Discussion on Luci multi-user features

[hnyman]

@Hostle has created a functional system for enabling handling multiple users in Luci.

• User creation, removal and provisioning work.
• Two user classes: admin and user. (root has always full access.)
• Possibility to adjust access on menu-item level
• Possibility to deny ssh access

@Hostle has actually created two alternative methods for a year-old Luci (from March 2015, CC15.05 development cycle) into his Github repo. I have imported the changes into up-to-date DD trunk and have also squashed and polished the commits for discussion purposes to have minimal diffs.

Hostle thinks that the newer method is better, so I will present that here.

Original discussion at forum: https://forum.openwrt.org/viewtopic.php?id=54593 Discussion also at: https://github.com/Hostle/luci/commit/c1ba7d780fbafba1d882e3d05ff96baeaee131f3#commitcomment-15451559

"New method":

"New" original, commits from Hostle, updated in April 2017: https://github.com/Fire-WRT/luci/commits/multi4

"New" cleaned-up version from my repo, "multi4-clean" branch, contains four squashed commits targeting LEDE & Openwrt DD trunk/master: https://github.com/hnyman/luci/commits/multi4-clean (March2018: I have rebased multi4 branch history with the LuCI of June 2017.)

Trying the code:

If you want to try the multi-user code, you can easily add my Luci repo as a remote to your own git and then pull from "multi4-clean" branch. The multi4-clean branch contains up-to-date LuCI of 26 June 2017.

I used these commands to import this to my own Openwrt build. (I also created a new branch "multiuser" at my local feed repo so that I easily push the changes aside by "git checkout master"):

 cd feeds/luci
 git checkout 6047dacb6253c
 git checkout -b multiuser
 git remote add hnyman https://github.com/hnyman/luci.git
 git pull hnyman multi4-clean
 git log --oneline

Alternatively, you can download the 4 commits as patches from github and apply them manually. (just add .patch to the end of the commit's page address and you get a patch that can be download with wget.)

Identified problems/challenges:

NOTE: old, reflects 2015 observations

• Both methods have the drawback that the permission settings only work for previously known pages or menu tabs. E.g. new page system / Custom commands from luci-app-command is not handled. It would be better, if the system somehow sniffed the pages and then decided the permissions based on the main menu tab.
• "new" method required editing existing pages to have permission-checking wrappers around each menu item. E.g. in status, system and network. E.g. https://github.com/hnyman/luci/commit/d56fe7a4aebb10286b8be04234fd6a225a543aee
• system Menu issue (visible although should not be, probably due to other Luci applications): https://github.com/Hostle/luci/commit/c1ba7d780fbafba1d882e3d05ff96baeaee131f3#commitcomment-15454445 that is a weakness in this approach, as 1) all packages would need the modified index() function, and 2) the /model/cbi/admin_users/users.lua module would need to have all available package options available and enabled/disabled by some short of switch
• I compiled "new" for my own ar71xx build and it worked to large extent, but not quite fully with Firefox. Might be cache problems or something. Hostle himself compiled "new" from my repo to his trunk and says that it worked perfectly. https://github.com/Hostle/luci/commit/c1ba7d780fbafba1d882e3d05ff96baeaee131f3#commitcomment-15451559

Screenshot from trunk Designated Driver r48235:

[VitorDiToro]

@Hostle Sorry to insist, but try change the "Router Password" (root password). Access: System>>Administration, put the Password, press Tab, put the Confirmation and press Enter.

The system return "Password successfully changed!" and the password is actually changed.

[zinonino]

Hi, someone any guide or step how to compile and install this multi4-clean to my router ? Because default with opkg install is use, but this ?

Regards

[hnyman]

@zinonino

someone any guide or step how to compile and install this multi4-clean to my router

The guide is in the first message of this thread. Section "Trying the code".

As this requires changes to the basic LuCI, you need to compile the whole luci in your build environment. transfer the package to router's /tmp e.g. with scp, and then install the new Luci packages with opkg.

[zinonino]

Thanks, but this is only one part of compile, i try but a get many errors during compile and fail to finish on Debian 8, how can only compile Luci , do you have already compiled for ar71xx .

Thanks

[Mahone-hzm]

@hnyman I compile the whole luci in my build environment. when I install "luci-lib-nixio luci-base luci-mod-admin-full", the system prompt that those packages version has no valid architecture, ignoring, and install packages from official library. my system version is trunk, CPU is MT7620a. I don't know why?

