This is a regression from commit 9b6774f279e2c8af588609c2413aa9804fd48cfa. When
change the view to use AppView, the condition to check for non-btrfs filesystems
and show an unsupported message instead of the actual view was accidentally
removed. Restore the check and show a different view when on non-btrfs
filesystems.
Fixes: #2268.
Tests:
- On non-btrfs filesystem, snapshots view is shown as expected.
- On ext4 filesystem, a message that snapshots are not supported is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
MiniDLNA's TCP service has been incorrectly marked as needing to be protected
from local users. This leads to service not being accessible from local network.
Fix this by removing local protection.
As reported on https://discuss.freedombox.org/t/minidlna-on-22-26/2386
Tests:
- With MiniDLNA installed, apply the changes and restart service. 'nft list
ruleset ip', 'nft list ruleset ip6' and 'cat /etc/firewalld/direct.xml' confirm
that port 8200 is no longer protected as a local service.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2276.
Functionality all over the system keeps failing due this approach. The latest is
changing hostname in ejabberd Mnesia database fails (#2276). Further, users
connecting FreedomBox to a monitor can't use a GUI.
Tests:
- Without patches, enable restricted access. Apply patches and setup.py install.
Security app is updated. Restricted access is disabled and
/etc/security/access.d/{50freedombox.conf, 10freedombox-security.conf,
10freedombox-performance.conf} are removed. It is possible to login into
non-admin account via SSH.
- On a fresh install, the configuration files are not found.
- Security page does not show 'restrict console logins' option.
- Updating security app setting works. Message 'Configuration updated.' is
shown.
- First boot succeeds. Restrict console login is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Disable the checkbox. Non-admin user who is not part freedombox-ssh group
fails to login. Admin user can login.
- Enable the checkbox and both non-admin user and admin user can login via SSH.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Remove restricted console logins. Try to login via SSH with non-admin and note
that it fails. sudo into the user succeeds.
- Add a user to freedombox-ssh group from Users & Groups app. Login with SSH
succeeds.
- Login with admin user succeeds with and without adding to freedombox-ssh
group.
- On a fresh install, non-admin users are not restricted.
- On an upgrade from a version with the patch, non-admin users are restricted.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- When app is upgraded from older version, nft rules are inserted.
- When app is enabled/disabled, nft rules are added/removed.
- When app is uninstalled, rules are removed
- Inserted rules are after the basic setup rules inserted firewall app.
- Trying to connect to local daemon from fbx user fails. Trying to access as
root user or apache succeeds. Test connecting with 'nc localhost <port>'.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Automatically handle a setup of the component getting added to an existing
app.
Tests:
- Run unit tests
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- On a fresh container, run FreedomBox service. Notice that firewall app setup
succeeds. Base setup rules are inserted into the nftables as checked with 'nft
list ruleset ip' and 'nft list ruleset ipv6'.
- When firewalld is restarted or reloaded, the rules are still present.
- When machine is restarted, the rules are still present.
- Without the patch, setup a container. Then apply patches and restart
FreedomBox service. App setup runs again however, duplicate rules are listed in
nftables as checked with 'nft list ruleset ip' and 'nft list ruleset ipv6'.
- Increment setup version of the firewall app manually and repeat the test.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
When the security access restrictions are removed from /etc/security/access.d,
we don't want users to bypass Apache access control and directly access the app.
Tests:
- Without the patch, the uwsgi socket file is with permissions 666 in
/run/uwsgi/apps/searx/socket. nc -U <socket> succeeds as non-admin user on the
system.
- Apply the patch and restart FreedomBox. searx set is run and uwsgi service is
restarted and permissions are 660 on /run/uwsgi/apps/searx/socket. nc -U
<socket> fails as non-admin user on the system.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Upgrade existing config.
Tests:
- Install ejabberd. Configuration is set as expected and ejabberd is
running.
- Upgrade from existing ejabberd install. Configuration is set as
expected and ejabberd is running.
- Send a file between two users in dino-im and Conversations app.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
I tested this patch on a production server. When trying to authenticate with
Thunderbird, the program will try to log in three times, then disconnect from
the server. This means that one failed login attempt will be logged as four
attempts. For this reason, set maxretry to be 30.
The IP block only affects dovecot, other services are still reachable.
Signed-off-by: nbenedek <contact@nbenedek.me>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Add bind9, minetest-server, minidlna.
This matches the set of apps that implement force_upgrade.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #2134.
Tests:
1. In testing container, install Minetest and change the
configuration.
