AdGuardHome icon indicating copy to clipboard operation
AdGuardHome copied to clipboard

Published 20 hours ago verified publisher icon AdguardTeam

Option to completely disable configuration via web UI

Open yuha0 opened this issue 4 years ago • 9 comments

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • [x] I am running the latest version
  • [x] I checked the documentation and found no answer
  • [x] I checked to make sure that this issue has not already been filed

Problem Description

Currently, an admin user can configure the instance via the web UI and it does not seem to possible to disable that. There are a few issues regarding this:

  1. From a security perspective, if the web UI is compromised (e.g. password leak), the whole AdGuard Home instance is effectively taken over by the attacker, putting all the users in danger. If the user uses DoH, the interface may even be exposed to the internet, making it even more risky.

  2. I guess allowing web configuration is the only reason why AdGuard Home requires write permission to the configuration file? If the config file is read-only, AdGuard Home complains about it and exits. I deploy AdGuard Home in Kubernetes, and use infrastructure-as-code concept to manage its configuration in git. As a result, AdGuard's configuration file is managed by a Kubernetes ConfigMap object, and it is dynamically mounted to the container on container startup time. ConfigMap is mounted as read-only, since the idea is that the content of the ConfigMap is managed by higher level Kubernetes API and should not be changed through mounted filesystem. To workaround this, I have to do some weird dances to make both Kubernetes and AdGuard happy: Before starts the container, start another "initContainer" to copy the content of the ConfigMap to a shared volume, and start the AdGuard container with that shared volume mounted at /opt/adguardhome/conf/AdGuardHome.yaml: https://github.com/yuha0/home-infra/blob/531a899a4617935a32f2fcce7c43f1e0ba93d092/kubernetes/adguardhome/deploy.yaml#L58-L127

Proposed Solution

Provide an option as command line argument or environment variable to disable web configuration, and when disabled, allow the config file to be read-only and do not attempt to write to it.

This mitigates the security risk since now, in order to make changes to AdGuard, the attacker has to gain access to the filesystem, which is a lot more difficult.

This also allow to use the web interface as a read-only stats dashboard. Unprivileged users or anonymous users can visualize interesting stats while being kept from having the ability to make change to the system.

Alternatives Considered

Additional Information

yuha0 avatar Jul 27 '20 06:07 yuha0