ClearFoundation Tracker - ClearOS |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0001639 | ClearOS | app-base - Base System | public | 2014-03-29 18:23 | 2020-01-13 04:44 |
|
| Reporter | ja391045 | |
| Assigned To | | |
| Priority | normal | Severity | feature | Reproducibility | always |
| Status | closed | Resolution | won't fix | |
| Platform | Profiles | OS | Are | OS Version | Not Used |
| Product Version | 6.5.0 | |
| Target Version | | Fixed in Version | | |
|
| Summary | 0001639: Non-root users may not use webconsole apps on non-default port |
| Description | Some of my users have desktop security software that will not allow them to make SSL connections on port 81, as their security software has decided this port is for cleartext http traffic. So, by altering framework.conf(1) and adding "_default_:8443" to the VirtualHost directive for the "Secure HTTPS on port 81" I've opened the webconsole up to listen on https/8443. This makes my user's security software happy, and they can connect and login. However, once they login, they see what is shown in "homescreen_optional_port.jpg". However, if I login as thier user, using port 81, I am able to access the password and certificates user apps that these user are allowed to access.
If, after logging in as a non-root user, I manually browse to the /app/user_profile I see what is shown in "homescreen_optional_port_manual_user_app.jpg" . When logging in as root on port 8443, everything works as expected.
(1) = /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf, it also required modifying /usr/clearos/sandbox/etc/httpd/conf/httpd.conf, and adding a "Listen 8443" directive. |
| Steps To Reproduce | Install a ClearOS system. Add a non-root user, and give that user access to apps, such as Certificates.
Modify /usr/clearos/sandbox/etc/httpd/conf/httpd.conf and add "Listen 8443" at or near line 137 with the other Listen directives.
Modify /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf and add _default_:8443 next to _default_:81 in the first VirtualHost directive.
Browse to your ClearOS installation on port 81, and login with the non-root user, things will work as expected.
Logout, clear your browser cookies, and browse to your ClearOS webconsole on port 8443, and login as the non-root user. Things will not work at all.
|
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files |  homescreen_optional_port_manual_user_app.jpg (70,766) 2014-03-29 18:23
https://tracker.clearos.com/file_download.php?file_id=26&type=bug
homescreen_optional_port.jpg (28,837) 2014-03-29 18:24
https://tracker.clearos.com/file_download.php?file_id=27&type=bug
 firebug-normal-port.html (20,835) 2014-03-29 18:24
https://tracker.clearos.com/file_download.php?file_id=28&type=bug
firebug-optional-port.html (42,750) 2014-03-29 18:24
https://tracker.clearos.com/file_download.php?file_id=29&type=bug |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2014-03-29 18:23 | ja391045 | New Issue | |
| 2014-03-29 18:23 | ja391045 | File Added: homescreen_optional_port_manual_user_app.jpg | |
| 2014-03-29 18:24 | ja391045 | File Added: homescreen_optional_port.jpg | |
| 2014-03-29 18:24 | ja391045 | File Added: firebug-normal-port.html | |
| 2014-03-29 18:24 | ja391045 | File Added: firebug-optional-port.html | |
| 2014-03-29 18:25 | ja391045 | Note Added: 0001163 | |
| 2014-03-29 18:32 | ja391045 | Note Added: 0001164 | |
| 2014-03-31 08:27 | user2 | Note Added: 0001165 | |
| 2014-03-31 08:27 | user2 | Severity | minor => feature |
| 2014-03-31 08:27 | user2 | Status | new => confirmed |
| 2014-03-31 08:27 | user2 | Category | webconfig-php => app-base - Base System |
| 2014-04-01 07:36 | bchambers | Assigned To | => bchambers |
| 2014-04-01 07:36 | bchambers | Status | confirmed => assigned |
| 2014-04-01 07:39 | bchambers | Note Added: 0001166 | |
| 2014-04-02 02:20 | ja391045 | Note Added: 0001169 | |
| 2020-01-13 04:44 | NickH | Status | assigned => closed |
| 2020-01-13 04:44 | NickH | Assigned To | bchambers => |
| 2020-01-13 04:44 | NickH | Resolution | open => won't fix |
|
Notes |
|
|
|
|
I'm going to try and create a duplicate VirtualHost to listen on port 8443, instead of "sharing" the existing VirtualHost on port 81 & 8443, and see if that makes a difference. |
|
|
|
|
|
Using a seperate VirtualHost directive for port 8443 didn't change the outcome. |
|
|
|
(0001165)
|
|
user2
|
|
2014-03-31 08:27
|
|
The "Access Control" system needs to be updated as well. Anything on an unknown port is disallowed for non-root users. Search for "81" in /usr/clearos/apps/base/libraries/Access_Control.php
To implement this as a command line feature, this is the recommended approach :-)
1) Create a new configuration file /etc/clearos/base.d/framework.conf with:
additional_ports = 8443
2) Update the Access_Control.php to read from the new configuration file. Since "Access Control" is used on every controller (i.e. 1 to 5-ish times per webconfig page view), this information should probably be cached.
3) To avoid changing existing configuration files (/usr/clearos/sandbox/etc/httpd/conf/httpd.conf and /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf), generate an new Apache configlet file called /etc/clearos/base.d/my_framework.conf:
Listen 8443
<VirtualHost _default_:8443>
DocumentRoot "/usr/clearos/framework/htdocs"
... snip ...
</VirtualHost> |
|
|
|
|
To support adding alternate port, for now, you'll need to hack:
/usr/clearos/apps/base/libraries/Access_Control.php
Line 187, change:
if ($_SERVER['SERVER_PORT'] == 81) {
To:
if ($_SERVER['SERVER_PORT'] == 81 || $_SERVER['SERVER_PORT'] == 8443) {
There's not a huge demand for running webconfig on alternate port 81, but if we implement the ability to change, we'll need to pull port into a configuration file and have various libraries/configs pull it in. |
|
|
|
|
|
Thanks for the workaround, I have it implemented and it's doing the job. |
|