From 004ba283789d38cbad4054f7d0824f2850e03e20 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Tue, 13 Dec 2016 15:52:28 +0100 Subject: [PATCH] Prevent web UI password change by web user --- advanced/Scripts/webpage.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/advanced/Scripts/webpage.sh b/advanced/Scripts/webpage.sh index 0a79d853..db7d2026 100755 --- a/advanced/Scripts/webpage.sh +++ b/advanced/Scripts/webpage.sh @@ -41,6 +41,18 @@ SetTemperatureUnit(){ SetWebPassword(){ + if[ "$SUDO_USER" == "www-data" ]; then + echo "Security measure: user www-data is not allowed to change webUI password!" + echo "Exiting" + exit 1 + fi + + if[ "$SUDO_USER" == "lighttpd" ]; then + echo "Security measure: user lighttpd is not allowed to change webUI password!" + echo "Exiting" + exit 1 + fi + # Remove password from file (create backup setupVars.conf.bak) sed -i.bak '/WEBPASSWORD/d' /etc/pihole/setupVars.conf # Set password only if there is one to be set
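Review bot: Both added guards in SetWebPassword are written `if[ "$SUDO_USER" == ... ]` with no space after `if`, so the shell treats `if[` as a command name and hits a syntax error at the following `then`; as shown, the check cannot take effect and the script would most likely fail to parse. They should read `if [ "$SUDO_USER" == "www-data" ]; then` and `if [ "$SUDO_USER" == "lighttpd" ]; then`. Once corrected, the guard is still a two-name denylist keyed on `SUDO_USER`, so a web server running under any other account name, or a call path where that variable is unset, passes it. Restricting which subcommands the web user may run in the sudoers rule (not visible in this patch) would enforce the same policy at the privilege boundary instead of inside the script. SetWebPassword's body continues past the end of the hunk.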