From a015710e547e8746023f12ee33d2482dabf8ce0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= Date: Mon, 6 Apr 2020 12:22:11 +0200 Subject: [PATCH] security: don't provide default passwords Also check if they are not provided at sstartup time and fail to start in that case. --- README.md | 15 +++++- env.example | 46 +++++++++++-------- jibri/rootfs/etc/cont-init.d/10-config | 5 ++ jicofo/rootfs/etc/cont-init.d/10-config | 7 ++- jicofo/rootfs/etc/services.d/jicofo/run | 1 - jigasi/rootfs/etc/cont-init.d/10-config | 5 ++ .../defaults/sip-communicator.properties | 1 - jvb/rootfs/etc/cont-init.d/10-config | 5 ++ prosody/rootfs/etc/cont-init.d/10-config | 11 +++++ 9 files changed, 73 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index d8ab181..4b372ee 100644 --- a/README.md +++ b/README.md @@ -32,9 +32,11 @@ follow these steps: * Clone this repository to your computer. * `git clone https://github.com/jitsi/docker-jitsi-meet && cd docker-jitsi-meet` -* Create a ``.env`` file by copying and adjusting ``env.example``, and create required `CONFIG` directories +* Create a ``.env`` file by copying and adjusting ``env.example`` * `cp env.example .env` - * `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}` + * Set strong passwords in the security section options, they ccan be generated with `openssl rand -hex 16` +* Create required `CONFIG` directories + * `mkdir -p ~/.jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb,jigasi,jibri}` * Run ``docker-compose up -d``. * Access the web UI at [``https://localhost:8443``](https://localhost:8443) (or a different port, in case you edited the compose file). 
@@ -51,6 +53,15 @@ If you want to use jibri too, first configure a host as described in JItsi BRoad and then run Docker Compose as follows: ``docker-compose -f docker-compose.yml -f jibri.yml up -d`` or to use jigasi too: ``docker-compose -f docker-compose.yml -f jigasi.yml -f jibri.yml up -d`` +### Security note + +This setup used to have default passwords for intetrnal accounts used across components. In order to make the default setup +secure by default these have been removed and the respective containers won't start without having a password set. + +Strong passwordds may be generated as follows: `openssl rand -hex 16` + +DO NOT reuse any of the passwords. + ## Architecture A Jitsi Meet installation can be broken down into the following components: diff --git a/env.example b/env.example index c720b12..f63278c 100644 --- a/env.example +++ b/env.example @@ -1,3 +1,31 @@ +# Security +# +# Set these to strong passwords to avoid intruders from impersonating a service account +# Here is how to generate a good password: openssl rand -hex 16 +# The service(s) won't start unless these are specified +# You may skip the Jigasi and Jibri passwords if you are not using those +# DO NOT reuse passwords +# + +# XMPP component password for Jicofo +JICOFO_COMPONENT_SECRET= + +# XMPP password for Jicofo client connections +JICOFO_AUTH_PASSWORD= + +# XMPP password for JVB client connections +JVB_AUTH_PASSWORD= + +# XMPP password for Jigasi MUC client connections +JIGASI_XMPP_PASSWORD= + +# XMPP recorder password for Jibri client connections +JIBRI_RECORDER_PASSWORD= + +# XMPP password for Jibri client connections +JIBRI_XMPP_PASSWORD= + + # # Basic configuration options # @@ -178,9 +206,6 @@ JVB_BREWERY_MUC=jvbbrewery # XMPP user for JVB client connections JVB_AUTH_USER=jvb -# XMPP password for JVB client connections -JVB_AUTH_PASSWORD=passw0rd - # STUN servers used to discover the server's public IP JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443 
@@ -195,25 +220,16 @@ JVB_TCP_PORT=4443 # See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/rest.md for more information #JVB_ENABLE_APIS=rest,colibri -# XMPP component password for Jicofo -JICOFO_COMPONENT_SECRET=s3cr37 - # XMPP user for Jicofo client connections. # NOTE: this option doesn't currently work due to a bug JICOFO_AUTH_USER=focus -# XMPP password for Jicofo client connections -JICOFO_AUTH_PASSWORD=passw0rd - # Base URL of Jicofo's reservation REST API #JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com # XMPP user for Jigasi MUC client connections JIGASI_XMPP_USER=jigasi -# XMPP password for Jigasi MUC client connections -JIGASI_XMPP_PASSWORD=passw0rd - # MUC name for the Jigasi pool JIGASI_BREWERY_MUC=jigasibrewery @@ -267,9 +283,6 @@ XMPP_RECORDER_DOMAIN=recorder.meet.jitsi # XMPP recorder user for Jibri client connections JIBRI_RECORDER_USER=recorder -# XMPP recorder password for Jibri client connections -JIBRI_RECORDER_PASSWORD=passw0rd - # Directory for recordings inside Jibri container JIBRI_RECORDING_DIR=/config/recordings @@ -279,9 +292,6 @@ JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh # XMPP user for Jibri client connections JIBRI_XMPP_USER=jibri -# XMPP password for Jibri client connections -JIBRI_XMPP_PASSWORD=passw0rd - # MUC name for the Jibri pool JIBRI_BREWERY_MUC=jibribrewery diff --git a/jibri/rootfs/etc/cont-init.d/10-config b/jibri/rootfs/etc/cont-init.d/10-config index 2d7fa68..809718a 100644 --- a/jibri/rootfs/etc/cont-init.d/10-config +++ b/jibri/rootfs/etc/cont-init.d/10-config @@ -1,5 +1,10 @@ #!/usr/bin/with-contenv bash +if [[ -z $JIBRI_RECORDER_PASSWORD || -z $JIBRI_XMPP_PASSWORD ]]; then + echo 'FATAL ERROR: Jibri recorder password and auth password must be set' + exit 1 +fi + # DISPLAY is necessary for start [ -z "${DISPLAY}" ] \ && ( echo -e "\e[31mERROR: Please set DISPLAY variable.\e[39m"; kill 1; exit 1 ) 
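Review bot: The new guard ends with a bare `exit 1`, whereas the existing DISPLAY check just below it uses `kill 1; exit 1` to actually take the container down; a non-zero exit from a cont-init.d script only halts s6-overlay when the image sets S6_BEHAVIOUR_IF_STAGE2_FAILS, which this patch does not show, so Jibri may still be started with empty credentials. Mirror the established pattern, `echo 'FATAL ERROR: Jibri recorder password and auth password must be set' >&2; kill 1; exit 1`, or confirm that the stage-2 failure behaviour is configured image-wide. Writing the message to stderr also keeps it out of stdout-based log scraping.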
diff --git a/jicofo/rootfs/etc/cont-init.d/10-config b/jicofo/rootfs/etc/cont-init.d/10-config index b9d96a6..6edbb64 100644 --- a/jicofo/rootfs/etc/cont-init.d/10-config +++ b/jicofo/rootfs/etc/cont-init.d/10-config @@ -1,5 +1,10 @@ #!/usr/bin/with-contenv bash +if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then + echo 'FATAL ERROR: Jicofo component secret and auth password must be set' + exit 1 +fi + if [[ ! -f /config/sip-communicator.properties ]]; then tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties fi @@ -8,4 +13,4 @@ if [[ ! -f /config/logging.properties ]]; then cp /defaults/logging.properties /config fi -chown -R jicofo:jitsi /config \ No newline at end of file +chown -R jicofo:jitsi /config diff --git a/jicofo/rootfs/etc/services.d/jicofo/run b/jicofo/rootfs/etc/services.d/jicofo/run index 5c6b453..7932d72 100644 --- a/jicofo/rootfs/etc/services.d/jicofo/run +++ b/jicofo/rootfs/etc/services.d/jicofo/run @@ -6,4 +6,3 @@ DAEMON_DIR=/usr/share/jicofo/ DAEMON_OPTS="--domain=$XMPP_DOMAIN --host=$XMPP_SERVER --secret=$JICOFO_COMPONENT_SECRET --user_name=$JICOFO_AUTH_USER --user_domain=$XMPP_AUTH_DOMAIN --user_password=$JICOFO_AUTH_PASSWORD" exec s6-setuidgid jicofo /bin/bash -c "cd $DAEMON_DIR; JAVA_SYS_PROPS=\"$JAVA_SYS_PROPS\" exec $DAEMON $DAEMON_OPTS" - diff --git a/jigasi/rootfs/etc/cont-init.d/10-config b/jigasi/rootfs/etc/cont-init.d/10-config index e34f1a2..91795e6 100644 --- a/jigasi/rootfs/etc/cont-init.d/10-config +++ b/jigasi/rootfs/etc/cont-init.d/10-config @@ -1,5 +1,10 @@ #!/usr/bin/with-contenv bash +if [[ -z $JIGASI_XMPP_PASSWORD ]]; then + echo 'FATAL ERROR: Jigasi auth password must be set' + exit 1 +fi + if [[ ! -f /config/sip-communicator.properties ]]; then tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties fi diff --git a/jvb/rootfs/defaults/sip-communicator.properties b/jvb/rootfs/defaults/sip-communicator.properties index fb26fec..0633084 100644 
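Review bot: The diagnostic goes to stdout and the script relies on `exit 1` alone to stop the container; whether a failing cont-init.d script halts s6-overlay depends on S6_BEHAVIOUR_IF_STAGE2_FAILS, which nothing in this patch sets, so please verify that Jicofo does not still come up with an empty secret. Separately, the services.d/jicofo/run script in this same patch passes both values on the command line (`--secret=$JICOFO_COMPONENT_SECRET ... --user_password=$JICOFO_AUTH_PASSWORD`), so once validated they remain readable in `/proc/<pid>/cmdline` by anything inside the container; if jicofo can take them from a properties file or the environment instead, that is worth a follow-up. At minimum change the message line to `echo 'FATAL ERROR: Jicofo component secret and auth password must be set' >&2`.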
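Review bot: The four-line guard can be expressed with the shell's built-in required-variable check, which writes to stderr and exits non-zero in one statement: `: "${JIGASI_XMPP_PASSWORD:?FATAL ERROR: Jigasi auth password must be set}"`. That form is also what the other 10-config scripts in this patch could share, keeping the message and exit behaviour consistent across jibri, jicofo, jvb and jigasi. Since this script only runs inside the jigasi container, it remains true, as env.example states, that the Jigasi password may be left unset when Jigasi is not deployed.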
--- a/jvb/rootfs/defaults/sip-communicator.properties +++ b/jvb/rootfs/defaults/sip-communicator.properties @@ -16,4 +16,3 @@ org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true org.jitsi.videobridge.ENABLE_STATISTICS=true org.jitsi.videobridge.STATISTICS_TRANSPORT=muc org.jitsi.videobridge.STATISTICS_INTERVAL=5000 - diff --git a/jvb/rootfs/etc/cont-init.d/10-config b/jvb/rootfs/etc/cont-init.d/10-config index aa9bb04..4c4d5c0 100644 --- a/jvb/rootfs/etc/cont-init.d/10-config +++ b/jvb/rootfs/etc/cont-init.d/10-config @@ -1,5 +1,10 @@ #!/usr/bin/with-contenv bash +if [[ -z $JVB_AUTH_PASSWORD ]]; then + echo 'FATAL ERROR: JVB auth password must be set' + exit 1 +fi + if [[ ! -f /config/sip-communicator.properties ]]; then tpl /defaults/sip-communicator.properties > /config/sip-communicator.properties fi diff --git a/prosody/rootfs/etc/cont-init.d/10-config b/prosody/rootfs/etc/cont-init.d/10-config index 701efcd..83a617e 100644 --- a/prosody/rootfs/etc/cont-init.d/10-config +++ b/prosody/rootfs/etc/cont-init.d/10-config @@ -34,7 +34,18 @@ if [[ ! -f $PROSODY_CFG ]]; then tpl /defaults/prosody.cfg.lua > $PROSODY_CFG tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua + if [[ -z $JICOFO_COMPONENT_SECRET || -z $JICOFO_AUTH_PASSWORD ]]; then + echo 'FATAL ERROR: Jicofo component secret and auth password must be set' + exit 1 + fi + prosodyctl --config $PROSODY_CFG register $JICOFO_AUTH_USER $XMPP_AUTH_DOMAIN $JICOFO_AUTH_PASSWORD + + if [[ -z $JVB_AUTH_PASSWORD ]]; then + echo 'FATAL ERROR: JVB auth password must be set' + exit 1 + fi + prosodyctl --config $PROSODY_CFG register $JVB_AUTH_USER $XMPP_AUTH_DOMAIN $JVB_AUTH_PASSWORD if [[ ! -z $JIBRI_XMPP_USER ]] && [[ ! -z $JIBRI_XMPP_PASSWORD ]]; then
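Review bot: The ordering matters here and deserves a comment: the guard runs before the `tpl` that writes /config/sip-communicator.properties, and that file is only generated when absent, so failing first prevents a template rendered with an empty password (presumably this file carries JVB_AUTH_PASSWORD — confirm against the default template) from being persisted and silently reused on every later start. Suggested comment above the `if`: `# Refuse to start before templating: /config/sip-communicator.properties is only generated once, so an empty password must never be baked into it`. The message should also go to stderr, `echo 'FATAL ERROR: JVB auth password must be set' >&2`. The remainder of the script lies outside this hunk.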