From 81e80c4b876e8e68bb8b022c39d0941e2c1ccb56 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 9 Dec 2015 20:32:12 +0100
Subject: [PATCH] luci-base: properly handle ubus connections for non-root (#570, #571)

Instead of relying on the connect-before-setuid hack, ship a proper acl definition file whitelisting the procedures that LuCI requires on its non-root pages.

Signed-off-by: Jo-Philipp Wich
---
modules/luci-base/luasrc/dispatcher.lua | 3 ---
modules/luci-base/root/usr/share/acl.d/luci-base.json | 8 ++++++++
2 files changed, 8 insertions(+), 3 deletions(-)
create mode 100644 modules/luci-base/root/usr/share/acl.d/luci-base.json

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index cd5d77a12..2fbc2c96f 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -402,9 +402,6 @@ function dispatch(request) end if track.setuser then - -- trigger ubus connection before dropping root privs - util.ubus() - sys.process.setuser(track.setuser) end
diff --git a/modules/luci-base/root/usr/share/acl.d/luci-base.json b/modules/luci-base/root/usr/share/acl.d/luci-base.json
new file mode 100644
index 000000000..4d582366f
--- /dev/null
+++ b/modules/luci-base/root/usr/share/acl.d/luci-base.json
@@ -0,0 +1,8 @@
+{
+ "user": "nobody",
+ "access": {
+ "system": {
+ "methods": [ "board", "info" ]
+ }
+ }
+}
--
2.11.0
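Review bot: The grant is tied to the literal user `nobody`, but the dispatcher hunk in this same patch drops privileges to whatever `track.setuser` holds, so a page that sets any other user would now reach ubus with no matching ACL and, with the pre-setuid `util.ubus()` removed, would presumably have its calls rejected. Whether such pages exist is not visible here; if `nobody` is the only supported value, say so next to the `setuser` call, e.g. `-- ubus calls made after this point are limited by acl.d/luci-base.json (user "nobody" only)`. Since ubus ACL files of this shape match on the connecting user, the `board` and `info` methods become callable by every process running as `nobody` on the device, not only LuCI, so the list should stay at these two read-only queries and grow only with a stated reason. JSON cannot carry a comment, so that reason belongs in the commit description.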