Hi Rodrigo,
Only review the security implications of radiale.org,
Any open CVEs that might compromise BlueOnyx security.
https://www.cvedetails.com/vulnerability-list/vendor_id-15782/product_id-331
31/Radicale-Radicale.html
Yeah, I've seen those as well and it is good that you mention it. We
will be using "radicale3-3.1.8" from Epel on 5211R and I believe the
version for 5210R will not be much older either. Both are much newer
than the vulnerabilities you mentioned. The latest CVE from 2017
(CVE-2017-8342) for example is now directly mitigated by a built in
brute force detection and enforcing a growing delay on authentication
after each failed login.
In fact the *really* tight security in Radicale v3 has already driven me
nuts and complicated the integration tremendously.
It runs as unprivileged user "radicale" in a Systemd jail. That jail has
its own /tmp and Radicale only has access to it's own home directory
/var/lib/radicale. Beyond that Radicale is unable to elevate its own
privileges, capabilities and can't modify ControlGroups or access
devices or anything kernel related:
----------------------------------------------------------------
[root@5211r ~]# cat /usr/lib/systemd/system/radicale.service
[Unit]
Description=Radicale CalDAV and CardDAV server
Documentation=https://radicale.org/3.0.html#documentation
After=network.target
Requires=network.target
[Service]
ExecStart=/usr/libexec/radicale/radicale
Restart=on-failure
Type=exec
User=radicale
Group=radicale
UMask=0027
WorkingDirectory=/var/lib/radicale
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
NoNewPrivileges=true
CapabilityBoundingSet=
ReadWritePaths=/var/lib/radicale/
----------------------------------------------------------------
That is about as tight as you can configure something.
Which also meant that Radicale itself didn't even have the ability to do
any authentication itself and was either accessible to anyone (like:
when you use it in internal networks) or relied on htpasswd protection
via htpasswd file *in* the jail. Or mod_proxy and mod_authnz_external
password protection in Apache itself and passing the user-name via
%{REMOTE_USER} *after* the external authentication had been satisfied.
Something like this:
----------------------------------------------------------------
RewriteEngine On
RewriteRule ^/radicale$ /radicale/ [R,L]
<Location "/radicale/">
AuthType Basic
AuthName "Radicale - Password Required"
AuthUserFile "/etc/radicale/htpasswd"
Require valid-user
ProxyPass http://localhost:5232/ retry=0
ProxyPassReverse http://localhost:5232/
RequestHeader set X-Script-Name /radicale
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
</Location>
----------------------------------------------------------------
While that is good, it makes GUI-integration a real hassle.
Access to the authentication layer via PAM? Nope! Not possible from
within that strict jail. Even if: An unprivileged user can only PAM auth
his own credentials and not those of someone else.
So I had to devise a secure method how Radicale can auth over the
network (by letting Radicale do a POST request to Apache on "localhost"
against a new /internalauth" URL that checks username and passwords and
reports if they're fine or not. And then I wrote a Python authentication
module for Radicale which uses that method.
Even then I can't do an auto-login from the GUI into the Radicale
backend, as it has cross-site scripting protection enabled (so a remote
POST request won't work) and on top of that: It prevents hitting the
"submit" button via a jQuery script, which is another way I tried to get
auto-login working from inside the GUI.
In principle I have it all working now (minus the auto-login) and the
code is in SVN:
https://devel.blueonyx.it/trac/browser/BlueOnyx/5211R/ui/base-organizer.mod
As I can't get auto-login into the backend working I'll be doing a full
GUI integration of Radicale instead. That way we can manage all Radicale
aspects from within the BlueOnyx GUI, using BlueOnyx methods. And then
we don't need the GUI that Radicale itself brings with it. At least not
for the management. It's still used when someone accesses CalDAV or
CardDAV to access calendars and/or contacts.
By the weekend I should perhaps have it ready for 5211R and will then
port it to 5210R as well.
--
With best regards
Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
