Project

General

Profile

Actions

Bug #15282

closed

Users with Deny Config Write privilege can trigger some VLAN interface operations

Added by Steve Wheeler 10 months ago. Updated 3 days ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Interfaces
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
25.01
Release Notes:
Default
Affected Version:
All
Affected Architecture:

Description

A user with the Deny Connfig Write privilege set but access to the interfaces config pages can try to create VLANs and QinQ interfaces.

The interfaces fail to be created correctly and are not added to the config but the underlying ifconfig commands are still run creating the interfaces on the system.

Those bogus interfaces then appear as assignable and although that user cannot assign them another user could, creating invalid config.

Other interface types do not seem affected; GRE PPP etc


Related issues

Related to Bug #15318: Users with Deny Config Write privilege can trigger some QinQ interface operationsFeedbackMarcos M

Actions
Actions #1

Updated by Kris Phillips 10 months ago

Tested this on 24.03 builds from Feb 23rd. Can confirm this issue is present.

Actions #2

Updated by Jim Pingle 9 months ago

  • Assignee set to Jim Pingle
Actions #3

Updated by Jim Pingle 9 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Jim Pingle 9 months ago

  • Subject changed from A user with Deny Config Write set can still create VLANs to Users with Deny Config Write privilege can trigger some VLAN interface operations
  • Status changed from Feedback to Resolved

Looks good on the current snapshot. Trying to create, save, or delete a VLAN as a user with that privilege displays an appropriate error and no action is taken.

Rephrased the subject since it wasn't quite right. The changes weren't saved but some operations still happened in the OS level.

Actions #5

Updated by Steve Wheeler 9 months ago

  • Status changed from Resolved to In Progress

A user with deny config write can no longer create VLANs in current snapshots but can still create QinQ interfaces:

Mar 7 18:29:33     php-fpm     558     /index.php: Successful login for user 'test' from: 172.21.16.8 (Local Database)
Mar 7 18:30:45     php-fpm     59067     Save config permission denied by the 'User - Config: Deny Config Write' permission for user 'test@172.21.16.8 (Local Database)'.
Mar 7 18:30:45     kernel         vlan3: changing name to 'igc2.10'
Mar 7 18:30:45     kernel         igc2: permanently promiscuous mode enabled
Mar 7 18:30:45     kernel         vlan4: changing name to 'igc2.10.25' 

Tested: 24.03.b.20240307.0536

Actions #6

Updated by Steve Wheeler 9 months ago

  • Related to Bug #15318: Users with Deny Config Write privilege can trigger some QinQ interface operations added
Actions #7

Updated by Steve Wheeler 9 months ago

  • Status changed from In Progress to Resolved

QinQ separated to a new ticket: https://redmine.pfsense.org/issues/15318

Actions #8

Updated by Jim Pingle 9 months ago

  • Category changed from User Manager / Privileges to Interfaces
Actions #9

Updated by Marcos M 4 days ago

  • Status changed from Resolved to In Progress
  • % Done changed from 100 to 0
  • Plus Target Version changed from 24.03 to 25.01

This is still an issue in 24.11. A commit that went in shortly after the fix caused a regression.

Actions #10

Updated by Marcos M 4 days ago

  • Assignee changed from Jim Pingle to Marcos M
Actions #11

Updated by Marcos M 4 days ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #12

Updated by Kris Phillips 3 days ago

  • Status changed from Feedback to Resolved

Tested on latest 25.01 build. I can confirm the following message is not present:

The following input errors were detected:

Insufficient privileges to make the requested change (read only).

Looks good. Closing as Resolved.

Actions

Also available in: Atom PDF