2. Manually downgrade minetest-server and minetest-data to a slightly
older version (5.5.0+dfsg+~1.9.0mt4+dfsg-1).
3. In /var/lib/dpkg/status, change the hash for
/etc/minetest/minetest.conf.
4. Run "apt update".
- minetest-server package is upgraded.
- Configuration changes are kept.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Originally there was a separate module for udiskie, which later got
merged into storage module. Since storage is an essential module,
skip_recommends has no effect. (Recommends are never installed for
essential modules.)
Closes: #2203.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #2295.
_assert_managed_path() expects pathlib.Path. Due to a typo, a string is being
sent instead.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
These modifications are copied after the wordpress
public access configurator.
Signed-off-by: nbenedek <contact@nbenedek.me>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Skip running unattended-upgrade due to it getting stuck in endless
loop. See #2266.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Fixes: #2294.
Tests:
- In stable container, when frequent feature updates option is
enabled, /etc/apt/sources.list.d/freedombox2.list exists as expected.
- Matrix Synapse can be installed.
- Shaarli can be installed.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- This changes sets the default dpkg vendor as FreedomBox. 'Debian' is still the
parent of the vendor.
- This results in popcon setting the Vendor as FreedomBox. This allows measuring
the popular of FreedomBox distribution itself as against other Debian
derivatives in the section 'Statistics per distributions reporting to Debian' of
https://popcon.debian.org
Tests:
- Run `sudo ./setup.py install` and freedombox service. Privacy app will be
setup for the first time. In /etc/dpkg/origins/ the file default is a symlink
pointing to /etc/dpkg/origins/fredombox. Running 'sudo sh +x
/etc/cron.daily/popularity' runs successfully. Remove files
/var/lib/popularity-contest/lastsub /var/log/popularity-contest* if necessary.
The file /etc/log/popularity-contest shows VENDOR:FreedomBox in the first line.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Keep the description about app generic
- Remove enable/disable option
- Create a booleanfield to turn on/off popcon
- Don't re-enable popcon during an update
Tests:
- When enabling/disabling the option, the `"PARTICIPATE"` value in
`/etc/popularity-contest.conf` is changed to yes/no as expected. For reference
see `/var/lib/dpkg/info/popularity-contest.templates`
- When popcon option is enabled, running sudo sh -x
/etc/cron.daily/popularity-context shows that execution was successful and data
was submitted. Remove files /var/log/popularity-contest* and
/var/lib/popularity-contest/lastsub if necessary. Gpg is used and encrypted data
is what was submitted.
- When popcon option is disabled, running sudo sh -x
/etc/cron.daily/popularity-context shows that execution stopped because the
option is disabled.
Signed-off-by: nbenedek <contact@nbenedek.me>
[sunil: Add a notification to tell users about privacy app]
[sunil: Correct the URL to /sys]
[sunil: Minor code styling changes and updates to description, icon]
[sunil: Ensure that popcon works with encryption]
[sunil: Write configuration to a separate file]
[sunil: Use Shellvars lens instead of Php lns]
[sunil: Add functional tests]
[sunil: Backup/restore the configuration file]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Test:
- Setup Matrix on a VPS with a FQDN and a valid LE certificate, then add these
configs to fail2ban.
- On a production server apply the changes of MR !2296
- Setup the fail2ban filter and jail, then restart fail2ban
- Trying to log in unsuccessfully from FluffyChat leads to a 10 min ban
Result:
`sudo fail2ban-client status matrix-synapse-auth-freedombox` returns the
following output, but the server actually remains accessible in every way.
```
Status for the jail: matrix-synapse-auth-freedombox
|- Filter
| |- Currently failed: 1
| |- Total failed: 11
| `- Journal matches:
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: MY IP
```
Signed-off-by: nbenedek <contact@nbenedek.me>
- Recommendation to use 'sysout' as log target in order to log to systemd
journal comes from the fail2ban.service file.
Tests:
- Install the changes and restart fail2ban. Notice that journalctl shows new
log lines.
- Logged to /var/log/fail2ban.log has stopped.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Name of the jail has to be less than 29 characters for an iptables/nft chain
to be created.
- Make the regular expressions more specific to avoid matching incorrect fields
for <HOST>.
- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.
Tests:
- Run setup.py, remove the old jail and filter files. Restart fail2ban and make
10 incorrect login attempts. The IP address gets banned for 10 minutes.
- Not run: Build new freedombox package and upgrade from older version to see
that old configuration files have been removed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2264.
