This repository has been archived by the owner on Mar 31, 2022. It is now read-only.

Configs changed after install, and serious security risk. #21

Open
Will-wastelander opened this issue Nov 7, 2020 · 36 comments

Comments

@Will-wastelander
Contributor

It appears that instead of keeping the user's existing config, you guys back it up and copy a new one in place of it. This can be bad for someone that has spent days getting their OctoPrint install set up and dialed in to how they want it. Instead, you guys should be adding the required lines to the config, if any are needed to enable OctoBTT to work.

You can use this command to get additional info on how to set configs via CLI.

~/oprint/bin/octoprint config --help

And here is some info on what is in the config.yaml file.

https://docs.octoprint.org/en/master/configuration/config_yaml.html

@Will-wastelander
Contributor Author

And for security reasons, you guys need to stop using the same API key for all installs. This is a HUGE security risk.

@Will-wastelander Will-wastelander changed the title Configs changed after install Configs changed after install, and potential security risk. Nov 7, 2020
@Will-wastelander Will-wastelander changed the title Configs changed after install, and potential security risk. Configs changed after install, and serious security risk. Nov 8, 2020
@Will-wastelander
Contributor Author

Hardcoded API key...

QByteArray Global_X_API_Key = "C1B64D24AE99475EAA9385B5DBC77820";//Test Key

QByteArray X_API_Key = Global_X_API_Key;//Test Key
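The check a practitioner would want here, as an added example that is not OctoBTT or OctoPrint code: it flags a config.yaml that still carries the shared test key quoted above, generates a fresh key in the 32-uppercase-hex format OctoPrint uses (assumed to mirror OctoPrint's own uuid4-based generator; only the format matters), and reads or rotates `api.key` in the config instead of baking a key into a binary. The YAML handling is a deliberately minimal line scanner for the two-level `api:` / `key:` layout, not a general YAML parser, and the sample config is constructed for the example.

```python
"""Per-install OctoPrint API keys instead of one shared hardcoded key.

Added example for this issue thread, not OctoBTT or OctoPrint code.
Assumptions: OctoPrint API keys are 32 uppercase hex digits (uuid4-based),
and config.yaml keeps the key under a top-level `api:` mapping as `key:`.
"""
import re
import uuid

# Shared key that shipped in every OctoBTT install (quoted in this issue).
KNOWN_SHARED_TEST_KEY = "C1B64D24AE99475EAA9385B5DBC77820"

_KEY_RE = re.compile(r"^[0-9A-F]{32}$")

# Constructed sample config (not a real install's file) that still carries
# the shared test key.
SHARED_CONFIG = (
    "api:\n"
    "  enabled: true\n"
    "  key: C1B64D24AE99475EAA9385B5DBC77820\n"
    "server:\n"
    "  port: 5000\n"
)


def generate_api_key():
    """Random per-install key in OctoPrint's 32-hex-digit format."""
    return uuid.uuid4().hex.upper()


def looks_like_api_key(value):
    """True when the value has the shape of an OctoPrint API key."""
    return bool(_KEY_RE.match(value))


def _api_key_line(config_text):
    """Yield (index, raw_line, indent) for the `key:` entry under `api:`."""
    in_api = False
    for i, raw in enumerate(config_text.splitlines()):
        line = raw.split("#", 1)[0].rstrip()   # drop YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                         # a new top-level mapping
            in_api = line.strip() == "api:"
            continue
        if in_api and re.match(r"^\s+key:", line):
            return i, raw, indent
    return None


def extract_api_key(config_text):
    """Return api.key from config.yaml text, or None when absent/empty."""
    found = _api_key_line(config_text)
    if found is None:
        return None
    _, raw, _ = found
    value = raw.split("#", 1)[0].split(":", 1)[1].strip().strip("'\"")
    return value or None


def audit_api_key(config_text):
    """Classify the configured key: missing, shared-test-key, malformed, ok."""
    key = extract_api_key(config_text)
    if key is None:
        return "missing"
    if key == KNOWN_SHARED_TEST_KEY:
        return "shared-test-key"
    if not looks_like_api_key(key):
        return "malformed"
    return "ok"


def rotate_api_key(config_text, new_key=None):
    """Replace (or add) api.key; returns (new_config_text, new_key)."""
    new_key = new_key or generate_api_key()
    lines = config_text.splitlines()
    found = _api_key_line(config_text)
    if found is not None:
        i, raw, indent = found
        lines[i] = raw[:indent] + "key: " + new_key
    else:
        lines += ["api:", "  key: " + new_key]
    return "\n".join(lines) + "\n", new_key


if __name__ == "__main__":
    print("before:", audit_api_key(SHARED_CONFIG))
    rotated, key = rotate_api_key(SHARED_CONFIG)
    print("after: ", audit_api_key(rotated), key)
```

Run it against a real install's ~/.octoprint/config.yaml to see whether the deployed key is still the shared one; an audit result of "shared-test-key" means every other install with the same build can authenticate to that printer.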

@bigtreetech
Owner

Yes, I am trying the way you said, but you still need to wait patiently before I debug and stabilize. Thank you for your feedback.

@Will-wastelander
Contributor Author

There also seems to be an issue w/ Settings > WiFi, as when I click it, it either hangs OctoBTT, or drops to console.

@Will-wastelander
Contributor Author

Also, OctoPrint will be making user auth mandatory in the near future, so it might be good to start getting that worked on.

@bigtreetech
Owner

The Wi-Fi connection is performed in the console operation mode, and I did not encounter the situation of dropping to the console. As for the problem you encountered, I wonder if you could record a video for me, so that I can locate your problem more easily.
The second question, about account permissions: we will finish that as soon as possible. Please wait patiently, and thank you for your attention and support.

@Will-wastelander
Contributor Author

@bigtreetech I can do the video, no problem. I have a spare rPi and screen I can set it up on. I should be able to get it in the next day or 2.

I am an active user on OctoPrint's discord server, and have been told that auth will be mandatory in the near future. I believe it will be 0.15.0 that implements this requirement.

I look forward to the official release. Will this be the software used w/ the Biqu BX rPi interface ? I am a kickstarter backer of it, and can't wait for the printer to be delivered. :)

@bigtreetech
Owner

Thank you for your support. I also have a request that you send me a copy of your configuration file, and I will refer to your configuration requirements to improve the usability of the software.

@Will-wastelander
Contributor Author

What configuration file do you need ? And where can I locate it ?

@Will-wastelander
Contributor Author

config.yaml for OctoPrint ?

@Will-wastelander
Contributor Author

I have completed a fresh install of OctoPi 0.18.0 RC1 armhf. I completed an apt update and upgrade, then installed OctoDash before configuring OctoPrint. I then logged into OctoPrint, and did not get the normal Welcome wizard for the new installation. Here is the config.yaml that is currently in use. (The BTT provided config.yaml, I believe.) Along w/ the vanilla config that came with the install. If you need a live config, I will need to sanitize it before sending it to you. But all salts, secret keys, api keys, application keys, discovery upnpUuid, and error tracking/tracking unique_id are generated uniquely per installation. They cannot be reused for another system, or this causes a security issue.

Also... https://octoprint.org/blog/2020/11/10/new-release-candidate-1.5.0rc1

config.yaml.OctoBTTbackup.txt
config.yaml.txt

@Will-wastelander
Contributor Author

Here is the video for the wifi issues. It looks like it's just hanging, and doesn't do anything at all. I am running on a rPi 4 4GB.

https://drive.google.com/file/d/1QVfl7Mkzt5qdeotWIxBuVq4aAmaWnNR2/view?usp=sharing

@Will-wastelander
Contributor Author

20201110_124724.jpg

@cp2004

cp2004 commented Nov 10, 2020

@bigtreetech - Just to let you know, as of OctoPrint 1.5.0 OctoBTT no longer works, because of the configuration copying. It requires Access Control to be enabled, which also means you need a users.yaml which has encrypted passwords in it. As a result, users cannot open OctoPrint.

You should not need to change the entire configuration like this to connect to OctoPrint. If you want an example of how it can be done, OctoDash is a good example. You only need the API key, not the entire file.

@Will-wastelander
Contributor Author

There is no reason to sudo to read info either. sudo should ONLY be used for system changes, not reading data.

QString cmd = "sudo ifconfig | grep -E \"flags|inet|ether\"";

ifconfig | grep -E "flags|inet|ether"
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether dc:a6:32:a4:xx:xx txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.x.xxx netmask 255.255.255.0 broadcast 192.168.x.255
ether dc:a6:32:a4:xx:xx txqueuelen 1000 (Ethernet)

@Will-wastelander
Contributor Author

@bigtreetech @Shine6Z If I want to recompile my changes for testing, what do I need to run from the rPi ? The below lines ?

cd ~/OctoBTT
qmake OctoBTT.pro
if [ ! -f "$OctoBTT" ]; then
    rm OctoBTT
    make clean
fi
make -j$(cat /proc/cpuinfo | grep processor | wc -l)

@Will-wastelander
Contributor Author

Will-wastelander commented Nov 11, 2020

Hardcoding passwords, API keys, etc. is a HUGE no-no. This needs to be removed.

https://github.com/Will-wastelander/OctoBTT/blob/bfffb6cbc50562a9bbd6eee861d62279f6417c44/terminaldialog.h#L54

@Will-wastelander
Contributor Author

If sudo is required for the commands (which some of them don't need), you should be using something like this in /etc/sudoers.d/OctoBTT

pi ALL=(ALL) NOPASSWD: /sbin/iwlist, /sbin/wpa_cli, /sbin/iwconfig, /sbin/ifconfig

@Will-wastelander
Contributor Author

I have forked the build, and will make some security changes, and do a PR. I'm not that into coding, so I won't be much help with anything outside of security stuff, and recommendations..

@bigtreetech
Owner

I have completed a fresh install of OctoPi 0.18.0 RC1 armhf. I completed an apt update and upgrade, then installed OctoDash before configuring OctoPrint. I then logged into OctoPrint, and did not get the normal Welcome wizard for the new installation. Here is the config.yaml that is currently in use. (The BTT provided config.yaml, I believe.) Along w/ the vanilla config that came with the install. If you need a live config, I will need to sanitize it before sending it to you. But all salts, secret keys, api keys, application keys, discovery upnpUuid, and error tracking/tracking unique_id are generated uniquely per installation. They cannot be reused for another system, or this causes a security issue.

Also... https://octoprint.org/blog/2020/11/10/new-release-candidate-1.5.0rc1

config.yaml.OctoBTTbackup.txt
config.yaml.txt

Yes, I have noticed the existence of similar problems, so I will solve this problem as soon as possible.

@bigtreetech
Owner

For incorrect console passwords, you can enter the correct console password by clicking on the console icon at the top.

@bigtreetech
Owner

@bigtreetech - Just to let you know, as of OctoPrint 1.5.0 OctoBTT no longer works, because of the configuration copying. It requires Access Control to be enabled, which also means you need a users.yaml which has encrypted passwords in it. As a result, users cannot open OctoPrint.

You should not need to change the entire configuration like this to connect to OctoPrint. If you want an example of how it can be done, OctoDash is a good example. You only need the API key, not the entire file.

Indeed, here I do need to adjust for the right access. I'm already doing it; you need to be patient.

@bigtreetech
Owner

There is no reason to sudo to read info either. sudo should ONLY be used for system changes, not reading data.

QString cmd = "sudo ifconfig | grep -E \"flags|inet|ether\"";

ifconfig | grep -E "flags|inet|ether"
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether dc:a6:32:a4:xx:xx txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.x.xxx netmask 255.255.255.0 broadcast 192.168.x.255
ether dc:a6:32:a4:xx:xx txqueuelen 1000 (Ethernet)

Due to the scanning permission involved, the sudo command will be used. However, the figure does not show the complete command procedure. Here, the required command is simply passed to the Terminal unit for execution, and the terminal unit automatically handles the process of entering the password.

@bigtreetech
Owner

@bigtreetech @Shine6Z If I want to recompile my changes for testing, what do I need to run from the rPi ? The below lines ?

cd ~/OctoBTT
qmake OctoBTT.pro
if [ ! -f "$OctoBTT" ]; then
    rm OctoBTT
    make clean
fi
make -j$(cat /proc/cpuinfo | grep processor | wc -l)

Right, you can execute this command to recompile the boot:

cd ~/OctoBTT && qmake OctoBTT.pro && rm OctoBTT && make clean && make -j$(cat /proc/cpuinfo | grep processor | wc -l) && sudo reboot

@bigtreetech
Owner

I have forked the build, and will make some security changes, and do a PR. I'm not that into coding, so I won't be much help with anything outside of security stuff, and recommendations..

Regarding security, I can adjust to a more reasonable way of solving this kind of problem. The currently required operation permissions cannot be removed immediately, since they are also involved in the dynamic loading of USB storage devices, but I do not rule out taking a more reasonable approach to these problems in the future. Thank you for your feedback; I also hope you will continue to follow the project and make suggestions for our improvement.

@bigtreetech
Owner

Here is the video for the wifi issues. It looks like it's just hanging, and doesn't do anything at all. I am running on a rPi 4 4GB.

https://drive.google.com/file/d/1QVfl7Mkzt5qdeotWIxBuVq4aAmaWnNR2/view?usp=sharing

Taking everything together, the interface freeze in the video is caused by an incorrect console password. The purpose of the freeze on my side is to avoid multiple console drivers executing at the same time and causing chaos, so when entering the Wi-Fi interface I freeze it while scanning for available devices, and remove the freeze after the scan. I'm sorry for the problems this caused you; I will prioritize fixing the unfriendly interface freeze.

@Will-wastelander
Contributor Author

I was able to resolve the wifi issue w/ my OctoBTT file in sudoers.d. This gives OctoBTT access to run iwlist, iwconfig, wpa_cli, and ifconfig. If there are any other sudo commands that I have missed, please let me know, and I will get them added. Then we no longer need to provide a password for those specific commands to be run.

@Will-wastelander
Contributor Author

Would you mind explaining what is going on with the USB mounting stuff ? Why is it needed, what is the function/purpose of it ? I think there is a way to auto-mount USB drives, as it happens when you insert a USB drive when running Xorg.

@Will-wastelander
Contributor Author

Here are some articles about automounting.

Automount USB
Automount on Ubuntu
Mount using Autofs

@bigtreetech
Owner

I would like to have full bash console capability in OctoBTT so that DIY users do not lose their console access because they are using OctoBTT. There are still some issues with introducing Bash, so I'm still looking for a more sensible solution. As for the USB storage device mount problem, I tried the automatic mount scheme before, but for some reason the mount function did not seem to work, so I handled it in OctoBTT and used Bash console commands to scan and mount the USB storage device.

@Will-wastelander
Contributor Author

Full bash console is not something a dashboard screen should have. That's what SSH is for. There is no reason a dashboard should ever have full control of a system.

Ok, but what is the USB storage used for ? autofs, should be able to mount the USB devices, in theory.

I can install and test this if you would like.

@Will-wastelander
Contributor Author

apt info autofs
Package: autofs
Version: 5.1.2-4
Priority: optional
Section: utils
Maintainer: Debian QA Group [email protected]
Installed-Size: 2,571 kB
Provides: autofs5
Depends: libc6 (>= 2.17), libxml2 (>= 2.7.4), ucf
Recommends: nfs-common, kmod | module-init-tools, e2fsprogs
Breaks: autofs5 (<< 5.0.6-1~)
Replaces: autofs5 (<< 5.0.6-1~)
Homepage: http://www.kernel.org/pub/linux/daemons/autofs/v5/
Download-Size: 406 kB
APT-Sources: http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
Description: kernel-based automounter for Linux
Autofs controls the operation of the automount daemons. The
automount daemons automatically mount filesystems when they
are used and unmount them after a period of inactivity. This
is done based on a set of pre-configured maps.
.
The kernel automounter implements an almost complete SunOS
style automounter under Linux. A recent version of the kernel
autofs4 module (builtin or separate) is required.
.
This is the autofs daemon.

@Will-wastelander
Contributor Author

You have to remember that security needs to be the #1 priority. Unless BTT wants to be liable for a customer being hacked.

@bigtreetech
Owner

The dashboard has console access only so that the Raspberry Pi can be completely independent of remote control from a computer and achieve full capability. Of course, for a Raspberry Pi that is only a printer system this feature is really redundant, and I can fully consider cancelling it.
The main consideration for the use of USB storage devices is to be able to import and manage print files directly from a USB stick connected to the Raspberry Pi, without needing to rely on an external computer. In the future design, models could be obtained directly through USB storage devices, making the Raspberry Pi's capabilities more complete and printer operation more concise and meaningful. Of course, if you would like to help me install and test, we would like that very much, and thank you very much for your support.

@Will-wastelander
Contributor Author

@Shine6Z Email has been sent. And unless you want a bunch of other people potentially emailing saying they are me. You should remove contact, or delete post. ;)

@Shine6Z
Contributor

Shine6Z commented Nov 12, 2020

@Shine6Z Email has been sent. And unless you want a bunch of other people potentially emailing saying they are me. You should remove contact, or delete post. ;)

Ok, we have received your email. We will communicate with you in the email about the internal test of new product deployment in the future.
