From c9ffde27d8adb7d289ea2e42b7eb66c66ff665ac Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 15 Mar 2025 14:32:10 +0100 Subject: [PATCH 1/5] add forgotten entry --- DOCUMENTATION.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 7bde4cbb..6483d090 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -812,6 +812,9 @@ Available backends: `none` : Just allows all usernames and passwords. +`denyall` _(>= 3.2.2)_ +: Just denies all usernames and passwords. + `htpasswd` : Use an [Apache htpasswd file](https://httpd.apache.org/docs/current/programs/htpasswd.html) From 7bb4beeae21d3df69767b624d1d5f23db108f169 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 15 Mar 2025 14:33:55 +0100 Subject: [PATCH 2/5] add note when was introduced --- DOCUMENTATION.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 6483d090..542d55b7 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -135,6 +135,8 @@ Note: some OS contain unpatched `htpasswd` (< 2.4.59) without supporting SHA-256 (e.g. Ubuntu LTS 22), in this case use '-B' for "bcrypt" hash method or stay with insecure MD5 (default) or SHA-1 ('-s'). +Note that support of SHA-256 or SHA-512 was introduced with 3.1.9 + ```bash # Create a new htpasswd file with the user "user1" using SHA-512 as hash method $ htpasswd -5 -c /path/to/users user1 From be43ce516103439abc01f2eaeb4d33d1a631762e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 15 Mar 2025 14:34:51 +0100 Subject: [PATCH 3/5] change default of authentication type to "denyall" for secure-by-default --- config | 2 +- radicale/config.py | 2 +- radicale/tests/test_base.py | 2 ++ radicale/tests/test_rights.py | 3 +++ radicale/tests/test_storage.py | 1 + 5 files changed, 8 insertions(+), 2 deletions(-) diff --git a/config b/config index 14bb3c40..6df01d9f 100644 --- a/config +++ b/config @@ -63,7 +63,7 @@ # Authentication method # Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall -#type = none +#type = denyall # Cache logins for until expiration time #cache_logins = false diff --git a/radicale/config.py b/radicale/config.py index f13a8d6a..e683cb5b 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -206,7 +206,7 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "type": str})])), ("auth", OrderedDict([ ("type", { - "value": "none", + "value": "denyall", "help": "authentication method (" + "|".join(auth.INTERNAL_TYPES) + ")", "type": str_or_callable, "internal": auth.INTERNAL_TYPES}), diff --git a/radicale/tests/test_base.py b/radicale/tests/test_base.py index 69864366..63c420e9 100644 --- a/radicale/tests/test_base.py +++ b/radicale/tests/test_base.py @@ -1714,6 +1714,7 @@ permissions: RrWw""") assert status == 200 and prop.text == "text/vcard;charset=utf-8" def test_authorization(self) -> None: + self.configure({"auth": {"type": "none"}}) _, responses = self.propfind("/", """\ @@ -1740,6 +1741,7 @@ permissions: RrWw""") def test_principal_collection_creation(self) -> None: """Verify existence of the principal collection.""" + self.configure({"auth": {"type": "none"}}) self.propfind("/user/", login="user:") def test_authentication_current_user_principal_hack(self) -> None: diff --git a/radicale/tests/test_rights.py b/radicale/tests/test_rights.py index 896c910e..8231214c 100644 --- a/radicale/tests/test_rights.py +++ b/radicale/tests/test_rights.py @@ -143,6 +143,7 @@ collection: public/[^/]* permissions: i""") self.configure({"rights": {"type": "from_file", "file": rights_file_path}}) + self.configure({"auth": {"type": "none"}}) self.mkcalendar("/tmp/calendar", login="tmp:bepo") self.mkcol("/public", login="tmp:bepo") self.mkcalendar("/public/calendar", login="tmp:bepo") @@ -165,6 +166,7 @@ permissions: i""") Items are allowed at "/.../.../...". """ + self.configure({"auth": {"type": "none"}}) self.mkcalendar("/", check=401) self.mkcalendar("/user/", check=401) self.mkcol("/user/") @@ -175,6 +177,7 @@ permissions: i""") def test_put_collections_and_items(self) -> None: """Test rights for creation of calendars and items with