nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-06-10 11:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: Recommend/notify about restricted logins

Browse Source 
- Do stricter matches when editing configuration file.  Earlier
  mechanism would match comments etc.

- Move action methods to module core from views.

- During first boot, notify users that console login is restricted and
  that they can changed that from security settings.

- Recommend enabling conosle login restrictions.  Add message about why
  console restrictions are important.

- Show title in security module.
This commit is contained in:
Sunil Mohan Adapa 2016-07-09 22:34:12 +05:30
parent 82c27aabf3
commit 2afae80dd8
No known key found for this signature in database
GPG Key ID: 36C361440C9BC971
6 changed files with 47 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
actions/security
View File

@ -49,7 +49,7 @@ def subcommand_enable_restricted_access(_):
lines = conffile.readlines()
for line in lines:
if ACCESS_CONF_SNIPPET in line:
if ACCESS_CONF_SNIPPET == line.strip():
return
with open(ACCESS_CONF_FILE, 'a') as conffile:
@ -63,7 +63,7 @@ def subcommand_disable_restricted_access(_):
with open(ACCESS_CONF_FILE, 'w') as conffile:
for line in lines:
if ACCESS_CONF_SNIPPET not in line:
if ACCESS_CONF_SNIPPET != line.strip():
conffile.write(line)

12
plinth/modules/first_boot/forms.py
View File

@ -33,7 +33,7 @@ from plinth import actions
from plinth import cfg
from plinth.errors import ActionError, DomainRegistrationError
from plinth.modules.pagekite.utils import PREDEFINED_SERVICES, run
from plinth.modules.security.views import set_restricted_access
from plinth.modules.security import set_restricted_access
from plinth.modules.users.forms import GROUP_CHOICES
from plinth.utils import format_lazy
@ -78,7 +78,15 @@ class State1Form(auth.forms.UserCreationForm):
self.cleaned_data['password1'])
# Restrict console login to users in admin or sudo group
set_restricted_access(True)
try:
set_restricted_access(True)
message = _('Console login access restricted to users in '
'"admin" group. This can be configured in '
'security settings.')
messages.success(self.request, message)
except Exception:
messages.error(self.request,
_('Failed to restrict console access.'))
return user

26
plinth/modules/security/__init__.py
View File

@ -22,6 +22,7 @@ Plinth module for security configuration
from django.utils.translation import ugettext_lazy as _
from plinth import cfg
from plinth import actions
version = 1
@ -33,7 +34,32 @@ depends = ['system']
title = _('Security')
ACCESS_CONF_FILE = '/etc/security/access.conf'
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
def init():
"""Initialize the module"""
menu = cfg.main_menu.get('system:index')
menu.add_urlname(title, 'glyphicon-lock', 'security:index')
def get_restricted_access_enabled():
"""Return whether restricted access is enabled"""
with open(ACCESS_CONF_FILE, 'r') as conffile:
lines = conffile.readlines()
for line in lines:
if ACCESS_CONF_SNIPPET in line:
return True
return False
def set_restricted_access(enabled):
"""Enable or disable restricted access"""
action = 'disable-restricted-access'
if enabled:
action = 'enable-restricted-access'
actions.superuser_run('security', [action])

7
plinth/modules/security/forms.py
View File

@ -26,7 +26,8 @@ from django.utils.translation import ugettext_lazy as _
class SecurityForm(forms.Form):
"""Security configuration form"""
restricted_access = forms.BooleanField(
label=_('Restrict console logins'), required=False,
label=_('Restrict console logins (recommended)'), required=False,
help_text=_('When this option is enabled, only users in the "admin" '
'group will be able to login through an attached '
'keyboard/monitor or serial console.'))
'group will be able to log in to console or via SSH. '
'Console users may be able to access some services '
'without further authorization.'))

4
plinth/modules/security/templates/security.html
View File

@ -1,4 +1,4 @@
{% extends "base.html" %}
{% extends "simple_service.html" %}
{% comment %}
#
# This file is part of Plinth.
@ -21,7 +21,7 @@
{% load bootstrap %}
{% load i18n %}
{% block content %}
{% block configuration %}
<form class="form" method="post">
{% csrf_token %}

30
plinth/modules/security/views.py
View File

@ -24,11 +24,7 @@ from django.template.response import TemplateResponse
from django.utils.translation import ugettext as _
from .forms import SecurityForm
from plinth import actions
ACCESS_CONF_FILE = '/etc/security/access.conf'
ACCESS_CONF_SNIPPET = '-:ALL EXCEPT root fbx (admin) (sudo):ALL'
from plinth.modules import security
def index(request):
@ -53,14 +49,14 @@ def index(request):
def get_status(request):
"""Return the current status"""
return {'restricted_access': get_restricted_access_enabled()}
return {'restricted_access': security.get_restricted_access_enabled()}
def _apply_changes(request, old_status, new_status):
"""Apply the form changes"""
if old_status['restricted_access'] != new_status['restricted_access']:
try:
set_restricted_access(new_status['restricted_access'])
security.set_restricted_access(new_status['restricted_access'])
except Exception as exception:
messages.error(
request,
@ -68,23 +64,3 @@ def _apply_changes(request, old_status, new_status):
.format(exception=exception))
else:
messages.success(request, _('Updated security configuration'))
def get_restricted_access_enabled():
"""Return whether restricted access is enabled"""
with open(ACCESS_CONF_FILE, 'r') as conffile:
lines = conffile.readlines()
for line in lines:
if ACCESS_CONF_SNIPPET in line:
return True
return False
def set_restricted_access(enabled):
"""Enable or disable restricted access"""
action = 'disable-restricted-access'
if enabled:
action = 'enable-restricted-access'
actions.superuser_run('security', [action])