From 6d47bf00bd1f6b5c33a54cbbbe776ff17b44f64f Mon Sep 17 00:00:00 2001
From: Ken Moore
Date: Fri, 29 Apr 2016 13:41:25 -0400
Subject: [PATCH 1/2] oops. fix a typo.
---
 src/server/LogManager.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/server/LogManager.cpp b/src/server/LogManager.cpp
index 03183f5..db4d986 100644
--- a/src/server/LogManager.cpp
+++ b/src/server/LogManager.cpp
@@ -18,9 +18,9 @@ void LogManager::checkLogDir(){
 QDir dir(logd);
 dir.mkpath(logd);
 }
- int daysold = CONFIG->value("prune_log_days_old",90); //90 days by default
+ int daysold = CONFIG->value("prune_log_days_old",90).toInt(); //90 days by default
 if(daysold>0){
- LogManager::pruneLogs(QDate::currentDate().addDays(-daysold));
+ LogManager::pruneLogs(QDate::currentDate().addDays(0-daysold));
 }
 }
From b27166d1d4c44fa1c06e29ace4343fc792a95a42 Mon Sep 17 00:00:00 2001
From: Ken Moore
Date: Fri, 29 Apr 2016 14:37:55 -0400
Subject: [PATCH 2/2] Add a couple new settings:
auth/allowUserPassAuth [bool]: Enable username/password combinations for authentication (default value: true)
auth/allowServiceAuth [bool]: Allow local services to connect to the server with reduced priviledges (default value: false)
---
 src/server/AuthorizationManager.cpp | 37 +++++++++++++++--------------
 1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/src/server/AuthorizationManager.cpp b/src/server/AuthorizationManager.cpp
index 83133ba..89449a2 100644
--- a/src/server/AuthorizationManager.cpp
+++ b/src/server/AuthorizationManager.cpp
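Review bot: The new `toInt()` on the `prune_log_days_old` value is called without its `bool *ok` argument, so a non-numeric setting converts to 0 and the `if(daysold>0)` guard below then silently disables log pruning instead of falling back to the documented default; consider `bool conv = false; int daysold = CONFIG->value("prune_log_days_old",90).toInt(&conv); if(!conv){ daysold = 90; } //90 days by default`. The second change, `addDays(0-daysold)`, is equivalent to the removed `addDays(-daysold)` for an `int`, so unless a build error motivated it that I cannot see here, it reads as a cosmetic rewrite and the unary minus is the more conventional spelling. checkLogDir's body begins above the hunk.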
@@ -135,26 +135,27 @@ int AuthorizationManager::checkAuthTimeoutSecs(QString token){
 // == Token Generation functions
 QString AuthorizationManager::LoginUP(QHostAddress host, QString user, QString pass){
- //Login w/ username & password
+ //Login w/ username & password
 bool localhost = ( (host== QHostAddress::LocalHost) || (host== QHostAddress::LocalHostIPv6) || (host.toString()=="::ffff:127.0.0.1") );
 bool ok = false;
- //First check that the user is valid on the system and part of the operator group
 bool isOperator = false;
- if(user!="root" && user!="toor"){
- QStringList groups = getUserGroups(user);
- if(groups.contains("wheel")){ isOperator = true; } //full-access user
- else if(!groups.contains("operator")){
- return ""; //user not allowed access if not in either of the wheel/operator groups
+ //First check that the user is valid on the system and part of the operator group
+ if( CONFIG->value("auth/allowUserPassAuth",true).toBool() ){
+ if(user!="root" && user!="toor"){
+ QStringList groups = getUserGroups(user);
+ if(groups.contains("wheel")){ isOperator = true; } //full-access user
+ else if(!groups.contains("operator")){
+ return ""; //user not allowed access if not in either of the wheel/operator groups
+ }
+ }else{ isOperator = true; }
+ //qDebug() << "Check username/password" << user << pass << localhost;
+ //Need to run the full username/password through PAM
+ if(!localhost || user=="root" || user=="toor"){
+ ok = pam_checkPW(user,pass);
+ }else{
+ ok = true; //allow local access for users without password
 }
- }else{ isOperator = true; }
- //qDebug() << "Check username/password" << user << pass << localhost;
- //Need to run the full username/password through PAM
- if(!localhost || user=="root" || user=="toor"){
- ok = pam_checkPW(user,pass);
- }else{
- ok = true; //allow local access for users without password
 }
- qDebug() << "User Login Attempt:" << user << " Success:" << ok << " IP:" << host.toString();
 LogManager::log(LogManager::HOST, 
QString("User Login Attempt: ")+user+" Success: "+(ok?"true":"false")+" IP: "+host.toString() ); if(!ok){ @@ -172,13 +173,13 @@ QString AuthorizationManager::LoginUP(QHostAddress host, QString user, QString p QString AuthorizationManager::LoginService(QHostAddress host, QString service){ bool localhost = ( (host== QHostAddress::LocalHost) || (host== QHostAddress::LocalHostIPv6) || (host.toString()=="::ffff:127.0.0.1") ); - + //Login a particular automated service qDebug() << "Service Login Attempt:" << service << " Success:" << localhost; if(!localhost){ return ""; } //invalid - services must be local for access //Check that the service is valid on the system - bool isok = false; - if(service!="root" && service!="toor" && localhost){ + bool isok = localhost && CONFIG->value("auth/allowServiceAuth",false).toBool( ); + if(service!="root" && service!="toor" && isok){ QStringList groups = getUserGroups(service); isok = (groups.contains(service) && !groups.contains("wheel") && !groups.contains("operator")); }