Bug #15282: Users with Deny Config Write privilege can trigger some VLAN interface operations - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #15282

closed

Users with Deny Config Write privilege can trigger some VLAN interface operations

Added by Steve Wheeler 9 months ago. Updated 8 months ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

Interfaces

Target version:

2.8.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

24.03

Release Notes:

Default

Affected Version:

All

Affected Architecture:

Description

A user with the Deny Connfig Write privilege set but access to the interfaces config pages can try to create VLANs and QinQ interfaces.

The interfaces fail to be created correctly and are not added to the config but the underlying ifconfig commands are still run creating the interfaces on the system.

Those bogus interfaces then appear as assignable and although that user cannot assign them another user could, creating invalid config.

Other interface types do not seem affected; GRE PPP etc

Related issues

Related to Bug #15318: Users with Deny Config Write privilege can trigger some QinQ interface operations

Resolved

Jim Pingle

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Kris Phillips 9 months ago

Tested this on 24.03 builds from Feb 23rd. Can confirm this issue is present.

Actions

Copy link

Updated by Jim Pingle 9 months ago

Assignee set to Jim Pingle

Actions

Copy link

Updated by Jim Pingle 9 months ago

Status changed from New to Feedback
% Done changed from 0 to 100

Applied in changeset d3929b79ff7c3f0cdf1ba3179efea05037a18d00.

Actions

Copy link

Updated by Jim Pingle 9 months ago

Subject changed from A user with Deny Config Write set can still create VLANs to Users with Deny Config Write privilege can trigger some VLAN interface operations
Status changed from Feedback to Resolved

Looks good on the current snapshot. Trying to create, save, or delete a VLAN as a user with that privilege displays an appropriate error and no action is taken.

Rephrased the subject since it wasn't quite right. The changes weren't saved but some operations still happened in the OS level.

Actions

Copy link

Updated by Steve Wheeler 9 months ago

Status changed from Resolved to In Progress

A user with deny config write can no longer create VLANs in current snapshots but can still create QinQ interfaces:

Mar 7 18:29:33     php-fpm     558     /index.php: Successful login for user 'test' from: 172.21.16.8 (Local Database)
Mar 7 18:30:45     php-fpm     59067     Save config permission denied by the 'User - Config: Deny Config Write' permission for user 'test@172.21.16.8 (Local Database)'.
Mar 7 18:30:45     kernel         vlan3: changing name to 'igc2.10'
Mar 7 18:30:45     kernel         igc2: permanently promiscuous mode enabled
Mar 7 18:30:45     kernel         vlan4: changing name to 'igc2.10.25'

Tested: 24.03.b.20240307.0536

Actions

Copy link