Cheshire Cat Computing • View topic - Security in Routers.cgi


All times are UTC + 12 hours [ DST ]




 Post subject: Security in Routers.cgi
Posted: Wed Dec 24, 2003 11:48 am
Silver User

Joined: Sat Nov 08, 2003 11:04 am
Posts: 23
Location: Chicago IL.
Howdy...

I was wondering, I'm trying to create external scripts to use with Routers.cgi, but I want them to only be available when you've logged into routers.cgi. (user-usera) etc. Is this possible?

Right now they are in the mrtg.cfg file, for each interface.

Something like allowscript = extension.cgi or something.

BTW, I love the new rev. twinmenu is a godsend.


Posted: Wed Dec 24, 2003 9:02 pm
Site Admin

Joined: Tue Jul 29, 2003 11:42 am
Posts: 3039
Location: Auckland, New Zealand
Difficult.

If you use the webserver for authentication, then you can just use your .htaccess file to extend this authentication to your new scripts, but if you use routers.cgi's internal authentication then it has no control over the other scripts.

Of course the pages containing the links will not be displayed until the user has logged in with sufficient rights to see the device, but this will not prevent someone from calling the script directly, since then it is completely out of the control of routers.cgi.

The only way to achieve this is to incorporate the authuser code from routers.cgi into your extension script, and have it exit if there is not a valid cookie attached to the request. This would also require a slight mod to the routers.cgi script itself to make the security cookie directory-wide or site-wide, rather than only for the routers.cgi script itself.

Maybe a future version of routers.cgi should pass the auth token to the script for verification? Maybe better to extend the cookie system, though.

Thoughts, anyone?


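An added example, not part of the original posts and not routers.cgi's own authuser code: a guard at the top of an extension script that exits unless the request carries a valid signed cookie, as the reply above suggests. The cookie name `ext_auth`, the `user:expiry:hmac` layout and the shared secret are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Guard for an extension CGI such as ifstatus.cgi (added example).
# ASSUMPTION: the cookie name "ext_auth" and the token layout
# "user:expiry:hmac" are hypothetical, not routers.cgi's real cookie format.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-secret';   # shared with the issuing script (assumption)

# What the login script would issue after a successful login.
sub make_token {
    my ($user, $expiry) = @_;
    return join ':', $user, $expiry, hmac_sha256_hex("$user:$expiry", $SECRET);
}

# Return the user name if the Cookie header carries a valid, unexpired
# token; return undef otherwise.
sub auth_user {
    my ($cookie_header, $now) = @_;
    my ($token) = ($cookie_header // '') =~ /(?:^|;\s*)ext_auth=([^;]+)/
        or return;
    my ($user, $expiry, $mac) = $token =~ /^([\w.-]+):(\d+):([0-9a-f]{64})$/
        or return;
    return if $expiry < $now;
    my $want = hmac_sha256_hex("$user:$expiry", $SECRET);
    # Compare all 64 hex digits without stopping at the first mismatch.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. 63;
    return $diff ? undef : $user;
}

# The check runs before the script does any work or prints any data.
my $user = auth_user($ENV{HTTP_COOKIE}, time);
unless (defined $user) {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n";
    print "Login required.\n";
    exit 0;
}
print "Content-Type: text/plain\r\n\r\n";
print "Interface status for $user ...\n";
```

For the browser to send the cookie to sibling scripts at all, the issuing script has to set it directory-wide or site-wide, which is the modification to routers.cgi the reply mentions.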
 
Posted: Sun Dec 28, 2003 9:44 am
Silver User

Joined: Sat Nov 08, 2003 11:04 am
Posts: 23
Location: Chicago IL.
How about this.

Example 1
+/- line 1500 of routers.cgi

if( $buf =~ /^\s*routers\.cgi\*Extensions?\s*:\s*(\S.*)/i
and !$readinrouters and $usersec) {

Example 2
or in MRTG.cfg

routers.cgi*Extension[xyz]: "Show current interface status" /mrtg/cgi/ifstatus.cgi camera2-sm.gif 3 <--$security in cgi

and in routers.cgi

if( $buf =~ /^\s*routers\.cgi\*Extensions?\s*:\s*(\S.*)/i
and !$readinrouters and $security >2) {

Example 3
in routers.conf

[user-usera]

securitylevel=2

[user-admin]

securitylevel=5


in MRTG.cfg

routers.cgi*Extension[xyz]: "Show current interface status" /mrtg/cgi/ifstatus.cgi camera2-sm.gif 3 <--$security in cgi

and in routers.cgi

if( $buf =~ /^\s*routers\.cgi\*Extensions?\s*:\s*(\S.*)/i
and !$readinrouters and ($securitylevel >= $security)) {

usera doesn't see it, but admin does.


Posted: Sun Dec 28, 2003 1:56 pm
Site Admin

Joined: Tue Jul 29, 2003 11:42 am
Posts: 3039
Location: Auckland, New Zealand
Aha, I see what you are after -- disable the extension being shown unless you are logged in as a particular user. Note that this will only provide 'security via obscurity' unless the authentication method is carried through to the extension plugin, though.

I'll look into implementing this (or something similar) for the next release... I'll also see if I can make the Extension template include the authentication and routers2.conf-reading code.

Steve


Posted: Tue Dec 30, 2003 6:52 am
Silver User

Joined: Sat Nov 08, 2003 11:04 am
Posts: 23
Location: Chicago IL.
After a couple of tries, this is what I've come up with. Let me know what you think. This does what I need it to do. Only shows extensions with a security of 0 if you are not logged in, and shows extensions up to your security level if you are logged in.

added to routers2.cgi at +/- 1162, 1500, and 1522 (the 3 stops searching for Extensions)

( $security, $desc, $url, $icon, $targ ) = quotewords('\s+',0,$arg);
# skip extensions above the viewer's level; an unset level counts as 0
next if (($config{'routers.cgi-securitylevel'} || 0) < $security);

The $security was added before the $desc so as not to play with $targ; see below. Of course, -> my ($security) = '0'; <- was added to the top of the script.

routers.cgi*Extension[acsrtr1_to2_0]: 3 "Show current interface status" /mrtg/cgi/ifstatus.cgi camera2-sm.gif

A security number of 0 will show all the time.

Then to routers.conf

[user-admin]
archive = yes
routingtableurl = /mrtg/cgi/routingtable.cgi
securitylevel = 5


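An added example, not code from routers.cgi or from the posts: the level filter described in the post above, run over constructed Extension lines, including a line that has no level field. The `visible_extensions` helper, the sample lines and the choice to treat a missing level as 0 are assumptions; the filter only hides menu links and does not stop a direct request to the script.

```perl
#!/usr/bin/perl
# Menu filter for Extension lines that carry a leading security level
# (added example; the sample lines and helper name are constructed).
use strict;
use warnings;
use Text::ParseWords qw(quotewords);

my @cfg = (   # constructed lines in the format used in the post
    'routers.cgi*Extension[acsrtr1_to2_0]: 3 "Show current interface status" /mrtg/cgi/ifstatus.cgi camera2-sm.gif',
    'routers.cgi*Extension[acsrtr1_to2_0]: 0 "Public help page" /mrtg/cgi/help.cgi help-sm.gif',
    'routers.cgi*Extension[acsrtr1_to2_0]: "Line written before levels" /mrtg/cgi/old.cgi old-sm.gif',
);

# Return the descriptions a viewer with $level may see.
# An undefined level (not logged in) counts as 0.
sub visible_extensions {
    my ($level, @lines) = @_;
    $level //= 0;
    my @shown;
    for my $buf (@lines) {
        next unless $buf =~ /^\s*routers\.cgi\*Extensions?\[[^\]]+\]\s*:\s*(\S.*)/i;
        my $arg = $1;
        my @f = quotewords('\s+', 0, $arg);
        next unless @f;                  # unbalanced quotes: nothing parsed
        # A line without a numeric first field predates the level field;
        # treat it as level 0 so existing menus keep working (assumption).
        unshift @f, 0 unless $f[0] =~ /^\d+$/;
        my ($security, $desc, $url, $icon, $targ) = @f;
        next if $level < $security;      # hide only items above the viewer
        push @shown, $desc;
    }
    return @shown;
}

for my $who ([anonymous => undef], [usera => 2], [admin => 5]) {
    printf "%-9s sees: %s\n", $who->[0],
        join(' | ', visible_extensions($who->[1], @cfg));
}
```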
 