
Bug #5294

System users and groups not fully protected from deletion

Added by Fernando Munoz about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: User Manager / Privileges
Target version:
Start date: 10/10/2015
Due date:
% Done: 0%
Estimated time:
Affected Version: All
Affected Architecture:

Description

It's possible to shoot yourself in the foot and delete the admin user and the all/admins groups.

1. Configure Tamper Data / Burp Suite

Delete admin user - steps to reproduce
2. Create any user
3. Attempt to delete that user and modify the HTTP request: put user id 0 and name admin
4. admin will be deleted

Delete all/admins groups
2. Create a group called all or admins
3. Attempt to delete the group created and modify the HTTP request: put group id 0 if using all or 1 if using admins
4. The group will be deleted

These checks should be applied on the server side before attempting the action and not just when showing the menu.

History

#1 Updated by Phillip Davis about 4 years ago

https://github.com/pfsense/pfsense/pull/1957 should check for this case of the user manually messing with the $POST value of "id" and display an input error message rather than deleting a system user.
I guess something similar for the Groups tab will cover that case also.

#2 Updated by Phillip Davis about 4 years ago

https://github.com/pfsense/pfsense/pull/1958
Similar fix for preventing deletion of a system group.
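The server-side check the report asks for and the two pull requests above implement, as an added example that is not pfSense's own code: one handler guards both the user and the group deletion by looking the record up by its posted index (never by the posted name) and refusing any entry whose scope is system. The config array layout, the ids and the function names are assumptions.

```php
<?php
// Added example, not pfSense's own code. It models the pfSense config
// layout where each user/group carries a 'scope' of 'system' or 'user';
// the array layout, ids and function names are assumptions.

// Constructed sample config: built-in entries plus locally created ones.
$config = ['system' => [
    'user' => [
        ['uid' => 0,    'name' => 'admin',    'scope' => 'system'],
        ['uid' => 2000, 'name' => 'fernando', 'scope' => 'user'],
    ],
    'group' => [
        ['gid' => 1998, 'name' => 'all',    'scope' => 'system'],
        ['gid' => 1999, 'name' => 'admins', 'scope' => 'system'],
        ['gid' => 2000, 'name' => 'ops',    'scope' => 'user'],
    ],
]];

// The pattern the report describes: the delete link is hidden in the menu
// for system entries, but the handler itself acts on whatever 'id' arrives.
function delete_entry_unchecked(array &$entries, array $post): bool {
    unset($entries[$post['id']]);
    $entries = array_values($entries);
    return true;
}

// Server-side guard: validate the posted index, look the record up by that
// index (the posted name is ignored), and refuse system-scoped entries.
function delete_entry_checked(array &$entries, array $post, string $kind, array &$input_errors): bool {
    $id = $post['id'] ?? null;
    if (!is_scalar($id) || !ctype_digit((string)$id) || !isset($entries[(int)$id])) {
        $input_errors[] = "Invalid {$kind} id.";
        return false;
    }
    $entry = $entries[(int)$id];
    if (($entry['scope'] ?? '') === 'system') {
        $input_errors[] = "System {$kind} '{$entry['name']}' cannot be deleted.";
        return false;
    }
    unset($entries[(int)$id]);
    $entries = array_values($entries);
    return true;
}

// Tampered request from the report: a user created through the GUI, with the
// id in the delete request rewritten to 0 (admin). The guard rejects it.
$tampered = ['id' => '0', 'name' => 'admin'];
$errors = [];
var_dump(delete_entry_checked($config['system']['user'], $tampered, 'user', $errors));
print_r($errors);
// A locally created group (index 2, 'ops') is still deletable.
$errors = [];
var_dump(delete_entry_checked($config['system']['group'], ['id' => '2'], 'group', $errors));
```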

#3 Updated by Phillip Davis about 4 years ago

If these fixes for RELENG_2_2 are accepted, then they need to also be done in master for 2.3

#4 Updated by Phillip Davis about 4 years ago

System User Delete checks committed https://github.com/pfsense/pfsense/commit/8d070c072ec2b662f6a235cc3779fb62835dd647
System Group Delete checks committed https://github.com/pfsense/pfsense/commit/d7e5efa46134e738ae62e5c387c1e92fd803124d

This should be fixed in a RELENG_2_2 snapshot built after the time of this post.

@Fernando - please test with these changes and confirm that these system users and groups are now protected from deletion.

#5 Updated by Chris Buechler about 4 years ago

  • Subject changed from Deleting the undeletable to System users and groups not fully protected from deletion
  • Category set to User Manager / Privileges
  • Status changed from New to Feedback
  • Target version set to 2.2.5
  • Affected Version set to All

#6 Updated by Chris Buechler about 4 years ago

  • Status changed from Feedback to Resolved

fixed
