recalbox / recalbox-manager

Django project to manage a Recalbox from a web interface
MIT License

secure recalbox-manager #63

Open nadenislamarre opened 8 years ago

nadenislamarre commented 8 years ago

Starting with recalbox 4.1, recalbox.conf has a variable: system.security.enabled. If this is one, the recalbox manager (among others) must not be open.

It must be secured: 1) at minimum by a basic HTTP password, 2) if possible, via SSL, as the aim is to secure it from network attacks.

The login is whatever you want, but the password to use is the one provided by /etc/init.d/S35rootpasswd; it's in this startup script that you must generate a password file in the temporary location.

I don't manage to do it by myself. I don't know Django and I don't see in Recalbox the same configuration files that I found in the Django documentation (like httpd.conf for example).

The current script content is:


#!/bin/sh
# /etc/shadow is dynamically generated from the password found in /boot/recalbox-boot.conf
# the password is visible only in the ES interface
# or to people already having an ssh password, via the command: /recalbox/scripts/recalbox-config.sh setRootPassword xyz
MASTERPASSWD=$(/recalbox/scripts/recalbox-config.sh getRootPassword)
if test -z "${MASTERPASSWD}"
then
    # no password stored yet: generate a new one
    # hum, in case of error, what to do? nothing.
    /recalbox/scripts/recalbox-config.sh setRootPassword
    MASTERPASSWD=$(/recalbox/scripts/recalbox-config.sh getRootPassword)
fi

# secure ssh
# write the /etc/shadow file (MD5-crypt hash, nine colon-separated fields)
SHADOWPASSWD=$(openssl passwd -1 "${MASTERPASSWD}")
echo "root:${SHADOWPASSWD}:::::::" > /run/recalbox.shadow

# secure samba
mkdir -p "/var/lib/samba/private"
# smbpasswd -a reads the new password twice from stdin
(echo "${MASTERPASSWD}"; echo "${MASTERPASSWD}") | smbpasswd -a root

sveetch commented 8 years ago

If you want security with the manager, Recalbox will have to ship and launch a real webserver.

But remember, even something lightweight like lighttpd or nginx has a big cost on the few RPi resources. That's the reason why the Django instance is currently served by its "development server", which is not a real webserver.

We may talk more about this.

nadenislamarre commented 8 years ago

Hum, the number of served pages remains limited. Do you advise disabling the manager when Recalbox is running on an open network? Or do you have another idea?

sveetch commented 8 years ago

There are no other choices: either we have a real webserver in front of Django, or we shut it down on open networks.

Sure, I could code something tricky, but if we are talking about real security that can be trusted, this is huge work to accomplish and maintain, too much work time for me.

Or maybe the Recalbox system could include something like IP-ban rules to reject all requests to the Django server port except from some IPs on a whitelist, manually configured in some Recalbox config file.

nadenislamarre commented 8 years ago

OK, I understand. I will disable it in secure mode for the moment.

Is it complex to put lighttpd in front of the application?

Nicolas

sveetch commented 8 years ago

It's not very complex, but not the easiest either.

You know, webservers are not application servers; you need something between the webserver and the webapp. For Apache or lighttpd it's the FastCGI protocol; for more "recent" webservers it's WSGI, and this last solution could be considered easier and lighter. It's also a more natural way with Django.
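As an added example (not code from recalbox-manager or from either commenter), here is what the HTTP Basic password asked for in the first comment can look like at the WSGI layer sveetch mentions: a pure-Python WSGI wrapper around the Django application that only forwards requests carrying valid credentials. The credential file format (`user:salt_hex:pbkdf2_hex`), the idea that the boot script writes one such line for root into /run, and the realm name are all assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 rounds; stored entries must be made with the same value
# Credential file (assumption): one line per user, written by the boot script into /run
# and loaded at startup with load_entries(open(path).read()).

def make_entry(user, password, salt=None):
    """Build one 'user:salt_hex:pbkdf2_hex' line for the credential file."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user}:{salt.hex()}:{digest.hex()}"

def load_entries(text):
    """Parse credential lines into {user: (salt, digest)}; skips blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, digest_hex = line.split(":", 2)
        entries[user] = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    return entries

def check_credentials(entries, user, password):
    """Constant-time check; an unknown user still costs a full PBKDF2 round."""
    salt, expected = entries.get(user, (b"\0" * 16, b"\0" * 32))
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected) and user in entries

class BasicAuthMiddleware:
    """WSGI wrapper: the Django app is only reached with valid Basic credentials."""
    def __init__(self, app, entries, realm="recalbox-manager"):
        self.app, self.entries, self.realm = app, entries, realm

    def __call__(self, environ, start_response):
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() == "basic" and token:
            try:  # binascii.Error and UnicodeDecodeError are both ValueErrors
                user, _, password = base64.b64decode(token).decode().partition(":")
            except ValueError:
                user, password = "", ""
            if check_credentials(self.entries, user, password):
                return self.app(environ, start_response)
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", f'Basic realm="{self.realm}"'),
                        ("Content-Type", "text/plain")])
        return [b"authentication required\n"]
```

Wrapping Django's WSGI application object with `BasicAuthMiddleware` covers every page the manager serves; Basic credentials still travel unencrypted without the SSL layer from the first comment.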