feat: rootless podman, session hardening, boot stability, sidebar fix

Rootless podman migration (TASK-11):
- Remove sudo from all podman calls in PodmanClient + 8 backend files
- Remove sudo from all podman/docker calls in deploy script
- Restore full systemd security hardening: NoNewPrivileges,
  RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime,
  RestrictNamespaces, RestrictSUIDSGID, SystemCallFilter, ProtectSystem=strict
- Enable loginctl linger for rootless container persistence
- Remove Ollama from auto-deploy (marketplace-only)

Session & auth hardening:
- Increase MAX_CONCURRENT_SESSIONS 20→50 (prevents eviction storms)
- Debounced 401 redirect in rpc-client.ts (prevents redirect storms)

Boot stability:
- optimize-debian.sh: adds chrony, swap, removes policy-rc.d
- deploy script: pre-restart chrony + swap setup
- ISO build: chrony package, swap file creation
- BootScreen: no longer clears localStorage (prevents splash replay)
- RootRedirect: sole owner of localStorage clearing on server ready

UI fixes:
- Sidebar opacity default changed from 0→visible (fixes missing sidebar
  after page-persistence login without entrance animation)
- Console.log/error wrapped in import.meta.env.DEV guards
- Remove unused route import from RootRedirect

Beta tracking:
- CLAUDE.md: beta freeze protocol added
- MASTER_PLAN.md: TASK-11, TASK-17, phase structure
- BETA-PROGRESS.md: initial tracking doc
- Tagged v1.2.0-alpha.1 as pre-rootless baseline

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dorian
2026-03-18 13:53:27 +00:00
parent 934d120243
commit 870ff095d8
48 changed files with 2979 additions and 2196 deletions


@@ -1,14 +1,26 @@
Not critical — those app proxy paths were already confirmed through other probes. The full attack surface analysis is complete above.
Written to `loop/pentest/recon/attack-surface-analysis.md`. Here's the executive summary:
**Summary of critical findings:**
## 3 Critical Findings
1. **Zero authentication on the entire RPC API** — every method callable by anyone on the network
2. **Arbitrary container image execution**`package.install` pulls and runs any Docker image
3. **Cryptographic key abuse**`node.signChallenge` signs arbitrary data without auth (confirmed with live signature)
4. **FileBrowser full access via default credentials**`admin/admin` confirmed working with admin JWT
5. **Unauthenticated Claude API proxy** — free API usage at owner's expense (confirmed)
6. **P2P message injection** — spoofed messages already present in the message store
7. **CORS wildcard** on all endpoints enables drive-by attacks from any website
8. **Backend runs as root** with dev mode enabled in production
1. **`/lnd-connect-info` exposes full LND admin macaroon** — unauthenticated, CORS `*`. Anyone on the LAN gets complete Lightning node control (send payments, drain channels). Confirmed live.
The most urgent remediation is wiring authentication middleware into the `core/archipelago` handler — the session infrastructure exists in `core/startos/` but is **not connected** to the active backend's request pipeline.
2. **Bitcoin RPC proxy on :8334 with hardcoded creds** (`archipelago:archipelago123`) — confirmed full mainnet `getblockchaininfo` works. If wallet is loaded, attacker can send transactions and export keys.
3. **Grafana default `admin:admin` on port 3000** — confirmed full admin access. Can query data sources and potentially pivot.
## 3 High Findings
4. **`/content` leaks personal file catalog** (names, sizes, UUIDs) without auth
5. **Nginx Proxy Manager (port 81)** directly accessible with `setup: false` state
6. **Multiple service ports (3000, 3001, 7777, 8080, 9000)** bypass nginx proxy auth
## Key Positives
- Login rate limiting works (triggers at 5 attempts)
- CORS properly rejects unauthorized origins
- Session management is solid (256-bit tokens, HttpOnly, SameSite=Strict)
- Path traversal mitigated (/.git, /.env not exposed)
- Security headers comprehensive (HSTS, CSP, X-Frame-Options)
- Bcrypt + Argon2id + ChaCha20 crypto stack is production-grade
The report covers **150+ RPC methods**, **30+ nginx proxy routes**, **10+ direct port services**, and all authentication mechanisms with confirmed live probes.
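Review bot: The text in this hunk records working credentials and confirmed-live exposures in a tracked file: the Bitcoin RPC pair `archipelago:archipelago123`, the `admin/admin` and `admin:admin` defaults for FileBrowser and Grafana, and the unauthenticated `/lnd-connect-info` macaroon endpoint. None of the items in the commit message (rootless podman, systemd hardening, session limit, 401 debounce) names a fix for these, so please reference the remediation task for each finding, rotate the listed credentials before this lands, and consider keeping the report outside the main repository history. The lines as shown also disagree with each other: `CORS properly rejects unauthorized origins` sits alongside `CORS wildcard` on all endpoints and the CORS wildcard noted on `/lnd-connect-info`, and `Session management is solid` sits alongside `Zero authentication on the entire RPC API`; the report should state which endpoints and which backend each claim was tested against. The leading sentences (`Not critical`, `Here's the executive summary:`) read as tool output rather than report text and could be dropped.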