pfSense

Related to this, we also need to look at how shell access in general should be handled for non-root users. The console menu doesn't work correctly for such users. But then when they can escape out to a shell, they likely might as well have sudo access. Someone with decent skill could easily find many ways to escalate privileges at this point, given the codebase wasn't originally designed for doing this.

Certain screens/capabilities need a warning - exec.php, backup/restore, (to a slightly lesser extent) CLI access all come with the ability for the user to escalate privileges to any other portion of the system.

Yeah that could get hairy, especially since any shell user can read the raw config which (necessarily) contains some info that they may not otherwise have access to see. Perhaps we need some kind of restricted shell or chroot environment where these users get dumped, but it seems easier to just assume that anyone getting ssh access is effectively root.

I'm not sure how people would intend to use this unless it was for admin privileges. The SCP privilege will let them restrict to file copying (if you install scponly) but the only other real use might be for letting people make SSH tunnels, which they can probably do with some other restricted shell.

For tunnels, it could probably even be a shell that just says something like "Press any key when you want to log out of this SSH session." and doesn't do anything else. It would be very easy to make a C program or shell script that does this.

I've changed the shell code around a bit so that normal users with shell access just get tcsh as a shell, because the menu doesn't work properly for non-admin users.

I suppose we could either include sudo and setup the menu to use sudo if the user isn't id 0, or have a low-privilege menu with items that do work.

Meant to also say in that update that the ssh tunnel shell should really be in a separate ticket since it isn't directly related to the issue of privileges not being assigned.