From 275c08b156ca0320a9b3d48bbddccb7963196817 Mon Sep 17 00:00:00 2001 From: Fred Gleason Date: Mon, 3 Apr 2017 18:15:07 -0400 Subject: [PATCH] 2017-04-03 Fred Gleason * Added a 'USERS.LOCAL_AUTH' field to the database. * Added a 'USERS.PAM_SERVICE' field to the database. * Added an index on 'STATIONS.IPV4_ADDRESS' to the database. * Incremented the database version to 262. * Added 'RDUser::localAuthentication()', 'RDUser::setLocalAuthentication()', 'RDUser::pamService()' and 'RDUser::setPamService()' methods in 'lib/rduser.cpp' and 'lib/rduser.h'. * Added 'PAM Service' and 'Authenticate This User Locally' controls to the Edit User dialog in 'rdadmin/edit_user.cpp' and 'rdadmin/edit_user.h'. * Added a PAM service configuration in 'conf/rivendell.pam'. --- ChangeLog | 13 ++++++ conf/Makefile.am | 4 ++ conf/rivendell.pam | 5 +++ docs/tables/users.txt | 2 + lib/dbversion.h | 2 +- lib/rduser.cpp | 52 +++++++++++++++++++---- lib/rduser.h | 4 ++ rdadmin/createdb.cpp | 25 ++++++++++- rdadmin/edit_user.cpp | 84 +++++++++++++++++++++++++++---------- rdadmin/edit_user.h | 6 +++ rdadmin/rdadmin_cs.ts | 8 ++++ rdadmin/rdadmin_de.ts | 8 ++++ rdadmin/rdadmin_es.ts | 8 ++++ rdadmin/rdadmin_fr.ts | 8 ++++ rdadmin/rdadmin_nb.ts | 8 ++++ rdadmin/rdadmin_nn.ts | 8 ++++ rdadmin/rdadmin_pt_BR.ts | 8 ++++ rivendell.spec.in | 1 + utils/rdrevert/rdrevert.cpp | 27 +++++++++++- utils/rdrevert/rdrevert.h | 1 + web/rdxport/rdxport.cpp | 50 ++++++++++++++++------ 21 files changed, 283 insertions(+), 49 deletions(-) create mode 100644 conf/rivendell.pam diff --git a/ChangeLog b/ChangeLog index f26f1387..1c335c9b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -15696,3 +15696,16 @@ 2017-04-03 Fred Gleason * Changed all instances of authorization failure in the rdxport service to return code 404. +2017-04-03 Fred Gleason + * Added a 'USERS.LOCAL_AUTH' field to the database. + * Added a 'USERS.PAM_SERVICE' field to the database. + * Added an index on 'STATIONS.IPV4_ADDRESS' to the database. + * Incremented the database version to 262. + * Added 'RDUser::localAuthentication()', + 'RDUser::setLocalAuthentication()', 'RDUser::pamService()' and + 'RDUser::setPamService()' methods in 'lib/rduser.cpp' and + 'lib/rduser.h'. + * Added 'PAM Service' and 'Authenticate This User Locally' controls + to the Edit User dialog in 'rdadmin/edit_user.cpp' and + 'rdadmin/edit_user.h'. + * Added a PAM service configuration in 'conf/rivendell.pam'. diff --git a/conf/Makefile.am b/conf/Makefile.am index 85b24f0b..c6f3ac38 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -23,9 +23,12 @@ install-exec-am: mkdir -p $(DESTDIR)/$(sysconfdir) cp rd-bin.conf $(DESTDIR)/$(sysconfdir)/ + mkdir -p $(DESTDIR)/etc/pam.d + cp rivendell.pam $(DESTDIR)/etc/pam.d/rivendell uninstall: rm -f $(DESTDIR)/$(sysconfdir)/rd-bin.conf + rm -f $(DESTDIR)/etc/pam.d/rivendell EXTRA_DIST = my.cnf-master\ my.cnf-standby\ @@ -33,6 +36,7 @@ EXTRA_DIST = my.cnf-master\ rd.conf-sample\ rd.conf-slax\ rd-sample.ini\ + rivendell.pam\ rlm_ando.conf\ rlm_facebook.conf\ rlm_filewrite.conf\ diff --git a/conf/rivendell.pam b/conf/rivendell.pam new file mode 100644 index 00000000..a93170ea --- /dev/null +++ b/conf/rivendell.pam @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth substack system-auth +account required pam_deny.so +password required pam_deny.so +session required pam_deny.so diff --git a/docs/tables/users.txt b/docs/tables/users.txt index 69f99422..6a411068 100644 --- a/docs/tables/users.txt +++ b/docs/tables/users.txt 
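Review bot: The new service file runs only the `auth` phase through `system-auth` and hard-denies `account` with `pam_deny.so`, so account-level policy (expired or locked system accounts, access restrictions applied by the account stack) is never consulted if `RDPam` calls only the auth phase, and if it does call the account phase every login will fail. Consider `account substack system-auth` next to the auth line so the same policy applies to both phases, and document the choice in the file. `system-auth` is the Red Hat family's stack name; Debian-based hosts use `common-auth`/`common-account`, which is worth a comment since the Makefile.am hunk above installs this file unconditionally.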
@@ -13,6 +13,8 @@ DESCRIPTION char(255) PASSWORD char(32) Not-NULL, Hashed WEBAPI_AUTH_TIMEOUT int(11) signed Seconds ENABLE_WEB enum('N','Y') +LOCAL_AUTH enum('N','Y') +PAM_SERVICE char(32) ADMIN_USERS_PRIV enum('N','Y') Retired ADMIN_CONFIG_PRIV enum('N','Y') CREATE_CARTS_PRIV enum('N','Y') diff --git a/lib/dbversion.h b/lib/dbversion.h index 1ad09a0a..15271ed6 100644 --- a/lib/dbversion.h +++ b/lib/dbversion.h @@ -24,7 +24,7 @@ /* * Current Database Version */ -#define RD_VERSION_DATABASE 261 +#define RD_VERSION_DATABASE 262 #endif // DBVERSION_H diff --git a/lib/rduser.cpp b/lib/rduser.cpp index ce412f57..f58388ca 100644 --- a/lib/rduser.cpp +++ b/lib/rduser.cpp @@ -19,6 +19,7 @@ // #include +#include #include #include #include @@ -49,19 +50,27 @@ bool RDUser::authenticated(bool webuser) const RDSqlQuery *q; QString sql; - sql=QString().sprintf("select LOGIN_NAME,ENABLE_WEB from USERS \ - where LOGIN_NAME=\"%s\" \ + if(localAuthentication()) { + sql=QString().sprintf("select LOGIN_NAME,ENABLE_WEB from USERS \ + where LOGIN_NAME=\"%s\" \ && PASSWORD=\"%s\"", - (const char *)RDEscapeString(user_name), - (const char *)RDEscapeString(user_password)); - q=new RDSqlQuery(sql); - if(q->first()) { - bool ret=RDBool(q->value(1).toString())|| - ((!RDBool(q->value(1).toString()))&&(!webuser)); + (const char *)RDEscapeString(user_name), + (const char *)RDEscapeString(user_password)); + q=new RDSqlQuery(sql); + if(q->first()) { + bool ret=RDBool(q->value(1).toString())|| + ((!RDBool(q->value(1).toString()))&&(!webuser)); + delete q; + return ret; + } delete q; + } + else { + RDPam *pam=new RDPam(pamService()); + bool ret=pam->authenticate(user_name,user_password); + delete pam; return ret; } - delete q; return false; } 
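Review bot: The PAM branch in `RDUser::authenticated()` returns `pam->authenticate()` directly and never consults `ENABLE_WEB`, so a PAM-authenticated user whose web logins are disabled is still accepted when `webuser` is true, whereas the local branch keeps that condition. The branch also does not confirm that a USERS row exists for `user_name`; `localAuthentication()` presumably evaluates false for an absent row, which would send an unknown Rivendell user to PAM, so a comment stating whether callers must check `exists()` first would help. Apply the same `webuser` rule in the PAM branch, as below. The opening of `authenticated()` lies outside the hunk.
```cpp
  else {
    RDPam *pam=new RDPam(pamService());
    bool ret=pam->authenticate(user_name,user_password);
    delete pam;
    if(!ret) {
      return false;
    }
    // Same ENABLE_WEB rule as the local branch: web logins need ENABLE_WEB='Y'
    bool enable_web=
      RDBool(RDGetSqlValue("USERS","LOGIN_NAME",user_name,"ENABLE_WEB").
	     toString());
    return enable_web||(!webuser);
  }
  // … unchanged: trailing return false …
```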
@@ -100,6 +109,31 @@ void RDUser::setEnableWeb(bool state) const } +bool RDUser::localAuthentication() const +{ + return RDBool(RDGetSqlValue("USERS","LOGIN_NAME",user_name,"LOCAL_AUTH"). + toString()); +} + + +void RDUser::setLocalAuthentication(bool state) const +{ + SetRow("LOCAL_AUTH",RDYesNo(state)); +} + + +QString RDUser::pamService() const +{ + return RDGetSqlValue("USERS","LOGIN_NAME",user_name,"PAM_SERVICE").toString(); +} + + +void RDUser::setPamService(const QString &str) const +{ + SetRow("PAM_SERVICE",str); +} + + QString RDUser::fullName() const { return RDGetSqlValue("USERS","LOGIN_NAME",user_name,"FULL_NAME").toString(); diff --git a/lib/rduser.h b/lib/rduser.h index 0a0c4556..52a04c1f 100644 --- a/lib/rduser.h +++ b/lib/rduser.h @@ -35,6 +35,10 @@ class RDUser void setPassword(const QString &password); bool enableWeb() const; void setEnableWeb(bool state) const; + bool localAuthentication() const; + void setLocalAuthentication(bool state) const; + QString pamService() const; + void setPamService(const QString &str) const; QString fullName() const; void setFullName(const QString &name) const; QString description() const; diff --git a/rdadmin/createdb.cpp b/rdadmin/createdb.cpp index 76e83f1a..460f2a54 100644 --- a/rdadmin/createdb.cpp +++ b/rdadmin/createdb.cpp @@ -2,7 +2,7 @@ // // Create, Initialize and/or Update a Rivendell Database // -// (C) Copyright 2002-2016 Fred Gleason +// (C) Copyright 2002-2017 Fred Gleason // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License version 2 as 
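Review bot: `setPamService()` stores whatever string it is given and `pamService()` returns the column unchanged, so an empty or NULL `PAM_SERVICE` reaches `RDPam` through `authenticated()` with nothing in this class catching it. The four new methods also carry no header comments; I would document on `pamService()` that the value names a PAM service (the patch installs `conf/rivendell.pam` as `/etc/pam.d/rivendell`, matching the column default of `rivendell`) and on `setLocalAuthentication()` that clearing it switches `authenticated()` from the stored password hash to PAM. A guard such as `if(str.isEmpty()) { return; }` at the top of `setPamService()` would keep the column at its previous value, though whether silent rejection or a dialog-side check suits `EditUser::okData()` better is a design call.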
@@ -578,6 +578,8 @@ bool CreateDb(QString name,QString pwd) PASSWORD CHAR(32),\ WEBAPI_AUTH_TIMEOUT int not null default 3600,\ ENABLE_WEB enum('N','Y') default 'N',\ + LOCAL_AUTH enum('N','Y') default 'Y',\ + PAM_SERVICE char(32) default \"rivendell\",\ ADMIN_USERS_PRIV ENUM('N','Y') NOT NULL DEFAULT 'N',\ ADMIN_CONFIG_PRIV ENUM('N','Y') NOT NULL DEFAULT 'N',\ CREATE_CARTS_PRIV ENUM('N','Y') NOT NULL DEFAULT 'N',\ @@ -679,7 +681,8 @@ bool CreateDb(QString name,QString pwd) CARD7_NAME char(64),\ CARD7_INPUTS int default -1,\ CARD7_OUTPUTS int default -1,\ - INDEX DESCRIPTION_IDX (DESCRIPTION))"); + INDEX DESCRIPTION_IDX (DESCRIPTION),\ + index IPV4_ADDRESS_IDX (IPV4_ADDRESS))"); if(!RunQuery(sql)) { return false; } @@ -8360,6 +8363,24 @@ int UpdateDb(int ver) } } + if(ver<262) { + sql=QString("alter table USERS add column ")+ + "LOCAL_AUTH enum('N','Y') default 'Y' after ENABLE_WEB"; + if(!RunQuery(sql)) { + return false; + } + + sql=QString("alter table USERS add column ")+ + "PAM_SERVICE char(32) default \"rivendell\" after LOCAL_AUTH"; + if(!RunQuery(sql)) { + return false; + } + + sql=QString("create index IPV4_ADDRESS_IDX on STATIONS (IPV4_ADDRESS)"); + if(!RunQuery(sql)) { + return false; + } + } // diff --git a/rdadmin/edit_user.cpp b/rdadmin/edit_user.cpp index 2d04e3f1..cccf723d 100644 --- a/rdadmin/edit_user.cpp +++ b/rdadmin/edit_user.cpp 
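Review bot: The new `PAM_SERVICE` default is written as `default \"rivendell\"` both in the CREATE TABLE and in the `alter table` inside the `ver<262` block, while every neighbouring default in the same statement uses single quotes (`default 'N'`); MySQL treats double-quoted text as an identifier when `ANSI_QUOTES` is in the session `sql_mode`, so `default 'rivendell'` is both consistent and safer. `LOCAL_AUTH` defaulting to `'Y'` keeps existing users on password authentication across the upgrade, which is the right conservative choice and deserves a one-line comment in the `ver<262` block, e.g. `// Existing users keep local (password) authentication; PAM is opt-in per user`.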
@@ -105,15 +105,49 @@ EditUser::EditUser(const QString &user,QWidget *parent) user_description_label->setFont(font); user_description_label->setAlignment(AlignRight|AlignVCenter|ShowPrefix); + // + // Local Authentication + // + user_localauth_check=new QCheckBox(this); + user_localauth_check->setGeometry(20,75,15,15); + connect(user_localauth_check,SIGNAL(toggled(bool)), + this,SLOT(localAuthToggledData(bool))); + user_localauth_label=new QLabel(user_localauth_check, + tr("Authenticate This User Locally"),this); + user_localauth_label->setGeometry(40,75,180,19); + user_localauth_label->setFont(font); + user_localauth_label->setAlignment(AlignLeft|AlignVCenter|ShowPrefix); + + // + // PAM Service + // + user_pamservice_edit=new QLineEdit(this); + user_pamservice_edit->setGeometry(120,97,150,19); + user_pamservice_edit->setMaxLength(32); + user_pamservice_label= + new QLabel(user_pamservice_edit,tr("PAM Service")+":",this); + user_pamservice_label->setGeometry(10,97,105,19); + user_pamservice_label->setFont(font); + user_pamservice_label->setAlignment(AlignRight|AlignVCenter|ShowPrefix); + + // + // Change Password Button + // + user_password_button=new QPushButton(this); + user_password_button->setGeometry(sizeHint().width()-90,75,80,50); + user_password_button->setFont(font); + user_password_button->setText(tr("Change\n&Password")); + connect(user_password_button,SIGNAL(clicked()),this,SLOT(passwordData())); + // // User Phone // user_phone_edit=new QLineEdit(this); - user_phone_edit->setGeometry(120,75,120,19); + user_phone_edit->setGeometry(120,119,120,19); user_phone_edit->setMaxLength(20); user_phone_edit->setValidator(validator); QLabel *user_phone_label=new QLabel(user_phone_edit,tr("&Phone:"),this); - user_phone_label->setGeometry(10,75,105,19); + user_phone_label->setGeometry(10,119,105,19); user_phone_label->setFont(font); user_phone_label->setAlignment(AlignRight|AlignVCenter|ShowPrefix); 
@@ -121,12 +155,12 @@ EditUser::EditUser(const QString &user,QWidget *parent) // WebAPI Authorization Timeout // user_webapi_auth_spin=new QSpinBox(this); - user_webapi_auth_spin->setGeometry(120,97,80,19); + user_webapi_auth_spin->setGeometry(120,141,80,19); user_webapi_auth_spin->setRange(0,86400); user_webapi_auth_spin->setSpecialValueText(tr("Disabled")); QLabel *user_webapi_auth_label= new QLabel(user_webapi_auth_spin,tr("WebAPI Timeout:"),this); - user_webapi_auth_label->setGeometry(10,97,105,19); + user_webapi_auth_label->setGeometry(10,141,105,19); user_webapi_auth_label->setFont(font); user_webapi_auth_label->setAlignment(AlignRight|AlignVCenter|ShowPrefix); @@ -134,26 +168,17 @@ EditUser::EditUser(const QString &user,QWidget *parent) // Enable Web Login // user_web_box=new QCheckBox(this); - user_web_box->setGeometry(20,118,15,15); + user_web_box->setGeometry(20,162,15,15); user_web_label=new QLabel(user_web_box,tr("Allow Web Logins"),this); - user_web_label->setGeometry(40,118,180,19); + user_web_label->setGeometry(40,162,180,19); user_web_label->setFont(font); user_web_label->setAlignment(AlignLeft|AlignVCenter|ShowPrefix); - // - // Change Password Button - // - QPushButton *password_button=new QPushButton(this); - password_button->setGeometry(sizeHint().width()-90,75,80,50); - password_button->setFont(font); - password_button->setText(tr("Change\n&Password")); - connect(password_button,SIGNAL(clicked()),this,SLOT(passwordData())); - // // Administrative Group Priviledges // user_admin_group=new QButtonGroup(tr("Administrative Rights"),this); - user_admin_group->setGeometry(10,147,355,45); + user_admin_group->setGeometry(10,191,355,45); user_admin_group->setFont(font); user_admin_config_button=new QCheckBox(user_admin_group); 
@@ -172,7 +197,7 @@ EditUser::EditUser(const QString &user,QWidget *parent) // Production Group Priviledges // user_prod_group=new QButtonGroup(tr("Production Rights"),this); - user_prod_group->setGeometry(10,202,355,85); + user_prod_group->setGeometry(10,246,355,85); user_prod_group->setFont(font); user_create_carts_button=new QCheckBox(user_prod_group); @@ -229,7 +254,7 @@ EditUser::EditUser(const QString &user,QWidget *parent) // Traffic Group Priviledges // user_traffic_group=new QButtonGroup(tr("Traffic Rights"),this); - user_traffic_group->setGeometry(10,297,355,66); + user_traffic_group->setGeometry(10,341,355,66); user_traffic_group->setFont(font); user_create_log_button=new QCheckBox(user_traffic_group); @@ -270,7 +295,7 @@ EditUser::EditUser(const QString &user,QWidget *parent) // OnAir Group Priviledges // user_onair_group=new QButtonGroup(tr("OnAir Rights"),this); - user_onair_group->setGeometry(10,373,355,85); + user_onair_group->setGeometry(10,417,355,85); user_onair_group->setFont(font); user_playout_log_button=new QCheckBox(user_onair_group); @@ -320,7 +345,7 @@ EditUser::EditUser(const QString &user,QWidget *parent) // Podcast Group Priviledges // user_podcast_group=new QButtonGroup(tr("Podcasting Rights"),this); - user_podcast_group->setGeometry(10,468,355,66); + user_podcast_group->setGeometry(10,512,355,66); user_podcast_group->setFont(font); user_add_podcast_button=new QCheckBox(user_podcast_group); @@ -353,7 +378,7 @@ EditUser::EditUser(const QString &user,QWidget *parent) // Group Permissions Button // user_assign_perms_button=new QPushButton(this); - user_assign_perms_button->setGeometry(10,538,sizeHint().width()/2-20,50); + user_assign_perms_button->setGeometry(10,582,sizeHint().width()/2-20,50); user_assign_perms_button->setFont(font); user_assign_perms_button->setText(tr("Assign Group\nPermissions")); connect(user_assign_perms_button,SIGNAL(clicked()),this,SLOT(groupsData())); 
@@ -363,7 +388,7 @@ EditUser::EditUser(const QString &user,QWidget *parent) // user_assign_feeds_button=new QPushButton(this); user_assign_feeds_button-> - setGeometry(sizeHint().width()/2+10,538,sizeHint().width()/2-20,50); + setGeometry(sizeHint().width()/2+10,582,sizeHint().width()/2-20,50); user_assign_feeds_button->setFont(font); user_assign_feeds_button->setText(tr("Assign Podcast Feed\nPermissions")); connect(user_assign_feeds_button,SIGNAL(clicked()),this,SLOT(feedsData())); @@ -396,6 +421,9 @@ EditUser::EditUser(const QString &user,QWidget *parent) user_full_name_edit->setText(user_user->fullName()); user_description_edit->setText(user_user->description()); user_phone_edit->setText(user_user->phone()); + user_localauth_check->setChecked(user_user->localAuthentication()); + user_pamservice_edit->setText(user_user->pamService()); + localAuthToggledData(user_localauth_check->isChecked()); user_webapi_auth_spin->setValue(user_user->webapiAuthTimeout()); user_web_box->setChecked(user_user->enableWeb()); if(user_user->adminConfig()) { @@ -451,7 +479,7 @@ EditUser::~EditUser() QSize EditUser::sizeHint() const { - return QSize(375,658); + return QSize(375,702); } @@ -461,6 +489,14 @@ QSizePolicy EditUser::sizePolicy() const } +void EditUser::localAuthToggledData(bool state) +{ + user_password_button->setEnabled(state); + user_pamservice_label->setDisabled(state); + user_pamservice_edit->setDisabled(state); +} + + void EditUser::passwordData() { QString password; 
@@ -539,6 +575,8 @@ void EditUser::okData() user_user->setFullName(user_full_name_edit->text()); user_user->setDescription(user_description_edit->text()); user_user->setPhone(user_phone_edit->text()); + user_user->setLocalAuthentication(user_localauth_check->isChecked()); + user_user->setPamService(user_pamservice_edit->text()); user_user->setWebapiAuthTimeout(user_webapi_auth_spin->value()); user_user->setEnableWeb(user_web_box->isChecked()); user_user->setAdminConfig(user_admin_config_button->isChecked()); diff --git a/rdadmin/edit_user.h b/rdadmin/edit_user.h index 3c800f2e..56e580a4 100644 --- a/rdadmin/edit_user.h +++ b/rdadmin/edit_user.h @@ -44,6 +44,7 @@ class EditUser : public QDialog QSizePolicy sizePolicy() const; private slots: + void localAuthToggledData(bool state); void passwordData(); void groupsData(); void feedsData(); @@ -55,6 +56,11 @@ class EditUser : public QDialog QLineEdit *user_name_edit; QLineEdit *user_full_name_edit; QLineEdit *user_description_edit; + QCheckBox *user_localauth_check; + QLabel *user_localauth_label; + QLineEdit *user_pamservice_edit; + QLabel *user_pamservice_label; + QPushButton *user_password_button; QLineEdit *user_phone_edit; QSpinBox *user_webapi_auth_spin; QCheckBox *user_web_box; diff --git a/rdadmin/rdadmin_cs.ts b/rdadmin/rdadmin_cs.ts index b17229a6..ca66c353 100644 --- a/rdadmin/rdadmin_cs.ts +++ b/rdadmin/rdadmin_cs.ts @@ -4135,6 +4135,14 @@ pro přívod pro podcast WebAPI Timeout: + + Authenticate This User Locally + + + + PAM Service + + EditUserPerms diff --git a/rdadmin/rdadmin_de.ts b/rdadmin/rdadmin_de.ts index c82ab464..474d8cd4 100644 --- a/rdadmin/rdadmin_de.ts +++ b/rdadmin/rdadmin_de.ts @@ -4092,6 +4092,14 @@ zuweisen WebAPI Timeout: + + Authenticate This User Locally + + + + PAM Service + + EditUserPerms diff --git a/rdadmin/rdadmin_es.ts b/rdadmin/rdadmin_es.ts index 0520dc13..eb45cc88 100644 --- a/rdadmin/rdadmin_es.ts +++ b/rdadmin/rdadmin_es.ts 
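Review bot: `okData()` saves `user_pamservice_edit->text()` without checking it, so un-ticking `Authenticate This User Locally` and leaving the PAM Service field blank stores an empty service name that `RDUser::authenticated()` will hand to `RDPam`. Validate before the setters run: when `!user_localauth_check->isChecked()&&user_pamservice_edit->text().isEmpty()`, show a warning dialog (a `QMessageBox::warning`, if that class is already in scope in this file) and return without saving. `okData()` begins and ends outside this hunk.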
@@ -4080,6 +4080,14 @@ Feeds para Podcasts WebAPI Timeout: + + Authenticate This User Locally + + + + PAM Service + + EditUserPerms diff --git a/rdadmin/rdadmin_fr.ts b/rdadmin/rdadmin_fr.ts index a023cd81..9f8fad62 100644 --- a/rdadmin/rdadmin_fr.ts +++ b/rdadmin/rdadmin_fr.ts @@ -3710,6 +3710,14 @@ Permissions WebAPI Timeout: + + Authenticate This User Locally + + + + PAM Service + + EditUserPerms diff --git a/rdadmin/rdadmin_nb.ts b/rdadmin/rdadmin_nb.ts index c8b4b4b6..8ed07899 100644 --- a/rdadmin/rdadmin_nb.ts +++ b/rdadmin/rdadmin_nb.ts @@ -4082,6 +4082,14 @@ tilgangsrettar WebAPI Timeout: + + Authenticate This User Locally + + + + PAM Service + + EditUserPerms diff --git a/rdadmin/rdadmin_nn.ts b/rdadmin/rdadmin_nn.ts index c8b4b4b6..8ed07899 100644 --- a/rdadmin/rdadmin_nn.ts +++ b/rdadmin/rdadmin_nn.ts @@ -4082,6 +4082,14 @@ tilgangsrettar WebAPI Timeout: + + Authenticate This User Locally + + + + PAM Service + + EditUserPerms diff --git a/rdadmin/rdadmin_pt_BR.ts b/rdadmin/rdadmin_pt_BR.ts index 1feb6f53..30b1ca7a 100644 --- a/rdadmin/rdadmin_pt_BR.ts +++ b/rdadmin/rdadmin_pt_BR.ts @@ -4085,6 +4085,14 @@ Feeds de Podcasts WebAPI Timeout: + + Authenticate This User Locally + + + + PAM Service + + EditUserPerms diff --git a/rivendell.spec.in b/rivendell.spec.in index a21b6788..65580daf 100644 --- a/rivendell.spec.in +++ b/rivendell.spec.in @@ -285,6 +285,7 @@ rm -rf $RPM_BUILD_ROOT %attr(6755,root,root) @libexecdir@/rdxport.cgi @sysconfdir@/rd-bin.conf @WIN32_PATH@ +/etc/pam.d/rivendell /etc/pam.d/rdalsaconfig-root /etc/security/console.apps/rdalsaconfig-root %{_mandir}/man1/rdexport.1.gz diff --git a/utils/rdrevert/rdrevert.cpp b/utils/rdrevert/rdrevert.cpp index 072ef79d..c20b4a21 100644 --- a/utils/rdrevert/rdrevert.cpp +++ b/utils/rdrevert/rdrevert.cpp @@ -202,6 +202,10 @@ void MainObject::Revert(int schema) const case 261: Revert261(); break; + + case 262: + Revert262(); + break; } } 
@@ -567,6 +571,27 @@ void MainObject::Revert261() const } +void MainObject::Revert262() const +{ + QString sql; + QSqlQuery *q; + + sql=QString("alter table USERS drop column LOCAL_AUTH"); + q=new QSqlQuery(sql); + delete q; + + sql=QString("alter table USERS drop column PAM_SERVICE"); + q=new QSqlQuery(sql); + delete q; + + sql=QString("drop index IPV4_ADDRESS_IDX on STATIONS"); + q=new QSqlQuery(sql); + delete q; + + SetVersion(261); +} + + int MainObject::GetVersion() const { QString sql; @@ -609,7 +634,7 @@ int MainObject::MapSchema(const QString &ver) version_map["2.13"]=255; version_map["2.14"]=258; version_map["2.15"]=259; - version_map["2.16"]=261; + version_map["2.16"]=262; // // Normalize String diff --git a/utils/rdrevert/rdrevert.h b/utils/rdrevert/rdrevert.h index 062e0311..836cc4a5 100644 --- a/utils/rdrevert/rdrevert.h +++ b/utils/rdrevert/rdrevert.h @@ -57,6 +57,7 @@ class MainObject : public QObject void Revert259() const; void Revert260() const; void Revert261() const; + void Revert262() const; int GetVersion() const; void SetVersion(int schema) const; int MapSchema(const QString &ver); diff --git a/web/rdxport/rdxport.cpp b/web/rdxport/rdxport.cpp index 1a391e90..526d9f23 100644 --- a/web/rdxport/rdxport.cpp +++ b/web/rdxport/rdxport.cpp @@ -52,19 +52,6 @@ Xport::Xport(QObject *parent) xport_config=new RDConfig(); xport_config->load(); - // - // Drop Root Perms - // - if(setgid(xport_config->gid())<0) { - XmlExit("Unable to set Rivendell group",500); - } - if(setuid(xport_config->uid())<0) { - XmlExit("Unable to set Rivendell user",500); - } - if(getuid()==0) { - XmlExit("Rivendell user should never be \"root\"!",500); - } - // // Open Database // 
@@ -139,6 +126,19 @@ Xport::Xport(QObject *parent) XmlExit("Invalid User",403); } + // + // Drop root permissions + // + if(setgid(xport_config->gid())<0) { + XmlExit("Unable to set Rivendell group",500); + } + if(setuid(xport_config->uid())<0) { + XmlExit("Unable to set Rivendell user",500); + } + if(getuid()==0) { + XmlExit("Rivendell user should never be \"root\"!",500); + } + // // Read Command Variable and Dispatch // @@ -291,6 +291,9 @@ bool Xport::Authenticate() unsigned char rawstr[1024]; unsigned char sha1[SHA_DIGEST_LENGTH]; + // + // First, attempt ticket authentication + // if(xport_post->getValue("TICKET",&ticket)) { sql=QString("select LOGIN_NAME from WEBAPI_AUTHS where ")+ "(TICKET=\""+RDEscapeString(ticket)+"\")&&"+ @@ -305,6 +308,9 @@ bool Xport::Authenticate() delete q; } + // + // Next, check the whitelist + // if(!xport_post->getValue("LOGIN_NAME",&name)) { return false; } @@ -312,6 +318,24 @@ bool Xport::Authenticate() return false; } xport_user=new RDUser(name); + if(!xport_user->exists()) { + return false; + } + if((xport_post->clientAddress().toIPv4Address()>>24)==127) { // Localhost + return true; + } + sql=QString("select NAME from STATIONS where ")+ + "IPV4_ADDRESS=\""+xport_post->clientAddress().toString()+"\""; + q=new RDSqlQuery(sql); + if(q->first()) { + delete q; + return true; + } + delete q; + + // + // Finally, try password + // if(!xport_user->checkPassword(passwd,false)) { return false; }
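Review bot: Moving the `setgid`/`setuid` block below the user lookup means everything above it in the constructor — the database open, the POST parsing into `xport_post`, and the whole of `Authenticate()` with its ticket, whitelist and password queries — now runs with the root privileges that the setuid `rdxport.cgi` starts with (the spec lists it as `%attr(6755,root,root)`), where previously only the configuration load did. The commit message does not say why; presumably PAM needs root to consult system credentials. Record that on the new block, e.g. `// Deliberately after Authenticate(): PAM needs the original privileges; everything above runs as root`, so a later cleanup does not move it back up. `Xport::Xport()` starts and ends outside the hunk.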
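Review bot: The whitelist step in `Authenticate()` grants access on `LOGIN_NAME` alone to any client whose address matches a `STATIONS.IPV4_ADDRESS` row, with no password or ticket; it relies entirely on the web server's reported client address, so a reverse proxy or NAT in front of `rdxport.cgi` would make every request appear to come from one address, and the loopback shortcut covers only IPv4 (`toIPv4Address()` apparently yields 0 for `::1`). That trust decision deserves a comment on the `select NAME from STATIONS` query, not only the generic `Next, check the whitelist` header. The address is also interpolated into the SQL without `RDEscapeString()`, unlike the `TICKET` query a few lines up; `QHostAddress::toString()` output is constrained, but `"IPV4_ADDRESS=\""+RDEscapeString(xport_post->clientAddress().toString())+"\""` keeps the queries uniform. `Authenticate()` starts and ends outside the hunk.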