OpenWebif [E2OpenPlugins]


1459 replies to this topic

Re: OpenWebif [E2OpenPlugins] #1201 SpaceRat


Posted 26 May 2014 - 10:28

I've added an option to disallow logins as user "root".

This makes it impossible for an attacker to abuse the Webif for probing the root password.
Attempts to log in as root are intentionally not answered with any meaningful error message but just "401 - Authentication required", just as if you had entered wrong credentials.

In order to use this feature, you first have to telnet/ssh to your box and enter (for example):
adduser admin -h /dev/null -H -s /bin/false -G root
plus a password for this new user (twice).

This will create a new user
- named "admin"
- with /dev/null as his home dir (Does not exist)
- with /bin/false as shell (can not login to shell ...)
- being a member of the group "root" (Doesn't mean anything without the ability to get to a shell)
and the password as chosen by you ... (Preferably NOT the same as that for user "root").

Group "users" or any other existing group should work as well.

After creating one (or multiple) users != "root", you can use their credentials for login and disable root logins.
1st box: Vu+ Ultimo 4k 4xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
2nd box: Gigablue Quad 4k 2xDVB-S2 FBC / 2xDVB-C / 1.8 TB HDD / OpenATV 6.2
testing boxes: Vu+ Duo² + AX Quadbox HD2400 + 2x Vu+ Solo² + Octagon SF4008
Sats & Pay-TV: Astra 19.2°E + Hotbird 13°E with Redlight / SCT HD / SES Astra HD- / Sky V14 / 4th empire propaganda TV
Card-Server: Raspberry Pi + IPv6-capable oscam
Router: Linksys WRT1900ACS w/ LEDE + Fritz!Box 7390
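A check to run after creating such a user, as an added example (not code from this post or from OpenWebif). Because the webif validates logins against the box's own Linux accounts (which is why the post uses adduser), every account with a usable password hash is a webif login candidate; this script lists them and flags the ones whose password also opens a shell, which is exactly the case the post wants to avoid for root. The passwd and shadow contents are constructed samples, and NOLOGIN_SHELLS, audit and report are names chosen here.

```python
"""Audit which local accounts could satisfy OpenWebif's HTTP basic auth.

OpenWebif authenticates against the box's own /etc/passwd and /etc/shadow,
so every account with a usable password hash is a candidate for webif
login. This lists those accounts and flags the ones whose password also
opens a real shell (root, typically): a password guessed through the
webif is worth far more there than on a /bin/false account like "admin".
Sample files are constructed inline so the script runs stand-alone.
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample content, not copied from any real box.
SAMPLE_PASSWD = """\
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
admin:x:1000:100:Linux User,,,:/dev/null:/bin/false
guest:x:1001:100:Linux User,,,:/dev/null:/bin/false
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$c0nstructedHashValueForRoot0123456789:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
admin:$6$saltsalt$c0nstructedHashValueForAdmin987654321:16000:0:99999:7:::
guest:!:16000:0:99999:7:::
"""


def parse_passwd(text):
    """Map user name -> uid/home/shell from passwd(5) formatted text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, home, shell = line.split(":", 6)
            users[name] = {"uid": int(uid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> password field from shadow(5) formatted text."""
    return {
        line.split(":", 2)[0]: line.split(":", 2)[1]
        for line in text.splitlines()
        if line and not line.startswith("#")
    }


def password_state(field):
    """'none' = empty field (OpenPLi's flashed default for root),
    'locked' = '*' or a leading '!', 'set' = a real hash."""
    if field == "":
        return "none"
    if field == "*" or field.startswith("!"):
        return "locked"
    return "set"


def audit(passwd_text, shadow_text):
    """Return {user: finding} for every account that is not locked.

    finding['shell_login'] is True when the same password also gives a
    shell; finding['uid0'] is True when the account really is root.
    """
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = {}
    for name, info in users.items():
        state = password_state(shadow.get(name, "*"))
        if state == "locked":
            continue
        findings[name] = {
            "password": state,
            "shell_login": info["shell"] not in NOLOGIN_SHELLS,
            "uid0": info["uid"] == 0,
        }
    return findings


def report(findings):
    """Human-readable line per finding, sorted by user name."""
    lines = []
    for name, f in sorted(findings.items()):
        if f["password"] == "none":
            lines.append(f"{name}: NO PASSWORD SET, set one with passwd")
        elif f["shell_login"]:
            lines.append(f"{name}: webif password also opens a shell"
                         + (" as uid 0" if f["uid0"] else ""))
        else:
            lines.append(f"{name}: webif-only (no login shell)")
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_PASSWD, SAMPLE_SHADOW)):
        print(line)
    # On the box: audit(open("/etc/passwd").read(), open("/etc/shadow").read())
```

On the sample data the script reports admin as webif-only and root as an account whose webif password also opens a uid 0 shell; an empty shadow field (the state of root on a freshly flashed OpenPLi image) is reported separately so it is not mistaken for a locked account.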

Re: OpenWebif [E2OpenPlugins] #1202 AxManDream


Posted 5 June 2014 - 15:19

Hi SpaceRat,

that's quite cool, I was looking for something like that :-)

Just one question (as I'm quite new in that field): How do I disable root logins after creating one or more users the way you described? Is "root" then disabled just for WebIf or also for ssh-login?



Re: OpenWebif [E2OpenPlugins] #1203 SpaceRat


Posted 5 June 2014 - 16:56

> that's quite cool, I was looking for something like that :-)
> Just one question (as I'm quite new in that field): How do I disable root logins after creating one or more users the way you described?

It's a plain setting inside the OpenWebif options (Go to plugins -> OpenWebif using your remote control).
Alternatively, you can simply set
config.OpenWebif.no_root_access=true
inside /etc/enigma2/settings

> Is "root" then disabled just for WebIf or also for ssh-login?

Just for the webif.

It's just enough to prevent the root password from being probed or being sniffed:
If for example ssh is opened to the outside using password logins, it's still quite annoying to probe the root password on ssh (three attempts, delay, then disconnect), however it was easy on the webif (unlimited attempts, no delay).
So an attacker could have used the webif for comfortable probing of the root pwd and then used it with ssh.
If you disable "root" logins on the webif, probing the root pwd there cannot succeed while root can still log in to ssh.

Note that OpenPLi's built-in streaming and transcoded streaming (On Vu+) still allow probing however.
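The two controls discussed in this post, modelled together as a small Python login gate: a refusal of user "root" that is indistinguishable from a wrong password, and the per-client throttling (a few attempts, then a hold-off) that ssh has and the webif lacked. This is an added example, not OpenWebif's authentication code. The credential table is constructed in memory with PBKDF2 instead of the box's shadow file, and MAX_FAILURES, LOCKOUT_SECONDS, LoginGate and the 429 response are choices made here.

```python
"""A login gate in the shape of OpenWebif's HTTP basic auth.

Two properties are demonstrated:
  * no_root_access: "root" is refused with the same 401 as a bad
    password, and the password hash is still computed so the refusal
    cannot be told apart by response time either;
  * throttling: after MAX_FAILURES failed attempts a client address is
    held off for LOCKOUT_SECONDS (the "three attempts, delay" that ssh
    gives you and the webif did not).
Credentials below are a constructed in-memory table, not /etc/shadow.
"""
import hashlib
import hmac
import os

MAX_FAILURES = 3       # failures a client may accumulate before being held off
LOCKOUT_SECONDS = 30   # hold-off after that; one more failure re-arms it
PBKDF2_ROUNDS = 50_000
_DUMMY = (b"\0" * 16, b"\0" * 32)   # keeps unknown users as slow as known ones


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_db(plaintext_users):
    """Constructed credential store {user: (salt, hash)}; on the box this
    role is played by /etc/shadow."""
    db = {}
    for user, password in plaintext_users.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash(password, salt))
    return db


class LoginGate:
    def __init__(self, user_db, no_root_access=True):
        self.user_db = user_db
        self.no_root_access = no_root_access
        self.failures = {}   # client_ip -> (failure_count, time_of_last_failure)

    def _locked(self, ip, now):
        count, last = self.failures.get(ip, (0, 0.0))
        return count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS

    def _credentials_ok(self, user, password):
        salt, expected = self.user_db.get(user, _DUMMY)
        match = hmac.compare_digest(_hash(password, salt), expected)
        return match and user in self.user_db

    def attempt(self, ip, user, password, now):
        """Return 200 on success, 401 on bad credentials or refused root,
        429 while the client is held off. 401 never says which it was."""
        if self._locked(ip, now):
            return 429
        ok = self._credentials_ok(user, password)   # always computed
        if ok and not (self.no_root_access and user == "root"):
            self.failures.pop(ip, None)
            return 200
        count, _ = self.failures.get(ip, (0, 0.0))
        self.failures[ip] = (count + 1, now)
        return 401


if __name__ == "__main__":
    gate = LoginGate(make_user_db({"root": "toor", "admin": "s3cret"}))
    for t, user, pw in [(0, "root", "toor"), (1, "root", "guess"),
                        (2, "admin", "guess"), (3, "admin", "s3cret"),
                        (40, "admin", "s3cret")]:
        print(t, user, gate.attempt("203.0.113.7", user, pw, float(t)))
```

Note that the refused root attempt with the correct password still counts as a failure, so probing root through the gate is throttled exactly like probing any other account; only the client that accumulated the failures is held off, other clients are unaffected.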

Re: OpenWebif [E2OpenPlugins] #1204 AxManDream


Posted 5 June 2014 - 17:31

> > that's quite cool, I was looking for something like that :-)
> > Just one question (as I'm quite new in that field): How do I disable root logins after creating one or more users the way you described?
>
> It's a plain setting inside the OpenWebif options (Go to plugins -> OpenWebif using your remote control).
> Alternatively, you can simply set
> config.OpenWebif.no_root_access=true
> inside /etc/enigma2/settings
>
> > Is "root" then disabled just for WebIf or also for ssh-login?
>
> Just for the webif.
>
> It's just enough to prevent the root password from being probed or being sniffed:
> If for example ssh is opened to the outside using password logins, it's still quite annoying to probe the root password on ssh (three attempts, delay, then disconnect), however it was easy on the webif (unlimited attempts, no delay).
> So an attacker could have used the webif for comfortable probing of the root pwd and then used it with ssh.
> If you disable "root" logins on the webif, probing the root pwd there cannot succeed while root can still log in to ssh.
>
> Note that OpenPLi's built-in streaming and transcoded streaming (On Vu+) still allow probing however.

Perfect, thank you! :-)



Re: OpenWebif [E2OpenPlugins] #1205 h.udo


Posted 29 July 2014 - 14:09

Hi folks!

A question to the developers of OpenWebif:

Is there any way to get the HDD capacity and free space in bytes? Any modifier I can use in web/about or web/deviceinfo?

I'm developing a frontend for a known media center software and I need it in bytes instead of GB or MB.

That way I can avoid doing the math (freeSpace * 1024 * 1024 * etc) to get bytes and losing some accuracy.

Thanks for the great work you guys have done!

h.udo



Re: OpenWebif [E2OpenPlugins] #1206 Robertooo


Posted 4 August 2014 - 11:01

Hi,

Has anybody any idea why openwebif doesn't work on my PC with Win 7? The channels aren't visible in the list, but with Win XP they work perfectly.

Other things work OK with Win 7 too.



Re: OpenWebif [E2OpenPlugins] #1207 Kosh


Posted 4 August 2014 - 11:19

Try to use an alternative browser, not I.E.


ET10K user i.c.w. Samsung UE40B6000 LED HDTV. ET9K alas not functioning anymore.


Re: OpenWebif [E2OpenPlugins] #1208 WanWizard

  • PLi® Core member

Posted 4 August 2014 - 11:21

No problem here. I've seen reports that you may have to flush your cache or force a reload (using Ctrl-F5), due to changes in the ajax scripts.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Pro (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: OpenWebif [E2OpenPlugins] #1209 Robertooo


Posted 4 August 2014 - 11:47

I've tried it in Chrome, not I.E.



Re: OpenWebif [E2OpenPlugins] #1210 Dr. Hannibal


Posted 5 August 2014 - 17:31

I have one problem with the webif. I flashed the newest openpli and restored the settings, but now I have no access to the webif. I receive a message: unauthorized!

can anybody help me out?



Re: OpenWebif [E2OpenPlugins] #1211 SpaceRat


Posted 5 August 2014 - 17:54

> I have one problem with the webif. I flashed the newest openpli and restored the settings, but now I have no access to the webif. I receive a message: unauthorized!
> can anybody help me out?

Restoring the settings doesn't recover your Linux users or their passwords, AFAIR.
So if you enabled "disallow root logins" in OpenWebif, your additionally created user for OWIF might be missing.
or
Your root user still has the OpenPli default password (none at all) as flashed and you are trying to use your previous root password (as set before flashing).

Re: OpenWebif [E2OpenPlugins] #1212 Dr. Hannibal


Posted 5 August 2014 - 18:11

I tried to change the password with a plugin from the feed, but still no access... what is the default name in the new webif? or how can I create a user? or change the name?



Re: OpenWebif [E2OpenPlugins] #1213 SpaceRat


Posted 5 August 2014 - 18:30

> I tried to change the password with a plugin from the feed, but still no access... what is the default name in the new webif? or how can I create a user? or change the name?

If you hadn't done this before the re-flash of your box, you shouldn't need to do it now.

However, for your information:
adduser admin -h /dev/null -s /bin/false -H
(you will be asked for the new user's password) would create the user "admin" which can be used to log in to OWIF.
As this new user has no valid shell, unlike the user "root" he can't be abused for anything else but what can be done through the OWIF itself.

After successful creation and testing of such an additional user, you can disable root access to the openwebif inside its E2 configuration.
This will keep the OWIF from serving as a nice helper for probing the root password.

The password for user "root" (or any other user) can be changed after logging in to the box using telnet/ssh by entering
passwd
-> will change the password for the current user (= root)

or
passwd <user>
e.g.
passwd admin
will change the password for some other user (here: "admin").

Edited by SpaceRat, 5 August 2014 - 18:31.


Re: OpenWebif [E2OpenPlugins] #1214 Dr. Hannibal


Posted 5 August 2014 - 19:08

Thank you very much! Now it works again!



Re: OpenWebif [E2OpenPlugins] #1215 TheMystery


Posted 6 August 2014 - 16:03

> I've added an option to disallow logins as user "root".
>
> This makes it impossible for an attacker to abuse the Webif for probing the root password.
> Attempts to log in as root are intentionally not answered with any meaningful error message but just "401 - Authentication required", just as if you had entered wrong credentials.
>
> In order to use this feature, you first have to telnet/ssh to your box and enter (for example):
>
> adduser admin -h /dev/null -H -s /bin/false -G root
> plus a password for this new user (twice).
>
> This will create a new user
> - named "admin"
> - with /dev/null as his home dir (Does not exist)
> - with /bin/false as shell (can not login to shell ...)
> - being a member of the group "root" (Doesn't mean anything without the ability to get to a shell)
> and the password as chosen by you ... (Preferably NOT the same as that for user "root").
>
> Group "users" or any other existing group should work as well.
>
> After creating one (or multiple) users != "root", you can use their credentials for login and disable root logins.

I created a new user as described, and I can log in with the new user in the web interface.

I disabled root logins within enigma2 and rebooted the box.

But I can still log in with my root account, what could be wrong?

Also if I enable stream authentication I can normally stream without password.

I have already installed a clean image and configured everything again but with no result.


Edited by TheMystery, 6 August 2014 - 16:07.


Re: OpenWebif [E2OpenPlugins] #1216 SpaceRat


Posted 6 August 2014 - 16:29

> I disabled root logins within enigma2 and rebooted the box.
> But I can still log in with my root account, what could be wrong?

Re-check the settings:
If E2 crashes (even invisibly) during reboot (and it does that quite frequently) it might forget to save the settings.

If this is the case and you can't get your settings saved, perform the following steps from shell (telnet/ssh):

1. Enter "init 4" in order to quit E2
2. Open "/etc/enigma2/settings" inside an editor (e.g. mcedit from mc) or a lame excuse for an editor (vi)
3. Find the line saying "config.OpenWebif.no_root_access=" and change the value after the "=" to "true".
4. Save the file and reboot the box

> Also if I enable stream authentication I can normally stream without password.

Streaming and stream auth isn't handled by OpenWebif in OpenPli images, so there's nothing OpenWebif can do about it in this case.

Re: OpenWebif [E2OpenPlugins] #1217 TheMystery


Posted 6 August 2014 - 16:54

> > I disabled root logins within enigma2 and rebooted the box.
> > But I can still log in with my root account, what could be wrong?
>
> Re-check the settings:
> If E2 crashes (even invisibly) during reboot (and it does that quite frequently) it might forget to save the settings.
>
> If this is the case and you can't get your settings saved, perform the following steps from shell (telnet/ssh):
>
> 1. Enter "init 4" in order to quit E2
> 2. Open "/etc/enigma2/settings" inside an editor (e.g. mcedit from mc) or a lame excuse for an editor (vi)
> 3. Find the line saying "config.OpenWebif.no_root_access=" and change the value after the "=" to "true".
> 4. Save the file and reboot the box
>
> > Also if I enable stream authentication I can normally stream without password.
>
> Streaming and stream auth isn't handled by OpenWebif in OpenPli images, so there's nothing OpenWebif can do about it in this case.

These are the settings of openwebif in /etc/enigma2/settings:

config.OpenWebif.auth_for_streaming=true (not working)
config.OpenWebif.auth=true (works)
config.OpenWebif.no_root_access=true (not working)

So the values are saved correctly.


Edited by TheMystery, 6 August 2014 - 16:55.


Re: OpenWebif [E2OpenPlugins] #1218 SpaceRat


Posted 6 August 2014 - 19:48

TheMystery, on 06 Aug 2014 - 17:52, said:
> But I can still log in with my root account, what could be wrong?

Now I remember:
That setting is overridden for local connections using IPv4.
This was implemented in order to avoid hassle with legacy E2 Bouquet Editors and stuff like that which allow only one set of login/pass for all services (ftp/telnet/http) used by them.

So in order to test you would have to try a remote connection.
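An added example, not part of the thread or of OpenWebif, combining the manual settings edit from post #1216 with the local-IPv4 exception explained just above. It reads and rewrites the config.OpenWebif.* keys in /etc/enigma2/settings text and models the root-login decision so the exception can be seen in a test rather than discovered the way TheMystery did. The page does not say how OpenWebif decides that a connection is "local"; the assumption here is an IPv4 client in the box's own subnet (LOCAL_NETS), SAMPLE_SETTINGS is a constructed fragment, and SECURITY_KEYS, weak_settings, set_setting and root_login_allowed are names chosen here.

```python
"""Inspect/rewrite OpenWebif keys in /etc/enigma2/settings and model the
root-login decision described in the thread, including the local-IPv4
exception. Assumption (not stated on the page): "local" means an IPv4
client inside the box's own subnet, configured below in LOCAL_NETS.
"""
import ipaddress

# Constructed fragment of /etc/enigma2/settings (enigma2 writes one
# key=value per line and leaves out keys that still have their default).
SAMPLE_SETTINGS = """\
config.OpenWebif.port=80
config.OpenWebif.auth=true
config.OpenWebif.auth_for_streaming=true
config.OpenWebif.no_root_access=false
config.OpenWebif.enabled=true
"""

SECURITY_KEYS = (
    "config.OpenWebif.auth",
    "config.OpenWebif.no_root_access",
    "config.OpenWebif.auth_for_streaming",
)

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumption: the box's LAN


def parse_settings(text):
    """key -> value for every 'key=value' line; comments and blanks skipped."""
    settings = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def set_setting(text, key, value):
    """Return text with key=value replaced, or appended if absent.
    Stop enigma2 first (init 4); it rewrites the file when it exits."""
    lines = text.splitlines()
    prefix = key + "="
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            lines[i] = prefix + value
            break
    else:
        lines.append(prefix + value)
    return "\n".join(lines) + "\n"


def weak_settings(settings):
    """Security keys whose value is not 'true'. A missing key means the
    default (false), so it is reported too."""
    return [k for k in SECURITY_KEYS if settings.get(k, "false") != "true"]


def is_local_ipv4(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return addr.version == 4 and any(addr in net for net in LOCAL_NETS)


def root_login_allowed(user, client_ip, settings, strict=False):
    """Behaviour described in the thread: no_root_access blocks "root"
    except for local IPv4 clients. strict=True drops that exception,
    which is what you want if the LAN itself is not trusted."""
    if user != "root":
        return True
    if settings.get("config.OpenWebif.no_root_access") != "true":
        return True
    if strict:
        return False
    return is_local_ipv4(client_ip)


if __name__ == "__main__":
    current = parse_settings(SAMPLE_SETTINGS)
    print("weak:", weak_settings(current))
    fixed = parse_settings(
        set_setting(SAMPLE_SETTINGS, "config.OpenWebif.no_root_access", "true"))
    for ip in ("192.168.1.20", "203.0.113.7", "2001:db8::1"):
        print(ip, "root allowed:", root_login_allowed("root", ip, fixed),
              "strict:", root_login_allowed("root", ip, fixed, strict=True))
```

The practical consequence matches SpaceRat's advice: a test from a machine on the same IPv4 LAN proves nothing about the setting, so verify it from outside (or over IPv6), and treat the LAN exception as part of your threat model rather than as a bug in your configuration.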

Re: OpenWebif [E2OpenPlugins] #1219 TheMystery


Posted 6 August 2014 - 20:10

> TheMystery, on 06 Aug 2014 - 17:52, said:
> > But I can still log in with my root account, what could be wrong?
>
> Now I remember:
> That setting is overridden for local connections using IPv4.
> This was implemented in order to avoid hassle with legacy E2 Bouquet Editors and stuff like that which allow only one set of login/pass for all services (ftp/telnet/http) used by them.
>
> So in order to test you would have to try a remote connection.

Okay, I'm going to try it tomorrow at work.

Is it the same for streaming?


Edited by TheMystery, 6 August 2014 - 20:11.


Re: OpenWebif [E2OpenPlugins] #1220 TheMystery


Posted 7 August 2014 - 13:13

> > TheMystery, on 06 Aug 2014 - 17:52, said:
> > > But I can still log in with my root account, what could be wrong?
> >
> > Now I remember:
> > That setting is overridden for local connections using IPv4.
> > This was implemented in order to avoid hassle with legacy E2 Bouquet Editors and stuff like that which allow only one set of login/pass for all services (ftp/telnet/http) used by them.
> >
> > So in order to test you would have to try a remote connection.
>
> Okay, I'm going to try it tomorrow at work.
>
> Is it the same for streaming?

From a remote connection it works indeed.

Stream authentication not yet tested.



