From: Jo-Philipp Wich Date: Wed, 9 Dec 2015 19:32:12 +0000 (+0100) Subject: luci-base: properly handle ubus connections for non-root (#570, #571) X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fluci.git;a=commitdiff_plain;h=81e80c4b876e8e68bb8b022c39d0941e2c1ccb56 luci-base: properly handle ubus connections for non-root (#570, #571) Instead of relying on the connect-before-setuid hack, ship a proper acl definition file whitelisting the procedures that LuCI requires on its non-root pages. Signed-off-by: Jo-Philipp Wich
---
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index cd5d77a12..2fbc2c96f 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -402,9 +402,6 @@ function dispatch(request)
 end
 if track.setuser then
- -- trigger ubus connection before dropping root privs
- util.ubus()
-
 sys.process.setuser(track.setuser)
 end
diff --git a/modules/luci-base/root/usr/share/acl.d/luci-base.json b/modules/luci-base/root/usr/share/acl.d/luci-base.json
new file mode 100644
index 000000000..4d582366f
--- /dev/null
+++ b/modules/luci-base/root/usr/share/acl.d/luci-base.json
@@ -0,0 +1,8 @@
+{
+ "user": "nobody",
+ "access": {
+ "system": {
+ "methods": [ "board", "info" ]
+ }
+ }
+}
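Review bot: The grant in the new `luci-base.json` is keyed on the shared `nobody` account, so every process that runs as `nobody` on the device, not only LuCI's non-root pages, gains access to the `board` and `info` methods of the `system` object over ubus. Both look like informational calls, but what they return (presumably board and firmware details) is worth treating as fingerprinting-relevant, so the scope of the grant should be stated somewhere. If other services on the image also drop to `nobody` (not visible from this diff), consider a dedicated account, e.g. `"user": "<dedicated-luci-user>"` (placeholder) with the matching `setuser` value on the affected pages. Since JSON cannot carry a comment, record in the commit message or package documentation which non-root page needs each whitelisted method, so later additions to `"methods"` get the same least-privilege review.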