From 768b6c4a50d75b143ca5006e63182f1eb924076c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?=
Date: Mon, 6 Apr 2020 16:54:33 +0200
Subject: [PATCH] security: fail to start if using the old default password

---
 jibri/rootfs/etc/cont-init.d/10-config | 12 ++++++++++++
 jicofo/rootfs/etc/cont-init.d/10-config | 12 ++++++++++++
 jigasi/rootfs/etc/cont-init.d/10-config | 6 ++++++
 jvb/rootfs/etc/cont-init.d/10-config | 6 ++++++
 prosody/rootfs/etc/cont-init.d/10-config | 21 +++++++++++++++++++++
 5 files changed, 57 insertions(+)

diff --git a/jibri/rootfs/etc/cont-init.d/10-config b/jibri/rootfs/etc/cont-init.d/10-config
index 809718a..5ef0048 100644
--- a/jibri/rootfs/etc/cont-init.d/10-config
+++ b/jibri/rootfs/etc/cont-init.d/10-config
@@ -5,6 +5,18 @@ if [[ -z $JIBRI_RECORDER_PASSWORD || -z $JIBRI_XMPP_PASSWORD ]]; then
 exit 1
 fi
 
+OLD_JIBRI_RECORDER_PASSWORD=passw0rd
+if [[ "$JIBRI_RECORDER_PASSWORD" == "$OLD_JIBRI_RECORDER_PASSWORD" ]]; then
+ echo 'FATAL ERROR: Jibri recorder password must be changed, check the README'
+ exit 1
+fi
+
+OLD_JIBRI_XMPP_PASSWORD=passw0rd
+if [[ "$JIBRI_XMPP_PASSWORD" == "$OLD_JIBRI_XMPP_PASSWORD" ]]; then
+ echo 'FATAL ERROR: Jibri auth password must be changed, check the README'
+ exit 1
+fi
+
 # DISPLAY is necessary for start
 [ -z "${DISPLAY}" ] \
 && ( echo -e "\e[31mERROR: Please set DISPLAY variable.\e[39m"; kill 1; exit 1 )
diff --git a/jicofo/rootfs/etc/cont-init.d/10-config b/jicofo/rootfs/etc/cont-init.d/10-config
index 6edbb64..eac6164 100644
--- a/jicofo/rootfs/etc/cont-init.d/10-config
+++ b/jicofo/rootfs/etc/cont-init.d/10-config
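Review bot: The two new checks stop with a bare `exit 1`, while the DISPLAY check in the trailing context of this same hunk also runs `kill 1`, which suggests that a non-zero exit from this init script may not be enough on its own to halt the container. If the init system is configured to carry on after a failed cont-init.d script (not visible here, please confirm), the service would still come up with `passw0rd` and the guard would only log. Either fail closed the same way the DISPLAY check does, or state in a comment which setting makes `exit 1` fatal. The same applies to the equivalent checks in the jicofo, jigasi, jvb and prosody hunks.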
@@ -5,6 +5,18 @@ if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
 exit 1
 fi
 
+OLD_JICOFO_COMPONENT_SECRET=s3cr37
+if [[ "$JICOFO_COMPONENT_SECRET" == "$OLD_JICOFO_COMPONENT_SECRET" ]]; then
+ echo 'FATAL ERROR: Jicofo component secret must be changed, check the README'
+ exit 1
+fi
+
+OLD_JICOFO_AUTH_PASSWORD=passw0rd
+if [[ "$JICOFO_AUTH_PASSWORD" == "$OLD_JICOFO_AUTH_PASSWORD" ]]; then
+ echo 'FATAL ERROR: Jicofo auth password must be changed, check the README'
+ exit 1
+fi
+
 if [[ ! -f /config/sip-communicator.properties ]]; then
 tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
 fi
diff --git a/jigasi/rootfs/etc/cont-init.d/10-config b/jigasi/rootfs/etc/cont-init.d/10-config
index 91795e6..c99f712 100644
--- a/jigasi/rootfs/etc/cont-init.d/10-config
+++ b/jigasi/rootfs/etc/cont-init.d/10-config
@@ -5,6 +5,12 @@ if [[ -z $JIGASI_XMPP_PASSWORD ]]; then
 exit 1
 fi
 
+OLD_JIGASI_XMPP_PASSWORD=passw0rd
+if [[ "$JIGASI_XMPP_PASSWORD" == "$OLD_JIGASI_XMPP_PASSWORD" ]]; then
+ echo 'FATAL ERROR: Jigasi auth password must be changed, check the README'
+ exit 1
+fi
+
 if [[ ! -f /config/sip-communicator.properties ]]; then
 tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
 fi
diff --git a/jvb/rootfs/etc/cont-init.d/10-config b/jvb/rootfs/etc/cont-init.d/10-config
index 4c4d5c0..11af52c 100644
--- a/jvb/rootfs/etc/cont-init.d/10-config
+++ b/jvb/rootfs/etc/cont-init.d/10-config
@@ -5,6 +5,12 @@ if [[ -z $JVB_AUTH_PASSWORD ]]; then
 exit 1
 fi
 
+OLD_JVB_AUTH_PASSWORD=passw0rd
+if [[ "$JVB_AUTH_PASSWORD" == "$OLD_JVB_AUTH_PASSWORD" ]]; then
+ echo 'FATAL ERROR: JVB auth password must be changed, check the README'
+ exit 1
+fi
+
 if [[ ! -f /config/sip-communicator.properties ]]; then
 tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
 fi
diff --git a/prosody/rootfs/etc/cont-init.d/10-config b/prosody/rootfs/etc/cont-init.d/10-config
index 83a617e..475470c 100644
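Review bot: `OLD_JICOFO_COMPONENT_SECRET=s3cr37` and `OLD_JICOFO_AUTH_PASSWORD=passw0rd` carry no comment explaining why credential-looking literals are hard-coded, so a later reader or a secret scanner may take them for live values. A line above each, such as `# Previously shipped default; kept only so deployments that never changed it are refused.`, would make the intent explicit. The same comment fits the `OLD_*` constants in the jibri, jigasi, jvb and prosody hunks. It is also worth stating there that the comparison is an exact match against that one value and says nothing about the strength of whatever replaces it.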
--- a/prosody/rootfs/etc/cont-init.d/10-config
+++ b/prosody/rootfs/etc/cont-init.d/10-config
@@ -46,17 +46,38 @@ if [[ ! -f $PROSODY_CFG ]]; then
 exit 1
 fi
 
+ OLD_JVB_AUTH_PASSWORD=passw0rd
+ if [[ "$JVB_AUTH_PASSWORD" == "$OLD_JVB_AUTH_PASSWORD" ]]; then
+ echo 'FATAL ERROR: JVB auth password must be changed, check the README'
+ exit 1
+ fi
+
 prosodyctl --config $PROSODY_CFG register $JVB_AUTH_USER $XMPP_AUTH_DOMAIN $JVB_AUTH_PASSWORD
 
 if [[ ! -z $JIBRI_XMPP_USER ]] && [[ ! -z $JIBRI_XMPP_PASSWORD ]]; then
+ OLD_JIBRI_XMPP_PASSWORD=passw0rd
+ if [[ "$JIBRI_XMPP_PASSWORD" == "$OLD_JIBRI_XMPP_PASSWORD" ]]; then
+ echo 'FATAL ERROR: Jibri auth password must be changed, check the README'
+ exit 1
+ fi
 prosodyctl --config $PROSODY_CFG register $JIBRI_XMPP_USER $XMPP_AUTH_DOMAIN $JIBRI_XMPP_PASSWORD
 fi
 
 if [[ ! -z $JIBRI_RECORDER_USER ]] && [[ ! -z $JIBRI_RECORDER_PASSWORD ]]; then
+ OLD_JIBRI_RECORDER_PASSWORD=passw0rd
+ if [[ "$JIBRI_RECORDER_PASSWORD" == "$OLD_JIBRI_RECORDER_PASSWORD" ]]; then
+ echo 'FATAL ERROR: Jibri recorder password must be changed, check the README'
+ exit 1
+ fi
 prosodyctl --config $PROSODY_CFG register $JIBRI_RECORDER_USER $XMPP_RECORDER_DOMAIN $JIBRI_RECORDER_PASSWORD
 fi
 
 if [[ ! -z $JIGASI_XMPP_USER ]] && [[ ! -z $JIGASI_XMPP_PASSWORD ]]; then
+ OLD_JIGASI_XMPP_PASSWORD=passw0rd
+ if [[ "$JIGASI_XMPP_PASSWORD" == "$OLD_JIGASI_XMPP_PASSWORD" ]]; then
+ echo 'FATAL ERROR: Jigasi auth password must be changed, check the README'
+ exit 1
+ fi
 prosodyctl --config $PROSODY_CFG register $JIGASI_XMPP_USER $XMPP_AUTH_DOMAIN $JIGASI_XMPP_PASSWORD
 fi
 fi
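Review bot: These checks appear to sit inside the `if [[ ! -f $PROSODY_CFG ]]; then` branch that opens above the hunk (the indented added lines and the closing `fi` at the end suggest so), so they run only when the config is first generated. A deployment that already registered its accounts with the old defaults skips the branch entirely: Prosody starts, and the accounts created earlier would still hold `passw0rd` even after the operator changes the environment values. Running the four comparisons before the branch would make Prosody refuse to start on every boot with an old value, and the README step should also say how existing accounts get re-registered with the new password. Jicofo's auth password and component secret are not checked in this hunk; if this script consumes them outside the lines shown, they need the same guard.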