Bug #7375: User with restricted privileges can still delete all monitoring/graphing data
Status: closed (100% done)
Description
I attempted to create a "graph-viewing-only" user account that I could hand out to non-admin users so that they could check WAN gateway quality without allowing them the ability to change or break any configs. In testing this, I discovered that all functions that wrote changes to disk were successfully blocked for this user account, except that it could permanently delete all graphing data even though it had the "Deny Config Write" permission set.
Seen on the latest beta: 2.4.0.b.20170309.1553
Steps to reproduce:
- As an admin, create a new user account "readonlymonitor", set a password, and save the new account
- Edit the new account, and under "Effective Privileges", add the following two privileges:
  - User - Config: Deny Config Write
  - WebCfg - Status: Monitoring
- Save the account settings, and log out of the pfSense web UI
- Log in as the "readonlymonitor" user
- You should automatically arrive at the Status -> Monitoring page, since it's your only privilege
- For the purposes of testing, verify that at least some graphing data already exists and is being displayed properly
- Click on the Settings wrench icon
- Click the Display Advanced button
- Click the red Reset Data button and approve the confirmation pop-up
- Note that the refreshed graph now has no data points
Logging out and logging back in as admin, one can confirm that the deletion was indeed permanent and not an artifact because the graphs will still have zero data points even when viewed as admin.
If a user account is assigned the "User - Config: Deny Config Write" privilege, I think it is reasonable to assume that they should be prevented from deleting large amounts of data such as the RRD graphs, even if this data may not be part of the config database in the strictest sense.
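The gap the report describes is an authorization check tied to one code path (config persistence) rather than to the effect of an action. The following is an added model of that decision, written for this page and not taken from pfSense's code; the two privilege names and the "readonlymonitor" account come from the report, while the action names, the `destructive` flag and the `authorize_*` functions are assumptions used to contrast the reported behaviour with a gate that classifies every destructive action the same way.

```python
"""Model of the privilege gap in Bug #7375 (constructed example, not pfSense code).

Privilege names are the ones quoted in the report. Action names, the
'destructive' classification and the check functions are assumptions made
for illustration.
"""
from dataclasses import dataclass, field

DENY_CONFIG_WRITE = "User - Config: Deny Config Write"
MONITORING_PAGE = "WebCfg - Status: Monitoring"


@dataclass
class User:
    name: str
    privileges: set = field(default_factory=set)


# Actions reachable from the monitoring page (assumed names). 'destructive'
# records whether the action changes persistent state, whether that state is
# the config database or the stored graph data.
ACTIONS = {
    "view_graphs": {"page": MONITORING_PAGE, "destructive": False},
    "save_settings": {"page": MONITORING_PAGE, "destructive": True},
    "reset_rrd_data": {"page": MONITORING_PAGE, "destructive": True},
}


def authorize_reported(user: User, action: str) -> bool:
    """Gate modelled on the behaviour the report describes: page access is
    checked, but only the config-save path honours Deny Config Write, so the
    data reset slips through."""
    spec = ACTIONS[action]
    if spec["page"] not in user.privileges:
        return False
    if action == "save_settings" and DENY_CONFIG_WRITE in user.privileges:
        return False
    return True


def authorize_by_effect(user: User, action: str) -> bool:
    """Gate that denies every destructive action to a Deny Config Write user,
    regardless of which code path performs the write."""
    spec = ACTIONS[action]
    if spec["page"] not in user.privileges:
        return False
    if spec["destructive"] and DENY_CONFIG_WRITE in user.privileges:
        return False
    return True


def audit(user: User, authorize) -> set:
    """Return the set of actions a given gate lets the user perform; useful
    as a regression check when a new button is added to a page."""
    return {name for name in ACTIONS if authorize(user, name)}


# The account from the report: monitoring page access plus Deny Config Write.
READONLY_MONITOR = User("readonlymonitor", {DENY_CONFIG_WRITE, MONITORING_PAGE})

if __name__ == "__main__":
    print("reported gate :", sorted(audit(READONLY_MONITOR, authorize_reported)))
    print("by-effect gate:", sorted(audit(READONLY_MONITOR, authorize_by_effect)))
```

Running the audit against the reported gate lists `reset_rrd_data` as permitted for the read-only account, which is the bug; the by-effect gate leaves only `view_graphs`. The point of the `destructive` flag is that the decision is made once per action from its effect, so a new button that wipes data cannot be added without being classified.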