[Mahone-hzm]

I compile the LuCI and the luci-app-multi-user...into my firmware, and the multi-user works. before I tried to install the multi-userXX.ipk in the official firmware and my compiled firmware, both of them failed. Don't know why. Here is a small bug.

[XaTTa6bl4]

@hnyman I've compiled multi4-clean with 15.05.1 and after installing I have error:

/usr/lib/lua/luci/dispatcher.lua:673: attempt to call global 'get_user' (a nil value)
stack traceback:
    /usr/lib/lua/luci/dispatcher.lua:673: in function 'entry'
    /usr/lib/lua/luci/controller/firewall.lua:27: in function 'v'
    /usr/lib/lua/luci/dispatcher.lua:563: in function 'createtree'
    /usr/lib/lua/luci/dispatcher.lua:220: in function 'dispatch'
    /usr/lib/lua/luci/dispatcher.lua:141: in function </usr/lib/lua/luci/dispatcher.lua:140>

[hnyman]

I've compiled multi4-clean with 15.05.1 and after installing I have error:

Well, that code in multi4-clean is trunk LuCI, not for 15.05.1. I haven't tested in on the ancient 15.05 branch.

(And note that you need to replace the whole LuCI, not just the multi-user app.

[XaTTa6bl4]

Thanks for answer.

And note that you need to replace the whole LuCI, not just the multi-user app

Yes, I replaced the whole LuCI.

I haven't tested in on the ancient 15.05 branch.

And whould you planning to test it with Chaos Calmer stable branch?

[Hostle]

@hnyman , I have updated my firewrt multi4 branch with the latest code. This should be the final update,there are substantial changes. This update will handle and menu in any luci app and offers complete menu control including leafs. Any changes from here on will be strictly for aesthetics. Have a look and let me know if you spot any errors. I have tested and updated the trunk version, there should be no issues applying the necessary code to the cc15.05 branch. I will complete the 15.05 version this week if I have time.

Hostle

[jack338c]

@Hostle awesome! thank you !

[XaTTa6bl4]

@Hostle @hnyman, where can I try the latest multi-user luci app? There is no new commits in multi4-clean on @hnyman repos. I want to test it on OpenWRT stable, or LEDE stable.

[Hostle]

@XaTTa6bl4, Latest commits can be found in my multi4 branch here ... https://github.com/Fire-WRT/luci/tree/multi4

Hostle

[XaTTa6bl4]

@Hostle Thak you! I'll try

[XaTTa6bl4]

@Hostle, unfortunately I could not adapt your code for 15.01 :( May be you have any working multiuser version for stable openwrt branch?

[XaTTa6bl4]

@Hostle and I've just tried to install it on Openwrt trunk, and I was received errors:

/usr/lib/lua/luci/dispatcher.lua:511: module 'luci.users' not found:
    no field package.preload['luci.users']
    no file './luci/users.lua'
    no file '/usr/share/lua/luci/users.lua'
    no file '/usr/share/lua/luci/users/init.lua'
    no file '/usr/lib/lua/luci/users.lua'
    no file '/usr/lib/lua/luci/users/init.lua'
    no file './luci/users.so'
    no file '/usr/lib/lua/luci/users.so'
    no file '/usr/lib/lua/loadall.so'
    no file './luci.so'
    no file '/usr/lib/lua/luci.so'
    no file '/usr/lib/lua/loadall.so'
stack traceback:
    [C]: in function 'require'
    /usr/lib/lua/luci/dispatcher.lua:511: in function 'i'
    /usr/lib/lua/luci/dispatcher.lua:527: in function '_create_node'
    /usr/lib/lua/luci/dispatcher.lua:505: in function 'node'
    /usr/lib/lua/luci/dispatcher.lua:494: in function 'entry'
    /usr/lib/lua/luci/controller/firewall.lua:22: in function 'e'
    /usr/lib/lua/luci/dispatcher.lua:464: in function 'createtree'
    /usr/lib/lua/luci/dispatcher.lua:171: in function 'dispatch'
    /usr/lib/lua/luci/dispatcher.lua:109: in function </usr/lib/lua/luci/dispatcher.lua:108>

Please, explain, what I am doing wrong?

[Hostle]

Something has gone wrong with your install, you are missing the users.lua module. It should be located in the /usr/lib/lua/luci/ directory. How are you installing the package, as an ipk?

