Passwords will be automatically upgraded for each user on login.
Usernames not yet upgraded are vulnerable to user enumeration attack due to
difference in password check timing.
No need to add build dependency on python3-argon2 because tests use a different
Django configuration which does not use argon2 hash.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This is necessary to avoid errors when installing freedombox with older plinth
already installed. Also make plinth depend on latest freedombox to ensure
upgrades go smoothly.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
All the packages that are removed as dependencies in freedombox-setup and are
not essential for the operation of FreedomBox/Plinth have been moved to
Recommends .
The following packages were *moved* from freedombox-setup directly as is:
- bridge-utils
- curl
- devio
- dnsutils
- dosfstools
- haveged
- htop
- iftop
- iputils-ping
- iw
- libnss-gw-name
- libnss-mdns
- libnss-myhostname
- libpam-tmpdir
- libpam-abl
- locales
- locales-all
- lsof
- netcat-openbsd
- psmisc
- resolvconf
- rfkill
- tcpdump
- vim-tiny
- wget
- wireless-tools
- zile
The following packages have been *added* as they are part of standard system
utilities present in a Debian system:
- bzip2
- file
- openssh-client
- pciutils
- whois
The following packages were *dropped* as dependencies from freedombox-setup:
- dialog: no utility to an admin on command line. No scripts are currently using
it. Any script using it should have a dependency on it.
- dnsmasq-base: network-manager is one that uses it and it already recommends
it.
- parted: Added as dependency for the storage module which uses it.
- ssl-cert: apache2 and other packages that use it already recommend it.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Remove access/error log references in configuration files and tests.
- Ensure that /var/log/plinth directory is not created anymore.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
While capturing stdout and stderr and automatically logging that to system
logging daemon provides basic information, a lot of information lost in the
process.
This change logs to systemd journal directly so that rich information such as
code file, code function, code line, etc, can be captured in a structured way.
To avoid double logging, discard stdout and stderr in the systemd unit file.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Load scripts in the head with `defer` instead of at the end of the body
- Disable turbolinks for application shortcuts and manual download
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- A freshly installed FreedomBox can be hijacked by a third party and an admin
account can be created which can be used to inject malware or simply take over
the instance. Password protecting the firstboot step is a good way to avoid
this. A secret will be displayed to the user as soon as the Plinth package
is installed, which they have to enter during firstboot welcome step. Also,
writing this to a file in plinth's home in case the user loses it.
- This protection is not applicable for images built by freedom-maker and for
Amazon Machine Images.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
