[WebUI] fix the security flaw in account (#764)

- In developement mode, if there is no default admin account, Node.js server WILL create admin/1423 account. - In production mode, even though there is no default admin account, Node.js server WILL NOT create admin/1423 account. 1. WebUI installation script will create default admin account if there is no account. $ curl -fsSL https://open5gs.org/open5gs/assets/webui/install | sudo -E bash - 2. Installation script will automatically uninstall WebUI if WebUI has already been installed.
2021-05-08 23:11:27 +09:00 · 2021-05-08 23:11:27 +09:00 · 26f14ee7ca
parent ff4695bd5a
commit 26f14ee7ca
4 changed files with 58 additions and 27 deletions
--- a/docs/assets/webui/install
+++ b/docs/assets/webui/install
@ -68,16 +68,28 @@ exec_cmd() {
 }

 uninstall() {
-exec_cmd_nobail "deb-systemd-invoke stop open5gs-webui"
-exec_cmd_nobail "systemctl disable open5gs-webui"
-exec_cmd_nobail "rm -f /lib/systemd/system/${PACKAGE}-webui.service"
-exec_cmd_nobail "systemctl daemon-reload"
+if [ -f /lib/systemd/system/${PACKAGE}-webui.service ]; then
+    STATUS="$(systemctl is-active open5gs-webui.service)"
+    if [ "${STATUS}" = "active" ]; then
+        exec_cmd_nobail "deb-systemd-invoke stop open5gs-webui"
+    fi
+
+    STATUS="$(systemctl is-enabled open5gs-webui.service)"
+    if [ "${STATUS}" = "enabled" ]; then
+        exec_cmd_nobail "systemctl disable open5gs-webui"
+    fi
+
+    exec_cmd_nobail "rm -f /lib/systemd/system/${PACKAGE}-webui.service"
+    exec_cmd_nobail "systemctl daemon-reload"
+fi
+
+if [ -d /usr/lib/node_modules/${PACKAGE} ]; then
+    exec_cmd_nobail "rm -rf /usr/lib/node_modules/${PACKAGE}"
+fi

-exec_cmd "rm -rf ./${PACKAGE}-${VERSION}"
-exec_cmd "rm -rf /usr/lib/node_modules/${PACKAGE}"
 }

-setup() {
+preinstall() {

 PRE_INSTALL_PKGS=""

@ -259,6 +271,23 @@ exec_cmd "deb-systemd-invoke start open5gs-webui"
 exec_cmd "rm -rf ./${PACKAGE}-${VERSION}"
 }

+postinstall() {
+
+print_status "Default Administrator Account [Username:admin, Password:1423]..."
+
+exec_cmd "cat << EOF > ./account.js
+db = db.getSiblingDB('open5gs')
+cursor = db.accounts.find()
+if ( cursor.count() == 0 ) {
+    db.accounts.insert({ salt: 'f5c15fa72622d62b6b790aa8569b9339729801ab8bda5d13997b5db6bfc1d997', hash: '402223057db5194899d2e082aeb0802f6794622e1cbc47529c419e5a603f2cc592074b4f3323b239ffa594c8b756d5c70a4e1f6ecd3f9f0d2d7328c4cf8b1b766514effff0350a90b89e21eac54cd4497a169c0c7554a0e2cd9b672e5414c323f76b8559bc768cba11cad2ea3ae704fb36abc8abc2619231ff84ded60063c6e1554a9777a4a464ef9cfdfa90ecfdacc9844e0e3b2f91b59d9ff024aec4ea1f51b703a31cda9afb1cc2c719a09cee4f9852ba3cf9f07159b1ccf8133924f74df770b1a391c19e8d67ffdcbbef4084a3277e93f55ac60d80338172b2a7b3f29cfe8a36738681794f7ccbe9bc98f8cdeded02f8a4cd0d4b54e1d6ba3d11792ee0ae8801213691848e9c5338e39485816bb0f734b775ac89f454ef90992003511aa8cceed58a3ac2c3814f14afaaed39cbaf4e2719d7213f81665564eec02f60ede838212555873ef742f6666cc66883dcb8281715d5c762fb236d72b770257e7e8d86c122bb69028a34cf1ed93bb973b440fa89a23604cd3fefe85fbd7f55c9b71acf6ad167228c79513f5cfe899a2e2cc498feb6d2d2f07354a17ba74cecfbda3e87d57b147e17dcc7f4c52b802a8e77f28d255a6712dcdc1519e6ac9ec593270bfcf4c395e2531a271a841b1adefb8516a07136b0de47c7fd534601b16f0f7a98f1dbd31795feb97da59e1d23c08461cf37d6f2877d0f2e437f07e25015960f63', username: 'admin', roles: [ 'admin' ], "__v" : 0})
+}
+EOF"
+exec_cmd "mongo open5gs ./account.js"
+exec_cmd "rm -f ./account.js"
+}
+
 ## Defer setup until we have the complete script
-setup
+uninstall
+preinstall
 install
+postinstall
--- a/webui/package-lock.json
+++ b/webui/package-lock.json
@ -1,6 +1,6 @@
 {
  "name": "open5gs",
-  "version": "2.2.6",
+  "version": "2.2.8",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
--- a/webui/package.json
+++ b/webui/package.json
@ -1,6 +1,6 @@
 {
  "name": "open5gs",
-  "version": "2.2.6",
+  "version": "2.2.8",
  "description": "Open5gs",
  "main": "index.js",
  "repository": "https://github.com/open5gs/open5gs/webui",
--- a/webui/server/index.js
+++ b/webui/server/index.js
@ -41,24 +41,26 @@ co(function* () {
    /* other options */
  })

-  Account.count((err, count) => {
-    if (err) {
-      console.error(err);
-      throw err;
-    }
+  if (dev) {
+    Account.count((err, count) => {
+      if (err) {
+        console.error(err);
+        throw err;
+      }

-    if (!count) {
-      const newAccount = new Account();
-      newAccount.username = 'admin';
-      newAccount.roles = [ 'admin' ];
-      Account.register(newAccount, '1423', err => {
-        if (err) {
-          console.error(err);
-          throw err;
-        }
-      })
-    }
-  })
+      if (!count) {
+        const newAccount = new Account();
+        newAccount.username = 'admin';
+        newAccount.roles = [ 'admin' ];
+        Account.register(newAccount, '1423', err => {
+          if (err) {
+            console.error(err);
+            throw err;
+          }
+        })
+      }
+    })
+  }

  const server = express();