Bug #15874
closed
Users with Deny Config Write privilege can trigger logging operations
Added by Steve Wheeler about 1 month ago.
Updated 6 days ago.
Category:
User Manager / Privileges
Plus Target Version:
25.03
Description
A user with the deny_config_write privilege set and access to the log settings page can still trigger the syslog daemon to restart, and it fails to do so:
Nov 26 23:32:06 php-fpm 69047 Save config permission denied by the 'User - Config: Deny Config Write' permission for user 'Test@172.21.16.8 (Local Database)'.
Nov 26 23:32:06 sshguard 41111 Exiting on signal.
Nov 26 23:32:06 syslogd exiting on signal 15
Nothing further is logged until the log settings page is resaved by a privileged user. The service cannot be restarted until then.
Nov 26 23:45:23 syslogd kernel boot file is /boot/kernel/kernel
Nov 26 23:45:23 sshguard 27010 Now monitoring attacks.
Nov 26 23:45:23 nginx 2024/11/26 23:45:23 [error] 68831#116459: send() failed (54: Connection reset by peer) while logging to syslog, server: unix:/var/run/log
Tested 24.11.
See: https://forum.netgate.com/topic/195331/potential-bug-read-only-user-able-to-crash-syslogd-service
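The log excerpt above is the whole signature of this bug: a denied config save, then syslogd exiting on signal 15 within the same second, then silence until a privileged user resaves the page. The following is an added example, not part of the report or of pfSense, that turns that sequence into a check a log reviewer can run over a system log file. The sample lines are constructed from the excerpts in the description; the regexes match those lines only, and the five-second window is an assumption chosen to tie the exit to the denied save.

```python
"""Spot a syslogd outage that follows a denied config write.

Added example, not pfSense code: it scans classic syslog lines for the
sequence shown in the bug report (a 'Save config permission denied'
message, then 'syslogd exiting on signal' moments later) and reports how
long logging stayed down, or that it never came back within the input.
"""
import re
from datetime import datetime

# Constructed sample: the log excerpts from the bug description, in order.
SAMPLE_LOG = """\
Nov 26 23:32:06 php-fpm 69047 Save config permission denied by the 'User - Config: Deny Config Write' permission for user 'Test@172.21.16.8 (Local Database)'.
Nov 26 23:32:06 sshguard 41111 Exiting on signal.
Nov 26 23:32:06 syslogd exiting on signal 15
Nov 26 23:45:23 syslogd kernel boot file is /boot/kernel/kernel
Nov 26 23:45:23 sshguard 27010 Now monitoring attacks.
"""

TS_FMT = "%b %d %H:%M:%S"
# Classic syslog prefix "Mon dd HH:MM:SS <message>"; no year, one-digit days are space padded.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# The three messages that make up the pattern, as they appear in the report.
DENIED_RE = re.compile(r"Save config permission denied .*? for user '(?P<user>[^']+)'")
EXIT_RE = re.compile(r"^syslogd exiting on signal (?P<sig>\d+)$")
START_RE = re.compile(r"^syslogd kernel boot file is ")


def parse_line(line):
    """Split one syslog line into (timestamp, message), or None if it has no prefix."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["rest"]


def find_denied_write_outages(log_text, window_seconds=5):
    """Return one finding per denied config save that is followed within
    window_seconds by syslogd exiting.  'restarted_at' and 'outage_seconds'
    are None when no later syslogd start appears in the input, which is the
    state the report describes until a privileged user resaves the page."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for i, (ts, msg) in enumerate(events):
        denied = DENIED_RE.search(msg)
        if not denied:
            continue
        for j in range(i + 1, len(events)):
            exit_ts, exit_msg = events[j]
            if (exit_ts - ts).total_seconds() > window_seconds:
                break  # syslogd stayed up through the window: not this pattern
            exited = EXIT_RE.match(exit_msg)
            if not exited:
                continue
            # First syslogd startup message after the exit, if the log has one at all.
            restart_ts = next((t for t, later in events[j + 1:] if START_RE.match(later)), None)
            findings.append({
                "user": denied["user"],
                "denied_at": ts.strftime(TS_FMT),
                "signal": int(exited["sig"]),
                "restarted_at": restart_ts.strftime(TS_FMT) if restart_ts else None,
                "outage_seconds": int((restart_ts - exit_ts).total_seconds()) if restart_ts else None,
            })
            break
    return findings


if __name__ == "__main__":
    for f in find_denied_write_outages(SAMPLE_LOG):
        down = f["outage_seconds"]
        state = "for %ds" % down if down is not None else "with no restart seen"
        print(f"{f['denied_at']}: {f['user']} denied write; syslogd got signal {f['signal']}; logging down {state}")
```

Run against the sample it reports one finding for the test user with a 797 second gap; fed only the first three lines (the state the reporter describes, nothing logged afterwards) it reports the same finding with no restart seen. A syslogd exit that happens minutes after an unrelated denied save falls outside the window and is not attributed to it.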
- Assignee set to Jim Pingle
- Status changed from New to In Progress
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
After applying the patch I get a bunch of php strings in logs after login using an unprivileged user (Tested on 24.11)
Dec 7 00:30:39 php-fpm 2640 /index.php: Successful login for user 'bubu' from: 192.168.70.10 (Local Database)
Dec 7 00:30:39 php-fpm 2640 /index.php: bubu@192.168.70.10 (Local Database) attempted to access /index.php but does not have access to that page. Redirecting to status_logs_packages.php.
Dec 7 00:30:39 php-fpm 2640 PHPSESSION 1 open sessions left at shutdown script!Array
Dec 7 00:30:39 php-fpm 2640 (
Dec 7 00:30:39 php-fpm 2640 [0] => #### phpsession_begin ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:39
Dec 7 00:30:39 php-fpm 2640 phpsession_begin(..) - /etc/inc/auth.inc:2218
Dec 7 00:30:39 php-fpm 2640 session_auth(..) - /etc/inc/authgui.inc:37
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 [1] => #### phpsession_end ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:55
Dec 7 00:30:39 php-fpm 2640 phpsession_end(..) - /etc/inc/auth.inc:2352
Dec 7 00:30:39 php-fpm 2640 session_auth(..) - /etc/inc/authgui.inc:37
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 [2] => #### phpsession_begin ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:39
Dec 7 00:30:39 php-fpm 2640 phpsession_begin(..) - /etc/inc/authgui.inc:42
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 [3] => #### phpsession_begin ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:39
Dec 7 00:30:39 php-fpm 2640 phpsession_begin(..) - /etc/inc/priv.inc:242
Dec 7 00:30:39 php-fpm 2640 getAllowedPages(..) - /etc/inc/authgui.inc:49
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 [4] => #### phpsession_end ####
Dec 7 00:30:39 php-fpm 2640 simplestacktrace(..) - /etc/inc/phpsessionmanager.inc:55
Dec 7 00:30:39 php-fpm 2640 phpsession_end(..) - /etc/inc/priv.inc:303
Dec 7 00:30:39 php-fpm 2640 getAllowedPages(..) - /etc/inc/authgui.inc:49
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/guiconfig.inc:61
Dec 7 00:30:39 php-fpm 2640 require_once(..) - /usr/local/www/index.php:46
Dec 7 00:30:39 php-fpm 2640 )
Lev Prokofev wrote in #note-4:
After applying the patch I get a bunch of php strings in logs after login using an unprivileged user (Tested on 24.11)
Those errors are from #15873 which is also fixed in snapshots. It's better to test that there, or at the very least apply both fixes.
- Plus Target Version changed from 25.01 to 25.03
Testing this, it seems that you can restart ALL services as long as you have the WebCfg - Status: Services permission even with a non-privileged user. I successfully managed to brick my firewall (stop kea, ipsec, mim, freeradius, unbound, dpinger, etc) using an account with just deny_config_write and WebCfg - Status: Services.
If this requires another bug report, let me know, if it's intended, please disregard.
dylan mendez wrote in #note-7:
Testing this, it seems that you can restart ALL services as long as you have the WebCfg - Status: Services permission even with a non-privileged user. I successfully managed to brick my firewall (stop kea, ipsec, mim, freeradius, unbound, dpinger, etc) using an account with just deny_config_write and WebCfg - Status: Services.
If this requires another bug report, let me know, if it's intended, please disregard.
That's unrelated to this and expected. Deny config write only denies config changes, start/stop of a service isn't a config change, especially if someone was granted specific access to the page with the controls to do that it's part of their granted privileges. Logging is different as they could also clear logs when they shouldn't have been able to. Syslog restarting wasn't really improper but it was unnecessary since nothing actually changed which warranted restarting the daemon.
- Category changed from Web Interface to User Manager / Privileges
- Subject changed from Users with deny config write privilege can trigger logging operations to Users with Deny Config Write privilege can trigger logging operations
- Status changed from Feedback to Resolved
Services no longer hang after being started/stopped by a user with no config write privileges.
tested on:
25.03-DEVELOPMENT (amd64)
built on Tue Dec 31 13:06:00 CET 2024
FreeBSD 15.0-CURRENT