
luci-app-lxc: add permission to set lxc options#8531

Merged

systemcrash merged 1 commit into openwrt:master from mdevolde:luci-app-lxc-uci-set on Apr 9, 2026

Conversation

@mdevolde
Contributor

@mdevolde mdevolde commented Apr 6, 2026

  • This PR is not from my main or master branch 💩, but a separate branch ✅
  • Each commit has a valid ✒️ Signed-off-by: <my@email.address> row (via git commit --signoff)
  • Each commit and PR title has a valid 📝 <package name>: title first line subject for packages
  • Incremented 🆙 any PKG_VERSION in the Makefile
  • Tested on: aarch64, OpenWrt 25.12.2, Opera One (version 129.0.5823.44) ✅
  • Mention: @systemcrash
  • Screenshot of changes:

Actual behavior:
[screenshot]

New behavior (working set/save):
[screenshot]

  • Description:

Add set permission in acl.d file for luci-app-lxc to allow users to set lxc options in luci-app-lxc.
To perform my tests, I considered a user with these permissions in /etc/config/rpcd:

config login
        option username 'lxc'
        option password '$p$lxc'
        list read 'unauthenticated'
        list read 'luci-base'
        list read 'luci-app-lxc'
        list write 'luci-app-lxc'

Currently, users with these permissions are able to create containers and perform actions on them, but are not able to edit the basic settings. That's the purpose of this PR.

Add set permission in acl.d file for luci-app-lxc
to allow users to set lxc options in luci-app-lxc.
(considering that user has write permission for
this app)

Signed-off-by: mdevolde <martin.devolder2@gmail.com>
@github-actions

github-actions bot commented Apr 7, 2026

Warning

Some formality checks failed.

Consider (re)reading submissions guidelines.

Failed checks

Issues marked with an ❌ are failing checks.

Commit 9220734

  • 🔶 Author name must be either a real name 'firstname lastname' or a nickname/alias/handle
    Actual: mdevolde seems to be a nickname or an alias
    Expected: a real name 'firstname lastname'
  • 🔶 Commit(ter) name must be either a real name 'firstname lastname' or a nickname/alias/handle
    Actual: mdevolde seems to be a nickname or an alias
    Expected: a real name 'firstname lastname'

For more details, see the full job log.

Something broken? Consider providing feedback.

@systemcrash
Contributor

Am I right in thinking that the uci set command is now globally accessible via this app/user combo (e.g. uci set any-app any-property is possible)?

@mdevolde
Contributor Author

mdevolde commented Apr 7, 2026

I made the set query with the sysauth_https of a non-admin user that doesn't have access to this app (I received a 200):
[screenshot]

I made the apply query with the same sysauth_https as above, and with a CSRF token that I had just generated for this user (I received a 204):
[screenshot]

But, as we can see, the changes aren't really applied (Free Space Threshold should be 200000):
[screenshot]

So, it seems that a user just has uci access to the apps specified in the uci section (here, "uci": [ "lxc" ]), but it would be interesting to be sure about the exact behavior.

@mdevolde
Contributor Author

mdevolde commented Apr 7, 2026

@systemcrash the curious thing is the 2xx responses rather than 4xx responses. I will check the code to be 100% confident. If you know exactly how it works, I'm interested!

@mdevolde
Contributor Author

mdevolde commented Apr 7, 2026

I forgot to specify, but the other user trying to edit the lxc params has these permissions:

        list read 'unauthenticated'
        list read 'luci-base'
        list read 'luci-app-wol'
        list write 'luci-app-wol'

And these are the luci-app-wol ACLs:

{
	"luci-app-wol": {
		"description": "Grant access to wake-on-lan executables",
		"read": {
			"ubus": {
				"luci.wol": [ "stat" ],
				"luci-rpc": [ "getHostHints", "getNetworkDevices" ]
			},
			"uci": [ "luci-wol" ]
		},
		"write": {
			"ubus": {
				"luci.wol": [ "exec" ],
				"uci": [ "add", "set", "delete", "order" ]
			},
			"uci": [ "luci-wol" ]
		}
	}
}

So he has the uci set permission, but we don't want him to perform uci set on our lxc app.
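Why the wol user's set call is expected to fail even though its own ACL grants `uci set`: the added example below (my code, not rpcd's or LuCI's) models the two checks that stand between a session and a config change. The first is the ubus-scope grant (object `uci`, method `set`), the second is the uci-scope grant for the named config (`"uci": [ "luci-wol" ]` versus `"uci": [ "lxc" ]`). The luci-app-wol ACL and both `/etc/config/rpcd` logins are taken from this thread; the luci-app-lxc ACL is an assumption of what the file grants after this PR (`set` on the ubus `uci` object and `lxc` as the writable config), since the real file is not quoted on the page. In the live stack the first check is made by the HTTP ubus gateway before rpcd sees the call and fails with a JSON-RPC error rather than a ubus status; to keep the model small, both failures return status 6 here.

```python
"""Model of the two ACL checks behind a LuCI `uci set` call over ubus.

Added example for this PR thread; it is not rpcd's or LuCI's code.
The luci-app-wol ACL and both login grants are copied from the thread.
The luci-app-lxc ACL is an ASSUMPTION of what the acl.d file grants
after this PR (the `set` method on the ubus `uci` object for writers,
`lxc` as the only writable uci config); the real file is not quoted here.
"""

# Constructed, already-parsed contents of /usr/share/rpcd/acl.d/*.json.
ACL_D = {
    "luci-app-wol": {  # copied from the thread
        "description": "Grant access to wake-on-lan executables",
        "read": {
            "ubus": {
                "luci.wol": ["stat"],
                "luci-rpc": ["getHostHints", "getNetworkDevices"],
            },
            "uci": ["luci-wol"],
        },
        "write": {
            "ubus": {
                "luci.wol": ["exec"],
                "uci": ["add", "set", "delete", "order"],
            },
            "uci": ["luci-wol"],
        },
    },
    "luci-app-lxc": {  # ASSUMED post-PR shape, not the real file
        "description": "Grant access to LXC containers",
        "read": {"ubus": {"uci": ["get"]}, "uci": ["lxc"]},
        "write": {"ubus": {"uci": ["set"]}, "uci": ["lxc"]},
    },
}

# Constructed /etc/config/rpcd login sections, reduced to their group lists.
LOGINS = {
    "lxc": {
        "read": ["unauthenticated", "luci-base", "luci-app-lxc"],
        "write": ["luci-app-lxc"],
    },
    "wol": {
        "read": ["unauthenticated", "luci-base", "luci-app-wol"],
        "write": ["luci-app-wol"],
    },
}

UBUS_STATUS_OK = 0
UBUS_STATUS_PERMISSION_DENIED = 6

# rpcd's uci plugin asks for "read" access for these methods and "write"
# for everything else (set, add, delete, order, ...).
UCI_READ_METHODS = frozenset({"get", "state"})


def effective_acl(login, acl_d):
    """Merge the groups a login names into one table:
    {"read"|"write": {"ubus": {object: {methods}}, "uci": {configs}}}.

    As in rpcd, a group listed under `list write` contributes that group's
    "write" section and `list read` its "read" section. Groups with no
    acl.d entry in this model (unauthenticated, luci-base) add nothing.
    """
    merged = {mode: {"ubus": {}, "uci": set()} for mode in ("read", "write")}
    for mode in ("read", "write"):
        for group in login.get(mode, []):
            section = acl_d.get(group, {}).get(mode, {})
            for obj, methods in section.get("ubus", {}).items():
                merged[mode]["ubus"].setdefault(obj, set()).update(methods)
            merged[mode]["uci"].update(section.get("uci", []))
    return merged


def uci_call_status(login, acl_d, method, config):
    """Status a session with `login` gets for `ubus call uci <method> {"config": config}`.

    Check 1 (scope "ubus"): the session must hold object "uci", method
    `method`; read and write grants both count, the split only decides
    which acl.d section the method came from.
    Check 2 (scope "uci"): the session must hold the named config in the
    mode the method needs. rpcd's uci plugin fails this check with
    UBUS_STATUS_PERMISSION_DENIED (6), the result [6] quoted in the thread.
    """
    acl = effective_acl(login, acl_d)
    granted_methods = set()
    for mode in ("read", "write"):
        granted_methods |= acl[mode]["ubus"].get("uci", set())
    if method not in granted_methods:
        return UBUS_STATUS_PERMISSION_DENIED
    mode = "read" if method in UCI_READ_METHODS else "write"
    if config not in acl[mode]["uci"]:
        return UBUS_STATUS_PERMISSION_DENIED
    return UBUS_STATUS_OK


if __name__ == "__main__":
    for user in LOGINS:
        for config in ("lxc", "luci-wol"):
            status = uci_call_status(LOGINS[user], ACL_D, "set", config)
            print(f"user {user:<4} uci set {config:<9} -> ubus status {status}")
```

Running it prints status 0 for `lxc` on `lxc` and for `wol` on `luci-wol`, and 6 for each user on the other's config: the `"uci": [ ... ]` list, not the `"set"` method grant, is what scopes a writer to one application's config.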

@mdevolde
Contributor Author

mdevolde commented Apr 7, 2026

Ok I figured it out.

Response to uci set with the right auth token:

HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=20
Content-Type: application/json
Content-Length: 39

[{"jsonrpc":"2.0","id":7,"result":[0]}]

Response to uci set with the wrong auth token:

HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=20
Content-Type: application/json
Content-Length: 39

[{"jsonrpc":"2.0","id":7,"result":[6]}]

Diff:

HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=20
Content-Type: application/json
Content-Length: 39

- [{"jsonrpc":"2.0","id":7,"result":[0]}]
+ [{"jsonrpc":"2.0","id":7,"result":[6]}]

The difference is the result code.
0 is 200 OK:

6 is 403 Permission denied:

403, 'Permission denied',

So, a user with this permission can't perform uci set to any app.
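The check a tester wants after this comment: decode the body instead of trusting the HTTP status, because the ubus outcome rides in `result[0]` while the transport says 200 either way. The added example below is my code, not LuCI's or uhttpd's. `RESPONSE_OK` and `RESPONSE_DENIED` are the two bodies quoted above; `RESPONSE_GATEWAY_ERROR` is constructed to show the other failure shape, a JSON-RPC `error` member for a call the gateway refused before ubus ran it, and its `-32002` code is an assumption about the gateway's numbering, not something the thread shows. The 200/403 translations for codes 0 and 6 are the ones this comment confirms.

```python
"""Read the real outcome of LuCI JSON-RPC calls to /ubus.

Added example for this thread; not LuCI or uhttpd code. The HTTP layer
answers every well-formed JSON-RPC call with 200, and the ubus status
travels as result[0], so a denied `uci set` looks like a success until the
body is decoded. RESPONSE_OK and RESPONSE_DENIED are the two bodies quoted
in the thread; RESPONSE_GATEWAY_ERROR is constructed to show the other
failure shape, a JSON-RPC "error" member, and its -32002 code is an
assumption about the gateway's numbering, not something the thread shows.
"""
import json

# Status codes from libubus (enum ubus_msg_status).
UBUS_STATUS = {
    0: "UBUS_STATUS_OK",
    1: "UBUS_STATUS_INVALID_COMMAND",
    2: "UBUS_STATUS_INVALID_ARGUMENT",
    3: "UBUS_STATUS_METHOD_NOT_FOUND",
    4: "UBUS_STATUS_NOT_FOUND",
    5: "UBUS_STATUS_NO_DATA",
    6: "UBUS_STATUS_PERMISSION_DENIED",
    7: "UBUS_STATUS_TIMEOUT",
    8: "UBUS_STATUS_NOT_SUPPORTED",
    9: "UBUS_STATUS_UNKNOWN_ERROR",
    10: "UBUS_STATUS_CONNECTION_FAILED",
}
# The two translations the thread confirms LuCI makes.
HTTP_EQUIVALENT = {0: (200, "OK"), 6: (403, "Permission denied")}

RESPONSE_OK = '[{"jsonrpc":"2.0","id":7,"result":[0]}]'       # quoted in the thread
RESPONSE_DENIED = '[{"jsonrpc":"2.0","id":7,"result":[6]}]'   # quoted in the thread
RESPONSE_GATEWAY_ERROR = (                                     # constructed
    '[{"jsonrpc":"2.0","id":8,"error":{"code":-32002,"message":"Access denied"}}]'
)


def parse_ubus_batch(body):
    """Return one (id, status, data) tuple per call in the batch.

    status is the ubus code from result[0]; data is result[1] when the
    method returned a payload. A call the gateway rejected before ubus ran
    has no result at all, only a JSON-RPC error object: it is reported with
    status None and the error object as data.
    """
    calls = json.loads(body)
    if isinstance(calls, dict):  # a single, non-batch response
        calls = [calls]
    parsed = []
    for call in calls:
        if "error" in call:
            parsed.append((call.get("id"), None, call["error"]))
            continue
        result = call.get("result")
        if not isinstance(result, list) or not result:
            raise ValueError(f"malformed ubus result in call {call.get('id')}: {result!r}")
        parsed.append((call.get("id"), result[0], result[1] if len(result) > 1 else None))
    return parsed


def verdict(body):
    """One human-readable line per call, judged on the ubus status, not on the HTTP code."""
    lines = []
    for call_id, status, data in parse_ubus_batch(body):
        if status is None:
            lines.append(f"id {call_id}: rejected by the RPC gateway: "
                         f"{data.get('message')} (code {data.get('code')})")
        elif status == 0:
            lines.append(f"id {call_id}: applied (ubus 0, LuCI shows 200 OK)")
        else:
            name = UBUS_STATUS.get(status, f"unknown status {status}")
            http = HTTP_EQUIVALENT.get(status)
            shown = f", LuCI shows {http[0]} {http[1]}" if http else ""
            lines.append(f"id {call_id}: FAILED {name} (ubus {status}{shown})")
    return lines


def all_succeeded(body):
    """True only if every call in the batch returned ubus status 0."""
    return all(status == 0 for _, status, _ in parse_ubus_batch(body))


if __name__ == "__main__":
    for body in (RESPONSE_OK, RESPONSE_DENIED, RESPONSE_GATEWAY_ERROR):
        for line in verdict(body):
            print(line)
```

`all_succeeded` is the one-liner to put in a test script: it is what should gate the follow-up `apply`, since the thread shows `apply` answering 204 even when the preceding `set` had been denied and nothing changed.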

@mdevolde
Contributor Author

mdevolde commented Apr 9, 2026

@systemcrash do you need any other information/test about these permissions?

@systemcrash
Contributor

I guess there's no other reasonable way around this.

@systemcrash systemcrash merged commit 8420a72 into openwrt:master Apr 9, 2026
6 checks passed
@mdevolde mdevolde deleted the luci-app-lxc-uci-set branch April 9, 2026 16:51