PUT.""" + self.configure({"auth": {"type": "none"}}) self.put("/user/", "BEGIN:VCALENDAR\r\nEND:VCALENDAR", check=401) self.mkcol("/user/") self.put("/user/calendar/", "BEGIN:VCALENDAR\r\nEND:VCALENDAR") diff --git a/radicale/tests/test_storage.py b/radicale/tests/test_storage.py index 1957a137..2fcfe717 100644 --- a/radicale/tests/test_storage.py +++ b/radicale/tests/test_storage.py @@ -77,6 +77,7 @@ class TestMultiFileSystem(BaseTest): """Verify that the hooks runs when a new user is created.""" self.configure({"storage": {"hook": "mkdir %s" % os.path.join( "collection-root", "created_by_hook")}}) + self.configure({"auth": {"type": "none"}}) self.propfind("/", login="user:") self.propfind("/created_by_hook/") From e8c974a72aab3fcbf64fad2addebcf5ebdbafa6b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 15 Mar 2025 14:35:30 +0100 Subject: [PATCH 4/5] add versions when option was introduced --- DOCUMENTATION.md | 130 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 111 insertions(+), 19 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 542d55b7..5f18488d 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -765,10 +765,12 @@ to secure TCP traffic between Radicale and a reverse proxy. If you want to authenticate users with client-side certificates, you also have to write an authentication plugin that extracts the username from the certificate. -Default: +Default: (unset) ##### protocol +_(>= 3.3.1)_ + Accepted SSL protocol (maybe not all supported by underlying OpenSSL version) Example for secure configuration: ALL -SSLv3 -TLSv1 -TLSv1.1 Format: Apache SSLProtocol list (from "mod_ssl") @@ -777,6 +779,8 @@ Default: (system default) ##### ciphersuite +_(>= 3.3.1)_ + Accepted SSL ciphersuite (maybe not all supported by underlying OpenSSL version) Example for secure configuration: DHE:ECDHE:-NULL:-SHA Format: OpenSSL cipher list (see also "man openssl-ciphers") @@ -785,6 +789,8 @@ Default: (system-default) ##### script_name +_(>= 3.5.0)_ + Strip script name from URI if called by reverse proxy Default: (taken from HTTP_X_SCRIPT_NAME or SCRIPT_NAME) @@ -832,26 +838,27 @@ Available backends: authentication. This can be used to provide the username from a reverse proxy. -`ldap` +`ldap` _(>= 3.3.0)_ : Use a LDAP or AD server to authenticate users. -`dovecot` +`dovecot` _(>= 3.3.1)_ : Use a Dovecot server to authenticate users. -`imap` +`imap` _(>= 3.4.1)_ : Use an IMAP server to authenticate users. -`oauth2` +`oauth2` _(>= 3.5.0)_ : Use an OAuth2 server to authenticate users. -`pam` +`pam` _(>= 3.5.0)_ : Use local PAM to authenticate users. - -Default: `none` +Default: `none` _(< 3.5.0)_ `denyall` _(>= 3.5.0)_ ##### cache_logins +_(>= 3.4.0)_ + Cache successful/failed logins until expiration time. Enable this to avoid overload of authentication backends. @@ -859,12 +866,16 @@ Default: `false` ##### cache_successful_logins_expiry +_(>= 3.4.0)_ + Expiration time of caching successful logins in seconds Default: `15` ##### cache_failed_logins_expiry +_(>= 3.4.0)_ + Expiration time of caching failed logins in seconds Default: `90` @@ -899,19 +910,21 @@ Available methods: `md5` : This uses an iterated MD5 digest of the password with a salt (nowadays insecure). -`sha256` +`sha256` _(>= 3.1.9)_ : This uses an iterated SHA-256 digest of the password with a salt. -`sha512` +`sha512` _(>= 3.1.9)_ : This uses an iterated SHA-512 digest of the password with a salt. -`autodetect` +`autodetect` _(>= 3.1.9)_ : This selects autodetection of method per entry. -Default: `autodetect` +Default: `md5` _(< 3.3.0)_ `autodetect` _(>= 3.3.0)_ ##### htpasswd_cache +_(>= 3.4.0)_ + Enable caching of htpasswd file based on size and mtime_ns Default: `False` @@ -930,48 +943,64 @@ Default: `Radicale - Password Required` ##### ldap_uri +_(>= 3.3.0)_ + The URI to the ldap server Default: `ldap://localhost` ##### ldap_base +_(>= 3.3.0)_ + LDAP base DN of the ldap server. This parameter must be provided if auth type is ldap. Default: ##### ldap_reader_dn +_(>= 3.3.0)_ + The DN of a ldap user with read access to get the user accounts. This parameter must be provided if auth type is ldap. Default: ##### ldap_secret +_(>= 3.3.0)_ + The password