ClearOS Bug Tracker

Main | My View | View Issues | Change Log | Roadmap | Repositories
  

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0001639ClearOSapp-base - Base Systempublic2014-03-29 18:232020-01-13 04:44
Reporterja391045 
Assigned To 
PrioritynormalSeverityfeatureReproducibilityalways
StatusclosedResolutionwon't fix 
PlatformProfilesOSAreOS VersionNot Used
Product Version6.5.0 
Target VersionFixed in Version 
Summary0001639: Non-root users may not use webconsole apps on non-default port
DescriptionSome of my users have desktop security software that will not allow them to make SSL connections on port 81, as their security software has decided this port is for cleartext http traffic. So, by altering framework.conf(1) and adding "_default_:8443" to the VirtualHost directive for the "Secure HTTPS on port 81" I've opened the webconsole up to listen on https/8443. This makes my user's security software happy, and they can connect and login. However, once they login, they see what is shown in "homescreen_optional_port.jpg". However, if I login as thier user, using port 81, I am able to access the password and certificates user apps that these user are allowed to access.

If, after logging in as a non-root user, I manually browse to the /app/user_profile I see what is shown in "homescreen_optional_port_manual_user_app.jpg" . When logging in as root on port 8443, everything works as expected.


(1) = /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf, it also required modifying /usr/clearos/sandbox/etc/httpd/conf/httpd.conf, and adding a "Listen 8443" directive.
Steps To ReproduceInstall a ClearOS system. Add a non-root user, and give that user access to apps, such as Certificates.

Modify /usr/clearos/sandbox/etc/httpd/conf/httpd.conf and add "Listen 8443" at or near line 137 with the other Listen directives.

Modify /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf and add _default_:8443 next to _default_:81 in the first VirtualHost directive.

Browse to your ClearOS installation on port 81, and login with the non-root user, things will work as expected.

Logout, clear your browser cookies, and browse to your ClearOS webconsole on port 8443, and login as the non-root user. Things will not work at all.

TagsNo tags attached.
Attached Filesjpg file icon homescreen_optional_port_manual_user_app.jpg [^] (70,766 bytes) 2014-03-29 18:23


jpg file icon homescreen_optional_port.jpg [^] (28,837 bytes) 2014-03-29 18:24


html file icon firebug-normal-port.html [^] (20,835 bytes) 2014-03-29 18:24
html file icon firebug-optional-port.html [^] (42,750 bytes) 2014-03-29 18:24

- Relationships

-  Notes
(0001163)
ja391045 (reporter)
2014-03-29 18:25

 I'm going to try and create a duplicate VirtualHost to listen on port 8443, instead of "sharing" the existing VirtualHost on port 81 & 8443, and see if that makes a difference.
(0001164)
ja391045 (reporter)
2014-03-29 18:32

 Using a seperate VirtualHost directive for port 8443 didn't change the outcome.
(0001165)
user2
2014-03-31 08:27

 The "Access Control" system needs to be updated as well. Anything on an unknown port is disallowed for non-root users. Search for "81" in /usr/clearos/apps/base/libraries/Access_Control.php

To implement this as a command line feature, this is the recommended approach :-)


1) Create a new configuration file /etc/clearos/base.d/framework.conf with:

additional_ports = 8443


2) Update the Access_Control.php to read from the new configuration file. Since "Access Control" is used on every controller (i.e. 1 to 5-ish times per webconfig page view), this information should probably be cached.


3) To avoid changing existing configuration files (/usr/clearos/sandbox/etc/httpd/conf/httpd.conf and /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf), generate an new Apache configlet file called /etc/clearos/base.d/my_framework.conf:


Listen 8443

<VirtualHost _default_:8443>
    DocumentRoot "/usr/clearos/framework/htdocs"
    ... snip ...
</VirtualHost>
(0001166)
bchambers (administrator)
2014-04-01 07:39

 To support adding alternate port, for now, you'll need to hack:

/usr/clearos/apps/base/libraries/Access_Control.php

Line 187, change:

if ($_SERVER['SERVER_PORT'] == 81) {

To:

if ($_SERVER['SERVER_PORT'] == 81 || $_SERVER['SERVER_PORT'] == 8443) {

There's not a huge demand for running webconfig on alternate port 81, but if we implement the ability to change, we'll need to pull port into a configuration file and have various libraries/configs pull it in.
(0001169)
ja391045 (reporter)
2014-04-02 02:20

 Thanks for the workaround, I have it implemented and it's doing the job.

- Issue History
Date Modified Username Field Change
2014-03-29 18:23 ja391045 New Issue
2014-03-29 18:23 ja391045 File Added: homescreen_optional_port_manual_user_app.jpg
2014-03-29 18:24 ja391045 File Added: homescreen_optional_port.jpg
2014-03-29 18:24 ja391045 File Added: firebug-normal-port.html
2014-03-29 18:24 ja391045 File Added: firebug-optional-port.html
2014-03-29 18:25 ja391045 Note Added: 0001163
2014-03-29 18:32 ja391045 Note Added: 0001164
2014-03-31 08:27 user2 Note Added: 0001165
2014-03-31 08:27 user2 Severity minor => feature
2014-03-31 08:27 user2 Status new => confirmed
2014-03-31 08:27 user2 Category webconfig-php => app-base - Base System
2014-04-01 07:36 bchambers Assigned To => bchambers
2014-04-01 07:36 bchambers Status confirmed => assigned
2014-04-01 07:39 bchambers Note Added: 0001166
2014-04-02 02:20 ja391045 Note Added: 0001169
2020-01-13 04:44 NickH Status assigned => closed
2020-01-13 04:44 NickH Assigned To bchambers =>
2020-01-13 04:44 NickH Resolution open => won't fix