| Cheshire Cat Computing http://www.steveshipway.org/forum/ |
|
| Security in Routers.cgi http://www.steveshipway.org/forum/viewtopic.php?f=2&t=100 |
Page 1 of 1 |
| Author: | BigDaddy [ Wed Dec 24, 2003 11:48 am ] |
| Post subject: | Security in Routers.cgi |
Howdy... I was wondering, I'm trying to create external scripts to use with Routers.cgi, but I want them to only be available when you've logged into routers.cgi. (user-usera) etc. Is this possible? Right now they are in the mrtg.cfg file, for each interface. Something like allowscript = extension.cgi or something. BTW, I love the new rev. twinmenu is a godsend. |
|
| Author: | stevesh [ Wed Dec 24, 2003 9:02 pm ] |
| Post subject: | |
Difficult. If you use the webserver for authentication, then you can just use your .htaccess file to extend this authentication to your new scripts, but if you use routers.cgi's internal authentication then it has no control over the other scripts. Of course the pages containing the links will not be displayed until the user has logged in with sufficient rights to see the device, but this will not prevent someone from calling the script directly, since then it is completely out of the control of routers.cgi. The only way to achieve this is to incorporate the authuser code from routers.cgi into your extension script, and have it exit if there is not a valid cookie attached to the request. This would also require a slight mod to the routers.cgi script itself to make the security cookie directory-wide or site-wide, rather than only for the routers.cgi script itself. Maybe a future version of routers.cgi should pass the auth token to the script for verification? Maybe better to extend the cookie system, though. Thoughts, anyone? |
|
| Author: | BigDaddy [ Sun Dec 28, 2003 9:44 am ] |
| Post subject: | 2nd Attempt at this post. |
How about this.

Example 1
+/- line 1500 of routers.cgi
    if( $buf =~ /^\s*routers\.cgi\*Extensions?\s*:\s*(\S.*)/i and !$readinrouters and $usersec) {

Example 2
or in MRTG.cfg
    routers.cgi*Extension[xyz]: "Show current interface status" /mrtg/cgi/ifstatus.cgi camera2-sm.gif 3 <--$security in cgi
and in routers.cgi
    if( $buf =~ /^\s*routers\.cgi\*Extensions?\s*:\s*(\S.*)/i and !$readinrouters and $security >2) {

Example 3
in routers.conf
    [user-usera]
    securitylevel=2
    [user-admin]
    securitylevel=5
in MRTG.cfg
    routers.cgi*Extension[xyz]: "Show current interface status" /mrtg/cgi/ifstatus.cgi camera2-sm.gif 3 <--$security in cgi
and in routers.cgi
    if( $buf =~ /^\s*routers\.cgi\*Extensions?\s*:\s*(\S.*)/i and !$readinrouters and ($securitylevel >= $security)) {
usera doesn't see it, but admin does. |
|
| Author: | stevesh [ Sun Dec 28, 2003 1:56 pm ] |
| Post subject: | |
Aha, I see what you are after -- disable the extension being shown unless you are logged in as a particular user. Note that this will only provide 'security via obscurity' unless the authentication method is carried through to the extension plugin, though. I'll look into implementing this (or something similar) for the next release... I'll also see if I can make the Extension template include the authentication and routers2.conf-reading code. Steve |
|
| Author: | BigDaddy [ Tue Dec 30, 2003 6:52 am ] |
| Post subject: | Best to keep a backup handy. :) |
After a couple of tries. This is what I've come up with. Let me know what you think. This does what I need it to do. Only shows extensions with a security of 0 if you are not logged in, and shows extensions up to your security level if you are logged in.

Added to routers2.cgi at +/- 1162, 1500, and 1522 (the 3 stops searching for Extensions):
    ( $security, $desc, $url, $icon, $targ ) = quotewords('\s+',0,$arg);
    next if ($config{'routers.cgi-securitylevel'} <= $security);

The $security was added before the $desc so as not to play with $targ, see below. Of course
    my ($security) = '0';
was added to the top of the script.

    routers.cgi*Extension[acsrtr1_to2_0]: 3 "Show current interface status" /mrtg/cgi/ifstatus.cgi camera2-sm.gif

A security number of 0 will show all the time.

Then to routers.conf:
    [user-admin]
    archive = yes
    routingtableurl = /mrtg/cgi/routingtable.cgi
    securitylevel = 5 |
|
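An added example, not part of any post above and not routers.cgi's own authuser code: one way an extension CGI can enforce the login and security level itself, so that a direct request is refused as well as the menu link being hidden. The cookie format, the shared secret and the names `make_token`, `verified_level`, `allowed`, `$SECRET` and `$REQUIRED` are assumptions made for the illustration.

```perl
# Added example, not routers.cgi code: an extension CGI that checks the login itself.
# Hypothetical cookie format: auth=<user>:<level>:<expiry epoch>:<hex HMAC-SHA256>
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET   = 'placeholder-secret-shared-with-the-login-script';
my $REQUIRED = 3;    # the security number this extension has in the MRTG cfg

# Sign a token. The login script would do this after checking the password;
# here it is only used to construct sample input.
sub make_token {
    my ($user, $level, $expiry) = @_;
    my $body = "$user:$level:$expiry";
    return $body . ':' . hmac_sha256_hex($body, $SECRET);
}

# Return the verified level, or nothing if the cookie is absent, malformed, expired or badly signed.
sub verified_level {
    my ($cookies, $now) = @_;
    return unless defined $cookies;
    my ($token) = $cookies =~ /(?:^|;\s*)auth=([^;]+)/ or return;
    my ($user, $level, $expiry, $mac) =
        $token =~ /^([\w.-]+):(\d+):(\d+):([0-9a-f]{64})\z/ or return;
    my $expect = hmac_sha256_hex("$user:$level:$expiry", $SECRET);
    my $diff = 0;    # compare all 64 characters, no early exit
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expect, $_, 1)) for 0 .. 63;
    return if $diff or $expiry < $now;
    return $level;
}

sub allowed {    # use the same comparison as the menu filter in routers.cgi
    my ($cookies, $now) = @_;
    my $level = verified_level($cookies, $now);
    return defined($level) && $level >= $REQUIRED ? 1 : 0;
}

if ($ENV{GATEWAY_INTERFACE}) {    # running under the web server
    unless (allowed($ENV{HTTP_COOKIE}, time)) {
        print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nAccess denied\n";
        exit 0;
    }
    print "Content-Type: text/plain\r\n\r\nextension output goes here\n";
} else {                          # command line: constructed sample cookies
    my $now = time;
    my $admin = 'auth=' . make_token('admin', 5, $now + 600);
    (my $forged = 'auth=' . make_token('usera', 2, $now + 600)) =~ s/:2:/:5:/;
    print "$_->[0]: ", allowed($_->[1], $now), "\n"
        for ['admin', $admin], ['forged', $forged], ['none', undef];
}
```

For the browser to send the cookie to the extension at all, the login script has to set it with a path that covers the extension's URL, which is the directory-wide or site-wide cookie change stevesh mentions.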
| All times are UTC + 12 hours [ DST ] |