OPNsense Forum

English Forums => General Discussion => Topic started by: Northguy on December 04, 2018, 06:26:57 pm

Title: [SOLVED] GUI User and Group edit rights blocked for 'root'
Post by: Northguy on December 04, 2018, 06:26:57 pm
All,

Help needed.

Somehow I messed something up with the user access rights on the GUI access system which now effectively blocks any new changes that I try to make. Root user does not have access rights anymore.

(https://i.ibb.co/qDm9NbV/error-message.png) (https://ibb.co/6yDbH6L)

What I tried to do: remove unused menu entries by deselecting them in the 'admin' group. Don't know what I did exactly to cause this issue. My mouse got stuck somehow and I made a wrong move by selecting something. In my impression I did nothing wrong, but how do I now resolve this issue?

Please find attached GUI settings of 'root user.

(https://i.ibb.co/Q8ywNx7/Root-user-settings.png) (https://ibb.co/cb4nFsK)
Title: Re: GUI system:access:User and system:access:group edit rights blocked for 'root'
Post by: Northguy on December 06, 2018, 04:19:56 pm
Does anyone have a clue where in the background these settings are stored, so that I can change them back though SSH?
Title: Re: GUI system:access:User and system:access:group edit rights blocked for 'root'
Post by: franco on December 07, 2018, 07:40:44 am
Sorry for the late reply, edit /conf/config.xml to remove the following line:

"<priv>user-config-readonly</priv>"

It is not suitable for the admins group.


Cheers,
Franco
Title: Re: GUI system:access:User and system:access:group edit rights blocked for 'root'
Post by: Northguy on December 07, 2018, 09:57:31 am
Hey Franco,

Thanks! That did the trick... I still wonder what I did wrong to cause this situation...

Thanks,

Patrick
Title: Re: GUI system:access:User and system:access:group edit rights blocked for 'root'
Post by: franco on December 07, 2018, 02:23:15 pm
Hi Patrick,

Glad that helped.

Hmm, I guess you wanted to add *all* privileges to admins, which pulled in the deny config write privilege as well by design.... not the greatest design to be fair.

The update to or over 18.7.7 added this due to a security issue:

https://github.com/opnsense/changelog/blob/a2119f5cfcb92bd08a7af50575543662cb71212a/doc/18.7/18.7.7#L27

So that's when this started behaving abnormally.

We're not happy with deny config write so we are looking for better solutions in the long term.


Cheers,
Franco
Title: Re: GUI system:access:User and system:access:group edit rights blocked for 'root'
Post by: Northguy on December 08, 2018, 01:00:14 am
Thanks for the clarification!