diff --git a/README.md b/README.md index db4388e..a8afc4b 100644 --- a/README.md +++ b/README.md @@ -82,7 +82,16 @@ to configure `supervisord`, and restart it Now you should have access to a basic info web page (on port `80`) and to `supervisord` web interface (on port `9001`). -The "Further info and configuration" webpage, as well as access to `supervisord`, is password protected (don't feel protected by this, it's not really secure). The name:pass is `admin:muflon`. If you want to change this, you need to edit two places: `/etc/supervisor/conf.d/daemons.conf` and `/opt/gps-timekeep/auth`. They need to match! +## Password protection + +The "Further info and configuration" webpage, as well as access to `supervisord`, is password protected (don't feel protected by this, it's not really secure). The name:pass is `admin:muflon`. There is a web form to change this, but making it work is another privilege escalation (see also "Optional extras" below), so requires making two files writable by the `lighttpd` process. So: + + sudo chgrp www-data /etc/supervisor/conf.d/daemons.conf + sudo chown g+w /etc/supervisor/conf.d/daemons.conf + +The other file, `/opt/gps-timekeep/auth` should be set up OK already, but just in case it isn't: + + chmod 0666 /opt/gps-timekeep/auth If you want to remove the password protection: diff --git a/cgi-bin/password.py b/cgi-bin/password.py new file mode 100755 index 0000000..545dd24 --- /dev/null +++ b/cgi-bin/password.py @@ -0,0 +1,107 @@ +#!/usr/bin/python + +import subprocess +import sys +import os + +import cgi +import cgitb; cgitb.enable() # for troubleshooting + +# constants +SUPERVISOR_CONF = "/etc/supervisor/conf.d/daemons.conf" +AUTH_FILE = "/opt/gps-timekeep/auth" + +PERMISSIONS_S = """ +

Can't change password via web interface: permissions problem

+

Change password "manually"

+ +

Alternatively, fix the permissions

+The two files above need to be write-accessible by the lighttpd process, so you can for instance (after SSHing into the machine): +
+sudo chgrp www-data /opt/gps-timekeep/auth
+sudo chmod g+w /opt/gps-timekeep/auth
+
+and the same with the other file. + +""" + +print "Content-Type: text/html" # HTML is following +print # blank line, end of headers + +# print html header +print """ + +ntpi: change password + +

ntpi: change password

+""" + +# get the submitted form contents +form = cgi.FieldStorage() + +# if rebooting requested, just print a message and exit +if "reboot-button" in form: + print "

Rebooting now!

" + subprocess.Popen(["/sbin/reboot"]) + sys.exit() + +# check if the appropriate files are writable +if (not os.access(SUPERVISOR_CONF, os.W_OK | os.R_OK)) or (not os.access(AUTH_FILE, os.W_OK | os.R_OK)): + print PERMISSIONS_S + sys.exit() + +# change of password requested +if "submit-button" in form: + username = form.getvalue("username") + password = form.getvalue("password") + with open(AUTH_FILE, "w") as f: + f.write(username+":"+password+"\n") + with open(SUPERVISOR_CONF) as f: + lines = f.readlines() + with open(SUPERVISOR_CONF, "w") as f: + for line in lines: + if line.startswith("username "): + f.write("username = " + username + "\n") + elif line.startswith("password "): + f.write("password = " + password + "\n") + else: + f.write(line) + print """ +
+

Message: Username and password changed. You should + now. +

+ """ + +# read username and password +username = "some error" +password = "has occured" +with open(AUTH_FILE) as f: + username, password = f.readline().strip().split(':') + +# print the form +print """ +
+
+

+Username:
+Password:
+

+
+Note: No sanity checking is done, so be careful! +
+

+Go back. +

+ +""" % (username, password) + diff --git a/cgi-bin/serverconfig.py b/cgi-bin/serverconfig.py index eae4e36..ba20a03 100755 --- a/cgi-bin/serverconfig.py +++ b/cgi-bin/serverconfig.py @@ -111,6 +111,9 @@ print """ # password instructions print """
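Review bot: In the `submit-button` branch of `cgi-bin/password.py`, `username` and `password` go from `form.getvalue()` straight into `AUTH_FILE` and `SUPERVISOR_CONF`, so a value containing a line break adds extra lines to the supervisord configuration, and a missing field makes `getvalue()` return `None` and the string concatenation raise. The branch should reject empty values, CR/LF/NUL in either field and `:` in the username before anything is written; the read-back should use `split(':', 1)` so a password containing `:` does not raise, and both values should be HTML-escaped before the final `%` formatting, since they are presumably placed in the form's attributes (the markup is not visible here). Separately, `cgitb.enable()` sends tracebacks to the browser; outside troubleshooting, `cgitb.enable(display=0, logdir="<LOG_DIR>")` keeps them on the server. The reboot and password actions also appear to be accepted for any request method and origin, which is worth confirming against the lighttpd setup. The README hunk of this commit recommends `chmod 0666` on the auth file and writes `sudo chown g+w` where `PERMISSIONS_S` here has `sudo chmod g+w`; group write for `www-data`, as this file's own help text describes, is the narrower setting.

```python
# change of password requested
if "submit-button" in form:
    username = form.getfirst("username", "")
    password = form.getfirst("password", "")
    # Both values are written verbatim into AUTH_FILE and SUPERVISOR_CONF,
    # so refuse anything that could start a new line or break "name:pass".
    forbidden = set("\r\n\0")
    if (not username or not password or ":" in username
            or forbidden.intersection(username + password)):
        print "<p><b>Error:</b> username or password is empty or contains unsupported characters.</p>"
        sys.exit()
    # ... unchanged: write AUTH_FILE, rewrite SUPERVISOR_CONF, print the message ...

# read username and password
# ... unchanged: defaults and open(AUTH_FILE) ...
    username, password = f.readline().strip().split(':', 1)

# print the form (escape before the values are placed in the markup)
username = cgi.escape(username, True)
password = cgi.escape(password, True)
# ... unchanged: print """ ... """ % (username, password) ...
```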

Changing the password ...

+
+

... can be done here.

+
""" # reboot button