Include Peer 1 contact info in contact report
[hcoop/portal.git] / sec.mlt
<% (* Per-request setup for the security-settings page.  you / yourname
 * identify the logged-in member; the "node" and "uname" request parameters
 * choose which machine and which account the rest of the page reads
 * settings for and files requests against. *)
val you = Init.getUserId ();
val yourname = Init.getUserName ();

(* An empty "node" parameter falls back to node 2. *)
val nodeNum = case $"node" of
	  "" => 2
	| node => Web.stoi node;
val nodeName = Init.nodeName nodeNum;

(* NOTE(review): a non-empty "uname" parameter is accepted as-is.  Nothing
 * visible here checks it against yourname :: Sec.findSubusers yourname
 * (the list offered in the "Your users" drop-down), so a member can read
 * the settings of, and file requests naming, an account that is not theirs
 * unless the Sec functions enforce ownership themselves -- confirm. *)
val uname = case $"uname" of
	  "" => yourname
	| uname => uname;

(* Current settings of the selected account on the selected node. *)
val socks = Sec.socketPerms {node = nodeNum, uname = uname};
val tpe = Sec.isTpe {node = nodeNum, uname = uname};
val cron = Sec.cronAllowed {node = nodeNum, uname = uname};
val ftp = Sec.ftpAllowed {node = nodeNum, uname = uname};

(* Branches that render a page of their own set this to false; the request
 * forms at the bottom are shown only while it is still true. *)
ref showNormal = true;

@header [("title", ["Security settings"])];

(* "socks" asks the member to confirm a socket-permission change; "socks2"
 * files the request and e-mails a notification.
 * NOTE(review): the confirmation step is a plain GET link and no
 * anti-forgery token is visible in this file -- confirm whether the
 * framework supplies one. *)
if $"cmd" = "socks" then
	showNormal := false;
	val socks = $"socks";
	%>Are you sure you want to request that socket permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be changed to <b><% Web.html socks %></b>?<br>
	<a href="sec?cmd=socks2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&socks=<% Web.urlEncode socks %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "socks2" then
	(* The "socks" and "uname" parameters go into the stored request text
	 * verbatim; "socks" is not checked against the none / any / client /
	 * server values the form offers.  The text is later rendered on the
	 * staff request pages, so it has to be HTML-escaped there. *)
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": change socket permissions to ", $"socks"], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%

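(* "tpe" asks the member to confirm a trusted-path-executables change;
 * "tpe2" files the request and e-mails a notification.
 * NOTE(review): the confirmation step is a plain GET link and no
 * anti-forgery token is visible in this file -- confirm whether the
 * framework supplies one. *)
elseif $"cmd" = "tpe" then
	showNormal := false;
	val tpe = iff $"tpe" = "yes" then "on" else "off";
	%>Are you sure you want to request that trusted-path-executables-only for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be turned <b><% tpe %></b>?<br>
	<a href="sec?cmd=tpe2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&tpe=<% tpe %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "tpe2" then
	(* Normalise the parameter the way the cron2 and ftp2 branches do, so
	 * only "on" or "off" can reach the stored request text.  Anything
	 * unexpected falls back to the more restrictive "on". *)
	val tpe = iff $"tpe" = "off" then "off" else "on";
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": turn tpe ", tpe], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%
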
(* "cron" asks the member to confirm a cron-permission change; "cron2"
 * files the request and e-mails a notification.
 * NOTE(review): the confirmation step is a plain GET link and no
 * anti-forgery token is visible in this file -- confirm whether the
 * framework supplies one. *)
elseif $"cmd" = "cron" then
	showNormal := false;
	(* Only the two fixed words can be echoed, so no escaping is needed. *)
	val cron = iff $"cron" = "yes" then "enabled" else "disabled";
	%>Are you sure you want to request that <tt>cron</tt> permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% cron %></b>?<br>
	<a href="sec?cmd=cron2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&cron=<% cron %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "cron2" then
	(* Anything other than "enabled" is treated as a request to disable. *)
	val cron = iff $"cron" = "enabled" then "enable" else "disable";
	(* uname still reaches the stored request text verbatim. *)
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", cron, " cron access"], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%

(* "ftp" asks the member to confirm an FTP-permission change; "ftp2" files
 * the request and e-mails a notification.
 * NOTE(review): the confirmation step is a plain GET link and no
 * anti-forgery token is visible in this file -- confirm whether the
 * framework supplies one. *)
elseif $"cmd" = "ftp" then
	showNormal := false;
	(* Only the two fixed words can be echoed, so no escaping is needed. *)
	val ftp = iff $"ftp" = "yes" then "enabled" else "disabled";
	%>Are you sure you want to request that FTP permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% ftp %></b>?<br>
	<a href="sec?cmd=ftp2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&ftp=<% ftp %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "ftp2" then
	(* Anything other than "enabled" is treated as a request to disable. *)
	val ftp = iff $"ftp" = "enabled" then "enable" else "disable";
	(* uname still reaches the stored request text verbatim. *)
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", ftp, " FTP access"], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%

(* "rule" asks the member to confirm a new firewall rule; "rule2" files the
 * request.  Both steps run Sec.validRule, so the check is not skipped when
 * the second step is requested directly.
 * NOTE(review): the confirmation step is a plain GET link and no
 * anti-forgery token is visible in this file -- confirm whether the
 * framework supplies one. *)
elseif $"cmd" = "rule" then
	showNormal := false;
	val rule = $"rule";

	if Sec.validRule rule then
		%>Are you sure you want to request the firewall rule <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
		<a href="sec?cmd=rule2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
	else
		%>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
	end

elseif $"cmd" = "rule2" then
	val rule = $"rule";

	(* Re-validate: the rule arrives as a request parameter again. *)
	if Sec.validRule rule then
		(* uname is not validated and reaches the stored text verbatim. *)
		val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Add firewall rule \"", uname, " ", rule, "\""], msg = $"msg"};
		if not (Sec.Req.notifyNew id) then
			%><h3>Error sending e-mail notification</h3><%
		end
		%><h3>Request added</h3><%
	else
		%>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
	end

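(* "modRule" asks the member to confirm replacing an existing firewall rule;
 * "modRule2" files the request.  The replacement text is checked with
 * Sec.validRule in both steps, matching the rule / rule2 branches, so the
 * modify path cannot be used to file rule text that the add path rejects.
 * The old rule text is only quoted back and is not validated.
 * NOTE(review): the confirmation step is a plain GET link and no
 * anti-forgery token is visible in this file -- confirm whether the
 * framework supplies one. *)
elseif $"modRule" <> "" then
	showNormal := false;
	val oldRule = $"modRule";
	val rule = $"rule";

	if oldRule = rule then
		%>You didn't modify the textbox for this rule before clicking the button, so there is no request to be made.<%
	elseif not (Sec.validRule rule) then
		%>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
	else
		%>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> be replaced by <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
		<a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&modRule2=<% Web.urlEncode oldRule %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
	end
elseif $"modRule2" <> "" then
	val rule = $"rule";

	(* Re-validate: the rule arrives as a request parameter again. *)
	if Sec.validRule rule then
		val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Change firewall rule \"", uname, " ", $"modRule2", "\" to \"", uname, " ", rule, "\""], msg = $"msg"};
		if not (Sec.Req.notifyNew id) then
			%><h3>Error sending e-mail notification</h3><%
		end
		%><h3>Request added</h3><%
	else
		%>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
	end
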
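(* "delRule" asks the member to confirm deleting a firewall rule; "delRule2"
 * files the request.  The confirmation text now closes its bold element
 * properly.
 * NOTE(review): the confirmation step is a plain GET link and no
 * anti-forgery token is visible in this file -- confirm whether the
 * framework supplies one. *)
elseif $"delRule" <> "" then
	showNormal := false;
	val oldRule = $"delRule";
	%>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> on <b><% Web.html nodeName %></b> be <b>deleted</b>?<br>
	<a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&delRule2=<% Web.urlEncode oldRule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"delRule2" <> "" then
	(* The rule text and uname are request parameters and reach the stored
	 * request text verbatim; the text is later rendered on the staff
	 * request pages, so it has to be HTML-escaped there. *)
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Delete firewall rule \"", uname, " ", $"delRule2", "\""], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%
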
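(* Staff view of the open requests.  Group.requireGroupName presumably
 * restricts the branch to members of the "server" group -- confirm.
 * The request text is assembled from member-supplied parameters, so it is
 * passed through Web.html like the other strings on this page; left
 * unescaped it would be rendered as markup in a staff member's session.
 * NOTE(review): name is still written without Web.html; confirm that user
 * names cannot contain markup characters. *)
elseif $"cmd" = "open" then
	showNormal := false;
	Group.requireGroupName "server";
	%><h3>Open requests</h3>
	<a href="sec?cmd=list">List all requests</a><%

	foreach (name, req) in Sec.Req.listOpen () do %>
<br><hr><br>
<table class="blanks">
<tr> <td>By:</td> <td><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
<tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
<tr> <td>Request:</td> <td><% Web.html (#data req) %></td> </tr>
<tr> <td>Msg:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
</table>

<br>
<a href="sec?mod=<% #id req %>">[Modify]</a>
<a href="sec?del=<% #id req %>">[Delete]</a><br>

<% end
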
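(* Staff view of every request, open or not.  Group.requireGroupName
 * presumably restricts the branch to members of the "server" group --
 * confirm.  The request text is assembled from member-supplied parameters,
 * so it is passed through Web.html like the other strings on this page;
 * left unescaped it would be rendered as markup in a staff member's
 * session.
 * NOTE(review): name is still written without Web.html; confirm that user
 * names cannot contain markup characters. *)
elseif $"cmd" = "list" then
	showNormal := false;
	Group.requireGroupName "server"
	%><h3>All requests</h3><%

	foreach (name, req) in Sec.Req.list () do %>
<br><hr><br>
<table class="blanks">
<tr> <td>By:</td> <td colspan="2"><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
<tr> <td>Time:</td> <td colspan="2"><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
<tr> <td>Request:</td> <td><% Web.html (#data req) %></td> </tr>
<tr> <td>Reason:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
</table>

<br>
<a href="sec?mod=<% #id req %>">[Modify]</a>
<a href="sec?del=<% #id req %>">[Delete]</a>

<% end
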
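(* Staff form for handling one request.  Group.requireGroupName presumably
 * restricts the branch to members of the "server" group -- confirm.
 * Two fixes relative to the earlier version:
 *  - the request text is escaped before it is placed in the value
 *    attribute, since it is assembled from member-supplied parameters;
 *  - the node drop-down preselects the node stored on the request.  The old
 *    test compared nodeNum with the request's node, which does not depend
 *    on the option being written, so every option or none was marked
 *    selected and saving could move the request to a different node.
 * NOTE(review): assumes Web.html also escapes double quotes, as the
 * existing rule value attributes on this page already rely on -- confirm.
 * NOTE(review): the requestor's name is still written without Web.html. *)
elseif $"mod" <> "" then
	showNormal := false;
	Group.requireGroupName "server";
	val id = Web.stoi ($"mod");
	val req = Sec.Req.lookup id;
	val user = Init.lookupUser (#usr req) %>
<h3>Handle request</h3>

<form action="sec" method="post">
<input type="hidden" name="save" value="<% id %>">
<table class="blanks">
<tr> <td>Requestor:</td> <td><a href="user?id=<% #usr req %>"><% #name user %></a></td> </tr>
<tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
<tr> <td>Status:</td> <td><select name="status">
	<option value="0"<% if #status req = Sec.Req.NEW then %> selected<% end %>>New</option>
	<option value="1"<% if #status req = Sec.Req.INSTALLED then %> selected<% end %>>Installed</option>
	<option value="2"<% if #status req = Sec.Req.REJECTED then %> selected<% end %>>Rejected</option>
</select></td> </tr>
<tr> <td>Node:</td> <td><select name="node">
<% foreach node in Init.listNodes () do %>
	<option value="<% #id node %>"<% if #id node = #node req then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
<% end %></select></td> </tr>
<tr> <td>Request:</td> <td><input name="req" value="<% Web.html (#data req) %>"></td> </tr>
<tr> <td>Message:</td> <td><textarea name="msg" rows="10" cols="80" wrap="soft"><% Web.html (#msg req) %></textarea></td> </tr>
<tr> <td><input type="submit" value="Save"></td> </tr>
</table>
</form>
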
<% elseif $"save" <> "" then
	(* Stores the edited request and, when the status changed, sends a
	 * notification naming the staff member who changed it.
	 * Group.requireGroupName presumably restricts the branch to members of
	 * the "server" group -- confirm.
	 * NOTE(review): the "status" parameter goes through Web.stoi and
	 * Sec.Req.statusFromInt; what happens for values other than the 0 / 1 / 2
	 * the form offers is not visible here.
	 * NOTE(review): no anti-forgery token is visible in this file, and
	 * whether this branch is limited to POST cannot be told from here --
	 * confirm both. *)
	showNormal := false;
	Group.requireGroupName "server";
	val id = Web.stoi ($"save");
	val req = Sec.Req.lookup id;
	val oldStatus = #status req;
	val newStatus = Sec.Req.statusFromInt (Web.stoi ($"status"));
	(* node comes from the "node" parameter read at the top of the page. *)
	Sec.Req.modify {req with node = nodeNum, data = $"req", msg = $"msg", status = newStatus};
	if oldStatus <> newStatus then
		if not (Sec.Req.notifyMod {old = oldStatus, new = newStatus, changer = Init.getUserName(), req = id}) then
			%><h3>Error sending e-mail notification</h3><%
		end
	end
	%><h3>Request modified</h3>
	Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>

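<% elseif $"del" <> "" then
	(* Staff confirmation page for deleting a request.
	 * Group.requireGroupName presumably restricts the branch to members of
	 * the "server" group -- confirm.  The request text is assembled from
	 * member-supplied parameters, so it is passed through Web.html before
	 * being quoted back.
	 * NOTE(review): the requestor's name is still written without Web.html.
	 * NOTE(review): the deletion itself is triggered by a plain GET link and
	 * no anti-forgery token is visible in this file -- confirm whether the
	 * framework supplies one. *)
	showNormal := false;
	Group.requireGroupName "server";
	val id = Web.stoi ($"del");
	val req = Sec.Req.lookup id;
	val user = Init.lookupUser (#usr req)
	%><h3>Are you sure you want to delete request by <% #name user %> for "<% Web.html (#data req) %>" on <% Web.html (Init.nodeName (#node req)) %>?</h3>
	<a href="sec?del2=<% id %>">Yes, I'm sure!</a>
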
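<% elseif $"del2" <> "" then
	(* Deletes the request.  Group.requireGroupName presumably restricts
	 * the branch to members of the "server" group -- confirm.  The heading
	 * markup is now balanced; it previously closed a bold element that was
	 * never opened and left the heading open.
	 * NOTE(review): this destructive step is reached by a plain GET and no
	 * anti-forgery token is visible in this file -- confirm whether the
	 * framework supplies one. *)
	showNormal := false;
	Group.requireGroupName "server";
	val id = Web.stoi ($"del2");
	Sec.Req.delete id
	%><h3>Request deleted</h3>
	Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>

<% end;
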
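(* The ordinary view: machine and account switchers followed by the request
 * forms.  nodeNum is an integer and is written out directly.  uname is a
 * request parameter, so it is passed through Web.html wherever it lands in
 * an attribute value; several hidden fields used to write it raw.  That
 * includes the socket and TPE forms, which are wrapped in an HTML comment:
 * the template regions inside them are presumably still evaluated and sent
 * to the browser, so a raw value there could end the comment early.
 * NOTE(review): assumes Web.html also escapes double quotes, which the
 * existing hidden uname field of the machine switcher already relies on --
 * confirm. *)
if showNormal then %>

<table class="blanks">
<form action="sec" method="post">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<tr> <td>Machines:</td> <td><select name="node">
<% foreach node in Init.listNodes () do %>
	<option value="<% #id node %>"<% if nodeNum = #id node then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
<% end %></select></td>
<td><input type="submit" value="Switch"></td> </tr>
</form>
<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<tr> <td>Your users:</td> <td><select name="uname">
<% (* Account names are escaped like every other string on the page. *)
foreach name in (yourname :: Sec.findSubusers yourname) do %>
	<option value="<% Web.html name %>"<% if uname = name then %> selected<% end %>><% Web.html name %></option>
<% end %></select></td>
<td><input type="submit" value="Switch"></td> </tr>
</form>
</table>

<!--h3>Request socket permissions change</h3>

<p>You need to request socket permissions before you are able to open any network connections. While you will be limited by firewall rules even then, any requests for firewall rules you enter in the "Reason" blank here <b>will be ignored</b>. Please use the separate form at the bottom of this page for that. There is no need to wait until a request for socket permissions has been granted before starting to request firewall rules.</p>

<p>Keep in mind that, if your request is granted, it will never apply to existing log-in sessions. Close them and re-connect to take advantage of your new privileges.</p>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="socks">
<table class="blanks">
<tr> <td>New permissions:</td> <td><select name="socks">
	<option value="none"<% if socks = Sec.NADA then %> selected<% end %>>None</option>
	<option value="any"<% if socks = Sec.ANY then %> selected<% end %>>Any</option>
	<option value="client"<% if socks = Sec.CLIENT_ONLY then %> selected<% end %>>Client only</option>
	<option value="server"<% if socks = Sec.SERVER_ONLY then %> selected<% end %>>Server only</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<h3>Request change to your execute permissions</h3>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="tpe">
<table class="blanks">
<tr> <td>Trusted path executables only?</td> <td><select name="tpe">
	<option value="no"<% if not tpe then %> selected<% end %>>No</option>
	<option value="yes"<% if tpe then %> selected<% end %>>Yes</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form-->

<h3>Request change to your <tt>cron</tt> permissions</h3>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="cron">
<table class="blanks">
<tr> <td>Allowed to use cron?</td> <td><select name="cron">
	<option value="no"<% if not cron then %> selected<% end %>>No</option>
	<option value="yes"<% if cron then %> selected<% end %>>Yes</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<h3>Request change to your FTP permissions</h3>

<p>Please read <a href="http://wiki.hcoop.net/wiki/FileTransfer">our wiki instructions on file transfer</a> before requesting FTP access. Almost everyone should use alternative protocols to FTP that provide superior security benefits.</p>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="ftp">
<table class="blanks">
<tr> <td>Allowed to use FTP?</td> <td><select name="ftp">
	<option value="no"<% if not ftp then %> selected<% end %>>No</option>
	<option value="yes"<% if ftp then %> selected<% end %>>Yes</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>
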
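<% (* Existing firewall rules for the selected account and node, each with a
 * change form and a deletion link, followed by the new-rule form.
 * Two fixes relative to the earlier version:
 *  - uname is a request parameter and is now passed through Web.html in
 *    the hidden fields, as the rule text already was;
 *  - the deletion link carries node and uname, like the other links on
 *    this page.  Without them the delRule branch fell back to the default
 *    node and the logged-in member's own name, so a deletion requested
 *    while viewing another node or a sub-user was filed against the wrong
 *    target.
 * NOTE(review): assumes Web.html also escapes double quotes, as the
 * existing rule value attributes already rely on -- confirm. *)
val rules = Sec.findFirewallRules {node = nodeNum, uname = uname};
switch rules of
	  _::_ => %>
<h3>Your firewall rules</h3>

<% foreach rule in rules do %>
<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="modRule" value="<% Web.html rule %>">
<input name="rule" value="<% Web.html rule %>">
<a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&delRule=<% Web.urlEncode rule %>">[Request deletion]</a>
<input type="submit" value="Request change">
</form><br>
<% end
end%>

<h3>Request a new firewall rule</h3>

<p><b>This form isn't needed yet to allow you to use any port. However, if you request a rule here, you can be sure it will be added when we first implement firewalls on our new servers. Otherwise, your custom services may stop working.</b></p>

<p>You can find a description of rule formats <a href="http://wiki.hcoop.net/wiki/FirewallRules">on our wiki</a>. Enter here the rule you want, without the initial <tt>user</tt> portion.</p>

<p>Please note that <b>your firewall rule will be useless</b> if you don't first request the corresponding socket privileges at the top of this page. Also, common ports like 80 (HTTP) are open to everyone with socket permissions. Verify that you can't access a port after socket permissions have been granted before requesting a special rule here.</p>

<p>We very rarely grant requests for Client rules that don't include remote host whitelists. For example, important security concerns make it a bad idea for us to give anybody blanket IRC permissions. Instead, request specific servers. We will refuse such requests that include networks that are popularly considered fronts for illegal activity.</p>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="rule">
<table class="blanks">
<tr> <td>Rule</td> <td><input name="rule" size="80"></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<% end %>

<% @footer[] %>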