Add a basic password protection.

9 years ago · 9e37264461
parent fc70aceb9e
commit 9e37264461
8 changed files with 52 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -82,6 +82,14 @@ to configure `supervisord`, and restart it

 Now you should have access to a basic info web page (on port `80`) and to `supervisord` web interface (on port `9001`).

+The "Further info and configuration" webpage, as well as access to `supervisord`, is password protected (don't feel protected by this, it's not really secure). The name:pass is `admin:muflon`. If you want to change this, you need to edit two places: `/etc/supervisor/conf.d/daemons.conf` and `/opt/gps-timekeep/auth`. They need to match!
+
+If you want to remove the password protection:
+
+ + Edit `/etc/supervisor/conf.d/daemons.conf` and remove the two lines (`username` and `password`).
+ + Remove `/opt/gps-timekeep/auth`.
+ + Edit `/opt/gps-timekeep/configs/lighttpd.conf` and comment out the `auth.require` block.
+
 ## Optional extras

 Some actions from the web interface require privilege escalation (I couldn't convince `lighttpd` to run as root), so:
@ -123,10 +131,6 @@ Similarly, if you want to be able to reboot from the web interface, you need to
   + `supervisord` runs its own web interface on port 9001.
   + One python CGI script is provided (`serverconfig.py`), which gives more system info, and lets you edit `/etc/network/interfaces` and reboot the Pi (see "Optional Extras" for what's needed to make this work).

-#### Warning
-
-The setup is completely insecure: everything is accessible, no attempt has been done to lock things down. So, please, **don't** put a Pi set up like this on the net (or baaad things will happen)!
-
 #### Other notes (about configuration, etc...)

 + `gpsd` parameters should contain `-n`. This is so that gpsd starts listening to the GPS device even before a client (like cgps or such) asks for it. we need this so that the timekeeping starts right away on boot.
--- a/1
+++ b/1
@ -0,0 +1 @@
+admin:muflon
--- a/cgi-bin/serverconfig.py
+++ b/cgi-bin/serverconfig.py
@ -108,6 +108,11 @@ print """
 """ % (interfaces_contents)
 # cgi.escape(message)

+# password instructions
+print """
+<h3>Changing the password ...</h3>
+"""
+
 # reboot button
 print """
 <h3>Reboot the machine</h3>
--- a/configs/lighttpd.conf
+++ b/configs/lighttpd.conf
@ -2,8 +2,9 @@ server.modules = (
 	"mod_access",
 	"mod_alias",
 	"mod_compress",
- 	"mod_redirect",
-  "mod_cgi",
+	"mod_redirect",
+	"mod_cgi",
+	"mod_auth",
 )

 server.document-root        = "/run/www"
@ -21,6 +22,15 @@ static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".py" )
 compress.cache-dir          = "/var/cache/lighttpd/compress/"
 compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

+auth.backend                = "plain"
+auth.backend.plain.userfile = "/opt/gps-timekeep/auth"
+
+auth.require = ( "/cgi-bin/" =>
+  ( "method" => "basic",
+    "realm" => "Admin Realm",
+    "require" => "valid-user",
+  ))
+
 # redirect cgi-bin to /opt/gps-timekeep
 $HTTP["url"] =~ "/cgi-bin/" { cgi.assign = ( "" => "" ) }
 alias.url = ( "/cgi-bin/" => "/opt/gps-timekeep/cgi-bin/" )
--- a/time-from-gps/auth
+++ b/time-from-gps/auth
@ -0,0 +1 @@
+../auth
--- a/time-from-gps/time-from-gps.py
+++ b/time-from-gps/time-from-gps.py
@ -7,6 +7,8 @@ import time
 #import datetime
 #import dateutil.parser

+SUPERVISOR_AUTH = "auth"
+
 # write a temporary html report
 HTML_OUTPUT_DIR = "/run/www"
 HTML_OUTPUT_FILE = "/index.html"
@ -34,6 +36,14 @@ time.sleep(1)
 session = gps.gps("localhost", "2947")
 session.stream(gps.WATCH_ENABLE | gps.WATCH_NEWSTYLE)

+# preparation: read the supervisor user and pass
+if os.path.isfile(SUPERVISOR_AUTH):
+    with open(SUPERVISOR_AUTH) as f:
+        supervisor_namepass = f.readline().strip() + "@"
+else:
+    supervisor_namepass = ""
+
+
 # main loop: wait for a time report from GPS
 while True:
    try:
@ -52,7 +62,7 @@ while True:
                #print gpstime.isoformat('T')
                #print datetime.datetime.now().isoformat('T')
                # connect to supervisor
-                supervisord = xmlrpclib.Server('http://localhost:9001/RPC2')
+                supervisord = xmlrpclib.Server("http://"+supervisor_namepass+"localhost:9001/RPC2")
                # start the watcher daemon
                supervisord.supervisor.startProcess('gps-watcher')
                break
--- a/watcher-daemon/auth
+++ b/watcher-daemon/auth
@ -0,0 +1 @@
+../auth
--- a/watcher-daemon/gps-watcher.py
+++ b/watcher-daemon/gps-watcher.py
@ -25,6 +25,8 @@ HTML_OUTPUT_DIR = "/run/www"
 HTML_OUTPUT_FILE = "/index.html"
 HTML_TEMPLATE_FILE = "index.template.html"

+SUPERVISOR_AUTH = "auth"
+
 # auxiliary functions: for supervisord
 supervisor_states = {
        0: False,   # stopped
@ -55,9 +57,8 @@ if not os.path.exists(HTML_OUTPUT_DIR):
    os.makedirs(HTML_OUTPUT_DIR)

 # preparation: read the html template file
-fin = open(HTML_TEMPLATE_FILE)
-html_template = fin.read()
-fin.close()
+with open(HTML_TEMPLATE_FILE) as f:
+    html_template = f.read()

 # auxiliary function: generate a webpage with basic gps/ntpd info
 def generate_html_file():
@ -72,8 +73,16 @@ def generate_html_file():
    fout.write(html_template.format(**locals()))
    fout.close()

+# preparation: read the supervisor user and pass
+if os.path.isfile(SUPERVISOR_AUTH):
+    with open(SUPERVISOR_AUTH) as f:
+        supervisor_namepass = f.readline().strip() + "@"
+    print "is"
+else:
+    supervisor_namepass = ""
+
 # connect to supervisor
-supervisord = xmlrpclib.Server('http://localhost:9001/RPC2')
+supervisord = xmlrpclib.Server("http://"+supervisor_namepass+"localhost:9001/RPC2")

 # this class does the threaded polling of the gpsd daemon
 class GpsPoller(threading.Thread):