 
 From:  "Rob Whyte" <rob at g dash labs dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  patch to make password encrypted in config.xml
 Date:  Tue, 7 Oct 2003 14:26:20 -0700
Hey everyone,

After noticing the other day that the password to the system sits in the
config.xml file as plain text, I decided to make it encrypted. I am
attaching the patch file which makes changes to 2 files,
"/etc/inc/system.inc" and "/usr/local/www/system.php".. If you have a dev
environment you can patch it from the root of your source tree, it will take
a

"patch -p2 < /path.to.update.patch"

Please note that on your first reboot with these changes you will have to do
a "Reset webGUI password" from the console screen, login to your m0n0wall
from your browser, and change the password.. I have been using this for a
couple days with no issues, but encourage anyone intending to use it to
review and test my changes. I don't know the proper way to send in a patch
file, so I will just paste the text below..


Rob Whyte


patch starts below the --- line
-------------------------------------------------
diff -cr /m0n0-orig/etc/inc/system.inc /mnt/etc/inc/system.inc
*** /m0n0-orig/etc/inc/system.inc       Sun Sep 28 07:53:21 2003
--- /mnt/etc/inc/system.inc     Tue Oct  7 13:44:29 2003
***************
*** 336,362 ****
  function system_password_configure() {
        global $config, $g;

!       /* generate a httpd password file */
!       $pfd = popen("/usr/local/bin/htpasswd -c
{$g['varrun_path']}/htpasswd admin > /dev/null 2>&1", "w");
!       if (!$pfd) {
!               printf("Error: cannot open htpasswd in
system_password_configure().\n");
!               return 1;
!       }

!       fwrite($pfd, $config['system']['password']);
!       pclose($pfd);

!       chmod("{$g['varrun_path']}/htpasswd", 0600);

!       /* update password for 'admin' user */
!       $pfd = popen("/usr/sbin/pw usermod admin -h 0 > /dev/null 2>&1",
"w");
!       if (!$pfd) {
!               printf("Error: cannot open pw in
system_password_configure().\n");
                return 1;
        }

!       fwrite($pfd, $config['system']['password']);
!       pclose($pfd);

        return 0;
  }
--- 336,435 ----
  function system_password_configure() {
        global $config, $g;

!
!       if (!$g['booting'])   /*  we aren't booting, must be updating a
password */
!       {

!               /* update password for 'admin' user */
!               $pfd = popen("/usr/sbin/pw usermod admin -h 0 > /dev/null
2>&1", "w");
!               if (!$pfd)
!               {
!                       printf("Error: cannot open pw in
system_password_configure().\n");
!                       return 1;
!               }

!               fwrite($pfd, $config['system']['password']);
!               pclose($pfd);
!
!       }
!       else    /* booting, we have a few things to set up */
!       {
!
!               /* we will use /etc/master.passwd as a template to grab the
"admin" user */
!               $pfi = fopen("/etc/master.passwd", "r");
!               if(!$pfi)
!               {
!                       printf("Error: cannot open master.passwd in
system_password_configure().\n");
!                       return 1;
!               }
!
!               /* create a tmp file for pwd_mkdb to use, it will delete
after processing */
!                 $pfo = fopen("/etc/master.passwd.new", "w");
!                 if(!$pfo)
!                 {
!                         printf("Error: cannot open master.passwd.new for
writing in system_password_configure().\n");
!                         return 1;
!                 }
!
!               /* read/write records from /etc/master.paswd to
/etc/master.passwd.new */
!                 while( !feof($pfi))
!                 {
!                       /* read a line from /etc/master.passwd */
!                         $buffer = fgets($pfi, 1024);
!                         if(!$buffer)
!                           break;
!
!                       /* look for the "admin" user, replace the "*" in the
password field with encrypted one */
!                         if( ereg("^admin", $buffer))
!                         {
!                                 $buffer = str_replace("*",
$config['system']['password'], $buffer);
!                         }
!
!                       /* write a line to master.passwd.new */
!                         if(!fwrite($pfo, $buffer, strlen($buffer)))
!                         {
!                                 printf("Error: cannot write to
master.passwd.new in system_password_configure().\n");
!                                 fclose($pfi);
!                                 fclose($pfo);
!                               return 1;
!                         }
!
!                 }
!               /* not sure if we really have to flush(), I'll leave it for
now */
!                 flush();
!
!               /* close em up */
!                 fclose($pfi);
!                 fclose($pfo);
!
!               /* run pwd_mkdb to update all password databases &
master.passwd */
!               system("/usr/sbin/pwd_mkdb -u admin
/etc/master.passwd.new");

!       }
!
!       /* pull the pwd struct from the password database, we are interested
in the pwd['password'] */
!       $pwd = posix_getpwnam("admin");
!         if($pwd == NULL){
!                 printf("Error: cannot get encrypted password for user
'admin' in system_password_configure().");
!                 return 1;
!         }
!
!       /* set our $config['system']['password'] = to the encrypted pass */
!       $config['system']['password'] = $pwd[passwd];
!
!       /* update the /var/run/htpasswd file so we can get to the web server
*/
!       $pfd = fopen("{$g['varrun_path']}/htpasswd", "w");
!       if(!$pfd) {
!               printf("Error: cannot open htpasswd for writing in
system_password_configure().\n");
                return 1;
        }
+
+       /* construct the entry */
+       $pass_string = sprintf("admin:%s\n", $pwd[passwd]);
+       fwrite($pfd, $pass_string);
+       fclose($pfd);

!       chmod("{$g['varrun_path']}/htpasswd", 0600);

        return 0;
  }
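Review bot: The boot branch splices `$config['system']['password']` into master.passwd without validating it, the guard `ereg("^admin", $buffer)` also matches any account whose name merely starts with admin, and `str_replace("*", ...)` rewrites every `*` on that line rather than only the password field; anchoring on `ereg("^admin:", $buffer)` and refusing a value that contains `:` or a newline (as a config still holding the old plain-text password would on first boot) keeps a bad value from corrupting the password file. `system("/usr/sbin/pwd_mkdb -u admin /etc/master.passwd.new")` discards its exit status, so a failed rebuild still reaches `return 0`; capture it with `system("/usr/sbin/pwd_mkdb -u admin /etc/master.passwd.new", $rc); if ($rc != 0) return 1;`. `$pwd[passwd]` (two occurrences) reads an undefined bare constant where `$pwd['passwd']` is intended. Both master.passwd.new and the htpasswd file are opened for writing under the process umask and only htpasswd is chmod'ed, after the hash has already been written; calling `umask(077)` before the fopen calls, or chmod'ing master.passwd.new as well, closes that window. `flush()` flushes PHP's output buffer, not `$pfo`; `fflush($pfo)` is the call the comment is looking for, though the fclose that follows makes it redundant.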
diff -cr /m0n0-orig/usr/local/www/system.php /mnt/usr/local/www/system.php
*** /m0n0-orig/usr/local/www/system.php Wed Oct  1 23:16:09 2003
--- /mnt/usr/local/www/system.php       Tue Oct  7 13:01:52 2003
***************
*** 109,128 ****
                if ($_POST['dns2'])
                        $config['system']['dnsserver'][] = $_POST['dns2'];

                if ($_POST['password'])
                        $config['system']['password'] = $_POST['password'];

                write_config();

                if ($oldwebguiproto !=
$config['system']['webgui']['protocol'])
                        touch($d_sysrebootreqd_path);

-               $retval = 0;
                if (!file_exists($d_sysrebootreqd_path)) {
!                       $retval = system_hostname_configure();
                        $retval |= system_hosts_generate();
                        $retval |= system_resolvconf_generate();
!                       $retval |= system_password_configure();
                        $retval |= services_dnsmasq_configure();
                        $retval |= system_timezone_configure();
                        $retval |= system_ntp_configure();
--- 109,131 ----
                if ($_POST['dns2'])
                        $config['system']['dnsserver'][] = $_POST['dns2'];

+               $retval = 0;
                if ($_POST['password'])
+               {
                        $config['system']['password'] = $_POST['password'];
+                       $retval = system_password_configure();
+               }

                write_config();

                if ($oldwebguiproto !=
$config['system']['webgui']['protocol'])
                        touch($d_sysrebootreqd_path);

                if (!file_exists($d_sysrebootreqd_path)) {
!                       $retval |= system_hostname_configure();
                        $retval |= system_hosts_generate();
                        $retval |= system_resolvconf_generate();
!               /*      $retval |= system_password_configure(); */
                        $retval |= services_dnsmasq_configure();
                        $retval |= system_timezone_configure();
                        $retval |= system_ntp_configure();
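Review bot: `$retval = system_password_configure();` now runs before `write_config()`, but when it returns 1 `$config['system']['password']` still holds the plain-text value taken from `$_POST['password']` (judging by the system.inc hunk, the hash is only assigned after posix_getpwnam succeeds), so the failure path persists exactly the plain-text secret this patch sets out to remove. Saving the previous value before the call and restoring it on failure, `$oldpassword = $config['system']['password'];` before the if-block and `if ($retval) $config['system']['password'] = $oldpassword;` after it, keeps config.xml consistent. The disabled call `/* $retval |= system_password_configure(); */` should be deleted rather than left as commented-out code. The enclosing POST handler begins and ends outside the hunk.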