Security: Web admin password via YAMA_WEB_ADMIN_PASS, decoupled from master password
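--- a/<file-1-path-not-shown-on-page>
+++ b/<file-1-path-not-shown-on-page>
@@ -1877,11 +1877,20 @@ BOOL CMy2015RemoteDlg::OnInitDialog()
 auto webSvrPort = THIS_CFG.GetInt("settings", "WebSvrPort", -1);
 if (webSvrPort > 0) {
 WebService().SetParentDlg(this);
-// Use master password as web login password
-if (!m_superPass.empty()) {
-WebService().SetAdminPassword(m_superPass);
+// Pick web admin password: prefer the web-specific env var so the
+// Web UI password can be rotated independently of the master
+// password (BRAND_ENV_VAR) used for licensing / sub-server HMAC.
+// Fall back to m_superPass for backward compatibility — existing
+// deployments keep working without changing env vars.
+const char* webPassEnv = getenv(BRAND_WEB_ENV_VAR);
+std::string webPass = (webPassEnv && *webPassEnv) ? webPassEnv : m_superPass;
+if (!webPass.empty()) {
+WebService().SetAdminPassword(webPass);
+Mprintf("[WebService] Admin password configured from %s\n",
+(webPassEnv && *webPassEnv) ? BRAND_WEB_ENV_VAR : BRAND_ENV_VAR);
 } else {
-Mprintf("[WebService] Warning: No master password set, web login disabled\n");
+Mprintf("[WebService] Warning: neither %s nor %s set, web login disabled\n",
+BRAND_WEB_ENV_VAR, BRAND_ENV_VAR);
 }
 // HideWebSessions: 1=hide (default), 0=show (for debugging)
 WebService().SetHideWebSessions(THIS_CFG.GetInt("settings", "HideWebSessions", 1) != 0);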
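Review bot: The fallback on the new `std::string webPass = ... : m_superPass;` line means that whenever YAMA_WEB_ADMIN_PASS is unset the web login still accepts the master password, so the decoupling the commit title promises only holds when an operator opts in, and the only hint is the `configured from YAMA_PWD` info line. I would surface that case as a warning so it is not lost in routine log output, e.g. `if (!(webPassEnv && *webPassEnv)) Mprintf("[WebService] Warning: %s not set, web login reuses the master password from %s\n", BRAND_WEB_ENV_VAR, BRAND_ENV_VAR);` placed before `if (!webPass.empty())`. The condition `webPassEnv && *webPassEnv` is spelled out three times; hoisting it into `const bool webPassFromEnv = webPassEnv && *webPassEnv;` keeps the three sites from drifting apart. `getenv` needs `<cstdlib>`, and the includes are not visible from this hunk, so please confirm it is already pulled in. OnInitDialog starts and ends outside the hunk.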
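--- a/<file-2-path-not-shown-on-page>
+++ b/<file-2-path-not-shown-on-page>
@@ -293,6 +293,11 @@
 #define BRAND_LICENSE_MAGIC "YAMA" // 许可证魔数
 #define BRAND_EVENT_PREFIX "YAMA" // 进程事件名前缀
 #define BRAND_ENV_VAR "YAMA_PWD" // 环境变量名(set YAMA_PWD=密码)
+// Web UI 专用 admin 密码;优先级高于 BRAND_ENV_VAR。两者都未设置时退回到
+// 兼容行为(用 m_superPass)。隔离的目的是让公网 Web 登录密码与下级授权
+// 用的 master password 解耦——后者一旦泄漏影响面更大,应避免在公网登录
+// 时复用。与 Go 服务端的 YAMA_WEB_ADMIN_PASS 语义一致。
+#define BRAND_WEB_ENV_VAR "YAMA_WEB_ADMIN_PASS"
 
 // --- 宽字符版本(自动生成)---
 #define BRAND_APP_NAME_W _T(BRAND_APP_NAME)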
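Review bot: The comment block above the new `#define BRAND_WEB_ENV_VAR` documents the precedence over BRAND_ENV_VAR but not that an empty value counts as unset, which is what the dialog code does when it tests `*webPassEnv` before falling back; I would add `// An empty value is treated as unset and falls back to BRAND_ENV_VAR / m_superPass.` so the header and its consumer agree. The sentence claiming identical semantics to the Go server's YAMA_WEB_ADMIN_PASS cannot be checked from this diff; if the Go side handles an empty value differently, that claim should be narrowed to what is actually shared. The sibling macros describe themselves with a trailing `// ...` on the same line, so a one-line trailing summary on the new define would keep the block scannable alongside the longer rationale above it.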