Hey everyone,
After noticing the other day that the password to the system sits in the
config.xml file as plain text, I decided to make it encrypted. I am
attaching the patch file which makes changes to 2 files,
"/etc/inc/system.inc" and "/usr/local/www/system.php".. If you have a dev
environment you can patch it rom the root of your source tree, it will take
a
"patch -p2 < /path.to.update.patch"
Please note that on your first reboot with these changes you will have to do
a "Reset webGUI password" from the console screen, login to your m0n0wall
from your browser, and change the password.. I have been using this for a
couple days with no issues, but encourage anyone intending to use it to
review and test my changes. I don't know the proper way to send in a patch
file, so I will just paste the text below..
Rob Whyte
patch starts below the --- line
-------------------------------------------------
diff -cr /m0n0-orig/etc/inc/system.inc /mnt/etc/inc/system.inc
*** /m0n0-orig/etc/inc/system.inc Sun Sep 28 07:53:21 2003
--- /mnt/etc/inc/system.inc Tue Oct 7 13:44:29 2003
***************
*** 336,362 ****
function system_password_configure() {
global $config, $g;
! /* generate a httpd password file */
! $pfd = popen("/usr/local/bin/htpasswd -c
{$g['varrun_path']}/htpasswd admin > /dev/null 2>&1", "w");
! if (!$pfd) {
! printf("Error: cannot open htpasswd in
system_password_configure().\n");
! return 1;
! }
! fwrite($pfd, $config['system']['password']);
! pclose($pfd);
! chmod("{$g['varrun_path']}/htpasswd", 0600);
! /* update password for 'admin' user */
! $pfd = popen("/usr/sbin/pw usermod admin -h 0 > /dev/null 2>&1",
"w");
! if (!$pfd) {
! printf("Error: cannot open pw in
system_password_configure().\n");
return 1;
}
! fwrite($pfd, $config['system']['password']);
! pclose($pfd);
return 0;
}
--- 336,435 ----
function system_password_configure() {
global $config, $g;
!
! if (!$g['booting']) /* we aren't booting, must be updating a
password */
! {
! /* update password for 'admin' user */
! $pfd = popen("/usr/sbin/pw usermod admin -h 0 > /dev/null
2>&1", "w");
! if (!$pfd)
! {
! printf("Error: cannot open pw in
system_password_configure().\n");
! return 1;
! }
! fwrite($pfd, $config['system']['password']);
! pclose($pfd);
!
! }
! else /* booting, we have a few things to set up */
! {
!
! /* we will use /etc/master.passwd as a template to grab the
"admin" user */
! $pfi = fopen("/etc/master.passwd", "r");
! if(!$pfi)
! {
! printf("Error: cannot open master.passwd in
system_password_configure().\n");
! return 1;
! }
!
! /* create a tmp file for pwd_mkdb to use, it will delete
after processing */
! $pfo = fopen("/etc/master.passwd.new", "w");
! if(!$pfo)
! {
! printf("Error: cannot open master.passwd.new for
writing in system_password_configure().\n");
! return 1;
! }
!
! /* read/write records from /etc/master.paswd to
/etc/master.passwd.new */
! while( !feof($pfi))
! {
! /* read a line from /etc/master.passwd */
! $buffer = fgets($pfi, 1024);
! if(!$buffer)
! break;
!
! /* look for the "admin" user, replace the "*" in the
password field with encrypted one */
! if( ereg("^admin", $buffer))
! {
! $buffer = str_replace("*",
$config['system']['password'], $buffer);
! }
!
! /* write a line to master.passwd.new */
! if(!fwrite($pfo, $buffer, strlen($buffer)))
! {
! printf("Error: cannot write to
master.passwd.new in system_password_configure().\n");
! fclose($pfi);
! fclose($pfo);
! return 1;
! }
!
! }
! /* not sure if we really have to flush(), I'll leave it for
now */
! flush();
!
! /* close em up */
! fclose($pfi);
! fclose($pfo);
!
! /* run pwd_mkdb to update all password databases &
master.passwd */
! system("/usr/sbin/pwd_mkdb -u admin
/etc/master.passwd.new");
! }
!
! /* pull the pwd struct from the password database, we are interested
in the pwd['password'] */
! $pwd = posix_getpwnam("admin");
! if($pwd == NULL){
! printf("Error: cannot get encrypted password for user
'admin' in system_password_configure().");
! return 1;
! }
!
! /* set our $config['system']['password'] = to the encrypted pass */
! $config['system']['password'] = $pwd[passwd];
!
! /* update the /var/run/htpasswd file so we can get to the web server
*/
! $pfd = fopen("{$g['varrun_path']}/htpasswd", "w");
! if(!$pfd) {
! printf("Error: cannot open htpasswd for writing in
system_password_configure().\n");
return 1;
}
+
+ /* construct the entry */
+ $pass_string = sprintf("admin:%s\n", $pwd[passwd]);
+ fwrite($pfd, $pass_string);
+ fclose($pfd);
! chmod("{$g['varrun_path']}/htpasswd", 0600);
return 0;
}
diff -cr /m0n0-orig/usr/local/www/system.php /mnt/usr/local/www/system.php
*** /m0n0-orig/usr/local/www/system.php Wed Oct 1 23:16:09 2003
--- /mnt/usr/local/www/system.php Tue Oct 7 13:01:52 2003
***************
*** 109,128 ****
if ($_POST['dns2'])
$config['system']['dnsserver'][] = $_POST['dns2'];
if ($_POST['password'])
$config['system']['password'] = $_POST['password'];
write_config();
if ($oldwebguiproto !=
$config['system']['webgui']['protocol'])
touch($d_sysrebootreqd_path);
- $retval = 0;
if (!file_exists($d_sysrebootreqd_path)) {
! $retval = system_hostname_configure();
$retval |= system_hosts_generate();
$retval |= system_resolvconf_generate();
! $retval |= system_password_configure();
$retval |= services_dnsmasq_configure();
$retval |= system_timezone_configure();
$retval |= system_ntp_configure();
--- 109,131 ----
if ($_POST['dns2'])
$config['system']['dnsserver'][] = $_POST['dns2'];
+ $retval = 0;
if ($_POST['password'])
+ {
$config['system']['password'] = $_POST['password'];
+ $retval = system_password_configure();
+ }
write_config();
if ($oldwebguiproto !=
$config['system']['webgui']['protocol'])
touch($d_sysrebootreqd_path);
if (!file_exists($d_sysrebootreqd_path)) {
! $retval |= system_hostname_configure();
$retval |= system_hosts_generate();
$retval |= system_resolvconf_generate();
! /* $retval |= system_password_configure(); */
$retval |= services_dnsmasq_configure();
$retval |= system_timezone_configure();
$retval |= system_ntp_configure(); | 