of the ldap_reader_dn. Either this parameter or `ldap_secret_file` must be provided if auth type is ldap. Default: ##### ldap_secret_file +_(>= 3.3.0)_ + Path of the file containing the password of the ldap_reader_dn. Either this parameter or `ldap_secret` must be provided if auth type is ldap. Default: ##### ldap_filter +_(>= 3.3.0)_ + The search filter to find the user DN to authenticate by the username. User '{0}' as placeholder for the user name. Default: `(cn={0})` ##### ldap_user_attribute +_(>= 3.4.0)_ + The LDAP attribute whose value shall be used as the user name after successful authentication Default: not set, i.e. the login name given is used directly. ##### ldap_groups_attribute +_(>= 3.4.0)_ + The LDAP attribute to read the group memberships from in the authenticated user's LDAP entry. If set, load the LDAP group memberships from the attribute given @@ -983,28 +1012,36 @@ This also gives you access to the group calendars, if they exist. Use 'memberOf' if you want to load groups on Active Directory and alikes, 'groupMembership' on Novell eDirectory, ... -Default: unset +Default: (unset) ##### ldap_use_ssl +_(>= 3.3.0)_ + Use ssl on the ldap connection Default: False ##### ldap_ssl_verify_mode +_(>= 3.3.0)_ + The certificate verification mode. NONE, OPTIONAL or REQUIRED Default: REQUIRED ##### ldap_ssl_ca_file +_(>= 3.3.0)_ + The path to the CA file in pem format which is used to certificate the server certificate Default: ##### dovecot_connection_type = AF_UNIX +_(>= 3.4.1)_ + Connection type for dovecot authentication (AF_UNIX|AF_INET|AF_INET6) Note: credentials are transmitted in cleartext @@ -1013,48 +1050,64 @@ Default: `AF_UNIX` ##### dovecot_socket +_(>= 3.3.1)_ + The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket. Default: `/var/run/dovecot/auth-client` ##### dovecot_host +_(>= 3.4.1)_ + Host of via network exposed dovecot socket Default: `localhost` ##### dovecot_port +_(>= 3.4.1)_ + Port of via network exposed dovecot socket Default: `12345` ##### imap_host +_(>= 3.4.1)_ + IMAP server hostname: address | address:port | [address]:port | imap.server.tld Default: `localhost` ##### imap_security +_(>= 3.4.1)_ + Secure the IMAP connection: tls | starttls | none Default: `tls` ##### oauth2_token_endpoint +_(>= 3.5.0)_ + OAuth2 token endpoint URL Default: ##### pam_service +_(>= 3.5.0)_ + PAM service Default: radicale ##### pam_group_membership +_(>= 3.5.0)_ + PAM group user should be member of Default: @@ -1070,6 +1123,8 @@ Note: cannot be enabled together with `uc_username` ##### uc_username +_(>= 3.3.2)_ + Сonvert username to uppercase, must be true for case-insensitive auth providers like ldap, kerberos @@ -1079,6 +1134,8 @@ Note: cannot be enabled together with `lc_username` ##### strip_domain +_(>= 3.2.3)_ + Strip domain from username Default: `False` @@ -1120,7 +1177,7 @@ File for the rights backend `from_file`. See the ##### permit_delete_collection -(New since 3.1.9) +_(>= 3.1.9)_ Global control of permission to delete complete collection (default: True) @@ -1129,7 +1186,7 @@ If True it can be forbidden by permissions per section with: d ##### permit_overwrite_collection -(New since 3.3.0) +_(>= 3.3.0)_ Global control of permission to overwrite complete collection (default: True) @@ -1161,6 +1218,8 @@ Default: `/var/lib/radicale/collections` ##### filesystem_cache_folder +_(>= 3.3.2)_ + Folder for storing cache of local collections, created if not present Default: (filesystem_folder) @@ -1171,6 +1230,8 @@ Note: can be used on multi-instance setup to cache files on local node (see belo ##### use_cache_subfolder_for_item +_(>= 3.3.2)_ + Use subfolder `collection-cache` for cache file structure of 'item' instead of inside collection folders, created if not present Default: `False` @@ -1179,6 +1240,8 @@ Note: can be used on multi-instance setup to cache 'item' on local node ##### use_cache_subfolder_for_history +_(>= 3.3.2)_ + Use subfolder `collection-cache` for cache file structure of 'history' instead of inside collection folders, created if not present Default: `False` @@ -1187,6 +1250,8 @@ Note: use only on single-instance setup, will break consistency with client in m ##### use_cache_subfolder_for_synctoken +_(>= 3.3.2)_ + Use subfolder `collection-cache` for cache file structure of 'sync-token' instead of inside collection folders, created if not present Default: `False` @@ -1195,6 +1260,8 @@ Note: use only on single-instance setup, will break consistency with client in m ##### use_mtime_and_size_for_item_cache +_(>= 3.3.2)_ + Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed) Default: `False` @@ -1205,6 +1272,8 @@ Note: conversion is done on access, bulk conversion can be done offline using st ##### folder_umask +_(>= 3.3.2)_ + Use configured umask for folder creation (not applicable for OS Windows) Default: (system-default, usual `0022`) @@ -1219,6 +1288,8 @@ Default: `2592000` ##### skip_broken_item +_(>= 3.2.2)_ + Skip broken item instead of triggering an exception Default: `True` @@ -1279,7 +1350,7 @@ Set the logging level. Available levels: **debug**, **info**, **warning**, **error**, **critical** -Default: `warning` +Default: `warning` _(< 3.2.0)_ `info` _(>= 3.2.0)_ ##### mask_passwords @@ -1289,30 +1360,40 @@ Default: `True` ##### bad_put_request_content +_(>= 3.2.1)_ + Log bad PUT request content (for further diagnostics) Default: `False` ##### backtrace_on_debug +_(>= 3.2.2)_ + Log backtrace on level=debug Default: `False` ##### request_header_on_debug +_(>= 3.2.2)_ + Log request on level=debug Default: `False` ##### request_content_on_debug +_(>= 3.2.2)_ + Log request on level=debug Default: `False` ##### response_content_on_debug +_(>= 3.2.2)_ + Log response on level=debug Default: `False` @@ -1325,6 +1406,8 @@ Default: `False` ##### storage_cache_actions_on_debug +_(>= 3.3.2)_ + Log storage cache actions on level=debug Default: `False` @@ -1350,13 +1433,15 @@ Available types: `none` : Disabled. Nothing will be notified. -`rabbitmq` +`rabbitmq` _(>= 3.2.0)_ : Push the message to the rabbitmq server. Default: `none` ##### rabbitmq_endpoint +_(>= 3.2.0)_ + End-point address for rabbitmq server. Ex: amqp://user:password@localhost:5672/ @@ -1364,19 +1449,26 @@ Default: ##### rabbitmq_topic +_(>= 3.2.0)_ + RabbitMQ topic to publish message. Default: ##### rabbitmq_queue_type +_(>= 3.2.0)_ + RabbitMQ queue type for the topic. Default: classic #### reporting + ##### max_freebusy_occurrence +_(>= 3.2.3)_ + When returning a free-busy report, a list of busy time occurrences are generated based on a given time frame. Large time frames could generate a lot of occurrences based on the time frame supplied. This @@ -1591,8 +1683,8 @@ The following `permissions` are recognized: (CalDAV/CardDAV is susceptible to expensive search requests) * **W:** write collections (excluding address books and calendars) * **w:** write address book and calendar collections -* **D:** permit delete of collection in case permit_delete_collection=False -* **d:** forbid delete of collection in case permit_delete_collection=True +* **D:** permit delete of collection in case permit_delete_collection=False _(>= 3.3.0)_ +* **d:** forbid delete of collection in case permit_delete_collection=True _(>= 3.3.0)_ * **O:** permit overwrite of collection in case permit_overwrite_collection=False * **o:** forbid overwrite of collection in case permit_overwrite_collection=True From 9f8ac21130ba4c78c732c00c237ae752d4f2502e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 15 Mar 2025 14:36:40 +0100 Subject: [PATCH 5/5] reflect change of default for auth.type --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf157773..b2069010 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ * Improve: catch htpasswd hash verification errors * Improve: add support for more bcrypt algos on autodetection, extend logging for autodetection fallback to PLAIN in case of hash length is not matching * Add: warning in case of started standalone and not listen on loopback interface but trusting external authentication +* Adjust: Change default [auth] type from "none" to "denyall" for secure-by-default ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port