Hello,
Running the latest 21.1.4. I'm currently logged in as root.
This morning I created a new user and assigned him to the admin group. I couldn't log in as that user, so I gave him escalated rights by editing "Effective Privileges" under the user just to test. It seems as soon as I did this, the user became untouchable. I can no longer edit anything, including even adding a name or description.
I logged into the console and removed the user from the admins group, but I assume OPNsense isn't reading the OS level groups? "pw groupmod admins -d <user>" and he's no longer an admins user, but the Web UI still shows him in the admins group.
The user has a certificate linked to him, but I can't remove it from certs page, and I can't edit the user to unlink it either.
When I go to the WebUI Groups, I have just the "admins" group, with 2 members (root and this user). I've rebooted, but no change.
I'm wary of messing around too much on the console side, as I don't want to remove him in the OS, but have config files or something that still reference him in OPNsense.
Thoughts on how to make this user editable again? I don't know his password, so I can't log in as him to the WebUI or SSH.
Two ways: either edit the config.xml file, removing the user, or grab one of the backups in /conf/backup and import it. Remember to pick one that was dated before you added the user. Reboot... done.
Hmm.. I grabbed a safe backup file, tried to apply in the UI (as root user) and it says:
The following input errors were detected:
You do not have the permission to perform this action.
I don't understand. Somehow root lost permissions?
I checked in the UI, and
- There are only 2 users (root and my user)
- They are both recognized as system admins (denoted by red user icon).
- There is only 1 group (admins) and both users are part of it
I've logged in via SSH.
- root and the user are still part of the admins group, according to /etc/group
Root user can still do other things. I created a Firewall rule just fine and could delete it. But I can't seem to do system administration, even on the root user. I can't create a new user either, even just a low level user - not an admin.
If I recall correctly, the last edit I made in any of the sections was not to the root user, but to the extra user I created. The user already existed and was an admin, but I couldn't SSH. So for testing purposes, I added the user to the admins group, and I edited the "Effective Permissions" under this user. I clicked "Select all" and saved. I'm not sure which action it was, but since that point, I haven't been able to make changes to any user as the root user.
This is what I would do. If you have a Windows PC, using WinSCP, find a backup file that dates to a time before you added the new user. Make a note of the name. Now SSH into the shell and issue the command:
cp /conf/backup/config-filename.xml /conf/config.xml
Then do a hard reboot.
If the shell will not let you do that, then try "sudo cp /conf/backup/config-filename.xml /conf/config.xml" and see if it accepts your credentials.
You might also want to back up your /conf directory to your PC. Mine auto backs up conf and a few other critical scripts every night.
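An added example, not part of the posts in this thread: rather than choosing a backup by date alone, a small shell helper can pick the newest file in the backup directory that does not yet mention the account, and keep a copy of the live config before overwriting it. It assumes backups are named config-*.xml and that an account appears in config.xml as `<name>USERNAME</name>`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Assumptions: backups are named config-*.xml and a user account appears
# in the file as <name>USERNAME</name>.

# Print the newest backup in DIR that does not mention USER; return 1 if none.
newest_backup_without_user() {
    dir=$1
    user=$2
    # ls -t lists newest first; stop at the first file without the user
    found=$(ls -t "$dir" | while IFS= read -r name; do
        case $name in
            config-*.xml) ;;
            *) continue ;;
        esac
        if ! grep -qF "<name>${user}</name>" "$dir/$name"; then
            printf '%s\n' "$dir/$name"
            break
        fi
    done)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Keep a copy of the live config, then put the chosen backup in its place.
restore_config() {
    backup=$1
    live=$2
    cp -p "$live" "$live.pre-restore" && cp "$backup" "$live"
}

# Usage on the firewall, followed by a reboot as described in the thread:
#   b=$(newest_backup_without_user /conf/backup USERNAME) &&
#       restore_config "$b" /conf/config.xml
```

Comparing the chosen file against the live config with diff before copying shows exactly which user, group and privilege entries the restore will roll back.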
That makes sense! Wasn't sure how to apply config from shell. I don't seem to be limited as root on the shell, so I'll give that a shot tomorrow once an outage is acceptable in the house.
Thanks!
Yet another option -- since you have a backup config -- re-install OPNsense. During installation select your backup config file or after the installation is complete, reload the backup config, reboot and you are done.
Well.. I have no idea how OPNsense ended up in that position, but your solution fixed it. Root didn't have any permission issues at the OS level, so I was able to easily just copy a good backup in place of the existing config.xml and a reboot restored everything to the way it should be.
I'll be setting up automated config backups now on this system, since I didn't have those enabled before.
Thanks marjohn56 & Inxsible!