Browse Source

feat: add `SYNO_LOCAL_HOSTNAME` to prevent remote deploy via temp admin method

pull/5023/head
Scruel Tao 10 months ago
parent
commit
192ec598a3
  1. 53
      deploy/synology_dsm.sh

53
deploy/synology_dsm.sh

@ -8,30 +8,34 @@
# Updated: 2023-07-03
# Issues: https://github.com/acmesh-official/acme.sh/issues/2727
################################################################################
# Usage:
# Usage (shown values are the examples):
# 1. Set required environment variables:
# - use automatically created temp admin user to authenticate
# `export SYNO_USE_TEMP_ADMIN=1`
# export SYNO_USE_TEMP_ADMIN=1
# - or provide your own admin user credential to authenticate
# 1. `export SYNO_USERNAME="adminUser"`
# 2. `export SYNO_PASSWORD="adminPassword"`
# 2. Set optional environment variables (shown values are the defaults)
# 1. export SYNO_USERNAME="adminUser"
# 2. export SYNO_PASSWORD="adminPassword"
# 2. Set optional environment variables
# - common optional variables
# - `export SYNO_SCHEME="http"`
# - `export SYNO_HOSTNAME="localhost"`
# - `export SYNO_PORT="5000"`
# - `export SYNO_CREATE=""` - to allow creating the cert if it doesn't exist
# - `export SYNO_CERTIFICATE=""` - to replace a specific cert by its
# - export SYNO_SCHEME="http" - defaults to "http"
# - export SYNO_HOSTNAME="localhost" - defaults to "localhost"
# - export SYNO_PORT="5000" - defaults to "5000"
# - export SYNO_CREATE=1 - to allow creating the cert if it doesn't exist
# - export SYNO_CERTIFICATE="" - to replace a specific cert by its
# description
# - 2FA-OTP optional variables (with your own admin user)
# - `export SYNO_OTP_CODE=""` - required for 2FA-OTP, script won't require
# interactive input the code if set.
# - `export SYNO_DEVICE_NAME=""` - required for 2FA-OTP, script won't require
# interactive input the device name if set.
# - `export SYNO_DEVICE_ID=""` - required for omitting 2FA-OTP (might be
# deprecated, auth with OTP code instead)
# - export SYNO_OTP_CODE="XXXXXX" - if set, script won't require to
# interactive input the OTP code
# - export SYNO_DEVICE_NAME="CertRenewal" - if set, script won't require to
# interactive input the device name
# - export SYNO_DEVICE_ID="" - (deprecated) required for omitting 2FA-OTP
# (please auth with OTP code instead)
# - temp admin optional variables
# - export SYNO_LOCAL_HOSTNAME=1 - if set to 1, force to treat hostname is
# targeting current local machine (since
# this method only locally supported)
# 3. Run command:
# `acme.sh --deploy --deploy-hook synology_dsm -d example.com``
# acme.sh --deploy --deploy-hook synology_dsm -d example.com
################################################################################
# Dependencies:
# - curl
@ -83,8 +87,6 @@ synology_dsm_deploy() {
SYNO_DEVICE_ID=
SYNO_DEVICE_NAME=
SYNO_OTP_CODE=
# Pre-delete temp admin user if already exists.
synouser --del "$SYNO_USERNAME" >/dev/null 2>/dev/null
else
_debug2 SYNO_USERNAME "$SYNO_USERNAME"
_secure_debug2 SYNO_PASSWORD "$SYNO_PASSWORD"
@ -178,7 +180,16 @@ synology_dsm_deploy() {
# Assume the current account disabled 2FA-OTP, try to log in right away.
else
if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
_getdeployconf SYNO_LOCAL_HOSTNAME
_debug SYNO_LOCAL_HOSTNAME "${SYNO_LOCAL_HOSTNAME:-}"
if [ "$SYNO_LOCAL_HOSTNAME" != "1" ] && [ "$SYNO_LOCAL_HOSTNAME" == "$SYNO_HOSTNAME" ]; then
if [ "$SYNO_HOSTNAME" != "localhost" ] && [ "$SYNO_HOSTNAME" != "127.0.0.1" ]; then
_err "SYNO_USE_TEMP_ADMIN=1 Only support locally deployment, if you are sure that hostname $SYNO_HOSTNAME is targeting to your **current local machine**, execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
return 1
fi
fi
_debug "Creating temp admin user in Synology DSM..."
synouser --del "$SYNO_USERNAME" >/dev/null 2>/dev/null
synouser --add "$SYNO_USERNAME" "$SYNO_PASSWORD" "" 0 "scruelt@hotmail.com" 0 >/dev/null
if synogroup --help | grep -q '\-\-memberadd'; then
synogroup --memberadd administrators "$SYNO_USERNAME" >/dev/null
@ -229,6 +240,7 @@ synology_dsm_deploy() {
printf "Enter OTP code for user '%s': " "$SYNO_USERNAME"
read -r SYNO_OTP_CODE
fi
_secure_debug SYNO_OTP_CODE "${SYNO_OTP_CODE:-}"
if [ -z "$SYNO_OTP_CODE" ]; then
response='{"error":{"code":404}}'
@ -288,6 +300,7 @@ synology_dsm_deploy() {
_cleardeployconf SYNO_DEVICE_ID
_cleardeployconf SYNO_DEVICE_NAME
_savedeployconf SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
_savedeployconf SYNO_LOCAL_HOSTNAME "$SYNO_HOSTNAME"
else
_savedeployconf SYNO_USERNAME "$SYNO_USERNAME"
_savedeployconf SYNO_PASSWORD "$SYNO_PASSWORD"
@ -308,7 +321,7 @@ synology_dsm_deploy() {
if [ "$error_code" -eq 105 ]; then
_err "Current user is not administrator and does not have sufficient permission for deploying."
else
_err "Failed to fetch certificate info with error: $error_code, contact Synology for more info about it."
_err "Failed to fetch certificate info with error: $error_code, please try again or contact Synology to learn more."
fi
_temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
return 1

Loading…
Cancel
Save