Improved application security by changing the defaultness of auth_dev module.

The auth_dev authentication module was accidentaly enabled by default in configuration file shipped with Mentat packages. It was changed at some point locally during development and the change was accidentally committed. The documentation was missing the warning about disabling it during installation in production deployment. This is fixed now.

Improved application security by changing the defaultness of auth_dev module.
05aaa355 · Jan Mach · 260be019 · 05aaa355 · 05aaa355 · 05aaa355
Commit 05aaa355 authored 4 years ago by Jan Mach
--- a/conf/mentat-hawat.py.conf
+++ b/conf/mentat-hawat.py.conf
@@ -40,7 +40,7 @@ ENABLED_BLUEPRINTS = [
    'vial.blueprints.changelogs',
    'hawat.blueprints.auth_env',
-    'hawat.blueprints.auth_dev',
+    #'hawat.blueprints.auth_dev',
    'hawat.blueprints.auth_pwd',
    'hawat.blueprints.home',
    'hawat.blueprints.reports',

--- a/doc/sphinx/_doclib/installation.rst
+++ b/doc/sphinx/_doclib/installation.rst
@@ -618,7 +618,10 @@ ready for deployment out of the box:
    a2ensite site_mentat.conf
    # !!!!! THIS STEP IS SUPER IMPORTANT !!!!!
-    # Step 5: Change default SECRET_KEY in /etc/mentat/mentat-hawat.py.conf:
+    # Step 5: In file /etc/mentat/mentat-hawat.py.conf change default SECRET_KEY and
+    # in production deployment make sure, that ENABLED_BLUEPRINTS key does not
+    # contain 'hawat.blueprints.auth_dev', or that is is commented out. Otherwise
+    # you would enable anyone impersonate any other user without password.
    # !!!!! THIS STEP IS SUPER IMPORTANT !!!!!
    vim /etc/mentat/mentat-hawat.py.conf
@@ -634,6 +637,12 @@ ready for deployment out of the box:
    # (please adjust the attributes, do not simply copy and paste):
    mentat-dbmngr.py --command user-add login=superman "fullname=Clark Kent" email=kent@dailyplanet.com "organization=Daily Planet, inc." roles=user,admin
+.. warning::
+    Please make sure you have read step 5 in the recipe above. The :ref:`section-hawat-plugin-auth-dev`
+    authentication module in particular is a HUGE security risk when enabled in production
+    installation and accessible from network.
 .. warning::
    For demonstration purposes Mentat package ships with preconfigured ``htpasswd``

--- a/hawat.local.conf
+++ b/hawat.local.conf
@@ -5,3 +5,32 @@ MAIL_DEFAULT_SENDER = 'mentat@cesnet.cz'
 HAWAT_LOG_DEFAULT_LEVEL = 'debug'
 HAWAT_LOG_FILE = '/var/tmp/mentat-hawat.py.log'
 HAWAT_LOG_FILE_LEVEL = 'debug'
+ENABLED_BLUEPRINTS = [
+    'vial.blueprints.auth',
+    'vial.blueprints.auth_api',
+    'vial.blueprints.design_bs3',
+    'vial.blueprints.devtools',
+    'vial.blueprints.changelogs',
+    'hawat.blueprints.auth_env',
+    'hawat.blueprints.auth_dev',
+    'hawat.blueprints.auth_pwd',
+    'hawat.blueprints.home',
+    'hawat.blueprints.reports',
+    'hawat.blueprints.events',
+    'hawat.blueprints.hosts',
+    'hawat.blueprints.timeline',
+    'hawat.blueprints.dnsr',
+    #'hawat.blueprints.pdnsr',
+    'hawat.blueprints.geoip',
+    #'hawat.blueprints.nerd',
+    'hawat.blueprints.whois',
+    'hawat.blueprints.performance',
+    'hawat.blueprints.status',
+    'hawat.blueprints.dbstatus',
+    'hawat.blueprints.users',
+    'hawat.blueprints.groups',
+    'hawat.blueprints.settings_reporting',
+    'hawat.blueprints.filters',
+    'hawat.blueprints.networks',
+]