Bug #7375

closed

User with restricted privileges can still delete all monitoring/graphing data

Added by Brett Keller about 7 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee: Jared Dillard
Category: User Manager / Privileges
Target version: -
Start date: 03/10/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.x
Affected Architecture:

Description

I attempted to create a "graph-viewing-only" user account that I could hand out to non-admin users so that they could check WAN gateway quality without allowing them the ability to change or break any configs. In testing this, I discovered that all functions that wrote changes to disk were successfully blocked for this user account, except that it could permanently delete all graphing data even though it had the "Deny Config Write" permission set.

Seen on the latest beta: 2.4.0.b.20170309.1553

Steps to reproduce:
  1. As an admin, create a new user account "readonlymonitor", set a password, and save the new account
  2. Edit the new account, and under "Effective Privileges", add the following two privileges:
    • User - Config: Deny Config Write
    • WebCfg - Status: Monitoring
  3. Save the account settings, and log out of the pfSense web UI
  4. Log in as the "readonlymonitor" user
  5. You should automatically arrive at the Status -> Monitoring page, since it's your only privilege
  6. For the purposes of testing, verify that at least some graphing data already exists and is being displayed properly
  7. Click on the Settings wrench icon
  8. Click the Display Advanced button
  9. Click the red Reset Data button and approve the confirmation pop-up
  10. Note that the refreshed graph now has no data points

Logging out and logging back in as admin, one can confirm that the deletion was indeed permanent and not an artifact because the graphs will still have zero data points even when viewed as admin.

If a user account is assigned the "User - Config: Deny Config Write" privilege, I think it is reasonable to assume that they should be prevented from deleting large amounts of data such as the RRD graphs, even if this data may not be part of the config database in the strictest sense.

Actions #1

Updated by Jared Dillard about 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Jared Dillard
Actions #3

Updated by Jim Pingle over 3 years ago

  • Status changed from Assigned to Pull Request Review
Actions #4

Updated by Renato Botelho over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #5

Updated by Alhusein Zawi over 3 years ago

I followed the steps.

At Step 9 I received "Insufficient privileges to make the requested change (read only)." and Graph/data has not been deleted.
Fixed.

Actions #6

Updated by Alhusein Zawi over 3 years ago

  • Status changed from Feedback to Resolved
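
The class of bug reported in this ticket, as an added example that is not pfSense code and not part of the ticket: a write guard that only recognises config writes lets a read-only account run a destructive action on non-config data, while a guard keyed on any persistent state change denies it. The privilege names and the error string are taken from the ticket; the action table, the `save_view` action and all function names are hypothetical, and the data points are constructed.

```python
# Illustrative model; every function and action name here is hypothetical.
from dataclasses import dataclass, field

DENY_WRITE = "User - Config: Deny Config Write"   # privilege names as in the ticket
MONITORING = "WebCfg - Status: Monitoring"
READ_ONLY_MSG = "Insufficient privileges to make the requested change (read only)."

# Hypothetical action table: the page privilege that exposes each action,
# whether it changes persistent state, and whether that state is the config.
ACTIONS = {
    "view_graph": {"page": MONITORING, "mutates": False, "touches_config": False},
    "save_view":  {"page": MONITORING, "mutates": True,  "touches_config": True},
    "reset_data": {"page": MONITORING, "mutates": True,  "touches_config": False},
}

@dataclass
class Store:
    config: dict = field(default_factory=lambda: {"views": []})
    rrd_points: list = field(default_factory=lambda: [12.1, 11.8, 13.4])  # constructed

class Denied(Exception):
    """Raised when the caller's privileges do not allow the action."""

def authorize(privs, action, strict):
    spec = ACTIONS[action]
    if spec["page"] not in privs:
        raise Denied("page not permitted")
    # Weak guard: only config writes count as writes (the reported gap).
    # Strict guard: any persistent state change counts as a write.
    is_write = spec["mutates"] if strict else spec["touches_config"]
    if is_write and DENY_WRITE in privs:
        raise Denied(READ_ONLY_MSG)

def handle(store, privs, action, strict):
    """Authorize server-side first, then act; returns remaining data points."""
    authorize(privs, action, strict)
    if action == "reset_data":
        store.rrd_points.clear()
    elif action == "save_view":
        store.config["views"].append("custom")
    return len(store.rrd_points)

def unguarded_actions():
    """Audit helper: actions a config-only write check leaves open to read-only users."""
    return sorted(name for name, spec in ACTIONS.items()
                  if spec["mutates"] and not spec["touches_config"])
```

Running `unguarded_actions()` over a real action inventory is the review step: anything it lists is reachable by an account that was meant to be read-only.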