Bug #15282
closedUsers with Deny Config Write privilege can trigger some VLAN interface operations
100%
Description
A user with the Deny Connfig Write privilege set but access to the interfaces config pages can try to create VLANs and QinQ interfaces.
The interfaces fail to be created correctly and are not added to the config but the underlying ifconfig commands are still run creating the interfaces on the system.
Those bogus interfaces then appear as assignable and although that user cannot assign them another user could, creating invalid config.
Other interface types do not seem affected; GRE PPP etc
Related issues
Updated by Kris Phillips 10 months ago
Tested this on 24.03 builds from Feb 23rd. Can confirm this issue is present.
Updated by Jim Pingle 9 months ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset d3929b79ff7c3f0cdf1ba3179efea05037a18d00.
Updated by Jim Pingle 9 months ago
- Subject changed from A user with Deny Config Write set can still create VLANs to Users with Deny Config Write privilege can trigger some VLAN interface operations
- Status changed from Feedback to Resolved
Looks good on the current snapshot. Trying to create, save, or delete a VLAN as a user with that privilege displays an appropriate error and no action is taken.
Rephrased the subject since it wasn't quite right. The changes weren't saved but some operations still happened in the OS level.
Updated by Steve Wheeler 9 months ago
- Status changed from Resolved to In Progress
A user with deny config write can no longer create VLANs in current snapshots but can still create QinQ interfaces:
Mar 7 18:29:33 php-fpm 558 /index.php: Successful login for user 'test' from: 172.21.16.8 (Local Database) Mar 7 18:30:45 php-fpm 59067 Save config permission denied by the 'User - Config: Deny Config Write' permission for user 'test@172.21.16.8 (Local Database)'. Mar 7 18:30:45 kernel vlan3: changing name to 'igc2.10' Mar 7 18:30:45 kernel igc2: permanently promiscuous mode enabled Mar 7 18:30:45 kernel vlan4: changing name to 'igc2.10.25'
Tested: 24.03.b.20240307.0536
Updated by Steve Wheeler 9 months ago
- Related to Bug #15318: Users with Deny Config Write privilege can trigger some QinQ interface operations added
Updated by Steve Wheeler 9 months ago
- Status changed from In Progress to Resolved
QinQ separated to a new ticket: https://redmine.pfsense.org/issues/15318
Updated by Jim Pingle 9 months ago
- Category changed from User Manager / Privileges to Interfaces
Updated by Marcos M 4 days ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset a4d40f3e5852a3b8cd9ae19460cfe0d8429d32ea.
Updated by Kris Phillips 3 days ago
- Status changed from Feedback to Resolved
Tested on latest 25.01 build. I can confirm the following message is not present:
The following input errors were detected:
Insufficient privileges to make the requested change (read only).
Looks good. Closing as Resolved.