Bug #2247
closed
Misleading security permission
0%
Description
In checking bug 2245 I noticed a definition used in security groups is misleading.
The "admins" group is defined (when viewing "groups" tab) as having the single permission "WebCfg - All pages". But a user given "WebCfg - All pages" access actually has access to much more - console, shell, VPN, etc. This isn't made clear and should be, because there may well be users one wants to give "Webcfg all pages" access but not shell access, and from security perspectives it's crucial the permissions assigned are clear when the summary user/group tables are viewed.
"WebCfg all pages" permission should mean just that, full access to Webcfg (exactly), not Webcfg and (unstated) much more. Either a new permission "Full access" should be added and "admin" assigned this instead so it's clear, or "admins" should be assigned all webcfg and also VPN, shell, etc.
But either way ACL groups should not show "webcfg all pages" as a permission, and then use it to mean permissions such as full shell/console/ssh access that aren't Webcfg at all. Fix one way or the other.
Updated by Jim Pingle over 13 years ago
VPN access is available regardless of permissions, except for IPsec, so that isn't valid for this issue. I thought there were separate tickets for making PPTP and OpenVPN permissions.
Shell access is a bit misleading to allow based on that, though.
EDIT: ... and if they can get to IPsec, it's because they have shell access. Fix that one and the rest would fall in line.
Though for consistency's sake, upgrade code would need to be added to give the shell access permission all existing users/groups with admin rights, then let the user fix their own permissions. To do otherwise could break someone's system.
Updated by Stilez y over 8 years ago
I suppose that "WebCfg - All pages" includes shell command prompt, so it's clearly on reflection going to have shell access. So the issue can be re-described as being, that this permission's title doesn't make it obvious that "all webGUI pages" will include full shell access. Should it?
Updated by Phillip Davis over 8 years ago
And as soon as you have "Diagnostics->Edit File" you can change whatever code you like, so you can add/modify code to give yourself whatever privs you may wish, or to add extra accounts with plenty of privs, or to change the admin password or... so "WebCfg - All pages" includes "Diagnostics->Edit File" and thus effectively has all privs. Similar for "Diagnostics->Command Prompt" and maybe some others.
So a few of these page privs just need to be noted that they are effectively opening up all privs.
Updated by Stilez y over 8 years ago
See PR 3331 . Note added to assignment pages, probably suffices?
Updated by Phillip Davis over 8 years ago
Next round of possibilities in PR https://github.com/pfsense/pfsense/pull/3337
Updated by Kill Bill