security: don't provide default passwords

Also check if they are not provided at sstartup time and fail to start in that case.
5 years ago · a015710e54
parent aaec22dd99
commit a015710e54
9 changed files with 73 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -32,9 +32,11 @@ follow these steps:

 * Clone this repository to your computer.
  * `git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet`
-* Create a ``.env`` file by copying and adjusting ``env.example``, and create required `CONFIG` directories
+* Create a ``.env`` file by copying and adjusting ``env.example``
  * `cp env.example .env`
-  * `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}`
+  * Set strong passwords in the security section options, they ccan be generated with `openssl rand -hex 16`
+* Create required `CONFIG` directories
+  * `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb,jigasi,jibri}`
 * Run ``docker-compose up -d``.
 * Access the web UI at [``https://localhost:8443``](https://localhost:8443) (or a different port, in case you edited the compose file).

@ -51,6 +53,15 @@ If you want to use jibri too, first configure a host as described in JItsi BRoad
 and then run Docker Compose as follows: ``docker-compose -f docker-compose.yml -f jibri.yml up -d``
 or to use jigasi too: ``docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d``

+### Security note
+
+This setup used to have default passwords for intetrnal accounts used across components. In order to make the default setup
+secure by default these have been removed and the respective containers won't start without having a password set.
+
+Strong passwordds may be generated as follows: `openssl rand -hex 16`
+
+DO NOT reuse any of the passwords.
+
 ## Architecture

 A Jitsi Meet installation can be broken down into the following components:
--- a/env.example
+++ b/env.example
@ -1,3 +1,31 @@
+# Security
+#
+# Set these to strong passwords to avoid intruders from impersonating a service account
+# Here is how to generate a good password: openssl rand -hex 16
+# The service(s) won't start unless these are specified
+# You may skip the Jigasi and Jibri passwords if you are not using those
+# DO NOT reuse passwords
+#
+
+# XMPP component password for Jicofo
+JICOFO_COMPONENT_SECRET=
+
+# XMPP password for Jicofo client connections
+JICOFO_AUTH_PASSWORD=
+
+# XMPP password for JVB client connections
+JVB_AUTH_PASSWORD=
+
+# XMPP password for Jigasi MUC client connections
+JIGASI_XMPP_PASSWORD=
+
+# XMPP recorder password for Jibri client connections
+JIBRI_RECORDER_PASSWORD=
+
+# XMPP password for Jibri client connections
+JIBRI_XMPP_PASSWORD=
+
+
 #
 # Basic configuration options
 #
@ -178,9 +206,6 @@ JVB_BREWERY_MUC=jvbbrewery
 # XMPP user for JVB client connections
 JVB_AUTH_USER=jvb

-# XMPP password for JVB client connections
-JVB_AUTH_PASSWORD=passw0rd
-
 # STUN servers used to discover the server's public IP
 JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443

@ -195,25 +220,16 @@ JVB_TCP_PORT=4443
 # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information
 #JVB_ENABLE_APIS=rest,colibri

-# XMPP component password for Jicofo
-JICOFO_COMPONENT_SECRET=s3cr37
-
 # XMPP user for Jicofo client connections.
 # NOTE: this option doesn't currently work due to a bug
 JICOFO_AUTH_USER=focus

-# XMPP password for Jicofo client connections
-JICOFO_AUTH_PASSWORD=passw0rd
-
 # Base URL of Jicofo's reservation REST API
 #JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com

 # XMPP user for Jigasi MUC client connections
 JIGASI_XMPP_USER=jigasi

-# XMPP password for Jigasi MUC client connections
-JIGASI_XMPP_PASSWORD=passw0rd
-
 # MUC name for the Jigasi pool
 JIGASI_BREWERY_MUC=jigasibrewery

@ -267,9 +283,6 @@ XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
 # XMPP recorder user for Jibri client connections
 JIBRI_RECORDER_USER=recorder

-# XMPP recorder password for Jibri client connections
-JIBRI_RECORDER_PASSWORD=passw0rd
-
 # Directory for recordings inside Jibri container
 JIBRI_RECORDING_DIR=/config/recordings

@ -279,9 +292,6 @@ JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh
 # XMPP user for Jibri client connections
 JIBRI_XMPP_USER=jibri

-# XMPP password for Jibri client connections
-JIBRI_XMPP_PASSWORD=passw0rd
-
 # MUC name for the Jibri pool
 JIBRI_BREWERY_MUC=jibribrewery

