.
Idea:
Store some user password hash in a file within the updater and display a login form to the user when accessing the updater.
To think about:
smooth integration with owncloud core. we want the admin in the admin section to simply click a link
which opens the updater in a new tab/window.
In an ideal world no login form is displayed since we already know that the admin is authorized.
The text was updated successfully, but these errors were encountered: