authorJo-Philipp Wich <jo@mein.io>2020-04-09 22:52:37 +0200
committerJo-Philipp Wich <jo@mein.io>2020-04-09 23:23:33 +0200
commitc099344013ad72d01a93b99184c72c5eeb792174 (patch)
treec01d65714fe1813b689151a31d370baca498f971 /modules/luci-base/root/usr/share
parent1e07e3a52d4d06cc82ab07f2b7fbba0a9a6fb801 (diff)
treewide: reorganize base ACLs
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-base/root/usr/share')
-rw-r--r--modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json111
1 files changed, 14 insertions, 97 deletions
diff --git a/modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json b/modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json
index 8b8481b1cb..f2534f8ed6 100644
--- a/modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json
+++ b/modules/luci-base/root/usr/share/rpcd/acl.d/luci-base.json
@@ -8,122 +8,39 @@
}
},
- "uci-access": {
- "description": "Grant uci write access to all configurations",
- "read": {
- "uci": [ "*" ]
- },
- "write": {
- "uci": [ "*" ]
- }
- },
- "luci-access": {
+ "luci-base": {
"description": "Grant access to basic LuCI procedures",
"read": {
- "cgi-io": [ "backup", "download", "exec" ],
"file": {
"/": [ "list" ],
- "/*": [ "list" ],
- "/dev/mtdblock*": [ "read" ],
- "/etc/crontabs/root": [ "read" ],
- "/etc/dropbear/authorized_keys": [ "read" ],
- "/etc/filesystems": [ "read" ],
- "/etc/rc.local": [ "read" ],
- "/etc/sysupgrade.conf": [ "read" ],
- "/etc/passwd": [ "read" ],
- "/etc/group": [ "read" ],
- "/proc/filesystems": [ "read" ],
- "/proc/mtd": [ "read" ],
- "/proc/partitions": [ "read" ],
- "/proc/sys/kernel/hostname": [ "read" ],
- "/proc/sys/net/netfilter/nf_conntrack_*": [ "read" ],
- "/proc/mounts": [ "read" ],
- "/usr/lib/lua/luci/version.lua": [ "read" ],
- "/bin/dmesg -r": [ "exec" ],
- "/bin/ping *": [ "exec" ],
- "/bin/ping6 *": [ "exec" ],
- "/bin/traceroute *": [ "exec" ],
- "/bin/traceroute6 *": [ "exec" ],
- "/sbin/ip -4 neigh show": [ "exec" ],
- "/sbin/ip -4 route show table all": [ "exec" ],
- "/sbin/ip -6 neigh show": [ "exec" ],
- "/sbin/ip -6 route show table all": [ "exec" ],
- "/sbin/logread -e ^": [ "exec" ],
- "/usr/sbin/logread -e ^": [ "exec" ],
- "/usr/bin/ping *": [ "exec" ],
- "/usr/bin/ping6 *": [ "exec" ],
- "/usr/bin/traceroute *": [ "exec" ],
- "/usr/bin/traceroute6 *": [ "exec" ],
- "/usr/bin/nslookup *": [ "exec" ],
- "/usr/libexec/luci-peeraddr": [ "exec" ],
- "/usr/sbin/iptables --line-numbers -w -nvxL -t *": [ "exec" ],
- "/usr/sbin/ip6tables --line-numbers -w -nvxL -t *": [ "exec" ]
+ "/*": [ "list" ]
},
"ubus": {
- "file": [ "list", "read", "stat" ],
- "iwinfo": [ "assoclist", "freqlist", "txpowerlist", "countrylist" ],
- "luci": [ "getConntrackList", "getInitList", "getLocaltime", "getProcessList", "getRealtimeStats", "getTimezones", "getLEDs", "getUSBDevices", "getSwconfigFeatures", "getSwconfigPortState", "getBlockDevices", "getMountPoints" ],
- "luci-rpc": [ "getBoardJSON", "getDHCPLeases", "getDSLStatus", "getDUIDHints", "getHostHints", "getNetworkDevices", "getWirelessDevices" ],
- "network.interface": [ "dump" ],
- "network.rrdns": [ "lookup" ],
- "network": [ "get_proto_handlers" ],
- "system": [ "board", "info", "validate_firmware_image" ],
+ "file": [ "list" ],
"uci": [ "changes", "get" ]
- },
- "uci": [ "*" ]
+ }
},
"write": {
"cgi-io": [ "upload" ],
"file": {
- "/etc/crontabs/root": [ "write" ],
- "/etc/dropbear/authorized_keys": [ "write" ],
- "/etc/init.d/firewall restart": [ "exec" ],
"/etc/luci-uploads/*": [ "write" ],
- "/etc/rc.local": [ "write" ],
- "/etc/sysupgrade.conf": [ "write" ],
- "/sbin/block": [ "exec" ],
- "/sbin/firstboot": [ "exec" ],
- "/sbin/ifdown": [ "exec" ],
- "/sbin/ifup": [ "exec" ],
- "/sbin/reboot": [ "exec" ],
- "/sbin/sysupgrade": [ "exec" ],
- "/sbin/wifi": [ "exec" ],
- "/bin/kill": [ "exec" ],
- "/bin/tar": [ "exec" ],
- "/bin/umount": [ "exec" ],
- "/tmp/backup.tar.gz": [ "write" ],
- "/tmp/firmware.bin": [ "write" ],
- "/tmp/upload.ipk": [ "write" ],
- "/usr/sbin/iptables -Z": [ "exec" ],
- "/usr/sbin/ip6tables -Z": [ "exec" ]
},
"ubus": {
- "file": [ "write", "remove", "exec" ],
- "hostapd.*": [ "del_client" ],
- "iwinfo": [ "scan" ],
- "luci": [ "setInitAction", "setLocaltime", "setPassword", "setBlockDetect" ],
- "uci": [ "add", "apply", "confirm", "delete", "order", "set", "rename" ]
- },
- "uci": [ "*" ]
+ "file": [ "remove" ],
+ "uci": [ "add", "apply", "confirm", "delete", "order", "set" ]
+ }
}
},
- "luci-app-firewall": {
- "description": "Grant access to firewall procedures",
+
+ "luci-base-network-status": {
+ "description": "Grant access to network status information",
"read": {
- "file": {
- "/etc/firewall.user": [ "read" ]
- },
"ubus": {
- "luci": [ "getConntrackHelpers" ]
- },
- "uci": [ "firewall" ]
- },
- "write": {
- "file": {
- "/etc/firewall.user": [ "write" ],
- "/etc/init.d/firewall": [ "exec" ]
+ "luci-rpc": [ "getBoardJSON", "getHostHints", "getNetworkDevices", "getWirelessDevices" ],
+ "network": [ "get_proto_handlers" ],
+ "network.interface": [ "dump" ]
},
- "uci": [ "firewall" ]
+ "uci": [ "luci", "network", "wireless" ]
}
}
}
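Review bot: The `write.file` object of `luci-base` ends with a trailing comma on the new side, because the context line `"/etc/luci-uploads/*": [ "write" ],` is kept while every entry after it is removed, so it is now followed directly by `},`. That is not valid RFC 8259 JSON, and whether rpcd's loader tolerates it is not visible from this page; a strict parser or linter would reject the whole ACL file, so the line should read `"/etc/luci-uploads/*": [ "write" ]`. Separately, `"/*": [ "list" ]` combined with ubus `"file": [ "list" ]` still lets every session that holds `luci-base` enumerate directories across the whole filesystem. Since JSON cannot carry a comment, the commit description would be the place to record why that listing scope stays in the base group rather than moving to a narrower ACL.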