This repository has been archived by the owner on Sep 27, 2020. It is now read-only.

secure recalbox-manager #63

Open
nadenislamarre opened this issue Apr 19, 2016 · 5 comments
nadenislamarre commented Apr 19, 2016

Starting with recalbox 4.1, recalbox.conf has a variable: system.security.enabled.
If this is one, the recalbox manager (among others) must not be open.

It must be secured.

  1. at minimum by a basic http password
  2. if possible, via ssl while the aim is to secure from network attacks

The login is what you want, but the password to use is the one provided by /etc/init.d/S35rootpasswd.
It's in this starting script that you must generate a password file in the temporary location.

I don't manage to do it by myself.
I don't know Django and I don't see in recalbox the same configuration files that I found in the Django documentation (like httpd.conf for example).

The current script content is:


```sh
# /etc/shadow is dynamically generated from the password found in /boot/recalbox-boot.conf
# the password is visible only in the es interface
# or to people having already a ssh password via the command : /recalbox/scripts/recalbox-config.sh setRootPassword xyz
MASTERPASSWD=$(/recalbox/scripts/recalbox-config.sh getRootPassword)
if test -z "${MASTERPASSWD}"
then
    # generate a new one
    # hum, in case of error, what to do ? nothing.
    /recalbox/scripts/recalbox-config.sh setRootPassword
    MASTERPASSWD=$(/recalbox/scripts/recalbox-config.sh getRootPassword)
fi

# secure ssh
# write the /etc/shadow file
SHADOWPASSWD=$(openssl passwd -1 "${MASTERPASSWD}")
echo "root:${SHADOWPASSWD}:::::::" > /run/recalbox.shadow

# secure samba
mkdir -p "/var/lib/samba/private"
(echo "${MASTERPASSWD}"; echo "${MASTERPASSWD}") | smbpasswd -a root

# 
```
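
A minimal sketch of the first request in the post above (a basic HTTP password checked against a file generated at boot in a temporary location), added here as an example and not code from the recalbox-manager project. The file format, the PBKDF2 parameters and the names `write_password_file`, `check_password` and `BasicAuthMiddleware` are assumptions; Basic credentials are only base64-encoded on the wire, which is why the post also asks for SSL.

```python
import base64, hashlib, hmac, os

# Assumed work factor. Basic auth is re-checked on every request, so tune for the Pi.
PBKDF2_ROUNDS = 100_000

def write_password_file(path, password):
    """Boot-time step: store a salt and PBKDF2 hash, never the clear password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Create the file owner-only; fchmod also covers a pre-existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{salt.hex()}:{digest.hex()}\n")

def check_password(path, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    with open(path) as fh:
        salt_hex, digest_hex = fh.read().strip().split(":")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

class BasicAuthMiddleware:
    """WSGI wrapper: any login name is accepted, only the password is checked."""
    def __init__(self, app, password_file):
        self.app, self.password_file = app, password_file

    def __call__(self, environ, start_response):
        if self._authorized(environ.get("HTTP_AUTHORIZATION", "")):
            return self.app(environ, start_response)
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="recalbox-manager"'),
            ("Content-Type", "text/plain")])
        return [b"Authentication required\n"]

    def _authorized(self, header):
        scheme, _, token = header.partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # malformed base64 or bytes
            return False
        _login, sep, password = decoded.partition(":")
        return bool(sep) and check_password(self.password_file, password)
```

In this sketch the boot script would pass the value of `MASTERPASSWD` to `write_password_file`, and the Django WSGI application object would be wrapped in `BasicAuthMiddleware`.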

sveetch commented Apr 19, 2016

If you want security with the manager, Recalbox will have to ship and launch a real webserver.

But remember, even something lightweight like lighttpd or nginx has a big cost on the few rpi resources. It's the reason why actually the Django instance is served by its "development server", which is not a real webserver.

We may talk more about this.

@nadenislamarre

Hum, the number of served pages remains limited.
Do you advise to disable the manager when recalbox is running on an open network? Or do you have another idea?

sveetch commented Apr 20, 2016

There are no other choices: either we have a real webserver in front of Django or we shut it down on open networks.

Sure, I could code something tricky, but if we are talking about real security that can be trusted, this is huge work to accomplish and maintain, too much work time for me.

Or maybe the Recalbox system could include something like ipban rules to reject all requests to the Django server port except some IPs from a whitelist to be manually configured in some recalbox config file.

nadenislamarre commented Apr 20, 2016 via email

sveetch commented Apr 20, 2016

It's not very complex but not the easiest.

You know webservers are not application servers; you need something between the webserver and the webapp. For Apache or lighttpd it's the "Fastcgi" protocol, for more "recent" webservers it's wscgi; this last solution could be considered easier and lighter. This is also a more natural way with Django.
