Adding static user for LuCI Lua RPC with limited RPCs - uhttpd

I want to add a static user other than admin to get access to certain RPCs.

Currently I used:

uhttpd.main.config=/etc/httpd.conf

and

root@OpenWrt:/# cat /etc/httpd.conf 
:admin:$p$admin
:user123:$1$o38FGUqi$qPKdfdsyPrJYstq7Wta.

For this when I use RPC from LAN PC like below:

# curl --insecure -i -X POST  http://192.168.0.1/cgi-bin/luci/rpc/auth  -d'
{
  "method": "login",
  "params": [
    "admin",
    "1g2h3g"
  ]
}'

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json
Set-Cookie: sysauth=f201c26de92ab2d230583248a5bbfb12; path=/
Cache-Control: no-cache
Expires: 0

{"id":null,"result":"f201c26de92ab2d230583248a5bbfb12","error":null}

I get a token, but for the new user user123 I get a different response without a token:

# curl --insecure -i -X POST http://192.168.0.1/cgi-bin/luci/rpc/auth -d'
{
  "method": "login",
  "params": [
    "user123",
    "1a2b2c"
  ]
}'

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json
Cache-Control: no-cache
Expires: 0

So the user has been added, but authentication is not done. At least, a token is not issued by uhttpd.
How can it be achieved?
The next step after that is to limit RPCs to this user.

Thanks in advance!

The LuCI exposed RPC API does not support restricted users; you need to use uhttpd-mod-ubus for that, in conjunction with restricted accounts in /etc/config/rpcd.

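The setup the reply above points to (uhttpd-mod-ubus plus a restricted account in /etc/config/rpcd), as an added example that is not part of any post in this thread. The ACL group name `limited-rpc` and the granted `system` methods are assumptions chosen for illustration, and user123 is assumed to exist as a system account.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: ACL group "limited-rpc",
# user "user123", router 192.168.0.1; the granted ubus methods are illustrative.

# 1. On the router: ACL group file for rpcd, normally placed in
#    /usr/share/rpcd/acl.d/. Only the listed ubus object/methods become callable.
write_acl() {  # $1 = target directory
	cat > "$1/limited-rpc.json" <<'EOF'
{
	"limited-rpc": {
		"description": "Read-only system status (constructed example)",
		"read": {
			"ubus": {
				"system": [ "board", "info" ]
			}
		}
	}
}
EOF
}

# 2. On the router: login section to append to /etc/config/rpcd, then
#    /etc/init.d/rpcd restart. '$p$user123' makes rpcd check the password
#    of the system account user123; only the "limited-rpc" group is granted.
rpcd_login_section() {
	printf "config login\n\toption username 'user123'\n\toption password '\$p\$user123'\n\tlist read 'limited-rpc'\n"
}

# 3. From the LAN PC: JSON-RPC bodies for uhttpd-mod-ubus (POST to /ubus).
#    Arguments must not contain quotes or backslashes (no JSON escaping here).
NULL_SESSION=00000000000000000000000000000000
login_body() {  # $1 = user, $2 = password
	printf '{"jsonrpc":"2.0","id":1,"method":"call","params":["%s","session","login",{"username":"%s","password":"%s"}]}' "$NULL_SESSION" "$1" "$2"
}
call_body() {  # $1 = ubus_rpc_session, $2 = ubus object, $3 = method
	printf '{"jsonrpc":"2.0","id":2,"method":"call","params":["%s","%s","%s",{}]}' "$1" "$2" "$3"
}

# Against a live router (not executed by this script):
#   curl -s -d "$(login_body user123 'PASSWORD')" http://192.168.0.1/ubus
#     -> the session id is result[1].ubus_rpc_session in the reply
#   curl -s -d "$(call_body "$SID" system board)" http://192.168.0.1/ubus
# A call to an object or method outside the ACL group is answered with
# JSON-RPC error code -32002 ("Access denied") instead of a result.
```

Unlike the LuCI `/rpc/sys` endpoint, nothing here hands the account a general `exec`; it can reach only what the ACL group lists.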

Thanks for the quick reply.

Do you have any links on how to configure these rpcd RPCs and call them from a LAN PC?

I could hardly find any documentation on the rpcd use case.

To add on:

I tried adding a Linux user whose home directory has only one binary that this user can access, to give it a try.
This time the RPC gets a token, but the next binary execution doesn't work:

# curl --insecure -i -X POST http://192.168.0.1/cgi-bin/luci/rpc/auth -d'
{
  "method": "login",
  "params": [
    "user123",
    "a1b3d45"
  ]
}'

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json
Set-Cookie: sysauth=3f860b275dd6ed1767bed2b44394ee05; path=/
Cache-Control: no-cache
Expires: 0

{"id":null,"result":"3f860b275dd6ed1767bed2b44394ee05","error":null}


# curl --insecure -i -X POST http://192.168.0.1/cgi-bin/luci/rpc/sys?auth=3f860b275dd6ed1767bed2b44394ee05 -d'
{
  "method": "exec",
  "params": ["ls -a"]
}'

HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked

Any clue why the RPC fails?