[XaTTa6bl4]

No, I was compiled the whole trunk firmware with multiuser luci (by replacing src-git luci https://github.com/openwrt/luci.git to src-git luci https://github.com/Fire-WRT/luci.git;multi4 in feeds.conf.default)

[Hostle]

I have backported latest commits to the Chaos Calmer 15.05.1 branch. Latest code for CC 15.05.1 can by grabbed by adding this path to your feeds.conf.default ... src-git luci https://github.com/Fire-WRT/luci.git;for-15.01-multi4.

Hostle

[XaTTa6bl4]

@Hostle Thanks, awesome! I've just compiled and it works. Found some bugs with Wi-Fi and users menu.

[XaTTa6bl4]

I've made user "admin" for testing. Wrong URL on username link:

/usr/lib/lua/luci/dispatcher.lua:433: Failed to execute arcombine dispatcher target for entry '/admin/users/users/admin'.
The called action terminated with an exception:
/usr/lib/lua/luci/dispatcher.lua:1092: attempt to perform arithmetic on a nil value
stack traceback:
    [C]: in function 'assert'
    /usr/lib/lua/luci/dispatcher.lua:433: in function 'dispatch'
    /usr/lib/lua/luci/dispatcher.lua:168: in function </usr/lib/lua/luci/dispatcher.lua:167>

And can't operate with WiFi interfaces (on/off, status, etc, but can change ESSID and other parameters):

[Hostle]

@XaTTa6bl4 These issues should e fixed with latest commits. I could not replicate your errors with the wifi menus, could you elaborate a little more as to how and when these issues occur?

[XaTTa6bl4]

@Hostle wrong URL on username link fixed, thank you!

About Wi-Fi look at screenshots (my config).

1. Added user admin:

2.with settings:

3.when logged with admin:

[laoshaw]

this is awesome, a newbie question, how is this luci-multiuser related to the typical command line normal linux users (/etc/passwd), I think they're totally unrelated here? can they related to each other? otherwise I will have to maintain two set of users, one for ssh/CLI etc, another for the luci UI.

[VannVann1992]

Hello, I compile OpenWRT Trunk today, using the source for luci multi4: src-git luci https://github.com/Fire-WRT/luci.git;multi4 But i got error

/usr/lib/lua/luci/controller/firewall.lua:16: attempt to call field 'hide_menus' (a nil value) stack traceback: /usr/lib/lua/luci/controller/firewall.lua:16: in function 'user' /usr/lib/lua/luci/controller/firewall.lua:26: in function 'v' /usr/lib/lua/luci/dispatcher.lua:563: in function 'createtree' /usr/lib/lua/luci/dispatcher.lua:220: in function 'dispatch' /usr/lib/lua/luci/dispatcher.lua:141: in function </usr/lib/lua/luci/dispatcher.lua:140>

@Hostle : can you please help me to check and fix this. Thank you !

[XaTTa6bl4]

I've got the same error as @VannVann1992 with the LEDE SNAPSHOT sources. @Hostle, please help to find errors in code

[XaTTa6bl4]

@laoshaw luci-multiuser uses /etc/passwd, so you will have one user for CLI and WEB with the same password

[juliobrito1]

Hello, I Have 3 days using Open Wrt. How I can install this package in my GL-MT300A Mini Router?. I have a Windows PC.

Thank you

[jack338c]

Dear @hnyman

I was trying use your mutil user project on the newest openwrt trunk everything is ok,except got the flollowing warings,is that ok? thanks

WARNING: Makefile 'package/feeds/luci/freifunk-p2pblock/Makefile' has a dependency on 'l7-protocols', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-diag-devinfo/Makefile' has a dependency on 'smap', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-diag-devinfo/Makefile' has a dependency on 'mac-to-devinfo', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-diag-devinfo/Makefile' has a dependency on 'smap-to-devinfo', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-diag-devinfo/Makefile' has a dependency on 'netdiscover-to-devinfo', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-mmc-over-gpio/Makefile' has a dependency on 'kmod-mmc-over-gpio', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-multiwan/Makefile' has a dependency on 'multiwan', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-app-authenticate', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-app-disa', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-app-setcallerid', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-app-system', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-chan-gtalk', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-codec-a-mu', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-codec-alaw', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-func-cut', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-res-clioriginate', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-func-channel', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-chan-local', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-app-record', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-app-senddtmf', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx/Makefile' has a dependency on 'asterisk18-res-crypto', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-pbx-voicemail/Makefile' has a dependency on 'asterisk18', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-radvd/Makefile' has a dependency on 'radvd', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-shairport/Makefile' has a dependency on 'shairport', which does not exist WARNING: Makefile 'package/feeds/luci/luci-app-ushare/Makefile' has a dependency on 'ushare', which does not exist

[hnyman]

@jack338c Those warnings were due to the fact that the multi4-clean branch was almost a year-old, so the newer changes i LuCI were not reflected.

