Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit app password permissions #1995

Merged
merged 6 commits into from
Jun 29, 2024
Merged

Limit app password permissions #1995

merged 6 commits into from
Jun 29, 2024

Conversation

DL6ER
Copy link
Member

@DL6ER DL6ER commented Jun 14, 2024

What does this implement/fix?

Limit app password permissions by default. Add new webserver.api.app_sudo mode for users to remove this new limitation if they really need to

grafik

Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): N/A

By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repositories developmental branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions
  • I signed all my commits. Pi-hole requires signatures to verify authorship
  • I have read the above and my PR is ready for review.

@DL6ER
Limit app password permissions by default. Add new app_sudo mode for …
950fc60 
…users to remove this new limitation if they really need to

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER DL6ER requested a review from a team June 14, 2024 18:12
rdwebdesign
rdwebdesign previously requested changes Jun 14, 2024
View reviewed changes
src/api/config.c Outdated Show resolved Hide resolved
@DL6ER @rdwebdesign
Apply code review
d394808 
Co-authored-by: RD WebDesign <github@rdwebdesign.com.br>
Signed-off-by: Dominik <DL6ER@users.noreply.github.com>
@DL6ER
Copy link
Member Author

DL6ER commented Jun 15, 2024

grafik

@DL6ER
Improve config description of webserver.api.app_sudo
4f60134 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER DL6ER requested a review from rdwebdesign June 15, 2024 09:11
@yubiuser
Copy link
Member

yubiuser commented Jun 15, 2024
edited
Loading

I think I found a bug here.
Login via app password and try a config change. Won't work. Enabled app_sudo > config change will work. Disable app_sudo > Config change will still work

(Also the web interface won't show this active session as coming from an app password)

chrko@ThinkPad-X230:~$ curl -k -XPOST "https://pi.hole/api/auth" --data '{"password":"nDgnVeJVko5buF1HMA/zfZ7KbTDPAbOpv4zvlDkIq8I="}'
{
	"session":	{
		"valid":	true,
		"totp":	false,
		"sid":	"pNMUGNtG42aiQAIwtYT5ng=",
		"csrf":	"eKihaYo8VP9sNHfJLg6syA=",
		"validity":	300,
		"message":	"app-password correct"
	},
	"took":	1.1221466064453125
}chrko@ThinkPad-X230:~$ curl -k -X UT "https://pi.hole/api/config/dns/upstreams/1.1.1.1" --data '{"sid":"pNMUGNtG42aiQAIwtYT5ng="}'
{
	"error":	{
		"key":	"forbidden",
		"message":	"Unable to change configuration (read-only)",
		"hint":	"The current app session is not allowed to modify Pi-hole config settings (webserver.api.app_sudo is false)"
	},
	"took":	0.00031328201293945312
}chrko@ThinkPad-X230:~$ curl -k -X PUT "https://pi.hole/api/config/dns/upstreams/1.1.1.1" --data '{"sid":"pNMUGNtG42aiQAIwtYT5ng="}'
{
	"took":	0.050773859024047852
}chrko@ThinkPad-X230:~$ curl -k -X PUT "https://pi.hole/api/config/dns/upstreams/2.2.2.2" --data '{"sid":"pNMUGNtG42aiQAIwtYT5ng="}'
{
	"took":	0.057279586791992188

@DL6ER
Copy link
Member Author

DL6ER commented Jun 16, 2024

Ah, yes. Your case is special. The reason is that FTL restarted in between (to add the new DNS server) and sessions restoring from the database had a small copy-paste bug causing the app status not to be saved to the database and, hence, all app sessions backed up during a restart became full-blown sessions after the restart and the setting became ineffective by design for them.

@DL6ER DL6ER mentioned this pull request Jun 20, 2024
Merged
5 tasks
@DL6ER DL6ER dismissed rdwebdesign’s stale review June 25, 2024 13:01

Change addressed

@DL6ER DL6ER requested a review from a team June 25, 2024 13:01
yubiuser
yubiuser reviewed Jun 28, 2024
View reviewed changes
Copy link
Member

@yubiuser yubiuser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Somewhere in send_json_error() must be a type (tab instead of space) between message: and the actual message.

	"error":	{
		"key":	"forbidden",
		"message":	"Unable to change configuration (read-only)",
		"hint":	"The current app session is not allowed to modify Pi-hole config settings (webserver.api.app_sudo is false)"
	},

src/config/config.c Outdated Show resolved Hide resolved
@DL6ER
Copy link
Member Author

DL6ER commented Jun 29, 2024

send_json_error() uses cJSON to create the output. If you have webserver.api.prettyJSON = false, the output will be most compact, if the value is true, the expected separator between between keys and values is \t so just as in your example.

Have a look at

FTL/src/webserver/http-common.c

Lines 23 to 47 in 0367117

// Provides a compile-time flag for JSON formatting
// This should never be needed as all modern browsers
// typically contain a JSON explorer
// This string needs to be freed after using it
char *json_formatter(const cJSON *object)
{
if(config.webserver.api.prettyJSON.v.b)
{
/* Exemplary output:
{
"queries in database": 70,
"database filesize": 49152,
"SQLite version": "3.30.1"
}
*/
return cJSON_Print(object);
}
else
{
/* Exemplary output
{"queries in database":70,"database filesize":49152,"SQLite version":"3.30.1"}
*/
return cJSON_PrintUnformatted(object);
}
}

where you can also see that the expected (formatted) output has tabs as separators.

@yubiuser
Copy link
Member

I have webserver.api.prettyJSON = true and was only surprised of the different distances between key and value

yubiuser
yubiuser previously approved these changes Jun 29, 2024
View reviewed changes
@github-actions GitHub Actions
Copy link

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@DL6ER
Merge branch 'development-v6' into new/app_sudo
e0330a3 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@github-actions GitHub Actions
Copy link

Conflicts have been resolved.

@DL6ER DL6ER merged commit 76cfb5b into development-v6 Jun 29, 2024
17 checks passed
@DL6ER DL6ER deleted the new/app_sudo branch June 29, 2024 19:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yubiuser yubiuser yubiuser approved these changes

@rdwebdesign rdwebdesign Awaiting requested review from rdwebdesign

Assignees
No one assigned
Labels
Pi-hole v6.0 SECURITY
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@DL6ER @yubiuser @rdwebdesign