Hi,
I have just discovered a small bug regarding user group membership:
When editing a user in the UI, adding or removing a user from a group no longer updates the unix group membership.
Bug seen on OPNsense 25.1.4_1-amd64
--
Best regards,
David Jack Wange Olrik
It is possible that you encounter the following:
OPNsense 25.1 released (https://forum.opnsense.org/index.php?topic=45460.msg227323#msg227323)
Quote:
> The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. [...]
Quote from: patient0 on March 31, 2025, 12:20:34 PM
> It is possible that you encounter the following:
> OPNsense 25.1 released (https://forum.opnsense.org/index.php?topic=45460.msg227323#msg227323)
I don't think so, I have 4 installations with OPNsense 25.1.4_1-amd64 and only one of them is exhibiting the problem.
All of the users are non-admin accounts with a shell configured so they can be used as a jump host.
The UI renders fine, but adding or removing group membership has no effect.
As a workaround, I've just added the user to the unix group manually like so `sudo pw group mod ssh -m <username>`
Quote from: davidolrik on March 31, 2025, 08:23:08 PM
> As a workaround, I've just added the user to the unix group manually like so `sudo pw group mod ssh -m <username>`
That won't survive a reboot, IIRC.
Quote from: Patrick M. Hausen on March 31, 2025, 10:35:40 PM
> That won't survive a reboot, IIRC.
It does indeed survive a reboot.
Quote from: davidolrik on April 03, 2025, 08:33:33 PM
> Quote from: Patrick M. Hausen on March 31, 2025, 10:35:40 PM
> > That won't survive a reboot, IIRC.
> It does indeed survive a reboot.
Interesting, thanks. What about doing any modification on users and/or groups in the UI and clicking "save"?
Quote from: Patrick M. Hausen on April 03, 2025, 08:37:32 PM
> Interesting, thanks. What about doing any modification on users and/or groups in the UI and clicking "save"?
That's the problem I'm experiencing: using the UI does nothing for the unix groups. I've tried editing both individual fields and the group selector.
State change is remembered in the UI but not reflected in the unix groups.
And I just found out that, while a manual change using `sudo pw group mod ssh -m <username>` does survive a reboot, it does not survive an upgrade to 25.1.7_2.
I've played around a bit more, and I have found that group removal is reflected in the unix groups, but not adding a user to a group (tested on an admin user).
OPNsense does not use the Unix groups. It comes with its own PAM module:
https://github.com/opnsense/ports/tree/master/opnsense/pam
Quote from: Patrick M. Hausen on May 21, 2025, 10:20:13 AM
> OPNsense does not use the Unix groups. It comes with its own PAM module:
> https://github.com/opnsense/ports/tree/master/opnsense/pam
Well, ssh still does, and OPNsense used to keep group membership in sync, which allowed me to create a special group called ssh and put all users that need ssh access in that group (even users with /usr/sbin/nologin set as shell).
This no longer works, now only admins get to have ssh access through the wheel group.
I use OPNsense as a jumphost, and setting an additional group in "System->Settings->Administration->Secure shell->Login group" no longer has any effect for any user.
I think this is a regression in functionality, and have created an issue on GitHub:
https://github.com/opnsense/core/issues/8721
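The drift described in this thread (the UI shows a user in the ssh login group while the unix group does not, or a manually added member lingers after an upgrade) can be audited with a small check script. This is an added example, not code from the thread or from OPNsense; it assumes a group(5)-format file such as /etc/group and an expected member list taken from the UI, and the sample file content is constructed.

```shell
#!/bin/sh
# Constructed sample in /etc/group format (not taken from any real host).
SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
wheel:*:0:root,admin
ssh:*:2000:alice,bob
nobody:*:65534:
EOF

# Print the comma-separated member field of GROUP from a group(5)-format FILE.
group_members() {
    file=$1; group=$2
    awk -F: -v g="$group" '$1 == g { print $4 }' "$file"
}

# Return 0 if USER appears in GROUP's member list, 1 otherwise.
in_group() {
    file=$1; group=$2; user=$3
    group_members "$file" "$group" | tr ',' '\n' | grep -qx -- "$user"
}

# Compare the unix GROUP against the EXPECTED users (as configured in the UI).
# Prints one line per finding: users expected but absent from the unix group,
# and unix members not in the expected list. Returns 1 on any finding, else 0.
check_group_drift() {
    file=$1; group=$2; shift 2
    rc=0
    for u in "$@"; do
        if ! in_group "$file" "$group" "$u"; then
            echo "MISSING: $u is not in unix group $group"
            rc=1
        fi
    done
    for m in $(group_members "$file" "$group" | tr ',' ' '); do
        case " $* " in
            *" $m "*) ;;
            *) echo "UNEXPECTED: $m is in unix group $group but not in the expected list"; rc=1 ;;
        esac
    done
    return $rc
}

# Example run: the UI lists alice, bob and carol for the ssh login group.
check_group_drift "$SAMPLE_GROUP_FILE" ssh alice bob carol || echo "drift detected"
```

On a live host, point the function at /etc/group and pass the members shown under the group in the UI; a non-zero exit after an upgrade is the cue to re-apply the workaround.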