author | Jo-Philipp Wich <jow@openwrt.org> | 2015-12-09 20:32:12 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2016-01-11 15:21:46 +0100 |
commit | 81e80c4b876e8e68bb8b022c39d0941e2c1ccb56 (patch) | |
tree | a4563027598b84db3e86996b402e6d75ce5e6993 | |
parent | 6619e66fc9de32e7bf911b929e320ab17a414697 (diff) |
luci-base: properly handle ubus connections for non-root (#570, #571)
Instead of relying on the connect-before-setuid hack, ship a proper
acl definition file whitelisting the procedures that LuCI requires
on its non-root pages.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
-rw-r--r-- | modules/luci-base/luasrc/dispatcher.lua | 3 | ||||
-rw-r--r-- | modules/luci-base/root/usr/share/acl.d/luci-base.json | 8 |
2 files changed, 8 insertions, 3 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index cd5d77a12..2fbc2c96f 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -402,9 +402,6 @@ function dispatch(request)
 end
 if track.setuser then
- -- trigger ubus connection before dropping root privs
- util.ubus()
-
 sys.process.setuser(track.setuser)
 end
diff --git a/modules/luci-base/root/usr/share/acl.d/luci-base.json b/modules/luci-base/root/usr/share/acl.d/luci-base.json
new file mode 100644
index 000000000..4d582366f
--- /dev/null
+++ b/modules/luci-base/root/usr/share/acl.d/luci-base.json
@@ -0,0 +1,8 @@
+{
+ "user": "nobody",
+ "access": {
+ "system": {
+ "methods": [ "board", "info" ]
+ }
+ }
+} |
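Review bot: The result of `sys.process.setuser(track.setuser)` in the `if track.setuser then` block is still discarded, and with the pre-connect removed the privilege drop alone now decides which identity ubus sees. If setuser reports failure through its return value (its definition is not visible here, so this needs confirming), the page would keep running as root and reach ubus with root's rights rather than the restricted ACL. Failing closed would avoid that, for example `assert(sys.process.setuser(track.setuser), "unable to drop privileges")` or an equivalent error response. A short comment such as `-- ubus is connected after the drop; permitted methods are listed in acl.d/luci-base.json` would also tell maintainers why a new ubus call on a non-root page can be refused. The body of dispatch() starts and ends outside this hunk.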
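Review bot: The grant under `"user": "nobody"` is keyed on the account alone, so it applies to every process running as nobody and not only to LuCI's non-root pages. Any such process can then call the `board` and `info` methods of `system`, which presumably return device and firmware details. If that is wider than intended, a dedicated unprivileged account for these pages (`"user": "<dedicated-luci-user>"`, placeholder) with a matching setuser value would narrow the grant. JSON has no comment syntax, so the reason each method is listed is best recorded in the package documentation.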