Make syslogctrl.c use TCP as remote logging file if specified so.
Thanks to Michael for reviewing this.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This would become a security risk if anyone gets
shell access as any user to copy out the HTTPS keys.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will allow us to run multiple builds on the same
system at the same time (or at least have them on disk).
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Validate GPG keys by fingerprint and not by 8-bit key-ID.
This makes exploiting bug #11539 harder, but not impossible
and does not affect existing installations.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
This fixes: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
CVE-2017-13087, CVE-2017-13088
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Generate ECDSA key (and sign it) in case it does not exist. That way,
httpscert can be ran on existing installations without breaking already
generated (RSA) keys.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is not necessary to stop any clients from accessing the
Internet, but if we know that we don't need a line for certain
any more, we can as well remove the firewall rule straight away.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When loading the initscript of the firewall the neccessary chains for
the captive portalneed to be created.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
The cleanup script is called every hour and deletes expired clients from
the clients file.
every night the captivectrl warpper runs once to flush the chains and
reload rules for active clients
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
When the expiry time equals zero, the lease will have
no time constraints. The IP address will also be removed
as it might probably change.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This wrapper reads the captive settings and clients and sets the
firewall access rules. It is called every time the config changed or
everytime that a client changes. Also this wrapper is later called once
hourly to flush the chains and rebuild rules for actual clients.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
- Updated to apache 2.4
- Updated the htpasswd generation to use the more secure bcrypt algorithm
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this resolves problems that negative answers from
a forwarder was still used after setting new servers.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
the ntp initskript will only run at first connection try. If this fails
and the connection can established later DNS will not work if the clock
is too far away.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
new versions of agetty missinterpretes the baudrate and set it as TERM
without the parameter agetty use the previous rate that was set by the
kernel via console=XXX,Baudrate parameter.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
