This is a regression from commit 9b6774f279e2c8af588609c2413aa9804fd48cfa. When
change the view to use AppView, the condition to check for non-btrfs filesystems
and show an unsupported message instead of the actual view was accidentally
removed. Restore the check and show a different view when on non-btrfs
filesystems.
Fixes: #2268.
Tests:
- On non-btrfs filesystem, snapshots view is shown as expected.
- On ext4 filesystem, a message that snapshots are not supported is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
MiniDLNA's TCP service has been incorrectly marked as needing to be protected
from local users. This leads to service not being accessible from local network.
Fix this by removing local protection.
As reported on https://discuss.freedombox.org/t/minidlna-on-22-26/2386
Tests:
- With MiniDLNA installed, apply the changes and restart service. 'nft list
ruleset ip', 'nft list ruleset ip6' and 'cat /etc/firewalld/direct.xml' confirm
that port 8200 is no longer protected as a local service.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This commit alone doesn't fix the problem of our functional tests timing
out. It is harmless to increase the timeout.
The maximum timeout for shared runners in Salsa is 3h according to this:
https://salsa.debian.org/salsa-ci-team/pipeline/-/blob/master/README.md#set-build-timeout
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2276.
Functionality all over the system keeps failing due this approach. The latest is
changing hostname in ejabberd Mnesia database fails (#2276). Further, users
connecting FreedomBox to a monitor can't use a GUI.
Tests:
- Without patches, enable restricted access. Apply patches and setup.py install.
Security app is updated. Restricted access is disabled and
/etc/security/access.d/{50freedombox.conf, 10freedombox-security.conf,
10freedombox-performance.conf} are removed. It is possible to login into
non-admin account via SSH.
- On a fresh install, the configuration files are not found.
- Security page does not show 'restrict console logins' option.
- Updating security app setting works. Message 'Configuration updated.' is
shown.
- First boot succeeds. Restrict console login is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Disable the checkbox. Non-admin user who is not part freedombox-ssh group
fails to login. Admin user can login.
- Enable the checkbox and both non-admin user and admin user can login via SSH.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Remove restricted console logins. Try to login via SSH with non-admin and note
that it fails. sudo into the user succeeds.
- Add a user to freedombox-ssh group from Users & Groups app. Login with SSH
succeeds.
- Login with admin user succeeds with and without adding to freedombox-ssh
group.
- On a fresh install, non-admin users are not restricted.
- On an upgrade from a version with the patch, non-admin users are restricted.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- Trying to connect to local daemon from fbx user fails.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- When app is freshly installed, nft rules are inserted.
- When app is upgraded from older version, nft rules are inserted.
- When app is enabled/disabled, nft rules are added/removed.
- When app is uninstalled, rules are removed
- Inserted rules are after the basic setup rules inserted firewall app.
- Trying to connect to local daemon from fbx user fails. Trying to access as
root user or apache succeeds. Test connecting with 'nc localhost <port>'.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Automatically handle a setup of the component getting added to an existing
app.
Tests:
- Run unit tests
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- On a fresh container, run FreedomBox service. Notice that firewall app setup
succeeds. Base setup rules are inserted into the nftables as checked with 'nft
list ruleset ip' and 'nft list ruleset ipv6'.
- When firewalld is restarted or reloaded, the rules are still present.
- When machine is restarted, the rules are still present.
- Without the patch, setup a container. Then apply patches and restart
FreedomBox service. App setup runs again however, duplicate rules are listed in
nftables as checked with 'nft list ruleset ip' and 'nft list ruleset ipv6'.
- Increment setup version of the firewall app manually and repeat the test.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
When the security access restrictions are removed from /etc/security/access.d,
we don't want users to bypass Apache access control and directly access the app.
Tests:
- Without the patch, the uwsgi socket file is with permissions 666 in
/run/uwsgi/apps/searx/socket. nc -U <socket> succeeds as non-admin user on the
system.
- Apply the patch and restart FreedomBox. searx set is run and uwsgi service is
restarted and permissions are 660 on /run/uwsgi/apps/searx/socket. nc -U
<socket> fails as non-admin user on the system.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Upgrade existing config.
Tests:
- Install ejabberd. Configuration is set as expected and ejabberd is
running.
- Upgrade from existing ejabberd install. Configuration is set as
expected and ejabberd is running.
- Send a file between two users in dino-im and Conversations app.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
I tested this patch on a production server. When trying to authenticate with
Thunderbird, the program will try to log in three times, then disconnect from
the server. This means that one failed login attempt will be logged as four
attempts. For this reason, set maxretry to be 30.
The IP block only affects dovecot, other services are still reachable.
Signed-off-by: nbenedek <contact@nbenedek.me>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Add bind9, minetest-server, minidlna.
This matches the set of apps that implement force_upgrade.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #2134.
Tests:
1. In testing container, install Minetest and change the
configuration.
2. Manually downgrade minetest-server and minetest-data to a slightly
older version (5.5.0+dfsg+~1.9.0mt4+dfsg-1).
3. In /var/lib/dpkg/status, change the hash for
/etc/minetest/minetest.conf.
4. Run "apt update".
- minetest-server package is upgraded.
- Configuration changes are kept.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Originally there was a separate module for udiskie, which later got
merged into storage module. Since storage is an essential module,
skip_recommends has no effect. (Recommends are never installed for
essential modules.)
Closes: #2203.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
