Bug #9259

User with "Deny Config Write" privilege is not fully prevented from creating accounts

Added by Stefan Beckers 16 days ago. Updated 16 days ago.

Status: New
Priority: Normal
Assignee:
Category: User manager
Target version:
Start date: 01/07/2019
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.3.4_1
Affected Architecture: All

Description

I do log into the web GUI as a user "myuser" with admin group membership (other than the builtin admin/root). I used to be able to add a user to the system.

Now the creation of a new user fails and

  • the console gives me hostname php-fpm[12038]: Save config permission denied by the 'User - Config: Deny Config Write' permission for user 'myuser@192.168.1.1 (Local Database)'.
  • The user is invisible in the GUI
  • The user was created in /etc/passwd and the rest of the system

I have not altered the "admin" group, and "myuser" is a member of the admin group. We do have other groups with restrictions, which do not apply to the user "myuser" used above.

Interestingly the next try on the GUI fails, stating in the GUI "That username is reserved by the system." Reason: the new user was created on system level but stays invisible in the web GUI.

How to resolve this:
  • Clean up the system from your last try
    • rmuser
  • log in as the builtin "admin" user on the web GUI
  • create user as usual

History

#1 Updated by Jim Pingle 16 days ago

  • Subject changed from Creating a new user on Backend local Database fails halfways, when done with account other that buildtin "admin" to User with "Deny Config Write" privilege is not fully prevented from creating accounts
  • Assignee changed from Renato Botelho to Jim Pingle
  • Target version set to 2.4.5
  • Affected Architecture set to All

You must have incorrectly added the "User - Config: Deny Config Write" privilege to your admin group, which is common when unnecessarily using "select all" on the privilege list without considering the consequences.

There is still a bug here, but it did deny the config.xml change as expected. Since that was not technically a config.xml change, the privilege did what it was told to do and blocked only the config.xml change. It should probably also block the shell account portion from being added.

#2 Updated by Stefan Beckers 16 days ago

That is not the case. I have just tried another system, where this issue does not show. My latest install does behave well.

At least on all three systems I have compared so far, the "custom" admin users do have
  • admins WebCfg - All pages Allow access to all pages (admin privilege)
the "admin" user does have:
  • admins WebCfg - All pages Allow access to all pages (admin privilege)
  • User - System: Shell account access Indicates whether the user is able to login for example via SSH. (admin privilege)

and the admin group only has

  • "WebCfg - All pages Allow access to all pages (admin privilege)"

assigned.

It is not only older systems that have undergone multiple updates and upgrades and lots of configuration changes. It seems to be showing only on some systems. Others do behave well.

Any additional information I can compile for you here?

#3 Updated by Jim Pingle 16 days ago

The only way you can see that "Deny Config Write" message is if your user, or a group they are in, has the "Deny Config Write" privilege. That is 100% a configuration error and not the bug you are seeing here.

The other systems work because you don't have "Deny Config Write" in those privilege lists.

If you need more explanation, post on the forum.
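
An added example, not part of the original report or of the pfSense code base: a Python audit for the inconsistent state described in this ticket, listing accounts present in a copy of /etc/passwd that have no matching user entry in a copy of config.xml. The config.xml layout (system/user/name), the UID range 2000-65533 for GUI-created accounts, and all sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample data (not from the report). Assumed layout: pfSense keeps
# local users as <system><user><name>...</name></user> in config.xml.
SAMPLE_CONFIG_XML = """<pfsense><system>
  <user><name>admin</name><uid>0</uid></user>
  <user><name>myuser</name><uid>2000</uid></user>
</system></pfsense>"""

SAMPLE_PASSWD = """\
# constructed passwd excerpt
root:*:0:0:Charlie &:/root:/bin/sh
admin:*:0:0:System Administrator:/root:/etc/rc.initial
myuser:*:2000:65534:My User:/home/myuser:/sbin/nologin
newuser:*:2001:65534:New User:/home/newuser:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""


def config_users(config_xml):
    """Return the set of usernames recorded in config.xml."""
    root = ET.fromstring(config_xml)
    return {n.text.strip() for n in root.findall("./system/user/name") if n.text}


def passwd_accounts(passwd_text):
    """Yield (name, uid) for each well-formed passwd line."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7 or not fields[2].isdigit():
            continue  # skip comments, blank and malformed lines
        yield fields[0], int(fields[2])


def find_orphans(config_xml, passwd_text, min_uid=2000, max_uid=65533):
    """Accounts in the GUI-managed UID range (assumed 2000-65533) that the
    system knows about but config.xml does not: the state left behind when
    the account is created and the config write is then denied."""
    known = config_users(config_xml)
    return sorted(
        (name, uid)
        for name, uid in passwd_accounts(passwd_text)
        if min_uid <= uid <= max_uid and name not in known
    )


if __name__ == "__main__":
    for name, uid in find_orphans(SAMPLE_CONFIG_XML, SAMPLE_PASSWD):
        print(f"orphaned system account: {name} (uid {uid})")
```

Any account it reports exists at system level while staying invisible in the web GUI, which is the condition that later produces "That username is reserved by the system."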