I have now rebased multi4-clean branch on top of the current LuCI master, so the warnings should go away if you pull the branch.

But I have not tested multi-user since April 2017, so you might be better off with hostle's current work, if there have been new change to the multi-user stuff.

[jack338c]

@hnyman Wow You always make me happy although the wether is not good in my place thank you Hnyman !

[jack338c]

@hnyman Hi,hnyman ,something may is wrong yesterday I updated it ,but get the following erros when login,then I deleted verything and rebuit it ,but got same erros yet

thanks edit: I use on openwrt trunk

/usr/lib/lua/luci/dispatcher.lua:363: Access Violation The page at 'admin/network/wireless/' has no parent node so the access to this location has been denied. This is a software bug, please report this message at https://github.com/openwrt/luci/issues stack traceback: [C]: in function 'assert' /usr/lib/lua/luci/dispatcher.lua:363: in function 'dispatch' /usr/lib/lua/luci/dispatcher.lua:121: in function </usr/lib/lua/luci/dispatcher.lua:120>

[melonwuhan]

---

发件人: jack338c [notifications@github.com] 发送时间: 2018年2月26日 9:45 收件人: openwrt/luci 抄送: Subscribed 主题: Re: [openwrt/luci] Discussion on Luci multi-user features (#623)

@hnymanhttps://github.com/hnyman Hi,hnyman ,something may is wrong yesterday I updated it ,but get the following erros when login,then I deleted verything and rebuit it ,but got same erros yet

thanks

/usr/lib/lua/luci/dispatcher.lua:363: Access Violation The page at 'admin/network/wireless/' has no parent node so the access to this location has been denied. This is a software bug, please report this message at https://github.com/openwrt/luci/issues stack traceback: [C]: in function 'assert' /usr/lib/lua/luci/dispatcher.lua:363: in function 'dispatch' /usr/lib/lua/luci/dispatcher.lua:121: in function </usr/lib/lua/luci/dispatcher.lua:120>

― You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHubhttps://github.com/openwrt/luci/issues/623#issuecomment-368367330, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AIqUhm1hWblKfAYynKogXVWNOjGIdJZ-ks5tYgytgaJpZM4HFCc0.

---

This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. [Delta Electronics, INC. China]

---

[jack338c]

@hnyman Hi hnyman Could you tell me how to revert multi4-clean before you last update it Can't say thank you enought for you did for me

[phx135]

hi @jack338c @hnyman

I also get this error on Openwrt DD trunk/master

/usr/lib/lua/luci/users.lua:128: bad argument #2 to 'get' (string expected, got nil) stack traceback: [C]: in function 'get' /usr/lib/lua/luci/users.lua:128: in function 'get_menu_status' /usr/lib/lua/luci/users.lua:138: in function 'hide_menus' /usr/lib/lua/luci/dispatcher.lua:669: in function 'chk_access' /usr/lib/lua/luci/dispatcher.lua:685: in function 'entry' /usr/lib/lua/luci/controller/n2n_v2.lua:9: in function 'v' /usr/lib/lua/luci/dispatcher.lua:590: in function 'createtree' /usr/lib/lua/luci/dispatcher.lua:256: in function 'dispatch' /usr/lib/lua/luci/dispatcher.lua:121: in function </usr/lib/lua/luci/dispatcher.lua:120>

[hnyman]

There is apparently some incompatibility with the quite current LuCI, so I rebased the multi4-clean branch back to June 2017 to start from commit 6047dacb6253c . (There are maybe some authentication and/or rpcd related changes later that break the multi-user functionality. This has always been experimental and the code has not been imported into the main LuCI.)

