Property:security.lua

Lua-Script

Goto:   Functions  -  Dependencies   -   Model-Matrix   -   SMW-Browser

This is an "in-section" name collision covering 2 completely different files:   -   (this will be splitted one day)
For now this article explains the REST-API file in /usr/rest_api. The Dependencies and Model-Matrix cover both files.

security.lua is the REST-API Security checker. It is included by api.lua.

It provides a method for checking the access permissions for a given <endpoint> URL and access method (lan, wan).

By default an <endpoint> is denied, and whitelisted by a per <endpoint> access mask assigned in this script.

AVM comments it: Allow-List definition which endpoint with which rights can be accessed.

Security is enabled in ui-module webui:settings/rest_api_endpoint_security, which defaults to 1.
Tests to set it to 0 using ctlmgr_ctl did not work in fw 7.50.

root@fritz1:/var/media/ftp# ctlmgr_ctl r webui settings/rest_api_endpoint_security
1
root@fritz1:/var/media/ftp# ctlmgr_ctl w webui settings/rest_api_endpoint_securityr 0
root@fritz1:/var/media/ftp# ctlmgr_ctl r webui settings/rest_api_endpoint_security
1

REST-API:

• Lexicon: REST-API
• Commands: scgi_server
• Ports: Port-8187-tcp
• UI-Mods: webui
• API-Root: api.lua
• Includes: api_generic.lua, rest_config.lua, security.lua, espresso.lua
• Includes: rest_api_const.lua, response.lua, error.lua, avmluamessages.lua
• Includes: uimod.lua, api_generic_filter.lua, resource.lua
• Modules: storagenasrights_rest.lua, webusb_rest.lua
• Modules: calllog_rest.lua, faxjournal_rest.lua, phonebook_rest.lua
• Modules: smarthome_rest.lua, boxnotify_rest.lua
• Develop: obl_fboxname.lua, dev_debug.lua, landevice.lua
• Develop: query_tree.lua, fake_modules.lua, obl.lua

The function names of scripts often help to understand function blocks (and show gaps in the docs). fw 7.50 functions:

$ grep -e '^function' -e '^local function' /usr/rest_api/security.lua

# Get the user rights from rights UIM.
local function get_user_session_rights()

# Check if the user(session) match any of the given required rights.
local function check_authentication(required_rights)

# Check if rights for endpoints should be checked or not.
local function security_active()

# Checks if the user has the permissions to access the requested url path.
function security.permission(path, access_type) 

Dependencies

Daily updated index of all dependencies of this script. Last update: 2024-04-23 08:48 GMT.
A * in the Mod column marks info from Supportdata-Probes, which will always stay incomplete.
If an Object includes itself then this is a file with the same name but another Path and the dependencies are merged.

Model-Matrix

Daily updated index of the presence, path and size of this script for each model. Last update: 2024-04-23 06:22 GMT.
Showing all models using this script. Click any column header (click-wait-click) to sort the list by the respective data.
The (main/scrpn/boot/arm/prx/atom) label in the Model column shows which CPU is meant for models with multiple Linux instances.
Note that this list is merged from Firmware-Probes of all known AVM firmware for a model, including Recovery.exe and Labor-Files.

SMW-Browser