openwrt / luci

LuCI - OpenWrt Configuration Interface
Apache License 2.0

[luci-mod-system] I get RPCError call to rc/list failed with error -32002: Access denied #7192

Closed mitodeboa closed 3 months ago

mitodeboa commented 4 months ago

Steps to reproduce:

  1. go to: System → System
  2. I get the error `RPCError call to rc/list failed with error -32002: Access denied` (screenshot).

Additional Information:

OpenWrt version information from system /etc/openwrt_release

DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='23.05.3'
DISTRIB_REVISION='r23809-234f1a2efa'
DISTRIB_TARGET='mediatek/filogic'
DISTRIB_ARCH='aarch64_cortex-a53'
DISTRIB_DESCRIPTION='OpenWrt 23.05.3 r23809-234f1a2efa'
DISTRIB_TAINTS=''

/etc/config/system

config system
    option hostname 'R1'
    option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
    option ttylogin '0'
    option log_size '64'
    option urandom_seed '0'
    option cronloglevel '5'
    option zonename 'Europe/Madrid'
    option log_proto 'udp'
    option conloglevel '8'

config timeserver 'ntp'
    list server '0.openwrt.pool.ntp.org'
    list server '1.openwrt.pool.ntp.org'
    list server '2.openwrt.pool.ntp.org'
    list server '3.openwrt.pool.ntp.org'

/etc/config/rpcd

config rpcd
    option socket /var/run/ubus/ubus.sock
    option timeout 30

config login
    option username 'root'
    option password '$p$root'
    list read '*'
    list write '*'

/usr/share/rpcd/acl.d/luci-mod-system.json

{
    "luci-mod-system-config": {
        "description": "Grant access to system configuration",
        "read": {
            "ubus": {
                "luci": [ "getInitList", "getLEDs", "getTimezones", "getUSBDevices" ],
                "system": [ "info" ]
            },
            "uci": [ "luci", "system" ]
        },
        "write": {
            "ubus": {
                "luci": [ "setInitAction", "setLocaltime", "setPassword" ]
            },
            "uci": [ "luci", "system" ]
        }
    },

    "luci-mod-system-ssh": {
        "description": "Grant access to SSH configuration",
        "read": {
            "file": {
                "/etc/dropbear/authorized_keys": [ "read" ]
            },
            "ubus": {
                "file": [ "read" ]
            },
            "uci": [ "dropbear" ]
        },
        "write": {
            "file": {
                "/etc/dropbear/authorized_keys": [ "write" ]
            },
            "ubus": {
                "file": [ "write" ],
                "luci": [ "setInitAction", "setLocaltime" ]
            },
            "uci": [ "dropbear" ]
        }
    },

    "luci-mod-system-uhttpd": {
        "description": "Grant access to uHTTPd configuration",
        "read": {
            "uci": [ "uhttpd" ]
        },
        "write": {
            "ubus": {
                "luci": [ "setInitAction" ]
            },
            "uci": [ "uhttpd" ]
        }
    },

    "luci-mod-system-init": {
        "description": "Grant access to startup configuration",
        "read": {
            "file": {
                "/etc/rc.local": [ "read" ]
            },
            "ubus": {
                "file": [ "read" ],
                "luci": [ "getInitList" ]
            }
        },
        "write": {
            "file": {
                "/etc/rc.local": [ "write" ]
            },
            "ubus": {
                "file": [ "write" ],
                "luci": [ "setInitAction" ]
            }
        }
    },

    "luci-mod-system-cron": {
        "description": "Grant access to crontab configuration",
        "read": {
            "file": {
                "/etc/crontabs/root": [ "read" ]
            },
            "ubus": {
                "file": [ "read" ]
            }
        },
        "write": {
            "file": {
                "/etc/crontabs/root": [ "write" ],
                "/etc/init.d/cron reload": [ "exec" ]
            },
            "ubus": {
                "file": [ "write" ]
            }
        }
    },

    "luci-mod-system-mounts": {
        "description": "Grant access to mount configuration",
        "read": {
            "file": {
                "/etc/filesystems": [ "read" ],
                "/proc/filesystems": [ "read" ],
                "/usr/bin/btrfsck": [ "list" ],
                "/usr/bin/ntfsfix": [ "list" ],
                "/usr/sbin/e2fsck": [ "list" ],
                "/usr/sbin/fsck.f2fs": [ "list" ],
                "/usr/sbin/fsck.fat": [ "list" ]
            },
            "ubus": {
                "file": [ "read", "stat" ],
                "luci": [ "getBlockDevices", "getMountPoints" ]
            },
            "uci": [ "fstab" ]
        },
        "write": {
            "file": {
                "/etc/crontabs/root": [ "write" ],
                "/bin/umount": [ "exec" ],
                "/sbin/block": [ "exec" ]
            },
            "ubus": {
                "file": [ "exec", "write" ],
                "luci": [ "setBlockDetect" ]
            },
            "uci": [ "fstab" ]
        }
    },

    "luci-mod-system-flash": {
        "description": "Grant access to flash operations",
        "read": {
            "cgi-io": [ "backup", "download" ],
            "file": {
                "/dev/mtdblock[0-9]*": [ "read" ],
                "/etc/sysupgrade.conf": [ "read" ],
                "/lib/upgrade/platform.sh": [ "list" ],
                "/proc/mounts": [ "read" ],
                "/proc/mtd": [ "read" ],
                "/proc/partitions": [ "read" ],
                "/proc/sys/kernel/hostname": [ "read" ],
                "/sbin/sysupgrade --list-backup": [ "exec" ]
            },
            "ubus": {
                "file": [ "exec", "read", "stat" ]
            }
        },
        "write": {
            "cgi-io": [ "upload" ],
            "file": {
                "/bin/tar -tzf /tmp/backup.tar.gz": [ "exec" ],
                "/etc/sysupgrade.conf": [ "write" ],
                "/sbin/firstboot -r -y": [ "exec" ],
                "/sbin/reboot": [ "exec" ],
                "/sbin/sysupgrade --force /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade -n --force /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade --force -k /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade --force -u /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade --force -u -k /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade -n /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade -k /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade -u /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade -u -k /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade --restore-backup /tmp/backup.tar.gz": [ "exec" ],
                "/sbin/sysupgrade --test /tmp/firmware.bin": [ "exec" ],
                "/sbin/sysupgrade /tmp/firmware.bin": [ "exec" ],
                "/tmp/backup.tar.gz": [ "write" ],
                "/tmp/firmware.bin": [ "write" ]
            },
            "ubus": {
                "file": [ "exec", "remove", "write" ],
                "system": [ "validate_firmware_image" ]
            }
        }
    },

    "luci-mod-system-reboot": {
        "description": "Allow rebooting the device",
        "write": {
            "file": {
                "/sbin/reboot": [ "exec" ]
            },
            "ubus": {
                "file": [ "exec" ],
                "system": [ "reboot" ]
            }
        }
    }
}
jow- commented 3 months ago

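LuCI in the openwrt-23.05 branch does not use the rc.list procedure; only LuCI master does. The luci-mod-system ACL posted above is consistent with that: it grants `luci` → `getInitList` and contains no grant for an `rc` object, which fits an rc/list call from newer frontend code being rejected with "Access denied". The error is therefore either a browser cache artifact, or the result of mixed versions or locally altered sources.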

See system.js @ cd7e519 - it uses luci.getInitList

Another possible, although obscure, reason is having multiple OpenWrt devices with the same IP address but different LuCI versions on the network, with the browser flip-flopping between the different devices.