Bug #15874
closed
Users with Deny Config Write privilege can trigger logging operations
100%
Description
A user with the deny_config_write privilege set and access to the log settings page can still trigger the syslog daemon to restart and it fail to do so:
Nov 26 23:32:06 php-fpm 69047 Save config permission denied by the 'User - Config: Deny Config Write' permission for user 'Test@172.21.16.8 (Local Database)'. Nov 26 23:32:06 sshguard 41111 Exiting on signal. Nov 26 23:32:06 syslogd exiting on signal 15
Nothing further is logged until the log settings page is resaved by a privileged user. The service cannot be restarted until then.
Nov 26 23:45:23 syslogd kernel boot file is /boot/kernel/kernel Nov 26 23:45:23 sshguard 27010 Now monitoring attacks. Nov 26 23:45:23 nginx 2024/11/26 23:45:23 [error] 68831#116459: send() failed (54: Connection reset by peer) while logging to syslog, server: unix:/var/run/log
Tested 24.11.
See: https://forum.netgate.com/topic/195331/potential-bug-read-only-user-able-to-crash-syslogd-service
Updated by Jim Pingle about 1 month ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 8aa54e0d780114713015dd7e970e6541dfc40378.
Updated by Lev Prokofev about 1 month ago
After applying the patch I get a butch of php strings in logs after login using an unprivileged user (Tested on 24.11)
Dec 7 00:30:39 php-fpm 2640 /index.php: Successful login for user 'bubu' from: 192.168.70.10 (Local Database)
Dec 7 00:30:39 php-fpm 2640 /index.php: bubu@192.168.70.10 (Local Database) attempted to access /index.php but does not have access to that page. Redirecting to status_logs_packages.php.
Dec 7 00:30:39 php-fpm 2640 PHPSESSION 1 open sessions left at shutdown script!Array
Dec 7 00:30:39 php-fpm 2640 (
Dec 7 00:30:39 php-fpm 2640 [0] => #### phpsession_begin ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:39
Dec 7 00:30:39 php-fpm 2640 phpsession_begin(..) - /etc/inc/auth.inc:2218
Dec 7 00:30:39 php-fpm 2640 session_auth(..) - /etc/inc/authgui.inc:37
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 [1] => #### phpsession_end ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:55
Dec 7 00:30:39 php-fpm 2640 phpsession_end(..) - /etc/inc/auth.inc:2352
Dec 7 00:30:39 php-fpm 2640 session_auth(..) - /etc/inc/authgui.inc:37
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 [2] => #### phpsession_begin ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:39
Dec 7 00:30:39 php-fpm 2640 phpsession_begin(..) - /etc/inc/authgui.inc:42
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 [3] => #### phpsession_begin ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:39
Dec 7 00:30:39 php-fpm 2640 phpsession_begin(..) - /etc/inc/priv.inc:242
Dec 7 00:30:39 php-fpm 2640 getAllowedPages(..) - /etc/inc/authgui.inc:49
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 [4] => #### phpsession_end ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:55
Dec 7 00:30:39 php-fpm 2640 phpsession_end(..) - /etc/inc/priv.inc:303
Dec 7 00:30:39 php-fpm 2640 getAllowedPages(..) - /etc/inc/authgui.inc:49
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 )
Updated by Jim Pingle 28 days ago
Updated by Jim Pingle 28 days ago
- Plus Target Version changed from 25.01 to 25.03
Updated by dylan mendez 23 days ago
Testing this, it seems that you can restart ALL services as long as you have the WebCfg - Status: Services permission even with a non-privileged user. I successfully managed to brick my firewall (stop kea, ipsec, mim, freeradius, unbound, dpinger, etc) using an account with just deny_config_write and WebCfg - Status: Services.
If this requires another bug report, let me know, if it's intended, please disregard.
Updated by Jim Pingle 23 days ago
dylan mendez wrote in #note-7:
Testing this, it seems that you can restart ALL services as long as you have the WebCfg - Status: Services permission even with a non-privileged user. I successfully managed to brick my firewall (stop kea, ipsec, mim, freeradius, unbound, dpinger, etc) using an account with just deny_config_write and WebCfg - Status: Services.
If this requires another bug report, let me know, if it's intended, please disregard.
That's unrelated to this and expected. Deny config write only denies config changes, start/stop of a service isn't a config change, especially if someone was granted specific access to the page with the controls to do that it's part of their granted privileges. Logging is different as they could also clear logs when they shouldn't have been able to. Syslog restarting wasn't really improper but it was unnecessary since nothing actually changed which warranted restarting the daemon.
Updated by Jim Pingle 20 days ago
- Category changed from Web Interface to User Manager / Privileges
Updated by Jim Pingle 20 days ago
- Subject changed from Users with deny config write privilege can trigger logging operations to Users with Deny Config Write privilege can trigger logging operations
Updated by Georgiy Tyutyunnik 4 days ago
- Status changed from Feedback to Resolved
services no longer hang after being started/stopped by a user with no config write privilegies
tested on:
25.03-DEVELOPMENT (amd64)
built on Tue Dec 31 13:06:00 CET 2024
FreeBSD 15.0-CURRENT