author | Jeffrey Armstrong <jeff@approximatrix.com> | 2022-07-01 14:16:38 -0400
committer | Jeffrey Armstrong <jeff@approximatrix.com> | 2022-07-01 14:16:38 -0400
commit | 2272c4cb50ceb68efa91991f57b9dd9f1e1ab312 (patch)
tree | f1579b4e0194cb6d4549aa9ad6e0df3ac9fdcd8b
parent | 556c62a21c09ba36254d9a9ebdacce7587a5954e (diff)
download | levitating-2272c4cb50ceb68efa91991f57b9dd9f1e1ab312.tar.gz levitating-2272c4cb50ceb68efa91991f57b9dd9f1e1ab312.zip
Quick README updates about security. Updated license copyright.
-rw-r--r-- | LICENSE.txt | 2
-rw-r--r-- | README.md | 16
2 files changed, 13 insertions, 5 deletions
diff --git a/LICENSE.txt b/LICENSE.txt index ede734c..ca516ab 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,4 +1,4 @@ -Copyright (c) 2021 Approximatrix, LLC <support@approximatrix.com> +Copyright (c) 2021, 2022 Approximatrix, LLC <support@approximatrix.com> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: @@ -14,7 +14,9 @@ To build Levitating, you'll need: * GNU Fortran or another compiler that supports a handful of extensions used * libssl -* json-fortran (version 7 series, untested with 8) +* json-fortran (version 7 series, should work with 8) +* uuidgen (part of Debian's uuid-runtime package) +* mkpasswd (part of Debian's whois package) if your system is having trouble with creating users (see below) ## Instructions 
@@ -40,15 +42,21 @@ A CGI gateway (that's not a typo) for a compatible HTTP server is planned but no ## Security -The current configuration has literally no security features. Anyone who can connect to the _captain's_ interface can start jobs, download releases (the products of what the _players_ build, ostensibly), or manage _players_. Additionally, _players_ are also not authenticated, so any process claiming to be an approved _player_ can just proceed with downloading/uploading files. +The system currently implements a simple user model. Access levels are defined as 0 through 10, and are listed in the file pointed to by *permissions_file* in the main configuration. An example (and quite reasonable) access model is included in the example folder. Certain access levels, including the public (0), can be restricted from accessing all sorts of features relatively easily. -The plan is to change this complete lack of authentication at some point. It's probably not a great idea to leave an instance of Levitating up in a public-facing manner. +Currently, the system provides a command line method of creating an administrator using the *--new-admin* command line option when you execute the captain's executable from the command line. This action will create a user with access level set to 10. At this time, there is no way to create other users through the web or Gemini interfaces, though that would make sense if an administrator is indeed logged in. + +The Gemini login process will pass the user's password as a query. Consider this fact when setting up logins. + +Despite this software being written in Fortran (albeit a modern variant), the password hashing and storage is robust be default. Passwords are hashed via blowfish and stored in the database, and a system-wide salt, appearing in the configuration file, is used prior to blowfish encryption. 
+ +Some older distros that have not included standard blowfish utilities in their runtimes or are just using older Fortran compilers may actually fail to create users. In this case, Levitating includes an alternate *m_crypt* module in the *captain/cryptcl.f90* file that uses the *mkpasswd* command and relies on SHA-512 hashing of passwords instead. Users should really only use this solution if all else fails. ## License Levitating is subject to the following license: -Copyright (c) 2021 Approximatrix, LLC <support@approximatrix.com> +Copyright (c) 2021, 2022 Approximatrix, LLC <support@approximatrix.com> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: |
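Review bot: in the build-requirements hunk (@@ -14,7 +14,9 @@), the json-fortran line changes from "untested with 8" to "should work with 8", but nothing in this change shows version 8 was actually tried; if it is still untested, keep the original qualifier or name the version that was built against. The new *mkpasswd* entry would also be clearer if it said it is only needed for the *cryptcl.f90* fallback described under Security, so readers do not install the whois package unnecessarily.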
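Review bot: in the Security hunk (@@ -40,15 +42,21 @@), the hashing paragraph describes a single system-wide salt taken from the configuration file and applied before Blowfish hashing; a salt shared by every user does not do what a salt is for (identical passwords hash identically and one precomputed table covers all accounts), and bcrypt-style Blowfish hashing normally generates a random per-password salt itself. The README should state which it is: if the *m_crypt* module uses a per-user salt and the configured value is an additional secret (a pepper), say so; if the configured value really is the only salt, document that as a limitation rather than under "robust". Smaller points in the same hunk: "robust be default" should read "by default"; the sentence "will pass the user's password as a query" should spell out the consequence (the password becomes part of the request URL, so it can end up in server and proxy logs) instead of leaving it to the reader; the fallback paragraph should say how the password is handed to *mkpasswd* (stdin versus a command-line argument, the latter being visible in the process list); and since the removed text said _players_ were unauthenticated while the new text only covers the user/access-level model, it should state whether player authentication changed.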