- The privileged service will stop by itself if left idle for 5 minutes.
However, if someone is viewing a reloading page such as during manual software
update, the privileged service is never idle.
- When freedombox package is updated to a newer version, the old version of
privileged daemon could run for a long time but newer version of freedombox
service might be running by then. This would cause protocol mismatch
problems (unless backwards compatibility is provided which is unnecessarily
hard).
- Adding PartOf=.socket in .service file means that if .socket unit is stopped
or restarted, the .service unit will be stopped or restarted too. We still don't
want the dh_installsystemd script to be starting the .service unit, so this is
ideal.
Tests:
- During fresh install of freedombox package, freedombox-privileged.socket is
started but freedombox-privileged.service is not. It is started due to socket
activation (as seen in journal logs of privileged daemon).
- During removal of freedombox package, .service is stopped when .socket unit is
stopped.
- During reinstall of freedombox package, .service is restarted when .socket
unit is restarted.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
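The socket-activation and idle-exit behaviour the commit above describes, as an added example in Python (not FreedomBox's own privileged daemon code). It follows the systemd protocol from sd_listen_fds(3): the activated socket is inherited as file descriptor 3 and announced through LISTEN_PID/LISTEN_FDS; the 300-second idle default, the fallback socket path and the echo handler are assumptions made for the example.

```python
"""Socket-activated daemon skeleton with an idle timeout (added example)."""
import os
import select
import socket

SD_LISTEN_FDS_START = 3   # first fd passed by systemd, per sd_listen_fds(3)


def listen_fds(environ=None):
    """Return the file descriptors passed by systemd, or [] if not activated.

    Only trust LISTEN_FDS when LISTEN_PID names this very process, so a
    stale environment inherited by a child process is ignored.
    """
    environ = os.environ if environ is None else environ
    try:
        if int(environ.get('LISTEN_PID', '0')) != os.getpid():
            return []
        count = int(environ.get('LISTEN_FDS', '0'))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def get_listening_socket(environ=None, fallback_path=None):
    """Adopt the first activated fd; otherwise bind our own socket (dev mode)."""
    fds = listen_fds(environ)
    if fds:
        return socket.socket(fileno=fds[0])   # already bound and listening
    if fallback_path is None:
        raise RuntimeError('not socket-activated and no fallback path given')
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(fallback_path)
    sock.listen()
    return sock


def serve(sock, handle, idle_seconds=300.0):
    """Accept connections until `idle_seconds` pass without one.

    Returns the number of connections handled.  Every accepted connection
    resets the idle clock, which is exactly why a page that keeps reloading
    keeps the daemon alive: it is never idle.  When the timeout expires we
    simply return; systemd starts us again from the .socket unit on demand.
    """
    handled = 0
    while True:
        ready, _, _ = select.select([sock], [], [], idle_seconds)
        if not ready:
            return handled
        conn, _ = sock.accept()
        with conn:
            handle(conn)
        handled += 1


def echo_handler(conn):
    """Constructed request handler: reply with the request, upper-cased."""
    conn.sendall(conn.recv(4096).upper())
```

Under systemd the unit pair would carry the socket in the .socket unit and PartOf=freedombox-privileged.socket in the .service unit; outside systemd `listen_fds()` returns an empty list and the fallback path is used, so the same code serves both cases.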
Tests:
- Running make install installs to /usr/lib/freedombox. Non-privileged users
don't find it in the path. root user does.
- New service file contains path to /usr/lib/freedombox/. Actions work as
expected.
- Build and install the debian package. Privileged daemon runs as expected and
first setup steps complete as expected. First wizard works as expected.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- /usr/share/plinth/actions/actions is not installed.
- Code check works on plinth directory and container script only
- Provisioning a container does not add sudo configuration for actions. 'fbx'
user can perform 'sudo' operations.
- Make install does not install actions based sudo configuration. Admin users
can perform sudo operations.
- Exporting backup archive works. Validating a transmission directory works.
Some of the privileged operations work.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
- Files from web service are uploaded to /var/tmp/ directory. They need to be
accessible to the privileged daemon so that it can move them to a target
location. So, if /var/tmp is isolated for privileged daemon, it can't see those
files as a separate tmpfs filesystem is mounted on that folder.
- Ideally, we should have PrivateTmp=yes and
JoinsNamespaceOf=freedombox-privileged.service set on plinth.service. However,
this requires further changes to the way developer execution is done from the
command line. This will be done in the future.
Tests:
- Uploading a backup works.
- Uploading a kiwix archive works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Daemon starts up with uid/gid set to root.
- Daemon does not run by default if a request is not received. Socket file is
created with 666 permissions and root:root ownership. Socket file parent directory
is created with 755 permissions and root:root ownership.
- Daemon starts if a request is sent to the socket using nc.
- If there is an exception during daemon startup, then restart is done every
second to 5 seconds, forever.
- Build a Debian package.
- Install it on fresh trixie Debian VM. Ensure that setup works and privileged
daemon is auto-enabled.
- Start a fresh trixie Debian VM and install freedombox from Debian repos.
Upgrade to the built package. Privileged daemon works and is auto-enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
Closes: #2256.
Based on a suggestion by Andrew Betts on the mailing list.
https://alioth-lists.debian.net/pipermail/freedombox-discuss/2022-August/009553.html
Sunil:
- Consolidate changes from various apps into a centralized place in
freedombox.conf applicable for all directory listings.
Tests:
- In Sharing, TiddlyWiki and FeatherWiki apps, directory listing when viewed
with Firefox Developer Tools Mobile view set to a Galaxy S20+ looks reasonable.
Without the patch the page is very zoomed out.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Don't redirect to '/index.html' when Apache Default is set as the home page.
This allows having other files such as 'index.php' as index file in
/var/www/html/.
- If the home page is currently set to 'Apache Default' upgrade the
configuration.
Tests:
- With Home page set to 'Apache Default' apply the patches. Config setup is
re-run. The configuration file becomes empty but is still present. Correct
value is shown in the UI. /var/www/html/index.html is still shown as the home
page.
- With Home page set to 'Bepasty' apply the patches. Config setup is re-run.
The configuration file is not modified. Bepasty is still shown as the home page.
Correct value is shown in the UI.
- With Home page not modified apply the patches. Config setup is re-run. The
configuration file is created. FreedomBox is the home page. Correct value is
shown in the UI.
- On fresh machine with patches applied, perform first run. The configuration
file is not created. FreedomBox is the home page. Correct value is shown in
the UI.
- Changing home page to Bepasty or 'Apache Default' works. Changing back to
'FreedomBox Service (Plinth)' also works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This allows TLS configuration to be set up for domains that haven't yet
successfully obtained certificates.
Tests:
- Apply the patch on a production configuration and ensure that LE certificates
are properly used.
- With full patchset applied, on a test container, add a domain and ensure that
domain has its own site configuration and uses the snake-oil certificate.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- After a domain is added and a TLS configuration for the site is created,
creating each of the 4 files leads to customization for that domain. In case of
last two files, only the domain is affected.
- /etc/apache2/includes/all-domains-include-freedombox.conf
- /etc/apache2/includes/all-domains-include.conf
- /etc/apache2/includes/$domain-include-freedombox.conf
- /etc/apache2/includes/$domain-include.conf
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- From the default 90 seconds (system-wide). This is better when systems are
slow during bootup or have really slow disk IO.
Tests:
- When running 'systemctl start plinth' add a sleep of 120 seconds in main
before notification. The service stays in 'activating' state for 2 minutes but
then succeeds and becomes active.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Run as a Type=notify service with systemd service.
- Notify systemd just before blocking in the main thread.
- This allows systemd to catch any errors with startup of the service and log
appropriately. This also allows clients depending on making DBus calls etc. to
know that service is ready to serve requests.
- This will increase the boot time slightly as systemd will wait for the
FreedomBox service to become active.
Tests:
- Raise an exception in main() during startup. Run 'systemctl start plinth'. No
error is thrown without this patch. With the patch, an error is shown.
- After 'systemctl start plinth', service shows in 'active' state.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
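The Type=notify handshake described in the commit above, as an added Python example that is not the FreedomBox service's own code. It implements the client side of sd_notify(3) directly over the unix datagram socket named by NOTIFY_SOCKET, and orders start-up so that READY=1 is sent only after initialization succeeded; the `initialize`/`serve_forever` callables and the STATUS text are assumptions for the example.

```python
"""Minimal sd_notify(3) client for a Type=notify service (added example)."""
import os
import socket


def sd_notify(state, environ=None):
    """Send one notification message to systemd.

    Returns True when a message was sent and False when NOTIFY_SOCKET is not
    set (for example when the daemon is run by hand during development), so
    callers never need to special-case running outside systemd.  A leading
    '@' denotes an abstract-namespace socket, as in the C implementation.
    """
    environ = os.environ if environ is None else environ
    path = environ.get('NOTIFY_SOCKET')
    if not path:
        return False
    if path.startswith('@'):
        path = '\0' + path[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.connect(path)
        sock.send(state.encode())
    return True


def start_service(initialize, serve_forever, environ=None):
    """Run the lifecycle in the order a Type=notify unit expects.

    An exception raised by `initialize()` propagates before READY=1 is ever
    sent, so systemd reports the unit as failed instead of leaving it in
    'active' with a dead daemon behind it; clients that wait on the unit
    (DBus callers, After= dependencies) only proceed once READY=1 arrived.
    """
    initialize()
    sd_notify('READY=1\nSTATUS=Serving requests', environ)
    serve_forever()
```

If start-up legitimately takes longer than the unit's TimeoutStartSec, the service must either finish initialization within that window or raise the timeout in the unit file; a READY=1 sent early, before the daemon can actually serve, defeats the purpose of the handshake.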
- Needed for many inline SVG images included by Bootstrap 5 using data: URLs.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Without this change when opening popups, Firefox throws the error 'Blocked
Page' under certain conditions.
- Complete a comment that was seemingly left unfinished.
Tests:
- With the changes installed with 'make build install', opening popups with
<a target="_blank"></a> works without 'Blocked page' error.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
1. Set temporary directory to /var/tmp
2. Drop MemoryFileUploadHandler
Tests:
- During upload notice that files are in /var/tmp/systemd-private... folder
instead of /var/tmp.
- Upload a file but rename with another extension instead of moving to
destination through changes in code. Notice that the file is available in
/var/tmp/systemd-private... directory after the upload operation is completed.
Stop the service and notice that the file has been deleted. Folder is empty
after the service starts again.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Add PrivateTmp=yes in plinth.service file]
[sunil: Update comments]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Closes: #2325.
We have recently started allowing all the users to login to FreedomBox console
instead of just the administrators accounts. Remove the message that only
administrators can login.
Tests:
- Run ./setup.py install and then notice that login message got updated in a
vagrant machine.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2264.
- Set apache-auth fail2ban jail's backend to read from journal instead of
syslog. Tweak the regex matching to deal with the custom format.
- Adjust the apache error log format to remove unnecessary timestamp. It causes
problems for fail2ban regex matching.
- There was an error in the earlier patch that made apache log into journald.
Configuration for TLS sites still contained ErrorLog and CustomLog directives.
Remove them.
- There is also a file with CustomLog directive that logs for other vhosts.
- For some reason, for custom error log format, %T - thread ID did not work and
had to switch to %{g}T global thread ID.
- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.
Tests:
- In a container, apply the patch, run setup and start FreedomBox. Apache app is
updated to new version. Apache web server is reloaded. The
other-vhosts-access-log configuration is disabled.
- On a production machine, removing the directives in
freedombox-tls-site-macro.conf and disabling other-vhosts-access-log stopped the
logging into /var/log/apache2/ directory.
- Use TTRSS /tt-rss-app/ URL and type wrong credentials for 10 times. The client
is banned for 10 minutes. Repeat after unban. Client is banned again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
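What the apache-auth jail in the commit above does, modelled as an added Python example rather than FreedomBox's actual fail2ban filter: a failregex run over journal lines, a per-client sliding window, and a ban once maxretry failures fall within findtime. The sample lines are constructed for the example in the shape of Apache's AH01617 (password mismatch) and AH01618 (user not found) errors; the timestamp layout, the regex and the `failure_line` helper are assumptions and not the project's configuration.

```python
"""fail2ban-style detection over Apache auth failures in the journal (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed failregex: client IPv4 (Apache appends ':port') followed by one
# of mod_auth_basic's failure codes.  No capture of the user name is needed.
FAILREGEX = re.compile(
    r'\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] AH0161[78]: user \S+')


def parse_line(line):
    """Split a constructed '<iso-timestamp> <message>' line into (epoch, message)."""
    stamp, _, message = line.partition(' ')
    return datetime.fromisoformat(stamp).timestamp(), message


class AuthJail:
    """Sliding-window counter: ban a host after `maxretry` failures in `findtime`."""

    def __init__(self, maxretry=10, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self._failures = defaultdict(deque)   # host -> timestamps in window
        self.banned = {}                      # host -> unban time

    def is_banned(self, host, now):
        until = self.banned.get(host)
        if until is None:
            return False
        if now >= until:                      # ban expired: forget it
            del self.banned[host]
            return False
        return True

    def observe(self, now, message):
        """Feed one journal message; return the host if it triggered a ban."""
        match = FAILREGEX.search(message)
        if match is None:
            return None
        host = match.group('host')
        if self.is_banned(host, now):
            return None
        window = self._failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                  # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[host] = now + self.bantime
            window.clear()
            return host
        return None


def scan(lines, jail=None):
    """Run the jail over journal lines; return the hosts banned, in order."""
    jail = jail or AuthJail()
    bans = []
    for line in lines:
        now, message = parse_line(line)
        host = jail.observe(now, message)
        if host:
            bans.append(host)
    return bans


def failure_line(stamp, host, user='alice', path='/tt-rss-app/'):
    """Constructed sample line shaped like an Apache AH01617 error in the journal."""
    return (f'{stamp} apache2[2137]: [auth_basic:error] [pid 2137:tid 140] '
            f'[client {host}:51234] AH01617: user {user}: authentication failure '
            f'for "{path}": Password Mismatch')


def sample_stamp(seconds):
    """Constructed ISO timestamp `seconds` after 10:00:00 on a fixed day."""
    return f'2024-05-01T10:{seconds // 60:02d}:{seconds % 60:02d}'


# Constructed sample: ten failures from one client in three minutes, three
# from another, plus an unrelated notice that the regex must ignore.
SAMPLE_LINES = sorted(
    [failure_line(sample_stamp(i * 20), '203.0.113.5') for i in range(10)]
    + [failure_line(sample_stamp(30 + i * 60), '198.51.100.7', user='bob')
       for i in range(3)]
    + ['2024-05-01T10:01:00 apache2[2137]: [mpm_event:notice] AH00489: '
       'Apache/2.4.62 (Debian) configured -- resuming normal operations'])
```

Matching only on the client address and the AH0161x code keeps the regex independent of the user name and of the path being probed, which is what lets one jail cover every application behind Apache's auth; anything that changes the error-log format (as the timestamp removal in the commit did) has to be re-checked against this regex.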
Currently privileged actions use stdout for returning the results. If any of the
sub-processes accidentally output to stdout, decoding errors occur. Prevent this
by opening a pipe to the privileged action and returning the output in that
pipe.
Tests:
- Run unit tests
- Functional tests for other apps pass
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
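The pipe-based result channel the commit above describes, as an added Python example (not FreedomBox's own action runner). The parent creates a pipe, hands the write end to the child as an extra inherited descriptor whose number is passed in argv, and decodes only what arrives on that pipe; the child here is a stand-in action written inline for the example, and it deliberately prints to stdout to show that such output no longer corrupts the result.

```python
"""Return a privileged action's result over a dedicated pipe, not stdout (added example)."""
import json
import os
import subprocess
import sys
import threading

# Stand-in action: prints to stdout *and* writes its real result, as JSON,
# to the inherited file descriptor named in argv[1].
CHILD_SOURCE = r'''
import json, os, sys
result_fd = int(sys.argv[1])
print("stray output from a sub-process")          # would break a stdout protocol
result = {"status": "ok", "args": sys.argv[2:]}
with os.fdopen(result_fd, "w") as out:
    json.dump(result, out)
'''


def _drain(fd, sink):
    """Read the pipe to EOF on a helper thread; a large result cannot deadlock us."""
    with os.fdopen(fd, 'r') as reader:
        sink.append(reader.read())


def run_privileged_action(args):
    """Run the stand-in action; return (decoded_result, stray_stdout)."""
    read_fd, write_fd = os.pipe()
    sink = []
    reader = threading.Thread(target=_drain, args=(read_fd, sink))
    reader.start()
    try:
        proc = subprocess.run(
            [sys.executable, '-c', CHILD_SOURCE, str(write_fd), *args],
            pass_fds=(write_fd,),        # only this fd crosses into the child
            capture_output=True, text=True)
    finally:
        os.close(write_fd)               # parent's copy; reader now sees EOF
    reader.join()
    if proc.returncode != 0:
        raise RuntimeError(f'action failed ({proc.returncode}): {proc.stderr}')
    try:
        result = json.loads(sink[0])
    except json.JSONDecodeError as error:
        raise RuntimeError(f'malformed result on pipe: {sink[0]!r}') from error
    return result, proc.stdout
```

Closing the parent's write end immediately after the child starts is what makes the reader thread terminate: once the child exits, no writer remains and `read()` returns. The child's stdout is still captured, so stray output can be logged rather than silently discarded.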
- Redirect with separate identifiers so that they can be retrieved separately.
- Enable virtual host log format that includes the name of the domain accessed so
that the information is preserved.
- There is no need to increment the apache app's version number as it has been
incremented earlier in the patch series (for this release).
Tests:
- In a fresh container, setup succeeds. Default apache sites 000-default.conf
and default-ssl.conf are disabled. freedombox-default.conf is enabled. Apache
access logs and error logs are sent to systemd journal.
- Without the patch applied, create a container. Run setup and access Plinth
interface. Apply the patches. Apache setup is run. a2query -s default and
a2query -s 000-default show that sites are not enabled. a2query -s
freedombox-default shows that site is enabled. Apache access logs and error logs
are sent to systemd journal.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This is useful mostly for future when we may switch from /plinth to /freedombox.
Tests:
- Accessing /freedombox/app/transmission works. Although redirects generated by
the FreedomBox web service still redirect to /plinth. For example, redirection
after logout and auto-redirection to login page.
- Accessing pages of FreedomBox works as usual on /plinth and /freedombox.
Content-Security-Policy is set.
- Accessing /foo/plinth/app/transmission throws 404.
- Accessing http:// redirects to https:// for /plinth and /freedombox.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- It is simpler to keep all the configuration in a single file. Any overrides
are expected to be done by writing additional configuration files with higher
priority.
- /etc/apache2/site-available/ is typically reserved for virtual host
configurations. Redirections and proxying for all virtual hosts rather belongs
in /etc/apache2/conf-available/.
- This loses the option of disabling plinth-ssl.conf when needed. In the
initial days of enabling TLS, there was a need felt to keep the option of easily
disabling redirection to TLS in case there is a need for it. However, TLS
certificate setup is mature and the limitations are well understood. There is no
longer a need for it. It still may be possible to avoid the redirection with an
additional configuration.
Tests:
- In a fresh container, setup succeeds. Redirecting to https:// for /plinth
works. FreedomBox web interface is available.
- Without the patch applied, create a container. Run setup and access Plinth
interface. Apply the patches. Apache setup is run. a2query -s plinth and a2query
-s plinth-ssl show that sites are not enabled. Redirecting to https:// for
/plinth works. FreedomBox web interface is available.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Fixes: #2174.
When HSTS is set, there is no way to override the certificate warnings. LE does
not yet issue certificates for .onion domains. Certificate warnings are
certainly shown there. Although browsers don't accept HSTS headers when the
certificate is invalid, it is best to be safe and not set them for .onion domains.
Tests:
- Without the patch, on normal and .onion domains, HSTS is set only when using
HTTPS.
- With the patch, HSTS is set only when using HTTPS but only for normal domains
but not .onion domains.
- The patch works when tested with .onion and .ONION hosts.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Without the patch, run torsocks curl -kv http://DOMAIN.onion. Observe that
redirection to https happens.
- Without the patch, run curl -kv http://localhost. Observe that redirection to
https happens.
- With the patch, run torsocks curl -kv http://DOMAIN.onion. Observe that
redirection to https does not happen.
- With the patch, run curl -kv http://localhost. Observe that redirection to
https happens.
[sunil: Perform case insensitive match]
[sunil: Remove capture of domain name match]
[sunil: Strictly check that domain ends with .onion]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tested-by: Sunil Mohan Adapa <sunil@medhas.org>
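The decision made by the two commits above (no HSTS for .onion hosts, no http-to-https redirect for .onion hosts), as an added Python model that is not the project's Apache configuration. It exists to pin down the three reviewer tweaks: the match is case-insensitive, uses no capture group, and requires the host to end in `.onion` rather than merely contain it. Stripping a `:port` and a trailing dot from the Host value before matching is an assumption made for the example.

```python
"""Exempt .onion hosts from the HTTPS redirect and from HSTS (added example)."""
import re

# Strict suffix: 'onion.example.org' and 'x.onion.example.org' must not match.
ONION_SUFFIX = re.compile(r'\.onion$', re.IGNORECASE)


def hostname_of(host_header):
    """Drop an optional :port and a trailing dot from a Host header value."""
    return host_header.partition(':')[0].rstrip('.')


def is_onion_host(host_header):
    return ONION_SUFFIX.search(hostname_of(host_header)) is not None


def response_policy(scheme, host_header):
    """Return (redirect_to_https, send_hsts) for one request.

    Plain-HTTP requests are redirected to HTTPS unless the host is a .onion
    address; HSTS is sent only over HTTPS and never for a .onion host, since
    (as the commit notes) those have no CA-issued certificate and a pinned
    HSTS policy would leave the browser unable to bypass the warning.
    """
    onion = is_onion_host(host_header)
    redirect = scheme == 'http' and not onion
    hsts = scheme == 'https' and not onion
    return redirect, hsts
```

The adversarial hostnames in the checks below are the ones a loose `onion` substring match would get wrong: a clearnet domain that merely contains the label must keep both the redirect and HSTS.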
This is now the preferred location in Debian. See:
https://lintian.debian.org/tags/systemd-service-in-odd-location
https://bugs.debian.org/992465
https://bugs.debian.org/987989
d70caa69c6
https://lists.debian.org/debian-devel/2021/08/msg00275.html
Tests:
- Lintian no longer shows errors:
E: freedombox: systemd-service-in-odd-location lib/.../calibre-server-freedombox.service
- Comparing the old .deb and newly generated .deb with these changes. All the
systemd files show that they are moved from /lib to /usr/lib/systemd.
- After upgrading the deb from older version to a version with these changes,
services installed by the package are available (tested after restart with
wordpress and calibre). Services tweaked by the package have the changed
configuration reflected as shown by systemctl show
{service-name}.service (tested after restart with quassel).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- TLS configuration as recommended by Mozilla's SSL Configuration Generator with
'Intermediate' configuration. See:
https://wiki.mozilla.org/Security/Server_Side_TLS
- Disable ciphers that are weak or without forward secrecy.
- Allow client to choose ciphers as they will know best if they have support for
hardware-accelerated AES.
- TLS session tickets (RFC 5077) require restarting web server with an
appropriate frequency. See:
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
- Send OCSP responses to the client and reduce their round trips.
- No need to increment apache app version number as it has already been
incremented in this release cycle for enabling HTTP/2 module.
Tests:
- FreedomBox interface is reachable with the changes.
- ssllabs.com gives an A+ rating on a server with these changes.
- All ciphers are shown as secure.
- Forward Secrecy rating is ROBUST.
- OCSP stapling shows as enabled.
- Client support seems to match the expected after dropping <= TLS1.1.
- Session resumption with tickets shows as disabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- We have switched to mod_ssl long time ago and are no longer using mod_gnutls.
- It is additional effort to configure and test mod_gnutls.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- As recommended by Mozilla SSL Configuration Generator for 'intermediate'
compatibility configuration: https://ssl-config.mozilla.org/
- As recommended by IETF RFC 7525:
https://datatracker.ietf.org/doc/html/rfc7525#section-3.1.1
- As recommended by NIST: Guidelines for the Selection, Configuration, and Use
of Transport Layer Security (TLS) Implementations:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
- The following are now the client version requirements for FreedomBox web
interface: Firefox: 27, Android: 4.4.2, Chrome: 31, Edge: 12, IE: 11 (Win7),
Java: 8u31, OpenSSL: 1.0.1, Opera: 20, Safari: 9
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Drop SSLv2, it is not valid anymore as per Apache manual]
[sunil: More detailed commit message and comments]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Since security app manages fail2ban, it makes sense to set the default
configuration in this app.
Tests performed:
- `./setup.py install` installs the file in the correct place.
- Only 10 incorrect SSH login attempts as noticed in the fail2ban log will
result in a ban.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- This allows disabling syslog daemons.
- Fall back to using file based monitoring for Apache.
Tests performed:
- Before and after the patch, connecting via SSH and typing in incorrect
password leads to an entry in fail2ban.log. 10 incorrect attempts result in a 10
minute ban.
- Before and after the patch, typing in incorrect password for radicale leads to
an entry in fail2ban.log. 10 incorrect attempts result in a 10 minute ban.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Allow plinth service to restart an unlimited number of times, with 5
seconds delay.
Test:
- After introducing an error in plinth startup code, the service is
restarted every 5 seconds without limit.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests performed:
- Lato fonts are properly displayed.
- No <frame>, <iframe>, <video>, <audio>, <track>, <embed>, <object>, <applet>
tags are used in FreedomBox source code.
- Checked that there are no images referring to external URLs. Most of the
common images such as apps lists, system list, networks and manual show images
properly.
- Styles specified in main.css work as well as page specific styles such as in
networks. Firefox developer console shows inline styles loaded.
- JSXC is able to make XHR requests to ejabberd.
- Able to launch <a> links with target="_blank" such as in /help/support/.
- When visiting external websites, such as in donate page, Referer header is not
sent. When visiting page within FreedomBox interface, Referer header is sent
with path.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
data/var/log and data/var/run were not being used for a while.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Installing an empty file in /etc/ that is meant to be modified is an unnecessary
invitation to upgrade issues.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- The configuration module defaults to values in the production configuration
file.
- If the file is found, it is read and the read values overwrite the defaults.
If the file is not found, no error is raised. This allows us to not ship the
configuration file. User may create the configuration if they want to change the
defaults. This eases upgrades when configuration is edited. This also makes
FreedomBox robust to deployments where /etc/ is not populated by default such as
OSTree. It is also a good practice for daemons as followed by the likes of
systemd.
- If the file is partly populated, only the values read override the defaults
and the remaining values don't change. This allows the user to write a simpler
configuration file.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
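The loading rules in the commit above (defaults first, file optional, partial files override only the keys they contain), as an added Python example that is not the FreedomBox configuration module. The section and key names in `DEFAULTS` are hypothetical stand-ins for the production values. One choice beyond the commit text: a key or section that is not in the defaults is rejected, so a misspelled option fails loudly instead of silently leaving the default in force.

```python
"""Optional configuration file layered over built-in defaults (added example)."""
import configparser

# Hypothetical defaults standing in for the production configuration.
DEFAULTS = {
    'Path': {'data_dir': '/var/lib/freedombox', 'server_dir': '/plinth'},
    'Network': {'host': '127.0.0.1', 'port': '8000'},
}


def load_config(path, defaults=DEFAULTS):
    """Return defaults overridden by whatever `path` contains, if it exists.

    A missing file is not an error: configparser.read() simply reports that
    nothing was read and the defaults are returned unchanged, which is what
    lets the package ship no file under /etc/ at all.
    """
    config = {section: dict(values) for section, values in defaults.items()}
    parser = configparser.ConfigParser()
    parser.optionxform = str            # keep key case exactly as written
    if not parser.read(path):           # [] when the file does not exist
        return config
    for section in parser.sections():
        if section not in config:
            raise ValueError(f'unknown section [{section}] in {path}')
        for key, value in parser.items(section):
            if key not in config[section]:
                raise ValueError(f'unknown key {key!r} in [{section}] of {path}')
            config[section][key] = value
    return config
```

Because `config` is a fresh copy per call, repeated loads (for example after the administrator edits the file) never accumulate state in `DEFAULTS`.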
- When there are multiple binary packages, a common practice is to install into
debian/tmp using the Makefile and then use dh_install and .install files. This
splits the contents installed into debian/tmp to various package directories
debian/{package}.
- Install documentation into /usr/share/freedombox instead of
/usr/share/doc/freedombox. Then create a link to /usr/share/doc/freedombox/.
This approach is recommended by the Debian Policy Manual in section 12.3[1]
because it should be safe for the administrator to delete files in
/usr/share/doc without breaking the application functionality. The doc-base
must refer to the documentation in /usr/share/doc as per doc-base documentation.
Links
1) https://www.debian.org/doc/debian-policy/ch-docs.html#additional-documentation
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
None of the files are installed into /etc/. They will unconditionally override
older versions of themselves. They are not likely to cause any configuration
file prompts.
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- The code was never used by end users.
- The code was expected to be used long back but the plans didn't materialize.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Without this fix, the daemon plinth will not be able to acquire a DBus connection
and listen for the FreedomBox DBus service when running as the plinth user.
This is the case for production FreedomBox machines.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- There is no compelling reason to make the file configurable. Simplifies
configuration file if we make it relative to FreedomBox data directory.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
- SVG is not one of the formats for which compress is turned on automatically by
Apache configuration.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
The changes made to freedombox.conf in moving the apache homepage configuration
to an external file freedombox-apache-homepage.conf will cause a conffile prompt
when upgrading to freedombox 19.2. Reverting changes in freedombox.conf to avoid
this.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
As confirmed by multiple users, Coquelicot is no longer useful for uploading
files, which makes it useless as a file sharing application.
We might enable it in the future if it's actively maintained once again, or find
an alternative.
- Skip functional tests
- Disable modules-enabled file
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>