From 5260f1ecfba760ef22478437c99fe759b3bc44b6 Mon Sep 17 00:00:00 2001 From: Jakob Olsson Date: Mon, 15 Oct 2018 16:38:01 +0200 Subject: [PATCH] security fixes: change _access_r to _access_w ice-client: perform del_list prior to add_list _access_w --- ice-client/files/ice-client.uci_default | 5 +++-- netmode/files/lib/functions/netmode.sh | 3 ++- voice-client/files/etc/uci-defaults/99-voice_client | 2 ++ 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ice-client/files/ice-client.uci_default b/ice-client/files/ice-client.uci_default index 14f216ee6..d66cf8e9c 100644 --- a/ice-client/files/ice-client.uci_default +++ b/ice-client/files/ice-client.uci_default @@ -7,7 +7,8 @@ grep -rq "^ice:" /etc/passwd || { uci -q delete passwords.ice uci -q set passwords.ice=usertype uci -q set passwords.ice.password="\$WPAKEY" -uci -q add_list passwords.ice._access_r=root +uci -q del_list passwords.ice._access_w=root +uci -q add_list passwords.ice._access_w=root uci -q commit passwords uci show rpcd | grep username=.*ice.* >/dev/null || { @@ -16,7 +17,7 @@ cat >> /etc/config/rpcd << EOF config login option username 'ice' option password '\$p\$ice' - list _access_r 'none' + list _access_w 'none' list write 'user-user' list write 'juci-broadcom-dsl' list write 'juci-broadcom-dsl-admin' diff --git a/netmode/files/lib/functions/netmode.sh b/netmode/files/lib/functions/netmode.sh index cc6d6aaf6..8f2fd4744 100644 --- a/netmode/files/lib/functions/netmode.sh +++ b/netmode/files/lib/functions/netmode.sh @@ -377,7 +377,8 @@ populate_netmodes() { if json_select acl; then _i=1 while json_get_var user $_i; do - uci add_list netmode.$mode._access_r="$user" + uci del_list netmode.$mode._access_w="$user" + uci add_list netmode.$mode._access_w="$user" _i=$((_i+1)) done json_select .. diff --git a/voice-client/files/etc/uci-defaults/99-voice_client b/voice-client/files/etc/uci-defaults/99-voice_client index d2694629f..dedbf0a11 100755 
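Review bot: The added `uci -q del_list passwords.ice._access_w=root` has nothing to remove, because `uci -q delete passwords.ice` three lines above drops the whole section and the following `set` recreates it empty. Either drop the line or keep it with a comment such as `# del_list keeps the list duplicate-free if the delete above is ever removed`. Every call in this run uses `-q` and its status is not checked, so a failed `add_list` would leave `passwords.ice` committed without the `_access_w` entry and without any message. Checking the `add_list` status before `uci -q commit passwords` would surface that.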
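Review bot: The new `list _access_w 'none'` line only reaches systems where the `ice` login is created for the first time, because the heredoc sits behind the guard `uci show rpcd | grep username=.*ice.* >/dev/null || {` visible as context in the previous hunk. If this script also runs on a device that kept its old /etc/config/rpcd, the existing login section presumably still carries `list _access_r 'none'` and the fix is not applied there. A migration step that replaces `_access_r` with `_access_w` on the existing section would close that gap. At minimum, add a comment above the heredoc: `# only written on first provisioning; existing ice logins are not migrated`. The heredoc starts and ends outside the hunk.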
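Review bot: `$mode` is expanded unquoted in both added `uci` calls while `$user` is quoted, so a mode name containing whitespace or glob characters would be split into extra arguments and the ACL entry would land on the wrong key or fail. Quote the whole argument: `uci del_list "netmode.$mode._access_w=$user"` and `uci add_list "netmode.$mode._access_w=$user"`. Entries written earlier to `netmode.$mode._access_r` are not removed here, so unless the section is recreated elsewhere in `populate_netmodes` they remain in the config after an upgrade. The function body starts and ends outside the hunk, so this could not be confirmed from here.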
--- a/voice-client/files/etc/uci-defaults/99-voice_client +++ b/voice-client/files/etc/uci-defaults/99-voice_client @@ -53,6 +53,8 @@ uci -q batch <<-EOT set firewall.sip=include set firewall.sip.path=/etc/firewall.sip set firewall.sip.reload=1 + uci del_list firewall.sip._access_w="root" + uci add_list firewall.sip._access_w="root" commit firewall EOT
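Review bot: The two added lines carry a `uci` prefix inside the `uci -q batch` heredoc, where every other line (`set firewall.sip=include`, `commit firewall`) is a bare subcommand. Batch mode is therefore likely to reject them as an unknown command, and with `-q` that failure is silent. The `_access_w` entry for `firewall.sip` would then never be written, and depending on how batch handles the error, the following `commit firewall` may not run either. Write them as batch subcommands: `del_list firewall.sip._access_w=root` and `add_list firewall.sip._access_w=root`. The heredoc opens outside the hunk, so it is worth checking the result with `uci show firewall.sip` after the script runs.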