I built and tested that, and it works ok: I compiled and installed luci-base, luci-mod-admin-fill, luci-app-firewall and luci-app-multi-user Reboot the router... Then I was able to add users and set rights for users. (default password for new users is openwrt)

Depending on your git settings and changes done, the needed commands may vary a bit, but in essence I first reseted my local repo to that commit 6047dacb6253c , and then pulled the four needed new multi-user commits from multi4-clean branch of this github repo:

git checkout 6047dacb6253c git checkout -b multiuser git remote add hnyman https://github.com/hnyman/luci.git git pull hnyman multi4-clean

Then make

[jack338c]

@hnyman thanks for your hard work on this.I'm so glad to get your answer I will try it soon by the way,How to remove this,I mean switch to official luci thank you Hnyman

[jack338c]

Dear @hnyman I found the follwong on both new fresh openwrt master and lede1701

jack@jack-R478-R429:~/openwrt/feeds/luci$ git checkout 6047dacb6253c error: pathspec '6047dacb6253c' did not match any file(s) known to git.

then I try use patch way and got this ,others are ok

patching file applications/luci-app-multi-user/root/etc/uci-defaults/09_users File applications/luci-app-multi-user/root/www/luci-static/resources/icons/user.png: git binary diffs are not supported.

I'm building it now ,and will be back after done

thanks

[hnyman]

error: pathspec '6047dacb6253c' did not match any file(s) known to git.

If you have a recently cloned git repo, it may be missing old history. Openwrt clones shallow repos without history. That limits the historical perspective initially.

first "git pull --depth=500" to deepen git history (shallow)

And that commit is naturally only on master, not 17.01

[jack338c]

@hnyman I just tested on 17.01,use patch way is ok,it works

I will try it according your instruction

many thanks

[tcpipchip]

Sir, is it working to LEDE ? Where can i download the the updated version ? Must i include only src-git http://github.com/Hostle/luci-multi-user.git in the feeds.conf ?

[longncn]

@hnyman git clone -b multi4-clean https://github.com/hnyman/luci.git

And config /etc/config/users

config user 'admin' option name 'admin' option group 'admin' option shell 'Disabled' option network_menus 'Network_menus' option network_subs 'Interfaces Firewall' option status_menus 'disabled' option system_menus 'disabled' option services_menus 'disabled'

config user 'new'

But I only see Interfaces, no Firewall Can you check again? many thanks

[hnyman]

Sorry, I have not really used multi-user stuff for ages. I tested it when hostle was actively developing it, and cleaned up the several commits into sensible content. But as the package did not make it to the mainstream LuCI, it would need constant maintaining.

The current (old) multi-user code will not be compatible with the currenl LuCI in the forthcoming 18.06 release. LuCI itself has recently changed a bit (and will soon change more due to the config rollback thing), so having the old code of mid-2017 does not make much sense.

So, from my perspective, this is mostly a historical archive.

[RJRvdMeer]

@hnyman, @Hostle

So, from my perspective, this is mostly a historical archive.

That would be sad. What must be done in your opinion and how can I help?

[guipoletto]

Sorry to hijack the thread, but are there any supported Multi-User methods for LuCi? (as of OWRT 18.06)

[jack338c]

It works on previous lede 1701,I did not try it on 18.06

[Hostle]

I will update the code for 18.06 ...

@hnyman The new code only modifies the dispatcher.lua. Aside from updating the user.lua control module I can't forsee why the new code will not work fine with the recent changes to LuCI. Perhaps you can enlighten us as to why you feel it will not work?

hostle

[hnyman]

I haven't really evaluated it, but I was mainly thinking about the changes made in master after the 18.06 branching, related to rollback etc.

Might well be that it works ok.

Great if you can update your original code and publish it somewhere.

[jwbrack]

@Hostle - I've been using your luci-app-multi-user on LEDE 17.01.XX for better part of a year now with no issue. However, it's time to re-base the project to 18.06, and there are enough changes (as specified by @hnyman) that it no longer patches cleanly. Like for example, servicectl being removed altogether from luci-base.

Any ideas on when / where you might have something I can take a look at for 18.06? Additionally, I'd like to help make sure that this feature makes it into the trunk going forward - it's critical to my projects to have multi-user rights and access from a GUI and SSH perspective.

[shawnchain]

@hnyman I have managed run the multi-user supported luci with LEDE 17.01.5 sdk. But I also found luci version on your fork is older than that on the Luci@17.01 branch. Any chance to move forward to the 17.01.5 release ?