- Set apache-auth fail2ban jail's backend to read from journal instead of
syslog. Tweak the regex matching to deal with the custom format.
- Adjust the apache error log format to remove unnecessary timestamp. It causes
problems for fail2ban regex matching.
- There was an error in the earlier patch the make apache log into journald.
Configuration for TLS sites still contained ErrorLog and CustomLog directives.
Remove them.
- There is also file with CustomLog directive that logs for other vhosts.
- For some reason, for custom error log format, %T - thread ID did not work and
had to switch to %{g}T global thread ID.
- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.
Tests:
- In a container, apply the patch, run setup and start FreedomBox. Apache app is
updated to new version. Apache web server is reloaded. The
other-vhosts-access-log configuration is disabled.
- On a production machine, remove the directives in
freedombox-tls-site-macro.conf and disabling other-vhosts-access-log stopped the
logging into /var/log/apache2/ directory.
- Use TTRSS /tt-rss-app/ URL and type wrong credentials for 10 times. The client
is banned for 10 minutes. Repeat after unban. Client is banned again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- There hasn't been a need for this for a long time. non-systemd environments
haven't been worked on or tested for in a long time.
- Keep the is_systemd_running() method for future use.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Initial implementation of home page setting used the file
/etc/apache2/conf-available/freedombox.conf and edited the file. Since this file
is shipped by the freedombox package, it lead to package getting stuck with
conf-file prompt. FreedomBox v19.10 first fix this by carefully undoing the
edits in this file and making them elsewhere.
- This fix is present in Debian present old stable (with backports) and current
stable, the migration is not needed in almost all the of cases.
Tests:
- First setup of FreedomBox works.
- Setting home page works are expected.
- Functional tests for config module works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- As of bind 9.16, the option to enable DNSSEC 'dnssec-enable' is obsolete and
has no effect[1]. The option 'dnssec-validation' controls DNSSEC validation and
is set to 'auto' by default. 'auto' means that DNSSEC validation is enabled and
default trust anchor is used for DNS root zone. DNSSEC signatures are also
passed onto a client whenever available. Current stable, Debian Buster, has
version 9.16[3].
- As of bind 9.18, the option to enable DNSSEC 'dnssec-enable' is not recognized
and causes the daemon to fail to start[2]. Debian next, Debian Bookworm, has
version 9.18[3]. Therefore, in testing and unstable, bind fails to start of
installation from FreedomBox.
- There is no use-case for changing the current default behavior.
Links:
1)
https://bind9.readthedocs.io/en/v9_16_32/reference.html#dnssec-validation-option
2) https://bind9.readthedocs.io/en/v9_18_6/reference.html
3) https://tracker.debian.org/pkg/bind9
Tests:
- Run functional and unit tests.
- Option to enable/disable DNSSEC is removed.
- When bind is installed on testing without the patch, it fails to start. When
the patch is applied, bind will be upgraded, the dnssec-enable option is removed
from the configuration file /etc/bind/named.conf.options and bind is running.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- DONE: Check if package manager is busy works
- DONE: Power app shows status in app/restart/shutdown pages
- DONE: Upgrades app shows in app page and first boot wizard page
- DONE: When attempting force upgrade, busy state results in a back-off
- DONE: An app's packages can be installed/uninstalled successfully
- DONE: apt update is run before install
- DONE: If network is not available during package install, error message is shown
- DONE: Filtering packages with configuration file prompts works. Tested with
firewall 1.0.3 to 1.2.1.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- DONE: Functional tests works
- DONE: Initial setup works
- DONE: Borg repository is created at /var/lib/freedombox/borgbackup
- DONE: With regular and with encrypted repository
- DONE: Creating a repository works
- DONE: Getting information works. When adding a existing location, incorrect
password leads to error in the add form.
- DONE: Listing archives works
- DONE: Creating/restoring an archive works
- DONE: Backup manifest is created in /var/lib/plinth/backups-manifests/
- DONE: Including an app that dumps/restores its settings works
- DONE: Exporting an archive as tar works
- DONE: Exporting a large archive yields reasonable download speeds. 31
MB/s. 1GB file in about 30 seconds.
- DONE: Restoring from an uploaded archive works
- DONE: Listing the apps inside an archive works before restore
- DONE: Errors during operations are re-raises as simpler errors
- DONE: Get info
- DONE: List archives
- DONE: Delete archive (not handled)
- FAIL: Export tar
- DONE: Init repo
- DONE: Get archive apps (not handled)
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- DONE: Unit tests work
- DONE: Transmission
- DONE: Enabling/disabling an app with a daemon works: transmission
- DONE: Showing the status of whether the app is enabled with daemon
is-enabled works.
