feat: rootless podman, session hardening, boot stability, sidebar fix
Rootless podman migration (TASK-11): - Remove sudo from all podman calls in PodmanClient + 8 backend files - Remove sudo from all podman/docker calls in deploy script - Restore full systemd security hardening: NoNewPrivileges, RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime, RestrictNamespaces, RestrictSUIDSGID, SystemCallFilter, ProtectSystem=strict - Enable loginctl linger for rootless container persistence - Remove Ollama from auto-deploy (marketplace-only) Session & auth hardening: - Increase MAX_CONCURRENT_SESSIONS 20→50 (prevents eviction storms) - Debounced 401 redirect in rpc-client.ts (prevents redirect storms) Boot stability: - optimize-debian.sh: adds chrony, swap, removes policy-rc.d - deploy script: pre-restart chrony + swap setup - ISO build: chrony package, swap file creation - BootScreen: no longer clears localStorage (prevents splash replay) - RootRedirect: sole owner of localStorage clearing on server ready UI fixes: - Sidebar opacity default changed from 0→visible (fixes missing sidebar after page-persistence login without entrance animation) - Console.log/error wrapped in import.meta.env.DEV guards - Remove unused route import from RootRedirect Beta tracking: - CLAUDE.md: beta freeze protocol added - MASTER_PLAN.md: TASK-11, TASK-17, phase structure - BETA-PROGRESS.md: initial tracking doc - Tagged v1.2.0-alpha.1 as pre-rootless baseline Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,14 +1,26 @@
|
||||
Not critical — those app proxy paths were already confirmed through other probes. The full attack surface analysis is complete above.
|
||||
Written to `loop/pentest/recon/attack-surface-analysis.md`. Here's the executive summary:
|
||||
|
||||
**Summary of critical findings:**
|
||||
## 3 Critical Findings
|
||||
|
||||
1. **Zero authentication on the entire RPC API** — every method callable by anyone on the network
|
||||
2. **Arbitrary container image execution** — `package.install` pulls and runs any Docker image
|
||||
3. **Cryptographic key abuse** — `node.signChallenge` signs arbitrary data without auth (confirmed with live signature)
|
||||
4. **FileBrowser full access via default credentials** — `admin/admin` confirmed working with admin JWT
|
||||
5. **Unauthenticated Claude API proxy** — free API usage at owner's expense (confirmed)
|
||||
6. **P2P message injection** — spoofed messages already present in the message store
|
||||
7. **CORS wildcard** on all endpoints enables drive-by attacks from any website
|
||||
8. **Backend runs as root** with dev mode enabled in production
|
||||
1. **`/lnd-connect-info` exposes full LND admin macaroon** — unauthenticated, CORS `*`. Anyone on the LAN gets complete Lightning node control (send payments, drain channels). Confirmed live.
|
||||
|
||||
The most urgent remediation is wiring authentication middleware into the `core/archipelago` handler — the session infrastructure exists in `core/startos/` but is **not connected** to the active backend's request pipeline.
|
||||
2. **Bitcoin RPC proxy on :8334 with hardcoded creds** (`archipelago:archipelago123`) — confirmed full mainnet `getblockchaininfo` works. If wallet is loaded, attacker can send transactions and export keys.
|
||||
|
||||
3. **Grafana default `admin:admin` on port 3000** — confirmed full admin access. Can query data sources and potentially pivot.
|
||||
|
||||
## 3 High Findings
|
||||
|
||||
4. **`/content` leaks personal file catalog** (names, sizes, UUIDs) without auth
|
||||
5. **Nginx Proxy Manager (port 81)** directly accessible with `setup: false` state
|
||||
6. **Multiple service ports (3000, 3001, 7777, 8080, 9000)** bypass nginx proxy auth
|
||||
|
||||
## Key Positives
|
||||
|
||||
- Login rate limiting works (triggers at 5 attempts)
|
||||
- CORS properly rejects unauthorized origins
|
||||
- Session management is solid (256-bit tokens, HttpOnly, SameSite=Strict)
|
||||
- Path traversal mitigated (/.git, /.env not exposed)
|
||||
- Security headers comprehensive (HSTS, CSP, X-Frame-Options)
|
||||
- Bcrypt + Argon2id + ChaCha20 crypto stack is production-grade
|
||||
|
||||
The report covers **150+ RPC methods**, **30+ nginx proxy routes**, **10+ direct port services**, and all authentication mechanisms with confirmed live probes.
|
||||
Reference in New Issue
Block a user