--- a/jibri/rootfs/etc/cont-init.d/10-config
+++ b/jibri/rootfs/etc/cont-init.d/10-config
@ -1,5 +1,10 @@
 #!/usr/bin/with-contenv bash

+if [[ -z $JIBRI_RECORDER_PASSWORD || -z $JIBRI_XMPP_PASSWORD ]]; then
+    echo 'FATAL ERROR: Jibri recorder password and auth password must be set'
+    exit 1
+fi
+
 # DISPLAY is necessary for start
 [ -z "${DISPLAY}" ] \
 && ( echo -e "\e[31mERROR: Please set DISPLAY variable.\e[39m"; kill 1; exit 1 )
--- a/jicofo/rootfs/etc/cont-init.d/10-config
+++ b/jicofo/rootfs/etc/cont-init.d/10-config
@ -1,5 +1,10 @@
 #!/usr/bin/with-contenv bash

+if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
+    echo 'FATAL ERROR: Jicofo component secret and auth password must be set'
+    exit 1
+fi
+
 if [[ ! -f /config/sip-communicator.properties ]]; then
    tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
 fi
@ -8,4 +13,4 @@ if [[ ! -f /config/logging.properties ]]; then
    cp /defaults/logging.properties /config
 fi

-chown -R jicofo:jitsi /config
+chown -R jicofo:jitsi /config
--- a/jicofo/rootfs/etc/services.d/jicofo/run
+++ b/jicofo/rootfs/etc/services.d/jicofo/run
@ -6,4 +6,3 @@ DAEMON_DIR=/usr/share/jicofo/
 DAEMON_OPTS="--domain=$XMPP_DOMAIN --host=$XMPP_SERVER --secret=$JICOFO_COMPONENT_SECRET --user_name=$JICOFO_AUTH_USER --user_domain=$XMPP_AUTH_DOMAIN --user_password=$JICOFO_AUTH_PASSWORD"

 exec s6-setuidgid jicofo /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS"
-
--- a/jigasi/rootfs/etc/cont-init.d/10-config
+++ b/jigasi/rootfs/etc/cont-init.d/10-config
@ -1,5 +1,10 @@
 #!/usr/bin/with-contenv bash

+if [[ -z $JIGASI_XMPP_PASSWORD ]]; then
+    echo 'FATAL ERROR: Jigasi auth password must be set'
+    exit 1
+fi
+
 if [[ ! -f /config/sip-communicator.properties ]]; then
    tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
 fi
--- a/jvb/rootfs/defaults/sip-communicator.properties
+++ b/jvb/rootfs/defaults/sip-communicator.properties
@ -16,4 +16,3 @@ org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true
 org.jitsi.videobridge.ENABLE_STATISTICS=true
 org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
 org.jitsi.videobridge.STATISTICS_INTERVAL=5000
-
--- a/jvb/rootfs/etc/cont-init.d/10-config
+++ b/jvb/rootfs/etc/cont-init.d/10-config
@ -1,5 +1,10 @@
 #!/usr/bin/with-contenv bash

+if [[ -z $JVB_AUTH_PASSWORD ]]; then
+    echo 'FATAL ERROR: JVB auth password must be set'
+    exit 1
+fi
+
 if [[ ! -f /config/sip-communicator.properties ]]; then
    tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties
 fi
--- a/prosody/rootfs/etc/cont-init.d/10-config
+++ b/prosody/rootfs/etc/cont-init.d/10-config
@ -34,7 +34,18 @@ if [[ ! -f $PROSODY_CFG ]]; then
    tpl /defaults/prosody.cfg.lua > $PROSODY_CFG
    tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua

+    if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then
+        echo 'FATAL ERROR: Jicofo component secret and auth password must be set'
+        exit 1
+    fi
+
    prosodyctl --config $PROSODY_CFG register $JICOFO_AUTH_USER $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD
+
+    if [[ -z $JVB_AUTH_PASSWORD ]]; then
+        echo 'FATAL ERROR: JVB auth password must be set'
+        exit 1
+    fi
+
    prosodyctl --config $PROSODY_CFG register $JVB_AUTH_USER $XMPP_AUTH_DOMAIN $JVB_AUTH_PASSWORD

    if [[ ! -z $JIBRI_XMPP_USER ]] && [[ ! -z $JIBRI_XMPP_PASSWORD ]]; then