Feature #736
closed
Privileges for accessing each service that uses the user manager
Description
Currently it isn't possible to restrict users to accessing only specific services, except when they have a separate requirement like needing a key or certificate. Any service enabled that does not have such a requirement will be accessible by any user added to the system. Things were already fixed so that users don't have SSH access unless it is granted to them; however, there are still other services that can be accessed by any user. The ones I know of offhand are the captive portal and I think also OpenVPN (if using user auth. without SSL/TLS).
Privilege settings could be added for each of these for allowing access to them, preventing users from having access to more than they should. In the case of captive portal and upgrading from 1.2.x, a group could be created that has the captive portal privilege assigned to it and the captive portal users being upgraded could be made members of the group.
If implemented for 2.0 and if it would be desired to not break existing configurations from 2.0 when people upgrade to a newer snapshot (requiring that they fix their users), a checkbox could be added on each service that has a privilege setting to enable checking the privileges, which would be checked in the default configuration and on upgrades from 1.2.x but left alone on existing 2.0 configurations. Not sure whether this last thing is really necessary, but I figured I'd just put the idea here anyway.
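The model proposed above, as an added example that is not pfSense code and not part of the original report: a per-service privilege check with group inheritance, the enforcement checkbox, and the two upgrade paths. The privilege names, the config layout, the group name `cp-users` and the `cp_users` parameter are all assumptions made for illustration.

```python
from copy import deepcopy

# Hypothetical privilege names, one per service that authenticates via the user manager.
SERVICE_PRIVS = {"captiveportal": "svc-captiveportal", "openvpn": "svc-openvpn"}

def default_config():
    """Fresh install: the per-service enforcement checkbox starts checked."""
    return {"users": {}, "groups": {},
            "services": {s: {"enforce_privs": True} for s in SERVICE_PRIVS}}

def effective_privs(config, username):
    """Privileges held directly plus those inherited from group membership."""
    privs = set(config["users"][username].get("privs", ()))
    for group in config["groups"].values():
        if username in group.get("members", ()):
            privs |= set(group.get("privs", ()))
    return privs

def may_use(config, username, service):
    """Decide whether an already-authenticated user may use `service`."""
    if username not in config["users"]:
        return False
    if not config["services"][service].get("enforce_privs", False):
        return True  # checkbox unchecked: old behaviour, any known user is accepted
    return SERVICE_PRIVS[service] in effective_privs(config, username)

def upgrade(config, from_version, cp_users=()):
    """Return an upgraded copy of `config`; `cp_users` are the 1.2.x portal accounts."""
    new = deepcopy(config)
    if from_version.startswith("1.2."):
        # Portal users become members of a group that holds the portal privilege.
        group = new["groups"].setdefault("cp-users", {"privs": [], "members": []})
        if SERVICE_PRIVS["captiveportal"] not in group["privs"]:
            group["privs"].append(SERVICE_PRIVS["captiveportal"])
        for name in cp_users:
            new["users"].setdefault(name, {"privs": []})
            if name not in group["members"]:
                group["members"].append(name)
        for svc in new["services"].values():
            svc["enforce_privs"] = True
    # Existing 2.0 configurations keep whatever enforce_privs value they had.
    return new
```

With enforcement on, a migrated portal user gets the captive portal but not OpenVPN, while an existing 2.0 configuration behaves exactly as before until the checkbox is ticked.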
Updated by Erik Fonnesbeck about 14 years ago
Captive portal part split off to #1010
Updated by Jim Pingle over 5 years ago
- Category set to Authentication
- Status changed from New to Resolved
This has been in place for some time now.