OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: OPNenthu on July 25, 2025, 12:59:00 PM

Title: [Solved] Web GUI as "wwwonly" user - how?
Post by: OPNenthu on July 25, 2025, 12:59:00 PM
The 25.7 release announcement references this change:

Quote: o system: allow experimental feature to run web GUI privilege separated as "wwwonly" user

I don't see any option to enable this in the web GUI settings, unless I missed it.  How do we try this?
Title: Re: Web GUI as "wwwonly" user - how?
Post by: Monviech (Cedrik) on July 25, 2025, 01:02:48 PM
Check out the bottom of the system settings administration page
Title: Re: Web GUI as "wwwonly" user - how?
Post by: OPNenthu on July 25, 2025, 01:07:10 PM
Ah, definitely missed it.  "Strict security" option under Deployment section.  Thanks @Monviech
Title: Re: [Solved] Web GUI as "wwwonly" user - how?
Post by: franco on July 25, 2025, 01:19:47 PM
Note we're still working on adjusting components to play nice. Especially legacy pages may have issues with that for now. Could be the case for plugins as well.

But it's also been progressing pretty well so far. If you use the system for API-only purposes it's relatively unlikely you will hit a bug.


Cheers,
Franco
Title: Re: [Solved] Web GUI as "wwwonly" user - how?
Post by: OPNenthu on July 25, 2025, 01:54:10 PM
Only using a few plugins as of now, but will keep an eye out.

This seems like a good security option.  Thanks for adding it :)
Title: Re: [Solved] Web GUI as "wwwonly" user - how?
Post by: franco on July 25, 2025, 02:32:15 PM
Only took 10 years of planning, but we're getting there :)
Title: Re: [Solved] Web GUI as "wwwonly" user - how?
Post by: OPNenthu on July 29, 2025, 09:19:38 PM
I did finally hit some snags and it's crashing the UI, although I'm not entirely sure that this is the culprit.  I'm assuming so.

I've already submitted the first crash instance with the built-in crash reporter tool.

The first error came when I tried to disable an interface option under Interfaces->[GUEST]->Track IPv6->Manual configuration:

PHP Fatal error:  Uncaught TypeError: fstat(): Argument #1 ($stream) must be of type resource, false given in /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php:117
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php(117): fstat(false)
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php(147): OPNsense\Core\FileObject->read()
#2 /usr/local/etc/inc/interfaces.inc(3898): OPNsense\Core\FileObject->readJson()
#3 /usr/local/etc/inc/interfaces.inc(3855): interfaces_neighbors_configure('vlan0.20', Array)
#4 /usr/local/etc/inc/interfaces.inc(2426): interfaces_staticarp_configure('opt2', Array)
#5 /usr/local/www/interfaces.php(560): interface_configure(false, 'opt2', true)
#6 {main}
  thrown in /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php on line 117


I also tried to disable the security setting in System->Administration and I got another error then:

PHP Fatal error:  Uncaught TypeError: fwrite(): Argument #1 ($stream) must be of type resource, false given in /usr/local/etc/inc/system.inc:1340
Stack trace:
#0 /usr/local/etc/inc/system.inc(1340): fwrite(false, '#\n')
#1 /usr/local/www/system_advanced_admin.php(390): system_login_configure()
#2 {main}
  thrown in /usr/local/etc/inc/system.inc on line 1340

I have a snapshot from before enabling the setting so will restore from that.  Going to keep this disabled for now and give it a little more time to bake :)  Hope these traces are useful.
Title: Re: [Solved] Web GUI as "wwwonly" user - how?
Post by: franco on July 30, 2025, 08:15:50 AM
Thanks for reporting these. The underlying issue is simple: static pages ending in *.php are much more likely to not be ready, having been written 10-20 years ago, and the setting makes sense to get them ready. We will look into these soon.


Cheers,
Franco
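
Added example (not part of any post in this thread, and not OPNsense code): a Python script that parses the two traces posted above and separates where each exception was thrown from the page the request entered through, which is the outermost frame before {main}. Treating *.php files under /usr/local/www/ as the legacy static pages is an assumption drawn from the paths in these traces; the function and field names are made up for the example.

```python
import re

# Sample input: the two traces posted in this thread ("thrown in" lines dropped).
LOG = r"""PHP Fatal error:  Uncaught TypeError: fstat(): Argument #1 ($stream) must be of type resource, false given in /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php:117
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php(117): fstat(false)
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php(147): OPNsense\Core\FileObject->read()
#2 /usr/local/etc/inc/interfaces.inc(3898): OPNsense\Core\FileObject->readJson()
#3 /usr/local/etc/inc/interfaces.inc(3855): interfaces_neighbors_configure('vlan0.20', Array)
#4 /usr/local/etc/inc/interfaces.inc(2426): interfaces_staticarp_configure('opt2', Array)
#5 /usr/local/www/interfaces.php(560): interface_configure(false, 'opt2', true)
#6 {main}
PHP Fatal error:  Uncaught TypeError: fwrite(): Argument #1 ($stream) must be of type resource, false given in /usr/local/etc/inc/system.inc:1340
Stack trace:
#0 /usr/local/etc/inc/system.inc(1340): fwrite(false, '#\n')
#1 /usr/local/www/system_advanced_admin.php(390): system_login_configure()
#2 {main}
"""

HEAD = re.compile(r"^PHP Fatal error:\s+Uncaught (\w+): (\w+)\(\): (.*) in (\S+):(\d+)$")
FRAME = re.compile(r"^#\d+ (\S+)\((\d+)\): (.+)$")

def parse_crashes(text):
    """Split a PHP error log into crashes: header fields plus ordered frames."""
    crashes = []
    for line in text.splitlines():
        head, frame = HEAD.match(line), FRAME.match(line)
        if head:
            exc, call, msg, path, lineno = head.groups()
            crashes.append({"exception": exc, "call": call, "message": msg,
                            "thrown_at": f"{path}:{lineno}", "frames": []})
        elif frame and crashes:
            crashes[-1]["frames"].append((frame[1], int(frame[2]), frame[3]))
    return crashes

def triage(crash):
    """Report the entry page (outermost frame) and whether a false handle was passed."""
    path, lineno, _ = crash["frames"][-1] if crash["frames"] else ("", 0, "")
    return {
        "entry_page": f"{path}:{lineno}" if path else None,
        "thrown_at": crash["thrown_at"],
        "call": crash["call"],
        "false_handle": crash["message"].endswith("false given"),
        # Assumption: legacy static pages are *.php files under /usr/local/www/.
        "legacy_page": path.startswith("/usr/local/www/") and path.endswith(".php"),
    }

if __name__ == "__main__":
    print(*map(triage, parse_crashes(LOG)), sep="\n")
```

On the first trace the throw site is the MVC FileObject.php while the entry page is the static interfaces.php, so grouping reports by entry page rather than throw site keeps legacy-page failures together.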