- DONE: A message is shown if app is enabled and service is not running
- DONE: Service is stopped and re-started during backup
- DONE: Adding user to share group during initial setup restarts the service
- Not tested: Enabling/disabling a service with alias works (no such apps)
- DONE: Restarting/try-restarting a service works
- DONE: Masking/unmasking works
- DONE: rsyslog is masked after initial setup
- DONE: systemd-journald is try-restarted during initial setup
- DONE: Avahi, email, security initial setup works
- DONE: Fail2ban is unmasked and enabled
- DONE: Enabling/disabling fail2ban is security app works
- DONE: Enabling/disabling password authentication in SSH works
- ?? Let's encrypt
- Services are try-restarted during certificate setup, obtain, renew
- Not tested: upgrade pagekite from version 1
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work (failing already)
- DONE: Showing front page shortcuts according to user groups works
- DONE: Only user who is party of syncthing group is shown syncthing
- DONE: Admin users are always shown all the apps
- DONE: Syncthing:
- Not tested: When upgrading from version 2 or below, renaming group works
- DONE: Syncthing is added to freedombox-share group
- DONE: Initial setup of users app works
- DONE: freedombox-share group is created
- DONE: Retriving last admin user works
- DONE: Last admin is not allowed to delete account
- DONE: Creating a new user works
- DONE: Password is set properly (user can login with 'su - user' after)
- DONE: Incorrect confirmation password leads to error
- DONE: Adding the user to groups works (edit page shows correct list of groups)
- DONE: Editing a user works
- DONE: User is renamed properly
- DONE: Removing user from groups works
- DONE: Adding user to new groups works
- DONE: Providing incorrect auth password results in error message
- DONE: Enabling/disabling account work (confirm with 'su - user'). See #2277.
- DONE: Updating user password works
- DONE: New password is set (confirm with 'su - user')
- DONE: Providing incorrect auth password results in error message
- DONE: Initial user account creation works
- DONE: User account can be used (confirm with 'su - user')
- DONE: User is added to admin group
- DONE: Exception while getting SSH keys results in showing empty field
- DONE: Removing a user works
- DONE: Command provided in a message in users_firstboot.html works for
deleting users.
- DONE: If an admin users exists when running first wizard, list of admin users
is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- SKIPPED: Functional tests work
- DONE: Initial setup works
- DONE: Root partition is expanded when space is available
- DONE: When there is free space for root partition it shows up in the interface
- DONE: Expand partition from user interface works
- DONE: Getting storage usage information works
- DONE: Disks and free space shown in app page
- DONE: Showing share mounts in samba works
- DONE: Backups add repository form shows disk choices
- DONE: Samba shows proper list of mounted shares and unavailable shares
- DONE: Directory validator works
- DONE: In deluge and transmission
- DONE: Auto-mounting a device works
- DONE: Ejecting a mounted disk from UI works
- DONE: Error are graciously handled
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work (uninstall fails)
- Initial setup works
- File /etc/default/samba is updated
- Dump and restore share during backup/restore works
- Setup run successfully during restore
- /var/lib/plinth/backups-data/samba-shares-dump.conf
- Adding/deleting a share works
- Not tested: Add a share on ntfs or vfat file system works
- Showing list of shares in app view works
- Getting list of samba users in app view works
- Handling errors during add/delete share works
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Mounting an SSH repository works
- If an known error is thrown during mounting, a simplified error is shown.
- Unmounting an SSH repository works
- If an known error is thrown during mounting, a simplified error is shown.
- Correct status of whether the repository is mounted is shown.
- If an known error is thrown during mounting, a simplified error is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work
- Dump/restore of database works
- Initial setup works
- MySQL Database is created
- Configuration options are set
- OSM is enabled by default
- User who installed the app becomes admin
- Setting configuration works
- Enabling OSM
- Setting admin user
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work (when libpam-tmpdir is removed)
- Backup and restore of database works
- Initial setup work
- Configuration file is created
- Database is created
- Website is accessible
- Enabling/disabling public access works
- Configuration file created/deleted
- App page show proper status
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work (uninstall test fails to no backup component,
intermittent failure)
- Showing status information works
- In the main app page for server and clients
- When showing server details
- When showing client details
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
