Bug #15282

closed

Users with Deny Config Write privilege can trigger some VLAN interface operations

Added by Steve Wheeler 2 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Interfaces
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 24.03
Release Notes: Default
Affected Version: All
Affected Architecture:

Description

A user with the Deny Config Write privilege set but access to the interfaces config pages can try to create VLANs and QinQ interfaces.

The interfaces fail to be created correctly and are not added to the config, but the underlying ifconfig commands are still run, creating the interfaces on the system.

Those bogus interfaces then appear as assignable, and although that user cannot assign them, another user could, creating invalid config.

Other interface types do not seem affected: GRE, PPP, etc.


Related issues

Related to Bug #15318: Users with Deny Config Write privilege can trigger some QinQ interface operations (Resolved, Jim Pingle)

Actions #1

Updated by Kris Phillips 2 months ago

Tested this on 24.03 builds from Feb 23rd. Can confirm this issue is present.

Actions #2

Updated by Jim Pingle about 2 months ago

  • Assignee set to Jim Pingle
Actions #3

Updated by Jim Pingle about 2 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Jim Pingle about 2 months ago

  • Subject changed from "A user with Deny Config Write set can still create VLANs" to "Users with Deny Config Write privilege can trigger some VLAN interface operations"
  • Status changed from Feedback to Resolved

Looks good on the current snapshot. Trying to create, save, or delete a VLAN as a user with that privilege displays an appropriate error and no action is taken.

Rephrased the subject since it wasn't quite right. The changes weren't saved but some operations still happened at the OS level.

Actions #5

Updated by Steve Wheeler about 2 months ago

  • Status changed from Resolved to In Progress

A user with deny config write can no longer create VLANs in current snapshots but can still create QinQ interfaces:

Mar 7 18:29:33     php-fpm     558     /index.php: Successful login for user 'test' from: 172.21.16.8 (Local Database)
Mar 7 18:30:45     php-fpm     59067     Save config permission denied by the 'User - Config: Deny Config Write' permission for user 'test@172.21.16.8 (Local Database)'.
Mar 7 18:30:45     kernel         vlan3: changing name to 'igc2.10'
Mar 7 18:30:45     kernel         igc2: permanently promiscuous mode enabled
Mar 7 18:30:45     kernel         vlan4: changing name to 'igc2.10.25' 

Tested: 24.03.b.20240307.0536
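
A log check for the condition shown in the excerpt above, added here as an example (it is not part of the ticket or of pfSense): it pairs a denied config save with kernel interface rename messages logged within a short window, which indicates an OS-level change the saved config never recorded. The function names, the two-second window, the year 2024 (the log lines carry no year) and the last sample line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Layout seen in the ticket: timestamp, process, optional PID, message.
LINE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(?:(\d+)\s+)?(.*\S)\s*$")
DENIED = re.compile(r"Save config permission denied by the '[^']*Deny Config Write' "
                    r"permission for user '([^@']+)@")
RENAME = re.compile(r"^\S+: changing name to '([^']+)'")

# First five lines: the excerpt from the ticket. Last line: constructed for this
# example (a later rename with no denial nearby) to show what is not flagged.
SAMPLE_LOG = """\
Mar 7 18:29:33     php-fpm     558     /index.php: Successful login for user 'test' from: 172.21.16.8 (Local Database)
Mar 7 18:30:45     php-fpm     59067     Save config permission denied by the 'User - Config: Deny Config Write' permission for user 'test@172.21.16.8 (Local Database)'.
Mar 7 18:30:45     kernel         vlan3: changing name to 'igc2.10'
Mar 7 18:30:45     kernel         igc2: permanently promiscuous mode enabled
Mar 7 18:30:45     kernel         vlan4: changing name to 'igc2.10.25'
Mar 7 19:05:10     kernel         vlan5: changing name to 'igc2.20'
"""

def parse(log, year):
    """Yield (timestamp, process, message) for each line that fits the layout."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(4)

def side_effects_after_denial(log, year=2024, window=timedelta(seconds=2)):
    """Return (user, interface) for kernel interface renames logged within
    `window` of a denied config save. Order inside one second is not relied on."""
    events = list(parse(log, year))
    denials = [(ts, d.group(1)) for ts, proc, msg in events
               if proc == "php-fpm" and (d := DENIED.search(msg))]
    findings = []
    for ts, proc, msg in events:
        m = RENAME.match(msg) if proc == "kernel" else None
        near = [user for dts, user in denials if abs(ts - dts) <= window]
        if m and near:
            findings.append((near[0], m.group(1)))
    return findings

if __name__ == "__main__":
    for user, ifname in side_effects_after_denial(SAMPLE_LOG):
        print(f"{ifname}: created on the system around a denied save by '{user}'")
```

Interfaces reported this way exist on the system but not in the config, so they are the ones to compare against the assignable-interface list before anyone assigns them.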

Actions #6

Updated by Steve Wheeler about 2 months ago

  • Related to Bug #15318: Users with Deny Config Write privilege can trigger some QinQ interface operations added
Actions #7

Updated by Steve Wheeler about 2 months ago

  • Status changed from In Progress to Resolved

QinQ separated to a new ticket: https://redmine.pfsense.org/issues/15318

Actions #8

Updated by Jim Pingle about 1 month ago

  • Category changed from User Manager / Privileges to Interfaces