authorJo-Philipp Wich <jow@openwrt.org>2015-12-09 20:32:12 +0100
committerJo-Philipp Wich <jow@openwrt.org>2016-01-11 15:21:46 +0100
commit81e80c4b876e8e68bb8b022c39d0941e2c1ccb56 (patch)
treea4563027598b84db3e86996b402e6d75ce5e6993 /modules/luci-base
parent6619e66fc9de32e7bf911b929e320ab17a414697 (diff)
luci-base: properly handle ubus connections for non-root (#570, #571)
Instead of relying on the connect-before-setuid hack, ship a proper acl definition file whitelisting the procedures that LuCI requires on its non-root pages. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Diffstat (limited to 'modules/luci-base')
-rw-r--r--modules/luci-base/luasrc/dispatcher.lua3
-rw-r--r--modules/luci-base/root/usr/share/acl.d/luci-base.json8
2 files changed, 8 insertions, 3 deletions
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index cd5d77a12b..2fbc2c96f5 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -402,9 +402,6 @@ function dispatch(request)
end
if track.setuser then
- -- trigger ubus connection before dropping root privs
- util.ubus()
-
sys.process.setuser(track.setuser)
end
diff --git a/modules/luci-base/root/usr/share/acl.d/luci-base.json b/modules/luci-base/root/usr/share/acl.d/luci-base.json
new file mode 100644
index 0000000000..4d582366ff
--- /dev/null
+++ b/modules/luci-base/root/usr/share/acl.d/luci-base.json
@@ -0,0 +1,8 @@
+{
+ "user": "nobody",
+ "access": {
+ "system": {
+ "methods": [ "board", "info" ]
+ }
+ }
+}
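Review bot: The ACL grants access by the hard-coded account name `"user": "nobody"`, while dispatcher.lua drops to whatever `track.setuser` holds, so a page that switches to any other account would presumably get no ubus access now that the pre-setuid connect is gone. Because `nobody` is a shared account, the grant on the `system` methods `board` and `info` also applies to every other process running under it, not only LuCI. Both look like read-only information calls, but that is worth confirming against the ubus `system` object. JSON has no comment syntax, so I would record the constraint in the commit description or the package documentation, e.g. `acl.d/luci-base.json covers only user "nobody"; nodes using another setuser value need their own ACL file`.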