Darek Posted February 25, 2020 (edited)

Please provide steps to disable webui terminal. I prefer ssh key exchange shell access. Unraid Version 6.8.2

-- Digest:

We can remove the button on the front end using this command:

    rm /usr/local/emhttp/plugins/dynamix/TerminalButton.page

Above change does not disable the root access to command line interface, it can be accessed using direct URL with standard authentication: https://unraid:8443/webterminal/

There are other avenues to execute nefarious code using unraid UI, and removing this functionality will not address these security issues. Any breach of the UI effectively provides root access to unraid system.

Edited February 26, 2020 by Darek

limetech Posted February 25, 2020

One doesn't preclude the other.

Darek Posted February 25, 2020 Author Share Posted February 25, 2020 Thank you for your comment. Webui terminal provides command line interface (CLI) without ssh key requirement. I can disable ssh, but I don't see a way to disable Webui terminal. Once configured I don't need this feature and see it as undesired vulnerability. I would like to limit this kind of access if possible. Quote Link to comment
limetech Posted February 25, 2020

1 hour ago, Darek said:

    Thank you for your comment. Webui terminal provides command line interface (CLI) without ssh key requirement. I can disable ssh, but I don't see a way to disable Webui terminal. Once configured I don't need this feature and see it as undesired vulnerability. I would like to limit this kind of access if possible.

You have to have logged into webGUI in order to use it. If someone has hacked that, they could just go and "re-enable" the terminal.

Squid Posted February 25, 2020

Like @limetech says, once logged into the webUI anyone can do pretty much anything, but if you really want to remove that button,

    rm /usr/local/emhttp/plugins/dynamix/TerminalButton.page

Will accomplish this if set via a user script to run at Array Start (1st Boot Only)

But, you may be better off renaming it as there may come a time when you need to get in via the webGUI to the terminal.

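Added example, not part of the thread and not Unraid's own code: an idempotent rename-based toggle for the button file, following the renaming suggestion in the post above. The `.disabled` suffix, the function names and the `PAGE` override are assumptions; as the thread notes, this only hides the button, and /webterminal/ remains reachable to an authenticated webGUI session.

```bash
#!/bin/bash
# Added example (not from the thread): hide or restore the webGUI terminal
# button by renaming its page file instead of deleting it.
# The path is the one given in the thread; override PAGE to test elsewhere.
PAGE="${PAGE:-/usr/local/emhttp/plugins/dynamix/TerminalButton.page}"
# Assumption: a file that no longer ends in .page is not shown by the webGUI.
SUFFIX=".disabled"

button_state() {
    # Prints one of: enabled, disabled, missing
    if [ -e "$PAGE" ]; then
        echo enabled
    elif [ -e "$PAGE$SUFFIX" ]; then
        echo disabled
    else
        echo missing
    fi
}

hide_button() {
    case "$(button_state)" in
        enabled)  mv -- "$PAGE" "$PAGE$SUFFIX" ;;
        disabled) return 0 ;;   # already hidden, safe to run at every boot
        *)        echo "not found: $PAGE" >&2; return 1 ;;
    esac
}

restore_button() {
    case "$(button_state)" in
        disabled) mv -- "$PAGE$SUFFIX" "$PAGE" ;;
        enabled)  return 0 ;;   # already visible
        *)        echo "not found: $PAGE$SUFFIX" >&2; return 1 ;;
    esac
}

# Dispatch only when an action is given: hide, restore or status.
if [ "$#" -gt 0 ]; then
    case "$1" in
        hide)    hide_button ;;
        restore) restore_button ;;
        status)  button_state ;;
        *)       echo "usage: $0 hide|restore|status" >&2; exit 2 ;;
    esac
fi
```

Because the plugin files are recreated on boot (hence the "Array Start (1st Boot Only)" user script in the post above), `hide` has to be rerun after each restart; `restore` brings the button back without a reboot.
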
Darek Posted February 25, 2020 Author Share Posted February 25, 2020 To be clear , removing the button doesn't disable functionality. But at least nobody is going to click on the silly link now. https://unraid:8443/webterminal/ Quote Link to comment
BRiT Posted February 25, 2020

Why would you even let anyone who isn't you have access to your unraid root account for the web ui?